Theory Invariants
section "Reachability and Invariance"
theory Invariants
imports Lib TransitionSystems
begin
subsection Reachability
text ‹
A state is `reachable' under @{term I} if either it is the initial state, or it is the
destination of a transition whose action satisfies @{term I} from a reachable state.
The `standard' definition of reachability is recovered by setting @{term I} to @{term TT}.
›
inductive_set reachable
for A :: "('s, 'a) automaton"
and I :: "'a ⇒ bool"
where
reachable_init: "s ∈ init A ⟹ s ∈ reachable A I"
| reachable_step: "⟦ s ∈ reachable A I; (s, a, s') ∈ trans A; I a ⟧ ⟹ s' ∈ reachable A I"
inductive_cases reachable_icases: "s ∈ reachable A I"
lemma reachable_pair_induct [consumes, case_names init step]:
assumes "(ξ, p) ∈ reachable A I"
and "⋀ξ p. (ξ, p) ∈ init A ⟹ P ξ p"
and "(⋀ξ p ξ' p' a. ⟦ (ξ, p) ∈ reachable A I; P ξ p;
((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧ ⟹ P ξ' p')"
shows "P ξ p"
using assms(1) proof (induction "(ξ, p)" arbitrary: ξ p)
fix ξ p
assume "(ξ, p) ∈ init A"
with assms(2) show "P ξ p" .
next
fix s a ξ' p'
assume "s ∈ reachable A I"
and tr: "(s, a, (ξ', p')) ∈ trans A"
and "I a"
and IH: "⋀ξ p. s = (ξ, p) ⟹ P ξ p"
from this(1) obtain ξ p where "s = (ξ, p)"
and "(ξ, p) ∈ reachable A I"
by (metis prod.collapse)
note this(2)
moreover from IH and ‹s = (ξ, p)› have "P ξ p" .
moreover from tr and ‹s = (ξ, p)› have "((ξ, p), a, (ξ', p')) ∈ trans A" by simp
ultimately show "P ξ' p'"
using ‹I a› by (rule assms(3))
qed
lemma reachable_weakenE [elim]:
assumes "s ∈ reachable A P"
and PQ: "⋀a. P a ⟹ Q a"
shows "s ∈ reachable A Q"
using assms(1)
proof (induction)
fix s assume "s ∈ init A"
thus "s ∈ reachable A Q" ..
next
fix s a s'
assume "s ∈ reachable A P"
and "s ∈ reachable A Q"
and "(s, a, s') ∈ trans A"
and "P a"
from ‹P a› have "Q a" by (rule PQ)
with ‹s ∈ reachable A Q› and ‹(s, a, s') ∈ trans A› show "s' ∈ reachable A Q" ..
qed
lemma reachable_weaken_TT [elim]:
assumes "s ∈ reachable A I"
shows "s ∈ reachable A TT"
using assms by rule simp
lemma init_empty_reachable_empty:
assumes "init A = {}"
shows "reachable A I = {}"
proof (rule ccontr)
assume "reachable A I ≠ {}"
then obtain s where "s ∈ reachable A I" by auto
thus False
proof (induction rule: reachable.induct)
fix s
assume "s ∈ init A"
with ‹init A = {}› show False by simp
qed
qed
subsection Invariance
definition invariant
:: "('s, 'a) automaton ⇒ ('a ⇒ bool) ⇒ ('s ⇒ bool) ⇒ bool"
(‹_ ⊫ (1'(_ →')/ _)› [100, 0, 9] 8)
where
"(A ⊫ (I →) P) = (∀s∈reachable A I. P s)"
abbreviation
any_invariant
:: "('s, 'a) automaton ⇒ ('s ⇒ bool) ⇒ bool"
(‹_ ⊫ _› [100, 9] 8)
where
"(A ⊫ P) ≡ (A ⊫ (TT →) P)"
lemma invariantI [intro]:
assumes init: "⋀s. s ∈ init A ⟹ P s"
and step: "⋀s a s'. ⟦ s ∈ reachable A I; P s; (s, a, s') ∈ trans A; I a ⟧ ⟹ P s'"
shows "A ⊫ (I →) P"
unfolding invariant_def
proof
fix s
assume "s ∈ reachable A I"
thus "P s"
proof induction
fix s assume "s ∈ init A"
thus "P s" by (rule init)
next
fix s a s'
assume "s ∈ reachable A I"
and "P s"
and "(s, a, s') ∈ trans A"
and "I a"
thus "P s'" by (rule step)
qed
qed
lemma invariant_pairI [intro]:
assumes init: "⋀ξ p. (ξ, p) ∈ init A ⟹ P (ξ, p)"
and step: "⋀ξ p ξ' p' a.
⟦ (ξ, p) ∈ reachable A I; P (ξ, p); ((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧
⟹ P (ξ', p')"
shows "A ⊫ (I →) P"
using assms by auto
lemma invariant_arbitraryI:
assumes "⋀s. s ∈ reachable A I ⟹ P s"
shows "A ⊫ (I →) P"
using assms unfolding invariant_def by simp
lemma invariantD [dest]:
assumes "A ⊫ (I →) P"
and "s ∈ reachable A I"
shows "P s"
using assms unfolding invariant_def by blast
lemma invariant_initE [elim]:
assumes invP: "A ⊫ (I →) P"
and init: "s ∈ init A"
shows "P s"
proof -
from init have "s ∈ reachable A I" ..
with invP show ?thesis ..
