Quelle  KBPsAlg.thy

theory KBPsAlg
imports KBPsAuto DFS MapOps
begin
(*>*)

subsection‹ t

 ‹

 label{sec:kbps-alg}

  now show how to construct the automaton defined by @{term
 mkAutoSim"} (\S\ref{sec:kbps-automata-synthesis-alg}) using the DFS
  \S🚫

  here on we assume that the environment consists of only a finite
  of states:

 ›ec ≡

  FiniteEnvironment =
 Environment jkbp envInit envAction envTrans envVal envObs
 for jkbp :: "('a, 'p, 'aAct) JKBP"
 and envInit :: "('s :: finite) list"
 and envAction :: "'s ==> 'eAct list"
 and envTrans :: "'eAct ==> ('a ==> 'aAct) ==> 's ==> 's"
 and envVal :: "'s ==> 'p ==>
 and envObs :: "'a ==> 's ==> 'obs"

 ‹
 begin{figure}[p]
 begin{isabellebody}%
 ›
  Algorithm =
 FiniteEnvironment jkbp envInit envAction envTrans envVal envObs
  AlgSimIncrEnvironment jkbp envInit envAction envTrans envVal jview envObs
 jviewInit jviewIncr
 simf simRels simVal simAbs simObs simInit simTrans simAc
 for jkbp :: "('a, 'p, 'aAct) JKBP"
 and envInit :: "('s :: finite) list"
 and envAction :: "'s ==> 'eAct list"
 and envTrans :: "'eAct ==>
 and envVal :: "'s ==> 'p ==>
 and jview :: "('a, 's, 'tobs) JointView"

 and envObs :: "'a ==>
 and jviewInit :: "('a, 'obs, 'tobs) InitialIncrJointView"
 and jviewIncr :: "('a, 'obs, 'tobs) IncrJointView"

 and simf :: "'s Trace ==>: "'rep ==>
 and simRels :: "'a ==> 'ss Relation"
 and simVal :: "'ss ==> 'p ==> bool"

 and simAbs :: "'rep ==> 'ss set"

 and simObs :: "'a ==> 'rep ==> 'obs"
 and simInit :: "'a ==> 'obs ==> 'rep"
 and simTrans :: "'a ==> 'rep ==> 'rep list"
 and simAction :: "'a ==> as no transition and no acactions.

  fixes aOps :: "('ma, 'rep, 'aAct list) MapOps"
 and tOps :: "('mt, 'rep × 'obs, 'rep) MapOps"

 assumes aOps: "MapOps simAbs jkbpSEC aOps"
 and tOps: "MapOps (λk. (simAbs (fst k), snd k)) (jkbpSEC × UNIV) tOps"
 ‹
 \end{isabellebody}%
 \caption›
 label{fig:kbps-al-alg-alg-locale}
 end{figure}
 ›

text (in Algorithm) ‹

  @{term "Algorithm"} locale, shown in
 ~\ref{fig:kbps-alg-alg-locale}, also extends the @{term
 AlgSimIncrEnvironment"} locale with a pair of finite map operations:
 {term "aOps"} is used to map automata states to lists of actions, and
 {term "tOps"} handles simulated transitions. In both cases the maps
  only required to work on the abstract domain of simulated
  traces. Note also that the space of simulated equivalence
  of type @{typ "'ss"} must be finite, but there is no
  on the representation type @{typ "'rep"}.

  develop the algorithm for a single, fixed agent, which requires us
  define a new locale @{term "AlgorithmForAgent"} that extends ‹Algorithm› with an extra parameter designating the agent:

 ›

locale AlgorithmForAgent =
  AlgorithmenvAction  envObs
            jviewInit jviewIncr
            simf simRels simVal simAbs simObs simInit simTrans simAction
            aOps tOps(*<*)
    for jkbp :
    and envInit :: "('s :: finite) list"
 envAction' <> ' list
    and envTrans :: "'eAct ==> ('a ==> 'aAct) ==> 's ==> 's"
    and envVal :: "'s ==>
    and jview :: "('a, 's, 'tobs) JointView"

    and envObs :: "'a ==> 'repRightarrowma)AlgStateRightarrow" w
    and jviewInit :: "('a, 'obs, 'tobs) InitialIncrJointView"
    and jviewIncr :: "('a, 'obs, 'tobs) IncrJointView"

