--- lemma-3
--- Goal: gate(S) is true whenever channel2(S) has the form Q gateMsg(grant),
--- i.e. once a grant message is at the end of channel2 the gate must be in
--- its "true" state. The goal is proved by induction on S:Sys; the induction
--- hypothesis is the goal itself (label lemma-3, marked nonexec so it is only
--- used through explicit init, never by automatic rewriting).
(goal RAILCAB-NEW |- ceq gate(S:Sys) = true if channel2(S:Sys) = (Q:MsgSeq gateMsg(grant)) [label lemma-3 nonexec] ;)
--- Induction variable, then SI (simultaneous induction) splits the goal into
--- one subgoal per constructor of Sys.
(set ind on S:Sys .)
(apply SI .)
--- Base case. TC (theorem of constants) replaces the goal's variables by
--- fresh constants; the condition "empty = Q gateMsg(grant)" cannot hold, so
--- instantiating this contradiction at Q#1 lets auto close the subgoal.
(apply TC .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(grant) . by (Q:MsgSeq <- Q#1 ;) .)
(auto .)
--- Inductive cases. Each group below is one subgoal: TC introduces the fresh
--- constants, init adds the induction hypothesis instantiated at Q#2, and
--- CA CA IP RD (two case analyses, implication, reduction) discharges it.
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
--- This case needs the hypothesis channel2(x#1) = Q#2 gateMsg(grant) stated
--- explicitly for the fresh constant x#1 before auto can reduce the goal.
(init eq channel2(S:Sys) = Q#2 gateMsg(grant) . by (S:Sys <- x#1 ;) .)
(auto .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
--- Same hypothesis again, then a critical pair between gate(x#1) = false and
--- the conditional gate(x#1) = true if channel2(x#1) = Q#2 gateMsg(grant);
--- (equation .) adds the resulting pair as an equation so auto sees the
--- contradiction. NOTE(review): the label here is lemma-32, not lemma-3 --
--- presumably deliberate, to keep it distinct from the goal; confirm.
(init eq channel2(S:Sys) = Q#2 gateMsg(grant) . by (S:Sys <- x#1 ;) .)
(cp eq gate(x#1) = false . >< ceq gate(x#1) = true if channel2(x#1)= Q#2 gateMsg(grant) [label lemma-32]. )
(equation .)
(auto .)
--- Cases where the induction hypothesis is instantiated at Q#3 instead of Q#2.
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#3 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#3 ;) .)
(apply CA CA IP RD .)
--- Impossibility axiom: channel2 never ends with gateMsg(grant) followed by a
--- further gateMsg(...). Instantiated at x#1 / Q#3 / grant / z#2 it yields
--- true = false, which auto uses to close the case. It is stated inline here,
--- so it must already hold in RAILCAB-NEW -- TODO confirm which lemma it is.
(init ceq true = false if channel2(S:Sys) = (Q:MsgSeq gateMsg(G1:Signal) gateMsg(G2:Signal)) . by (S:Sys <- x#1 ;) (Q:MsgSeq <- Q#3 ;) (G1:Signal <- grant ;) (G2:Signal <- z#2 ;) .)
(auto .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#3 ;) .)
(apply CA CA IP RD .)
--- Same pattern for gateMsg(grant) followed by a respMsg(...).
(init ceq true = false if channel2(S:Sys) = (Q:MsgSeq gateMsg(G1:Signal) respMsg(G2:Signal)) . by (S:Sys <- x#1 ;) (Q:MsgSeq <- Q#3 ;) (G1:Signal <- grant ;) (G2:Signal <- z#2 ;) .)
(auto .)
--- Remaining inductive cases, each closed by the standard group at Q#2.
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
--- lemma-6 is needed here
--- lemma-6 (as instantiated below): channel2(S) is empty when conLoc(S) = s4.
--- Its critical pair with channel2(x#1) = Q#2 gateMsg(grant) (label added-1)
--- gives Q#2 gateMsg(grant) = empty, which the next init refutes.
--- NOTE(review): this last init writes the substitution without the
--- surrounding parentheses used by every other init in this proof
--- ("by Q:MsgSeq <- Q#2 ; ." vs "by (Q:MsgSeq <- Q#2 ;) .") -- confirm the
--- proof checker accepts both forms before relying on this step.
(init ceq channel2(S:Sys) = empty if conLoc(S:Sys) = s4 . by (S:Sys <- x#1 ;) .)
(cp eq channel2(x#1) = Q#2 gateMsg(grant) . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 [label added-1]. )
(equation .)
(init ceq true = false if Q:MsgSeq gateMsg(grant) = empty . by Q:MsgSeq <- Q#2 ; .)
(auto .)
--- Final case, closed by the standard group at Q#2.
(apply TC .)
(init lemma-3 by (Q:MsgSeq <- Q#2 ;) .)
(apply CA CA IP RD .)
--- end of proof of lemma-3