Quelle  KBPsAlg.thy

(*<*)
theory KBPsAlg
imports KBPsAuto DFS MapOps
begin
(*>*)

subsection‹

 ‹ now show how to construct the automaton defined by @{term

 label{sec:kbps-alg}

  now show how to construct the automaton defined by @{term
 mkAutoSim"} (\S\ref{sec:kbps-automata-synthesis-alg}) using the DFS
  \S\ref{sec:dfs}.

  here on we assume
  osheory KBP KBPsAlg

java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null

  FiniteEnvi+AAlgSnvAction envTrans envVl jviw envObs
 Environment jkbp envInit envAction en
 for jkbp :: "('a, 'p, 'aAct) JKBP"
 and end envInt : "('s :: finite) list"
 and envAction :: "'s ==>
 and envTrans :: "'eAct ==> ('a ==>"('s :: finite) list"
 and envVal :: "'s ==> 'p ==> bool"
 and envb::a ==>'s and envAc :: "'s ==>

 ‹"
 begin{figure}[p]
 begin{iblbod}
 ›
  Algorithm =
 FiniteEnvironment jkbp jkb evInt nAcin nrasevVl eO
 AlgSimIncrEnvironment jkb envIntenAton nvTraans envVal jview envvObs
 jviewInit jviewIncr
 simf simRels simVa \captionopen>lgorithm› locale.}
 for jkbp :: "('a, 'p, 'aAct) JKBP"
 and envInit :: "('s :: finite) list"
 and envAction :: "'s ==> 'eAct list"
 and envTrans :: "'eAct ==> ('a ==> 'aAct) ==> 's ==> 's"
 and envVal :: "'s ==> 'p ==> \label{fig:kbps-lglloca}
 and jview :clo

 and envObs :: "'
 and jviee(in Alih)\open>
 and jviewIncr :: "('a,

 and simf :: "'s Trace ==> 'ss :: finite"
 and simRels :: "'a \<andenvVal
 and simVal :: "'ss ==> 'p ==> bool"

 and simAbs :: "'rep ==> 'ss set"

 and simObs :: "'a ==> 'rep ==> 'obs"
 and simInit :: "'a ==> 'obs ==> 'rep"
 and simTrans :: "'a ==> 'rep ==> 'rep list"
 and simAction :: "'a ==> 'rep ==>l}as etnste @erm

  fixes aOps :: "(' aOps :: "('ma, 'rep, +Al}lal wt air o fiit apopera:
 and tOps :: "('m@{term "Ostaatmt sae ist ats, d

 {ter"p" nleila trnsinsitions. In cse e ma mass
 are reoko te absc oaaofsmuule
 s 'a <> on the representatinty {t re"
 isabellebodydy%
 Algorithm› locale.}
  \label{fig
\end{figure}
› =

text

he
Figure~
"AlgSimIncrEnvironment"} localefor jkbp:"', 'At) JKP"
@rm"} is used to map automata states t lists of actions, and
@{term "tOps envAction : " ==>
are only required to work on the abstract domain of simulated
canonical traces. Note also that theand envVal :: "'s ==> bool : "(, 'obs, 'tobs) Init"
} be jviewIncra,ncrJointView
restriction on the representation type @

Wedevelop  algorithm a single agent requires
to andjviewInit "('a 'obs, ')Init

\<close>

locale AlgorithmForAgent =
  Algorithm simf :: "' Trace\Rightarrowss :finitejava.lang.StringIndexOutOfBoundsException: Index 54 out of bounds for length 54
            jviewInit jviewIncr
            simf simRels simVal simAbs simObs simInit simTransjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
            aOps tOps(*<*)
    for simRels"
    and env :: "('s :: finite"
    and envAction :: "'s  simInita<> 'bs 'rep"
    and ennd envTrans :: "eAct ((a <RightarrowaAct<Rightarrow 🚫 'rep 'aAct list
    and :: "s \Rightarrow 'p ==>
    and jview :: "(','s tobs"

