CTL Model Update Implementation Using ANTLR Tools

Similar documents
Lecture 16: Computation Tree Logic (CTL)

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Model Checking with CTL. Presented by Jason Simas

Computation Tree Logic (CTL)

MODEL CHECKING. Arie Gurfinkel

Alan Bundy. Automated Reasoning LTL Model Checking

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Overview. overview / 357

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

FAIRNESS FOR INFINITE STATE SYSTEMS

Chapter 4: Computation tree logic

Model checking the basic modalities of CTL with Description Logic

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Propositional Logic and Semantics

The State Explosion Problem

PSPACE-completeness of LTL/CTL model checking

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Computation Tree Logic

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Abstractions and Decision Procedures for Effective Software Model Checking

Verification Using Temporal Logic

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Propositions. c D. Poole and A. Mackworth 2010 Artificial Intelligence, Lecture 5.1, Page 1

Temporal Logic Model Checking

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Linear Temporal Logic (LTL)

Algorithmic verification

Extensions to the Logic of All x are y: Verbs, Relative Clauses, and Only

Hoare Logic: Reasoning About Imperative Programs

Formal Verification of Mobile Network Protocols

Finite-State Model Checking

Logical Agent & Propositional Logic

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

CSC 4181Compiler Construction. Context-Free Grammars Using grammars in parsers. Parsing Process. Context-Free Grammar

Implementation of CTL Model Checker Update

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

3-Valued Abstraction-Refinement

22c:145 Artificial Intelligence

Formal Specification and Verification. Specifications

Alternating Time Temporal Logics*

Chapter 6: Computation Tree Logic

ESE601: Hybrid Systems. Introduction to verification

Towards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs

Model Checking: An Introduction

Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Model for reactive systems/software

Decision Procedures for Satisfiability and Validity in Propositional Logic

Linear Temporal Logic and Büchi Automata

CTL satisfability via tableau A C++ implementation

Timo Latvala. February 4, 2004

Alternating-Time Temporal Logic

The Algorithm and a Case Study for CTL Model Update

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

UNIT-I: Propositional Logic

Logic. Propositional Logic: Syntax

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Lecture 7. Logic. Section1: Statement Logic.

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

T Reactive Systems: Temporal Logic LTL

A brief introduction to Logic. (slides from

Logical Agent & Propositional Logic

Computer-Aided Program Design

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL Specifications

Introduction to Kleene Algebras

Generating Linear Temporal Logic Formulas for Pattern-Based Specifications

A Logic Primer. Stavros Tripakis University of California, Berkeley

Reasoning About Imperative Programs. COS 441 Slides 10b

Model Checking & Program Analysis

Learning Goals of CS245 Logic and Computation

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Logic. proof and truth syntacs and semantics. Peter Antal

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Automata-Theoretic Model Checking of Reactive Systems

Propositional Logic: Syntax

Model Checking: the Interval Way

Model Checking. Boris Feigin March 9, University College London

Program Analysis Part I : Sequential Programs

Bringing machine learning & compositional semantics together: central concepts

CS522 - Programming Language Semantics

Natural Deduction for Propositional Logic

CS357: CTL Model Checking (two lectures worth) David Dill

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

A Logic Primer. Stavros Tripakis University of California, Berkeley. Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 A Logic Primer 1 / 35

Harvard CS 121 and CSCI E-207 Lecture 9: Regular Languages Wrap-Up, Context-Free Grammars

COMP 3161/9161 Week 2

Logic. Propositional Logic: Syntax. Wffs

Title: Logical Agents AIMA: Chapter 7 (Sections 7.4 and 7.5)

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Logic. Introduction to Artificial Intelligence CS/ECE 348 Lecture 11 September 27, 2001

Propositional Logic: Methods of Proof (Part II)

Programming Languages and Types

CMSC 330: Organization of Programming Languages. Pushdown Automata Parsing

Lecture Notes on Inductive Definitions

Adding Modal Operators to the Action Language A

The Importance of Being Formal. Martin Henz. February 5, Propositional Logic

An Introduction to Temporal Logics

Transcription:

