02291: System Integration: Kripke Structure and Computational Tree Logic (CTL) - PowerPoint PPT Presentation
Hubert Baumeister, huba@dtu.dk, DTU Compute, Technical University of Denmark, Spring 2020
Model checking
Prove: "in our model of the train and signals it never happens that both trains are on the bridge"
M ⊨ φ
◮ Models M are Kripke structures
◮ Formulas φ are Computation Tree Logic (CTL) formulas
◮ Proving: model checking
Example of a Kripke structure
◮ Kripke structure: set of states + relation between states
◮ The Kripke structure of the railroad crossing system has 36 states (2 × 2 × 3 × 3: two signals s1, s2 ∈ {red, green} and two trains t1, t2 ∈ {enroute, atSignal, onBridge})
States shown in the state diagram (the remaining states are omitted in the figure):
1 [s1=red s2=red t1=enroute t2=enroute]
2 [s1=red s2=red t1=atSignal t2=enroute]
3 [s1=green s2=red t1=atSignal t2=enroute]
4 [s1=green s2=red t1=onBridge t2=enroute]
5 [s1=red s2=red t1=onBridge t2=enroute]
6 [s1=red s2=red t1=atSignal t2=atSignal]
7 [s1=green s2=red t1=atSignal t2=atSignal]
8 [s1=green s2=red t1=onBridge t2=atSignal]
9 [s1=red s2=red t1=onBridge t2=atSignal]
10 [s1=red s2=red t1=onBridge t2=onBridge]
11 [s1=red s2=red t1=enroute t2=onBridge]
12 [s1=red s2=green t1=enroute t2=onBridge]
13 [s1=red s2=green t1=enroute t2=atSignal]
14 [s1=red s2=red t1=enroute t2=atSignal]
15 [s1=green s2=red t1=onBridge t2=onBridge]
16 [s1=green s2=green t1=onBridge t2=onBridge]
17 [s1=red s2=green t1=onBridge t2=onBridge]
....
Kripke structure: Definition
M ⊨ φ
Kripke structure (nondeterministic finite state machine)
A Kripke structure M = (S, I, R, λ):
◮ Set of states S, e.g., S = {1, 2, . . . , 36}
◮ Initial states I ⊆ S, e.g., I = {1} ⊆ S
◮ Transition relation R ⊆ S × S, e.g., R = {(1, 2), (2, 3), . . .}
◮ Propositions V, e.g., V = {s1 is red, s1 is green, s2 is red, s2 is green, t1 is on bridge, t1 is at signal, t1 is enroute, t2 is on bridge, t2 is at signal, t2 is enroute}
◮ Set of true propositions in a state λ : S → 2^V, e.g.,
λ(1) = {s1 is red, s2 is red, t1 is on bridge, t2 is on bridge}
λ(2) = {s1 is red, s2 is red, t1 is at signal, t2 is on bridge}
. . .
Computation Tree
Unfolding of a Kripke structure
Logical formulae: CTL
M ⊨ φ if and only if ∀ s0 ∈ I : M, s0 ⊨ φ
Satisfaction
◮ M, s0 ⊨ φ: the formula φ holds starting from state s0
CTL: Computation Tree Logic formulae (1/4)
◮ p ∈ V: p is a basic proposition
◮ ¬φ, φ ∧ ψ, φ ⟹ ψ, . . . : the usual boolean connectives
. . .
Satisfaction: simple formulae
◮ M, s0 ⊨ p iff p ∈ λ(s0)
◮ M, s0 ⊨ φ ∧ ψ iff M, s0 ⊨ φ and M, s0 ⊨ ψ
. . .
Example
(State diagram of the railroad crossing as in the Kripke structure example above; state 1 is [s1=red s2=red t1=enroute t2=enroute], state 3 is [s1=green s2=red t1=atSignal t2=enroute], state 5 is [s1=red s2=red t1=onBridge t2=enroute].)
M, 1 ⊨ s1 = red
M, 5 ⊭ s1 = green (state 5 has s1 = red)
M, 3 ⊨ s1 = green ∧ t1 = atSignal
Logical formulae: CTL
M, s0 ⊨ Q T φ
◮ Q: for all paths (A), or there exists a path (E)
◮ T: in the next state of the path (X), in some state of the path (F), in all states of the path (G)
CTL: Computation Tree Logic (2/4)
. . .
◮ EX φ, AX φ: formula φ holds in some successor state, respectively in all successor states
. . .
Logical formulae: CTL
CTL: Computation Tree Logic (3/4)
. . .
◮ EF φ, AF φ: formula φ holds eventually (in some state) on one path, respectively eventually on every path
◮ EG φ, AG φ: formula φ holds in every state of one path, respectively in every state of every path
. . .
CTL example
Railway crossing example
◮ Safety property: the two trains are never on the bridge at the same time
◮ Hence none of the following states may be reachable (for any values of the signals):
[s1=? s2=? t1=onBridge t2=onBridge]
◮ As a CTL formula: AG ¬(t1 = onBridge ∧ t2 = onBridge)
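The definitions above (Kripke structure, unfolding into a computation tree, CTL satisfaction) and the railway-crossing safety question, worked through in code. This is an added example, not code from the lecture slides: it builds the 36-state railroad Kripke structure from an assumed set of controller rules (the slides show the state labels but not the transitions, and states are represented as tuples (s1, s2, t1, t2) instead of the numbers 1..36), implements the CTL operators as set operations and fixpoint iterations over S, checks AG ¬(t1 = onBridge ∧ t2 = onBridge) from the initial state, and for a deliberately weakened controller produces a counterexample path. All function and variable names (railroad_kripke, unfold, sat, holds, witness_path, check_safety, SAFETY, LIVENESS) are mine.

```python
# Added example (not from the 02291 slides): explicit-state CTL model checking of a
# railroad-crossing Kripke structure; the controller rules below are an assumption.
from collections import deque
from itertools import product

SIGNALS, POSITIONS = ("red", "green"), ("enroute", "atSignal", "onBridge")
INIT = ("red", "red", "enroute", "enroute")  # states are tuples (s1, s2, t1, t2)

def railroad_kripke(safe_controller=True):
    """M = (S, I, R, lam). Assumed rules, one move per step: enroute -> atSignal;
    atSignal + green -> onBridge; onBridge -> enroute and the signal goes red; a red
    signal turns green for a waiting train only if the other signal is red and the
    other train is off the bridge (that check is dropped when not safe_controller)."""
    S = list(product(SIGNALS, SIGNALS, POSITIONS, POSITIONS))  # 2 * 2 * 3 * 3 = 36
    R = {s: set() for s in S}
    for s in S:
        for i in (0, 1):
            j, sig, pos = 1 - i, list(s[:2]), list(s[2:])
            if pos[i] == "enroute":
                pos[i] = "atSignal"
            elif pos[i] == "atSignal" and sig[i] == "green":
                pos[i] = "onBridge"
            elif pos[i] == "atSignal":  # waiting at red: ask the controller
                if safe_controller and (sig[j] != "red" or pos[j] == "onBridge"):
                    continue
                sig[i] = "green"
            else:  # onBridge: leave and drop the signal back to red
                pos[i], sig[i] = "enroute", "red"
            R[s].add((sig[0], sig[1], pos[0], pos[1]))
    lam = {s: {f"s1={s[0]}", f"s2={s[1]}", f"t1={s[2]}", f"t2={s[3]}"} for s in S}
    return S, {INIT}, R, lam

def unfold(M, s, depth):
    """Computation tree: unfold M from state s to `depth` as nested (s, children)."""
    return (s, [] if depth == 0 else [unfold(M, t, depth - 1) for t in sorted(M[2][s])])

def pre(M, Z):
    return {s for s in M[0] if M[2][s] & Z}  # states with some successor in Z (EX)

def sat(M, phi):
    """States where phi holds. phi: ("true",), ("p", name), ("not", f), ("and", f, g),
    ("implies", f, g), ("EX"/"AX"/"EF"/"AF"/"EG"/"AG", f), ("EU", f, g); A-ops via E-duals."""
    S, lam = M[0], M[3]
    op, *args = phi
    if op == "true":
        return set(S)
    if op == "p":
        return {s for s in S if args[0] in lam[s]}
    if op == "not":
        return set(S) - sat(M, args[0])
    if op == "and":
        return sat(M, args[0]) & sat(M, args[1])
    if op == "implies":
        return (set(S) - sat(M, args[0])) | sat(M, args[1])
    if op == "EX":
        return pre(M, sat(M, args[0]))
    if op == "EG":  # greatest fixpoint of Z = f and EX Z
        f, Z = sat(M, args[0]), set(S)
        while (nxt := f & pre(M, Z)) != Z:
            Z = nxt
        return Z
    if op == "EU":  # least fixpoint of Z = g or (f and EX Z)
        f, g, Z = sat(M, args[0]), sat(M, args[1]), set()
        while (nxt := g | (f & pre(M, Z))) != Z:
            Z = nxt
        return Z
    if op == "EF":  # EF f = E[true U f]
        return sat(M, ("EU", ("true",), args[0]))
    if op in ("AX", "AG", "AF"):  # AX = not EX not, AG = not EF not, AF = not EG not
        return set(S) - sat(M, ({"AX": "EX", "AG": "EF", "AF": "EG"}[op], ("not", args[0])))
    raise ValueError(f"unknown operator {op}")

def holds(M, phi):
    return M[1] <= sat(M, phi)  # M |= phi iff phi holds in every initial state

def witness_path(M, target):
    """Shortest path (BFS over R) from an initial state to a state in `target`."""
    paths, queue = {s: [s] for s in M[1]}, deque(M[1])
    while queue:
        s = queue.popleft()
        if s in target:
            return paths[s]
        for t in sorted(M[2][s]):
            if t not in paths:
                paths[t] = paths[s] + [t]
                queue.append(t)
    return None

BOTH_ON_BRIDGE = ("and", ("p", "t1=onBridge"), ("p", "t2=onBridge"))
SAFETY = ("AG", ("not", BOTH_ON_BRIDGE))
LIVENESS = ("AG", ("implies", ("p", "t1=atSignal"), ("AF", ("p", "t1=onBridge"))))

def check_safety(safe_controller=True):
    """(True, None) if M |= SAFETY, else (False, path from INIT to a bad state)."""
    M = railroad_kripke(safe_controller)
    return (True, None) if holds(M, SAFETY) else (False, witness_path(M, sat(M, BOTH_ON_BRIDGE)))

if __name__ == "__main__":
    print(check_safety(True), check_safety(False), holds(railroad_kripke(), LIVENESS), sep="\n")
```

Two points worth noticing when running it. First, sat computes the satisfying set over all 36 states, including states such as [s1=red s2=red t1=onBridge t2=onBridge] that the safe controller never reaches; that is fine, because M ⊨ φ only asks whether the initial state is in the set, and AG is evaluated along paths from there. Second, the liveness formula AG (t1 = atSignal ⟹ AF t1 = onBridge) fails even with the safe controller: since one train moves per step and nothing forces train 1 to ever be scheduled, there is an infinite path on which only train 2 cycles through the crossing. That is a property of the interleaving model rather than a bug in the signal logic, and it is why liveness checks in practice need fairness constraints on the scheduler.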