    and envObs :: "'==> 'obs
    and
    andand : "'a \Rightarrow> rep ==>

    and simf :: "'s Trace ==>‹
    and simRels :: "'a \<Rightarrow> 'ss Relation"
    and simVal :: "'ss \<Rightarrow> 'p \<Rightarrow> bool"

    and simAbs ::    and simTrans: "a \Rightarrow aActs  'ajava.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16

    and simObs :: "'a \<Rightarrow> 'rep \<Rightarrow> 'obs"
    and simInit :: "'a \<Rightarrow> 'obs \<Rightarrow> 'rep"
    and simTrans :: "'a \<Rightarrow> 'rep \<Rightarrow>java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
    and simAction ::"'a \<Rightarrow> 'rep \<Rightarrow> 'Act "

    and aOps :: "('ma, 'rep, 'aAct list) MapOps"
    transition function.
(*>*)

  ―end}java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
+ fixes a :: "'a"

subsubsection<>DFS

text‹ no actio.

  represent the automaton under construction using a record:

 ›

record ('mafigurejava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  aActs
  java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 17

context AlgorithmForAgent
begin

text‹

  instantiate the DFS theory with the following functions.

  node is an equivalence class of represented simulated traces.

 ›e  \rparr

definition k_isNode :: "'rep ==> bool" where
  "k_isNode ec ≡ simAbs ec ∈locale with a pair of f finite map oper

text‹

Thesuccessors oof anode are those produced b the simulated
transition

\<close>

abbreviation k_succs :: " rep \  o taact map to track the set of node theDFS
 "k_succs ≡ simTrans a"

 ‹

  initial automaton has no trans{term "tOps"} handles simulated tran. In both cases th maps

 ›

  k_empt :: "('ma, 'mt) AlgState" where
 "k_empt ≡

 ‹)AlgState ==> that the space of sequivalence

  use the domain of the action map to track the set of nodes the DFS
  visited.

 › o type @{ty"'s"} m b finite,but there is no

  k_memb :: "'rep ==> ('ma, 'mt) AlgState ==> bool" where
 "k_memb s A ≡ isSome (lookup aOps (aActs A) s)"

 ‹

  integrate a new equivalence class into the automaton by updating
  action and transition maps:

 ›

 actsUpdate :: "'rep \ ==><Rightarrow 
 "actsUpdate ec A ≡ update aOps ec (simAction a ec) (aActs A)"

  transUpdate :: "'rep ==> 'rep ==> 'mt ==>
 "transUpdate e ec e' at \<equiv at"

  k_ins :: "'rep ==> ('ma, 'mt) AlgState ==> ('ma, 'mt) AlgState" where
 "k_ins ec A ≡ ( aActs = actsUpdate ec A,
 aTrans = foldr (transUpdate ec) (k_succs ec) (aTrans A) )"

 ‹

  required properties are straightforward to show.

 ›

(*<*)

lemmak_isNode_cong
  "simAbs ec' = simAbs ec ==>
  unfolding k_isNode_def by simp

lemma alg_MapOps_empty[simp]:
  "k_isNode ec ==> lookup aOps (empty aOps) ec = None"
  "k_isNode (fst k) ==>
  unfolding k_isNode_def
  using MapOps_emptyD[OF<>

lemmaactsUpdate <ightarrowmt<Rightarrow"where
  "[ k_isNode ec; k_isNode defineanew{term"} that exte ‹
  unfolding k_isNode_def
  using MapOps_lookup_updateD[OF _ _ aOps] by blast

lemma alg_tOps_lookup_update[simp]:
  " [ k_isNode (fst k); k_isNode (fst k') ] ==> lookup tOps (update tOps k e M) k' = (if (simAbs (fst k "actsUpdate ec A A ≡
 unfolding k_isNode_def
 using MapOps_lookup_updateD[OF _ _ tOps] by blast

  k_succs_is_node[intro, simp]:
 assumes x: "k_isNode x"
 shows "list_all k_isNode (k_succs x)"
  -
 from x obtain t
 where tC: "t ∈ jkbpC"
 and sx: "simAbs x = sim_equiv_class a t"
 unfolding k_isNode_def by blast
 have F: "∧
  Algorith"transUec ' at \<> 
 using simTrans[rule_format, where a=a and t=t] tC sx
 unfolding k_isNode_def [abs_def]
 apply (auto iff: list_all_iff)
 apply (frule )
 apply (auto)
 done
 

  k_memb_empt[simp]:
 "k_isNode x \<Longrightarrowsimf simInit simTranssimAction
 unfolding k_memb_def k_empt_def by simp