CTL Model Update Implementation Using ANTLR Tools LAURA FLORENTINA CACOVEAN Department of Computer Science Lucian Blaga University of Sibiu, Faculty of Sciences Str. Dr. Ion Ratiu 5-7, 550012, Sibiu ROMANIA laura.cacovean@ulbsibiu.ro FLORIN STOICA Department of Computer Science Lucian Blaga University of Sibiu, Faculty of Sciences Str. Dr. Ion Ratiu 5-7, 550012, Sibiu ROMANIA florin.stoica@ulbsibiu.ro Abstract: - The model checkers are tools which can be used to verify that a given system satisfies a given temporal logic formula. In this paper is presented an algorithm which implements a CTL model updater towards the development of an automatic model modification tool and is illustrated a case study by applying the model update to the elevator control scenario, using for the implementation of the formula grammar the ANTLR (Another Tool for Language Recognition) instruments. Key-Words: - CTL model checkers, ANTLR implementation, model update, algorithm, directed graph 1 Introduction Verification of a model is one of the most useful technologies for automatic system verifications. In the model checking approach, the system behaviour is modeled by a Kripke structure. The specification properties that must be accomplished by a system are expressed as formulas in a propositional temporal logic (for example CTL). The model checking takes as input the model and a formula, and then checks if the formula is satisfied or not by the Kripke model. If the formula is not satisfied by the model, the system will provide an error and any information necessary to know where the formula was not satisfied. In this paper is defined the principle of minimal change for the update of a CTL model. The necessary semantic and the computational properties are provided for the CTL model update. Based on these ascertainments is developed the algorithm for updating the CTL model. Presenting a case study, we will show that the new model can be then viewed as a possible correction of the original system specification. 2 CTL Syntax and semantics CTL is a branching-time logic, meaning that its formulas are interpreted over all paths beginning in a given state of the Kripke structure. A Kripke model M over AP is a triple M=(S, Rel, P:AP 2 S ) where S is a finite set of states, Rel S S is a transition relation, P:S 2 AP is a function that assigns each state with a set of atomic propositions. The CTL formulas are defined by the following rules [1]: (a) The logical constants true and false are CTL formulas; (b) Every atomic proposition, ap AP is a CTL formula; (c) If f 1 and f 2 are CTL formulas, then so are f 1, f 1 f 2, f 1 f 2, EX f 1, AX f 1, E[f 1 Uf 2 ], and A[f 1 Uf 2 ]. 2.1 Syntax definition of CTL model checker A CTL has the following syntax given in Backus-Naur form [4]: f :: p ( f 1 ) f 1 f 2 f 1 f 2 f 1 f 2 AX f 1 EX f 1 AG f 1 EG f 1 AF f 1 EF f 1 A[f 1 Uf 2 ] E[f 1 Uf 2 ] where p AP. A CTL formula is evaluated on a Kripke model M. A path in M from a state s is an infinite sequence of states and is denoted as π = [s 0, s 1,, s i-1, s i, s i+1, ] such that s 0 =s and (s i, s i+1 ) Rel holds for all i 0. We write (s i, s i+1 ) π and s i π. If we express a path as π = [s 0, s 1,, s i,, s j, ] and i < j, we say that s i is a state earlier than s j in π and s i < s j. For simplicity, we may use succ(s) to denote state s 0 if there is a relation (s, s 0 ) in Rel. 2.2 Semantic definition of CTL model checker Let M=(S, Rel, P:AP 2 S ) be a Kripke model for CTL. Given any s in S, we define whether a CTL formula f holds in state s. We denote this by (M, s) f. The satisfaction relation is defined by structural induction on fourteen CTL formulas [10]. Without a detailed declaration we presuppose that all the five formulae CTL presented in the contextually are by-path satisfied. Toward example, we consider the update of a Kripke model with CTL formulas, beginning from the fact that f is not satisfied. The input is a CTL Kripke model which not satisfies the formula f and the output is an updated CTL Kripke model which satisfies the input formula. In the beginning is presented a general definition of the CTL model update. ISSN: 1790-5109 169 ISBN: 978-960-474-099-4

