Timed CTL Model Checking in Real-Time Maude⋆ - IfI

More documents

Recommendations

Info

$G:\MISQ\2006\September 2006\Gregor.wpd - IfI$

24 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky Finally, all states with indices from v to (k + v − 1) in π ′ i satisfy ϕ1, since they also appear in π ′′ j before the index k. We have already shown above that the states with indices up to v also satisfy ϕ1, therefore the bounded until is satisfied along the path π ′ i . (ii) Otherwise mu¯r is the finite upper bound of I. Note that k > 0 implies mu > 0. We assume first d π′ j k ∈ I2 = (mu¯r − d2, mu¯r] and cover d π′ j k ∈ I1 = I\I2 in case (iii). Let π ′ be the concatenation πpre′ and π ′′ j j . The state tπ′ k appears in π ′ j by assumption at a time point in (mu¯r − d2, mu¯r], and therefore also in π ′′ i at a time point in (mu¯r, mu¯r + d2] and in π ′ at time point ((n + mu)¯r + d1, (n + mu)¯r + d1 + d2]. By construction π ′ j contains the state t∗∗ at time point mu¯r − d2. Again by construction, also π ′′ i contains t∗∗ at time point mu¯r −d2 + d2 = mu¯r. Therefore, the state t∗∗ appears also in π ′ at time point (n + mu)¯r + d1. We conclude that both t π′ j k and t∗∗ appear in π ′ within the time interval ((n + mu)¯r, (n + mu + 1)¯r). From T K, t π′ j k |=c ϕ2 we get therefore by induction T K, t ∗∗ |=c ϕ2 . Since t ∗∗ appears in π ′′ i at time point mu¯r being the upper bound of I, also the time bound of the until is satisfied for t ∗∗ on π ′′ i . We have shown above that all states with indices up to v in π ′′ i satisfy ϕ1. The remaining states preceeding t ∗∗ in π ′′ i also satisfy ϕ1, since they appear in π ′ j before the index k. Thus the index of t∗∗ in π ′′ i satisfies the condition of the bounded until on π ′ i . (iii) For the case d π′ j k ∈ I1 = I\I2 we observe that t π′′ i l j = tπ′ l−v for all l ≥ v. Therefore, T K, t π′ j k |=c ϕ2 implies T K, t π′′ i k+v |=c ϕ2. Since d π′ j k ∈ I2 we have d π′ j k ≤ mu¯r − d2 and thus d π′′ i j k+v = dπ′ k + d2 ≤ mu¯r, i.e., the duration of π ′′ i until the (k + v)-th state is below the upper bound of I. It is easy to see that this duration is also above the lower bound (d π′ j k i j is above the lower bound and dπ′′ k+v = dπ′ k + d2 > d π′ j k ). We have shown above that all states with indices up to v satisfy ϕ1. Furthermore, T K, t π′ j l |=c ϕ1 implies T K, t π′′ i l+v |=c ϕ1 for all l < k. Therefore, the index (k + v) is appropriate to show that the path π ′′ i satisfies the bounded until property. Based on the above lemma we gain our completeness result: Theorem 1. Assume a time-robust real-time rewrite theory R whose time domain satisfies the theory GCD-TIME-DOMAIN. Let Π be a set of tick-invariant atomic propositions, and assume a protecting extension of R defining the atomic propositions in Π and inducing a labeling function LΠ. Let t0 be a state of R, r a non-zero time value of sort Time, ϕ a TCTLcb formula over Π, and assume
Timed CTL Model Checking in Real-Time Maude 25 that ¯r = GCD(R, t0, r, ϕ) is a defined non-zero time value. Then R, LΠ, t |=c ϕ ⇐⇒ R gcd(t0,r,ϕ) , LΠ, t |=p ϕ for all states t reachable in R gcd(t0,r,ϕ) from t0. Proof. Notice that t0 is also a state of R gcd(t0,r,ϕ) . Furthermore, all states t reachable in the abstraction R gcd(t0,r,ϕ) from t0 are also states reachable in R from t0. Since t is reachable in T K gcd , there is a path π pre ∈ tfPaths T K gcd(t0) leading from t0 to t. Let π pre be such a path and let n0 be the number of states in π pre . Note that π pre has tick steps of length ¯r/2 and also that π pre ∈ tfPaths T K(t0). We denote by T K the timed Kripke structure associated to R, by T K gcd the timed Kripke structure associated to R gcd(t0,r,ϕ) . By definition R, LP , t |=c ϕ ⇐⇒ T K, t |=c ϕ, R gcd(t0,r,ϕ) , LP , t |=p ϕ ⇐⇒ T K gcd , t |=p ϕ. Thus the theorem is equivalently proved, if we show that T K, t |=c ϕ ⇐⇒ T K gcd , t |=p ϕ. Given a TCTLcb formula of the kind E ϕ1 UI ϕ2 or A ϕ1 UI ϕ2, we refer to the path formula ϕ1 UI ϕ2 as “the until path formula”. The proof is done by induction on the structure of ϕ. Base cases: – ϕ = true: We have R, LP , t |=c true and R gcd(t0,r,ϕ) , LP , t |=p true for all t by definition of, respectively, |=c and |=p. – ϕ = p: We have R, LP , t |=c p iff p ∈ LP (t) iff R gcd(t0,r,ϕ) , LP , t |=p p, by definition of |=c and |=p. Assume now that the theorem holds by induction hypothesis for ϕ1 and ϕ2 that is, respectively, R, LP , t |=c ϕ1 ⇐⇒ R gcd(t0,r,ϕ) , LP , t |=p ϕ1, R, LP , t |=c ϕ2 ⇐⇒ R gcd(t0,r,ϕ) , LP , t |=p ϕ2, for all states t reachable in the abstraction R gcd(t0,r,ϕ) from t0. – ϕ = ¬ϕ1: – ϕ = ϕ1 ∧ ϕ2: T K, t |=c ¬ϕ1 ⇐⇒ not (T K, t |=c ϕ1) (by def. of |=c) ⇐⇒ not (T K gcd , t |=p ϕ1) (by ind. on ϕ1) ⇐⇒ T K gcd , t |=p ¬ϕ1 . (by def. of |=p) T K, t |=c ϕ1 ∧ ϕ2 ⇐⇒ T K, t |=c ϕ1 and T K, t |=c ϕ2 ⇐⇒ T K (by def. of |=c) gcd , t |=p ϕ1 and T K gcd , t |=p ϕ2 (by ind. on ϕ1 and ϕ2) ⇐⇒ T K gcd , t |=p ϕ1 ∧ ϕ2 . (by def. of |=p)
Page 1 and 2: Timed CTL Model Checking in Real-Ti
Page 15 and 16: π : πi : π ′ i : πj : π ′
Page 23: π : πi : π ′ i : πj : π ′

Timed CTL Model Checking in Real-Time Maude⋆ - IfI

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?