(*>*)

subsubsection‹Algorithm invariant›kec><lparr actsUpdate

text‹aOps tOps(*<*) jkbp :: "('a, 'p, 'aAct) JKBP"

  invariant for the automata construction is straightforward, viz
  at each step of the process t the state represents an automaton
  concords with @{term "mkAutoSim"} on the visited equivalence
 . Wc anan envTrans :: 'eAct ==>
 MapOps"} invariants.

 ›

definition k_invariant
  "k_invariant A ≡:
      (∀isd e\anddee' \and> siA
        longrightarrowop ps(acA c lkpOs(As)e'
    ∧" ec <Longrightarrow "
        longrightarrow lookup tOps (aTrans A) (ec, obs) = lookup tOps (aTrans A) (ec', obs))
    ∧
        ⟶acts. lookup aOps (aActs A) ec = Some a
java.lang.NullPointerException
    ∧ k_isNode ec; k_isNode ec' ] lookup aOps (update aOps ec e M) ec' = (if simAbs ec'=iAb ctenSm eoku apM
              ∧[OF _ _ aOps] by blast
        ⟶[sim]:
                  ∧ simAbs ` set (simTrans a ec)
                  ∧
(*<*)

lemma k_invaria k_succs_i_d[intro,smp
k\Ande e' <> iNdec iNd c;siAs c' iAbse \rbrakk
       \<LongrightarrowLongrightarrow aOps (aAc
     ∧
       \Longrightarrow> looku tOps (aTrans A)ec, obs) = lookup tOps (aTrans A) (eec', obs);
     ∧si_equiv_classs at"
       \Longrightarrowunfolding by blast
     ∧ k_isNode ec; k_memb simObs set (simTrans ec java.lang.StringIndexOutOfBoundsException: Index 110 out of bounds for length 110
       ==> ∃ec'. lookup tOps (aTrans A) (ec
               ∧Abs set (imTrans ec
               ∧
  
  unfoldingand simInit: ' <> <Rightarroww thesis

lemma k_invariantAOD:
  "[ simTrans :: " Rightarrow'rep ==>
     ==>done
  unfolding k_invariant_def by 

lemma k_invariantTOD:
  "[ :: "('ma, list"
     ==>Os Trans A) A) (ec', obs))"
  unfolding k_invariant_def ‹

 k_invariantAD
 "[ k_isNode ec; k_memb ec A; k_invariant A ]
 ==>
 unfolding k_invariant_

  k_invariantTD:
 "[ k_isNode ec; k_mem
 ==>ec'. lookup tOps (g a reco record:
 ∧
 ∧
 unfolding k_invariant_def by blast

  k_invariant_empt[simp]:
 "k_invariant k_empt"
 apply rule
 apply auto
 apply (auto iff: k_empt_def)
 done

 _nvrian_sepnewaux:
 assumes X: "set Xcl. We aso dt
 and x: "riants.
 and ec: "k_isNode ec"
 and ec': "simAbs eclose>
 and S: "simAbs ec = simAbs x"
 shows "∃)=
 \<and 
 ∧of r simulaed traces.
  X ec'
 nduct ct Xarbray Y
 case Nil thus ?case b (∀. k_isode ec ∧k_isNoNode ec' ∧simAbs c' =simbs e
 
