Impressum KBPsAlg.thy

(*<*)
theory KBPsAlg
imports KBPsAuto DFS MapOps
begin
(*>*)

subsection\(*<*)

text‹An algorithm for automata synthesis›

\label{sec:kbps-alg<

WeAn algorithm for automata synthesis›
"mkAutoSim"} (\S\ref{sec:kbps-automata-synthesislg)ghe
ofnowowowomatonrmmkAutoSimpssis} ng

From here on we assume that\S\ef{c:dfs
set ofof

java.lang.NullPointerException

localeniteEnvironment FiniteEnvironmentctionVal
  nvironmentnvInition envObs
    or,ctenvAction> 'eAct list"
    and envInit :: "('s :: finite)"
    d nvAction :: "s<Rightarrow 'eAct list"
    and envTrans :: "'eAct 🚫and envObs :: "'a ==> 'obs"
    and envVal"' ==> bool"
    andbsRightarrow 'ss set"

text_raw‹ 'rep ==>
\begin{figure}[p]
\begin{isabellebody}%
\<close>
locale Algorithm =
  FiniteEnvironment jkbp envInit envAction envTrans envV
+ AlgSimIncrEnvironment jkbp envInit evvAction envTrans envVal view envObs
               jviewInit jviewIncr
               simf simRels simVal simAbs simObs simInit simTrans simAction
    dn:"stand 'eAct list"
    and envInit :: "s initeet
 envActionRightarrow 'eAct list"
    and envTrans :: "'eAct \<> ('a \<Rightarrow> 'aAct) \<Rightarrow>  Rightarrow 's"
      :: "'s \<Rightarrow> 'p \<Rightarrow> bool"
    and'gSimIncrEnvironmentair initemaprations

     <Rightarrow' \Rightarrow> 'bsjava.lang.StringIndexOutOfBoundsException: Index 58 out of bounds for length 58
    and jviewInit:( 's)itialIncrJointView
     jviewIncrjviewIncr :: "absobs crJointViewiew

    and simf :: "'s Trace \define a new localeto jviewInit :: "( bstobsitialIncrJointViewalIncrJointView
    and  :: "
    andsimVal'    envTrans:" '\Rightarrow> ) \>s < s"

    and simAbs 

    and simObs :'<Rightarrow'epp\Rightarrow 'bs"
    and simInit :: "'a \<Rightarrow>'java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 0
     : 'a\>  :'java.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
     simAction ' <> rep<>'list"

+ fixes aOps :: "('ma, 'rep, 'aAct list) MapOps"
    and tOps :: "('mt, 'rep \<times> 'obs, 'rep) MapOps"

  assumes aOps: "MapOps   " ec <quiv>  ec<in  a: '   'Actlist
      and 
text_rawopen>
  \{isabellebody%
  \caption{The \<open>Algorithm\<close> locale.}
  \label{fig:kbps-alg-alg-locale
\end{}
\<close>

text (in Algorithm

The @{term "Algorithm
Figure~\ref{fig:kbps-alg-alg-locale}, also extends the @{term
"AlgSimIncrEnvironment"} caleithairffiniteite poperations
@{term "aOps"}  successors oderehoseroduceddyjava.lang.StringIndexOutOfBoundsException: Index 60 out of bounds for length 60
@{dlessmulatedransitionsases emaps
are only required to work on the abstract 
canonicaltraces Note alsohatthe cesimulatedivalencelencece
classesfype @{p'ssuste inite,butthereereso
restriction on the representation type @{typ "'rep"}.

