Верификация автоматных программ

-
. . , . . ,
. . , . .
-
2011
:
. ., . . , ,
-

. ., . . , ,
-

004.42
. ., . ., . ., . .
. , 2011. 242 .

. ,

.

.
, .
,

, .
.

, , ,
,
,
, , .

, , .

2009
,
12 ,

.

,
20092018 .
-
, , 2011
. ., . ., . ., . ., 2011

....................................................................................... 5
1. ........................................................ 8
1.1. ............................................................. 8
1.2. ..................................................................................... 12
1.3. ................................................................................. 12
1.4. ......................................................... 15
1.5. ........................................................................ 21
1.6. ................................. 26
2. . 29
2.1. ............................................................ 29
2.2. ..... 34
2.2.1. LTL ................................................................................. 35
2.2.2. LTL................................................................................. 37
2.2.3. ............................................................................... 42
2.2.4. LTL .............................................................................. 45
2.2.5. LTL ........................................................ 46
2.2.6. LTL............................................................. 50
2.2.7. LTL ......................... 62
2.3. . 72
2.3.1. CTL ................................................................................. 73
2.3.2. CTL ................................................................................ 75
2.3.3. CTL ................................................................ 80
2.3.4. CTL, CTL* LTL ...................... 82
2.3.5. CTL ........................................................ 88
2.3.6. CTL ..................................................... 89
2.3.7. CTL CTL* ............................................... 91
2.4. ........................................................ 99
2.4.1. ............................................................. 100
2.4.2. ............................................... 104
2.5.
................................................................................................ 106
2.5.1. ..................................................................... 109
2.5.2. ................................................. 115
2.5.3. TCTL ............................................................................ 120
2.5.4. TCTL ............................................................................ 122
2.5.5. TCTL ................................ 125
2.5.6. ................................................ 127
2.5.7. ...................................................................... 134

2.5.8. ............................. 138
2.6. ................................................................................... 145

3. ............................................. 150
3.1. SPIN ............................................................................................... 150
3.2. SMV ............................................................................................... 161
4. .................... 169
4.1. ........................................................... 169
4.2. ............................................... 174
4.3. ......................................... 178
4.3.1. ......................................................................... 182
4.3.2. ........................................ 183
4.4. , ..... 186

4.4.1. Converter ......................................................................................... 186
4.4.2. Unimod.Verifier ............................................................................... 190
4.4.3. FSM Verifier .................................................................................... 198
4.5. .................................................... 205

4.5.1. CTL Verifier ..................................................................................... 205
4.5.2. Automata Verificator ....................................................................... 223
............................................................................... 227
.................................................................. 231
.......................................................... 240

(
)
( ,
, , ,
. .)
. 1995 . ,
25 ,
. , 20 %
,
.

.
, ,

, . ,
. ,
, , ,
, .
,
, , .
,
,
,
.
. ,
Intel Pentium
500 .
Ariane-5, , ,
.
(
, )
.
.

,
.
,
( )
.
,
, .
5
,

,
, , ,
, .

,
, ,
. .
,
.

.
, ,
.

. ,

.

,
.

(model checking). ,

,
( ),
.
, .

. , Intel

.
, :

.

,
.
6

, , , .
.
.

.
,
.

,
,
.
.
,
.
:
,
.
,
.

.

.
.
,

. [1].
,
[2].
,
,
, ,
, ,

.
(, ),
,
, .
()
()
.
.

, ,

.
,
,

. , ,
, .

,
,

-
20072012
-
-
-
.
-
, ( ).

: , ,
, , ,
.
. .
.
. .
1.
1.1.

, , , ,
.
8
,
.

, ,
, .
, ,
.
,
( ) .
, ,

.
?
,

. ,
, .
. 1.1 [1].
. 1.1.
,
? ,
: , ,
,
, ,
. .
,
,
.
. 1.2.
...
. 1.2.
, ,
, , :
.
, 80%
,
,
.

. ,
.
:
,
. . ,

( 1,1 ).

,
, ,

[1, 3, 4]. , ,
,
,
.

,
.

