22 on all infinite paths, at some point the formula holds. |
22 on all infinite paths, at some point the formula holds. |
23 Formalizing the notion of an infinite path is easy |
23 Formalizing the notion of an infinite path is easy |
24 in HOL: it is simply a function from @{typ nat} to @{typ state}. |
24 in HOL: it is simply a function from @{typ nat} to @{typ state}. |
25 *}; |
25 *}; |
26 |
26 |
27 constdefs Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set" |
27 definition Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set" where |
28 "Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}"; |
28 "Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}" |
29 |
29 |
30 text{*\noindent |
30 text{*\noindent |
31 This definition allows a succinct statement of the semantics of @{const AF}: |
31 This definition allows a succinct statement of the semantics of @{const AF}: |
32 \footnote{Do not be misled: neither datatypes nor recursive functions can be |
32 \footnote{Do not be misled: neither datatypes nor recursive functions can be |
33 extended by new constructors or equations. This is just a trick of the |
33 extended by new constructors or equations. This is just a trick of the |
34 presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define |
34 presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define |
35 a new datatype and a new function.} |
35 a new datatype and a new function.} |
36 *}; |
36 *}; |
37 (*<*) |
37 (*<*) |
38 consts valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80); |
38 primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80) where |
39 |
39 "s \<Turnstile> Atom a = (a \<in> L s)" | |
40 primrec |
40 "s \<Turnstile> Neg f = (~(s \<Turnstile> f))" | |
41 "s \<Turnstile> Atom a = (a \<in> L s)" |
41 "s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" | |
42 "s \<Turnstile> Neg f = (~(s \<Turnstile> f))" |
42 "s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" | |
43 "s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" |
43 "s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)" | |
44 "s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" |
|
45 "s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)" |
|
46 (*>*) |
44 (*>*) |
47 "s \<Turnstile> AF f = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)"; |
45 "s \<Turnstile> AF f = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)" |
48 |
46 |
49 text{*\noindent |
47 text{*\noindent |
50 Model checking @{const AF} involves a function which |
48 Model checking @{const AF} involves a function which |
51 is just complicated enough to warrant a separate definition: |
49 is just complicated enough to warrant a separate definition: |
52 *}; |
50 *}; |
53 |
51 |
54 constdefs af :: "state set \<Rightarrow> state set \<Rightarrow> state set" |
52 definition af :: "state set \<Rightarrow> state set \<Rightarrow> state set" where |
55 "af A T \<equiv> A \<union> {s. \<forall>t. (s, t) \<in> M \<longrightarrow> t \<in> T}"; |
53 "af A T \<equiv> A \<union> {s. \<forall>t. (s, t) \<in> M \<longrightarrow> t \<in> T}" |
56 |
54 |
57 text{*\noindent |
55 text{*\noindent |
58 Now we define @{term "mc(AF f)"} as the least set @{term T} that includes |
56 Now we define @{term "mc(AF f)"} as the least set @{term T} that includes |
59 @{term"mc f"} and all states all of whose direct successors are in @{term T}: |
57 @{term"mc f"} and all states all of whose direct successors are in @{term T}: |
60 *}; |
58 *}; |
61 (*<*) |
59 (*<*) |
62 consts mc :: "formula \<Rightarrow> state set"; |
60 primrec mc :: "formula \<Rightarrow> state set" where |
63 primrec |
61 "mc(Atom a) = {s. a \<in> L s}" | |
64 "mc(Atom a) = {s. a \<in> L s}" |
62 "mc(Neg f) = -mc f" | |
65 "mc(Neg f) = -mc f" |
63 "mc(And f g) = mc f \<inter> mc g" | |
66 "mc(And f g) = mc f \<inter> mc g" |
64 "mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" | |
67 "mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" |
65 "mc(EF f) = lfp(\<lambda>T. mc f \<union> M\<inverse> `` T)"|(*>*) |
68 "mc(EF f) = lfp(\<lambda>T. mc f \<union> M\<inverse> `` T)"(*>*) |
|
69 "mc(AF f) = lfp(af(mc f))"; |
66 "mc(AF f) = lfp(af(mc f))"; |
70 |
67 |
71 text{*\noindent |
68 text{*\noindent |
72 Because @{const af} is monotone in its second argument (and also its first, but |
69 Because @{const af} is monotone in its second argument (and also its first, but |
73 that is irrelevant), @{term"af A"} has a least fixed point: |
70 that is irrelevant), @{term"af A"} has a least fixed point: |
104 that @{term mc} and @{text"\<Turnstile>"} agree for @{const AF}\@. |
101 that @{term mc} and @{text"\<Turnstile>"} agree for @{const AF}\@. |
105 This time we prove the two inclusions separately, starting |
102 This time we prove the two inclusions separately, starting |
106 with the easy one: |
103 with the easy one: |
107 *}; |
104 *}; |
108 |
105 |
109 theorem AF_lemma1: |
106 theorem AF_lemma1: "lfp(af A) \<subseteq> {s. \<forall>p \<in> Paths s. \<exists>i. p i \<in> A}" |
110 "lfp(af A) \<subseteq> {s. \<forall>p \<in> Paths s. \<exists>i. p i \<in> A}"; |
|
111 |
107 |
112 txt{*\noindent |
108 txt{*\noindent |
113 In contrast to the analogous proof for @{const EF}, and just |
109 In contrast to the analogous proof for @{const EF}, and just |
114 for a change, we do not use fixed point induction. Park-induction, |
110 for a change, we do not use fixed point induction. Park-induction, |
115 named after David Park, is weaker but sufficient for this proof: |
111 named after David Park, is weaker but sufficient for this proof: |
163 |
159 |
164 Now we iterate this process. The following construction of the desired |
160 Now we iterate this process. The following construction of the desired |
165 path is parameterized by a predicate @{term Q} that should hold along the path: |
161 path is parameterized by a predicate @{term Q} that should hold along the path: |
166 *}; |
162 *}; |
167 |
163 |
168 consts path :: "state \<Rightarrow> (state \<Rightarrow> bool) \<Rightarrow> (nat \<Rightarrow> state)"; |
164 primrec path :: "state \<Rightarrow> (state \<Rightarrow> bool) \<Rightarrow> (nat \<Rightarrow> state)" where |
169 primrec |
165 "path s Q 0 = s" | |
170 "path s Q 0 = s" |
166 "path s Q (Suc n) = (SOME t. (path s Q n,t) \<in> M \<and> Q t)" |
171 "path s Q (Suc n) = (SOME t. (path s Q n,t) \<in> M \<and> Q t)"; |
|
172 |
167 |
173 text{*\noindent |
168 text{*\noindent |
174 Element @{term"n+1::nat"} on this path is some arbitrary successor |
169 Element @{term"n+1::nat"} on this path is some arbitrary successor |
175 @{term t} of element @{term n} such that @{term"Q t"} holds. Remember that @{text"SOME t. R t"} |
170 @{term t} of element @{term n} such that @{term"Q t"} holds. Remember that @{text"SOME t. R t"} |
176 is some arbitrary but fixed @{term t} such that @{prop"R t"} holds (see \S\ref{sec:SOME}). Of |
171 is some arbitrary but fixed @{term t} such that @{prop"R t"} holds (see \S\ref{sec:SOME}). Of |