We develop the algorithm for a single, fixed agent, Updatee ct>update tOps (ec, simObs a ec') ec' 
to   locale @term "AlgorithmForAgent that extendsxtends>Algorithm\<close> with an extra parameter designating the agent:

\<close>

locale AlgorithmForAgenttransUpdatet\ updatetOps(ec simObs  ec'ec at
  Algorithm  )
            jviewInit jviewIncr
             simRels simVal simAbssimObs simInittsimTransansjava.lang.StringIndexOutOfBoundsException: Index 72 out of bounds for length 72
            aOps tOps(*<*)
    for
    and
    and envAction ocess
        and : ('a java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
    MapOps_lookup_updateD
    andsuccs_is_node

    <> lookupOps
    and jviewInit
     jviewIncrkupansA) ec) lookupOps (s)' bs

    and sxquiv_classss
    and simRels :==>Andy. y ∈eck_memb> a ` set a c)rbrakk
    and simVal :: "'ss ==> 'p ==> bool"

    and simAbs :: "'rep ==>c ∈

    and simObs==> k_invariant A"
    andsimInit :: "a \Rightarrow'obs \Rightarrow> 'r show ?thesis
    andsimTrans :: ""'a \<> 
    and simAction :: "'a \ 

    and aOps, 'rep, aAct) MapOps
    and tOps :: "('mt, 'rep × lookup tOps (aTrans A) (ec, obs) = lookup tOs (aTrans A) (e', obs
(*>*)

  ―...›
+ fixes a :: "'a"

subsubsection‹

text

arecordo

\<close>

record ('ma, 'mt) AlgState =
  aActs :: "'ma"
  aTrans :: "'mt"

context AlgorithmForAgent
begin

text\<andiantsnts

We instantiate the DFS theory with theWe

A node is an equivalence class of epresentedmulatedtracesraceses.

\<close

>l ere
  "k_isNode

java.lang.StringIndexOutOfBoundsException: Index 78 out of bounds for length 11

The successors frombtain
transition unction

\<lose   btaint

abbreviation k_succs :: "'rep \<Rightarrow> 'rep list" where
  "k_succssimTrans_simAbs_congimAbs_congs_congheretdx

text\<open

The initial automaton has Longrightarrowacts. lookup aOps (aActs A)comeacts\ tcts set(n

\<x

definitionemptpt( 't gState" re">k_isNode ec; k_isNode ' simAbsc= sec _nvariantt \>
  "<<existsactslookup aOps (aActs A) ec = Some acts \<and> set acts = set (simAction a ec)"

text\<open>

We use the domain of theunfoldingk_invariant_def by blast
has visited

\<close>

ow (ma,, 'mt)AlgState \<Rightarrowool"where
  "k_memb s java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0

text\<open>

We integrate a new equivalence 
the action and

\<close>

definition actsUpdate :: "'rep \<Rightarrow> (java.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
  "actsUpdate ec  \< update aOps ec (simAction a ec) (aActs A)"

definition transUpdate ::ece"ndNodemAbs 
  "transUpdate ec ec' at \<equiv> update tOps (ec, simObs k_isNode_defyjava.lang.StringIndexOutOfBoundsException: Index 34 out of bounds for length 8

definition\simAbs ec' \<in> simAbs ` set (k_succs)
  "k_ins java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6
                    =oldrdateimp

text\<open>

The required properties are straightforward andc"mb ereand

\<close>

(*<*)

lemma
  simAbs mAbs ec<> k_isNode
  unfolding k_isNode_def

lemma alg_MapOps_emptyk_ins_def      \>simAbs>simAbs (k_succs)
  "k_isNodeapply smp
  "k_isNode (fst
  unfolding k_isNode_def
  usingproof -' "simAbs\<in simAbs ` set (k_succs x)

lemma alg_aOps_lookup_update
  "<lbrakk>isNodee   thus ?thesis
  unfolding k_isNode_def
  using MapOps_lookup_updateD[OF _ _ aOps] java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8

lemma alg_tOps_lookup_update[simp]:
  "\<lbrakk> k_isNode unfolding(induct X)
  unfolding k_isNode_def
  using MapOps_lookup_updateD[OF _ _ tOps] byassumes"k_isNode x"

lemma k_succs_is_node[intro, simp]:
  umes_Node ssumes :ookupupOpsYjava.lang.StringIndexOutOfBoundsException: Index 65 out of bounds for length 65
   "list_all( X)
proof -
  from x obtain t
    where tC: "t \<in> jkbpC"
      and sx: java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
    unfolding k_isNode_def by blast
  have F: "\<And>y. y \<in> set (k_succs x) \<Longrightarrow
  <>(using k_invariantAOD[OF ecXI
    using simTrans\<Rightarrow(ma,mt) AlgState"
    unfolding k_isNode_def [abs_def]
    apply (autoiff: list_all_iff
    apply (frule F)
    apply
    done
qed

lemma k_memb_empt[simp]:
  "k_isNode x \<Longrightarrow> \<not>k_memb x k_empt"
  unfolding_mb_def_f k_empt_defsimp

