Some properties of CTL

1 CTL formulae We formalize basic concepts of Computational Tree Logic (CTL) [2, 1] within the simply-typed set theory of HOL. By using the common technique of “shallow embedding”, a CTL formula is identified with the corresponding set of states where it holds. Consequently, CTL operations such as negation, conjunction, disjunction simply become complement, intersection, union of sets. We only require a separate operation for implication, as point-wise inclusion is usually not encountered in plain set-theory. lemmas [intro!] = Int-greatest Un-upper2 Un-upper1 Int-lower1 Int-lower2 types ′a ctl = ′a set constdefs imp :: ′a ctl ⇒ ′a ctl ⇒ ′a ctl (infixr → 75 ) p → q ≡ − p ∪ q lemma [intro!]: p ∩ p → q ⊆ q by (unfold imp-def ) auto lemma [intro!]: p ⊆ (q → p) by (unfold imp-def ) rule