Reasoning About Qos Contracts in The Probabilistic Duration Calculus PDF
Reasoning About Qos Contracts in The Probabilistic Duration Calculus PDF
Reasoning About Qos Contracts in The Probabilistic Duration Calculus PDF
www.elsevier.com/locate/entcs
Dimitar P. Guelev2,3
Institute of Mathematics and Informatics
Bulgarian Academy of Sciences
Sofia, Bulgaria
Abstract
The notion of contract was introduced to component-based software development in order to facilitate
the semantically correct composition of components. We extend the form of this notion which is based
on designs to capture probabilistic requirements on execution time. We show how reasoning about such
requirements can be done in an infinite-interval-based system of probabilistic duration calculus.
Introduction
Combining off-the-shelf and dedicated components has become an established ap-
proach to achieving reuse, modularity, productivity and reliability. Contracts facili-
tate the correct use of components. A contract is a collection of requirements which
are written in terms of the component interface. Contract requirements should be
satisfied by implementations of the component, provided that the items imported
from other components also satisfy the requirements appearing in the contract for
them. Four levels of contracts have been identified in [1]. These are the syntactical
1 This work has been partially supported by the research project No. 60603037 granted by the National
Natural Science of Foundation of China
2 Work on this paper was done during the D. Guelev’s visit to UNU/IIST in August-September 2007.
3 Email: [email protected]
4 Email: [email protected]
level, the behavioural level, the synchronization level and the quality of service level.
Quality of Service (QoS) is a collective term for non-functional requirements such
as worst-case and average execution time, and the consumption of resources such
as memory, power, bandwidth, etc.
Component models are built around appropriate formalisations of the notions
of interface, contract, component composability, composition, etc. A contract theory
for components based on the notion of design from [12] has been proposed in [13,14]
and has become known as the rCOS model. Since designs capture input-output
relations, this model is mostly about the functional requirements on components
and leaves out the QoS level from [1]. In our previous work we extended the rCOS
model to capture requirements on timing and resources [3,11]. We have considered
hard requirements, where, e.g., missing a deadline is regarded as fatal. We used
the Duration Calculus (DC ) as our notation. QoS is mainly concerned with soft
requirements, where, e.g., missing a deadline by little and not too often is tolerable.
Handling requirements on the QoS involves reasoning about probability.
In this paper we extend designs to capture probabilistic requirements on exe-
cution time and develop a technique to reason about QoS of real-time embedded
systems using an infinite-interval-based system of probabilistic DC (PDC ) which
was proposed in [10] as an extension of a corresponding system of Probabilistic
Interval Temporal Logic with infinite intervals (PITL). P DC with infinite inter-
vals subsumes the systems of PDC from [17,5,9] and has a relatively complete
proof system to support formal reasoning. The fitness of (non-probabilistic) DC
for reasoning about real-time systems has been asserted by numerous case studies
[25,4,21,2,16]. Since DC is interval-based, reasoning about the behaviour of whole
method executions, including their execution time, is relatively straightforward in
DC . By using a probabilistic extension of DC we are able to enjoy this advantage
when reasoning about QoS requirements too.
1 Preliminaries
We consider only the extended set of the real numbers R = R ∪ {∞} as the flow of
time in PITL and PDC . In order to facilitate the description of repetitive behaviour,
we include a least-fixed-point operator for non-probabilistic formulas, which was
introduced in [18] and studied in [8]. ITL with infinite intervals [23,20,21,22] is
the underlying non-probabilistic logic of PITL and PDC . It extends the syntax of
predicate logic by a binary modality (.; .), known as chop. 5 Non-logical symbols are
divided into rigid and flexible depending on whether their meaning is required to
be the same at all reference intervals or not. Individual variables are rigid.
An interpretation of a vocabulary L is a function I on L which maps the symbols
from L to members of R, functions and predicates on R, according to the type and
arity of symbols. I(s) takes an interval from Ĩ as an additional argument in case s
Iteration, also known as Kleene star, can be defined using μ by the equivalence
ϕ∗ μ1 X. = 0 ∨ (ϕ; X). I, σ |= ϕ∗ can be defined independently by the condition:
min σ = max σ or σ = σ1 ; . . . ; σn and I, σi |= ϕ, i = 1, . . . , n, for some n <
ω, σ1 , . . . , σn ∈ Ĩ.