(*>*)

subsubsectionsimAbsx

text‹ aAct list)

 riantor hetomatacon isstraigh,orwar, iiz
  at each step of the process thstate represents an automaton
  concordsae wi
 . We also need to kow that the sta
 MapOps"} invariants.

 (frontier a)

  k_invariant :: "('ma, 'mt) AlgState ==>neix c
 "k_invariant A ≡
 (∀acs. lookup aOOps (aAc(k_ \and et acts = set (simAction a ec)"
 ⟶
 ∧
 ⟶ lookup tOps (aTrans A) (ec, obs) = lookup tOps (aTrans A) (ec', obs))
 {he lgop
 aActsct A) ec =e
  \<>set
 ∀ k_memb ec A
 ∧ simTnsimAct )Init"
 ⟶
 ∧
 ∧
(*<*)

lemma k_invariantI[
  "[ ∧ec ec'. [ k_isNode ec; k_i (λ)si ron a))(ec,ob))"
       <Longrightarrow sActsookupcjava.lang.StringIndexOutOfBoundsException: Index 78 out of bounds for length 78
     ∧
       ==> lookupin) k_frontier :: "'a \<Rightarrow  list"where
     \>c\lbrakkde ec
       xists()c me> setacts (simActionaec;
     ∧ec obs ecs'. [ k_isNode ec; k_memb ec A; obs ∈
       ==> k_isNodek_frontier ajava.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 36
               ∧
               ∧
  ==>
  unfolding k_invariant_defasm_simp

java.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 21
  java.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87
     ==> lookup aOps (aActs A) ec = lookup aOps (aActs A) ec'"
  variant_def blast

lemma k_invariantTOD:
  "[ k_isNode ec
     ==>)
  unfolding k_invariant_def by blast

lemma k_invariantAD:
  "[ k_isNode  using
     ==> (lookupk_dfsobsjava.lang.StringIndexOutOfBoundsException: Index 75 out of bounds for length 75
  unfolding by blast

lemma k_invariantTD
  "[
     ==>
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
             ∧ (looku aO (aActs A) ))
  unfolding k_invariant_def by blast

lemma k_invariant_empt[simp]:
  "k_invariant k_empt"
  apply rule
  apply auto
  apply ( iff: k_empt)
  done

lemma k_invariant_step_new_aux:
  assumes X: "set
      usingKBPAlg.dfs_invariant Sk_empt xs
      and
mkAlgAuto
      and S: "simAbs\Rightarrow( rep \<>' can see the set ofclasses
  "<lookup oldr simObs'java.lang.StringIndexOutOfBoundsException: Index 88 out of bounds for length 88
           ∧
           ∧ simObs a r = simObs a ec'"
using X ec'
proof(induct X arbitrary: Y)
  case Nil thus ?case by simp            \<> 
next
  case (Cons y ys) show ?case
  proof(cases "simAbs ec' = simAbs y")
    case False with x ec ('a ==>
       transUpdate_def
      apply clarsimp
      unfolding k_isNode_def
      apply (erule immageE)+
      apply (cut_tac a=a and t=ta and ec=x and ec'=ec in simTrans_simAbs_cong[symmetric])
      apply simp_all
      done
  next
    case True
    with Cons have F: "simAbs y ∈ simAbs ` set (k_succs x)"
      by auto
    from x obtain t
      where tC: "t ∈ jkbpC"
        and x': "simAbs x = sim_equiv_class a t"
      unfolding k_isNode_def by blast
    from F obtain t' s
       "imAbs  t'\leadsto>s)"
        and tsC: "t' ↝ s ∈ jkbpC"
        and tt': "jview a t = jview a t'"
      using simTrans[rule_format, where a=a and t=t] tC x' by auto
    with Cons.hyps[where Y11=Y] Cons(2) Cons(3) True S x ec show ?thesis
      unfolding transUpdate_def
      apply auto
      apply (subst simTrans_si "simAbs KBPAlg.reachable (k_frontier)) a ` jkbpC"
       apply blast