    and simf :: "'s Trace ==> 'ss :: finite"
    and simRels :: "'a ==> 'ss Relation"
    and simVal :: "'ss ==>  "k_memb s A \equivisSo (loo aOps (aActs A)) s)"

    and simAbs :: "'rep ==> 'ss set"

    and simObs :: "'a ==>
    and simInit :: "'a ==> 'obs
    and simTrans :: "'a \We integrate a nenew equivalence class into the autby updating
    and simAction :: "'a ==> 'rep ==> 'aAct list"

    and aOps :: "('ma, 'rep, 'aAct list) MapOps"
    and tOps :: "('mt, 'rep ×
(*>*)

  <comment<>...\close
+ fixes a :: "'a"

subsubsection‹

 ‹

  represent the automaton under construction using a record:

 ›

  ('ma, 'mt) AlgState =
 aActs :: "'ma"
 aTrans :: "'mt"

  AlgorithmForAgent
 

 ‹

  instantiate the DFS theory with the following functions.

  node is an equivalence class of represented simulated traces.

 ›

  kisNod :: 'rep \<ightarrow 
 "k_isNode ec ≡ simAbs ec ∈ sim_equiv_class a ` jkbpC"

 ‹

  successors of a node are those produced by the simulated
  function.

 ›

  k_succs :: "'rep ==> 'rep list" where
 k_succs ≡

 ‹

  initial automaton has no transitions and no actions.

 ›k_uc ec) (aTans A) 🚫

  k_empt :: "('ma, 'mt) AlgState" where
 "k_empt ≡ (

 ‹

  use the do of the action map to trac the set of nodes the DFS
  visited.

 ›

  k_memb :: "'rep ==> ('ma, 'mt) AlgState ==>
 "k_memb s A ≡ isSome (lookup aOps (aActs A) s)"

 ‹

  integrate a new equivalence class into the automaton by updating
  action

 ›

  actsUpdate :: "'rep ==>Longr k_isNec' ⟷ k_isNode ec"
 "actsUpdate ec A ≡ update aOps ec (simAction a ec) (aAc

  transUpdate :: "'rep ==> 'rep ==> 'mt ==> 'mt" where
 "transUpdate ec ec' at ≡ update tOps (e

  k_ins :: "'rep \<Rightarrowlemma
 "k_ins ec A ≡Longrighta> lookup aOps (empty aOps) ec = None"
 aTrans = foldr (transUpdate ec) (k_succs ec) (aTrans A) )"

 ‹

  required properties are straightforward to show.

 ›"k_sNode fs k) ==>

(*<*)

lemma k_isNode_def
  "simAbs ec' = simAbs ec ==>[OF _ aOps] MapOps_empt[OF _ tOps] by blast+
  unfolding k_isNod

lemma alg_MapOps_empty[simp]:
  "k_isNode[simpjava.lang.StringIndexOutOfBoundsException: Index 35 out of bounds for length 35
  "k_isNode (fst k) ==>
  unfolding k_isNode_def
  using MapOps_emptyD[OF _ aOps] MapOps_emptyD[OF _ tOps] by blast+

lemma alg_aOps_lookup_update[simp]:
  "[ MapOps_lookup_updateD _ _ aOps] byblast
  unfolding k_isNode_def
  using MapOps_lookup_updateD[OF alg_tOps_lookup_update]:

lemma alg_tOps_lookup_update[simp]:
  "[ k_sNd (fst );k_iNoe(fsk' ] lookup tOps smAbs(ft ) n k ten om es lokp tp M k')
  unfolding k_isNode_def
  using MapOps_lookup_updateD[OF _ _ tOps] by blast

lemma k_succs_is_node[intro nfol k_isNode_def
  assumes x: "k_isNode x"
  shows "list_all (k_succsx"
proof -
  from x obtain t
    where tC: "t ∈[intro ]:
      andassumes x: "k_isNode x x"
    unfolding k_isNode_defshows "list_all k_isNod (k_succs x)"
  have F: "∧
  show ?thess
    using simTrans[rule_format, where a=a and t=t] tC sx
    ding k_isNode_def [abs_def]
    apply (auto iff: list_all_iff)
    apply (frule F)
    apply (auto)
    done
qed

lemma k_memb_empt[simp]:
  k_isNode x \Longrightarrow\notkmm _emt
  unfolding k_memb_def k_empt_def by simp

(*>*)

subsubsection‹

text‹

The invariant for the automata construction is straightforward, viz
that at each step of the process the state represents apapply (auto iff: list_all_iff)
that concords with @{term " "} on the visited equivalence
 . We also need to know that the state has preserved the @{term
 MapOps"} invariants.