Axioms and rules for μ and ∗ in DC were proposed in [18,8,7].
Higher-order quantifiers We use ∃ on flexible constants and state variables with
the usual meaning, in order to describe the semantics of local variables. The de-
ductive power of some axioms and rules for this usage has been studied in [24,8,7].
Probabilistic ITL and DC with infinite intervals (PITL) extends the syntax of
ITL terms by probability terms of the form p(ϕ) where ϕ is a formula. Formula
syntax is as in ITL, with μ and higher-order quantifiers included. A PITL model is
based on a collection of interpretations of a given vocabulary L. Each interpretation
is meant to describe a possible behaviour of the modelled system. Consider a non-
empty set W, a function I on W into the set of the ITL interpretations of L and
a function P of type W × R × 2W → [0, 1]. Let I w and P w abbreviate I(w) and
λτ, X.P (w, τ, X), respectively, for all w ∈ W. I w and P w , w ∈ W, are intended
to represent the set of behaviours and the associated probability distributions for
every τ ∈ R in the PITL models for L.
Definition 1.2 A general PITL model for L is a tuple of the form W, I, P where
F , W, I and P are as above and satisfy the following requirements for every w ∈ W:
• W is closed under variants of interpretations. If w ∈ W, x is an individual
variable from L and a ∈ R, then there is a v ∈ W such that P v = P w and
I v = (I w )ax , where (I w )ax maps x to a and is the same as I w on other symbols.
• The functions P w are probability measures. For every w ∈ W and τ ∈ R the
function λX.P w (τ, X) is a probability measure on the boolean algebra 2W , ∩, ∪, ∅, W.
Furthermore λX.P w (τ, X) is required to be concentrated on [w]≡τ : P w (τ, X) =
P w (τ, X ∩ [w]≡τ ) for all X ⊆ W.
The following rules enable approximating (1) with arbitrary precision in PITL
proofs:
ϕ ⇒ ¬(ϕ; = 0)
(P )
= 0 ∧ p(ϕ ∧ p(ψ) < x; ) = 0 ⇒ p((ϕ; ) ∧ ψ) ≥ x.p(ϕ; )
ϕ ⇒ ¬(ϕ; = 0)
(P )
= 0 ∧ p(ϕ ∧ p(ψ) > x; ) = 0 ⇒ p((ϕ; ) ∧ ψ) ≤ x.p(ϕ; )
The proof system for PITL from [10] is minimal. Using the abbreviations
ϕhl ϕ ∧ ≥ l ∧ ≤ h
46 D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62
and
α ⇒ ¬(α; = 0), β ⇒ ¬(β; = 0), [ETα ∈ [l1 , h1 ]]x1 , [ETβ ∈ [l2 , h2 ]]x2
(Seq) ,
= 0 ∧ p(α; β; ) = 1 ⇒ p(αlh11 ; βlh22 ; ) = x1 x2
We propose a toy language to illustrate our approach. It is shaped after that from
[6] and has restricted form of method call, in order to set the stage for the use of
components and contracts.
Programs consist of components, which import and/or export methods. Their
syntax is:
The part code is required only for exported methods. It has the syntax
D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62 47
We do not allow var to occur in the scope of other control statements. Assign-
ments are atomic. Parameters are passed by value. A mutual recursion statement
can trigger an infinite computation. Components are passive. The active part of a
program is just a piece of code, typically a collection of concurrently running inter-
leaved threads. The syntax of control statements deliberately makes tail-recursion
the only expressible form of repetitive behaviour. We give no details on the type
system and tacitly assume an appropriately many-sorted system of DC .
