Model Checked Propositions. Computation tree logic (CTL), a temporal logic, is used to express properties of a system. In CTL, formulas are composed of path quantifiers, E and A, and temporal operators, X, F, G, and U [21]. A means “All”: the property has to hold on all paths starting from the current state. F means “Finally”: the property eventually has to hold (somewhere on the subsequent path). In this section, the claims of agreement at the good nodes and at the end of the third round are examined. The node-fault and link-fault models are model checked separately for F = 1, 2, and 3, while the same CTL proposition is used to verify that agreement has been reached at all good nodes for both models. For model checking of each scenario, a particular node is instructed to be the source and scheduled to initiate broadcast of a Sync message at a particular time. Since the 3ROM is deterministic, the final vote time, VotingResultTime, is set to the end of the 3rd round after the broadcast of the initial Sync message. Validation of the CTL proposition requires examination of an underlying proposition. In particular, the variable VoteTime is used in these properties and is defined here. The GlobalClock is a measure of elapsed time from the beginning of the operation with respect to real time, i.e., the external view. The VoteTime indicates that the GlobalClock has reached its target value of VotingResultTime, and the GlobalAgreement is defined as the conjunction of voting results at all good nodes.
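The following added example (not code from the original document or its authors) shows how an explicit-state checker evaluates an AF property built from VoteTime and GlobalAgreement as defined above. It assumes the proposition has the shape AF (VoteTime AND GlobalAgreement), which the text does not spell out, and it uses a constructed toy flooding model with link faults rather than the 3ROM protocol; the node count, the names `successors`, `holds_AF` and `agreement_holds`, and the fault placements are all assumptions, so its pass/fail thresholds say nothing about 3ROM itself.

```python
from itertools import combinations

N, SOURCE, VOTING_RESULT_TIME = 5, 0, 3      # constructed toy: 5 nodes, clock counted in rounds
LINKS = [frozenset(l) for l in combinations(range(N), 2)]

def successors(state):
    """One round of flooding; state = (GlobalClock, nodes holding Sync, faulty links)."""
    clock, have, faulty = state
    if clock >= VOTING_RESULT_TIME:
        return {state}                       # self-loop keeps the transition relation total
    got = {j for i in have for j in range(N)
           if j != i and frozenset((i, j)) not in faulty}
    return {(clock + 1, have | got, faulty)}

def vote_time(state):
    return state[0] == VOTING_RESULT_TIME    # GlobalClock reached VotingResultTime

def global_agreement(state):
    return len(state[1]) == N                # conjunction of per-node results (all nodes good here)

def holds_AF(init, succ, prop):
    """True if AF prop holds in every initial state (least fixpoint of prop OR AX Z)."""
    seen, todo = set(init), list(init)
    while todo:                              # explore the reachable state space
        for t in succ(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    sat = {s for s in seen if prop(s)}
    while True:                              # add states whose successors all satisfy AF prop
        new = {s for s in seen - sat if succ(s) <= sat}
        if not new:
            return all(s in sat for s in init)
        sat |= new

def agreement_holds(f):
    """Check AF (VoteTime AND GlobalAgreement) for every placement of up to f faulty links."""
    init = [(0, frozenset({SOURCE}), frozenset(bad))
            for k in range(f + 1) for bad in combinations(LINKS, k)]
    return holds_AF(init, successors, lambda s: vote_time(s) and global_agreement(s))

if __name__ == "__main__":
    for f in (1, 2, 3, 4):
        print(f"F={f}: agreement at VotingResultTime on all paths = {agreement_holds(f)}")
```

In this toy model the property fails at four faulty links because one placement cuts every link to a single node; the self-loop at the final clock value is what makes such a state a permanent counterexample to AF.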