02291: System Integration Kripke Structure and Computational Tree - PowerPoint PPT Presentation

02291: System Integration Kripke Structure and Computational Tree Logic (CTL) Hubert Baumeister huba@dtu.dk DTU Compute Technical University of Denmark Spring 2020

Model checking Prove: ”in our model of the train and signals it never happens that both trains are on the bridge” M | = φ ◮ Models M are Kripke structures ◮ Formulas φ are Computational Tree Logic (CTL) formulas ◮ Proving: Model checking

Example of a Kripke structure ◮ Kripke structure: Set of states + relation between states ◮ The Kripke structure of the railroad crossing system has 36 states (2 × 2 × 3 × 3) 1 2 3 4 5 1 0 [s1=red [s1=red [s1=green [s1=green [s1=red [s1=red s2=red s2=red s2=red s2=red s2=red s2=red t1=enroute t1=atSignal t1=atSignal t1=onBridge t1=onBridge t1=onBridge t2=enroute] t2=enroute] t2=enroute] t2=enroute] t2=enroute] t2=onBridge] .... .... .... 1 7 6 7 8 9 [s1=red [s1=red [s1=green [s1=green [s1=red s2=green s2=red s2=red s2=red s2=red t1=onBridge t1=atSignal t1=atSignal t1=onBridge t1=onBridge t2=onBridge] t2=atSignal] t2=atSignal] t2=atSignal] t2=atSignal] 1 1 1 2 1 3 1 4 1 5 1 6 [s1=red [s1=red [s1=red [s1=red [s1=green [s1=green s2=red s2=green s2=green s2=red s2=red s2=green t1=enroute t1=enroute t1=enroute t1=enroute t1=onBridge t1=onBridge t2=onBridge] t2=onBridge] t2=atSignal] t2=atSignal] t2=onBridge] t2=onBridge]

Kripke structure: Definition M | = φ Kripke structure (nondeterministic finite state machine) A Kripke structure M = ( S , I , R , λ ) : ◮ Set of states S , e.g., S = { 1 , 2 , . . . , 36 } ◮ Initial states I ⊆ S , e.g., I = { 1 } ⊆ S ◮ Transition relation R ⊆ S × S , e.g., R = { ( 1 , 2 ) , ( 2 , 3 ) . . . } ◮ Propositions V , e.g., V = { s1 is red , s1 is green , s2 is red , s2 is green , t1 is on bridge , t1 is at signal , t1 is enroute , t2 is on bridge , t2 is at signal , t2 is enroute } ◮ Set of true propositions in a state λ : S → 2 V , e.g., λ ( 1 ) = { s1 is red , s2 is red , t1 is on bridge , t2 is on bridge } λ ( 2 ) = { s1 is red , s2 is red , t1 is at signal , t2 is on bridge } . . .

Computation Tree Unfolding of a Kripke structure

Computation Tree Unfolding of a Kripke structure

Computation Tree Unfolding of a Kripke structure

Computation Tree Unfolding of a Kripke structure

Computation Tree Unfolding of a Kripke structure

Logical formulae: CTL M | = φ if and only if ∀ s 0 ∈ I : M , s 0 | = φ Satisfaction ◮ M , s 0 | = φ : the formula φ holds starting from state s 0 CTL: Computation Tree Logic formulae (1/4) ◮ p ∈ V : p is a basic proposition ◮ ¬ φ , φ ∧ ψ , φ = ⇒ ψ , . . . : the usual boolean connectors . . . Satisfaction: simple formulae ◮ M , s 0 | = p iff p ∈ λ ( s 0 ) ◮ M , s 0 | = φ ∧ ψ iff M , s 0 | = φ and M , s 0 | = ψ . . .

Example 1 2 3 4 5 1 0 [s1=red [s1=red [s1=green [s1=green [s1=red [s1=red s2=red s2=red s2=red s2=red s2=red s2=red t1=enroute t1=atSignal t1=atSignal t1=onBridge t1=onBridge t1=onBridge t2=enroute] t2=enroute] t2=enroute] t2=enroute] t2=enroute] t2=onBridge] .... .... .... 1 7 6 7 8 9 [s1=red [s1=red [s1=green [s1=green [s1=red s2=green s2=red s2=red s2=red s2=red t1=onBridge t1=atSignal t1=atSignal t1=onBridge t1=onBridge t2=onBridge] t2=atSignal] t2=atSignal] t2=atSignal] t2=atSignal] 1 1 1 2 1 3 1 4 1 5 1 6 [s1=red [s1=red [s1=red [s1=red [s1=green [s1=green s2=red s2=green s2=green s2=red s2=red s2=green t1=enroute t1=enroute t1=enroute t1=enroute t1=onBridge t1=onBridge t2=onBridge] t2=onBridge] t2=atSignal] t2=atSignal] t2=onBridge] t2=onBridge] M , 1 | = s1 = red M , 5 �| = s1 = green M , 3 | = s1 = green ∧ t1 = atSignal

Logical formulae: CTL M , s 0 | = QT φ ◮ Q : for all paths (A), or there exists one path (E) ◮ T : for the next state of one path (X), for some state of one path (F), for all states on one path (G) CTL: Computation Tree Logic (2/4) . . . ◮ EX φ , AX φ : formula φ holds in one successor state or in all successor states . . .

Logical formulae: CTL CTL: Computation Tree Logic (3/4) . . . ◮ EF φ , AF φ : formula φ holds eventually in one state in one path or eventually in one state in all paths ◮ EG φ , AG φ : formula φ holds in every state of one path or in every state of every path . . .

CTL example

Please stop the video and try to find the answer Continue with the video to see the solution

CTL example

Railway crossing example ◮ Safety property: Both trains are not at the same time on the bridge ◮ The following states are not reachable: [s1=? s2=? t1=onBridge t2=onBridge]

Please stop the video and try to find the answer Continue with the video to see the solution

Railway crossing example ◮ Safety property: Both trains are not at the same time on the bridge ◮ The following states are not reachable: [s1=? s2=? t1=onBridge t2=onBridge]