The execution of code can be described in terms of the values of its signals, vari-
ables and parameters as functions of time. The semantic function [[.]] defined below
maps every piece of code to a DC formula which defines the set of its observable
behaviours. We model each program variable v by a corresponding pair of flexible
constants v and v , which denote the value of v at the beginning and at the end of
the reference interval and therefore satisfy the axiom ∀x¬(v = x; v = x) where x is
a rigid individual variable. We model methods m which return a value by a corre-
sponding flexible function symbol. A formula of the form v = m(e1 , . . . , en ) means
that the reference interval describes a complete invocation of m with e1 , . . . , en as
the input parameters and v as the value. We use a flexible predicate symbol for
methods which return no value. We use dedicated state variables R and W to indi-
cate that the thread is currently running, or has terminated, respectively. Building
on the work from [19,6], we use a state variable N to mark computation time,
which, unlike the time consumed by the execution of delay statements, waiting for
the reaction of the environment, etc., is regarded as Negligible, in order to simplify
calculations. R, W and N satisfy the axioms
which express that computation time is negligible, a process can never be both
running and terminated, and, once terminated, is never re-activated. A dedicated
pair of state variables R and W describes the status of each thread. N marks
negligible time for all threads. The formulas
K(V ) x = x and KR (V ) K(V ) ∧ R.
x∈V
mean that the variables from V preserve their values. KR (V ) additionally means
that the thread is active throughout the reference interval. The clauses below define
[[.]]V , where V is the set of program variables which are in the scope in the given
code.
[[stop]]V W
[[return e]]V (¬R; KR (V ) ∧ r = e)
[[return]]V ¬R
[[X]]V X
[[(C1 ; C2 )]]V ([[C1 ]]V ; [[C2 ]]V )
[[x := e]]V (¬R; KR (V \ {x}) ∧ x = e)
[[delay r]]V ¬R ∧ r = ¬N
[[if b then C1 else C2 ]]V (¬R; (b ∧ KR (V ); [[C1 ]]V ) ∨ (¬b ∧ KR (V ); [[C2 ]]V ))
[[call v := m(e1 , . . . , en )]]V (¬R; K(V \ {v}) ∧ v = m(e1 , . . . , en ))
[[call m(e1 , . . . , en )]]V (¬R; K(V ) ∧ m(e1 , . . . , en ))
⎛ ⎞
W ⇔ W1 ∧ W2 ∧ R ⇔ R1 ∨ R2 ∧
⎜ ⎟
⎜ ⎟
⎜ ¬R1 ∧ R2 ∧ ⎟
[[(C1 C2 )V ]] ∃R1 ∃R2 ∃W1 ∃W2 ⎜
⎜
⎟
⎟
⎜ T(R1 , W1 ) ∧ [R1 /R, W1 /W ][[C1 ]]V ∧ ⎟
⎝ ⎠
T(R2 , W2 ) ∧ [R2 /R, W2 /W ][[C2 ]]V
if m returns a value;
[[export m(p1 , . . . , pn ) code]] 2∀p1 . . . ∀pn (m(p1 , . . . , pn ) ⇔ [[code]]∅ ),
D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62 49
= Fconnect ( (k−m+1)t
k )(FgetMail ( (m+1)t
k ) − FgetMail ( mt
k )) +Bk
m≤k−1
Sk
lt
where Bk ≤ maxl≤k−1 Fconnect ( (l+1)t
k ) − Fconnect ( k ), and therefore limk Bk = 0. By
the definition of Stieltjes integral, we have limk Sk = FC (t). Hence we can take Ak
to be the expression on the right of ≤ above.
Note that Seq was formulated with ϕtt21 standing for ϕ ∧ l ≥ t1 ∧ ≤ t2 , but it
applies to (3) as well.
