18 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky

[Figure 2: paths $\pi$, $\pi_i$, $\pi'_i$, $\pi_j$, $\pi'_j$, $\pi''_j$ and $\pi'$ drawn over the time axis $0, \bar{r}, 2\bar{r}, 3\bar{r}, 4\bar{r}, 5\bar{r}$, with the marks $d_1$, $d_2$, $d_3$, $m_u\bar{r} - d_2$, the states $t^{\pi}_i$, $t^{\pi}_j$, $t^{**}$ and the intervals $I$, $I_1$, $I_2$.]

Fig. 2: Lemma 1: Proof structure for the “⇐” direction of existentially quantified bounded until
Timed CTL Model Checking in Real-Time Maude 19

Assume that $d^{\pi''_j}_k \in I_2$ and let $\pi'$ be the concatenation of $\pi^{pre}$ and $\pi'_i$. The state $t^{\pi''_j}_k$ appears in $\pi''_j$ by assumption at a time point in $(m_u\bar{r} - d_2, m_u\bar{r}]$, and therefore also in $\pi'_i$ at a time point in $(m_u\bar{r}, m_u\bar{r} + d_2]$ and in $\pi'$ at a time point in $((n + m_u)\bar{r} + d_1, (n + m_u)\bar{r} + d_1 + d_2]$. By construction $\pi'_j$ contains the state $t^{**}$ at time point $m_u\bar{r} - d_2$. Again by construction, also $\pi'_i$ contains $t^{**}$ at time point $m_u\bar{r} - d_2 + d_2 = m_u\bar{r}$. Therefore, the state $t^{**}$ appears also in $\pi'$ at time point $(n + m_u)\bar{r} + d_1$. We conclude that both $t^{\pi''_j}_k$ and $t^{**}$ appear in $\pi'$ within the time interval $((n + m_u)\bar{r}, (n + m_u + 1)\bar{r})$. From $\mathcal{TK}, t^{\pi''_j}_k \models_c \varphi_2$ we get therefore by induction $\mathcal{TK}, t^{**} \models_c \varphi_2$. Since $t^{**}$ appears in $\pi'_i$ at time point $m_u\bar{r}$, being the upper bound of $I$, also the time bound of the until is satisfied for $t^{**}$ on $\pi'_i$. Finally, we have already shown that all states up to index $v$ in $\pi'_i$ satisfy $\varphi_1$. This holds also for all remaining states preceding $t^{**}$ in $\pi'_i$, since they also appear in $\pi''_j$ before the index $k$. Thus the index of $t^{**}$ in $\pi'_i$ satisfies the condition of the bounded until on $\pi'_i$.
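The bounded-until condition on a timed path that this argument keeps appealing to (a witness index $k$ with $d_k \in I$, $\varphi_2$ at that state and $\varphi_1$ at every earlier state), together with the index and duration shift caused by concatenating a prefix of $v$ steps and total duration $d_2$, as an added Python example; it is not code from the paper or from Real-Time Maude, and the state names, predicates and interval are constructed sample values.

```python
from typing import Callable, List, Optional, Tuple

# A timed path is a list of (state, d_k) pairs, where d_k is the duration
# elapsed from the first state to the k-th state (so d_0 = 0).
TimedPath = List[Tuple[str, float]]
Pred = Callable[[str], bool]


def bounded_until_index(path: TimedPath, phi1: Pred, phi2: Pred,
                        interval: Tuple[float, float]) -> Optional[int]:
    """Index k witnessing phi1 U_I phi2 on `path`: d_k in I, phi2 holds at
    t_k and phi1 holds at every t_l with 0 <= l < k.  None if no such k."""
    lo, hi = interval
    for k, (state, d_k) in enumerate(path):
        if lo <= d_k <= hi and phi2(state):
            return k                    # witness found inside the time bound
        if d_k > hi or not phi1(state):
            return None                 # bound exceeded or phi1 broken first
    return None


def concat(prefix: TimedPath, suffix: TimedPath) -> TimedPath:
    """Glue pi_pre (v+1 states, total duration d_pre) to pi'' at their shared
    state: state l of the result is state l-v of pi'' for l >= v, and its
    duration is d_{l-v} + d_pre, the shift used in the proof."""
    if prefix[-1][0] != suffix[0][0]:
        raise ValueError("paths must be glued at a common state")
    d_pre = prefix[-1][1]
    return prefix[:-1] + [(s, d + d_pre) for s, d in suffix]


def shifted_witness(prefix: TimedPath, suffix: TimedPath, phi1: Pred,
                    phi2: Pred, interval: Tuple[float, float]):
    """Return (k, k+v): the witness index on pi'' and the index of the same
    state on the concatenation, checked against I shifted by d_pre."""
    k = bounded_until_index(suffix, phi1, phi2, interval)
    if k is None:
        return None
    d_pre = prefix[-1][1]
    lo, hi = interval
    k_full = bounded_until_index(concat(prefix, suffix), phi1, phi2,
                                 (lo + d_pre, hi + d_pre))
    return (k, k_full)


# Constructed sample: pi_pre has v = 2 steps and total duration d_pre = 3.
PI_PRE: TimedPath = [("s0", 0.0), ("s1", 1.0), ("s2", 3.0)]
PI_SUFFIX: TimedPath = [("s2", 0.0), ("s3", 1.0), ("s4", 2.0), ("s5", 4.0)]
PHI1 = lambda s: s != "s5"   # phi1: constructed predicate
PHI2 = lambda s: s == "s4"   # phi2: constructed predicate
INTERVAL = (1.5, 3.0)        # I, constructed
```

With these values `shifted_witness` returns `(2, 4)`: the witness at index 2 of the suffix sits at index 2 + v = 4 of the concatenation, with duration 2 + d_pre = 5 inside the shifted interval.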
(iii) For the case $d^{\pi''_j}_k \in I_1 = I \setminus I_2$ we observe that $t^{\pi'_i}_l = t^{\pi''_j}_{l-v}$ for all $l \geq v$. Therefore, $\mathcal{TK}, t^{\pi''_j}_k \models_c \varphi_2$ implies $\mathcal{TK}, t^{\pi'_i}_{k+v} \models_c \varphi_2$. Since $d^{\pi''_j}_k \in I_2$ we have $d^{\pi''_j}_k \leq m_u\bar{r} - d_2$ and thus $d^{\pi'_i}_{k+v} = d^{\pi''_j}_k + d_2 \leq m_u\bar{r}$, i.e., the duration of $\pi'_i$ until the $(k + v)$-th state is below the upper bound of $I$. It is easy to see that this duration is also above the lower bound ($d^{\pi''_j}_k$ is above the lower bound and $d^{\pi'_i}_{k+v} = d^{\pi''_j}_k + d_2 > d^{\pi''_j}_k$). We have already shown above that the states with indices up to $v$ satisfy $\varphi_1$. Furthermore, $\mathcal{TK}, t^{\pi''_j}_l \models_c \varphi_1$ implies $\mathcal{TK}, t^{\pi'_i}_{l+v} \models_c \varphi_1$ for all $l < k$. Therefore, the index $(k + v)$ is appropriate to show that the path $\pi'_i$ satisfies the bounded until property.

– $\varphi = A\,\varphi_1\,U_I\,\varphi_2$, “⇒”: This proof case is quite analogous to the “⇒” direction of the existentially quantified bounded until case. The proof structure is illustrated in Figure 3. Assume that $\mathcal{R}, t^{\pi}_i \models_c A\,\varphi_1\,U_I\,\varphi_2$ holds. Then by definition each path $\pi_i \in \mathit{tfPaths}_{\mathcal{TK}}(t^{\pi}_i)$ has a time refinement $\pi'_i \in \mathit{tfPaths}_{\mathcal{TK}}(t^{\pi}_i)$ such that for some index $k$ with $d^{\pi'_i}_k \in I$ we have $\mathcal{TK}, t^{\pi'_i}_k \models_c \varphi_2$, and $\mathcal{TK}, t^{\pi'_i}_l \models_c \varphi_1$ for all $0 \leq l < k$. We show that $\mathcal{R}, t^{\pi}_j \models_c A\,\varphi_1\,U_I\,\varphi_2$ holds. Let $\pi_j \in \mathit{tfPaths}_{\mathcal{TK}}(t^{\pi}_j)$ be a path. Due to time robustness, $\pi_j$ has a time refinement $\pi'_j \in \mathit{tfPaths}_{\mathcal{TK}}(t^{\pi}_j)$ which contains a state $t^{**}$ at time point $m_l\bar{r}$ (which is $t^{\pi}_j$ in case $m_l = 0$) and a state $t^{*}$ at time point $m_l\bar{r} - d_2 - d_1/2$ in case $m_l > 0$. Let $\pi'_j$ be such a time refinement and let $\pi_i$ be the concatenation of $\pi^{pre}_i$ and $\pi'_j$. From $\mathcal{R}, t^{\pi}_i \models_c A\,\varphi_1\,U_I\,\varphi_2$ we conclude that there is a time refinement