, .
,
.

,
.
:
( ).
10
,
, , .

. [5]
.
, ,
.
,
,
. . ,
,
, .

, . .
, ,
,
.
.
,
.
,
.

.

.
.

,
,
(, )
.
,
,
.

.
11
1.2.
,
. ,
( )

.
, .
, ,
, , .
, ,
.
,
( ).
1.3.
,
[6].
,
(, ).
,
, . ,
.
, .
,
, .
,
,
.

, . .
, ,
.
, ,
,
, .
, , , :
;

(, );
.
12
, .
,
. , ,
.
,

[7].
:
1. .

.
2. .
.
3.
.
4. .

.
.
5.
.
,
.

, .
,
, ,
. :
,
(),
[8].
,
.
-

.
.
1. (Unit tests). ,
. .
, .
13
2. . ,
.
.
3. . , ,
.
4. -.
.
5. (monkey test).
,
.
.
.
6. . ,
, .
7. . .
, .
(Test-driven development)

(test-driven development TDD) [9].
, TDD .
,
:
1. .
2. . .
, , ,
.
3. .
4. . .
5. . ,
.
6. . .
7. ( ).

.
,
, - [9] (mocks).
.
14
[10].
- (RhinoMock,
NMock, JMock .).
:
, ;
,
.
1.4.

, .

[11]. ,
()
, ()
.
,
.
,
.
,
,

.
:
, ,
,
. ., ,
, .

.
, ,
.
, ,
,
.
15

[1, 12],

. , .
-
.
, , :
::= p | | ( ).
p (, x 2),
, .
: = ( ),
true = , false = true = .
.

( ),
( ). -
,
, ,
.

.
().
:
{} S {}.
, S , .
{} S {} [13]

.
,
.
{} S {} ,
S, ,
, ,
.
{} S {} ,
S, , ,
,
.
16
,
S,
, .
, .

,
.
:
S ::= skip | x := E | S; S | if B then S else S fi | while B do S od.
skip , x := E E
x (, x E ), S; S
. ,
(B ).
:
, , ,
. true
. .

. 1.1.
1.1.

skip
skip
x : k x : k
S1 , S2
S1; S2
B S1 , B S2
if B then S1 else S2 fi
B S
while B do S od B
' , ' S ' , '

S
skip, ,
: , ,
.
,
[x := k].
17
, x
k. ,
{k2 k = y} x := k {x2 x = y}.
,

,
.

, S1
S2.
B,
, : S1 S2.
. ,
while B do S od,

S. ,
.

. ,
.
,
.
,
.

. .
, -
. , ,
' .
.
. 1.1 ,
(
)
,
B S , B n N S n N , n 0
.
while B do S od B
18
N , B, n S.
, N
n, n ,
.
, n
n 0. n
.

S1 S2 S1 || S2
.

:
S1 , ' S2 '
' S1 || S2 ' .

, ,
. S1 S2
,
, , .
[14].
, .

. , ,

, -
, .
, S1 x := x + 2, S2 x := x + 1; x := x + 1 S3
x := 0, x S1 || S3 0 2,
x S2 || S3 0, 1 2.
x S1 S3
S2 S3. , , -
S1 S2 ( x 2),
, .

, .
,
,
.
, . ,

, .
19

,
, ,
.

.
,
, (
).

.

.

,
,
(
) , .

.
( ,
). ,
, ,
.

,

,
(- ) ,
. , ,
(
), .

P ,
,
- .

,
, .
U (until) G (globally) ,
( , , ).
20
U ,
, ,
, G , ,
. ,
, ,
:
G [sndP(m) sndP(nxt(m)) U rcvP(ack)].
, m P,
nxt(m),
.
, ,
( ,
),
. .
[15, 16].

.
,
,
( )
,
.
, ,
, :
,
.

, , ,
,
. .
1.5.
, (model
checking) [1, 17, 18], ,
, .

( )
( ), .
, ()
21
.
,
. ,
1.
,
. ,

( ,
)
. . 1.3.

( )

( )
. 1.3.

