Timed CTL Model Checking in Real-Time Maude⋆ - IfI
14 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky
– $\varphi' = \mathit{true}$: $\mathcal{R}, t \models_c \mathit{true}$ for all $t$ by the definition of $\models_c$.
– $\varphi' = p$: Since all steps between $t^\pi_i$ and $t^\pi_j$ are tick steps, the property follows from the tick-invariance of $p$.
Assume now that the lemma holds for the subformulae $\varphi_1$ and $\varphi_2$.
– $\varphi' = \neg\varphi_1$:
$$\mathcal{R}, t^\pi_i \models_c \neg\varphi_1 \iff \text{not } (\mathcal{R}, t^\pi_i \models_c \varphi_1) \overset{\text{induction}}{\iff} \text{not } (\mathcal{R}, t^\pi_j \models_c \varphi_1) \iff \mathcal{R}, t^\pi_j \models_c \neg\varphi_1 .$$
– $\varphi' = \varphi_1 \wedge \varphi_2$:
$$\mathcal{R}, t^\pi_i \models_c \varphi_1 \wedge \varphi_2 \iff \mathcal{R}, t^\pi_i \models_c \varphi_1 \text{ and } \mathcal{R}, t^\pi_i \models_c \varphi_2 \overset{\text{induction}}{\iff} \mathcal{R}, t^\pi_j \models_c \varphi_1 \text{ and } \mathcal{R}, t^\pi_j \models_c \varphi_2 \iff \mathcal{R}, t^\pi_j \models_c \varphi_1 \wedge \varphi_2 .$$
– $\varphi' = E\,\varphi_1\,U_I\,\varphi_2$:
We define $d_1 = d^\pi_i - n\bar{r}$, $d_2 = d^\pi_j - d^\pi_i$ and $d_3 = (n+1)\bar{r} - d^\pi_j$. Let furthermore $\pi^{\mathit{pre}}$ denote the prefix of $\pi$ ending at $t^\pi_i$ and let $\pi^{\mathit{pre}}_i$ denote the tick sequence $t^\pi_i \xrightarrow{r_i} \cdots \xrightarrow{r_{j-1}} t^\pi_j$. Let $m_l\bar{r}$ be the lower bound of $I$. The upper bound of $I$ is either $\mathit{INF}$ or a finite bound $m_u\bar{r}$.
“⇒”: The proof structure is illustrated in Figure 1.
Assume that $\mathcal{R}, t^\pi_i \models_c E\,\varphi_1\,U_I\,\varphi_2$ holds. Then by definition there is a path $\pi_i \in \mathit{tfPaths}_{\mathcal{TK}}(t^\pi_i)$ such that for each time refinement $\pi'_i \in \mathit{tfPaths}_{\mathcal{TK}}(t^\pi_i)$ of $\pi_i$ there is an index $k$ s.t. $d^{\pi'_i}_k \in I$, $\mathcal{TK}, t^{\pi'_i}_k \models_c \varphi_2$, and $\mathcal{TK}, t^{\pi'_i}_l \models_c \varphi_1$ for all $0 \le l < k$.
Let $\pi_i$ be such a path. Due to time robustness, $\pi_i$ has a time refinement $\pi'_i \in \mathit{tfPaths}_{\mathcal{TK}}(t^\pi_i)$ which contains the state $t^\pi_j$ at time point $d_2$, a state $t^{*}$ at time point$^7$ $m_l\bar{r} - d_1/2$ in case $m_l > 0$, and a state $t^{**}$ at time point $m_l\bar{r} + d_2$ (which is $t^\pi_j$ in case $m_l = 0$). Note that time robustness ensures that the state in $\pi'_i$ at time point $d_2$ is $t^\pi_j$.
Let $\pi'_i$ be such a path. Let $\pi^{\mathit{pre}\prime}_i$ and $\pi_j$ be the prefix resp. suffix of $\pi'_i$ ending resp. starting at $t^\pi_j$ at the time point $d_2$. We show that $\pi_j$ satisfies the conditions for $\mathcal{R}, t^\pi_j \models_c E\,\varphi_1\,U_I\,\varphi_2$.
Let $\pi'_j$ be a time refinement of $\pi_j$. Then the concatenation $\pi''_i$ of $\pi^{\mathit{pre}\prime}_i$ and $\pi'_j$ is a time refinement of $\pi_i$. By assumption there is an index $k$ s.t. $d^{\pi''_i}_k \in I$, $\mathcal{TK}, t^{\pi''_i}_k \models_c \varphi_2$, and $\mathcal{TK}, t^{\pi''_i}_l \models_c \varphi_1$ for all $0 \le l < k$.
Let $k$ be such an index and let $\pi'$ be the concatenation of $\pi^{\mathit{pre}}$ and $\pi''_i$. Remember that $m_l\bar{r}$ is the lower bound of $I$. We distinguish between (i) $d^{\pi''_i}_k \in I_1 = [m_l\bar{r},\; m_l\bar{r} + d_2 + d_3)$ and (ii) $d^{\pi''_i}_k \in I_2 = I \setminus I_1$.
$^7$ For intuition we sample the middle point between $m_l\bar{r} - d_1$ and $m_l\bar{r}$. However, any time point in the interval $(m_l\bar{r} - d_1,\; m_l\bar{r})$ would fit for our purpose.