Reactive Systems: Modelling, Specification and Verification - Cs.ioc.ee

132 CHAPTER 6. HML WITH RECURSION
Hence the defender has a universal winning strategy.
Example 6.4 Let X min
= 〈a〉tt ∨ 〈b〉X. This property informally says that it is
possible to perform a sequence of b actions leading to a state where the action a
is enabled. We will show that s |= X by defining a universal winning strategy
for the defender starting from (s, X). The strategy looks as follows (note that it
consists solely of the defender’s moves D → or the referee’s → moves for expanding
the variable X, so it is truly a universal winning strategy):
(s, X) → (s, 〈a〉tt ∨ 〈b〉X) D → (s, 〈b〉X) D → (s1, X)
→ (s1, 〈a〉tt ∨ 〈b〉X) D → (s1, 〈b〉X) D → (s2, X)
→ (s2, 〈a〉tt ∨ 〈b〉X) D → (s2, 〈a〉tt) D → (s3, tt) .
According to the definition (s3, tt) is a winning configuration for the defender.
Example 6.5 Let X max
= 〈b〉tt ∧ [b]X. This property informally says that along
every path where the edges are labelled by the action b, the action b never becomes
disabled. It is easy to see that s |= X and we will prove it by finding a universal
winning strategy for the attacker starting from (s, X). As before, the attacker’s
strategy will not give any selection possibility to the defender and hence it is a
universal one.
(s, X) → (s, 〈b〉tt ∧ [b]X) A → (s, [b]X) A → (s1, X)
→ (s1, 〈b〉tt ∧ [b]X) A → (s1, [b]X) A → (s2, X)
→ (s2, 〈b〉tt ∧ [b]X) A → (s2, 〈b〉tt) .
From the last configuration (s2, 〈b〉tt) the defender is supposed to continue but he
is stuck as s2 b and hence the attacker wins.
Example 6.6 Let X max
= 〈a〉tt ∧ [a]X. This is the same property as in the previous
example (with a exchanged for b). We will show that s2 |= X by finding a universal
winning strategy for the defender from (s2, X). In the first round we expand the
variable X by the move (s2, X) → (s2, 〈a〉tt ∧ [a]X) and in the second round the
attacker can play either
or
(s2, 〈a〉tt ∧ [a]X) A → (s2, 〈a〉tt)
(s2, 〈a〉tt ∧ [a]X) A → (s2, [a]X) .