:
,
.
. ,
1

, , ,
. , ,
.
22
, ,
( ).

, ,
.
,
. , ,
,
: , .
.
,
[19].
,

, ,
.

.

, .

,
,
:
.

( ).
,

, ,
.
,
.
. ,

(),
( ).

,
23
.
,
(
),
.

,
,
.
. A
B, , A, B.
,
( )
( ).
, ,
.
:
,
. ,
.
, , ,
CTL,
.
:
(
), (
).
,
, ,
,
.
[20].
,
,
.

.
,
, ,
, . .
24
:

.
,
,
,
.

, .

. ,
,

.

, , , ,

.
:
,
, , ,
.
,
.
,

.

, . ,
, ,
(
,
). ,

, .
(
)
25
).
,
. ,
,

.

.
[21]. ,
, ,
,

.
, ,
,
.

. ,
,
.

,

. , ,
,

.
[17].
,
[2]
.
1.6.

,
. ,
, , ,
. ,
26
, .
, , ,
,
. ,
, .

.
,
.
. ,
.
,
.
.
,
,

.
,
, ,
. ,
. ,
,
.
(,
),
.

. ,
.
,
,
.
,
.
.
f(t1, , tn), f
n ti .
0. P(t1, , tn), P
n, ti .
,
,
27
.
,
( x int).

,
, .
.

.
, ,
(, 1 2
1 2),
(,
,
).
,

.

, .
, , .
,
, . ,
,
. ,
,
.
,
n
n.
.

.

.

:
.

.
28
,
.

,

,
. , -
,
.

, , .

,
.
()
.
,
.
,
( ) .

.

.
,
. ,
.
2.

2.1.
,
, . ,
.
,
. model
checking , ,
29
,
. ,
,
. ,
,
, ,
, .

[17].
-,
,
.
,
.

.

[17] ,
, .
.
.

( ) ,
.
, .
AP.
x 0 x 1
x.
. ,

x, y, , 0, 1, 2, , max, gcd, x = 2,
x mod 2 = 0, ; max(x, y) 3 x = y.
AP,
.
, AP ,
,
.

. - , ,
AP ,
, ,
30
, , ,
.
( )
AP (S, R, Label),
S ;
R S S S,
s S ;
Label: S 2AP s S
Label(s), s.
R S S ,
s S
(s S: s' S: (s, s') R).
,
S0 S.
s0
= s0 s1 s2 , i 0
R(si, si+1).

,
.
V = {v1, v2, , vn}
. model checking
, ,

D.
V , v V
D.
,
s: V D.
, ,
.
, V = {v1, v2, v3}, D = {1, 2, 3} s
(v1 = 1, v2 = 2, v3 = 3).
: (v1 = 1) (v2 = 2) (v3 = 3).

, :

,
31
. ,
S0(v1, v2, , vn).
.
V' = {v1', v2', , vn'}. v

, v'
. V V'.
R(V, V'),
, V V'
.

.
v = d s , s(v) = d.

.
1.
V.
2.
s: V D, S0(s)
.
3. .
s1 s2 ,
R(s1, s2) .
,
sk,
, : R(sk, sk) = true.
4. Label: S 2AP , Label(s)
, s.
, s(vk) = dk,
(vk = dk) Label(s).

, [17].
x y,
D = {0, 1},
x := x + y (mod 2).
.
:
S0(x, y) = (x = 1) (y = 1),
:
32
R(x, y, x', y') = (x' = x + y (mod 2)) (y' = y).

:
1. S = {0, 1} {0, 1};
2. S0 = {(1, 1)};
3. R = {((0, 0), (0, 0)); ((0, 1), (1, 1)); ((1, 0), (1, 0)); ((1, 1), (0, 1))};
4. L((0, 0)) = {x = 0, y = 0},
L((0, 1)) = {x = 0, y = 1},
L((1, 0)) = {x = 1, y = 0},
L((1, 1)) = {x = 1, y = 1}.