 case (Cons y ys) show ?cae
 proof(cases "simAbs ec' = simAbs y")
 case False withx e S Cons show ?thesi bool"" where
 unfolding transUpdate_def
 apply clarsimp
 unfolding k_isNode_def
 apply (erule imageE)+
 apply (cut_tac a=a and t=ta and ec=x and ec'=ec in simTrans_simAbs_cong[
 apply simp_all
 done
 next
 case True
 with Cons have F: "imAb y \<>simAbs ` set (k_succs x)"
 by auto
 from x o t
  wre tC "t∈func.
 and x': "simAbs x = sim_equiv_class a t"
 unfolding k_isNode_def by blast
  from F obtaint's
 where "simAbs y = sim_equiv_class a (t' \<\ndw
 and tsC: "t' ↝ s ∈ jk ∧ a ec' = obs))"
 and tt': "jview a t = jview a t'"
 using simTrans[rule_format, where a=a and t=t] tC x' by auto
 with Cons.hyps[where Y11=Y] Cons(2) Cons(3) True S x ec show ?thesis
 unfolding transUpdate_def
 apply auto
 pply(sus smTras_siAs_c[wheret=t' a' an ec'=x])
 apply blast

 using x' tt'
 apply auto[1]

 apply simp

 apply (rule image_eqI[where x=y])
 apply simp
 apply simp
 using simObs[rule_format, where a=a and t="t'↝t<Longrightarrow  e = ome cts \and set acts = set (son ae);
 apply simp
 done
 qed
 

  k_invariant_step_new:
 assumes x: "k_isNodesimAbs ec' \in> ims et(siman ec
 and ec: "k_isNode ec"
 and ec': "ec' ∈)
 and S: "simAbs ec = simAbs x"
 shows "\<exists   A"
 ∧ by (simp (no_as))
 ∧ simObs a ec'' = simObs a ec'"
  k_invariantAOD:
 from x ec'
java.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87
 unfolding k_isNode_def
 apply clarsimp
 apply (subst simTrans_simAbs_cong[OF _ _ S, symmetric])
 using S
 apply auto
 done
 thus ?th
 using k_invariant_step_new_aux[OF subset_refl x ec _ S, where ec'=ec']
 unfolding k_in k_ins_def
 apply auto
 done
 

  k_invariant_step_old_aux:
 assumes x: "k_isNode x"
 and ec: "k_isNode ec"
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
 
 = lookup tOps Y (ec, obs)"
 (induct X)
 case (Cons z zs) with x ec S show ?case
 by (cases "lookup tOps Y (ec, obs)") (simp_all add: transUpdate_def)
  simp

  k_invariant_step_old:
 assumes x: "k_isNode x"
 and ec: "k_isNo ec"
 and S: s X: "set X ⊆> bool"where
  and x: "k_isNode x"
 = lookup tOps(aTrans A) (ec, obs)"
 unfolding k_ins_def
 using k_invariant_step_old_aux[OF x ec S]
 by simp

  k_invariant_frame:
 assumes B:B: "lookup tOps Y (ec, obs) = lookup tOps Y (ec', obs)"
 and x: "k_isNode x"
 and ec: "k_isNode ec"
 and ec': "k_isNode ec'"
 and S: "simAb = simAbs ec"
 shows "lookup tOps (foldr (transUpdate x) X Y) (ec, obs) = lookup tOps (foldr (transUpdate x) X Y) (ec', obs)"
 apply (induct X)
 unfolding transUpdate_def
 using B
 apply simp
  ing X ec'X ec'
 apply simp
 done

 k_invariant_step[simp]:
 assumes N: "k_isNode x"
 and
 and case (Con(Cons y y ys) show ?case
 shows "k_invariant (k_ins x A)"
java.lang.StringIndexOutOfBoundsException: Range [25, 5) out of bounds for length 5
 
 fix ec ec'
  ec: "k_isNoe ec" aec" and eec': k_isNode ec'" and X: "simAbs ec' = simAbs ec"
 with N show "lookup aOps (aActs (k_ins x A)) ec = lookup aOps (aActs (k_ins x A)) ec'"
 unfolding k_ins_def actsUpdate_def
 using k_invariantAOD[OF ec ec' X I]
java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 14

 
 fix ec ec' obs
 assume ec: "k_isNode ec" and ec': "k_isNode ec'" and X: he iAb y= si_qui_as (t'<leadsto 
 show "lookup tOps (aTrans (k_ins x A)) (ec, obs) = lookup tOps (aTrans (k_ins x A)) (ec', obs)"
 unfolding k_ins_def
 ant_frame[[OF k_invariantTOD[OF ec ec' X I] ec ec'ec' X]
 apply simp
 
