diff -r 1b237d147cc4 -r ae0ca486bd3f src/HOL/ex/CTL.thy --- a/src/HOL/ex/CTL.thy Tue Apr 26 11:38:19 2016 +0200 +++ b/src/HOL/ex/CTL.thy Tue Apr 26 11:56:06 2016 +0200 @@ -42,37 +42,38 @@ axiomatization \ :: "('a \ 'a) set" text \ - The operators \\\, \\\, \\\ are taken as primitives, while - \\\, \\\, \\\ are defined as derived ones. The formula \\ p\ - holds in a state @{term s}, iff there is a successor state @{term s'} (with - respect to the model @{term \}), such that @{term p} holds in @{term s'}. - The formula \\ p\ holds in a state @{term s}, iff there is a path in - \\\, starting from @{term s}, such that there exists a state @{term s'} on - the path, such that @{term p} holds in @{term s'}. The formula \\ p\ - holds in a state @{term s}, iff there is a path, starting from @{term s}, - such that for all states @{term s'} on the path, @{term p} holds in @{term - s'}. It is easy to see that \\ p\ and \\ p\ may be expressed using - least and greatest fixed points @{cite "McMillan-PhDThesis"}. + The operators \\<^bold>E\<^bold>X\, \\<^bold>E\<^bold>F\, \\<^bold>E\<^bold>G\ are taken as primitives, while \\<^bold>A\<^bold>X\, + \\<^bold>A\<^bold>F\, \\<^bold>A\<^bold>G\ are defined as derived ones. The formula \\<^bold>E\<^bold>X p\ holds in a + state \s\, iff there is a successor state \s'\ (with respect to the model + \\\), such that \p\ holds in \s'\. The formula \\<^bold>E\<^bold>F p\ holds in a state + \s\, iff there is a path in \\\, starting from \s\, such that there exists a + state \s'\ on the path, such that \p\ holds in \s'\. The formula \\<^bold>E\<^bold>G p\ + holds in a state \s\, iff there is a path, starting from \s\, such that for + all states \s'\ on the path, \p\ holds in \s'\. It is easy to see that \\<^bold>E\<^bold>F + p\ and \\<^bold>E\<^bold>G p\ may be expressed using least and greatest fixed points + @{cite "McMillan-PhDThesis"}. \ -definition EX ("\ _" [80] 90) - where [simp]: "\ p = {s. \s'. (s, s') \ \ \ s' \ p}" -definition EF ("\ _" [80] 90) - where [simp]: "\ p = lfp (\s. p \ \ s)" -definition EG ("\ _" [80] 90) - where [simp]: "\ p = gfp (\s. p \ \ s)" +definition EX ("\<^bold>E\<^bold>X _" [80] 90) + where [simp]: "\<^bold>E\<^bold>X p = {s. \s'. (s, s') \ \ \ s' \ p}" + +definition EF ("\<^bold>E\<^bold>F _" [80] 90) + where [simp]: "\<^bold>E\<^bold>F p = lfp (\s. p \ \<^bold>E\<^bold>X s)" + +definition EG ("\<^bold>E\<^bold>G _" [80] 90) + where [simp]: "\<^bold>E\<^bold>G p = gfp (\s. p \ \<^bold>E\<^bold>X s)" text \ - \\\, \\\ and \\\ are now defined dually in terms of \\\, - \\\ and \\\. + \\<^bold>A\<^bold>X\, \\<^bold>A\<^bold>F\ and \\<^bold>A\<^bold>G\ are now defined dually in terms of \\<^bold>E\<^bold>X\, + \\<^bold>E\<^bold>F\ and \\<^bold>E\<^bold>G\. \ -definition AX ("\ _" [80] 90) - where [simp]: "\ p = - \ - p" -definition AF ("\ _" [80] 90) - where [simp]: "\ p = - \ - p" -definition AG ("\ _" [80] 90) - where [simp]: "\ p = - \ - p" +definition AX ("\<^bold>A\<^bold>X _" [80] 90) + where [simp]: "\<^bold>A\<^bold>X p = - \<^bold>E\<^bold>X - p" +definition AF ("\<^bold>A\<^bold>F _" [80] 90) + where [simp]: "\<^bold>A\<^bold>F p = - \<^bold>E\<^bold>G - p" +definition AG ("\<^bold>A\<^bold>G _" [80] 90) + where [simp]: "\<^bold>A\<^bold>G p = - \<^bold>E\<^bold>F - p" subsection \Basic fixed point properties\ @@ -114,43 +115,44 @@ by (simp add: lfp_gfp) text \ - In order to give dual fixed point