MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Similar documents
Models for Efficient Timed Verification

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

CS357: CTL Model Checking (two lectures worth) David Dill

Computation Tree Logic

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Lecture 16: Computation Tree Logic (CTL)

Temporal Logic Model Checking

Computation Tree Logic (CTL)

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Model Checking with CTL. Presented by Jason Simas

Automatic Verification of Real-time Systems with Discrete Probability Distributions

Model checking the basic modalities of CTL with Description Logic

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Overview. overview / 357

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Model Checking & Program Analysis

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Model for reactive systems/software

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

3. Temporal Logics and Model Checking

PSPACE-completeness of LTL/CTL model checking

First-order resolution for CTL

Alternating-Time Temporal Logic

From Liveness to Promptness

Finite-State Model Checking

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Parameter Synthesis for Timed Kripke Structures

3-Valued Abstraction-Refinement

Representing Temporal System Properties Specified with CCTL formulas using Finite Automaton

Theorem Proving beyond Deduction

Chapter 6: Computation Tree Logic

Model Checking: An Introduction

Computation Tree Logic

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Model checking (III)

An Introduction to Temporal Logics

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Decision Procedures for CTL

Binary Decision Diagrams

Algorithms for Model Checking (2IW55)

On the Expressiveness and Complexity of ATL

An Introduction to Modal Logic III

CTL-RP: A Computational Tree Logic Resolution Prover

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

Linear Temporal Logic (LTL)

Timed Automata VINO 2011

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

Computation Tree Logic (CTL)

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

T Reactive Systems: Temporal Logic LTL

Lecture 11: Timed Automata

An n! Lower Bound On Formula Size

Logic-Based Modeling in Systems Biology

QBF Encoding of Temporal Properties and QBF-based Verification

Real-Time Systems. Lecture 10: Timed Automata Dr. Bernd Westphal. Albert-Ludwigs-Universität Freiburg, Germany main

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Model-Checking Games: from CTL to ATL

ESE601: Hybrid Systems. Introduction to verification

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Alternating Time Temporal Logics*

Reasoning about Time and Reliability

Verifying Quantitative Properties of Continuous Probabilistic Timed Automata

Timo Latvala. February 4, 2004

Lecture Notes on Model Checking

CTL Model Checking. Wishnu Prasetya.

Reasoning about Equilibria in Game-like Concurrent Systems

Model Checking of Systems Employing Commutative Functions

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Chapter 4: Computation tree logic

TIMED automata, introduced by Alur and Dill in [3], have

Reasoning about Strategies: From module checking to strategy logic

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Automata-theoretic Decision of Timed Games

Efficient timed model checking for discrete-time systems

Symbolic Model Checking Property Specification Language*

Verification of Linear Duration Invariants by Model Checking CTL Properties

Efficient Model-Checking of Weighted CTL with Upper-Bound Constraints

Guest lecturer: Mark Reynolds, The University of Western Australia

Linear Temporal Logic and Büchi Automata

Time and Timed Petri Nets

Syntax of propositional logic. Syntax tree of a formula. Semantics of propositional logic (I) Subformulas

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Partial model checking via abstract interpretation

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

Transcription:

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN 1. Introduction These slides are for a talk based on the paper Model-Checking in Dense Real- Time, by Rajeev Alur, Costas Courcoubetis, and David Dill. The paper was published in Information and Computation 104(1):2-34, 1993 (preliminary version appeared in Proc. 5th LICS, 1990). A URL to the paper is http://www.cis.upenn.edu/ alur/lics90d.ps.gz. The overview of CTL is based on a book chapter titled Model Checking and the Mu-calculus by E. Allen Emerson. This was published in Proceedings of the DIMACS Symposium on Descriptive Complexity and Finite Model, N. Immerman and P. Kolaitis, eds., American Mathematical Society Press, Pages 185-214. A URL to the book chapter is http://www.cs.utexas.edu/users/emerson/pubs/fmt96q.ps. 2. CTL (Computation Tree Logic) 2.1. Kripke Structure. A Kripke Structure is a triple (S, L, R), where S is a set of states. L is a mapping L : S 2 AP, where AP is a set of atomic propositions. R S S is a total relation, s S t S s.t. (s, t) R 1

2 SHANT HARUTUNIAN P S0 AP={P, Q, R} Q P,R S1 S3 P S2 Q S4 Figure 1. Sample Kripke Structure 2.2. Syntax. CTL is inductively defined as follows S1 A proposition p in AP is a state formula. S2 If p and q are state formula, then p q, p are a state formula. S3 If p is a path formula, then Ep and Ap are state formula. P0 If p and q are state formula, then Xp and puq are path formula. The state formulas generated by S1-S3 define the language of CTL. Alternative rules, (replace S3 and P0 with Sa below).

