Timed CTL Model Checking in Real-Time Maude⋆ - IfI

Timed CTL Model Checking in Real-Time Maude 19
Assume that d π′′
j
k ∈ I2 and let π ′ be the concatenation π pre and π ′ i .
The state t π′′
j
k
appears in π′′
j
by assumption at a time point in (mu¯r−
d2, mu¯r], and therefore also in π ′ i at a time point in (mu¯r, mu¯r + d2]
and in π ′ at a time point in ((n + mu)¯r + d1, (n + mu)¯r + d1 + d2].
By construction π ′ j contains the state t∗∗ at time point mu¯r − d2.
Again by construction, also π ′ i contains t∗∗ at time point mu¯r − d2 +
d2 = mu¯r. Therefore, the state t ∗∗ appears also in π ′ at time point
(n + mu)¯r + d1.
We conclude that both t π′′ j
k and t∗∗ appear in π ′ within the time
interval ((n + mu)¯r, (n + mu + 1)¯r). From T K, t π′′ j
k |=c ϕ2 we get
therefore by induction T K, t∗∗ |=c ϕ2.
Since t∗∗ appears in π ′ i at time point mu¯r being the upper bound of
I, also the time bound of the until is satisfied for t∗∗ on π ′ i .
Finally, we have already shown that all states up to index v in π ′ i
satisfy ϕ1. This holds also for all remaining states preceeding t∗∗ in
, since they also appear in π′′ before the index k. Thus the index
π ′ i j
of t∗∗ in π ′ i satisfies the condition of the bounded until on π′ i .
(iii) For the case d π′′
j
k ∈ I1 = I\I2 we observe that t π′ i
l
j
= tπ′′
l−v for all l ≥ v.
Therefore, T K, t π′′ j
k |=c ϕ2 implies T K, t π′
i
k+v |=c ϕ2. Since d π′′ j
k
∈ I2
we have d π′′
j
k ≤ mu¯r − d2 and thus d π′ i
j
k+v = dπ′′
k + d2 ≤ mu¯r, i.e., the
duration of π ′ i until the (k + v)-th state is below the upper bound of
I. It is easy to see that this duration is also above the lower bound
(d π′′
j
k is above the lower bound and d π′
i
j
k+v = dπ′′
k + d2 > d π′′
j
k ).
We have already shown above that the states with indices up to v
satisfy ϕ1. Furthermore, T K, t π′′
j
l
|=c ϕ1 implies T K, t π′
i
l+v |=c ϕ1 for
all l < k Therefore, the index (k + v) is appropriate to show that the
path π ′ i satisfies the bounded until property.
– ϕ = A ϕ1 UI ϕ2,
“⇒”: This proof case it quite analogous to the “⇒” direction of the existentially
quantified bounded until case. The proof structure is illustrated in
Figure 3.
Assume that R, tπ i |=c A ϕ1 UI ϕ2 holds. Then by definition each path
πi ∈ tfPathsT K(tπ i ) has a time refinement π′ i ∈ tfPathsT K(tπ i ) such that for
some index k with d π′
i
0 ≤ l < k.
k
i
∈ I we have T K, tπ′
k |=c ϕ2, and T K, t π′
i
l |=c ϕ1 for all
We show that R, tπ j |=c A ϕ1 UI ϕ2 holds. Let πj ∈ tfPathsT K(tπ j ) be a path.
Due to time robustness, πj has a time refinement π ′ j ∈ tfPathsT K(tπ j ) which
contains a state t∗∗ at time point ml¯r (which is tπ j in case ml = 0) and a
state t∗ at time point ml¯r − d2 − d1/2 in case ml > 0.
Let π ′ j be such a time refinement and let πi be the concatenation of π pre
i
and
π ′ j . From R, tπi |=c A ϕ1 UI ϕ2 we conclude that there is a time refinement