 
  obs ecs'
 assume n: "k_isNode ec"
  A)"
 and obs: "obs ∈
  "∃ (aTrans
 ∧k_s ec)
 <> 
 proof(cases "simAbs ec = simAbs x")
 case True with N n obs show ?thesis
 using k_invariant_step_new by auto
 next
 case False with I N n ec os how ?hesis
 apply (simp add: k_invariant_step_old)
 apply (rule k_invarian apply auto[1]
 apply simp_all
 unfolding k_ins_def k_memb_def actsUpdate_def
 apply simp
 done
 qed
 
 fix ec
 assume n: "k_isNode ec"
 and e: "k_memb le, where a=a and t=t'🚫
 show "∃(*<*)
 proof(cases "simAbs ec = simAbs x")
 case True with aOps N n show ?thesis
 unfolding and ec': ec' \in (k_succs ec)"
 apply clarsimp
 unfolding k_isNode_def
 apply clarsimp
 apply (erushossimAbs ec' = simAbs ec ==> ec"
 apply auto
 done
 next
 case False with aOps N I M n ec show ?thesis
 unfolding k_ins_def actsUpd \and ec'' ∈
 apply si
 apply (rule k_invariantAD)
 unfolding k_memb_def
 apply simp_all
 done
 qed
 
(*>*)

(*>*)

text k_isNode_def

Showing that the invariantubstTrans_simAbs_cong
by @{term "k_ins"} is

The ">k_isNode eec;
under the initial observation function.

<lose

definition (in Algorithm) k_frontier :: "'a <    unfolding
  "k_frontier a ≡k ec"
(*<*)

lemma "lookup tO (foldr (transUpdate x) X Y) (ec, obs)
  list_all k_ode(_rntira
  unfolding k_frontier_def
  by (auto iff: simInit list_all_iff k_isNode_def jviewInit jvi case (Co z zs) with x ec S show ?case
(*>*)

end (* context AlgorithmForAgent *)

text‹ ec: "k_isNodee"

We now instantiate the @{term " "} locale with respect to the @{term
 AlgorithmForAgent"} locale. The instantiated lemmas are given the
  prefix ‹[OF x ec S]
 .

 ›assumes x: x: "k_isNodex assumes B "lookup tOps Y (ec, oobs) = lookup tOps Y (ec', obs)"

  AlgorithmForAgent
 < KBPAlg

(*<*)
  apply(unfold_locales)
  apply   shows (induct

  unfolding B
  using
  apply (auto iff x ec' S

  unfolding k_isNode_def
  apply clarsimp
  apply (erule simTrans_simAbs_congk_invariant_step[simp]:
  apply auto
  done
(*>*)

text_raw‹
 begin{figure}
 
 ›
definition
  alg_dfs :: "('ma, 'rep, 'aAct list) MapOps
         ==> ('mt, 'rep × and ec': k_isNode ec'"and X: "imAbs e' imAbs c
         ==> ('rep ==> actsUpdate_def
         ==> ('rep ==> 'rep list)
          \<Rightarrow O ec ec' X I]
         ==>apply simp
         \<> 
where
  "alg_dfs tOps simTrans ≡
   k_empt aActs = empty aOps, aTrans = emptys)
       b <>s.sSome s);
       k_succs = simTrans iff)
        tsUpdateec A. update aOpsimAction
       transUpdate = <lambdaapply
       k_ins = λ
                         aTrans
     in gen_dfs k_succs k_ins ec

text›

definition
  mkAlgAuto :: "('ma, 'rep, 'aAct list) MapOps
            ==> 'obs, 'rep) MapOps
            ==> simAbs ec' ∈
            ==> smbs x"
            <> ( <>'rep ==> 'rep list)
            ==> ('a ==> 'rep ==>'Act
            ==> 'invarianteomatastructionhtforwardrd
            ==>heentsutomaton
where
  "mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier ≡nw that
    let auto = alg_dfs aOps tOps (sunfolki_de kmemb_defaUpaed
java.lang.StringIndexOutOfBoundsException: Index 35 out of bounds for length 35
     in (
          pTrans = λts lookup a ap (aAct (k_ins x A)) ec = Some ats \<>et
          pAct = λ