MODEL-CHECKING IN DENSE REAL-TIME 3 Sa If p and q are state formula, then AXp, EXp, ApUq, and EpUq are state formula. We use the following abbreviations: EF p for E true Up AF p for A true Up EGp for (A true U p) AGp for (E true U p) Some sample CTL formulas are as follows: EXp ApUq AG(p AF q)

4 SHANT HARUTUNIAN 2.3. Full Path. A full path is an infinite sequence of states s 0, s 1, s 2,..., where (s i, s i+1 ) R For a full path x = (s 0, s 1, s 2,...), we denote by x i = (s i, s i+1, s i+2,...). 2.4. CTL Semantics. For a Kripke structure M and a state s 0, we write M, s 0 = p, for a state formula p For a Kripke structure M and a full path x, we write M, x = p, for a path formula p We define = inductively: S1 M, s 0 = p iff p L(s 0 ), for p AP S2 M, s 0 = p q iff M, s 0 = p and M, s 0 = q M, s 0 = p iff it is not the case that M, s 0 = p S3 M, s 0 = Ep iff a full path x = (s 0, s 1, s 2,...) in M, and M, x = p M, s 0 = Ap iff full paths x = (s 0, s 1, s 2,...) in M, and M, x = p P0 M, x = puq iff i, M, s i = q and j<i, M, s j = p M, x = Xp iff M, s 1 = p

MODEL-CHECKING IN DENSE REAL-TIME 5 a S0 AP={a, b} S1 a S2 b S3 Figure 2. Example CTL Model-Checking We wish to determine for which states of the Kripke structure the property φ = EaUb holds.

6 SHANT HARUTUNIAN We use the following algorithm to Model-Check the formula φ=eau b. 1 let D = 2 for all s S, if b L(s), then add s to D, and let L(s) = L(s) {EaUb} 3 H = 4 While H D do 4.1 H = D 4.2 for all s S\H, if t (s, t) R, and t H, and a L(s), then add s to D, and let L(s) = L(s) {EaUb} 5 od

MODEL-CHECKING IN DENSE REAL-TIME 7 We step through the algorithm for the example structure. 2 D = {s 3 }, and L(s 3 ) = {b} {EaUb} 3 H = 4.1,i1 H = {s 3 } 4.2,i1 S\H = {s 0, s 1, s 2 } D = {s 3, s 2 }, (we add s 2 to the set) 4.3,i1 L(s 2 ) = {a} {EaUb},(we add φ to the labels of s 2) 4.1,i2 H = {s 3, s 2 } 4.2,i2 S\H = {s 0, s 1 } D = {s 3, s 2, s 0 }, (we add s 0 to the set) 4.3,i2 L(s 0 ) = {a} {EaUb},(we add φ to the labels of s 0) 4.1,i3 H = {s 3, s 2, s 0 } 4.2,i3 S\H = {s 1 } D = {s 3, s 2, s 0 }, (nothing is added to the set) 5 Exit loop (we exit the loop since H = D)

8 SHANT HARUTUNIAN a S0 EaUb a S0 S1 S1 a S2 EaUb b S3 Step 2 EaUb a S2 EaUb b S3 Step 4.3, i2 a S0 EaUb a S0 S1 S1 EaUb a S2 EaUb b S3 EaUb a S2 EaUb b S3 Step 4.3, i1 Step 4.3, i3 Figure 3. Labelled Kripke Structure at various steps in the Model-Checking Algorithm 3. Model-Checking in Dense Real-Time 3.1. Timed Graph. A tuple (S, µ, S init, E, C, π, τ) S: A finite set of nodes. S init : A node in S designated as the start node. µ: S 2 AP, where AP is a set of atomic propositions. E: E S S, the set of edges. C: Finite set of clocks A clock is a variable ranging over the nonnegative Reals

MODEL-CHECKING IN DENSE REAL-TIME 9 π: E 2 C, indicates which clocks in C are reset along an edge in E. τ: A function labelling each edge in E with an enabling condition built from boolean connectives of atomic formula of the form X c c X where X is a clock and c N. (y 2)? S0 S1 S2 S3 x:=0 y:=0 (1 < x < 2)? Figure 4. Sample Timed Graph

