Timed CTL Model Checking in Real-Time Maude⋆ - IfI

More documents

Recommendations

Info

$G:\MISQ\2006\September 2006\Gregor.wpd - IfI$

28 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky In order to prove that T K gcd , t |=p A ϕ1 UI ϕ2, we have to show that for each π ∈ tfPathsT Kgcd(t) there is an index j s.t. dπ j ∈ I, T Kgcd , tπ j |=p ϕ2, and ∀ 0 ≤ i < j T K gcd , tπ i |=p ϕ1. Let π ∈ tfPathsT Kgcd(t). We know that π is also a path in T K, thus by assumption there exist a path refinement π ′ of π that satisfies the until path formula in the continuous semantics in T K. By definition, all tick durations in π ′ are ≤ ¯r 2 , thus, we can define π′′ to be the same time abstraction of π ′ that we defined in the proof for the (“⇒”) of the existential until, where we removed all states at time points non-multiple of ¯r . We have already shown 2 how this path also satisfies the until path formula in T K, thanks to Lemma 1. In particular, we have that π ′′ = π and, by using the induction hypotesis on ϕ1 and ϕ2 as we did for the “⇐” proof, we know that π ′′ satisfies the until path formula in the pointwise semantics in T K gcd , and hence T K gcd |=p ϕ. 4.1 Soundness and completeness for TACLT and TECLT Since it is the theory R σ that is model checked, not all behaviors in the theory R are analyzed. Therefore, R σ , LΠ, s |= ϕ does not necessarily imply R, LΠ, s |= ϕ. However, for the universal fragment TACTL 8 , in the pointwise semantics, if a counter-example exists in the model checking of R σ , then this is also a counterexample in R; that is, for ϕA a TACTL formula, we have R σ , LΠ, s |=p ϕA =⇒ R, LΠ, s |=p ϕA. Thus, R σ is a complete abstraction of R for TACTL. However, if a counter-example does not exist in R σ , then this does not exclude the existence of a counter-example in R. Conversely, in the existential fragment, if the given state satisfies the TECTL formula in R σ in the pointwise semantics, meaning that there exists a path π satisfying the given formula, then this holds also for R, since π is also a path in R; that is, for ϕE a TECTL formula, we have R σ , LΠ, s |=p ϕE =⇒ R, LΠ, s |=p ϕE. Thus, R σ is a sound abstraction of R for TECTL. 5 Implementation Our model checker makes the natural and reasonable assumption that given a real-time rewrite theory R, and an initial state t0 on which we would like to check some TCTL formula ϕ, all behaviors starting from t0 are time-diverging 8 The universal and the existential fragments [13] of TCTL are defined by allowing negation only in front of propositions and by restricting quantification to the universal quantifier TACTL, and to the existential quantifier in TECTL.
Timed CTL Model Checking in Real-Time Maude 29 w.r.t. the selected time sampling strategy σ. This assumption also implies that the transition relation T −→R σ in the timed Kripke structure T K(Rσ , t0)Π is total. The current implementation of the model checker assumes that time values are either in NAT-TIME-DOMAIN-WITH-INF or POSRAT-TIME-DOMAIN-WITH-INF, and provides the user with two possible model-checking strategies: (i) The basic strategy, which performs the model checking on the model obtained by applying the user-defined time sampling strategy on the original model. As we explained in section 4.1, this strategy provides a sound analysis for TETCL and a complete analysis for TATCL. (ii) The gcd strategy, which extends the maximal time sampling strategy with the “gcd” transformation to perform the model checking for the satisfaction problem R gcd(t0,r,ϕ) , LΠ, t0 |=p ϕ. Soundness and completeness of the gcd strategy might come at the cost of a larger state space due to the application of the gcd transformation. When the gcd strategy is impractical, the user can still perform model checking with the generally faster basic strategy, which does not increase the system state space and can still be very useful to discover potential bugs, as illustrated below. Real-Time Maude, and hence our model checker, is implemented in Maude, making extensive use of Maude’s meta-programming capabilities. Therefore, our model checker gets as input the meta-representation R of the Real-Time Maude model R to analyze, as well as the meta-representations t0 and ϕ of, respectively, the initial state t0 and the TCTL formula ϕ to check. The algorithm first applies the user selected time sampling strategy to R, and then explores the reachable state space to incrementally construct the timed Kripke structure T K(R σ , t0)Π, which is subsequently model checked (directly as it is in the default strategy, while, in the gcd strategy, it is further refined by “splitting” the transitions into smaller ones of duration equal to the computed greatest common divisor in the gcd strategy and then model checked). This is done by repeatedly using Maude’s meta-level descent functions metaSearch, to find all states reachable from a state in one rewrite step, and metaReduce, to check whether an atomic proposition holds in a state. Since the meta-representation of the states can be fairly large 9 , performing the rest of the model checking procedure on the generated timed Kripke structure is fairly inefficient. In our current implementation, we assign a unique natural number to each (meta-represented) state in the generated timed Kripke structure, and construct a more compact timed Kripke structure, where all the occurrences of these meta-represented states are replaced by their respective identifiers. We then perform the main part of the model checking procedure, namely, the recursive computation of the satisfaction set of ϕ on this compact representation. This optimization led to a large performance improvement and made it feasible to apply our model checker to a number of case studies in reasonable time, whereas working directly on meta-represented terms made model checking unfeasible even for simple case studies. 9 For example, each state in the Maude representation of the Ptolemy II model in Section 6 “contains” the entire Ptolemy II model.
Page 1 and 2: Timed CTL Model Checking in Real-Ti
Page 15 and 16: π : πi : π ′ i : πj : π ′
Page 23 and 24: π : πi : π ′ i : πj : π ′
Page 27: Timed CTL Model Checking in Real-Ti

Timed CTL Model Checking in Real-Time Maude⋆ - IfI

Create successful ePaper yourself

Delete template?

Save as template?