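--- proof of --- lemma-7
-- Invariant under proof: whenever the controller is at location s1 and the
-- application result is `grant`, channel1 carries no pending message.
-- Proved in CITP by induction on S:Sys (SI); the induction produces 18
-- subgoals, each closed below by `auto`, case analysis (apply CA CA IP RD),
-- or by discharging a critical pair with an instantiated contradiction lemma.
--
-- NOTE(review): the script was recovered from a single collapsed line; since
-- `--` comments run to end of line, it is re-flowed here one command per line
-- so the comment markers no longer swallow the commands that follow them.
(goal RAILCAB-NEW |- ceq channel1(S:Sys) = empty if conLoc(S:Sys) = s1 /\ appResult(S:Sys) = grant [label lemma-7] ;)
(set ind on S:Sys .)
(apply SI .)
--- 18 subgoals generated
(auto .)
(apply CA CA IP RD .)
-- Subgoals where channel1(x#1) is a non-empty sequence `Q#2 <msg>`:
-- the critical pair with the goal yields `Q#2 <msg> = empty`, which is
-- refuted by instantiating `true = false if empty = Q <msg>` with Q <- Q#2.
-- The message constructor in the `cp` and in the matching `init` must agree.
(cp eq channel1(x#1) = Q#2 chkMsg . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq chkMsg . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 passed . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq passed . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 reqMsg . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq reqMsg . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 gateMsg(grant) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(grant) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 gateMsg(reject) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(reject) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 respMsg(grant) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
-- FIX: the contradiction lemma for this case previously named gateMsg(grant),
-- which does not match the critical pair for respMsg(grant) computed just
-- above (the same case in the later subgoals uses respMsg(grant)); a lemma
-- about the wrong constructor cannot refute `Q#2 respMsg(grant) = empty`.
(init ceq true = false if empty = Q:MsgSeq respMsg(grant) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 respMsg(reject) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant . )
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(reject) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(apply CA CA IP RD .)
--- lemma-10
-- Instantiates the already-proved lemma (appResult = grant is incompatible
-- with loc = appCross) at the induction constant x#1.
(init ceq true = false if appResult(S:Sys) = grant /\ loc(S:Sys) = appCross . by (S:Sys <- x#1 ;) .)
(auto .)
--- lemma-11
(apply CA CA IP RD .)
-- Cases where conLoc(x#1) is some s2..s5: instantiate `conLoc = s1 if
-- appResult = grant` at x#1, then the critical pair with conLoc(x#1) = sN
-- contradicts the hypothesis.
(init ceq conLoc(S:Sys) = s1 if appResult(S:Sys) = grant . by (S:Sys <- x#1 ;) .)
(cp eq conLoc(x#1) = s5 . >< ceq conLoc(x#1) = s1 if appResult(x#1)= grant [label added-1]. )
(equation .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-12
(init ceq true = false if appResult(S:Sys) = grant /\ loc(S:Sys) = endOfTS . by (S:Sys <- x#1 ;) .)
(auto .)
(apply CA CA IP RD .)
(init ceq conLoc(S:Sys) = s1 if appResult(S:Sys) = grant . by (S:Sys <- x#1 ;) .)
(cp eq conLoc(x#1) = s2 . >< ceq conLoc(x#1) = s1 if appResult(x#1)= grant [label added-1].)
(equation .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
-- Relates the two channels: channel1 is empty whenever channel2 ends in a
-- gateMsg(grant); instantiated at x#1 and the fresh sequence constant Q#3.
(init ceq channel1(S:Sys) = empty if channel2(S:Sys) = Q:MsgSeq gateMsg(grant) . by (S:Sys <- x#1 ;) (Q:MsgSeq <- Q#3 ;) .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(init ceq conLoc(S:Sys) = s1 if appResult(S:Sys) = grant . by (S:Sys <- x#1 ;) .)
(cp eq conLoc(x#1) = s3 . >< ceq conLoc(x#1) = s1 if appResult(x#1)= grant [label added-1].)
(equation .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
-- Same non-empty-channel1 refutation pattern as above, per message constructor.
(cp eq channel1(x#1) = Q#2 chkMsg . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq chkMsg . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 reqMsg . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq reqMsg . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 gateMsg(grant) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(grant) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 gateMsg(reject) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(reject) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 respMsg(grant) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(grant) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 respMsg(reject) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(reject) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(init ceq conLoc(S:Sys) = s1 if appResult(S:Sys) = grant . by (S:Sys <- x#1 ;) .)
(cp eq conLoc(x#1) = s4 . >< ceq conLoc(x#1) = s1 if appResult(x#1)= grant [label added-1].)
(equation .)
(auto .)
(apply CA CA IP RD .)
(cp eq channel1(x#1) = Q#2 passed . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq passed . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 reqMsg . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq reqMsg . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 gateMsg(grant) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(grant) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 gateMsg(reject) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq gateMsg(reject) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 respMsg(grant) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(grant) . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(cp eq channel1(x#1) = Q#2 respMsg(reject) . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant .)
(equation .)
(init ceq true = false if empty = Q:MsgSeq respMsg(reject) . by Q:MsgSeq <- Q#2 ; .)
(auto .)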