 ›

  k_invariant :: "('ma, 'mt) AlgState ==> bool" where
 "k_invariant A ≡
 (∀ ∧ simAbs ec' = simAbs ec
 ⟶ lookup aOps (aActs A) ec = lookup aOps (aActs A) ec')
 ∧ec ec' ob.k_sdee \and_soee'\and> iAb e'=sAs c
 ⟶ lookup tOps (aTrans A) (ec, obs) = lookup t nfokmem_e _mtde b sp
 ∧
 ⟶ (∃
 ∧ set acts = set (simAction a ec)))
 ∧ (∀ k_memb ec A
 ∧ simObs a ` set (simTrans a ec)
 ⟶ec'. lookup tOps (aTrans A) (ec, obs) = Some ec'
 ∧ simAbs ec' ∈ simAbs ` set (simTrans a ec)
 ∧
(*<*)

lemma k_invariantI[intro]:
  "[ec ec'. [be \rbrakk>
       ==> lookup aOps (aActs A)
     ∧n fo t atoaacostrctin s strihfrwrd,viz
       ==>
     ∧echat conwt @{erm "kAutoSim ted
       ==>Wehatreserved
     ∧
       ==>
               ∧
               ∧
  ==> k_invariant A"
  unfolding k_invariant_def by (simp (no_asm_simp))

lemma k_invariantAOD:
  "[
     ==>lookup'
  unfolding k_invariant_def by blast

lemmaariantTOD
  "[ lookup aOps (aActs A) ec = lookup aOps (aActs A) ec')
     ==> lookup tOps (aTrans A) (ec, ob_isode ec \nd simAbs ec' = simAbs ec
  unfolding k_invariant_def by blast

lemma k_invariantAD:
  "[ k_isNode ec; k_memb ec A; k_invariantlongrightarrow lookup tOps (aTrans A ecuptOps(aTrans
     <Longrightarrow\<and> (∀ec. k_isNode ec ∧ec A
  unfolding k_invariant_def by blast

lemma k_invariantTD:
  "[ k_isNode ec; k_memb ec A; obs ∈siOsa set(iTre) k_nvrin A <r>
     ==> ∃ec'. lookup tOps (aTrans A) (ec, obs) = Some ec'
             ∧ simAbs ` set (simTrans a ec)
             ∧ simObs a ec' = obs"
  unfolding k_invariant_def by blast

lemma k_invariant_empt[simp]∧(∀ k_memb ec A
  "k_invariant k_empt"
  apply rule
  apply auto
  apply (auto iff: k_empt_def)
  done

lemma k_invariant_step_new_aux:
  assumes∧ simAbs ` set (simTrans
      and x: "k_isNode x"
      and ec: "k_isNode ec"
      and ec': "simAbs ec' ∈
      and S: "simAbs ec = simAbs x"
  shows "∃ (transUpdate Y) (ec simObs') = Some r
           ∧ ∧ec> k_isNode ec; k_isNode ec'; simAbs ec <>
           ∧ simObs==>
using X ec'
proof<ndec ec' obs. [ k_isNode ec; k_isNode ec'; simAbs ec' = simAbsrbrakk
  case Nil thus ?case by simp
next
  case (Cons y ys) show       <> lookup)eckupsA c,s;
  proof(cases "simAbs ec' = simAbs y")
    case False with x eck_isNode;_mbjava.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
      unfolding
      apply clarsimp
      unfolding k_isNode_def
      apply (erule imageE)+
      apply(cut_tac a=a and t=ta and ec=x and ec'=ec in simTrans_simAbs_cong[symmetric])
      apply simp_all
      done
  next
    case True
    with Cons have F: "simAbs y ∈<>ec'. lookup tOp (aTrans (k_ins x A)) (e, obs) = So ec'
      by auto
    from x obtain t
      where tC: "t ∈ a'=obs
         "imAbsseuv_las
      unfolding k_isNode_def by blast
    from F obtain t' s
      where "simAbs y = sim_equiv_class a (t' ↝auto
        and tsC: "t' ↝
        and tt': "jview a t = jview a t'"
      using simTrans[rule_format, where a=a and t=t] tC x' by auto
    with Cons.hyps[where Y11=Y] Cons(2) Cons(3) True S x ec show ?thesis
      unfolding transUpdate_def
      apply auto
      apply (subst simTrans_simAbs_cong[where t=t' and ec'=x])
       apply blast

