3.7 Properties about trajectory formulas

The syntactic sugar of STE is very limited, as we have seen above, but STE formulas have many useful properties, which we explain in this section. These properties enable STE model checking results to be lifted as theorems and used as inference rules in a theorem proving environment [4, 6, 48, 55, 56, 96]. Inference rules provide an effective property decomposition strategy that breaks the original STE model checking run into smaller runs: the STE model checker is used to check the validity of these smaller runs, and the smaller results are then combined in the theorem proving environment into a theorem that represents the result of the overall model checking run. This spirit of combining model checking and theorem proving has drawn considerable attention in other kinds of model checking as well [10, 11, 64, 73, 99, 107].

We present these properties and their proofs here, and, in Chapter 8, when we present an extension of the STE inference rules, we will use many of these properties in the proofs of the new STE inference rules.

Lemma 3.9. Defining sequence less than or equal to defining trajectory

$\vdash \forall M\,\phi\,A.\ ([A]_\phi \sqsubseteq_\sigma [\![A]\!]_\phi M)$

Proof: Unfolding the definition of $\sqsubseteq_\sigma$ we need to prove the following:

$\forall M\,\phi\,A.\ \forall t\,n.\ ([A]_\phi\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n)$

We will prove this by induction on $t$. For any arbitrary $M$, antecedent $A$, and valuation $\phi$, we show the following two cases:

Base: We show for any $n$ that $[A]_\phi\, 0\, n \sqsubseteq [\![A]\!]_\phi M\, 0\, n$

$\equiv [A]_\phi\, 0\, n \sqsubseteq [A]_\phi\, 0\, n$ - using Definition 3.10 and Lemma 3.13

Hence the base is proved.

Step: We prove for any $n$ that

$[A]_\phi\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n$

$\equiv [A]_\phi\, (t+1)\, n \sqsubseteq ([A]_\phi\, (t+1)\, n) \sqcup (M([\![A]\!]_\phi M\, t)\, n)$ - Definition 3.10

which is true from Lemma 3.5. Hence the step is proved.

Lemma 3.10. Defining trajectory preserves information ordering

$\vdash \forall M.\ \mathit{Monotonic}\ M \supset \forall A\,B\,\phi.\ ([B]_\phi \sqsubseteq_\sigma [\![A]\!]_\phi M) \supset ([\![B]\!]_\phi M \sqsubseteq_\sigma [\![A]\!]_\phi M)$

Proof: Unfolding the definition of $\sqsubseteq_\sigma$ we need to prove the following:

$\forall M.\ \mathit{Monotonic}\ M \supset \forall A\,B\,\phi.\ (\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n) \supset (\forall t\,n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n)$

The proof takes place by induction on $t$, for any arbitrary $M$, $A$, $B$ and $\phi$, by assuming the following:

1. $\mathit{Monotonic}\ M$
2. $\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n$

we prove:

Base: $\forall n.\ [\![B]\!]_\phi M\, 0\, n \sqsubseteq [\![A]\!]_\phi M\, 0\, n$

Step: $(\forall n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n) \supset (\forall n.\ [\![B]\!]_\phi M\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n)$

Base: For any $\phi$ and $n$, we show that

$[\![B]\!]_\phi M\, 0\, n \sqsubseteq [\![A]\!]_\phi M\, 0\, n$

$\equiv [B]_\phi\, 0\, n \sqsubseteq [\![A]\!]_\phi M\, 0\, n$ - follows from the assumptions

From assumption (2) we know that for all $t$ and $n$, $[B]_\phi\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n$, so it is true in particular for $t = 0$. This proves the base case.

Step: We prove for any $\phi$ and $n$ that

$[\![B]\!]_\phi M\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n$

3. $\forall n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n$ - ind. hypothesis
4. $\forall s\,s'.\ (s \sqsubseteq_s s') \supset ((M\, s) \sqsubseteq_s (M\, s'))$ - 1 and Definition 3.7
5. $([\![B]\!]_\phi M\, t \sqsubseteq_s [\![A]\!]_\phi M\, t) \supset (M([\![B]\!]_\phi M\, t) \sqsubseteq_s M([\![A]\!]_\phi M\, t))$ - 4 holds for $[\![B]\!]_\phi M\, t$ and $[\![A]\!]_\phi M\, t$
6. $(\forall n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n) \supset (\forall n.\ M([\![B]\!]_\phi M\, t)\, n \sqsubseteq M([\![A]\!]_\phi M\, t)\, n)$ - Definition 3.5
7. $\forall n.\ M([\![B]\!]_\phi M\, t)\, n \sqsubseteq M([\![A]\!]_\phi M\, t)\, n$ - modus ponens on 3, 6
8. $M([\![B]\!]_\phi M\, t)\, n \sqsubseteq M([\![A]\!]_\phi M\, t)\, n$ - holds for any $n$
9. $[B]_\phi\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n$ - from 2
10. $[B]_\phi\, (t+1)\, n \sqsubseteq [A]_\phi\, (t+1)\, n \sqcup (M([\![A]\!]_\phi M\, t)\, n)$ - Definition 3.10
11. $[\![B]\!]_\phi M\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n$ - Lemma 3.8, 8 and 10

Hence the step is proved.

Lemma 3.11. Defining sequence is monotonic

$\vdash \forall A\,B\,\phi.\ ([A]_\phi \sqsubseteq_\sigma [A\ \mathit{and}\ B]_\phi)$

Proof: Unfolding the definition of $\sqsubseteq_\sigma$ we need to prove the following:

$\forall A\,B\,\phi.\ \forall t\,n.\ ([A]_\phi\, t\, n \sqsubseteq [A\ \mathit{and}\ B]_\phi\, t\, n)$

We prove for any arbitrary $A$, $B$, $\phi$, $t$ and $n$ that

$[A]_\phi\, t\, n \sqsubseteq [A\ \mathit{and}\ B]_\phi\, t\, n$

$\equiv [A]_\phi\, t\, n \sqsubseteq ([A]_\phi\, t\, n \sqcup [B]_\phi\, t\, n)$ - Definition 3.9

which is true from Lemma 3.5.

Lemma 3.12. Defining sequence of a formula is contained in the defining trajectory of the conjunction

$\vdash \forall M.\ \forall A\,B\,\phi.\ ([A]_\phi \sqsubseteq_\sigma [\![A\ \mathit{and}\ B]\!]_\phi M)$

Proof: Unfolding the definition of $\sqsubseteq_\sigma$ we need to prove the following:

$\forall M.\ \forall A\,B\,\phi.\ \forall t\,n.\ ([A]_\phi\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n)$

For any arbitrary $M$, $A$, $B$, and $\phi$ we will prove by induction on $t$

$\forall t\,n.\ ([A]_\phi\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n)$

Base: $t = 0$

$[A]_\phi\, 0\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, 0\, n$

$\equiv [A]_\phi\, 0\, n \sqsubseteq [A\ \mathit{and}\ B]_\phi\, 0\, n$ - Definition 3.10

$\equiv [A]_\phi\, 0\, n \sqsubseteq (([A]_\phi\, 0\, n) \sqcup ([B]_\phi\, 0\, n))$ - Definition 3.9

which is true from Lemma 3.5. Hence the base case is proved.

Step: We will prove that

$[A]_\phi\, (t+1)\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, (t+1)\, n$

$\equiv [A]_\phi\, (t+1)\, n \sqsubseteq ([A\ \mathit{and}\ B]_\phi\, (t+1)\, n) \sqcup (M([\![A\ \mathit{and}\ B]\!]_\phi M\, t)\, n)$ - Definition 3.10

1. $[A]_\phi\, (t+1)\, n \sqsubseteq [A\ \mathit{and}\ B]_\phi\, (t+1)\, n$ - Lemma 3.11
2. $[A]_\phi\, (t+1)\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, (t+1)\, n$ - Lemma 3.7

Hence the step is proved.

Lemma 3.13. Defining trajectory is monotonic

$\vdash \forall M.\ \mathit{Monotonic}\ M \supset \forall A\,B\,\phi.\ ([\![A]\!]_\phi M \sqsubseteq_\sigma [\![A\ \mathit{and}\ B]\!]_\phi M)$

Proof: Unfolding the definition of $\sqsubseteq_\sigma$ we need to prove the following:

$\forall M.\ \mathit{Monotonic}\ M \supset \forall A\,B\,\phi.\ \forall t\,n.\ ([\![A]\!]_\phi M\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n)$

For any arbitrary $M$, $A$, $B$ and $\phi$ we assume that $M$ is monotonic and prove that

$[\![A]\!]_\phi M\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n$

1. $\mathit{Monotonic}\ M$ - assumption
2. $\forall M\,A\,B.\ \mathit{Monotonic}\ M \supset (\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n) \supset (\forall t\,n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n)$ - Lemma 3.10
3. $\forall A\,B.\ (\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n) \supset (\forall t\,n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n)$ - modus ponens on 1 and 2
4. $(\forall t\,n.\ [A]_\phi\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n) \supset (\forall t\,n.\ [\![A]\!]_\phi M\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n)$ - from 3
5. $\forall t\,n.\ ([A]_\phi\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n)$ - modus ponens on Lemma 3.12 and 1
6. $[\![A]\!]_\phi M\, t\, n \sqsubseteq [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n$ - modus ponens on 4 and 5

Lemma 3.14. Defining trajectory is commutative

$\vdash \forall M\,A\,B\,\phi.\ ([\![B\ \mathit{and}\ A]\!]_\phi M = [\![A\ \mathit{and}\ B]\!]_\phi M)$

Proof: Two functions are equal if they return the same value for all elements in the domain. Thus we need to prove the following:

$\forall M\,A\,B\,\phi.\ \forall t\,n.\ ([\![B\ \mathit{and}\ A]\!]_\phi M\, t\, n = [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n)$

For arbitrary $M$, $A$, $B$ and $\phi$, we prove by induction on $t$.

Base: $t = 0$

$([B]_\phi\, 0\, n \sqcup [A]_\phi\, 0\, n) = ([A]_\phi\, 0\, n \sqcup [B]_\phi\, 0\, n)$ - Definition 3.9, Definition 3.10

which is true from Lemma 3.4. Hence the base case is proved.

Step: We have to prove

$[\![B\ \mathit{and}\ A]\!]_\phi M\, (t+1)\, n = [\![A\ \mathit{and}\ B]\!]_\phi M\, (t+1)\, n$

1. $\forall n.\ [\![B\ \mathit{and}\ A]\!]_\phi M\, t\, n = [\![A\ \mathit{and}\ B]\!]_\phi M\, t\, n$ - ind. hypothesis
2. $[\![B\ \mathit{and}\ A]\!]_\phi M\, t = [\![A\ \mathit{and}\ B]\!]_\phi M\, t$ - extensionality
3. $M([\![B\ \mathit{and}\ A]\!]_\phi M\, t) = M([\![A\ \mathit{and}\ B]\!]_\phi M\, t)$ - congruence
4. $M([\![B\ \mathit{and}\ A]\!]_\phi M\, t)\, n = M([\![A\ \mathit{and}\ B]\!]_\phi M\, t)\, n$ - congruence
5. $[\![B\ \mathit{and}\ A]\!]_\phi M\, (t+1)\, n = ([B\ \mathit{and}\ A]_\phi\, (t+1)\, n) \sqcup (M([\![B\ \mathit{and}\ A]\!]_\phi M\, t)\, n)$ - Definition 3.10
6. $[\![A\ \mathit{and}\ B]\!]_\phi M\, (t+1)\, n = ([A\ \mathit{and}\ B]_\phi\, (t+1)\, n) \sqcup (M([\![A\ \mathit{and}\ B]\!]_\phi M\, t)\, n)$ - Definition 3.10
7. $[A\ \mathit{and}\ B]_\phi\, (t+1)\, n = [B\ \mathit{and}\ A]_\phi\, (t+1)\, n$ - Definition 3.9, Lemma 3.4
8. $[\![B\ \mathit{and}\ A]\!]_\phi M\, (t+1)\, n = [\![A\ \mathit{and}\ B]\!]_\phi M\, (t+1)\, n$ - from 4 and 7

Hence the step is proved.

Lemma 3.15. Defining sequence containment implies defining trajectory containment

$\vdash \forall M.\ \mathit{Monotonic}\ M \supset \forall A\,B\,\phi.\ ([B]_\phi \sqsubseteq_\sigma [A]_\phi) \supset ([\![B]\!]_\phi M \sqsubseteq_\sigma [\![A]\!]_\phi M)$

Proof: Unfolding the definition of $\sqsubseteq_\sigma$, we need to prove the following:

$\forall M.\ \mathit{Monotonic}\ M \supset \forall A\,B\,\phi.\ (\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [A]_\phi\, t\, n) \supset (\forall t\,n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n)$

For any arbitrary $M$ which is monotonic and any arbitrary $A$, $B$ and $\phi$, we show

$\forall t\,n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n$

We prove this by induction on $t$.

Base: $t = 0$

$[B]_\phi\, 0\, n \sqsubseteq [A]_\phi\, 0\, n$ - instance of the assumption $\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [A]_\phi\, t\, n$ at $t = 0$

$\equiv [\![B]\!]_\phi M\, 0\, n \sqsubseteq [\![A]\!]_\phi M\, 0\, n$ - $t = 0$ and using Definition 3.10

Hence the base is proved.

Step:

1. $[\![B]\!]_\phi M\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n$ - to prove
2. $([B]_\phi\, (t+1)\, n \sqcup M([\![B]\!]_\phi M\, t)\, n) \sqsubseteq ([A]_\phi\, (t+1)\, n \sqcup M([\![A]\!]_\phi M\, t)\, n)$ - applying Definition 3.10 on 1
3. $\mathit{Monotonic}\ M$ - assumption
4. $\forall t\,n.\ [B]_\phi\, t\, n \sqsubseteq [A]_\phi\, t\, n$ - assumption
5. $\forall n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n$ - ind. hypothesis
6. $\forall s\,s'.\ (s \sqsubseteq_s s') \supset ((M\, s) \sqsubseteq_s (M\, s'))$ - Definition 3.7
7. $(\forall n.\ [\![B]\!]_\phi M\, t\, n \sqsubseteq [\![A]\!]_\phi M\, t\, n) \supset (\forall n.\ M([\![B]\!]_\phi M\, t)\, n \sqsubseteq M([\![A]\!]_\phi M\, t)\, n)$ - 6 holds for $[\![B]\!]_\phi M\, t$ and $[\![A]\!]_\phi M\, t$
8. $\forall n.\ M([\![B]\!]_\phi M\, t)\, n \sqsubseteq M([\![A]\!]_\phi M\, t)\, n$ - modus ponens on 5 and 7
9. $[B]_\phi\, (t+1)\, n \sqsubseteq [A]_\phi\, (t+1)\, n$ - from 4
10. $M([\![B]\!]_\phi M\, t)\, n \sqsubseteq M([\![A]\!]_\phi M\, t)\, n$ - from 8
11. $[\![B]\!]_\phi M\, (t+1)\, n \sqsubseteq [\![A]\!]_\phi M\, (t+1)\, n$ - from 9, 10 and Lemma 3.6

Hence the step is proved.
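As an added illustration that is not part of the thesis, the following Python model computes the defining sequence (Definition 3.9) and defining trajectory (Definition 3.10) over the quaternary lattice and spot-checks Lemmas 3.9 and 3.11 to 3.14 on constructed antecedents. The next-state function M (z takes a AND b, with a and b unconstrained), the encoding of antecedents as dicts, and the names `seq`, `conj`, `traj` and `check_lemmas` are assumptions of this example, not the thesis's definitions.

```python
from itertools import product

# Quaternary lattice as sets of possible Boolean values: X = {0,1} lies below
# 0 = {0} and 1 = {1}; T = {} (overconstrained) is the top element.
SETS = {"X": {0, 1}, "0": {0}, "1": {1}, "T": set()}
FROM_SET = {frozenset(v): k for k, v in SETS.items()}
NODES = ("a", "b", "z")

def leq(x, y):
    """Information ordering x ⊑ y: x allows every value that y allows."""
    return SETS[x] >= SETS[y]

def lub(x, y):
    """Least upper bound x ⊔ y: keep only values both allow (so 0 ⊔ 1 = T)."""
    return FROM_SET[frozenset(SETS[x] & SETS[y])]

def seq(A, t, n):
    """[A]_phi t n; A is a constructed antecedent {(time, node): value}, else X."""
    return A.get((t, n), "X")

def conj(A, B):
    """[A and B]_phi t n = [A]_phi t n ⊔ [B]_phi t n (Definition 3.9)."""
    times = {t for t, _ in A} | {t for t, _ in B}
    return {(t, n): lub(seq(A, t, n), seq(B, t, n)) for t in times for n in NODES}

def M(state):
    """Constructed next-state function z <- a AND b over sets of possible values;
    computing on sets makes M monotonic in the sense of Definition 3.7."""
    poss = {x & y for x, y in product(SETS[state["a"]], SETS[state["b"]])}
    return {"a": "X", "b": "X", "z": FROM_SET[frozenset(poss)]}

def traj(A, t):
    """[[A]]_phi M t (Definition 3.10): [A]_phi t joined with M of step t-1."""
    base = {n: seq(A, t, n) for n in NODES}
    if t == 0:
        return base
    prev = M(traj(A, t - 1))
    return {n: lub(base[n], prev[n]) for n in NODES}

def check_lemmas(A, B, horizon=4):
    """True iff Lemmas 3.9, 3.11, 3.12, 3.13 and 3.14 all hold on A, B and M."""
    AB, BA = conj(A, B), conj(B, A)
    ok = True
    for t, n in product(range(horizon), NODES):
        ok &= leq(seq(A, t, n), traj(A, t)[n])    # 3.9:  [A] ⊑σ [[A]] M
        ok &= leq(seq(A, t, n), seq(AB, t, n))    # 3.11: [A] ⊑σ [A and B]
        ok &= leq(seq(A, t, n), traj(AB, t)[n])   # 3.12: [A] ⊑σ [[A and B]] M
        ok &= leq(traj(A, t)[n], traj(AB, t)[n])  # 3.13: [[A]] M ⊑σ [[A and B]] M
        ok &= traj(BA, t)[n] == traj(AB, t)[n]    # 3.14: commutativity
    return ok

# Constructed antecedents: A asserts a=1, b=1 at time 0; B asserts b=0 at time 0
# and z=1 at time 1, so A and B overconstrains b to T at time 0.
A_SAMPLE = {(0, "a"): "1", (0, "b"): "1"}
B_SAMPLE = {(0, "b"): "0", (1, "z"): "1"}
```

Note that the converse of Lemma 3.9 fails here: at time 1 the trajectory of A already knows z = 1 from M, while the defining sequence of A says only X.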