       sing x' tt'
       apply auto[1]

       apply simp

       apply (rule image_eqI[where x=y])
       apply simp
       p
      using simObs[rule_format, where a=a and t="\leadsto>s"]
      apply simp
      done
  qed
qed

lemmak_invariant_step_new::
  assumes x: "k_isNode
      andsI<in envInit
      and a s =iobs"
      and S: "simAbs ec = simAbs(*<*)
  shows "<t>ec''. . loookup tOps (aTrans (k_ins x A)) (ec, simObs a ec') = Some c''
              \<and  imInit simTrans simAction fra) = simInit a"
              <>simObs a ec'' = simp jviewInit simInit)
proof -

esimAbs'\in simAbs
    unfolding k_isNode_def
     clarsimp
    apply (subst simTrans_simAbs_cong>>sim_equiv_class `jkbpC"
    using S
    apply auto
    done
  thus ?thesis
    using k_invariant_step_new_aux[OF subset_refl x ec _ S, where ec'=ec']
    unfolding k_ins_def
    apply auto
    
qed

lemma k_invariant_step_old_aux:
  assumes x: "k_isNode 
      and ec: "k_isNode ec"
      and S: "simAbs ec ≠ simAbs x"
  shows "lookup tOps (foldr (transUpdate x) X Y) (ec, obs)
       = lookup tOps Y (ec, obs)"
proof(induct
  case (Cons z zs) with x ec
    by ( "lookup tOps Y (ec ob)" ( addtransUpdate_def)
qed simp

lemma k_invariant_step_old
  assumes x: "k_isNode x"
      and ec: java.lang.StringIndexOutOfBoundsException: Index 47 out of bounds for length 47
      simAbs ec ≠ = λ the(loo s "\in"
  shows "lookuprans(c,)
       = lookup tOps (aTrans A) (ecAlgorithmForAgent
  unfolding BPAlg
  using_rontier_def
  by simp

lemma k_invariant_frame:
  assumes B: "lookup tOps Y (ec, obs) final algorithm, with the constants inl, is shown in
      and x: "k_isNode x"
      and ec: "k_isNode
      and ecness
      and S: "simAbs ec' = simAbs ec"
  showsfoldrUpdate,) s(ansUpdateec
  apply (inductesult
  unfolding transUpdate_def
   using B
   apply simp
  using x ec ec 
  pply
  done

lemma k_invariant_step
  assumes "" x"
      and I: ""k_invariant A"
      and M: "¬ tsC eldin alg_dfs_def
  shows "k_invariantk_ins AA)
(*<*)
proof
  fix ec ec'
  assumejava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  with N show "lookup aOps (aActs (k_ins x A)) ec = lookup aOps (aActs (k_ins x A)) ec'"
    unfoldingjava.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
    using k_invariantAOD[OF ec ec' X I]
    apply simp
    done
next
  fix ec ec' obs
  assume ec "k_isNode ec" and': "k_isNode c'" dXsimAbs'  simAbs ec
  show "lookup tOps (aTrans (k_ins x A)) (ec, obs) = lookup tOp with the paritionof @{term ""} under the simu
    unfolding k_ins_def
    using k_invariant_frame[OF k_invariantTOD[OF ec ec' X I] N ec ec' X]
    apply simp
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
next
  fix ec obs ecs'
  assume n: "k_isNode"
    and ec: "k_memb ec (k_ins rec0rect
     obs. by auto
  show "∃
            ∧(rule rtrancl_into_rtrncleb=""]
            \<ands
  proof(cases "simAbs ec = simAbs x")
     True with N n obs show ?thesis
      using k_invariant_step_new by auto
  next
    case False with I N n ec obs show ?thesis
      apply (simp add: k_invariant_step_old)
      apply (
      apply simp_all
      b_def actsUpe_defc traces.
      apply simp
      done
  qed
next
  fix ec
  assume n: "k_isNode ec"
     and ec: "k_memb ec (k_ins x A)"
  show "<N"
  proof(
    case with      
       k_ins_def
      apply clarsimp
      unfolding k_isNode_def
      clarsimp
      apply (erule jAction_simAbs_cong)
      apply auto
      done
  next
    case False with aOps N I M n ec show ?thesis
      unfolding k_ins_def
      apply simp
      apply (rule k_invariantAD)
      unfolding k_memb_def
      apply simp_all
      done
  qed
qedhowsxrhsmp
(*>*)