       using x' tt'
       apply auto[1]

       apply simp

       apply (rule image_eqI[where x=y])
       apply simp
       apply simp
      using simObs[rule_format, where a=a and t="t'↝
      apply simp
      assumek_isNode ec"
  qed
qed

lemma k_invariant_step_new:
  assumes x: "k_isNode
      and ec: "k_isNode ec"
    and':"' \<> 
      and S: "simAbs ec = simAbs_ctsUpdate_def
  shows
              ∧
              <and      
proof -
  fromjava.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
  have ec'\in  ` set x)java.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55
    unfolding k_isNode_def
    ly
    apply (subst simTrans_simAbs_cong[OF _ _ S, symmetric]unfolding
    using S
    apply auto
    done
  thus ?thesis
    using k_invariant_step_new_aux[OF subset_refl x ec _ S, where   qed
    unfolding k_ins_def
    apply auto
    done
qed

lemma k_invariant_step_old_aux:
  assumes x:
      and ec: "k_isNode ec"
      and Sjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  shows "lookup tOps (ftext‹
       = lookup tOps Y (ec, obs)"
 (induct X)
 case (Cons z zs) with x ec S show ?case
 by (cases "lookup tOps Y (ec, obs)") (simp_all add: transUpdate_def)
  simp

  k_invariant_step_old:
 assumes x: "k_isNode x"
 and ec: "k_isNode ec"
 and S: "simAbs ec ≠ fron is the partition of tset of initstates
 shows "lookup tOps (aTrans (k_ins x A)) (ec, obs)
 = lookup tOps (aTrans A) (ec, obs)"
 unfolding k_ins_def
 using k_invariant_step_old_aux[OF x ec S]
 by simp

  k_invariant_frame:
 assumes B: "lookup tOps Y (ec, obs) = lookup tOps Y (ec', obs)"
 and x: "k_isNode x"
 and ec: "k_isNode ec"
 and ec': "k_isNode ec'"
 and S: "simAbs ec' = simAbs ec"
 ) k_frontier :: "'a ==>
 apply (induct X)
 unfolding transUpdate_def
 using k_frontier a \\eui> ma(imni \circbs) vnt
 apply simp
 using x ec ec'S
 apply simp
 done

 imp]:
 assumes N: "k_isNode x"
 and I: "k_invariant A"
 and M: "¬ jvi)
 shows "k_invariant (k_ins x A)"
(*<*)
proof
  fix ec ec'
   : k_isNode"isNode X: " ec "
  with N show "lookup aOps (aActs (k_ins x A)) ec = lookup
     k_ins_def actsUpdate_def
    using k_invariantAOD[OF ec ec' X I]
    apply simp
    done
next
  fix ec ec' obs
  assume ec: "k_isNode ec" and eck_isNode simAbs
  show "lookup tOps (aTrans (k_ins
     k_ins_def
    using k_invariant_frame[OF k_invariantTOD[OF ec ec' X I] N ec ec' X]
    apply simp
    done
next
  fix ec obs ecs'
  assume n: " ec
    and ec: "k_memb ec (k_ins x A)"
    and obs: "obs ∈
  show "∃Alg: DFS k_succs _demb
            ∧
            ∧ simObs a ec unfold_locales
  proof ec = simAbs
    case True with N n obs show ?thesis
      using k_invariant_step_new by auto emb_def
  next
    case False withoSome_eq
      apply (simp add
      apply (rule k_invariantTD
      apply simp_all
      unfolding k_ins_def k_memb_def actsUpdate_defans_simAbs_cong
      apply simp
      done
  qed
next
  fix ec
  assume n: "k_isNode ec"
     and ec: "k_memb ec (k_ins x A)"
  show "∃acts. lookup aOps (aActs (k_ins x A)) ec = Some acts ∧ec)"
  proofjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
    caseTruehesis
      unfolding k_ins_def actsUpdate_def
       java.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
      unfolding k_isNode_def
      apply clarsimp
      apply (erule jAction_simAbs_cong)
      apply auto
      done
  next
    case False with aOps N I M n ec show ?thesis
      unfolding k_ins_def actsUpdate_def
      apply simp
      apply (rule k_invariantAD)
      unfolding k_memb_def
      apply simp_all
      done
  qed
qed
(*>*)

(*>*)

text‹

  that the invariant holds of @{term "k_empt"} and is respected
  @{term "k_ins"} is routine.

  initial frontier is the partition of the set of initial states
  the initial observation function.

