
# Chapter 6 Model Checking


• 6 ( )

• 6

• 6

• ::= p | ( ) | ( ) | ( ) | ( ) ( i)(e1) (e2)1, 2, , n 1, 2, , n ,

• p, q1, 2, , n, , 1, 2, , n ,

• t ::= x | c | f(t, , t) , ::= P(t1, t2, , tn) | ( ) | ( ) | ( ) | ( ) | (x ) | ( x ) ( P )

• Model checking, narrowly interpreted: decision procedures for checking if a given Kripke structure is a model for a given formula of a modal logic. Why is this of interest to us? Because the dynamics of a discrete system can be captured by a Kripke structure, and because some dynamic properties of a discrete system can be stated in modal logics. Model checking = system verification.

• Model checking, generously interpreted: algorithms for system verification which operate on a system model (semantics) rather than a system description (syntax).

There are many different model-checking problems: for different (classes of) system models, and for different (classes of) system properties.
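The decision procedure just described, carried out for CTL on an explicit Kripke structure, as an added example that is not part of the original slides: a labelling algorithm over the adequate set {EX, EU, AF} (the set the chapter later uses for its labelling algorithm), run on a constructed two-process mutual-exclusion model in the n/t/c style of the chapter. The names `Kripke`, `sat`, `holds`, `P`, the tuple encoding of formulas, and the model's states, transitions and labels are all assumptions of this example, not the chapter's own definitions.

```python
"""Explicit-state CTL model checking by state labelling (added example)."""
from typing import Dict, FrozenSet, Iterable

Formula = tuple  # nested tuples, e.g. ('AG', ('imp', ('p', 't1'), ('AF', ('p', 'c1'))))


class Kripke:
    """M = (S, ->, L); the transition relation must be total (every state has a successor)."""

    def __init__(self, trans: Dict[str, Iterable[str]], labels: Dict[str, Iterable[str]]):
        self.states: FrozenSet[str] = frozenset(trans)
        self.succ = {s: frozenset(t) for s, t in trans.items()}
        self.labels = {s: frozenset(labels.get(s, ())) for s in self.states}
        for s in self.states:
            if not self.succ[s] or not self.succ[s] <= self.states:
                raise ValueError(f"state {s}: transition relation must be total and closed")

    def pre_exists(self, y: FrozenSet[str]) -> FrozenSet[str]:
        """States with at least one successor in y (used for EX and EU)."""
        return frozenset(s for s in self.states if self.succ[s] & y)

    def pre_all(self, y: FrozenSet[str]) -> FrozenSet[str]:
        """States all of whose successors lie in y (used for AF)."""
        return frozenset(s for s in self.states if self.succ[s] <= y)


def sat(m: Kripke, f: Formula) -> FrozenSet[str]:
    """Return the set of states of m that satisfy the CTL formula f."""
    op = f[0]
    if op == 'true':
        return m.states
    if op == 'p':
        return frozenset(s for s in m.states if f[1] in m.labels[s])
    if op == 'not':
        return m.states - sat(m, f[1])
    if op == 'and':
        return sat(m, f[1]) & sat(m, f[2])
    if op == 'EX':
        return m.pre_exists(sat(m, f[1]))
    if op == 'EU':  # least fixpoint: Y = sat(g) | (sat(f) & pre_exists(Y))
        sf, y = sat(m, f[1]), sat(m, f[2])
        while True:
            nxt = y | (sf & m.pre_exists(y))
            if nxt == y:
                return y
            y = nxt
    if op == 'AF':  # least fixpoint: Y = sat(f) | pre_all(Y)
        y = sat(m, f[1])
        while True:
            nxt = y | m.pre_all(y)
            if nxt == y:
                return y
            y = nxt
    # Derived connectives, rewritten into the adequate set {EX, EU, AF} above.
    if op == 'or':
        return sat(m, ('not', ('and', ('not', f[1]), ('not', f[2]))))
    if op == 'imp':
        return sat(m, ('or', ('not', f[1]), f[2]))
    if op == 'AX':
        return sat(m, ('not', ('EX', ('not', f[1]))))
    if op == 'EF':
        return sat(m, ('EU', ('true',), f[1]))
    if op == 'AG':
        return sat(m, ('not', ('EF', ('not', f[1]))))
    if op == 'EG':
        return sat(m, ('not', ('AF', ('not', f[1]))))
    if op == 'AU':  # A[g U h] = not E[not h U (not g and not h)] and not EG(not h)
        g, h = f[1], f[2]
        return sat(m, ('and', ('not', ('EU', ('not', h), ('and', ('not', g), ('not', h)))),
                       ('not', ('EG', ('not', h)))))
    raise ValueError(f"unknown connective {op!r}")


def holds(m: Kripke, s: str, f: Formula) -> bool:
    """Decide M, s |= f."""
    return s in sat(m, f)


def P(name: str) -> Formula:
    """Atomic proposition."""
    return ('p', name)


# Constructed sample model (not from the slides): two processes, each either
# non-critical (n), trying (t) or critical (c). Every state has a successor.
MUTEX = Kripke(
    trans={'s0': {'s1', 's5'}, 's1': {'s2', 's3'}, 's2': {'s0', 's4'}, 's3': {'s4', 's7'},
           's4': {'s5'}, 's5': {'s3', 's6'}, 's6': {'s0', 's7'}, 's7': {'s1'}},
    labels={'s0': {'n1', 'n2'}, 's1': {'t1', 'n2'}, 's2': {'c1', 'n2'}, 's3': {'t1', 't2'},
            's4': {'c1', 't2'}, 's5': {'n1', 't2'}, 's6': {'n1', 'c2'}, 's7': {'t1', 'c2'}},
)

SAFETY = ('AG', ('not', ('and', P('c1'), P('c2'))))       # never both critical
LIVENESS = ('AG', ('imp', P('t1'), ('AF', P('c1'))))       # trying -> eventually critical
NON_BLOCKING = ('AG', ('imp', P('n1'), ('EX', P('t1'))))   # a process can always request

if __name__ == '__main__':
    for name, f in [('safety', SAFETY), ('liveness', LIVENESS), ('non-blocking', NON_BLOCKING)]:
        print(f"{name} at s0: {holds(MUTEX, 's0', f)}")
```

On this model safety and non-blocking hold at s0, while liveness fails: the cycle s1, s3, s7, s1 keeps t1 true without ever reaching c1, which is exactly what the labelling computes when AF c1 stays at {s2, s4}. Fairness constraints (discussed later in the chapter) are the usual way to rule such paths out.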

• S{s1, s2, s3}()A{p, q} S S s1 s2, L: S P(A)L(s1) = { p },

• (Linear-time Temporal Logic, LTL)

• LTL ::= | | p | ( ) | ( ) | ( ) | ( ) |(X ) | (F ) | (G ) | ( U ) | ( W ) | ( R ) , , p, q, r, (X)(F)(G)(U)(R)(W)

• LTL ::= | | p | ( ) | ( ) | ( ) | ( ) |(X ) | (F ) | (G ) | ( U ) | ( W ) | ( R ) , , p, q, r, U, R, W ,

• LTLKripkeS, s0, , A, LSs0ALs:S. s':S. s s'S, , L = s1 s2 i si si si+1

• , , p iff p L(s1), iff 1 2 iff 1 2 1 2 iff 1 2 1 2 iff 1 2 X iff 2 G iff i 1i F iff i 1i U iff i 1i j =1, , i 1j

• U iff i 1i j =1, , i 1j

s1 s2 s3 s4 s5 s6 s7 s8 s9s10

i( 3 i 9)p U q

W iff i 1i j =1, , i 1j k 1k

R iff i 1i j =1, , i j k 1k

• R ( U ) U iff i 1i j =1, , i 1j s1 s2 si-1 si si+1

R iff i 1i j =1, , i j k 1k s1 s2 si-1 si si+1

• , s s s , s0 p q, s0 r, s0 , s0 X r, s0 X ( q r ), s0 G ( p r ), s2 G r

• , s s s , s F (q r ) F G rsG F pps0 s1 s0 s1 G F ps0 s2 s2 G F p, s0 G F p G F r, s0 G F r G F p

• LTLG F enabled G F runningenabled

G(floor2 directionup ButtonPressed5 (directionup U floor5))525

• LTL

3

• LTL FG G F , F G X X X UR ( U ) R ( R ) U F ( ) F F G ( ) G G

• LTL {, , }

{U, X} R ( U ) W R ( ) {R, X} {W, X}

• (safety)(liveness)(non-blocking)

• n t c n ntc

c1c2

• G(c1 c2)s0

• G(t1 F c1)s0

• n1t1

• c1c1c2

c1c2c1

• G(c1 c1W(c1 c1W c2))c1c2c1

• New Symbolic Model Verifier

• LTL

• (Computation Tree Logic) ::= | | p | ( ) | ( ) | ( ) | ( ) |AX | EX | AF | EF | AG | EG | A[ U ] | E[ U ] AEqEF qp EF AG pAG( p E[p U q] )AG( p EG q )

• CTL, s AX s s1s1, s1 , s EX s s1s1, s1 , s1 AG s1 s2 si, si , s1 EG s1 s2 si, si

• CTL, s1 AF s1 s2 si, si , s1 EF s1 s2 si, si , s1 A[1 U 2 ]s1 s2 1 U 2, s1 E[1 U 2 ]s1 s2 1 U 2

• CTLEF

• CTLEG

• CTLAG

• CTLAF

• CTL, s0 EX( q r ), s0 AX( q r ), s0 EF( p r ), s2 EG( r ), s0 AF r , s0 E [( p q ) U r ], s0 A [ p U r ], s0 AG(pqr EF EG r)

AG (requested AF acknowledged ) LTL G(requested F acknowledged)

• CTLAG ( AF enabled )enabled LTL G F enabled

• CTLAG( floor2 directionup ButtonPressed5 A [directionup U floor5] )525 LTL G( floor2 directionup ButtonPressed5 (directionup U floor5) )

• CTLenabledLTL G F enabled G F running

G F enabled G F runningAEAG AF enabled AG AF running

• CTLAG( EF restart )

AG( floor3 idle DoorClosed EG (floor3 idle DoorClosed ))3

• CTLAG( n1 EX t1 )

EF (c1 E[ c1 U ( c1 E[ c2 U c1 ] ) ] )LTL G(c1 c1W(c1 c1W c2))

• CTL AF EG EF AG AX EX AF A[ U ]EF E[ U ]

• CTL

{AX, EX}{EG, AF, AU}EU

• LTLCTL1CTLLTLCTL2LTLCTLLTLF p F qpqCTLFAEpqAF p AF qAG( p AF q )

• CTL(X, U, F, G)(A, E)A[(p U r) (q U r)]A[X p XX p]E[GF p]p

• CTL(X, U, F, G)(A, E)

::= | p | ( ) | ( ) | A[] | E[] ::= | ( ) | ( ) | ( U ) | (G ) | (F ) |(X )

• CTLLTL CTLA[ ]CTLCTL ::= ( U ) | (G ) | (F ) | (X )

• 1CTLLTLAG EF p p(1) , s AG EF p(2) s

• , s AG EF p

s

• 1CTLLTLAG EF p p LTLA[ ]AG EF p, s AG EF p , s A[ ], s AG EF ps , s A[ ]

• 1CTLLTLAG EF p p2LTLCTLA[GF p F q] pq3CTLLTLCTLE[GF p]p

• 1CTLLTLAG EF p p2LTLCTLA[GF p F q]3CTLLTLCTLE[GF p]p4LTLCTLAG(p AF q) (CTL) G(p F q) (LTL) pq

• LTLCTLG( p F q )AG( p AF q )FG p AF AG pFG pAF AG p

• pFG p

• AG pAF AG p

• CTLs0S, s0 1 , s0 yesno2 , s ss02

• =(S, , L) {, , } {AF, EU, EX} 1 2 2 3

• pp L(s)s p 1 2s 1 2s 1 2 1s 1 1AF 11s 1AF 12s AF 1s AF 1

• E[ 1 U 2]1s 2E[ 1 U 2]2s 1E[ 1 U 2], s E[ 1 U 2] , EX 1s 1s EX 1

• E[c2 U c1]1E[c2 U c1]c1 s2, s4

• E[c2 U c1]2E[c2 U c1]c2 s1, s3

• E[c2 U c1]3E[c2 U c1]c2 s0

• , s0 s0 s1 s3 s7 s1 s3 s7

• AG( t1 AF c1)

• s1(s3 s1)(s2) (s1 s3 )s1(s3 s1)(s2)

• Weak fairness: a specified set of transitions cannot be enabled forever without being taken. Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken.

• Weak fairness is sufficient for asynchronous models (no process waits forever if it can move). Strong fairness is necessary for modeling synchronous interaction (rendezvous).

• 2GFc2 GFc2

• LTLCTL1CTL2LTL, s s

• LTL = ( S, , L ) , s {a, b}aa (a U b)

s3, s4, s3, s2, s2, (trace) ab, ab, ab, ab, ab,

• LTL1 (a U b) A a U bAa U b

UXC (a U b) ={ a, b, (a U b), a, b, (a U b) }X

• LTL1 (a U b) Asa) s s a U b

• LTL1 (a U b) Asb) 1 2 1 2s 12s a U b

• LTL1 (a U b) Asb) 1 2 1 2s 12s c) 1 2 a U b

• LTL1 (a U b) Asd) 1U 2s 12s a U b

• LTL1 (a U b) Asd) 1U 2s 12s e) (1U 2)s 2s a U b

• LTL1 (a U b) A (a U b )

a U b

• LTL1 (a U b) A( s, s )iff a)1U 2 s2ssa U b

• LTL1 (a U b) A( s, s )iff a)1U 2 s2ssb)(1U 2) s1 ssa U b

• LTL1 (a U b) A( s, s ) iff c)1U 2 s2s1U 2 s 1U 2 =2 (1 X(1U 2 ))a U b

• LTL1 (a U b) A( s, s ) iff d)(1U 2) s1 s(1U 2) s(1U 2) =2 (1 X(1U 2 ))a U b

• LTL1 (a U b) A1U 22s3, s3, a U b

• LTL1 A2AAa U b

• LTL2AAa U b

• LTL2AA

• LTL2AA

• a U b

• LTL2AAa U b

• LTL2AA3s a U b

• LTL3s yes, , s no, , s s3, (s4, s3,) s2, s2, s3, s4, (s3, s4,) s3, s1, s2, s2, a U b

• LTL = ( S, , L ) , s 1 A2AA3s yes, , s no, , s