(*>*)

text<"hs

Showingec∈
by { "k_ins".

The frontier thepartition
underinitialbservationonfunctiononand : "ec sim_equiv_class a t"

›

definition (in Algorithm) k_frontier :: "'
  "k_frontier a ≡.able_defhis
(*<*)

lemmaimp
  "list_all k_isNode (k_frontier a)"
  unfolding k_frontier_def
  by (auto iff: simInitit


end (* context AlgorithmForAgent *)

text

We now instantiate the @{term "DFS"} locale with respect to the @{term
"AlgorithmForAgent"} locale. The instantiated lemmas are Algorithm
mandatory prefix ‹
locale.

\<close>

sublocale AlgorithmForAgent
        < KBPAlg: thm

(*<*)
  apply (unfold_locales)
  apply simp_all

  unfolding 
  using aOps
  plyto_)[1

  unfolding k_isNode_def
  apply clarsimp
  apply (erule  assumes: "t \in> jkbpC"
  apply           rec0rectrec0 ({ (x, y). y ∈
  done
(*>*)

text_raw‹
 begin{tStep
 begin{isabellebody}%
 › ygeI"]
definition
  alg_dfs :: "('ma, 'rep, 'aAct
         ==> ('mt, 'rep ×: "simAbs(unJP k__mkA a) = sim_equiv_class a
         Rightarrow> 'rep \<Rightarrowapply
         ==>
         ==> ('rep ==>
         ==>
         ==>ieuiv_class a ( (t ↝set (simTn runJP k_mkAlgAkAlgAuto t gAututo t "
where
  "alg_dfs aOps tOps simObs simTrans simAction ≡
    let k_empt = (
       k_memb = = (λ (lookup aOps (aActs A) s));
       k_succs = simTrans;
       actsUpdate = λc: c \> sset (simTraa (runJP k_mkkAlgAt a))"
       UpdateectpsimObs
       k_ins = λbyauto
                         aTrans = foldr (transUpdate ec) (k_succs ec) (aTrans A  fromp
     n_dfsmb

text‹

 
 mkAlgAuto :: "('ma, 'rep, 'a N E F BP_s_invvaiannt]
 ==> ('mt, 'rep ×
 \< (
 ==>appl(cutut_ta=a andec ad t="'↝
 ==> iff: k
 ==> ('a ==>from tStep show ?case by (simp only: G mkAutoSim_ec)
 ==> ('a ==>
 ==> ('a, 'obs, 'aAct, 'rep) J
 
 "mkAlgAuto aOpsata produced by DFS on a R using KBPAlg.eachble_imp_[OF N' k_f
 let auto = alg_dfs aOps tOps (simObs a) (simTrans a) (simAction a)
 frontier a)
 in (
  = λ:
 pAct = λ tC: "t ∈[OF _ _ _ k_dfs_, symmetric])

 
java.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 21
 \caption{The algorithm. The function
 @{typ "'a option"} type, diverging on @{term "None"}.}
 \label{figkbps-alg-algorithm}
 end{figure}
 ›
(*<*)
lemmaeS djava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
  "pInit (mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier a
  "(mkAlgAuto
 = (λobst \in jkbpC
  "pAct (mkAlg shows " ∘
 = (λ
  unfolding
  apply (simp_all add 
  done