 ›

definition)k_frontier>rep
  "k_frontier a ≡ map (simInit a ∘ envObs a) envInit"
(*<*)

lemma k_frontier_is_node[intro, simp]:
  "list_all k_isNode (k_frontier a)"
  unfolding
  by (auto iff: simInit list_all_iff k_isNode_def jviewInit jviewIncr)
(*>*)

end (* context AlgorithmForAgent *)

textopen

We now instantiate the @{term "DFS"} locale with respect to the @{term
"AlgorithmForAgent"} locale. The instantiated lemmas are =\lambdaA.updateec)
mandatory prefix ‹KBPAlg›( ' ;
locale.

›

sublocale AlgorithmForAgent
        < KBPAlg: DFS k_succs k_isNode k_invariant k_ins k_membk_ins\lambdaec A

(*<*)
  apply (unfold_locales)
  apply simp_all

  unfolding k_memb_def                         aTranstransUpdate)aTrans<>
  using aOps
  apply (auto iff: isSome_eq)[1]

  unfolding k_isNode_def
  apply clarsimp
  apply (erule simTrans_simAbs_cong)
  apply auto
  done
(*>*)

text_raw‹
\begin{figure}
\ellebody}
\<close>
definition
  alg_dfs :: "('ma, 'rep, 'aAct list) MapOps
         \<Rightarrow> ('mt, 'rep \<times> 'obs, 'rep) MapOps
         \<Rightarrow> ('rep \<Rightarrow> 'obs)
         \<Rightarrow> ('rep \<Rightarrow> 'rep list)
         \<Rightarrow> ('rep \<Rightarrow> 'aAct list)
         \<Rightarrow> 'rep            <Rightarrow ' <>'<>' list
         \<Rightarrow> ('ma, 'mt) AlgState"
where
  "alg_dfs aOps tOps simObs simTrans simAction \<equiv>
    let k_empt = \<lparr> aActs = empty aOps, aTrans = empty tOps \<rparr>;
       k_memb = (\<lambda>s A. isSome (lookup aOps (aActs A) s));
       k_succs = simTrans;
       actsUpdate <> .updateaOpsec(imAction)aActsA;
       transUpdate = \<lambda>ec ec' at. update tOps (ec, simObs ec') ec' at;
       k_ins = \<lambda>ec A. \<lparr> aActs = actsUpdate ec A,
                         typ'option}type,   { "".
     in gen_dfs k_succs k_ins k_memb k_empt"

text\<open>\<close>

definition
  mkAlgAuto :: "('ma, 'rep, 'aAct list) MapOps
            \<Rightarrow> ('mt, 'rep \<times> 'obs, 'rep) MapOps
            \<Rightarrow> ('a \<Rightarrow> 'rep \<Rightarrow> 'obs)
            \<Rightarrow> ('a \<Rightarrow> 'obs \<Rightarrow> 'rep)
            \<Rightarrow
            \<Rightarrow> ('a \<Rightarrow> 'rep \<Rightarrow> 'aAct list)
            \<Rightarrow> ('a \<Rightarrow> 'rep list)
            \<Rightarrow> ('a, 'obs, 'aAct, 'rep) JointProtocol"
where
  "mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier \<equiv> \<lambda>a.
     auto =lg_dfspsOpssimObs(Trans imAction
                       (frontier a)
     in \<lparr> pInitpAct  <lambdacthelookupOpsActs dfssec)
          pTrans = \<lambda>obs ec. the (lookup tOps (aTrans
          pAct = \<lambda>ec. the (lookup aOps (aActs auto) ec) \<rparr>"