10 SHANT HARUTUNIAN 3.2. Clock Assignments. A clock assignments ν assigns a nonnegative real value to each clock in C, ν : C R. We let Γ(G) denote the set of clock assignments for a timed graph G. We use the following notation regarding clock assignments: ν + t for each y C, [ν + t](y) = ν(y) + t [x t]ν: for each y C y x, [x t]ν(y) = ν(y) y = x, [x t]ν(y) = t 3.3. (s, ν)-run of a timed graph. An infinite sequence of the following form ( s 0, ν 0, t 0, s 1, ν 1, t 1, s 2, ν 2, t 2,...) Initialization: s 0 = s, ν 0 = ν, and t 0 = 0. Consecution: We have the following requirements regarding a transition from one component of the run to the next: t i+1 > t i. For edge e i E, e i = s i, s i+1. ν i+1 =[π(e i ) 0](ν i + t i+1 t i ). (ν i +t i+1 t i ) satisfies the enabling condition, τ(e i ). Progress of time: t i t. For any t R, there exists i s.t.

3.4. (s, ν)-path. MODEL-CHECKING IN DENSE REAL-TIME 11 We may derive a (s, ν)-path from a (s, ν)-run ρ : R S Γ(G) ρ(t) = s j, ν j + t t j for t j t < t j+1 3.5. Example (s, ν)-run of a timed graph. r 1 ( s 0, [0, 0], 0,(where [0, 0] is [ν 0(x), ν 0(y)]) s 1, [0, 0.5], 0.5, s 2, [1, 0], 1.5, s 3, [1.7, 0.7], 2.2, s 0, [3.7, 2.7], 4.2, s 1, [0, 2.8], 4.3, s 2, [0.1, 0], 4.4, s 3, [1.1, 1], 5.4, s 0, [3.1, 3], 4.2 + 3.2i, s 1, [0, 3.1], 4.2 + 3.2i + 0.1, s 2, [0.1, 0], 4.2 + 3.2i + 0.2, s 3, [1.1, 1], 4.2 + 3.2i + 1.2 ), for all i > 0. ρ r1 : ρ r1 (4.25) = s 0, [3.75, 2.75]

12 SHANT HARUTUNIAN 3.6. Example Sequences that are NOT Runs. seq 1 ( s 0, [0, 0], 0, s 1, [0, 1], 1, s 2, [3, 0], 4 ) The above sequence is not a run since it is finite. seq 2 ( s 0, [0, 0], 0, s 0, [t i, t i ], t i ), where t i = i k=0 1 2 k, for all i 0. In the above sequence, for all i, t i < 2. The above sequence is infinite but it is not a run because it does not satisfy the progress requirement of a run: for all t R, there exists i where t i t.

MODEL-CHECKING IN DENSE REAL-TIME 13 3.7. TCTL (Timed CTL) Syntax. S1 p AP is a TCTL formula S2 If φ 1 and φ 2 are TCTL formulas, then so are φ 1 φ 2 and φ 1 S3 If φ 1 and φ 2 are TCTL formulas, then so are Aφ 1 U c φ 2 and Eφ 1 U c φ 2 Where {<,, =,, >} and c N The class of formula generated by S1-S3 is the language of TCTL. 3.8. TCTL Semantics. We assume that ρ is a s, ν -path of a timed transition system M based on a timed graph G, and s = s 0, ν is a state in S Γ(G). S1 M, s = p, iff p µ(s 0 ) for a p AP S2 M, s = φ 1 φ 2 iff M, s = φ 1 and M, s = φ 2 M, s = φ 1 iff it is not the case that M, s = φ 1, for TCTL formulas φ 1 and φ 2 S3 M, s = Eφ 1 U c φ 2 iff for some path ρ, for some t c, M, ρ(t) = φ 2, and for 0 t < t, M, ρ(t ) = φ 1 M, s = Aφ 1 U c φ 2 iff for all paths ρ, for some t c, M, ρ(t) = φ 2, and for 0 t < t, M, ρ(t ) = φ 1

14 SHANT HARUTUNIAN 3.9. Equivalence of Clock Assignments. For all x C, let c x be the largest constant with which x is compared Two clock assignments are equivalent (ν = ν ) iff: For each x C, ν(x) = ν (x), or both ν(x) and ν (x) are greater than c x For each pair x, y C, s.t. ν(x) c x and ν(y) c y, 1. fract(ν(x)) fract(ν(y)) iff fract(ν (x)) fract(ν (y)) 2. fract(ν(x)) = 0 iff fract(ν (x)) = 0 Our goal is to show that for equivalent clock assignment ν and ν, a TCTL formula φ, and s S, M, s, ν = φ iff M, s, ν = φ.