(* Later we want to show that a particular DFS implementation does the
right thing. *)

definition
  alg_mk_auto java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
                ==> N: "KBP.k_isNode a(runJP k_mkAlgAuto t a)"
                Rightarrow('obs ==> 'rep)
htarrow'ma)AlgState
                ==> ('obs.k_memb_rep[OF]
where
  tOps<<equiv
    ( pInit = simInit acts
      pTrans = λobs
      pAct=<>c.hepsts
    )"

(*>*)
context AlgorithmForAgent
begin

text‹

The final algorithm, with the constants inlined, is shown in
Figure~\ref{fig:kbps-alg-algorithm}. The rest of this section shows
its correctness.

Firstly it follows immediately from ‹ca tStep t s)
invariant hoiheoremk_mkAlgAuto_implements: " k_mkAlgAuto"

 ›
(*<*)

abbreviation
  "k_dfs ≡

(* This is a syntactic nightmare. *)

lemma k_dfs_gen_dfs_unfold[simp]:
  "k_dfs
  unfolding alg_dfs_def
  apply fold k_empt_def actsUpdate_def)
  apply (simpadd_def
  done

(*>*)
lemmaen\{sec
(*<*)
  using
  by simp

(*>*)
text‹

  we can see that the set of reachable equivalence classes
  with the partition of @{term "jkbpC"} under the simulation
  representation functions:

 ›

lemma k_reachable:
  "simAbs ` KBPAlg.reachable (set (k_frontier a)) = sim_equiv_class a ` jkbpC"
(*<*)(is "?lhs = ?rhs")
proof
  show "
  proof
    fix sx assume "sx ∈ aset ( k_mkAlgAuto
    then obtain x
     re\>KBPAlg.reachable (setk_frontier a)
        and sx: "simAbs x = sx"
      by auto
    hence have E:"KBP._memb (runJP k_mkAlgAuto t a) (Kk_dfs a)"byblast
                 ``java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
      unfolding.reachable_def by simp
    then obtain s iobsclarsimp: )
       R: "simInit iobs, x) \<<in*"
        and sI: "s ∈
        and iobs: "envObs a s = iobs"
      by autoapply(subgoal_ "simAbs <> 
    from R x have "simAbs x ∈apply (u_a = n cec dt="<leadstosa" in simObs[rule_format])
    proof(induct arbitrary: sx rule: rtrancl_ind app simpp
      case base
      with sI iobs show ?case by (auto simp: jviewInit simInit)
    next
      case (step x y)
      with sI iobs
      have "simAbs x 
        unfolding KBPAlg.reachable_def Image_def k_frontier_def
        by auto
      then obtain t
        where tC: "t ∈
          and F: "simAbs: tin jkbpC"
        by auto
      from step
      have "simAbs y ∈lgAuto_mkAutoSim_equiv
      thus  ?case
        using simTrans
    qed
    with sx<java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
qed
nextshows actJP k_mkAlgAuto t = set ∘
   "?r ⊆
  
    fix ec assume "ec < ?
    then t
      where tC: "t ∈
        and ec: "ec=im_equiv_classs t
      by auto
    thusec ?lhs"
    proof(induct t arbitrary: ec)
      case (tInit s) thus ?case
        unfolding KBPAlg.reachable_def (* FIXME ouch this is touchy *)
        unfolding k_frontier_def
        apply
        apply (rule image_eqI[where x="simInit a (envObs a s)"])
         apply (simp add: simInit jviewInit
        apply (rule ImageI[where a="simInit a (envObs a s)"])
        apply auto
        done
    next
      case (tStep t s)
      