qed
lemma invariant_weakenE [elim]:
fixes T σ P Q
assumes invP: "A ⊫ (PI →) P"
and PQ: "⋀s. P s ⟹ Q s"
and QIPI: "⋀a. QI a ⟹ PI a"
shows "A ⊫ (QI →) Q"
proof
fix s
assume "s ∈ init A"
with invP have "P s" ..
thus "Q s" by (rule PQ)
next
fix s a s'
assume "s ∈ reachable A QI"
and "(s, a, s') ∈ trans A"
and "QI a"
from ‹QI a› have "PI a" by (rule QIPI)
from ‹s ∈ reachable A QI› and QIPI have "s ∈ reachable A PI" ..
hence "s' ∈ reachable A PI" using ‹(s, a, s') ∈ trans A› and ‹PI a› ..
with invP have "P s'" ..
thus "Q s'" by (rule PQ)
qed
definition
step_invariant
:: "('s, 'a) automaton ⇒ ('a ⇒ bool) ⇒ (('s, 'a) transition ⇒ bool) ⇒ bool"
(‹_ ⊫⇩A (1'(_ →')/ _)› [100, 0, 0] 8)
where
"(A ⊫⇩A (I →) P) = (∀a. I a ⟶ (∀s∈reachable A I. (∀s'.(s, a, s') ∈ trans A ⟶ P (s, a, s'))))"
lemma invariant_restrict_inD [dest]:
assumes "A ⊫ (TT →) P"
shows "A ⊫ (QI →) P"
using assms by auto
abbreviation
any_step_invariant
:: "('s, 'a) automaton ⇒ (('s, 'a) transition ⇒ bool) ⇒ bool"
(‹_ ⊫⇩A _› [100, 9] 8)
where
"(A ⊫⇩A P) ≡ (A ⊫⇩A (TT →) P)"
lemma step_invariant_true:
"p ⊫⇩A (λ(s, a, s'). True)"
unfolding step_invariant_def by simp
lemma step_invariantI [intro]:
assumes *: "⋀s a s'. ⟦ s∈reachable A I; (s, a, s')∈trans A; I a ⟧ ⟹ P (s, a, s')"
shows "A ⊫⇩A (I →) P"
unfolding step_invariant_def
using assms by auto
lemma step_invariantD [dest]:
assumes "A ⊫⇩A (I →) P"
and "s∈reachable A I"
and "(s, a, s') ∈ trans A"
and "I a"
shows "P (s, a, s')"
using assms unfolding step_invariant_def by blast
lemma step_invariantE [elim]:
fixes T σ P I s a s'
assumes "A ⊫⇩A (I →) P"
and "s∈reachable A I"
and "(s, a, s') ∈ trans A"
and "I a"
and "P (s, a, s') ⟹ Q"
shows "Q"
using assms by auto
lemma step_invariant_pairI [intro]:
assumes *: "⋀ξ p ξ' p' a.
⟦ (ξ, p) ∈ reachable A I; ((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧
⟹ P ((ξ, p), a, (ξ', p'))"
shows "A ⊫⇩A (I →) P"
using assms by auto
lemma step_invariant_arbitraryI:
assumes "⋀ξ p a ξ' p'. ⟦ (ξ, p) ∈ reachable A I; ((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧
⟹ P ((ξ, p), a, (ξ', p'))"
shows "A ⊫⇩A (I →) P"
using assms by auto
lemma step_invariant_weakenE [elim!]:
fixes T σ P Q
assumes invP: "A ⊫⇩A (PI →) P"
and PQ: "⋀t. P t ⟹ Q t"
and QIPI: "⋀a. QI a ⟹ PI a"
shows "A ⊫⇩A (QI →) Q"
proof
fix s a s'
assume "s ∈ reachable A QI"
and "(s, a, s') ∈ trans A"
and "QI a"
from ‹QI a› have "PI a" by (rule QIPI)
from ‹s ∈ reachable A QI› have "s ∈ reachable A PI" using QIPI ..
with invP have "P (s, a, s')" using ‹(s, a, s') ∈ trans A› ‹PI a› ..
thus "Q (s, a, s')" by (rule PQ)
qed
lemma step_invariant_weaken_with_invariantE [elim]:
assumes pinv: "A ⊫ (I →) P"
and qinv: "A ⊫⇩A (I →) Q"
and wr: "⋀s a s'. ⟦ P s; P s'; Q (s, a, s'); I a ⟧ ⟹ R (s, a, s')"
shows "A ⊫⇩A (I →) R"
proof
fix s a s'
assume sr: "s ∈ reachable A I"
and tr: "(s, a, s') ∈ trans A"
and "I a"
hence "s' ∈ reachable A I" ..
with pinv have "P s'" ..
from pinv and sr have "P s" ..
from qinv sr tr ‹I a› have "Q (s, a, s')" ..
with ‹P s› and ‹P s'› show "R (s, a, s')" using ‹I a› by (rule wr)
qed
lemma step_to_invariantI:
assumes sinv: "A ⊫⇩A (I →) Q"
and init: "⋀s. s ∈ init A ⟹ P s"
and step: "⋀s s' a.
⟦ s ∈ reachable A I;
P s;
Q (s, a, s');
I a ⟧ ⟹ P s'"
shows "A ⊫ (I →) P"
proof
fix s assume "s ∈ init A" thus "P s" by (rule init)
next
fix s s' a
assume "s ∈ reachable A I"
and "P s"
and "(s, a, s') ∈ trans A"
and "I a"
show "P s'"
proof -
from sinv and ‹s∈reachable A I› and ‹(s, a, s')∈trans A› and ‹I a› have "Q (s, a, s')" ..
with ‹s∈reachable A I› and ‹P s› show "P s'" using ‹I a› by (rule step)
qed
qed
end