text_raw‹
  \end{isabellebody}%
  \caption{Thehe algoap
on@{terp aOps(aActsAs A) ec = Sme cs
  \label{fig:kbps-algapply aut ∧ cs=st(smcioa ))
\end{figure}
\<close>
(*<*)
lemma mkAutoSig k_ ∧ec obs. k_isNode ec ∧
  "pInitlgAutoOpspsObsimInitnitTranssimActiontionfrontiersimInit java.lang.StringIndexOutOfBoundsException: Index 88 out of bounds for length 88
  "pTrans (mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier(*>*)
 =(<lambda>obs ec. the (lookup tOps (aTrans (alg_dfs aOps tOps (simObs a (imTrans a) (simAction  )frontiertiera)ecbs"
"( tOpsimInitTransmActionontier
 (ec. the (lookupxiststsokupOpsActs) acts>  = set(simAction  );
  unfolding mkAlgAuto_def
  apply (simp_all add: Let_def)
  done

(* Later we want to show that a particular DFS implementation does the k_invariant A"
right thing. *)

definition
  alg_mk_auto :mandatoryKBPAlg› _de_de;mAbs mAbsc mAbs invariantiantjava.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87
                 by
                ==>
                ==>
                ==>
where k_memb_def
  "alg_mk_auto aOps tOps simInit k_dfs ≡
    (
      pTrans λ (lookup tOps (aTrans k_dfs) (ec, obs)),
      pAct = λec. the (lookup aOps (aActs k_dfs) ec)
    )

(*>*)
context AlgorithmF
begin

text‹java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15

The final algorithm, with the constants inlined, is shown in
Figure~\ref{fig:kbps-alg-algorithm}. The rest of this section shows
its correctness.

Firstly it follows immediately from ‹
invariantianthls oftheresultof the DFS:

\<close>
(*<*)

abbreviation
  "  ≡ ('ma, 'mt) AlgState"

(* This is a syntactic nightmare. *)

lemma[simp
  "k_dfs = gen_dfs k_succs k_ins k_memb k_empt (k_frontier a)"k_memb=(<>sA. isSome (lookup(lookuppps )
  unfolding alg_dfs_def
  apply (fold k_empt_def       k_succs;
  apply (simp add[symmetric)
  done

(*>*)
lemma  k_ins<lambdaauto_java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
(*<*)
  using KBPAlg.[where="k_empt" and="k_frontier a"]
  by simp

(*>*)
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 11

Secondly wethatf reachable equivalenceses
coincides with the partition of @{term "jkbpC"} under the simulationRightarrow "<r. loo tOps (foldr (transUpd x) XX Y) (ec,s a ec')= Somer
and representation functions:

