状态机smv 线性时序逻辑(LTL) 分支时序逻辑(CTL)

系统结构 smv_parser,对smv_parser的结果进行分析

突发性wet，比如水泼了

  -> State: 33.7 <-homePresentState = presentruninfan12.timer = 1runinfan27.timer = 2runinfan61.timer = 3runinalarm.timer = 3-> State: 33.8 <-homewater.waterSensor.water = wetfan.switchCap.switch = offruninfan12.timer = 0delayfan12 = 0runinfan27.timer = 1runinfan61.timer = 2runinalarm.timer = 2-> State: 33.9 <-homePresent.presenceSensor.presence = not_presenthomewater.waterSensor.water = dryfan.switchCap.switch = onhomewaterState = wetruninfan27.timer = 0delayfan27 = 0runinfan61.timer = 1runinalarm.timer = 1

对目前状态机的更改问题

实际的运行状态 ⊆ 目前的状态机
1.补全了next
2.加入了对smoke、alarm
如果不加，判断条件就不能是smoke只能是runinfan61.timer=1 & fan.switchCap.switch=on
3.case顺序调换，delay是肯定调后的，状态中runin的调后目前不确定

调换后delayfan修正了，runin虽然没修正但也正常

  -> State: 1.22 <-homePresent.presenceSensor.presence = presenthomewater.waterSensor.water = wetfan.switchCap.switch = offruninfan12.timer = 1runinfan27.timer = 0delayfan27 = 0runinfan61.timer = 2-> State: 1.23 <-homePresent.presenceSensor.presence = not_presenthomewater.waterSensor.water = dryfan.switchCap.switch = onhomePresentState = presenthomewaterState = wetruninfan12.timer = 0delayfan27 = 4runinfan61.timer = 1-> State: 1.24 <-fan.switchCap.switch = offhomePresentState = not_presenthomewaterState = dryruninfan12.timer = 4runinfan27.timer = 4runinfan61.timer = 0delayfan61 = 0

问题：hold / is true

LTL和CTL的选择问题

快是因为复杂度原因
CTL property不能用LTL替换，比如某些情况是子树，包含多个路径
EF AG这种分析包含多个路径的子树的，只能用CTL，如果最简单的ltl逻辑enough for our purpose，只用ltl就行了

维基上更清楚
https://en.wikipedia.org/wiki/Linear_temporal_logic#Weak_until_and_strong_release

G ((runinfan61.timer = 2 & fan.switchCap.switch = off) -> !( F (runinfan61.timer = 2 & fan.switchCap.switch = on)))

G ((runinfan61.timer = 2 & fan.switchCap.switch = off) -> F (runinfan61.timer = 1 & fan.switchCap.switch = on))，只要找到F不为(runinfan61.timer = 1 & fan.switchCap.switch = on)的就是false，并不能满足我们的需求
!(上式)会出现timer=2并且为on

G,F限制区间问题，read always followed by green or yellow
G(color.red->X(color.green 或 yellow)) ->有当前、未来一步和未来之意？

p->q等价于非p或q
φ ↔ ψ ≡ (φ → ψ) ∧ ( ψ → φ)
->和->F有区别
一个判断当前和后续，一个只判断未后续状态
!一般用于取具体的例子

!G不等于G!
G! (runinfan61.timer=2 & fan.switchCap.switch = off) 全局的每一个状态存在! (runinfan61.timer=2 & fan.switchCap.switch = off)
等价于 !F(runinfan61.timer=2 & fan.switchCap.switch = off)

AutoTap : If @raining while @ rain.off and window.open , then window.close
check_ltlspec -p “G((weather.rain=raining)->!F(window.switch=close))” 基于下一步才变

– Loop starts here
-> State: 1.1 <-
window.switch = open
weather.rain = raining
rain.config = raining
-> State: 1.2 <-
bounded model check就可以避开初始冲突

Trace Type: Counterexample
-> State: 1.1 <-
window.switch = open
weather.rain = not_raining
-> State: 1.2 <-
weather.rain = raining
– Loop starts here
-> State: 1.3 <-
weather.rain = not_raining
-> State: 1.4 <-

Trace Type: Counterexample
-> State: 3.1 <-
window.switch = open
weather.rain = not_raining
step = 1
-> State: 3.2 <-
weather.rain = raining
step = 2
-> State: 3.3 <-
window.switch = close
step = 3
– Loop starts here
-> State: 3.4 <-
window.switch = open
-> State: 3.5 <-
window.switch = close
-> State: 3.6 <-
window.switch = open