letrec X where 1
X : if userRequest then 2
(userRequest := false; 3
⎛ ⎞
call handle := requestDownload (url , timeout); 4
⎜ ⎟
⎜ ⎟
(4) ⎜ if handle! = null ⎟ 5
⎜
X ⎜ ⎟
⎟
⎜ then (call download (handle); stop) ⎟ 6
⎝ ⎠
else (call signalTimeout(url ); stop) 7
) 8
else X 9
url . Let
⎛ ⎞
(¬R; KR (V ) ∧ ¬userRequest)∗ ;
⎜ ⎟
⎜ ⎟
α(R, T ) ⎜ ¬R; KR (V ) ∧ userRequest; ¬R; ⎟ ∧ ¬N = T
⎝ ⎠
R
K (V \ {userRequest}) ∧ userRequest = false
and
⎛ ⎞
¬R;
⎜ ⎟
⎜ R ⎟
⎜ K (V \ {handle}) ∧ handle = requestDownload (url , timeout); ⎟
⎜
β(R, W, T ) ⎜ ⎟
⎟
⎜ ¬R; KR (V ) ∧ handle! = null; ¬R; ⎟
⎝ ⎠
KR (V ) ∧ download (handle) ∧ ¬N = T ; W
According to the semantics of (4), α(R, T ) describes the repeated execution of lines
2-3 and 9 until userRequest becomes true with T denoting the overall execution time,
and β(R, W, T ) corresponds to the execution of lines 4-6, with R and W describing
the status of the thread created in order to complete the requested download, and T
denoting the download time. The scenario of launching the five downloads involves
six threads: one for each download and one to keep the system ready for further
requests. Let R1 , . . . , R6 , W1 , . . . , W6 describe the status of the six threads. Then
the scenario can be described by the formula
⎛ ⎞
6
6
⎜ W ⇔ W i ∧ R ⇔ R i ∧ ⎟
(5) ∃R1 . . . ∃R6 ∃W1 . . . ∃W6 ⎜ ⎝
i=1 i=1
6
⎟
⎠
¬(Ri ∧ Rj ) ∧ T(Ri , Wi ) ∧ γ
1≤i<j≤6 i=1
where γ describes the concurrent execution of the six threads and is written using
the additional abbreviations:
αi (T ) α(Ri+1 ∨ . . . ∨ R6 , Wi+1 ∧ . . . ∧ W6 , T ) and βi (T ) β(Ri , Wi , T ).
With these abbreviations γ can be written as
⎛ ⎛ ⎞⎞
β1 (D1 )∧
⎜ ⎜⎛ ⎛ ⎞⎞ ⎟⎟
⎜ ⎜ ⎟⎟
⎜ ⎜ β2 (D2 )∧ ⎟⎟
⎜ ⎜⎜ ⎜⎛ ⎛ ⎞⎞ ⎟ ⎟ ⎟⎟
⎜ ⎜⎜ ⎜ ⎟⎟ ⎟⎟
⎜α(R, W, T0 ); ⎜ ⎜ ⎜ β (D )∧ ⎟⎟ ⎟⎟
⎜ ⎜ ⎜α1 (T1 ); ⎜ ⎜ ⎜ ⎛3 3 ⎛ ⎞⎞ ⎟⎟ ⎟⎟ ⎟⎟
⎜ ⎜⎜ ⎜⎜ ⎜ ⎟⎟ ⎟⎟ ⎟⎟
⎜ ⎜⎜ ⎜ ⎜α2 (T2 ); ⎜ β (D )∧ ⎟⎟ ⎟⎟ ⎟⎟
⎝ ⎝⎝ ⎝⎝ ⎝ ⎝α3 (T3 ); ⎝ 4 4 ⎠⎠ ⎠⎠ ⎠⎠ ⎠⎠
(α4 (T4 ); ξ ∧ η)
Here Ti denotes the time between launching the ith and the i + 1st download
and Di denotes the duration of the ith download, i = 1, . . . , 5. The formulas ξ and
η denote
D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62 53
(¬R5 ; KR5 (V \ {handle}) ∧ handle = requestDownload (url , timeout) ∧ ¬N = x; ))
and
((¬R6 ; KR6 (V ) ∧ ¬userRequest)∗ ; ),
and correspond to the thread for the 5th download and the thread for subsequent
user requests after the 5th download request. The occurrences of in them mark
future behaviour which is not specified in our scenario. The semantics of letrec
implies (5); this can be established using the validity of μX.ϕ ⇔ [μX.ϕ/X]ϕ. As-
suming that the rate of downloading is the limiting factor for the working of the
entire system, which allows us to ignore time taken for dialog, computation and by
requestDownload for the first four downloads, the 5th download becomes cancelled
in case x exceeds timeout, which is equivalent to
⎛ ⎞
4 i−1
4
timeout + Ti < min ⎝Di + Tj ⎠ .