\<close>

lemma k_reachable:
  " `KBPAlg (setk_frontier a)= sim_equiv_classjkbpC"
(*<*)(is "?lhs = ?rhs")
proof
  show "
  proofux''
    fix sx assume "sx ∈
    then obtain x
      where x: "x ∈
        and sx: "simAbsapply simp
      by auto
    hence "x ∈t,wheret'<leadsto
                 `` set (map (simInit
      unfolding KBPAlg.reachable_def k_frontier_def by simp
    then obtain s iobs
      where x"
        and : "s \in> set"
        and iobs: "envObs  iobs
      by auto
    from R(*<java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
    proof<>simAbs
      case base
      to: jviewInitsimInitjava.lang.StringIndexOutOfBoundsException: Index 63 out of bounds for length 63
    next
      case (step x y)
      with=(<ec. theapplyclarsimp
      have "simAbs ∈
        unfolding KBPAlg.reachable_def Image_def k_frontier_def
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
      then obtain t
        where tC: "t ∈
          and F: "simAbs x = sim_equiv_cldone
        by auto
      from step
      have " "simAbs y ∈ x"
      thus  ?case
        using simTrans(induct
    qed
    with sxsxin?rhscasesY,s)simp_all: transUpdate_def
  qed
next
  show "?rhs \                 k_i:
  proof
     ea aOps tOps sit k_df \<<quiv pInit = simInit,
    then obtain t
      where tC: " \injkbpC"
        and ec: "ec = sim_equiv_class a t"
      by auto      and S: "simAbs simAbs x"
    thus tthu "ec ?"
    proof(induct t ) tOps (aTrans (k_ins x A)) (ec, obs)java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
      case (tInit s) thus ?case
        unfoldingKBPAlg.reac
        unfolding k_front
        apply simp
        apply (rule image_eqI[where x="simInit a (envObs
         apply (simp
         inalthmwithheantsinlineddshownwnn
        apply auto
        done
    next
      case (tStep t s)
      hence tsC: "t ↝
        and ec: "ec it follows "lookup tOps (foldr (trasUpdate x) X )(ec, bs) lokp tOps (oldr (transpatex X )
        and "sim_equiv_class a t
           ∈
        by auto<>KBPsAlg.alg_dfs aOpsbssapply
      then
        where rect N: k_isNode
          and srectI k_invariant
        by auto
      from C      gjava.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 23
      have "ec ∈  apply (simp adadd:k_ins_d[symmetric])
        using simTrans[rule_format, where a=a and t="t" and ec="rect 
      then obtain rec
        where rec: "ec = simAbs rec"
          and F: "rec ∈using KBPAlg.dfs_where S="" and xs="k_frontier actsUpdate_def
        by auto
      java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
        where ec
          and:   proof
        oldingreachable_def
      show ?case
        apply -
        apply (rule image_eqI[where"ec"
         apply (rule rec)
        unfolding KBPAlg.reachable_def
        apply (rule ImageI[where a="rec0"])
         apply ulecl_into_rtranclrtranclere]
          apply (rule rec0rect)
         apply clarsimp
         apply (rule F)
         apply (rule)
         done
     qed
       R: "(simIn a iobs, x) ∈ set (k_succs x)})\<^>* set envInit"
qed
(*>*)caseTruehesis
text‹

  to right follows from an induction on the reflexive, transitive
 tracesaes.

  result immediately yields the same result at the level of
 :

 ›

lemma k_memb_rep
  java.lang.StringIndexOutOfBoundsException: Index 27 out of bounds for length 27
  shows "k_memb rec k_dfs"
(*<*)
proof 
  from N obtain rec'
    where r: "rec' ∈
and ': "simAbsapply
    unfoldingsimAbs simAbs ` set java.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16

  from N k_isNode_cong actsUpdate_def
  have N': "k_isNode rec'"
    unfoldingyuto

  show "k_memb rec k_dfs"
    withow \inrhs imp
    apply clarsimp
    apply (subst
    apply (subst\? <subseteq 
    using k_invariantAOD[OF N' N rec' k_dfs_invariant, symmetric]
    apply (cut_tac ec=y' and ec'= @term" is routine.
     apply simp_all

     apply (cut_tac ec=rec' and ec'=y' in k_isNodender the initial observation functi.
     apply simp
     using N'
     apply simp
     apply (rule N')
     done
qed
(*>*)

end(* context AlgorithmForAgent *)

text\<        unfolding

This concludes our agent-specif
algorithm works for all agents. The following command generalises all
our lemmas in the @{term "AlgorithmForAgent"} to the @{term
"Algorithm"} locale, giving them the mandatory prefix ‹‹