The next definition presents just a prerequisite for requirements of the CTL model updater and not tells how the update to be performed. The CTL Update Definition [4]: Be a CTL Kripke model M = (S, Rel,P) and a CTL formula f. An update of M = (M, s 0 ), where s 0 S with f is a CTL Kripke model M' = (S', Rel', P') such that M' = (M', s 0 '), (M', s 0 ') f where s 0 ' S'. We use Update(M, f) to denote the result M' and Update(M, f) =M' if M' f. 3 Primitive update operations Pr 1. Add an only relation. Given M = (S, Rel,P), its updated model M' = (S', Rel',P') is the result of M having added only one new relation. That is S'= S, P' = P, and Rel' = Rel (s addrel, s addrel2 ) where (s addrel, s addrel2 ) Rel for one pair of s addrel,s addrel2 S. Pr 2. Remove an only relation. Given M = (S, Rel, P), its updated model M' = (S', Rel',P ') is the result of M having removed only one existing relation. That is, S'= S, P' = P, and Rel' = Rel-(s remrel, s remrel2 ) where (s remrel, s remrel2 ) Rel for one pair of s remrel, s remrel2 S. Pr 3. Substitute a state and its associated relations. Given M = (S, Rel, P), its updated model M' = (S', Rel', P') is the result of M having substituted only one existing state and its associated relations. That is, S' = S[s/s substate ]. S' is the set of states where one state s in S is substituted by s substate, Rel' = Rel (s i, s substate ), (s substate,s j ) for some s i, s j S -(s i,s),(s,s j ) (s i,s),(s,s j ) Rel and P '(s) = P (s) for all s S S' and P'(s substate ) = τ (s substate ), where τ is a truth assignment on s substate. Pr 4. Add a state and its associated relations. Given M = (S, Rel, P), its updated model M' = (S', Rel', P') is the result of M having added only one new state and its associated relations. That is, S' = S s addstate. S' is the set of states where one state s in S is added by s addstate, Rel' = Rel (s i, s addstate ), (s addstate,s j ) s i,s j S S' and P'(s) = P(s) for all s S S' and P'(s addstate ) = τ (s addstate ), where τ is a truth assignment on s addstate. Pr 5. Remove a state and its associated relations. Given M = (S,Rel, P), its updated model M' = (S',Rel', P') is the result of M having added only one existing state and its associated relations. That is, S' = S-s remstate s remstate S. S' is the set of states where one state s in S is removed by s remstate, Rel' = Rel-(s i, s remstate ), (s remstate,s j ) for some s i,s j S and P'(s) = P (s) for all s S S'. All changes on CTL model can be specified in terms of these five operations. We can argue that Pr 3 is accomplished by Pr 4 and Pr 5. Anyway, we treat state substitution differently than a combination of state addition and state deletion. Whenever a substitute of a state is needed, is applied Pr 3 directly more than Pr 4 followed by Pr 5. This thing will simplify the definition of minimal change of the CTL model [10, 2]. The Definition of Admissible Update is given by assertion: Given a CTL Kripke model M = (S, Rel,P), M= (M, s 0 ), where s 0 S, and a CTL formula f, Update(M, f) is called admissible if the following conditions hold: (1) Update(M, f) = (M', s 0 ') f where M' = (S', Rel', P') and s 0 ' S'; (2) There not exist another resulting model M'' = (S'', Rel'', P'') and s 0 '' S''; such that (M'',s 0 '') f and M''< M M'. We denote M 1 < M M 2 if M 1 M M 2 and M 2 M M 1. If are given three CTL Kripke models M, M 1, M 2 where M 1 and M 2 are obtained from M by applying Pr 1, Pr 2, Pr 3, Pr 4, Pr 5 operations, we say that M 1 is closer to M as M 2, denoted as M 1 M M 2, iff Diff(M,M 1 ) Diff(M,M 2 ). We denote Diff(M,M 1 ) Diff(M,M 2 ) iff for each i with i = 1,, 5, DiffP i (M,M 1 ) DiffP i (M,M 2 ) where M, M 1, M 2 are three CTL models. 4 Semantic Characterizations In this section we will present a variety of semantic characterizations of the CTL model updater that present possible solutions to achieve admissible updates under certain conditions. In many situations, as will be shown in the following, a single type primitive operation will be enough to achieve an admissible updated model. These model characterizations also play an essential role in simplifying the implementation of the CTL model update. First of all we shall return to the definition of the CTL Model Update. The algorithm is designed following a similar style of CTL model checking algorithm SAT [4], where an updated formula is parsed through its structure and recursive calls to proper functions are made to its sub-formulas [2]. From the definition of Admissible Update (stated above) we observe that, for a given CTL Kripke model M and a formula f, there may be many admissible updates satisfying f, where some updates are simpler than others. We consider a special form of path π where the first i states starting from s 0 already satisfy formula f. Under this situation, we can simply cut off the path. For example we can apply one time Pr 2 or Pr 5 to disconnect all other states not satisfying f [10,2]. The implementation can be formulated in the following form: Function Update AG (M, f) /* M AG f. Update M to satisfy AG f */ ISSN: 1790-5109 170 ISBN: 978-960-474-099-4