representations of @{term "\ p"} and - @{term "\ p"}: + In order to give dual fixed point representations of @{term "\<^bold>A\<^bold>F p"} and + @{term "\<^bold>A\<^bold>G p"}: \ -lemma AF_lfp: "\ p = lfp (\s. p \ \ s)" - by (simp add: lfp_gfp) -lemma AG_gfp: "\ p = gfp (\s. p \ \ s)" +lemma AF_lfp: "\<^bold>A\<^bold>F p = lfp (\s. p \ \<^bold>A\<^bold>X s)" by (simp add: lfp_gfp) -lemma EF_fp: "\ p = p \ \ \ p" +lemma AG_gfp: "\<^bold>A\<^bold>G p = gfp (\s. p \ \<^bold>A\<^bold>X s)" + by (simp add: lfp_gfp) + +lemma EF_fp: "\<^bold>E\<^bold>F p = p \ \<^bold>E\<^bold>X \<^bold>E\<^bold>F p" proof - - have "mono (\s. p \ \ s)" by rule auto + have "mono (\s. p \ \<^bold>E\<^bold>X s)" by rule auto then show ?thesis by (simp only: EF_def) (rule lfp_unfold) qed -lemma AF_fp: "\ p = p \ \ \ p" +lemma AF_fp: "\<^bold>A\<^bold>F p = p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>F p" proof - - have "mono (\s. p \ \ s)" by rule auto + have "mono (\s. p \ \<^bold>A\<^bold>X s)" by rule auto then show ?thesis by (simp only: AF_lfp) (rule lfp_unfold) qed -lemma EG_fp: "\ p = p \ \ \ p" +lemma EG_fp: "\<^bold>E\<^bold>G p = p \ \<^bold>E\<^bold>X \<^bold>E\<^bold>G p" proof - - have "mono (\s. p \ \ s)" by rule auto + have "mono (\s. p \ \<^bold>E\<^bold>X s)" by rule auto then show ?thesis by (simp only: EG_def) (rule gfp_unfold) qed text \ - From the greatest fixed point definition of @{term "\ p"}, we derive as + From the greatest fixed point definition of @{term "\<^bold>A\<^bold>G p"}, we derive as a consequence of the Knaster-Tarski theorem on the one hand that @{term - "\ p"} is a fixed point of the monotonic function - @{term "\s. p \ \ s"}. + "\<^bold>A\<^bold>G p"} is a fixed point of the monotonic function + @{term "\s. p \ \<^bold>A\<^bold>X s"}. \ -lemma AG_fp: "\ p = p \ \ \ p" +lemma AG_fp: "\<^bold>A\<^bold>G p = p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" proof - - have "mono (\s. p \ \ s)" by rule auto + have "mono (\s. p \ \<^bold>A\<^bold>X s)" by rule auto then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold) qed @@ -159,27 +161,27 @@ of \\\, which is an instance of the overloaded \\\ in Isabelle/HOL). \ -lemma AG_fp_1: "\ p \ p" +lemma AG_fp_1: "\<^bold>A\<^bold>G p \ p" proof - - note AG_fp also have "p \ \ \ p \ p" by auto + note AG_fp also have "p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p \ p" by auto finally show ?thesis . qed -lemma AG_fp_2: "\ p \ \ \ p" +lemma AG_fp_2: "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" proof - - note AG_fp also have "p \ \ \ p \ \ \ p" by auto + note AG_fp also have "p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" by auto finally show ?thesis . qed text \ On the other hand, we have from the Knaster-Tarski fixed point theorem that - any other post-fixed point of @{term "\s. p \ \ s"} is smaller than - @{term "\ p"}. A post-fixed point is a set of states @{term q} such that - @{term "q \ p \ \ q"}. This leads to the following co-induction - principle for @{term "\ p"}. + any other post-fixed point of @{term "\s. p \ \<^bold>A\<^bold>X s"} is smaller than + @{term "\<^bold>A\<^bold>G p"}. A post-fixed point is a set of states \q\ such that @{term + "q \ p \ \<^bold>A\<^bold>X q"}. This leads to the following co-induction principle for + @{term "\<^bold>A\<^bold>G p"}. \ -lemma AG_I: "q \ p \ \ q \ q \ \ p" +lemma AG_I: "q \ p \ \<^bold>A\<^bold>X q \ q \ \<^bold>A\<^bold>G p" by (simp only: AG_gfp) (rule gfp_upperbound) @@ -187,92 +189,91 @@ text \ With the most basic facts available, we are now able to establish a few more - interesting results, leading to the \<^emph>\tree induction\ principle for \\\ + interesting results, leading to the \<^emph>\tree induction\ principle for \\<^bold>A\<^bold>G\ (see below). We will use some elementary monotonicity and distributivity rules. \ -lemma AX_int: "\ (p \ q) = \ p \ \ q" by auto -lemma AX_mono: "p \ q \ \ p \ \ q" by auto -lemma AG_mono: "p \ q \ \ p \ \ q" - by (simp only: AG_gfp, rule gfp_mono) auto +lemma AX_int: "\<^bold>A\<^bold>X (p \ q) = \<^bold>A\<^bold>X p \ \<^bold>A\<^bold>X q" by auto +lemma AX_mono: "p \ q \ \<^bold>A\<^bold>X p \ \<^bold>A\<^bold>X q" by auto +lemma AG_mono: "p \ q \ \<^bold>A\<^bold>G p \ \<^bold>A\<^bold>G q" + by (simp only: AG_gfp, rule gfp_mono) auto text \ The formula @{term "AG p"} implies @{term "AX p"} (we use substitution of \\\ with monotonicity). \ -lemma AG_AX: "\ p \ \ p" +lemma AG_AX: "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>X p" proof - - have "\ p \ \ \ p" by (rule AG_fp_2) - also have "\ p \ p" by (rule AG_fp_1) + have "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" by (rule AG_fp_2) + also have "\<^bold>A\<^bold>G p \ p" by (rule AG_fp_1) moreover note AX_mono finally show ?thesis . qed text \ - Furthermore we show idempotency of the \\\ operator. The proof is a good + Furthermore we show idempotency of the \\<^bold>A\<^bold>G\ operator. The proof is a good example of how accumulated facts may get used to feed a single rule step. \ -lemma AG_AG: "\ \ p = \ p" +lemma AG_AG: "\<^bold>A\<^bold>G \<^bold>A\<^bold>G p = \<^bold>A\<^bold>G p" proof - show "\ \ p \ \ p" by (rule AG_fp_1) + show "\<^bold>A\<^bold>G \<^bold>A\<^bold>G p \ \<^bold>A\<^bold>G p" by (rule AG_fp_1) next - show "\ p \ \ \ p" + show "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>G \<^bold>A\<^bold>G p" proof (rule AG_I) - have "\ p \ \ p" .. - moreover have "\ p \ \ \ p" by (rule AG_fp_2) - ultimately show "\ p \ \ p \ \ \ p" .. + have "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>G p" .. + moreover have "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" by (rule AG_fp_2) + ultimately show "\<^bold>A\<^bold>G p \ \<^bold>A\<^bold>G p \ \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" .. qed qed text \ \<^smallskip> - We now give an alternative characterization of the \\\ operator, which - describes the \\\ operator in an ``operational'' way by tree induction: - In a state holds @{term "AG p"} iff in that state holds @{term p}, and in - all reachable states @{term s} follows from the fact that @{term p} holds in - @{term s}, that @{term p} also holds in all successor states of @{term s}. - We use the co-induction principle @{thm [source] AG_I} to establish this in - a purely algebraic manner. + We now give an alternative characterization of the \\<^bold>A\<^bold>G\ operator, which + describes the \\<^bold>A\<^bold>G\ operator in an ``operational'' way by tree induction: + In a state holds @{term "AG p"} iff in that state holds \p\, and in all + reachable states \s\ follows from the fact that \p\ holds in \s\, that \p\ + also holds in all successor states of \s\. We use the co-induction principle + @{thm [source] AG_I} to establish this in a purely algebraic manner. \ -theorem AG_induct: "p \ \ (p \