I'm wondering if the CTL formulas below are equivalent and if so, can you help me persuade myself that they are?
A(p U ( A(q U r) )) = A(A(p U q) U r)
I can't come up with any models that contradicts it and my guts tells me the formulas are equivalent but I can't find any equivalences that supports that statement. I've tried to rewrite the equivalence
A(p U q) == not(E ((not q) U not(p or q)) or EG (not q))
into something helpful but failed several times.
I've looked through my course material as well as google but I can't find anything. I did however find another question here that has the same equivalence question but with no answer, so I'm trying to make a second try.
Note: this answer might be late.
However, since the question was raised multiple times, I think it's still useful.
Question: Is A[p U A[q U r]] equivalent to A[A[p U q] U r]?
Answer: no.
To prove that the inequality stands, it is sufficient to provide a single Kripke Structure s.t. A[p U A[q U r]] is verified but A[A[p U q] U r] is not (or the converse).
Now, for simplicity, we assume to deal with a Kripke Structure in which every state has only one possible future state. Therefore, we can forget about the A modifier and consider the LTL version of the given problem: is [p U [q U r]] equivalent to [[p U q] U r]?.
Let's break down [p U [q U r]]:
[q U r] is true on paths which match the expression {q}*{r}
[p U [q U r]] is true on paths that mach {p}*{[q U r]} = {p}*{q}*{r}
What about [[p U q] U r]?
[p U q] is true on paths which match the expression {p}*{q}
[[p U q] U r] is true on paths that mach {[p U q]}*{r} = {{p}*{q}}*{r}
Now, {p}*{q}*{r} != {{p}*{q}}*{r}.
In fact, {p}*{q}*{r} matches any path in which a sequence of p is followed by r and there is no q along the way.
However, {{p}*{q}}*{r} does not. If a path contains a sequence of p, then the occurrence of q before r is mandatory.
Thus, the two formulas are not equivalent.
Hands-On Answer:
Let's encode a Kripke structure that provides the same counter-example using NuSMV
MODULE main ()
VAR
p: boolean;
q: boolean;
r: boolean;
INVAR !q;
INIT
!q & p & !r
TRANS
r -> next(r);
TRANS
p & !r -> next(r);
CTLSPEC A[p U A[q U r]];
CTLSPEC A[A[p U q] U r];
and check it:
~$ NuSMV -int
NuSMV > reset; read_model -i test.smv; go; check_property
-- specification A [ p U A [ q U r ] ] is true
-- specification A [ A [ p U q ] U r ] is false
-- as demonstrated by the following execution sequence
Trace Description: CTL Counterexample
Trace Type: Counterexample
-> State: 1.1 <-
p = TRUE
q = FALSE
r = FALSE
Indeed, one property is verified but the other is not.
Related
There is a set of pairs (set_pairs) and I want to create a set (set_fsts) of first elements of those pairs. I am writing it in the following way
definition "set_fsts = {f . p ∈ set_piars ∧ fst p = f}"
but Isabelle shows me this err msg: Extra variable on rhs "p"
Could you please help me with this?
You need to introduce p by existential quantification, i.e. EX p. P : set_pairs ...
Shorter way would be to define set_fsts as fst ` set_pairs
You can try
set_fsts = {fst p . p ∈ set_piars}
This would work in Isabelle/ZF, I am not sure about Isabelle/HOL.
[] = always
O = next
! = negation
<> = eventually
Wondering is it []<> is that equivalent to just []?
Also having a hard time understanding how to distribute temporal logic.
[][] (a OR !b)
!<>(!a AND b)
[]([] a ==> <> b)
I'll use the following notations:
F = eventually
G = always
X = next
U = until
In my model-checking course, we defined LTL the following way:
LTL: p | φ ∩ ψ | ¬φ | Xφ | φ U ψ
With F being a syntactic sugar for :
F (future)
Fφ = True U φ
and G:
G (global)
Gφ = ¬F¬φ
With that, your question is :
Is it true that : Gφ ?= GFφ
GFφ <=> G (True U φ)
Knowing that :
P ⊧ φ U ψ <=> exists i >= 0: P_(>= i) ⊧ ψ AND forall 0 <= j < i : P_(<= j) ⊧ φ
From that, we can clearly see that GFφ indicates that it must always be true that φ will be always be verified after some time i, and before that (j before i) True must be verified (trivial).