text_raw\<open>
  \end{isabellebody}%
  \caption{The algorithm. The function @{term "the"} projects a value from the
    @{typ "'a option"} type, diverging on @{term "None"}.}
  \label{fig:kbps-alg-algorithm}
\end{figure}
\<close>
(*<*)
lemma mkAutoSim_simps KBPsAlg.alg_dfs aOps tOps (simObson)
  "pInit (mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier a) = simInit a"
  "pTrans (mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier a)
 = (λobs ec. the (lookup tOps (aTrans (alg_dfs aOps tOps (simObs a) (simTrans a) (simAction a) (frontier a))) (ec, obs)))"
  "pAct (mkAlgAuto aOps tOps simObs simInit simTrans simAction frontier a)
 = (λec. the (lookup aOps (aActs (alg_dfs aOps tOps (simObs a) (simTrans a) (simAction a) (frontier a))) ec))"
  unfolding mkAlgAuto_def
  apply (apply (oldk_empt_def k_memb_def actsUpdate_deftransUpdate_def)
  done

(* Later we want to show that a particular DFS implementation does the
right thing. *)

definition
  alg_mk_auto :: "('ma, 'rep, 'aAct list) MapOps
                ==>[symme])
                ==>
                ==> ('ma, 'mt) AlgState
                ==> ('obs, 'aAct, 'rep) Protocol"
where
  "alg_mk_auto aOps tOps sim
    ( KBPAlg.dfs_[where S="k_empt a"]
      pTrans = λobs ec. the (lookup tOps (aTra
      pAct = λec. the (lookup aOps (aActs k_dfs) ec)
    )"

(*>*)
context AlgorithmForAgenttext‹
 

 ‹partition of @{term "jkbpC"} under the simulation

  final algorithm, with the constants inlined, is shown in
 ~\ref{fig:kbps-alg-algorithm}. The rest of this section shows
  correctness.

  it follows immediately from ‹
  holds of the result of the DFS:

 ›
(*<*)

abbreviation
  "k_dfs ≡ KBPsAlg.alg_dfs aOps tproof

(* This is a syntactic nightmare. *)

lemma k_dfs_gen_dfs_unfold[simp]:
  "k_dfs = gen_dfs k_succs k_ins k_memb k_empt (k_frontier a)"
  unfoldingalg_df
  apply (fold k_empt_def k_memb_def actsUpdate_def transUpdate_def)
  apply (simp add: k_ins[symmetric])
  done

(*>*)
lemma k_dfs_invariant: "k_invariant k_dfs"
(*<*)
  using KBPAlg.dfs_invariant[where S="k_empt" and xs="byo
  by simp

(*>*)
text‹ envObs a) envInit)"

  we can see that the set of reachable equivalence cla
  with the partition of @{term "jkbpC"} under the simulation
  representation functions:

 › ({ (x, y).  <in *"