if M 0 = (M,s 0 ) f, then Pr 3 is applied to s 0 such that M' =CTLUpdate(M 0, f ); else 1. select a path π = [s 0,s 1, ], where Ǝs i π such that M i =(M,s i ) f; 2. select a state s i π such that s j <s i with (M,s j ) f then (1) Applying Pr 2 to remove relation (pre(s i ),s i ), then S :=S; Rel :=Rel-(pre(s i ),s i ); P = P, since is removed a only relation; or (2) Applying Pr 5 to remove state s i, its associated relation, then S :=S-s i ; Rel :=Rel-(pre(s i ),s i ),(s i,succ(s i )) where if associated relations of s i ; P :S 2 AP, since S S, s S,such that P (s):= P(s), is removed a only relation; or (3) Applying Pr 3 M'=CTLUpdate(M i,f); if M' AG f then return M'; else return Update AG (M',f); The above implementation can be formulated in a short form as follows: /* M EG f. Update M to satisfy EG f */ 1. select a path π = [s 0,s 1, ], in M; 2. select a state s i π such that M i =(M,s i ) f 3. M'=CTLUpdate(M i,f); 4. if M' EG f then return M'; else return Update EG (M',f); 5 Elevator example In this section we present a case study which illustrates the features of the CTL model update approach. As example we will present a scenario for an elevator control system. The designer analyzes [3] the state-transition diagram showed in Fig. 1, for the solely control transformation, Elevator Controller, and finds eight locked-state events. These locked-state events occur because the Elevator Controller, in most instances, takes one action and then awaits a response before moving onto a new state. In fact, only two event flows, Up Request and Down Request (when we denote with Move state when the request exist) do not qualify as locked-state events, because each of them can arrive any time a client presses a floor button or when the scheduler schedules an elevator. The remaining events can occur only when the Elevator Controller is expecting them. We begin from the state diagram transition of an elevator Controller shown in Fig. 1. Update AG (M, f) /* M AG f. Update M to satisfy AG f */ 1. select a path π = [s 0,s 1, ], where s i π and M i =(M,s i ) f; 2. M'=CTLUpdate(M i,f); 3. if M' AG f then return M'; else return Update AG (M',f); In [5,2] is presented a theorem which characterizes three typical situations for the update with formula EG f. In substance, this theorem says that in order to make formula EG f true, we first select a path, then we can either make a new path based on this path so that all states in the new path satisfy f (Case1), or trim the path from the state where all previous states satisfy f (Case 2) or simply change the assignments for all states which are not satisfying f in the path (Case 3). Proof of this theorem which proves that resulting models are admissible is presented in [5]. The implementation is: Function Update EG (M, f) Fig 1. State Transition Diagram for the Elevator Controller Suppose that we have an elevator system control which includes in first case a process for normal moving of lift cabin and in second case a faulty process. In first case for the normal moving of lift cabin process, doesn t shall appear the errors, so the door is closed and the passengers are going up or down when the button is pressed. The second process is the faulty process, when the lift cabin doesn t moving when the button is pressed ISSN: 1790-5109 171 ISBN: 978-960-474-099-4

