Timed CTL Model Checking in Real-Time Maude⋆ - IfI

More documents

Recommendations

Info

$G:\MISQ\2006\September 2006\Gregor.wpd - IfI$

16 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky (i) Assume first that d π′′ i k ∈ I1 = [ml¯r, ml¯r + d2 + d3). We observe that π ′′ i contains the state t∗∗ at time point ml¯r + d2 (we added this sample point when refining πi to π ′ i ), thus t∗∗ appears in π ′ at time point (n + ml)¯r + d1 + d2. Furthermore, we assumed that d π′′ i k d π′′ i k < ml¯r + d2 + d3, implying that t π′′ i ∈ I1, i.e., ml¯r ≤ k appears in π′ at a time point in [(n + ml)¯r + d1, (n + ml + 1)¯r). Thus both t∗∗ and t π′′ i k appear in π′ in the interval ((n + ml)¯r, (n + ml + 1)¯r), and from T K, t π′′ i k |=c ϕ2 we get by induction that T K, t∗∗ |=c ϕ2. Note that t∗∗ also appears in π ′ j . We want to show that the index of t∗∗ in π ′ j satisfies the conditions for the satisfaction of the until formula by π′ j . We already have shown that T K, t∗∗ |=c ϕ2. Additionally, t∗∗ appears in at time point ml¯r, π ′′ i at time point ml¯r + d2, therefore it appears in π ′ j which is the left end point of the interval I. In case ml = 0 we are done, because tπ j satisfies ϕ2 and there are no states prior to tπ j in π′ j . Otherwise, if ml > 0, it remains to show that all states prior to t∗∗ in π ′ j satisfy ϕ1. There are two cases. ∗ We know that all states t π′′ i l with l < k (especially all states at time points less than ml¯r) satisfy ϕ1. We conclude that the states in π ′ j at time points less than ml¯r − d2, building a subset of the above states, all satisfy ϕ1. ∗ It remains to show that all states at time points from [ml¯r −d2, ml¯r) in π ′ j also satisfy ϕ1. Notice that π ′ i contains the state t∗ at time point ml¯r − d1/2. Since this time point is below the lower bound of I we have T K, t ∗ |=c ϕ1. This state t ∗ appears in π ′ at time point (n¯r + d1) + (ml¯r − d1/2) = (n + ml)¯r + d1/2 . By induction we get that all states appearing in π ′ at time points from the interval ((n + ml)¯r, (n + ml + 1)¯r) satisfy ϕ1. I.e., all states in π ′ j at time points from ((n + ml)¯r − (n¯r + d1 + d2), (n + ml + 1)¯r − (n¯r + d1 + d2)) = (ml¯r − d1 − d2, (ml + 1)¯r − d1 − d2) ⊇ [ml¯r − d2, ml¯r) satisfy ϕ1. (ii) For the case d π′′ i k ∈ I2 = I\I1 let v be the number of states in π pre′ i . We show that k − v is a proper index for the satisfaction of the bounded until along π ′ j . We observe that t π′ j l T K, t π′ j i = tπ′′ l+v i for all l. Therefore, T K, tπ′′ k |=c ϕ2 implies k−v |=c ϕ2. Since d π′′ i k ∈ I2 we have d π′′ i k ≥ ml¯r + d2 + d3 and thus d π′ j i k−v = dπ′′ k − d2 ≥ ml¯r + d3, i.e., the duration of π ′ j until the (k − v)-th state is above the lower bound of I. It is easy to see that this
Timed CTL Model Checking in Real-Time Maude 17 duration is also below the upper bound (d π′′ i k is below the upper bound and d π′ j k−v i = dπ′′ k − d2 < d π′′ i k ). Finally, T K, t π′′ i l+v |=c ϕ1 implies T K, t π′ j l |=c ϕ1 for all l < k−v Therefore, the index (k − v) is appropriate to show that the path π ′ j satisfies the bounded until property. “⇐”: The proof structure is illustrated in Figure 2. Assume that R, t π j |=c E ϕ1 UI ϕ2 holds. Then by definition there is a path πj ∈ tfPaths T K(t π j ) such that for each time refinement π′ j ∈ tfPaths T K(t π j ) of πj there is an index k s.t. d π′ j j k ∈ I, T K, tπ′ k |=c ϕ2, and T K, t π′ j l |=c ϕ1 for all 0 ≤ l < k. Let πj be such a path. Remember that mu¯r denotes the upper bound of I in case it is finite. Let π ′ j be πj if the upper bound of I is INF or 0 and a time refinement of πj which contains the state t∗∗ at the time point mu¯r − d2 otherwise. Then the above properties hold also for π ′ j . Let πi be the concatenation of π pre i (appearing in π) and π ′ j . We show that πi satisfies the requirements for R, tπ i |=c E ϕ1 UI ϕ2. Let π ′ i be a time refinement of πi. Then tπ j appears in π′ i at time point d2 at some position v. Let π ′′ j be the suffix of π′ i starting at position v. Then π′′ j is a time refinement of π ′ j T K, t π′′ j l j . Therefore there must be an index k s.t. dπ′′ k j ∈ I, T K, tπ′′ k |=c ϕ2, and |=c ϕ1 for all 0 ≤ l < k. We distinguish between k = 0 and k > 0. k = 0 For the case k = 0 notice that t π′′ j 0 = tπ j and thus T K, tπ j |=c ϕ2. By induction we get T K, t π i |=c ϕ2. Furthermore, since d π′′ j 0 j = 0 and dπ′′ 0 ∈ I, the lower bound of I must be 0. I.e., the index 0 satisfies the condition for the bounded until on the path π ′ i . k > 0 Otherwise, if k > 0 then, since t π′′ j 0 = tπj we get T K, tπj |=c ϕ1 and by induction T K, t π′ i l |=c ϕ1 for all l < v (i.e., all states in the prefix π pre′ i of π ′ i ending at tπj at time point d2 satisfy ϕ1). (i) If the upper bound of I is INF then we show that k+v is an appropriate index to satisfy the bounded until along π ′ j i . From T K, tπ′′ k |=c ϕ2 and t π′′ j i i k = tπ′ k+v we conclude that T K, tπ′ k+v |=c ϕ2. Furthermore, d π′′ j is above the lower bound of I and d π′ i j k+v = dπ′′ k + d2, i.e., d π′ i k+v ∈ I. Finally, all states with indices from v to (k + v − 1) in π ′ i satisfy ϕ1, since they also appear in π ′′ j before the index k. We have already shown above that the states with indices up to v also satisfy ϕ1, therefore the bounded until is satisfied along the path π ′ i . (ii) Assume next that the upper bound mu¯r of I is finite. Note that k > 0 implies mu > 0. We first assume d π′′ j k ∈ I2 = (mu¯r − d2, mu¯r], and consider d π′′ j k ∈ I1 = I\I2 in case (iii). k
Page 1 and 2: Timed CTL Model Checking in Real-Ti
Page 15: π : πi : π ′ i : πj : π ′
Page 23 and 24: π : πi : π ′ i : πj : π ′

Timed CTL Model Checking in Real-Time Maude⋆ - IfI

Create successful ePaper yourself

Delete template?

Save as template?