lemma k_reachable:
  "simAbsand<in set envInit"
(*<*)(is "?lhs = ?rhs")
proof
  show "?lhs ⊆ ?rhs"
  proof
    fix sx ssue sx ∈
    then obtain x
      e
        and sx: "simAbs x = sx"
      by auto
    hence "x ∈ ({ (       tep
                 `` set (map (simInit a ∘ envObs a)have x <> sim_equiv_class"
       KBPAlg.reachable k_frontier_def by simp
    then obtain s iobs
      where R: "(simInit a iobs, x) ∈ ({ (x, y). y ∈
        I "s\inse envInit"
        and iobs: "envObs a s =andF: "simAbs
      by auto
    from R x have "simAbs x ∈ ?rhs"
    proof(inductsimAbs simAbs ` set (k_succs x)" by auto
      case base
      with sI iobs show ?case by (auto simp: jviewInit simInit)
    next
      case (step x y)
      with sI iobs
      have "simAbs x ∈ sim_equiv_class a ` jkbpC"
        unfolding KBPAlg.reachable_def Image_def k_frontier_def
        by auto
      then obtain t
        where tC: "t ∈ jkbpC"
          and F: "simAbs x = sim_equiv_classusingat byto
        by auto
      from step
      have "simAbs y ∈(k_suc x)" by auto
      thus  ?case
        singe=nd
    qed
    with sx show "sx \  pr
  qed
next
  show"rhs ?lhs"
  proof
    fix ec assume "ec ∈:" \<n 
    then obtain t
      where tC: "t ∈ jkbpC"
        and ec: "ec = sim_equiv_class a t"
      by u
    thus "ec ∈ ?lhs"
    proof(induct t arbitrary: ec)
      case (tInit s) thus ?case
        unfolding KBPAlg.reachable_def (* FIXME ouch this is touchy *)
        unfolding k_frontier_def
        apply simp
        apply (rule image_eqI[where x="simInit a (envObs a s)"])
         apply (sim add: simInit jviewInit)
        apply (rule ImageI[where a="simInit a (envObs a s)"])
        apply auto
        done
    xt
      case (tStep t s)
      hence tsC: "t ↝
        and ec: "ec = sim_equiv_class a (t ↝ s)"
        and "sim_equiv_class a t
           ∈.reachablk_succs (se
        by auto
      then obtain rect
        where rect: "rect ∈
          and srect simAbs ` DFS.reachable k_succs(set (k_frontiera)"
        by auto
      from tsC ec srect
      have "ec ∈ simAbs ` set (simTrans a rect)"
        using simTrans[rule_format, where a=a and t="t" and ec="rect"] srect by auto
      then obtain rec
        where rec: "ec = simAbs rec"
          and F: "rec ∈ set (simTrans a rect)"
        by auto
      from rect obta rec0
        where rec0: "rec0 ∈ set (k_frontier a)"
          and rec0rect: "(rec0 ) ∈ set (k_succs x)})java.lang.NullPointerException
        unfolding KBPAlg.reachable_def by auto
      show ?case
        apply -
        apply ( image_eqI x="rec"]
         apply (rule rec)
        unfolding KBPAlg.reachable_def
        apply (rule ImageI[where a="rec0"])
         lyrtrancl"])
          apply (rule rec0rect)
         apply clarsimp
         apply (rule F)
         apply (rule rec0)
         done
     qed
   qed
qed
(*>*)
text🚫

Left to right follows from an i apply c clars
closure, and right to left by induction over canonical traces.

This result immediately yields the same result at the level of
representations:

\<close>

lemma k_memb_rep:
  assumes N: "k_isNode rec"
  shows "k_memb rec k_dfs"
(*<*)
proof -
  from N obtain rec'
    where r: "rec' ∈ DFS.reachable k_succs(set"
      and rec': "simAbs rec = simAbs rec'"
    unfolding k_isNode_def by (auto iff: k_reachable[symmetric])

  from N k_isNode_cong[OF rec', symmetric]
  have N': "k_isNode rec'"
    unfolding k_isNode_def by auto

  show "k_memb rec
    using KBPAlg.reachable_imp_dfs[OF N' k_frontier_is_node r]
    apply clarsimp
    apply (subst k_memb_def)
    apply (subst (asm) k_memb_def)
    using k_invariantAOD[OF N' N rec' k_dfs_invariant, symmetric]
    apply (cut_tac ec=y' andclose
     apply simp_all

     apply (cut_tac ec=rec' and ec'=y' in k_isNode_cong)
     apply simp
     using N'
     apply simp
     apply (rule N')
     done
qed
(*>*)

end (* context AlgorithmForAgent *)

text‹

  concludes our agent-specific reasoning; we now show that the
 works for all agents. The following co generalises all
  lemmas in the @{term "AlgorithmForAgent"} to the @{term
 Algorithm"} locale, giving them the mandatory prefix ‹

 ›

  Algorithm
 < KBP
 jkbp envInit envAction envTrans envVal jview envObs
 jviewInit jviewIncr simf simRels simVal simAbs simObs
 simInit simTrans simAction aOps tOps a for a
(*<*)
  by unfold_locales
(*>*)

context Algorithm
begin

abbreviation
  "k_mkAlgAuto ≡
    mkAlgAuto aOps tOps simObs simInit simTrans simAction k_frontier"
(*<*)

lemma k_mkAlgAuto_mkAutoSim_equiv:
  assumes tC: "t ∈
  shows "simAbs (runJP k_mkAlgAuto t a) = simAbs (runJP mkAutoSim t a)"
using tC
proof(induct t)
  case (tInit s) thus ?case by simp
next
  case (tStep t s)
  hence tC: "t \injkbpC" by blast

  from tStep
  have N: "KBP.k_isNode a (
    unfolding KBP.k_isNode_def
    by (simp only: mkAutoSim_ec) auto

