Timed CTL Model Checking in Real-Time Maude⋆ - IfI

30 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky
Our implementation of the TCTL model checker is based on the explicit-state
CTL model checking approach [8] that, starting with the atomic propositions,
recursively computes for each subformula of the desired TCTL formula the set
of satisfying reachable states. We implemented specific procedures for a basic set
of temporal modal operators and we expressed other formulas into this canonical
form. The basic set consists of the CTL modal operators E ϕ1 U ϕ2, E G ϕ,
the TCTL≤≥ 10 modal operators E ϕ1 U∼r ϕ2 with ∼∈ {>, ≥}, E ϕ1 U∼r ϕ2
with ∼∈ {0 ϕ2 and the TCTLcb modal operator E ϕ1 U [a,b] ϕ2.
The procedures for CTL modalities follow the standard explicit algorithm [8].
For TCTL≤≥ modalities, our implementation adapts the TCTL≤≥ model checking
procedure defined in [19] for time-interval structures and to timed Kripke
structures with time-diverging paths.
We briefly explain the model checking procedure for ϕ = E ϕ1 U [a,b] ϕ2. We
first compute the satisfacton set for the CTL formula ˆϕ = E ϕ1 U ϕ2, then we
restrict the transition relation (which we here denote by tr) in the timed Kripke
structure, to those transitions between states satisfying ˆϕ except transitions from
¬ϕ1-states, obtaining ¯tr. We then recursively compute all the time distances from
any state to some ϕ2 state up to b time units. This is computed by the operator
computeDistances. The first two arguments of this operator are set of pairs of
the kind < r, s > with r a time value and s a state (represented by a natural
number in the current implementation), where each pair means that it is possible
to reach some ϕ2-state from state s in time r ≤ b. The first set of such pairs is
the set of time distances that still have to be “visited”, that is the predecessors
of s still have to be visited with the given time stamp r. The second of such sets
contains time distances that have already been visited. The third argument is
the time bound b and the fourth argument is the restricted transition relation
¯tr. The operator is initially called with
computeDistances({< 0, ϕ2-state >},emptyRatNatPairSet,b, ¯tr),
since each ϕ2-state can obviously be reached in zero time.
vars RNPS0 RNPS1 RNPS RNPS’ : RatNatPairSet .
vars TIME0 TIME : Rat .
var TRTKS : TransRelTKS .
var N0 : Nat .
op computeDistances :
RatNatPairSet RatNatPairSet Rat TransRelTKS -> RatNatPairSet .
ceq computeDistances(( < TIME0, N0 > RNPS), RNPS’, TIME, TRTKS) =
computeDistances((RNPS1 RNPS), (< TIME0, N0 > RNPS’), TIME, TRTKS)
if RNPS0 := allTimedPredecessors(TRTKS,N0) /\
RNPS1 := addTimeAndFilter(RNPS0, TIME0, TIME) .
eq computeDistances(emptyRatNatPairSet, RNPS’, TIME, TRTKS) = RNPS’ .
10 We denote by TCTL≤≥ the restricted TCTL logic with time constraints on the
temporal modalities of the form ∼ r, where ∼∈ {},