Theory Invariants
section "Reachability and Invariance"
theory Invariants
imports Lib TransitionSystems
subsection Reachability
text ‹
A state is `reachable' under @{term I} if either it is the initial state, or it is the
destination of a transition whose action satisfies @{term I} from a reachable state.
The `standard' definition of reachability is recovered by setting @{term I} to @{term TT}.
inductive_set reachable
for A :: "('s, 'a) automaton"
and I :: "'a ⇒ bool"
reachable_init: "s ∈ init A ⟹ s ∈ reachable A I"
| reachable_step: "⟦ s ∈ reachable A I; (s, a, s') ∈ trans A; I a ⟧ ⟹ s' ∈ reachable A I"
inductive_cases reachable_icases: "s ∈ reachable A I"
lemma reachable_pair_induct [consumes, case_names init step]:
assumes "(ξ, p) ∈ reachable A I"
and "⋀ξ p. (ξ, p) ∈ init A ⟹ P ξ p"
and "(⋀ξ p ξ' p' a. ⟦ (ξ, p) ∈ reachable A I; P ξ p;
((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧ ⟹ P ξ' p')"
shows "P ξ p"
using assms(1) proof (induction "(ξ, p)" arbitrary: ξ p)
fix ξ p
assume "(ξ, p) ∈ init A"
with assms(2) show "P ξ p" .
fix s a ξ' p'
assume "s ∈ reachable A I"
and tr: "(s, a, (ξ', p')) ∈ trans A"
and "I a"
and IH: "⋀ξ p. s = (ξ, p) ⟹ P ξ p"
from this(1) obtain ξ p where "s = (ξ, p)"
and "(ξ, p) ∈ reachable A I"
by (metis prod.collapse)
note this(2)
moreover from IH and ‹s = (ξ, p)› have "P ξ p" .
moreover from tr and ‹s = (ξ, p)› have "((ξ, p), a, (ξ', p')) ∈ trans A" by simp
ultimately show "P ξ' p'"
using ‹I a› by (rule assms(3))
lemma reachable_weakenE [elim]:
assumes "s ∈ reachable A P"
and PQ: "⋀a. P a ⟹ Q a"
shows "s ∈ reachable A Q"
using assms(1)
proof (induction)
fix s assume "s ∈ init A"
thus "s ∈ reachable A Q" ..
fix s a s'
assume "s ∈ reachable A P"
and "s ∈ reachable A Q"
and "(s, a, s') ∈ trans A"
and "P a"
from ‹P a› have "Q a" by (rule PQ)
with ‹s ∈ reachable A Q› and ‹(s, a, s') ∈ trans A› show "s' ∈ reachable A Q" ..
lemma reachable_weaken_TT [elim]:
assumes "s ∈ reachable A I"
shows "s ∈ reachable A TT"
using assms by rule simp
lemma init_empty_reachable_empty:
assumes "init A = {}"
shows "reachable A I = {}"
proof (rule ccontr)
assume "reachable A I ≠ {}"
then obtain s where "s ∈ reachable A I" by auto
thus False
proof (induction rule: reachable.induct)
fix s
assume "s ∈ init A"
with ‹init A = {}› show False by simp
subsection Invariance
definition invariant
:: "('s, 'a) automaton ⇒ ('a ⇒ bool) ⇒ ('s ⇒ bool) ⇒ bool"
(‹_ ⊫ (1'(_ →')/ _)› [100, 0, 9] 8)
"(A ⊫ (I →) P) = (∀s∈reachable A I. P s)"
:: "('s, 'a) automaton ⇒ ('s ⇒ bool) ⇒ bool"
(‹_ ⊫ _› [100, 9] 8)
"(A ⊫ P) ≡ (A ⊫ (TT →) P)"
lemma invariantI [intro]:
assumes init: "⋀s. s ∈ init A ⟹ P s"
and step: "⋀s a s'. ⟦ s ∈ reachable A I; P s; (s, a, s') ∈ trans A; I a ⟧ ⟹ P s'"
shows "A ⊫ (I →) P"
unfolding invariant_def
fix s
assume "s ∈ reachable A I"
thus "P s"
proof induction
fix s assume "s ∈ init A"
thus "P s" by (rule init)
fix s a s'
assume "s ∈ reachable A I"
and "P s"
and "(s, a, s') ∈ trans A"
and "I a"
thus "P s'" by (rule step)
lemma invariant_pairI [intro]:
assumes init: "⋀ξ p. (ξ, p) ∈ init A ⟹ P (ξ, p)"
and step: "⋀ξ p ξ' p' a.
⟦ (ξ, p) ∈ reachable A I; P (ξ, p); ((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧
⟹ P (ξ', p')"
shows "A ⊫ (I →) P"
using assms by auto
lemma invariant_arbitraryI:
assumes "⋀s. s ∈ reachable A I ⟹ P s"
shows "A ⊫ (I →) P"
using assms unfolding invariant_def by simp
lemma invariantD [dest]:
assumes "A ⊫ (I →) P"
and "s ∈ reachable A I"
shows "P s"
using assms unfolding invariant_def by blast
lemma invariant_initE [elim]:
assumes invP: "A ⊫ (I →) P"
and init: "s ∈ init A"
shows "P s"
proof -
from init have "s ∈ reachable A I" ..
with invP show ?thesis ..
lemma invariant_weakenE [elim]:
fixes T σ P Q
assumes invP: "A ⊫ (PI →) P"
and PQ: "⋀s. P s ⟹ Q s"
and QIPI: "⋀a. QI a ⟹ PI a"
shows "A ⊫ (QI →) Q"
fix s
assume "s ∈ init A"
with invP have "P s" ..
thus "Q s" by (rule PQ)
fix s a s'
assume "s ∈ reachable A QI"
and "(s, a, s') ∈ trans A"
and "QI a"
from ‹QI a› have "PI a" by (rule QIPI)
from ‹s ∈ reachable A QI› and QIPI have "s ∈ reachable A PI" ..
hence "s' ∈ reachable A PI" using ‹(s, a, s') ∈ trans A› and ‹PI a› ..
with invP have "P s'" ..
thus "Q s'" by (rule PQ)
:: "('s, 'a) automaton ⇒ ('a ⇒ bool) ⇒ (('s, 'a) transition ⇒ bool) ⇒ bool"
(‹_ ⊫⇩A (1'(_ →')/ _)› [100, 0, 0] 8)
"(A ⊫⇩A (I →) P) = (∀a. I a ⟶ (∀s∈reachable A I. (∀s'.(s, a, s') ∈ trans A ⟶ P (s, a, s'))))"
lemma invariant_restrict_inD [dest]:
assumes "A ⊫ (TT →) P"
shows "A ⊫ (QI →) P"
using assms by auto
:: "('s, 'a) automaton ⇒ (('s, 'a) transition ⇒ bool) ⇒ bool"
(‹_ ⊫⇩A _› [100, 9] 8)
"(A ⊫⇩A P) ≡ (A ⊫⇩A (TT →) P)"
lemma step_invariant_true:
"p ⊫⇩A (λ(s, a, s'). True)"
unfolding step_invariant_def by simp
lemma step_invariantI [intro]:
assumes *: "⋀s a s'. ⟦ s∈reachable A I; (s, a, s')∈trans A; I a ⟧ ⟹ P (s, a, s')"
shows "A ⊫⇩A (I →) P"
unfolding step_invariant_def
using assms by auto
lemma step_invariantD [dest]:
assumes "A ⊫⇩A (I →) P"
and "s∈reachable A I"
and "(s, a, s') ∈ trans A"
and "I a"
shows "P (s, a, s')"
using assms unfolding step_invariant_def by blast
lemma step_invariantE [elim]:
fixes T σ P I s a s'
assumes "A ⊫⇩A (I →) P"
and "s∈reachable A I"
and "(s, a, s') ∈ trans A"
and "I a"
and "P (s, a, s') ⟹ Q"
shows "Q"
using assms by auto
lemma step_invariant_pairI [intro]:
assumes *: "⋀ξ p ξ' p' a.
⟦ (ξ, p) ∈ reachable A I; ((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧
⟹ P ((ξ, p), a, (ξ', p'))"
shows "A ⊫⇩A (I →) P"
using assms by auto
lemma step_invariant_arbitraryI:
assumes "⋀ξ p a ξ' p'. ⟦ (ξ, p) ∈ reachable A I; ((ξ, p), a, (ξ', p')) ∈ trans A; I a ⟧
⟹ P ((ξ, p), a, (ξ', p'))"
shows "A ⊫⇩A (I →) P"
using assms by auto
lemma step_invariant_weakenE [elim!]:
fixes T σ P Q
assumes invP: "A ⊫⇩A (PI →) P"
and PQ: "⋀t. P t ⟹ Q t"
and QIPI: "⋀a. QI a ⟹ PI a"
shows "A ⊫⇩A (QI →) Q"
fix s a s'
assume "s ∈ reachable A QI"
and "(s, a, s') ∈ trans A"
and "QI a"
from ‹QI a› have "PI a" by (rule QIPI)
from ‹s ∈ reachable A QI› have "s ∈ reachable A PI" using QIPI ..
with invP have "P (s, a, s')" using ‹(s, a, s') ∈ trans A› ‹PI a› ..
thus "Q (s, a, s')" by (rule PQ)
lemma step_invariant_weaken_with_invariantE [elim]:
assumes pinv: "A ⊫ (I →) P"
and qinv: "A ⊫⇩A (I →) Q"
and wr: "⋀s a s'. ⟦ P s; P s'; Q (s, a, s'); I a ⟧ ⟹ R (s, a, s')"
shows "A ⊫⇩A (I →) R"
fix s a s'
assume sr: "s ∈ reachable A I"
and tr: "(s, a, s') ∈ trans A"
and "I a"
hence "s' ∈ reachable A I" ..
with pinv have "P s'" ..
from pinv and sr have "P s" ..
from qinv sr tr ‹I a› have "Q (s, a, s')" ..
with ‹P s› and ‹P s'› show "R (s, a, s')" using ‹I a› by (rule wr)
lemma step_to_invariantI:
assumes sinv: "A ⊫⇩A (I →) Q"
and init: "⋀s. s ∈ init A ⟹ P s"
and step: "⋀s s' a.
⟦ s ∈ reachable A I;
P s;
Q (s, a, s');
I a ⟧ ⟹ P s'"
shows "A ⊫ (I →) P"
fix s assume "s ∈ init A" thus "P s" by (rule init)
fix s s' a
assume "s ∈ reachable A I"
and "P s"
and "(s, a, s') ∈ trans A"
and "I a"
show "P s'"
proof -
from sinv and ‹s∈reachable A I› and ‹(s, a, s')∈trans A› and ‹I a› have "Q (s, a, s')" ..
with ‹s∈reachable A I› and ‹P s› show "P s'" using ‹I a› by (rule step)