  from tStep
   :mAbsclass
    by (simp only: mkAutoSim_ec) auto

  from tStep
  have "sim_equiv_class a (t ↝ s) ∈ simAbs
    using simTrans[rule_format, where a=a and t=t] tC ect by auto
  then obtain ec
    where ec: "ec ∈
      and:mAbs  <> s)"
    by auto

  from tStep
  have F: "envObs a s ∈ simObs a ` set (simTrans a (runJP k_mkAlgAutojkbpioniew
    using simObs[rule_format, where a=a and t="t↝
  from KBP.k_memb_rep[OF N]
  have E: "KBP.k_memb (runJP k_mkAlgAuto t a) (KBP.k_dfs a)" by blast

  have G: "simAbs (runJP k_mkAlgAuto (t ↝ s) a) = sim_equiv_class a (t ↝Algorithm
    using KBP.k_invariantTD[OF N E F KBP.k_dfs_invariant]
    apply (clarsimp simp: jviewIncr)
    using simTrans[rule_format, where a=a and t=t and ec="runJP k_mkAlgAuto t a"] tC ect
    apply (subgoal_tac "simAbs x ∈ simAbs ` set (simTrans a (runJP k_mkAlgAuto t a))")
     apply (clarsimp simp
     apply (cut_tac a=a and ec=ec' and t="t'↝ k_mkAlgAuto_:
      apply (simp a add: jviewIncr)
     apply simp
    pply l
    done

  from tStep show ?case by (simp only: G mkAutoSim_ec)
qed

(*>*)
text‹

Running the automata produced by the DFS on a canonical trace @{term
" "} yields some representation of the expected equivalence class:

 close>

  k_mkAlgAuto_ec:
 assumes tC: "t ∈: mkAutoSim_e) auto
 shows "simAbs (runJP k_mkAlgAuto t a) = sim_equiv_class a t"
(*<*)
  using
  by simp

(*>*)
text‹

  involves an induction over the canonical trace @{term "t"}.

  the DFS and @{term "mkAutoSim"} yield thav "sim_equiv_class a (t ↝ simAbs ` set (simTrans a (runJP k_mkAlgAuto t a))"
  traces follows immediately from this result and the
java.lang.StringIndexOutOfBoundsException: Index 60 out of bounds for length 10

 ›

lemma k_mkAlgAuto_mkAutoSim_act_eq:
  assumes tC: "t ∈ jkbpC"
   "set \circa k_mkAlgAuto t = set \<circ 
(*<*)
proof
  fix a
  let ?ec = "sim_equiv_class a t"
  let ?rec = "runJP k_mkAlgAuto t a"

  from ttC have E: "ec sim_equiv_class a ` jkbpC"
    by auto

  from tC E have N: ".k_isNode k_mkAlgAuto
    unfolding KBP.k_isNode_def by (simp addapply (imp

  from KBP.k_memb_rep[OFapply(ubgoal_tac"simAbs ∈
  have E: "KBP.k_memb ec BP blast

  obtain
    where "lookup aOps (aActs (KBP.k_dfs a)) ?rec = Some acts"
      and "set acts = set (simAction a ?rec)"
    using KBP.k_invariantAD[OF N E KBP.k_dfs_invariant] by blast

  thus "(set ∘ tSte show ?case by (simp only: G mkAutoSim)
    by (auto intro!: jAction_simAbs_coqe
               simp: k_mkAlgAuto_ec[OF tC] mkAutoSim_ec[OF tC])
qed
(*>*)

text‹

Therefore these two constructions are behaviourally equivalent, and so
the DFS generates an implementation of @{term " "} in the given
 :

 ›

theorem k_mkAlgAuto_implements: "implements k_mkAlgAuto"
(*<*)
proof -
  have "behaviourally_equiv kAutoSim k_mkAlgAuto"
    by rule (simp only "simAbs (runJP k_mkAlgAuto t a) = sim_equiv_class a t"
  with mkAutoSim_implements show(*<*)
    by (simp add:   using k_mkAlgAuto_mkAutoSim_equiv tC mkAutoSim_ecOF]
qed
(*>*)

end (* context Algorithm *)

text‹

  the automata generated by this algorithm are large. We discus involves an iducio et noialtace@{tm t}.
  issue in \S\ref{sec:kbps-alg-auto-min}.

 FloatBarrier

 ›

(*<*)
end
(*>*)