i=1
j=1 j=1
Let F (l, t) be a lower bound for the probability for download do complete a download
of length l within time t. It can be assumed that F (al, at) = F (l, t) for all a > 0 and
that F (l, t) = 0 in case tl exceeds the top transmission rate v. Let li be the length
of the ith download, i = 1, . . . , 5. Let li > v(T1 + T2 + T3 + T4 ) for i = 1, . . . , 4, that
is, none of the downloads can be over before all of them have been launched, for the
sake of simplicity. Then the probability Pi for i ∈ {1, . . . , 4} to be the first download
to complete, and to complete before the timeout for the pending 5th download is
at least
∂
4
4
∂q F (q, t)(li − qi , timeout). F (qk , Ts )dq1 . . . dq4 ,
{
q1 ,...,q4 :li −qi ≤lj −qj ,j=1,...,4} k=1 s=k
The property of method m encoded by P, R, F can be written as the PITL for-
mulas
m ⇒ (P (v) ⇒ R(v, v )) and = 0 ⇒ p(P (v) ∧ m ∧ > t; ) < 1 − F (v, t).
The first one is for the functional behaviour of m. The second one states that if P (v)
holds, then m to takes more than t time units with probability less than 1 − F (v, t).
F is just a lower bound, because an exact probability need not exist.
the type of Fm is
⎛ ⎞
⎝ Vn × R+ → [0, 1]⎠ → (Vm × R+ → [0, 1]).
n∈Ci,m
zero probability for runs with calls to imported methods which themselves lead to
no further calls, etc. Since Fm k are meant to be under-approximations, and the
k s
monotonicity of Fm entails Xm ≤ Xm s+1 ≤ lim X j for all s < ω, X s can be used as
j m m
j
Fm instead of limj Xm for sufficiently large s, to achieve a crude, but less expensive
approximation.
Concluding remarks
Here we focused just on soft requirements on execution time, but we believe that the
approach can be used to capture other QoS requirements involving probability as
well. The notion of QoS originated from telecommunications. Our examples come
from everyday use of the Internet and need no expertise to understand. However, we
believe that our technique would work just as well in other areas such as embedded
systems.
References
[1] Antoine Beugnard, Jean-Marc Jézéquel, Noël Plouzeau, and Damien Watkins. Making Components
Contract Aware. Computer, 32(7):38–45, 1999.
[2] Dang Van Hung. Modelling and Verification of Biphase Mark Protocols in Duration Calculus Using
PVS/DC− . In Proceedings of the 1998 International Conference on Application of Concurrency to
System Design (CSD’98), pages 88–98. IEEE Computer Society Press, March 1998.
[3] Dang Van Hung. Toward a formal model for component interfaces for real-time systems. In Tiziana
Margaria and Mieke Massink, editors, Proceedings of the 10th international workshop on Formal
methods for industrial critical systems, pages 106 – 114. ACM Press, 2005.
[4] Dang Van Hung and Wang Ji. On The Design of Hybrid Control Systems Using Automata Models. In
Proceedings of FST TCS 1996, volume 1180 of LNCS, pages 156–167. Springer, 1996.
[5] Dang Van Hung and Zhou Chaochen. Probabilistic Duration Calculus for Continuous Time. Formal
Aspects of Computing, 11(1):21–44, 1999.
[6] Dimitar P. Guelev and Dang Van Hung. Prefix and Projection onto State in Duration Calculus. In
Proceedings of TPTS’02, volume 65(6) of ENTCS. Elsevier Science, 2002.
[7] Dimitar P. Guelev and Dang Van Hung. On the Completeness and Decidability of Duration Calculus
with Iteration. Theoretical Computer Science, 337:278–304, 2005.
[8] Dimitar P. Guelev. A Complete Fragment of Higher-order Duration μ-calculus. In Proceedings of FST
TCS 2000, volume 1974 of LNCS, pages 264–276. Springer, 2000.
6 In practice F k can be non-monotonic: increasing the execution time of an imported method may indeed
m
shorten the execution time of code which would abort if an imported method misses a deadline.
