model-checking

How to model a transition system with SPIN

穿精又带淫゛_ submitted on 2019-12-24 00:42:45
Question: I am new to SPIN. I want to check whether a transition system satisfies a given LTL property, but I don't know how to model a transition system in Promela. For example, the transition system shown below has two states, and the initial state is s0. How do I check whether the LTL property <>q is satisfied? Does anybody know how to describe this problem in Promela? By the way, how do I use the next operator of LTL in SPIN? Answer 1: You can model your automaton by using labels, atomic blocks and gotos:

Modeling a completely connected graph in Alloy

安稳与你 submitted on 2019-12-23 20:13:18
Question: I'm trying to get my feet wet with Alloy (I'm also relatively new to formal logic), and I'm trying to start with a completely connected graph of nodes.
sig Node { adj : set Node }
fact {
  adj = ~adj                       -- symmetrical
  no iden & adj                    -- no loops
  all n : Node | Node in n.*adj    -- connected
}
pred ex { }
run ex for exactly 3 Node
As you can see from the image, Nodes 0 and 1 aren't connected. I thought that my fact was enough to make it completely connected... but perhaps I missed something. Answer 1:

How to print all states in Promela/SPIN

血红的双手。 submitted on 2019-12-22 01:36:13
Question: I would like to print all states when checking my model. We do get a trail file when an assertion violation occurs, but I want to see the states even when there are no assertion violations. How can I do that? Answer 1: One option is to compile pan with the gcc flag -DVERBOSE and watch the full details of the verification run. Of course the run will take a while and will spit out excessive output, but you will see all the states as they are visited (the format is not very easy to read, but may

How to transform LTL into Automata in Promela - SPIN?

拜拜、爱过 submitted on 2019-12-20 02:54:50
Question: How can I transform LTL into automata in Promela? I know that with the command spin -f "ltl x" it is possible to transform the LTL into a never claim, but I want the automaton of the LTL and not the negated one. Is it correct if I negate the LTL before generating the never claim? Can anyone help me? Answer 1: Spin generates the Promela code equivalent to the Büchi automaton which matches the LTL formula, and wraps it in a never block. From the docs: NAME never - declaration of a temporal claim

implement symbolic execution without model-checking

血红的双手。 submitted on 2019-12-19 10:44:16
Question: How can I implement symbolic execution for a particular language without using model checking and finite state machines (FSMs), i.e. not like Java PathFinder? I need details about it. For example, in what language can I implement this symbolic execution, and what other things do I need to know? Answer 1: You need: a parser for the language to be symbolically executed that can build ASTs; name resolution (and associated symbol tables), so when your execution engine encounters an identifier it can

All possible Knight moving on a chessboard in promela

久未见 submitted on 2019-12-12 19:09:55
Question: Is it possible to traverse a chessboard of size N × N with a knight from the initial position (I, J), visiting each square only once?
#define A[] = True;
A[I,J] = false;
active proctype method(){
  bit I=4; bit J=3; bit K=1; bit N=8;
  do
  ::I>2 && J<N && A[I-2,J+1] -> I=I-2;J=J+1; A[I,J]=False; K++; printf("i %d j %d \n", I, J);
  ::I>2 && J>1 && A[I-2,J-1] -> I=I-2;J=J-1; A[I,J]=False; K++; printf("i %d j %d \n", I, J);
  ::I<N && J>1 && A[I+1,J-2] -> I=I+1;J=J-2; A[I,J]=False; K++; printf("i %d j

Employing NuSMV as a model checker in java

和自甴很熟 submitted on 2019-12-12 18:00:28
Question: I'm trying to use NuSMV as a model checker in Java. However, I'm not able to find the related JAR library online. The only one I've found is provided here, and its download link doesn't work anymore. Apparently the library exists, but the access link is not working. Does anyone know how I can access the NuSMV Java API library, or know of any alternative way? Answer 1: Here is a working download link for nusmv-tools, which is from the same author and includes the Java front-end you were talking

Bug in NuSMV Model Checking?

梦想与她 submitted on 2019-12-12 02:22:38
Question: Suppose I have the following structure M = (S, R, L), where S = {s0, s1, s2} is the set of possible states, R is a transition relation such that s0 -> s1, s0 -> s2, s1 -> s0, s1 -> s2, and s2 -> s2, and L is the labeling function for each state, defined by L(s0) = {p, q}, L(s1) = {q, r}, and L(s2) = {r}. I am using the notation described in the textbook Logic in Computer Science by Huth and Ryan. Clearly, from such a model, X r is satisfied in s0 (the initial state), since r is satisfied in s1 and

How can I change these into CTL SPEC in a NuSMV model?

随声附和 submitted on 2019-12-11 12:59:28
Question: I need help writing these CTL specs. I don't really understand how to write in NuSMV format yet; hopefully my code will make sense to you, since it is incomplete at the moment.
2) If a process is waiting, it will eventually get to its critical section.
3) The two processes must 'take turns' entering the critical section.
4) It is possible for one process to get into the critical section twice in succession (before the other process does).
5) Successive entries into a critical section by process 1 will be separated

How to use NuSMV to witness the man-in-the-middle attack (Needham-Schroeder protocol)?

ぃ、小莉子 submitted on 2019-12-11 10:32:32
Question: I have the following simplified public-key Needham-Schroeder protocol:
(1) A → B: {Na, A} Kb
(2) B → A: {Na, Nb} Ka
(3) A → B: {Nb} Kb
where Na, Nb are the nonces of A, B, and Ka, Kb are the public keys of A, B respectively. Messages encrypted with a party's public key can only be decrypted by that party. At Step (1), A initiates the protocol by sending a nonce and its identity (encrypted with B's public key) to B. Using its private key, B deciphers the message and gets A's identity. At Step (2), B