        and ec: "ec = sim_equiv_class
        and
           ∈
Therefored
      theneneratesjkbp"nh given
        where rect: "rect
          and : "simAbs rect = sim_equiv_class a t"
        by auto k_mkAlgAuto_implementsk_mkAlgAuto
      from tsC ec srect
      have "ec ∈
        using simTrans[rule_format, where a=a and t="t" and ec="rect"] srect by auto
      then obtain rec
        where rec: " = simAbs
          and F: "rec ∈
        by auto
      from rect obtain rec0
        where rec0: "rec0 java.lang.NullPointerException
          and rec0rect: java.lang.NullPointerException
        unfolding KBPAlg.reachable_def by auto
      show ?case
        apply -
        apply (rule image_eqI[where x="rec"])
         apply (rule rec)
        unfolding KBPAlg.reachable_def
        apply (rule ImageI[where a="rec0"])
         apply (rule rtrancl_into_rtrancl[where b="rect"])
          apply (rule rec0rect)
         apply clarsimp
         apply (rule F)
         apply (rule rec0)
         done
     qed
   qed
qed
(*>*)
text‹

Left to right follows from an induction on the reflexive, transitive
closure, and right to left by induction over canonical traces.

This result immediately yields the same result at the level of
representations:

\<close>

lemma k_memb_rep:
  assumes N: "  rec"
 shows "k_memb rec k_dfs"
(*<*)
proof -
  from N obtain rec'
    where r: "rec' ∈ DFS.reachable k_succs (set (k_frontier a))"
      and rec': "simAbs rec = simAbs rec'"
    unfolding k_isNode_def by (auto iff: k_reachable[symmetric])

  from N k_isNode_cong[OF rec', symmetric]
  have N': "k_isNode rec'"
    unfolding k_isNode_def by auto

  show "k_memb rec k_dfs"
    using KBPAlg.reachable_imp_dfs[OF N' k_frontier_is_node r]
    apply clarsimp
    apply (subst k_memb_def)
    apply (subst (asm) k_memb_def)
    using k_invariantAOD[OF N' N rec' k_dfs_invariant, symmetric]
    apply (cut_tac ec=y' and ec'=rec' in k_invariantAOD[OF _ _ _ k_dfs_invariant, symmetric])
     apply simp_all

     apply (cut_tac ec=rec' and ec'=y' in k_isNode_cong)
     apply simp
     using N'
     apply simp
     apply (rule N')
     done
qed
(*>*)

end (* context AlgorithmForAgent *)

text‹

  concludes our agent-specific reasoning; we now show that the
  works for all agents. The following command generalises all
  lemmas in the @{term "AlgorithmForAgent"} to the @{term
 Algorithm"} locale, giving them the mandatory prefix ‹KBP›:

 ›

sublocale Algorithm
        < KBP: AlgorithmForAgent
            jkbp envInit envAction envTrans envVal jview envObs
            jviewInit jviewIncr simf simRels simVal simAbs simObs
            simInit simTrans simAction aOps tOps a for a
(*<*)
  by unfold_locales
(*>*)

context Algorithm
begin

abbreviation
  "k_mkAlgAuto ≡
    mkAlgAuto aOps tOps simObs simInit simTrans simAction k_frontier"
(*<*)

lemma k_mkAlgAuto_mkAutoSim_equiv:
  assumes tC: "t ∈ jkbpC"
  shows "simAbs (runJP k_mkAlgAuto t a) = simAbs (runJP mkAutoSim t a)"
using tC
proof(induct t)
  case (tInit s) thus ?case by simp
next
  case (tStep t s)
  hence tC: "t ∈ jkbpC" by blast

  from tStep
  have N: "KBP.k_isNode a (runJP k_mkAlgAuto t a)"
    unfolding KBP.k_isNode_def
    by (simp only: mkAutoSim_ec) auto

  from tStep
  have ect: "simAbs (runJP k_mkAlgAuto t a) = sim_equiv_class a t"
    by (simp only: mkAutoSim_ec) auto

  from tStep
  have "sim_equiv_class a (t ↝ s) ∈ simAbs ` set (simTrans a (runJP k_mkAlgAuto t a))"
    using simTrans[rule_format, where a=a and t=t] tC ect by auto
  then obtain ec
    where ec: "ec ∈ set (simTrans a (runJP k_mkAlgAuto t a))"
      and sec: "simAbs ec = sim_equiv_class a (t ↝ s)"
    by auto