D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62 57
[9] Dimitar P. Guelev. Probabilistic Neighbourhood Logic. In Mathai Joseph, editor, Proceedings of
FTRTFT 2000, volume 1926 of LNCS, pages 264–275. Springer, 2000. A proof-complete version is
available as UNU/IIST Technical Report 196 from http://www.iist.unu.edu.
[10] Dimitar P. Guelev. Probabilistic Interval Temporal Logic and Duration Calculus with Infinite
Intervals: Complete Proof Systems. Logical Methods in Computer Science, 3(3), 2007. URL:
http://www.lmcs-online.org/.
[11] Hung Ledang and Dang Van Hung. Concurrency and Schedulability Analysis in Component-based
Real-Time System Development. In Proceedings of the 1st IEEE & IFIP International Symposium on
Theoretical Aspects of Software Engineering. IEEE Computer Society Press, 2007.
[12] C.A.R. Hoare and He Jifeng. Unifying Theories of Programming. Prentice Hall, 1998.
[13] He Jifeng, Li Xiaoshan, and Liu Zhiming. A Theory of Reactive Components. In Liu Zhiming and
Luis Barbosa, editors, Proceedings of the International Workshop on Formal Aspects of Component
Software (FACS 2005), volume 160 of ENTCS, pages 173–195. Elsevier, 2006.
[14] He Jifeng, Xiaoshan Li, and Zhiming Liu. A refinement calculus of object systems. Theoretical
Computer Science, 365(1-2):109–142, 2006.
[15] Michael R. Hansen and Zhou Chaochen. Semantics and Completeness of Duration Calculus. In Real-
Time: Theory and Practice, volume 600 of LNCS, pages 209–225. Springer, 1992.
[16] Li Li and He Jifeng. A Denotational Semantics of Timed RSL using Duration Calculus. In Proceedings
of RTCSA’99, pages 492–503. IEEE Computer Society Press, 1999.
[17] Liu Zhiming, A. P. Ravn, E. V. Sørensen, and Zhou Chaochen. A Probabilistic Duration Calculus.
In H. Kopetz and Y. Kakuda, editors, Dependable Computing and Fault-tolerant Systems Vol. 7:
Responsive Computer Systems, pages 30–52. Springer, 1993.
[18] Paritosh K. Pandya. Some extensions to Mean-Value Calculus: Expressiveness and Decidability. In
Proceedings of CSL’95, volume 1092 of LNCS, pages 434–451. Springer, 1995.
[19] Paritosh K. Pandya and Dang Van Hung. Duration Calculus of Weakly Monotonic Time. In Proceedings
of FTRTFT’98, volume 1486 of LNCS, pages 55–64. Springer, 1998.
[20] Paritosh K. Pandya, Wang Hanping, and Xu Qiwen. Towards a Theory of Sequential Hybrid Programs.
In D. Gries and W.-P. de Roever, editors, Proceedings of IFIP Working Conference PROCOMET’98,
pages 336–384. Chapman & Hall, 1998.
[21] Gerardo Schneider and Xu Qiwen. Towards a Formal Semantics of Verilog Using Duration Calculus. In
Anders P. Ravn and Hans Rischel, editors, Proceedings of FTRTFT’98, volume 1486 of LNCS, pages
282–293. Springer, 1998.
[22] Wang Hanpin and Xu Qiwen. Completeness of Temporal Logics over Infinite Intervals. Discrete Applied
Mathematics, 136(1):87–103, 2004.
[23] Zhou Chaochen, Dang Van Hung, and Li Xiaoshan. A Duration Calculus with Infinite Intervals.
In Horst Reichel, editor, Fundamentals of Computation Theory, volume 965 of LNCS, pages 16–41.
Springer, 1995.
[24] Zhou Chaochen, Dimitar P. Guelev, and Zhan Naijun. A Higher-order Duration Calculus. In Millennial
Perspectives in Computer Science, pages 407–416. Palgrave, 2000.
[25] Zheng Yuhua and Zhou Chaochen. A Formal Proof of a Deadline Driven Scheduler. In Proceedings of
FTRTFT’94, volume 863 of LNCS, pages 756–775. Springer, 1994.