for start the moving. The aim of the model is to find where the faulty process is. The objective of model updating, with other words, is to correct the original model which contains the faulty process. Starting from the original CTL structure for the elevator control system presented in the Fig. 2 with seven states of the system denoted with s 1, s 2,, s 7, we have added the state s d for checking if another passenger is requesting the elevator. The Kripke model has seven states and the propositional variables are from the set Start, Close, Move, Error. Start represented the start button for start moving up or down the elevator, Close represent the close door to the lift cabin, Move is moving up or down the elevator and Error means occur some error. The formal definition of the Kripke structure of the elevator control is given by: M = (S, Rel, P), where S=s 1,s 2,,s 7, Rel=(s 1,s 2 ), (s 2,s 3 ), (s 3,s 2 ), (s 3,s 4 ), (s 4,s 3 ), (s 4,s 5 ), (s 5,s 6 ), (s 6,s 7 ), (s 7,s 7 ), (s 7,s 4 ), (s 4,s 1 ), (s 1,s d ), (s d,s 4 ), (s d,s 1 ), AP=Start, Close, Move, Error, P assigns state s 1 in M with not start, not close, not move and not error, that is set Start, Close, Move, Error. We denote Start with St, Close with Cl, Move with Mv and Error with Er. P assigns state s 2 in M with St, Cl, Mv, Er, the state s 3 in M with St, Cl, Mv, Er, the state s 4 in M with St, Cl, Mv, Er, the state s 5 in M with St,Cl, Mv, Er, the state s 6 in M with St,Cl,Mv, Er and the state s 7 in M with St,Cl, Mv, Er. The model is shown below: Fig 2. The CTL structure of Elevator Controller In this figure START represents the Start elevator, Open and Close represents the open door and close the door, RESET is for a new initialization and DONE represents the done moving of elevator. The faulty process from this graph is the path s 1 s 2 s 3 s 4. The interpretation is following. In first state is started the elevator s 1,s 2. In the state s 2 we observed that have not Cl (that is the door don't close) and the moving is out of order and it pointed some error which is passed from the state s 2 in the state s 3 where the door elevator shall be closed. In the state s 3 there is an error and the elevator moving don t starts so must be performed a reset for the reestablishment. That is, the control is passed from the state s 3 to the state s 4. The process with normal behavior is the case obtained from the original CTL Kripke structure through s 1 s 4 s 5 s 6 s 7. Notice that this model don't satisfies the property f = EF(St EG Mv) [4]. The CTL model updater brings a minimum modification of the Kripke model which satisfies the property f. Firstly, must be analyzed f in AG( (St EG Mv)) for removing the symbol. The translation is doing with the function Update. Then is necessary to check whether each state satisfies (St (EG Mv)). This string must be parsed before it is checked. Selecting the EG Mv for elevator model means that is selected any path having any state with Mv. Then must be searched the paths in the form [s 1,s 2,s 3,s 4,s 1, ] and [s 1,s 4,s 1, ] which represents the connected components loops satisfying EG Mv. After that are identified all states with St, these are s 2,s 3,s 5,s 6. Then are selected the states with St and Mv, these are s 2,s 3. Because the AG( (St EG Mv)) formula identifies that the model has no both states St and Mv, is necessary an update of states s 2 and s 3 so as they will appear in the updated model. For the execution of Update AG function we can use three minimum updates: (case 1) applying Pr 2 to remove the connection (s 1, s 2 ); (case 2) applying the property Pr 5 to removed the state s 2 and the associate relations e.g. (s 1,s 2 ), (s 2,s 3 ) and (s 4,s 3 ); and (case 3) applying Pr 3 on the state s 2 and s 3. Using case three, the first translation will be from (St EG Mv) to St EG Mv, therefore s 2 and s 3 are updated with either St or EG Mv by the main function CTLUpdate what is dealing with and with the Update _ function. In other words, the new states of s 2 and s 3 will be denoted with s 2 and s 3. The Update AG (M, (St EG Mv)) function calls the main function CTLUpdate(M, St) or CTLUpdate(M, EG Mv) for the case f 1 f 2. We choose the St because this is simplest than EG Mv. In this case is necessary to update the atomic proposition St in states s 2 and s 3 of path π with St instead, thus there are no states on path π having the specification EF (St EG Mv). That is M = (M, s 1 ) EF (St EG Mv). The resulting model is presented in Fig. 3. ISSN: 1790-5109 172 ISBN: 978-960-474-099-4

In ANTLRWorks have been implemented all macrooperations of CTL model checker. The program receives as input the model M where are defined the sets S, Rel and P. In figure 4 is showed the implementation of the AG macro. We use Java as target language for the implementation of our model checker tool. Fig. 3 The updated model for an elevator control using the primitive P3 where s 2 is set St, Cl, Mv, Er and the state s 3 is set St, Cl, Mv, Er. The algorithm will generate one of the three resulting models without specific indication. Because of criteria used they are all minimally changed from the original model. 6 ANTLR In this section, we will present the first formula f 1 = AG(not (St and (EG (not Mv) )) that was checked by our implementation using the ANTLR tools. The ANTLR 3 [7] tools are used for the construction of software instruments as translators, compilers, recognition and parser of static/dynamic programs. The ANTLR is a generator of compilers; it receives as input a grammar, with a precise description of a language, and generates the source code and other auxiliary files for lexer and parser. The source code of our ANTLR grammar must contain the specification of all macro-operations presented in [6]. We decorate the grammar for formula language with actions. ANTLR inserts our actions in the generated code for parser, and parser must execute embedded actions after matching the preceding grammar element. This is the mechanism of formula evaluation for a given model. We define a CTL model checker as an algebraic compiler [6]. The algebraic methodology was used in specification of the ANTLR grammar for CTL formulas. This grammar can be used for the generation and the verification of different models. Using our CTL model checker generator, the user can correct a model in case in which the model was not correct defined and more important is that the result received is easy to be traced by the user. An essential contribution of the implementation presented in this section is that it can be used as a model checker generator. For a given model is automatically generated the java code for a verification tool of satisfiability of CTL formulas. Fig.4 Specification of CTL formula grammar in ANTLRWorks The detailed specification of AG operation is defined in [6], and the specification of and operation as actions in ANTLR grammar is presented in the following: //Ctlformula ag formula returns [HashSet set] : 'ag' f=formula HashSet rez = new HashSet(); // Z:= ; HashSet rez1 = new HashSet($f.set); // Z':= d ctl (t); while (!rez.equals(rez1)) // while Z Z' do rez.clear(); rez.addall(rez1); //Z:=Z' HashSet tmp = new HashSet(); boolean include; for (int i=0; i<max_stari; i++) include = true; for (int j=0; j<max_stari; j++) if (rel[i][j]==1) // succ(s), s S if (!(rez1.contains(new Integer(j)))) include = false; if (include) tmp.add(new Integer(i)); // succ(s) Z' // end for rez1.retainall(tmp); //Z':=Z' s S succ(s) Z'; // end while trace("",6); ISSN: 1790-5109 173 ISBN: 978-960-474-099-4