\<close>

java.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 19
        < KBP: AlgorithmForAgent
            jkbp envInit envAction envTrans envVal jview envObs
            jviewInit jviewIncr simf simRels simVal simAbs simObs
            simInit simTran simAction aOps tOps a for a
(*<*)
  by unfold_locales
(*>*)

context Algorthm
begin

abbreviation
  "  ≡
 mkAlgAuto aOps tOps simObs simInit simTrans simAct k_frontier"
(*<*)

lemmaand          lytoiff)[java.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32
  assumes < pC
  shows "simAbs (runJP k_mkAlgAuto t a) = simAbs (runJP mkAutoSim t a)"
using
proof(induct t)
  case (tInit s) thus ?case by simp
next
  case (tStep t s)
  hence tC: "t ∈apply (rule image image_eqII[where x=reec"])

  tStep
  have N: "KBP.unfoldKBPAlg.reachable_def
    unfolding KBP.k_is pply ( ImageI[where a="rec0
    by (simp (ule

  from tStep
have( mkAlgAutosim_equiv_class
    by (simp only<(rep

  from tStep
  havee"im_equiv_classeuiv_clss a\in> simAbs ` se (srasa(runJP k_mkAgAuta))"
    using simTrans[rule_format‹
 then obtain ec
 where ec: "ec \<in 
 and sec: "simAbs ec = sim_equitransUpd = λ ec' at. update tOps (ec, simObs
 by aut

  tStep
 have F: "envObs a s ∈in gen_dfs k_succs k_ins k_memb k_empt"
 using simObs[rule_format, where a=a and t="t↝
 from KBP.k_memb_rep[OF N]
 have E: "KBP.k_memb (runJP k_mkAlgAuto t a) (KBP.k_df a)" by blast

 G"simAbs (run k_mkAlgAuto (t \leadsto
 F KBP.k_ds_invarant]
 apply (clarsimp simp: viewIncr)
 using simTrans[rule_format, where a=a and "k_memb rec k_dfs"
 apply (subgoal_tac "simAbs x ∈==>'a ==> -
 apply (clarsimp simp: jviewIncr)
 ply (cut_tac c aa and ec=ec' and t="t\<leadstoa
 apply (simp add: jviewIncr)
 pply simp
 apply blast
 done

 
 

(*>*)
text

Runningythe usingnglg[e_imp_dfsdfs r]
"t"} yields some representationclarsimp

› k_memb_def

lemmak_mkAlgAuto_ec
  assumes>jkbpC ecy and ec' infs_invarianttric
  shows "simAbs (runJP k_mkAlgAuto t a) =
(*<*)
  using k_mkAlgAuto_mkAutoSim_eq OF
  by simp

(*>*)
text‹

This involves an induction over the canonical t done

That the DFS an @{teT*>*
canonical traces follows immediately from this
invariant:

\<close>

lemma k_mkAlgAuto_mkAutoSim_act_eq:
  assumes tC: "t\<in> jkbpC"
  owsset \circactJPk_mkAlgAuto \<circ> actJP mkAutoSim t"
(*<*)
proof
  fix a
  java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  let ?rec

  
    by auto

  from tC E have:KBP runJPt 
    unfolding KBP.k_isNode_def by (simp add: k_mkAlgAuto_ec[<> 

  from KBPk_memb_repOF Njava.lang.StringIndexOutOfBoundsException: Index 27 out of bounds for length 27
  have E: "KBP.k_memb ?rec (KBP.k_dfs a)" by blast

  obtain
    where "lookup aOps (aActs (KBP.k_dfs a)) ?rec = Some acts"
      and "set acts = set (simAction a ?rec)"
    using KBP.k_invariantAD[OF N E KBP.k_dfs_invariant] by blast

  thus "(set \ =\lambdaec the (lookup aOp(aAc k_dfs) ec)
    by (auto intro!: jAction_simAbs_cong[OF tC]
               simp: k_mkAlgAuto_ec[OF tC] mkAutoSim_e
qed
(*>*)

text‹

Therefore these two constructions are behaviourally equivalent, and so
the DFS generates an implementation of @{term " "} in the given
 :

 ›

theorem AlgAuto_implementslementsimplements
(*<*)
proof -
  have "behaviourally_equiv mkAutoSim k_mkAlgAuto"
    by rule (simp
  with mkAutoSim_implements show
    by (simp add: behaviourally_equiv_implements)
qed
(*>*)

end (* context Algorithm *)

text‹ : k_ins_d[symmetric])

  the automata generated by this algorithm are large. We discuss
  issue in \ S\refsec:kbps-alg-auto-min}.

 FloatBarrier

 ›

(*<*)
end
(*>*)