1.2. Theoretical and Conceptual Framework
1.2.4. Health Education
Let M = (S, R, L) be a Kripke structure. Assume that we want to determine which states in S satisfy the CTL formula f. The algorithm operates by labeling each state s with the set label(s) of subformulas of f that are true in s. Initially, label(s) is just L(s). Recall that any CTL formula can be expressed in terms of ¬, ∧, EX, EU and EG. Thus, it is sufficient to handle six cases, depending on whether the subformula g being processed is atomic or has one of the following forms: ¬f1, f1 ∧ f2, EX f1, E[f1 U f2], or EG f1. Subformulas are processed bottom-up, so when g is handled its immediate subformulas have already been labeled.
For a subformula of the form ¬f1, the procedure labels every state at which f1 was not established:
procedure CheckNegation(f1)
  for all s ∈ {s | f1 ∉ label(s)} do
    label(s) := label(s) ∪ {¬f1}
end procedure
For f1 ∧ f2 (conjunction, not disjunction), we proceed as follows:
procedure CheckConjunction(f1, f2)
  for all s ∈ {s | f1 ∈ label(s) ∧ f2 ∈ label(s)} do
    label(s) := label(s) ∪ {f1 ∧ f2}
end procedure
To handle a formula of the form g = E[f1 U f2], we first find all states that are labeled with f2. We then work backwards using the converse of the transition relation R and find all states that can reach one of them along a path in which every state (other than the final f2-state) is labeled with f1. All such states should be labeled with g.
In the following algorithm, we give a procedure CheckEU that adds E[f1 U f2] to label(s) for every s that satisfies E[f1 U f2], assuming that f1 and f2 have already been processed correctly, that is, for every state s, f1 ∈ label(s) iff M, s ⊨ f1 and f2 ∈ label(s) iff M, s ⊨ f2. Here R(t, s) means that there is a transition from t to s, so the loop over t enumerates the predecessors of s. This procedure
procedure CheckEU(f1, f2)
  T := {s | f2 ∈ label(s)};
  for all s ∈ T do label(s) := label(s) ∪ {E[f1 U f2]};
  while T ≠ ∅ do
    choose s ∈ T; T := T \ {s};
    for all t such that R(t, s) do
      if E[f1 U f2] ∉ label(t) and f1 ∈ label(t) then
        label(t) := label(t) ∪ {E[f1 U f2]};
        T := T ∪ {t};
      end if;
    end for all;
  end while;
end procedure
The case in which g = EG f1 is slightly more complicated. It is based on the decomposition of the graph into nontrivial strongly connected components. A strongly connected component (SCC) C is a maximal subgraph such that every node in C is reachable from every other node in C along a directed path entirely contained within C. C is nontrivial iff either it has more than one node or it contains a single node with a self-loop. (A trivial SCC cannot sustain an infinite path, which is why only nontrivial ones seed the EG computation.)
Let M' be obtained from M by deleting from S all of those states at which f1 does not hold and restricting R and L accordingly. Thus M' = (S', R', L') where S' = {s ∈ S | M, s ⊨ f1}, R' = R|S'×S', and L' = L|S'. Note that R' may not be total in this case. The states with no outgoing transitions may be eliminated, but this is not essential for the correctness of the algorithm. The algorithm depends on the following observation.
LEMMA 1. M, s ⊨ EG f1 iff the following two conditions are satisfied:
1. s ∈ S'
2. There exists a path in M' that leads from s to some node t in a nontrivial strongly connected component C of the graph (S', R').
Proof. Assume that M, s ⊨ EG f1. Clearly s ∈ S'. Let σ be an infinite path starting at s such that f1 holds at each state on σ. Since M is finite, it must be possible to write σ as σ = σ0 σ1 where σ0 is a finite initial segment and σ1 is an infinite suffix of σ with the property that each state on σ1 occurs infinitely often. Since f1 holds at every state of σ, σ0 is contained in S'. Let C be the set of states in σ1; C is also contained in S', and σ0 is a path in M' from s to a state of C. Let s1 and s2 be states in C. Pick some instance of s1 on σ1. By the way in which σ1 was selected, we know that there is an instance of s2 further along σ1. The segment from s1 to s2 lies entirely within C. This segment is a finite path from s1 to s2 in C. Thus, either C is a strongly connected component or it is contained within one, and that component is nontrivial because σ1 is infinite (it either visits more than one state or loops on a single state). In either case, both conditions (1) and (2) are satisfied.
procedure CheckEG(f1)
  S' := {s | f1 ∈ label(s)};
  SCC := {C | C is a nontrivial SCC of S'};
  T := ∪_{C ∈ SCC} {s | s ∈ C};
  for all s ∈ T do label(s) := label(s) ∪ {EG f1};
  while T ≠ ∅ do
    choose s ∈ T; T := T \ {s};
    for all t such that t ∈ S' and R(t, s) do
      if EG f1 ∉ label(t) then
        label(t) := label(t) ∪ {EG f1};
        T := T ∪ {t};
      end if;
    end for all;
  end while;
end procedure
We will illustrate the model checking algorithm for CTL on a small example that describes the behavior of a microwave oven. Figure 2.6 gives the Kripke structure for the oven. For clarity, each state is labeled with both the atomic propositions that are true in the state and the negations of the propositions that are false in the state. The labels on the arcs indicate the actions that cause transitions and are not part of the Kripke structure.
We check the CTL formula AG(Start → AF Heat), which is equivalent to the formula ¬EF(Start ∧ EG ¬Heat) (here, we use EF f as an abbreviation for E[true U f]). We start by computing the set of states that satisfy the atomic formulas and proceed to more complicated subformulas. Let S(g) denote the set of all states labeled by the subformula g. Note that, with a suitable data structure, the computation of S(p) for all p ∈ AP requires time O(|S| + |R|).
S(Start) = {2, 5, 6, 7}.
S(¬Heat) = {1, 2, 3, 5, 6}.
In order to compute S(EG ¬Heat) we first find the set of nontrivial strongly connected components in S' = S(¬Heat). SCC = {{1, 2, 3, 5}}. We proceed by setting T, the set of all states that should be labeled by EG ¬Heat, to be the union over the elements of SCC, that is, initially T = {1, 2, 3, 5}. No other state in S' can reach a state in T along a path in S' (state 6 leads only to state 7, which is outside S'). Thus, the computation terminates with
S(EG ¬Heat) = {1, 2, 3, 5}.
Next we compute
S(Start ∧ EG ¬Heat) = {2, 5}.
When computing S(EF(Start ∧ EG ¬Heat)), we start by setting T = S(Start ∧ EG ¬Heat). Next, we use the converse of the transition relation to label every state from which a state in T is reachable; since the left operand of the until is true, every predecessor qualifies. We get:
S(EF(Start ∧ EG ¬Heat)) = {1, 2, 3, 4, 5, 6, 7}.
Finally, we compute that
S(¬EF(Start ∧ EG ¬Heat)) = ∅.
Since the initial state 1 is not contained in this set, we conclude that the system described by the Kripke structure does not satisfy the given specification.
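The procedures CheckEU and CheckEG above, and the microwave-oven computation just carried out, as one runnable example added here (this is not code from the original text). Formulas are plain tuples (("ap", p), ("not", f), ("and", f, g), ("EX", f), ("EU", f, g), ("EG", f), ("true",)); the function names, the Kripke class and the worklist structure are this example's own choices; nontrivial SCCs are found with Tarjan's algorithm, which the text does not prescribe. The state labels are the ones from Figure 2.6 (positive propositions only), but the arc endpoints are not recoverable from the page, so the transition relation is an assumption following the standard microwave-oven example.

```python
# Added example: explicit-state CTL labeling (CheckEU / CheckEG) run on the
# microwave oven. Transition relation below is ASSUMED (page lists only arc names).
from collections import deque


class Kripke:
    """Finite Kripke structure M = (S, R, L) with predecessor lists (converse of R)."""

    def __init__(self, states, trans, labels):
        self.S = frozenset(states)
        self.L = {s: frozenset(labels.get(s, ())) for s in states}
        self.succ = {s: set() for s in states}
        self.pred = {s: set() for s in states}
        for s, t in trans:          # (s, t) means R(s, t): a transition s -> t
            self.succ[s].add(t)
            self.pred[t].add(s)


def backward_closure(m, seeds, allowed):
    """Worklist walk over the converse of R: every state in `allowed` that reaches a
    seed along a path whose intermediate states all lie in `allowed` gets labeled."""
    labeled, work = set(seeds), deque(seeds)
    while work:
        s = work.pop()
        for t in m.pred[s]:
            if t in allowed and t not in labeled:
                labeled.add(t)
                work.append(t)
    return labeled


def nontrivial_sccs(nodes, succ):
    """Tarjan's algorithm on the subgraph induced by `nodes`, keeping only components
    with more than one node or a self-loop. Recursive; fine for small models."""
    index, low, on_stack, stack, sccs, nxt = {}, {}, set(), [], [], [0]

    def visit(v):
        index[v] = low[v] = nxt[0]
        nxt[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:       # v is the root of a component: pop it off
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            if len(comp) > 1 or v in succ[v]:
                sccs.append(frozenset(comp))

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return sccs


def sat(m, f):
    """Bottom-up labeling: returns S(f), the set of states of m satisfying f."""
    op = f[0]
    if op == "true":
        return set(m.S)
    if op == "ap":
        return {s for s in m.S if f[1] in m.L[s]}
    if op == "not":
        return set(m.S) - sat(m, f[1])
    if op == "and":
        return sat(m, f[1]) & sat(m, f[2])
    if op == "EX":
        f1 = sat(m, f[1])
        return {s for s in m.S if m.succ[s] & f1}
    if op == "EU":                   # CheckEU: seed with S(f2), walk back through S(f1)
        return backward_closure(m, sat(m, f[2]), sat(m, f[1]))
    if op == "EG":                   # CheckEG: seed with nontrivial SCCs of S' = S(f1)
        s_prime = sat(m, f[1])
        seeds = set().union(*nontrivial_sccs(s_prime, m.succ))
        return backward_closure(m, seeds, s_prime)
    raise ValueError(f"unknown operator {op!r}")


def EF(f):
    return ("EU", ("true",), f)      # EF f abbreviates E[true U f]


def microwave():
    """Figure 2.6 state labels (positive propositions); arcs are an assumption."""
    labels = {1: set(), 2: {"Start", "Error"}, 3: {"Close"}, 4: {"Close", "Heat"},
              5: {"Start", "Close", "Error"}, 6: {"Start", "Close"},
              7: {"Start", "Close", "Heat"}}
    trans = [(1, 2), (1, 3), (2, 5), (3, 1), (3, 6), (4, 1), (4, 3), (4, 4),
             (5, 2), (5, 3), (6, 7), (7, 4)]
    return Kripke(list(labels), trans, labels)


def check_oven():
    """AG(Start -> AF Heat) checked as ¬EF(Start ∧ EG ¬Heat); returns each stage."""
    m = microwave()
    bad = ("and", ("ap", "Start"), ("EG", ("not", ("ap", "Heat"))))
    eg_not_heat = sat(m, ("EG", ("not", ("ap", "Heat"))))
    ef_bad = sat(m, EF(bad))
    spec = set(m.S) - ef_bad
    return {"EG~Heat": eg_not_heat, "Start&EG~Heat": sat(m, bad),
            "EF(...)": ef_bad, "spec": spec, "initial_state_ok": 1 in spec}


if __name__ == "__main__":
    for name, value in check_oven().items():
        print(name, sorted(value) if isinstance(value, set) else value)
```

Running it reproduces the sets computed in the text: S(EG ¬Heat) = {1, 2, 3, 5}, S(Start ∧ EG ¬Heat) = {2, 5}, S(EF(...)) = all seven states and an empty set for the negation, so the initial state fails the specification. The SCC step is what makes EG sound: seeding only from nontrivial components is why state 6, which satisfies ¬Heat but can only move to state 7, is correctly left unlabeled.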
Figure 2.6 (recovered from the figure residue): state labels of the oven's Kripke structure.
state 1: ¬Start, ¬Close, ¬Heat, ¬Error
state 2: Start, ¬Close, ¬Heat, Error
state 3: ¬Start, Close, ¬Heat, ¬Error
state 4: ¬Start, Close, Heat, ¬Error
state 5: Start, Close, ¬Heat, Error
state 6: Start, Close, ¬Heat, ¬Error
state 7: Start, Close, Heat, ¬Error
Arc labels (actions, not part of the Kripke structure): start oven, open door, close door, start cooking, warmup, reset, done, cook.