printset(" ag " + $f.text,rez1); $set = rez1; // d ctl (All global (t)) :=Z'; For checking the first formula f 1 of our example, we will use the ANTLR debugging facility to visualize the parse tree and execution of actions of grammar rules, i.e. evaluation of the CTL formula. The CTL rules set which are directly specified in the syntactic algebra of CTL, denoted by Sin ctl, can be ambiguous, therefore it is necessary that the set of formulas from Sin ctl to be divided in the non-terminal symbols denoted with Ctlformula, Formula, Factor, Termen and Expresie. Thus, the defined rules deliver non-ambiguous specification in algebra Sin ctl. In section 5 we presented as an example the elevator controller. Starting from the original model it was seen that there is a situation in which the f 1 formula is not satisfied. This has been verified with our implementation of model checker. The states from our implementation begin from state s 0. The result obtained using the ANTLR implementation of the CTL model checker is shown below: factor Move: 5 6 ; notmove: 0 1 2 3 4 ; eg (notmove): 0 1 2 3 ; expresie ( Start and (eg(notmove)) ) : 1 2 ; termen not ((Startand(eg(notMove)))): 0 3 4 5 6 ; ag (not((startand(eg(notmove))))): ; expresie ( Start and (eg(notmove)) ) : ; termen not ((Startand(eg(notMove)))): 0 1 2 3 4 5 6 ; ag (not((startand(eg(notmove))))): 0 1 2 3 4 5 6 ; The complete implementation of our CTL model checker is provided as a Netbeans 6.1 project, which include the java code generated by the ANTLR. References: [1] Baral C. and Y. Zhang, Knowledge updates: semantics and complexity issues, Artificial Intelligence, 164, 209.243, 2005. [2] Buccafurri F., T. Eiter, G. Gottlob, and N. Leone, Enhancing model checking in verification by ai techniques, Artificial Intelligence, 112, 57.104, 1999. [3] Gomaa H., Software Design Methods for Concurrent and Real-Time Systems, Addision-Wesley Publishing Company, Reading Massachusetts, 1993 [4] Harris H. and M. Ryan, Theoretical foundations of updating systems, in the Prodeedings 18th IEEE pp. 291.298, 2003. [5] Ding Yulin, Yan Zhang, CTL Model Update: Semantics, Computations and Implementation. ECAI 2006, Italy. [6] Laura Cacovean, Florin Stoica, Algebraic Specification Implementation for CTL Model Checker Using ANTLR Tools, 2008 WSEAS International Conferences, Computers and Simulation in Modern Science - Volume II, Bucharest, Romania, Nov. 2008, ISSN: 1790-5117, ISBN: 978-960-474-032-1 [7] Terence Parr, The Definitive ANTLR Reference, Building Domain-Specific Languages, version: 2007 For the original model has been found that the f 1 formula was not satisfied in all the model states. We proved in section 5 that if we are applying the algorithm for CTL model update, the states s 2 and s 3 will be updated. Thus was obtained a new model with two new states s 2 and s 3. Using our CTL model checker generator on the new model has shown that the f 1 formula was satisfied in all the new model states: factor Start: 4 5 ; factor Move: 5 6 ; termen not Move: 0 1 2 3 4 ; eg (notmove): 0 1 2 3 ; ISSN: 1790-5109 174 ISBN: 978-960-474-099-4

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback