--- proof of lemma-6
--- lemma-6
--- Invariant of the RAILCAB-NEW crossing model: whenever the controller
--- location conLoc is s4, the message channel channel2 is empty.
--- Proved as a CITP proof score by structural induction on the system
--- state S:Sys.  (Tactic names: SI = simultaneous induction, CA = case
--- analysis, IP = implication, RD = reduction.)
--- NOTE(review): two auxiliary lemmas (lemma-8 and the "new" lemma-9) are
--- only *used* here via `init`; their proofs are not in this script and must
--- be discharged separately, or this proof of lemma-6 is incomplete and
--- possibly circular -- confirm before trusting the invariant.
(goal RAILCAB-NEW |- ceq channel2(S:Sys) = empty if conLoc(S:Sys) = s4 ;)
(set ind on S:Sys .)
--- Induction on S:Sys; one subgoal per constructor of Sys.
(apply SI .)
--- 18 subgoals generated
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-8
--- Instantiate lemma-8 on the induction constant x#1: at s4 the train is
--- not at `opposite`.  The critical pair (cp) between the case hypothesis
--- loc(x#1) = opposite and the instantiated lemma is then added as an
--- equation (label added-1), which lets `auto` close the case.
(init ceq (loc(S:Sys) ~ opposite) = false if conLoc(S:Sys) = s4 . by S:Sys <- x#1 ; .)
(cp eq loc(x#1) = opposite . >< ceq loc(x#1)~ opposite = false if conLoc(x#1)= s4 [label added-1]. )
(equation .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- Cases where channel2(x#1) is non-empty (one per message constructor:
--- chkMsg, passed, reqMsg, gateMsg(_), respMsg(_)).  Each case is
--- contradictory with `ceq channel2(x#1) = empty if conLoc(x#1)= s4`
--- (presumably the induction hypothesis on x#1 -- verify); the cp makes
--- the clash explicit and `init` supplies `empty =/= Q msg` as
--- `true = false if empty = Q msg` to let `auto` close the subgoal.
--- NOTE(review): that inline axiom is not proved here; it is justified only
--- if `empty` and each `_ msg` constructor are distinct free constructors of
--- MsgSeq in RAILCAB-NEW -- confirm in the module.
(cp eq channel2(x#1) = Q#3 chkMsg . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq chkMsg . by Q:MsgSeq <- Q#3 ; .)
(auto .)
(cp eq channel2(x#1) = Q#3 passed . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq passed . by Q:MsgSeq <- Q#3 ; .)
(auto .)
(cp eq channel2(x#1) = Q#3 reqMsg . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq reqMsg . by Q:MsgSeq <- Q#3 ; .)
(auto .)
--- Parameterised messages also bind the payload constant z#2.
(cp eq channel2(x#1) = Q#3 gateMsg(z#2) . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(G:Signal) . by (Q:MsgSeq <- Q#3 ;) (G:Signal <- z#2 ;) .)
(auto .)
(cp eq channel2(x#1) = Q#3 respMsg(z#2) . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(G:Signal) . by (Q:MsgSeq <- Q#3 ;) (G:Signal <- z#2 ;) .)
(auto .)
(apply CA CA IP RD .)
--- Same five message-shape cases again for the next constructor subgoal.
(cp eq channel2(x#1) = Q#3 chkMsg . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq chkMsg . by Q:MsgSeq <- Q#3 ; .)
(auto .)
(cp eq channel2(x#1) = Q#3 passed . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq passed . by Q:MsgSeq <- Q#3 ; .)
(auto .)
(cp eq channel2(x#1) = Q#3 reqMsg . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq reqMsg . by Q:MsgSeq <- Q#3 ; .)
(auto .)
(cp eq channel2(x#1) = Q#3 gateMsg(z#2) . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(G:Signal) . by (Q:MsgSeq <- Q#3 ;) (G:Signal <- z#2 ;) .)
(auto .)
(cp eq channel2(x#1) = Q#3 respMsg(z#2) . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(G:Signal) . by (Q:MsgSeq <- Q#3 ;) (G:Signal <- z#2 ;) .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- a new lemma-9
--- lemma-9 (channel2 empty at s1 when channel1 ends in `passed`) is
--- instantiated on x#1 / Q#2 and assumed here.  It is marked "new", so it
--- has no proof yet as far as this script shows -- it must be proved on its
--- own (without appealing to lemma-6) before this proof is considered closed.
(init ceq channel2(S:Sys) = empty if conLoc(S:Sys) = s1 /\ channel1(S:Sys) = Q:MsgSeq passed . by (S:Sys <- x#1 ;) (Q:MsgSeq <- Q#2 ;) .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- end of proof of lemma-6