MODEL-CHECKING IN DENSE REAL-TIME 15 y 2 1 C x =2 C y =1 1 2 3 x Figure 5. Equivalence Regions of Clocks {x, y} 3.10. Successor Region. Let α be an equivalence class of the clock assignments (Γ(G)). We denote that β is an equivalence class that is the successor of α, β = Succ(α), iff: For a positive t R, and for ν α, (ν + t) β, and for all t < t, (ν + t ) α β.

16 SHANT HARUTUNIAN x = 0, y = 0 x = 0, 0 < y < 1 x = 0, y =1 x = 0, 1 < y < 2 0 < x < 1, y = 0 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) 0 < x < 1, 0 < y < 1, f(x) > f(y) 0 < x < 1, y =1 0 < x < 1, 1 < y < 2, f(x) < f(y) 0 < x < 1, 1 < y < 2, f(x) = f(y) 0 < x < 1, 1 < y < 2, f(x) > f(y) x = 0, y = 2 0 < x < 1, y = 2 x = 0, y > 2 0 < x < 1, y > 2 f(x) = fract(x) x = 1, y = 0 x > 1, y = 0 x = 1, 0 < y < 1 x > 1, 0 < y < 1 x = 1, y =1 x > 1, y =1 x = 1, 1 < y < 2 x > 1, 1 < y < 2 x = 1, y = 2 x > 1, y = 2 x = 1, y > 2 x > 1, y > 2 Figure 6. Example-1: Successor Regions (c x = 1, c y = 2)

MODEL-CHECKING IN DENSE REAL-TIME 17 x = 0, y = 0 0 < x < 1, y = 0 x = 0, 0 < y < 1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 0, y =1 0 < x < 1, y =1 x = 0, 1 < y < 2 0 < x < 1, 1 < y < 2, f(x) < f(y) 0 < x < 1, 1 < y < 2, f(x) = f(y) 0 < x < 1, 1 < y < 2, f(x) > f(y) x = 0, y = 2 0 < x < 1, y = 2 x = 0, y > 2 0 < x < 1, y > 2 f(x) = fract(x) x = 1, y = 0 x > 1, y = 0 x = 1, 0 < y < 1 x > 1, 0 < y < 1 x = 1, y =1 x > 1, y =1 x = 1, 1 < y < 2 x > 1, 1 < y < 2 x = 1, y = 2 x > 1, y = 2 x = 1, y > 2 x > 1, y > 2 Figure 7. Example-2: Successor Regions (c x = 1, c y = 2)

18 SHANT HARUTUNIAN x = 0, y = 0 0 < x < 1, y = 0 x = 0, 0 < y < 1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 0, y =1 0 < x < 1, y =1 x = 0, 1 < y < 2 0 < x < 1, 1 < y < 2, f(x) < f(y) 0 < x < 1, 1 < y < 2, f(x) = f(y) 0 < x < 1, 1 < y < 2, f(x) > f(y) x = 0, y = 2 0 < x < 1, y = 2 x = 0, y > 2 0 < x < 1, y > 2 f(x) = fract(x) x = 1, y = 0 x > 1, y = 0 x = 1, 0 < y < 1 x > 1, 0 < y < 1 x = 1, y =1 x > 1, y =1 x = 1, 1 < y < 2 x > 1, 1 < y < 2 x = 1, y = 2 x > 1, y = 2 x = 1, y > 2 x > 1, y > 2 Figure 8. Example-3: Successor Regions (c x = 1, c y = 2)