MODULE mainVARwindow.switch:{open, close, uncertain};weather.rain:{raining,not_raining};ASSIGNinit(weather.rain):=not_raining;--防止第一次,对没有TAP规则的要注意单独处理一下--init(window.switch):=close;next(window.switch):=window.switch;

5种数排列120种

MODULE mainVARwindow.switch:{open, close, uncertain};weather.rain:{raining,not_raining};step:1..3;--rain.config:{raining,not_raining};ASSIGNinit(weather.rain):=not_raining;next(weather.rain):=casestep = 2:raining;TRUE:{raining,not_raining};esac;init(step):=1;next(step):=casestep != 3: step+1;TRUE:step;esac;init(window.switch):=open;next(window.switch):=casestep = 1:open;weather.rain = raining:{open, close, uncertain};TRUE: window.switch;esac unioncasestep = 1:open;weather.rain = not_raining:{open, close, uncertain};TRUE: window.switch;esac;--check_ltlspec -p "G((weather.rain=raining)->!F(window.switch=close))"

MODULE mainVARwindow.switch:{open, close, uncertain};weather.rain:{raining,not_raining};ASSIGNinit(weather.rain):=not_raining;next(weather.rain):=caseTRUE:{raining,not_raining};esac;init(window.switch):=open;next(window.switch):=caseweather.rain = raining:close;TRUE: window.switch;esac;

MODULE mainVARwindow.switch:{open, close, uncertain};window.switch_old:{open, close, uncertain};window.certain:boolean;temperature:0..10;humidity:10..20;flag_open:0..1;flag_close:0..1;ASSIGNinit(temperature) := 5;init(humidity) := 10;init(window.switch) := close;next(window.switch):=casenext(flag_open)=1 & next(flag_close)=1:uncertain;temperature < 5: close;TRUE:window.switch;esac unioncasenext(flag_open)=1 & next(flag_close)=1:uncertain;humidity > 15 : open;TRUE:window.switch;esac;init(window.switch_old) := close;next(window.switch_old) := window.switch;init(flag_open) := 0;next(flag_open):=casetemperature < 5: 1;TRUE:0;esac;init(flag_close) := 0;next(flag_close):=casehumidity > 15: 1;TRUE:0;esac;init(window.certain) := TRUE;next(window.certain):=casenext(flag_open) = 1 & next(flag_close) = 1: FALSE;TRUE:TRUE;esac;-- check_ltlspec -p "G(window.certain=TRUE)"

该路径没有LOOPS
Trace Type: Counterexample-- Loop starts here-> State: 1.1 <-window.switch = closewindow.switch_old = closewindow.certain = TRUEtemperature = 5humidity = 10flag_open = 0flag_close = 0-> State: 1.2 <-temperature = 3humidity = 17-> State: 1.3 <-window.switch = uncertainwindow.certain = FALSEtemperature = 0humidity = 10flag_open = 1flag_close = 1-> State: 1.4 <-window.switch = closewindow.switch_old = uncertainwindow.certain = TRUEtemperature = 7humidity = 13flag_close = 0-> State: 1.5 <-window.switch_old = closetemperature = 5humidity = 10flag_open = 0

MODULE mainVARwindow.switch:{open, close, uncertain};window.switch_old:{open, close, uncertain};window.certain:boolean;temperature:0..10;t1:0..10;humidity:10..20;h1:10..20;flag_open:0..1;flag_close:0..1;step:1..3;ASSIGNinit(temperature) := 5;next(temperature):=casestep = 1: 3;TRUE:0..10;esac;init(humidity) := 10;next(humidity):=casestep = 1: 17;TRUE:10..20;esac;--等于配置初始值init(t1) := 5;--第一次变化之后保持不变，防止生成过多无效空间next(t1):=casestep = 1: 1..10;TRUE:t1;esac;    init(h1) := 15;  next(h1):=casestep = 1: 10..19;TRUE:h1;esac;   init(step):=1;next(step):=casestep != 3: step+1;TRUE:step;esac;init(window.switch) := close;next(window.switch):=casenext(flag_open)=1 & next(flag_close)=1:uncertain;temperature < t1: close;TRUE:window.switch;esac unioncasenext(flag_open)=1 & next(flag_close)=1:uncertain;humidity > h1: open;TRUE:window.switch;esac;init(window.switch_old) := close;next(window.switch_old) := window.switch;init(flag_open) := 0;next(flag_open):=casetemperature < t1: 1;TRUE:0;esac;init(flag_close) := 0;next(flag_close):=casehumidity > h1: 1;TRUE:0;esac;init(window.certain) := TRUE;next(window.certain):=casenext(flag_open) = 1 & next(flag_close) = 1: FALSE;TRUE:TRUE;esac;-- check_ltlspec -p "G(window.certain=TRUE)"

Trace Type: Counterexample-> State: 1.1 <-window.switch = closewindow.switch_old = closewindow.certain = TRUEtemperature = 5t1 = 5humidity = 10h1 = 15flag_open = 0flag_close = 0step = 1-> State: 1.2 <-temperature = 3t1 = 1humidity = 17h1 = 11step = 2-- Loop starts here-> State: 1.3 <-temperature = 0humidity = 10flag_close = 1step = 3-> State: 1.4 <-temperature = 1humidity = 12flag_open = 1flag_close = 0-> State: 1.5 <-temperature = 0humidity = 10flag_open = 0flag_close = 1

反例

一、线性时序逻辑(LTL)

X,U是temporal operator，不指precise time
W(weak until) (ψ U φ) ∨ G ψ 多了个G ψ
F sometimes
FG infinitely often
Realse ψ R φ。φ保持为真，直到ψ变为真（包括为真的地方）。如果ψ不会为真，则φ一直为真

the syntax of LTL
之前都是看the first letter就行
X可以看the rest of word
X(X(p2))
X(p1Up2) 在下一状态，p1Up1 = true?和p1Up2的区别是起始位置不同
X(X(p1UX(p2)))

p1 until p2 ，找到p2为true的第一个地方，在那个地方前p1 is true

true每个点都满足意味着没约束，true U p1 在某个p1为true的地方
true U ¬p1 在某个p1为flase的地方
¬(true U ¬p1)意味着无法找到某个p1为flase的地方，everywhere p1 is true

∅1→∅2 如果∅1，那么∅2

i can’t(¬) reach F(¬∅) sometime
G§:p is True in every state

每处F(∅)为true

LTL本身的定义和在状态机中的体现

AP-INF是所有可能，property ∅是AP-INF的一个子集，Words(∅):AP-INF中满足∅的words

一个是对符号的拆分一个是satisfy ∅，对复杂的直接把∅替换为一坨

words(∅) = σ

狼羊过河问题

planning problem:find a path to the goal state


check !∅，如果有反例是满足∅的

MODULE main
VARman:boolean;goat:boolean;wolf:boolean;cabbage:boolean;carry:{g,w,c,0};
ASSIGNinit(man) := FALSE;init(goat) := FALSE;init(wolf) := FALSE;init(cabbage) := FALSE;init(carry) := 0;--man要么在左边要么在右边next(man) := {TRUE,FALSE};--man和其它同值则可以搬运，且一次可以搬运的选项是非确定性(non-deterministic),esac union 提供了next value的non-deterministic choice-- carry并不是实际的，只是提供了一种选项（choose to do），因为可以呆在原地不变next(carry) :=  caseman = goat:g;-- 确保condition exhaustedTRUE:carry;esac unioncaseman = wolf:w;TRUE:carry;esac unioncaseman = cabbage:c;TRUE:carry;esac union 0;next(goat):= 	case-- 如果goat被carry，那么反置值表示达到另一岸--next(carry) = g:!goat;-- carry = goat但man可能呆在同一岸，随着人的位置而变化next(carry) = g:next(man);TRUE:goat;esacnext(wolf):=next(cabbage):=nextLTLSPEC
!( ((goat = cabbage | goat = wolf)->man = goat) U (man & cabbage & goat & wolf) )

nusmv test.smv

trace相关的p94 - 100

4个变量和转化为可达性问题（全0到全1）

二、分支时序逻辑(CTL)

每个node可以是{p1}{p2}{p1,p2}，如switch=ff & present = off

LTL讨论path的property
CTL讨论tree的property，一个状态机可以表示为一颗树，初始状态是根节点

E

红点并不是node，而是该node有对应的ap

A

两个符号E代表Exist，Exist a path 满足∅，A代表all path满足∅，E(F(A(G(∅))))，某个子树满足A(∅)

E mix with A

CTL*

state formulae
path formulae

LTL CTL* CTL的关系

如果系统满足LTL，则对应的树满足A(∅)，LTL属于CTL的一部分
CTL property不能用LTL替换，比如某些情况是子树，包含多个路径
LTL不能用CTL实现，CTL也不能用LTL实现

如果最简单的ltl逻辑enough for our purpose，只用ltl就行了

CTL是CTL*限制后的

LTL CTL*的转换

如果G (runinfan61.timer=2 & fan.switchCap.switch = off)，如果等于初始0，找到反例并不能说明冲突存在
–LTLSPEC G! (runinfan61.timer=2 & fan.switchCap.switch = off)
如果找到反例则说明这种情况存在