Timed CTL Model Checking in Real-Time Maude⋆ - IfI

More documents

Recommendations

Info

$G:\MISQ\2006\September 2006\Gregor.wpd - IfI$

34 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky Fig. 5: A Ptolemy II DE model of the railroad crossing benchmark. 6.2 Ptolemy II Discrete Event Models As mentioned, Real-Time Maude provides a formal analysis tool for a set of modeling languages for embedded systems, including Ptolemy II discrete-event (DE) models. Ptolemy II [16] is a well-established modeling and simulation tool used in industry that provides a powerful yet intuitive graphical modeling language. Our model checker has been integrated into Ptolemy II by Kyungmin Bae, so that we can now model check TCTL properties of Ptolemy II DE models from within Ptolemy 12 . We show the TCTL analysis of the railroad crossing and the hierarchical traffic light existing Ptolemy II models. In this second case study, our model checking has uncovered a previously unknown flaw in the model. Railroad Crossing Model Figure 5 shows the Ptolemy II model of the well known railroad crossing benchmark. In this model, a train approaches a railroad crossing, and a gate should be lowered when a train is in the intersection. The 12 Real-Time Maude verification commands can be entered into the dialog box that pops up when the button “Double click to generate code” in Fig. 6 is clicked.
Timed CTL Model Checking in Real-Time Maude 35 model contains two finite state machines: one for the train and one for the gate. One transition is taken in each time unit in the state machine Train. We refer to [7] for a thorough explanation of the model. The Real-Time Maude specification for Ptolemy II DE models provides an intuitive syntax for specifying state propositions, so that e.g. the state proposition “the train is in state approaching” is written ’RailroadSystem . ’Train @ ’approaching One important property that the system should satisfy is that the gate should open within a reasonable time (here 11 time units) after being lowered, which can be model checked by the following Real-Time Maude command: Maude> (mc-tctl {init} |= AG((’RailroadSystem . ’Gate @ ’closed) implies AF[ (mc-tctl {init} |= A not (’RailroadSystem . ’Gate)@ ’closed U AG[
Page 1 and 2: Timed CTL Model Checking in Real-Ti
Page 15 and 16: π : πi : π ′ i : πj : π ′
Page 23 and 24: π : πi : π ′ i : πj : π ′
Page 33: Timed CTL Model Checking in Real-Ti

Timed CTL Model Checking in Real-Time Maude⋆ - IfI

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?