MODEL-CHECKING IN DENSE REAL-TIME 19 x = 0, y = 0 0 < x < 1, y = 0 x = 0, 0 < y < 1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 0, y =1 0 < x < 1, y =1 x = 0, 1 < y < 2 0 < x < 1, 1 < y < 2, f(x) < f(y) 0 < x < 1, 1 < y < 2, f(x) = f(y) 0 < x < 1, 1 < y < 2, f(x) > f(y) x = 0, y = 2 0 < x < 1, y = 2 x = 0, y > 2 0 < x < 1, y > 2 f(x) = fract(x) x = 1, y = 0 x > 1, y = 0 x = 1, 0 < y < 1 x > 1, 0 < y < 1 x = 1, y =1 x > 1, y =1 x = 1, 1 < y < 2 x > 1, 1 < y < 2 x = 1, y = 2 x > 1, y = 2 x = 1, y > 2 x > 1, y > 2 Figure 9. Example-4: Successor Regions (c x = 1, c y = 2)

20 SHANT HARUTUNIAN 3.11. Clock Regions vs. Augmented Clock Regions. To the clock set C, add a clock x, not in C, that is not reset by any edge in the timed graph G. The clock regions resulting from the addition of x are called the augmented clock regions. We denote by c x the largest integer constant appearing in the TCTL formula. The augmented clock regions refine a clock region due to the addition of the extra clock x. Example clock region... {0 < y < 1}... and its augmented clock regions (assume c x = 1): {0 < y < 1, x = 0}, {0 < y < 1, 0 < x < 1}, {0 < y < 1, x = 1}, {0 < y < 1, x > 1} We write C to represent the clock set with the added clock x. We denote by [ν] the equivalence class with respect to the equivalence relation for clock assignments with clocks in C.

MODEL-CHECKING IN DENSE REAL-TIME 21 3.12. Region Graph. The region graph consists of vertices V that is the product of the set of augmented regions with the nodes S of timed graph G. The edges of the region graph are defined as follows; Edges representing the passage of time: Each vertex s, α, where α is not an end class, has an edge to s, succ(α) Edges representing transitions in G: Each vertex s, α for each edge e = s, s, has an edge to s, [[π(e) 0]ν], provided that i) α is not a boundary class*, and ii) Either ν α or ν succ(α), and iii) ν satisfies the enabling condition τ(e). * A boundary class α is such that for a positive real t and all ν in α, ν + t is not equivalent to ν. Examples: {x = 0, 1 < y < 2}, {x = 1, y = 2} where c x = 1, and c y = 2.

22 SHANT HARUTUNIAN (y > 1)?, y := 0 S0 S1 (y 1)? y:=0 (y < 1)? x = 0, y = 0 0 < x < 1, y = 0 S0 x = 0, y = 0 0 < x < 1, y = 0 S1 x = 0, 0 < y <1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) x = 0, 0 < y < 1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) x = 0, y =1 0 < x < 1, y =1 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 0, y =1 0 < x < 1, y =1 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 0, y > 1 0 < x < 1, y > 1 x = 0, y > 1 0 < x < 1, y > 1 x = 1, y = 0 x > 1, y = 0 x = 1, y = 0 x > 1, y = 0 x = 1, 0 < y< 1 x > 1, 0 < y < 1 x = 1, 0 < y < 1 x > 1, 0 < y <1 x = 1, y =1 x > 1, y =1 x = 1, y =1 x > 1, y =1 x = 1, y > 1 x > 1, y > 1 x = 1, y > 1 x > 1, y > 1 f(x) = fract(x) Graph only shows edges to vertices reachable from < S 0, [x = y = 0] > Figure 10. Timed Graph-1 and its Region Graph (c x = 1, c y = 1)

MODEL-CHECKING IN DENSE REAL-TIME 23 (y < 1)?, y := 0 S0 S1 (y 1)? y:=0 (y < 1)? x = 0, y = 0 0 < x < 1, y = 0 S0 x = 0, y = 0 0 < x < 1, y = 0 S1 x = 0, 0 < y < 1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) x = 0, 0 < y < 1 0 < x < 1, 0 < y < 1, f(x) < f(y) 0 < x < 1, 0 < y < 1, f(x) = f(y) x = 0, y =1 x = 0, y > 1 0 < x < 1, y =1 0 < x < 1, y > 1 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 0, y =1 x = 0, y > 1 0 < x < 1, y =1 0 < x < 1, y > 1 0 < x < 1, 0 < y < 1, f(x) > f(y) x = 1, y = 0 x > 1, y = 0 x = 1, y = 0 x > 1, y = 0 x = 1, 0 < y < 1 x > 1, 0 < y < 1 x = 1, 0 < y < 1 x > 1, 0 < y <1 x = 1, y =1 x > 1, y =1 x = 1, y =1 x > 1, y =1 x = 1, y > 1 x > 1, y >1 x = 1, y > 1 x > 1, y > 1 f(x) = fract(x) Graph only shows edges to vertices reachable from < S 0, [x = y = 0] > Figure 11. Timed Graph-2 and its Region Graph (c x = 1, c y = 1)