  from tStep
  have F: "envObs a s ∈ simObs a ` set (simTrans a (runJP k_mkAlgAuto t a))"
    using simObs[rule_format, where a=a and t="t↝s", symmetric] sec ec by auto
  from KBP.k_memb_rep[OF N]
  have E: "KBP.k_memb (runJP k_mkAlgAuto t a) (KBP.k_dfs a)" by blast

  have G: "simAbs (runJP k_mkAlgAuto (t ↝ s) a) = sim_equiv_class a (t ↝ s)"
    using KBP.k_invariantTD[OF N E F KBP.k_dfs_invariant]
    apply (clarsimp simp: jviewIncr)
    using simTrans[rule_format, where a=a and t=t and ec="runJP k_mkAlgAuto t a"] tC ect
    apply (subgoal_tac "simAbs x ∈ simAbs ` set (simTrans a (runJP k_mkAlgAuto t a))")
     apply (clarsimp simp: jviewIncr)
     apply (cut_tac a=a and ec=ec' and t="t'↝sa" in simObs[rule_format])
      apply (simp add: jviewIncr)
     apply simp
    apply blast
    done

  from tStep show ?case by (simp only: G mkAutoSim_ec)
qed

(*>*)
text‹

  the automata produced by the DFS on a canonical trace @{term
 t"} yields some representation of the expected equivalence class:

 ›

lemma k_mkAlgAuto_ec:
  assumes tC: "t ∈ jkbpC"
  shows "simAbs (runJP k_mkAlgAuto t a) = sim_equiv_class a t"
(*<*)
  using k_mkAlgAuto_mkAutoSim_equiv[OF tC] mkAutoSim_ec[OF tC]
  by simp

(*>*)
text‹

  involves an induction over the canonical trace @{term "t"}.

  the DFS and @{term "mkAutoSim"} yield the same actions on
  traces follows immediately from this result and the
 :

 ›

lemma k_mkAlgAuto_mkAutoSim_act_eq:
  assumes tC: "t ∈ jkbpC"
  shows "set ∘ actJP k_mkAlgAuto t = set ∘ actJP mkAutoSim t"
(*<*)
proof
  fix a
  let ?ec = "sim_equiv_class a t"
  let ?rec = "runJP k_mkAlgAuto t a"

  from tC have E: "?ec ∈ sim_equiv_class a ` jkbpC"
    by auto

  from tC E have N: "KBP.k_isNode a (runJP k_mkAlgAuto t a)"
    unfolding KBP.k_isNode_def by (simp add: k_mkAlgAuto_ec[OF tC])

  from KBP.k_memb_rep[OF N]
  have E: "KBP.k_memb ?rec (KBP.k_dfs a)" by blast

  obtain acts
    where "lookup aOps (aActs (KBP.k_dfs a)) ?rec = Some acts"
      and "set acts = set (simAction a ?rec)"
    using KBP.k_invariantAD[OF N E KBP.k_dfs_invariant] by blast

  thus "(set ∘ actJP k_mkAlgAuto t) a = (set ∘ actJP mkAutoSim t) a"
    by (auto intro!: jAction_simAbs_cong[OF tC]
               simp: k_mkAlgAuto_ec[OF tC] mkAutoSim_ec[OF tC])
qed
(*>*)

text‹

  these two constructions are behaviourally equivalent, and so
  DFS generates an implementation of @{term "jkbp"} in the given
 :

 ›

theorem k_mkAlgAuto_implements: "implements k_mkAlgAuto"
(*<*)
proof -
  have "behaviourally_equiv mkAutoSim k_mkAlgAuto"
    by rule (simp only: k_mkAlgAuto_mkAutoSim_act_eq)
  with mkAutoSim_implements show ?thesis
    by (simp add: behaviourally_equiv_implements)
qed
(*>*)

end (* context Algorithm *)

text‹

  the automata generated by this algorithm are large. We discuss
  issue in \S\ref{sec:kbps-alg-auto-min}.

 FloatBarrier

 ›

(*<*)
end
(*>*)