But Gφ indicates that φ must always be true, "from now to forever" and not "from i to forever".
G p indicates that at all times p holds. GF p indidcates that at all times, eventually p will hold. So while the infinite trace pppppp... satisfies both of the specifications, an infinite trace of the form p(!p)(!p!)p(!p)p... satisfies only GF p but not G p.
To be clear, both these example traces need to contain infinitely many locations, where p holds. But in the case of GF p, and only in this case, it is acceptable that there be locations in between, where p does not hold.
So the short answer to the above question by counterexample is: no, those two specifications aren't the same.
I will be introduced with .csp file by Cache
Can you help elaborate their coding linem what was that initials (w, q, k, d, s etc )
w "<th>Total (RM)</th>"
q
#;=====================================
#;knjlbbk
#;=====================================
xxfindSomthingSomthing(dateFrom,dateTo,Status,currentPage,sessionId,type)
n (dateFrom,dateTo,Status,%request)
d insertAudit^exyz,abcabc(126,43,"",$$getSession^eaa.Audit(sessionId,type),"")
k ^Temp
d paginationInit^eaa.Pagination($g(currentPage))
s dataCount = 0
s list = ""
f
{
s stand for set
w is write
q is quit
that's all you know.
I want to proof this lemma in Coq:
a : Type
b : Type
f : a -> b
g : a -> b
h : a -> b
______________________________________(1/1)
(forall x : a, f x = g x) ->
(forall x : a, g x = h x) -> forall x : a, f x = h x
I know that Coq.Relations.Relation_Definitions defines transitivity for relations:
Definition transitive : Prop := forall x y z:A, R x y -> R y z -> R x z.
Simply using the proof tactic apply transitivity obviously fails. How can I apply the transitivity lemma to the goal above?
The transitivity tactic requires an argument, which is the intermediate term that you want to introduce into the equality. First call intros (that's almost always the first thing to do in a proof) to have the hypotheses nicely in the environment. Then you can say transitivity (g x) and you're left with two immediate applications of an assumption.
intros.
transitivity (g x); auto.
You can also make Coq guess which intermediate term to use. This doesn't always work, because sometimes Coq finds a candidate that doesn't work out in the end, but this case is simple enough and works immediately. The lemma that transitivity applies is eq_trans; use eapply eq_trans to leave a subterm open (?). The first eauto chooses a subterm that works for the first branch of the proof, and here it also works in the second branch of the proof.
intros.
eapply eq_trans.
eauto.
eauto.
This can be abbreviated as intros; eapply eq_trans; eauto. It can even be abbreviated further to
eauto using eq_trans.
eq_trans isn't in the default hint database because it often leads down an unsuccessful branch.
Ok, I was on the wrong track. Here is the proof of the lemma:
Lemma fun_trans : forall (a b:Type) (f g h:a->b),
(forall (x:a), f x = g x) ->
(forall (x:a), g x = h x) ->
(forall (x:a), f x = h x).
Proof.
intros a b f g h f_g g_h x.
rewrite f_g.
rewrite g_h.
trivial.
Qed.
Reduction of many one , is not symmetric . I'm trying to prove it but it doesn't work
so well .
Given two languages A and B ,where A is defined as
A={w| |w| is even} , i.e. `w` has an even length
and B=A_TM , where A_TM is undecidable but Turing-recognizable!
Given the following Reduction:
f(w) = { (P(x):{accept;}),epsilon , if |w| is even
f(w) = { (P(x):{reject;}),epsilon , else
(Please forgive me for not using Latex , I have no experience with it)
As I can see, a reduction from A <= B (from A to A_TM) is possible , and works great.
However , I don't understand why B <= A , is not possible .
Can you please clarify and explain ?
Thanks
Ron
Assume for a moment that B <= A. Then there is a function f:Sigma*->Sigma* such that:
f(w) = x in A if w is in B
= x not in A if w is not in B
Therefore, we can describe the following algorithm [turing machine] M on input w:
1. w' <- f(w)
2. if |w'| is even return true
3. return false
It is easy to prove that M accepts w if and only if w is in B [left as an exercise to the reader], thus L(M) = B.
Also, M stops for any input w [from its construction]. Thus - L(M) is decideable.
But we got that L(M) = B is decideable - and that is a contradiction, because B = A_TM is undecideable!