Mercurial Mercurial > repos > isabelle / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc-src/TutorialI/CTL/CTL.thy
changeset 10801 c00ac928fc6f
parent 10800 2d4c058749a7
child 10839 1f93f5a27de6
equal deleted inserted replaced
10800:2d4c058749a7 10801:c00ac928fc6f 
    37 primrec
 
    37 primrec
 
    38 "s \<Turnstile> Atom a  =  (a \<in> L s)"
 
    38 "s \<Turnstile> Atom a  =  (a \<in> L s)"
 
    39 "s \<Turnstile> Neg f   = (~(s \<Turnstile> f))"
 
    39 "s \<Turnstile> Neg f   = (~(s \<Turnstile> f))"
 
    40 "s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)"
 
    40 "s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)"
 
    41 "s \<Turnstile> AX f    = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)"
 
    41 "s \<Turnstile> AX f    = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)"
 
    42 "s \<Turnstile> EF f    = (\<exists>t. (s,t) \<in> M^* \<and> t \<Turnstile> f)"
 
    42 "s \<Turnstile> EF f    = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)"
 
    43 (*>*)
 
    43 (*>*)
 
    44 "s \<Turnstile> AF f    = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)";
 
    44 "s \<Turnstile> AF f    = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)";
 
    45 
    45 
    46 text{*\noindent
 
    46 text{*\noindent
 
    47 Model checking @{term AF} involves a function which
 
    47 Model checking @{term AF} involves a function which
 
    60 primrec
 
    60 primrec
 
    61 "mc(Atom a)  = {s. a \<in> L s}"
 
    61 "mc(Atom a)  = {s. a \<in> L s}"
 
    62 "mc(Neg f)   = -mc f"
 
    62 "mc(Neg f)   = -mc f"
 
    63 "mc(And f g) = mc f \<inter> mc g"
 
    63 "mc(And f g) = mc f \<inter> mc g"
 
    64 "mc(AX f)    = {s. \<forall>t. (s,t) \<in> M  \<longrightarrow> t \<in> mc f}"
 
    64 "mc(AX f)    = {s. \<forall>t. (s,t) \<in> M  \<longrightarrow> t \<in> mc f}"
 
    65 "mc(EF f)    = lfp(\<lambda>T. mc f \<union> M^-1 ``` T)"(*>*)
 
    65 "mc(EF f)    = lfp(\<lambda>T. mc f \<union> M\<inverse> ``` T)"(*>*)
 
    66 "mc(AF f)    = lfp(af(mc f))";
 
    66 "mc(AF f)    = lfp(af(mc f))";
 
    67 
    67 
    68 text{*\noindent
 
    68 text{*\noindent
 
    69 Because @{term af} is monotone in its second argument (and also its first, but
 
    69 Because @{term af} is monotone in its second argument (and also its first, but
 
    70 that is irrelevant) @{term"af A"} has a least fixed point:
 
    70 that is irrelevant) @{term"af A"} has a least fixed point:
 
    73 lemma mono_af: "mono(af A)";
 
    73 lemma mono_af: "mono(af A)";
 
    74 apply(simp add: mono_def af_def);
 
    74 apply(simp add: mono_def af_def);
 
    75 apply blast;
 
    75 apply blast;
 
    76 done
 
    76 done
 
    77 (*<*)
 
    77 (*<*)
 
    78 lemma mono_ef: "mono(\<lambda>T. A \<union> M^-1 ``` T)";
 
    78 lemma mono_ef: "mono(\<lambda>T. A \<union> M\<inverse> ``` T)";
 
    79 apply(rule monoI);
 
    79 apply(rule monoI);
 
    80 by(blast);
 
    80 by(blast);
 
    81 
    81 
    82 lemma EF_lemma:
 
    82 lemma EF_lemma:
 
    83   "lfp(\<lambda>T. A \<union> M^-1 ``` T) = {s. \<exists>t. (s,t) \<in> M^* \<and> t \<in> A}";
 
    83   "lfp(\<lambda>T. A \<union> M\<inverse> ``` T) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}";
 
    84 apply(rule equalityI);
 
    84 apply(rule equalityI);
 
    85  apply(rule subsetI);
 
    85  apply(rule subsetI);
 
    86  apply(simp);
 
    86  apply(simp);
 
    87  apply(erule lfp_induct);
 
    87  apply(erule lfp_induct);
 
    88   apply(rule mono_ef);
 
    88   apply(rule mono_ef);
 
   364 the semantics of @{term EU} is straightforward:
 
   364 the semantics of @{term EU} is straightforward:
 
   365 @{text[display]"s \<Turnstile> EU f g = (\<exists>p. until A B s p)"}
 
   365 @{text[display]"s \<Turnstile> EU f g = (\<exists>p. until A B s p)"}
 
   366 Note that @{term EU} is not definable in terms of the other operators!
 
   366 Note that @{term EU} is not definable in terms of the other operators!
 
   367 
   367 
   368 Model checking @{term EU} is again a least fixed point construction:
 
   368 Model checking @{term EU} is again a least fixed point construction:
 
   369 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M^-1 ``` T))"}
 
   369 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M\<inverse> ``` T))"}
 
   370 
   370 
   371 \begin{exercise}
 
   371 \begin{exercise}
 
   372 Extend the datatype of formulae by the above until operator
 
   372 Extend the datatype of formulae by the above until operator
 
   373 and prove the equivalence between semantics and model checking, i.e.\ that
 
   373 and prove the equivalence between semantics and model checking, i.e.\ that
 
   374 @{prop[display]"mc(EU f g) = {s. s \<Turnstile> EU f g}"}
 
   374 @{prop[display]"mc(EU f g) = {s. s \<Turnstile> EU f g}"}
 
   380 *}
 
   380 *}
 
   381 
   381 
   382 (*<*)
 
   382 (*<*)
 
   383 constdefs
 
   383 constdefs
 
   384  eufix :: "state set \<Rightarrow> state set \<Rightarrow> state set \<Rightarrow> state set"
 
   384  eufix :: "state set \<Rightarrow> state set \<Rightarrow> state set \<Rightarrow> state set"
 
   385 "eufix A B T \<equiv> B \<union> A \<inter> (M^-1 ``` T)"
 
   385 "eufix A B T \<equiv> B \<union> A \<inter> (M\<inverse> ``` T)"
 
   386 
   386 
   387 lemma "lfp(eufix A B) \<subseteq> eusem A B"
 
   387 lemma "lfp(eufix A B) \<subseteq> eusem A B"
 
   388 apply(rule lfp_lowerbound)
 
   388 apply(rule lfp_lowerbound)
 
   389 apply(clarsimp simp add:eusem_def eufix_def);
 
   389 apply(clarsimp simp add:eusem_def eufix_def);
 
   390 apply(erule disjE);
 
   390 apply(erule disjE);
isabelle