Timed CTL Model Checking in Real-Time Maude⋆ - IfI

More documents

Recommendations

Info

$G:\MISQ\2006\September 2006\Gregor.wpd - IfI$

20 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky π : πj : π ′ j : πi : π ′ i : π ′′ j : π ′ : 0 ¯r 2¯r 3¯r 4¯r 5¯r t π i t π j n¯r d1 d2 d3 π pre π pre i t π j ml ¯r−d2− d 1 2 t π j t ∗ t π i t π j t ∗ π pre i t π i t π j t ∗ π pre′ i t π j t ∗ t π i t π j t ∗ π pre π ′ i Fig. 3: Lemma 1: Proof structure for the “⇒” direction of universally quantified bounded until I1 π ′ j π ′′ j ml ¯r I t ∗∗ t ∗∗ t ∗∗ t ∗∗ t ∗∗ I2 I I
Timed CTL Model Checking in Real-Time Maude 21 π ′ i of πi and an index k s.t. d π′ i i k ∈ I, T K, tπ′ k |=c ϕ2, and T K, t π′ i l |=c ϕ1 for all 0 ≤ l < k. Let π ′ i be such a path and k such an index. Note that π ′ i contains the state tπj at time point d2. Let π pre′ i and π ′′ j be the prefix resp. suffix of π ′ i ending resp. starting at that state. Let v be the number of states in π pre′ i and let π ′ be the concatenation of πpre and π ′ i . We show that the bounded until is satisfied along π ′′ j , being a time refinement of πj. Remember that ml¯r is the lower bound of I. We distinguish between (i) d π′ i k ∈ I1 = [ml¯r, ml¯r + d2 + d3) and (ii) d π′ i k ∈ I2 = I\I1. (i) Assume first that d π′ i k ∈ I1 = [ml¯r, ml¯r + d2 + d3). We observe that π ′ i contains the state t∗∗ at time point ml¯r + d2 (we added this sample point when refining πj to π ′ j ), thus t∗∗ appears in π ′ at time point (n + ml)¯r + d1 + d2. Furthermore, we assumed that d π′ i k ∈ I1, i.e., ml¯r ≤ d π′ i k < ml¯r + d2 + d3, implying that t π′ i [(n + ml)¯r + d1, (n + ml + 1)¯r). Thus both t∗∗ and t π′ i k appear in π′ in the interval ((n + ml)¯r, (n + ml + 1)¯r), and from T K, t π′ i k |=c ϕ2 we get by induction that T K, t∗∗ |=c ϕ2. k appears in π′ at a time point in Note that t ∗∗ also appears in π ′′ j . We want to show that the index of t∗∗ in π ′′ j satisfies the conditions for the satisfaction of the until formula by π′′ j . We already have shown that T K, t ∗∗ |=c ϕ2. Additionally, t ∗∗ appears in π ′′ j at time point ml¯r, which is the left end point of the interval I. In case ml = 0 we are done, because there are no states prior to t∗∗ in π ′′ j . Otherwise, if ml > 0, it remains to show that all states prior to t∗∗ in π ′′ j satisfy ϕ1. There are two cases. ∗ We know that all states t π′ i l with l < k (especially all states at time points less than ml¯r) satisfy ϕ1. We conclude that the states in π ′′ j at time points less than ml¯r − d2, building a subset of the above states, all satisfy ϕ1. ∗ It remains to show that all states at time points from [ml¯r −d2, ml¯r) in π ′′ j also satisfy ϕ1. Notice that π ′ i contains the state t∗ at time point ml¯r − d1/2. Since this time point is below the lower bound of I we have T K, t ∗ |=c ϕ1. This state t ∗ appears in π ′ is at time point (n¯r + d1) + (ml¯r − d1/2) = (n + ml)¯r + d1/2 . By induction we get that all states appearing in π ′ at time points from the interval ((n + ml)¯r, (n + ml + 1)¯r) satisfy ϕ1. I.e., all states in π ′′ j at time points from ((n + ml)¯r − (n¯r + d1 + d2), (n + ml + 1)¯r − (n¯r + d1 + d2)) = (ml¯r − d1 − d2, (ml + 1)¯r − d1 − d2) ⊇ [ml¯r − d2, ml¯r) satisfy ϕ1.
Page 1 and 2: Timed CTL Model Checking in Real-Ti
Page 15 and 16: π : πi : π ′ i : πj : π ′
Page 19: Timed CTL Model Checking in Real-Ti
Page 23 and 24: π : πi : π ′ i : πj : π ′

Timed CTL Model Checking in Real-Time Maude⋆ - IfI

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?