A Proof systems
A.1 Proof system for ITL with infinite intervals
The following axioms and rules have been shown to form a complete proof system for ITL with infinite
intervals when added to a Hilbert-style proof system for classical first-order predicate logic and appropriate
axioms about an abstract domain of durations in [22]:
58 D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62
(N ) ϕ ϕ
,
¬(¬ϕ; ψ) ¬(ψ; ¬ϕ)
is correct only if no variable in t becomes bound due to the substitution, and either t is rigid or (.; .) does
not occur in ϕ.
(P⊥ ) p(⊥) = 0
(P ) p() = 1
(P+ ) p(ϕ) + p(ψ) = p(ϕ ∨ ψ) + p(ϕ ∧ ψ)
1 ϕ⇒ψ assumption
2 (; = ∞) ∨ ( ∧ = ∞) ⇒ (ϕ ⇒ ψ) 1, ITL
3 p(ϕ) ≤ p(ψ) 2, P≤∞
1 ϕ ∧ ¬ϕ ⇔ ⊥ ITL
2 p(ϕ ∧ ¬ϕ) = p(⊥) 1, PITL1
3 p(ϕ ∧ ¬ϕ) = 0 2, P⊥
4 ϕ ∨ ¬ϕ ⇔ ITL
5 p(ϕ ∨ ¬ϕ) = p() 4, PITL1
6 p(ϕ ∧ ¬ϕ) = 1 5, P
7 p(ϕ) + p(¬ϕ) = p(ϕ ∧ ¬ϕ) + p(ϕ ∧ ¬ϕ) P+
8 p(ϕ) + p(¬ϕ) = 1 2, 6, 7, ITL
PITL3:
60 D.P. Guelev, D. Van Hung / Electronic Notes in Theoretical Computer Science 238 (2010) 41–62
1 p(ψ) ≤ p(ϕ ∨ ψ) ∞
P≤
2 p(ϕ) + p(ψ ∧ ¬ϕ) = p(ϕ ∧ ψ ∧ ¬ϕ) + p(ϕ ∨ ψ ∧ ¬ϕ) P+
3 p(ϕ) + p(ψ ∧ ¬ϕ) = p(ϕ ∨ ψ) 2, PITL1, P⊥
4 p(ϕ) < p(ψ) ⇒ p(ϕ) < p(ϕ ∨ ψ) 1
5 p(ϕ) < p(ψ) ⇒ p(ψ ∧ ¬ϕ) = 0 3, 4
∞ to the ITL theorems
PITL4 is obtained by applying P≤
(; = ∞) ∨ ( ∧ = ∞) ⇒ (ϕ ⇒ ϕ ∧ = ∞)
and
(; = ∞) ∨ ( ∧ = ∞) ⇒ ( = ∞ ∧ ϕ ⇒ ϕ).
PITL5:
1 ϕ⇒ ITL
2 p(ϕ) ≤ p() 1, PITL1
3 p(ϕ) ≤ 1 2, P
PITL6:
PITL8:
30 = 0 ∧ p(αh h2
l ∧ p(α; βl ; ) = x2 ; ) = 0 ⇒
1
1 2
p((αh h2 h1
l ; ) ∧ (α; βl ; )) = x2 .p(αl ; )
1
P , P , assumptions
1 2 1
31 ¬(α ∧ (α; = 0); ) ⇒ ((αh h2 h1 h2
l ; ) ∧ (α; βl ; ) ⇔ (αl ; βl ; )) ITL
1
1 2 1 2
32 (αh1 h2 h1 h2
l ; ) ∧ (α; βl ; ) ⇔ (αl ; βl ; ) assumption, 31
1 2 1 2
33 p((αh
l1 ; )
1
∧ (α; βlh2 ; )) = p(αh h2
l1 ; βl2 ; )
1
32, PITL1
2
34 = 0 ∧ p(α; ) = 1 ⇒ p(αh
l ; ) = x1
1
[ETα ∈ [l1 , h1 ]]x1
1
35 = 0 ∧ p(α; β; ) = 1 ⇒ p(αh h2
l ; βl ; ) = x2 .x1
1
10, 29, 30, 33, 34
1 2