24 SHANT HARUTUNIAN 3.13. Fair Paths in the Region Graph. A path through the region graph is an infinite sequence of vertices in the region graph v 1, v 2, v 3,..., such that v i has an edge to v i+1. A path is fair if every clock in C is either reset infinitely often or is eventually always increasing. Hence, for all fair paths β through the region graph, for each clock y C, infinitely many vertices along the path β satisfy either y = 0, or y > c y. In labelling the region graph, for each vertex v, for each clock y C, label vertex v with p y=0 if y = 0 in v p y>cy if y > c y in v Using Fair CTL, with clock set C = {x, y, z}, the fairness condition would be F(px=0 p x>cx ) F(p y=0 p y>cy ) F(p z=0 p z>cz ), Where F x denotes that the proposition x is true infinitely often along a path.

MODEL-CHECKING IN DENSE REAL-TIME 25 3.14. A Graph Labelling Algorithm. For vertices in the region graph, every subscript c appearing in TCTL formula φ, label the vertex with p c iff at vertex s, [ν], ν = x c. Also label vertices with P b if a vertex represents a boundary class. For a formula of the form EpU c q, where p and q are propositions, label v = s, [ν] with φ iff: For some fair path starting at s, [[x 0]ν], Has a prefix (v 1, v 2, v 3,...) such that For each i n, v i is labelled with p, and v n is labelled with q and v n is labelled with p c, and v n is either labelled with p b or p. When labelling a vertex s, [ν] with φ, where [ν] is a refinement of a clock region α, we also label s, [ν ] with φ, where [ν ] ( [ν] ) is a refinement of the same clock region α.

26 SHANT HARUTUNIAN (z < 1)?, z := 0 S0 S1 S2 p q (z 1)? y:=0 (y < 1)? (y = 1)? 0 S p 0 x = y = z = 0 9 S 2 x > 1, y > 1 1 S p 0 0 < x = y < 1 4 S q 1 y = 0, x < 1 6 S 1 q 0 < y < x < 1 S 2 y = 1 < x 10 S 0 x = y = 1 2 p 5 S q 1 y = 0, x = 1 7 S 1 q 0 < y < x = 1 S 1 11 q x > 1, y > 1 S 0 x = y > 1 3 p 8 S q 1 0 < y < 1 < x S 1 y = 1 < x 12 q x = z, holds at all vertices. Graph only shows vertices reachable from < S 0, [x = y = z = 0] > Figure 12. Example TCTL Model-Checking

MODEL-CHECKING IN DENSE REAL-TIME 27 3.15. A Procedure Using Fair CTL to Model-Check a Region Graph. Remove vertices, and associated edges, from the region graph that do not have an outgoing edge (repeat this step until all such vertices are removed). For vertices in the region graph, every subscript c appearing in TCTL formula φ, label the vertex with p c iff at vertex s, [ν], ν = x c. Also label vertices with P b if a vertex represents a boundary class. For a TCTL formula φ of the form Eφ 1 U c φ 2, we use the Fair CTL formula φ of the form Eφ 1 Up c φ 2 (p b φ 1 ) We assume that all TCTL subformulas φ 1 and φ 2 of TCTL formula φ have already been checked using this procedure. (i.e., the graph is already labelled with φ 1 and φ 2 ) For each vertex v, for each clock y C, label vertex v with p y=0 if y = 0 in v p y>cy if y > c y in v

28 SHANT HARUTUNIAN Using Fair CTL, with clock set C, the fairness condition is y C F(py=0 p y>cy ) We assume that the Fair CTL Model-Checker returns the set of vertices S φ that satisfy the given formula φ, but does not label the graph with φ. Remove those vertices from S φ where x 0. For the vertices that remain in S φ, label each vertex with φ. When labelling a vertex s, [ν] with φ, where [ν] is a refinement of a clock region α, we also label s, [ν ] with φ, where [ν ] ( [ν] ) is a refinement of the same clock region α. Department of Electrical & Computer Engineering University of Texas at Austin E-mail address: shant@mail.utexas.edu

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback