From jasuja@iris  Wed May 23 19:40:50 1990
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA08135; Wed, 23 May 90 19:40:50 PDT
Received: from iris.ucdavis.edu by clover.ucdavis.edu (5.59/UCD.EECS.1.11)
        id AA05624; Wed, 23 May 90 19:44:35 PDT
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA08114; Wed, 23 May 90 19:40:09 PDT
Message-Id: <9005240240.AA08114@iris.ucdavis.edu>
To: Ramayya Kumar <kumar%ira.uka.de@RELAY.CS.NET>
Cc: info-hol@CLOVER.UCDAVIS.EDU
Subject: Re: Temporal Operators
In-Reply-To: Your message of Wed, 23 May 90 18:00:07 +0700.
             <9005231612.AA21742@clover.ucdavis.edu>
Date: Wed, 23 May 90 19:40:05 PDT
From: Amit Jasuja <jasuja@iris>

Don't know how much this will help, but I've codified Manna and Pnueli's
definitions and axioms for temporal logic in HOL.  For more explanantions
about the logic refer to the original papers by them.  How these
definitions can be used for specifying circuit elements - even I'm working
on the same problem, and would love to have some feedback.  The file that
follows is quite simple to understand.

%----------------------------------------------------------------
definitions of a temporal framework for verification

author: amit jasuja
date: 22 may, 1990
based on: manna and pnueli - verification of concurrent programs:
a temporal proof system (proc. of the 4th school of advanced
programming - amsterdam.
----------------------------------------------------------------%
%----------------------------------------------------------------

new_theory `temporal`;;

loadf `/usr/hol/ml/unwind.ml`;;

loadf `/usr/hol/ml/extras.ml`;;

----------------------------------------------------------------%

let henceforth = new_definition (`henceforth`,
"!(w:num->bool) (t:num). henceforth w t =
  (!(t1:num). (t <= t1) ==> w t1)");;

let eventually = new_definition (`eventually`,
"!(w:num->bool) (t:num). eventually w t =
  (?(t1:num). (t <= t1) /\ (w t1))");;

let next = new_definition (`next`,
"!(w:num->bool) (t:num). next w t = w(SUC t)");;

let until = new_definition (`until`,
"!(w1 w2:num->bool) (t:num). until w1 w2 t =
  (?(t1:num). (t <= t1) /\ (w2 t1) /\
              (!(t2:num). ((t <= t2) /\ (t2 < t1)) ==> (w1 t2)))");;

%----------------------------------------------------------------
define a new set of temporal connectives
----------------------------------------------------------------%

let Not = new_definition (`Not`,
"!(w:num->bool) (t:num). Not w t = ~(w t)");;

let Imp = new_definition (`Imp`,
"!(w1 w2:num->bool) (t:num). Imp w1 w2 t = ((w1 t) ==> (w2 t))");;

let And = new_definition (`And`,
"!(w1 w2:num->bool) (t:num). And w1 w2 t = ((w1 t) /\ (w2 t))");;

let Or = new_definition (`Or`,
"!(w1 w2:num->bool) (t:num). Or w1 w2 t = ((w1 t) \/ (w2 t))");;

%----------------------------------------------------------------
useful lemmas
----------------------------------------------------------------%

let lemma1 = prove_thm (`lemma1`,
"!a b. (~a = b) = (a = ~b)",
REPEAT GEN_TAC
THEN BOOL_CASES_TAC "a:bool"
THEN REWRITE_TAC []);;

let lemma2 = prove_thm (`lemma2`,
"!a b c. (a ==> b ==> c) = ((a /\ b) ==> c)",
REPEAT GEN_TAC
THEN BOOL_CASES_TAC "a:bool" THEN REWRITE_TAC[]);;

let lemma3 = prove_thm (`lemma3`,
"!a b. ((a ==> b) /\ a) = a /\ b",
REPEAT GEN_TAC
THEN BOOL_CASES_TAC "a:bool" THEN REWRITE_TAC[]);;

let lemma4 = prove_thm(`lemma4`,
"!a b c. (a <= b) /\ (b <= c) ==> (a <= c)",
REPEAT GEN_TAC
THEN REWRITE_TAC[LESS_OR_EQ]
THEN STRIP_TAC THEN ASM_REWRITE_TAC[LESS_TRANS]
THENL [
  MP_TAC (SPECL ["a:num";"b:num";"c:num"] LESS_TRANS)
  THEN ASM_REWRITE_TAC[OR_INTRO_THM1]
  ;
  ASSUM_LIST (\thms. (REWRITE_TAC[SYM_RULE (el 1 thms)]))
  THEN ASM_REWRITE_TAC[]
  ]);;

let lemma5 = prove_thm(`lemma5`,
"!n. 0 <= n",
REWRITE_TAC[LESS_OR_EQ;(ONCE_REWRITE_RULE [DISJ_SYM] LESS_0_CASES)]);;

let lemma6 = prove_thm(`lemma6`,
"!m n. (SUC m) <= n ==> m <= n",
REPEAT GEN_TAC
THEN STRIP_TAC
THEN ASSUME_TAC OR_LESS
THEN RES_TAC
THEN ASM_REWRITE_TAC[LESS_OR_EQ]);;

%----------------------------------------------------------------
ax1: eventually and henceforth are duals.
----------------------------------------------------------------%

let A1 = prove_thm (`A1`,
"!w t. (Not (eventually w) t) = (henceforth (Not w) t)",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[eventually;henceforth;Not]
THEN depth_conv_tac NOT_EXISTS_CONV
THEN FORALL_EQ_TAC
THEN REWRITE_TAC[DE_MORGAN_THM;IMP_DISJ_THM]);;

let A1_INV = prove_thm (`A1_INV`,
"!w t. (Not (henceforth w) t) = (eventually (Not w) t)",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[eventually;henceforth;Not]
THEN ONCE_REWRITE_TAC[lemma1]
THEN depth_conv_tac NOT_EXISTS_CONV
THEN FORALL_EQ_TAC
THEN REWRITE_TAC[DE_MORGAN_THM;IMP_DISJ_THM]);;

%----------------------------------------------------------------
ax2: if universally w1 implies w2, then if henceforth w1 is true,
     then so is w2.
----------------------------------------------------------------%

let A2 = prove_thm(`A2`,
"!w1 w2 t. (Imp (henceforth (Imp w1 w2))
                (Imp (henceforth w1) (henceforth w2))
                 t)",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[henceforth;Imp]
THEN REWRITE_TAC [lemma2]
THEN REPEAT STRIP_TAC
THEN RES_TAC);;

%----------------------------------------------------------------
ax3: henceforth implies true
----------------------------------------------------------------%

let A3 = prove_thm(`A3`,
"!w t. (Imp (henceforth w) w t)",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[henceforth;Imp]
THEN STRIP_GOAL_THEN MATCH_MP_TAC
THEN REWRITE_TAC[LESS_OR_EQ]);;

%----------------------------------------------------------------
ax4: duality of next.
----------------------------------------------------------------%

let A4 = prove_thm(`A4`,
"!w t. (Not (next w) t) = (next (Not w) t)",
REPEAT GEN_TAC
THEN REWRITE_TAC[next;Not]);;

%----------------------------------------------------------------
ax5: analogue of ax2 for the next operator
----------------------------------------------------------------%

let A5 = prove_thm (`A5`,
"!w1 w2 t. (Imp (next (Imp w1 w2)) (Imp (next w1) (next w2)) t)",
REPEAT GEN_TAC
THEN REWRITE_TAC[next;Imp]);;

%----------------------------------------------------------------
ax6: henceforth implies next
----------------------------------------------------------------%

let A6 = prove_thm (`A6`,
"!w t. Imp (henceforth w) (next w) t",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[henceforth;next;Imp]
THEN STRIP_GOAL_THEN MATCH_MP_TAC
THEN REWRITE_TAC[LESS_EQ_SUC_REFL]);;

%----------------------------------------------------------------
ax7: henceforth implies henceforth after the next instant also.
----------------------------------------------------------------%

let A7 = prove_thm(`A7`,
"!w t. Imp (henceforth w) (next (henceforth w)) t",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[Imp;next;henceforth]
THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\thms. (MATCH_MP_TAC (el 2 thms)))
THEN MATCH_MP_TAC (SPECL ["t:num";"SUC t";"t1:num"] lemma4)
THEN ASM_REWRITE_TAC[LESS_EQ_SUC_REFL]);;

%----------------------------------------------------------------
ax8: computational induction axiom - if property is inherited over
     one step transitions, then it is invariant over any suffix
     sequence whose first state satisfies 'w'.
----------------------------------------------------------------%

let A8 = prove_thm(`A8`,
"!w t. (Imp (henceforth (Imp w (next w))) (Imp w (henceforth w)) t)",
PURE_REWRITE_TAC[Imp;henceforth;next]
THEN GEN_TAC
THEN INDUCT_TAC
THENL [
  REWRITE_TAC[lemma5;lemma2;(ONCE_REWRITE_RULE [CONJ_SYM] INDUCTION)]
  ;
  STRIP_TAC
  THEN STRIP_TAC
  THEN INDUCT_TAC
  THENL [
    REWRITE_TAC[LESS_OR_EQ;NOT_LESS_0;NOT_SUC]
    ;
    REWRITE_TAC[LESS_OR_EQ;LESS_MONO_EQ;INV_SUC_EQ]
    THEN ASM_CASES_TAC "(SUC t) <= t1"
    THEN RES_TAC
    THEN ASM_REWRITE_TAC[]
    THEN ASSUM_LIST (\thms. (ASM_REWRITE_TAC [
      REWRITE_RULE [SYM_RULE LESS_EQ] (el 1 thms)]))
    THEN STRIP_TAC
    THEN ASSUM_LIST (\thms. (ACCEPT_TAC (
     REWRITE_RULE [(el 1 thms)] (el 4 thms))))
    ]
  ]);;

%----------------------------------------------------------------
ax9: characterizes the until operator by distributing the effect
     into what is implied by the present instant and the next instant.
----------------------------------------------------------------%

let A9 = prove_thm(`A9`,
"!w1 w2 t. until w1 w2 t = (Or w2 (And w1 (next (until w1 w2)))) t",
PURE_REWRITE_TAC[until;Or;And;next]
THEN REPEAT GEN_TAC
THEN EQ_TAC
THEN STRIP_TAC
THENL [
  ASM_CASES_TAC "t < t1"
  THENL [
    MATCH_MP_TAC OR_INTRO_THM2
    THEN ASSUM_LIST (\thms. (ASM_REWRITE_TAC [
      (REWRITE_RULE[LESS_EQ_REFL;(el 1 thms)] (SPEC "t:num" (el 2 thms)))]))
    THEN EXISTS_TAC "t1:num"
    THEN ASM_REWRITE_TAC[SYM_RULE LESS_EQ]
    THEN REPEAT STRIP_TAC
    THEN ASSUM_LIST (\thms. (ACCEPT_TAC
      (REWRITE_RULE[LESS_OR_EQ;(el 1 thms);(el 2 thms)]
         (SPEC "t2:num" (el 4 thms)))))
    ;
    ASSUM_LIST (\thms. (ASM_REWRITE_TAC[
      (REWRITE_RULE[(el 1 thms);LESS_OR_EQ] (el 4 thms))]))
    ]
  ;
  EXISTS_TAC "t:num"
  THEN ASM_REWRITE_TAC[LESS_EQ_REFL;
     (ONCE_REWRITE_RULE[CONJ_SYM]LESS_EQ_ANTISYM)]
  ;
  EXISTS_TAC "t1:num"
  THEN ASSUME_TAC lemma6
  THEN RES_TAC
  THEN ASM_REWRITE_TAC[LESS_OR_EQ]
  THEN REPEAT STRIP_TAC
  THENL [
    ASSUME_TAC LESS_SUC_EQ
    THEN RES_TAC
    ;
    ASSUM_LIST (\thms. (PURE_REWRITE_TAC[
      SYM_RULE (el 2 thms);(el 9 thms)]))
    ]
  ]);;

%----------------------------------------------------------------
ax10: until implies eventually the terminating condition will be
      true.
----------------------------------------------------------------%

let A10 = prove_thm(`A10`,
"!w1 w2 t. Imp (until w1 w2) (eventually w2) t",
PURE_REWRITE_TAC[Imp;until;eventually]
THEN REPEAT GEN_TAC
THEN STRIP_TAC
THEN EXISTS_TAC "t1:num"
THEN ASM_REWRITE_TAC[]);;