.
.
,
.
,
,
.
,
,
. ,
.
[17].
x, y ,
:
: x := x + y,
: y := y + x.
x = 1 y = 2.
,
:
0: load R1, x
0: load R2, y
1: add R1, y
1: add R2, x
2: store R1, x
2: store R2, y
, ,
x = 3 y = 5.
,
x = 4 y = 3. :
33
0, 0, 1, 1, 2, 2, ,
x = 3 y = 3.
x = 3 y = 3 ,
, .
, ,
.
.
,
, .
, ,
0, 0, 1, 1, 2, 2.
, .

, , ,
.
2.2.

. ,
.

,
, .
,
.

.
, ,
- .
.

.
, ,
:
(,
). ,
.
(, ). ,
.
34
, :
,
.

.
,
.
, [15].

.
,
.
1.
.
2.
, ,
.

, .

. [1].
2.2.1. LTL
,

(LTL linear temporal logic).
AP . :
1. p p AP.
2. , .
3. , .
4. , X .
5. , U .
, ,
LTL.
, ,
,
. , ,
35
LTL.
X (neXt) U (Until).
LTL -.
p AP LTL- :
::= p | | ( ) | X | ( U ).
(), ()
() :
= ( ),
= ,
= ( ) ( ).
true , false true.
G (Globally, ) F (Future, -)
:
F = true U ,
G = F .
true , F
, -
. , ,
. .
G . F , G
. F G.
, ,
(X, F, G, U) ,
X , G
, F , U
,
.

. ,
, . ,
U F () U (F ). U
, ,
.
,
(() ) U ((X ) (F ))
:
( ) U (X F ).
36
. AP = {x = 1, x < 2, x 3}
. LTL- X(x = 1), (x < 2),
x < 2 x = 1, (x < 2) U (x 3), F(x < 2) G(x = 1).
.
LTL- :
G[(x < 2) U (x 3)].
2.2.2. LTL
LTL-,
. LTL
. X
, , F
( - ).
, ,
, - ?
,
, .
.
LTL- M = (S, R, Label), :
S ;
R: S S s S
R(S);
Label: S 2AP s S
Label(s), s.
s S R(S) ,
s. R ,
s, R(S),
R(R(S)), R(R(R(S))),
LTL .
LTL- (S, , Label),
, S Label ,
.
Label ,
M. s Label(s) = ,
,
s. s, p
(p Label(s)), p-.
. AP = {x = 0, x = 1, x 0}
, S = {s0, , s3} , R(si) = si+1
37
0 i < 3 R(s3) = s3 Label(s0) = {x 0},

Label(s1) = Label(s2) = {x = 0}, Label(s3) = {x = 1, x 0} ,
. M =
(S, R, Label) x = 0 s1 s2,
x 0 s0 s3, x = 1 s3.
, ,
M.
. , x = 1 s,
, x 0 .
,
Label .

( ) M,
s .
(M, s, ) : M, s .
, M, s ,
s M. M ,
s M, s .
LTL . p AP
, M = (S, R, Label) LTL-, s S ,
LTL-.
:
s p
p Label(s);
(s );
s ( )
(s ) (s );
s X
R(s) ;
s ( U ) j 0: R j(s) (0 k < j: R k(s) ).

R0(s) = s R n+1(s) = R(R n(s)) n 0.
R(s) = s', s' s.
R n(s) = s' n 1, s' s.
M, s , , M
s. , s
M.
true, false, , , G F

. true :
true = p p, true s
p Label(s) p Label(s),
38
s. , M, s true
s. F :
s F
{ F }
s true U
{ U }
j 0: R j(s) ( 0 k < j: R k(s) true)
{ }
j 0: R j(s) .
, F s,
( ) s
s, .
F, G :
s G
{ G }
s F
{ }
( j 0: R j(s) )
{ }
( j 0: (R j(s) ))
{ }
j 0: R j(s) .
, G s,
s, s, .
. U s, F
. , U ,
, - ,
. Until,
Weak until (unless) W ,
, ,
. W
:
W = G ( U ).
U W :
39
U = F ( W ).
. M ,
. 2.1.
, R ( s s',
R(s) = s'). R ( )
, .
Label .
M
{q}
{q}
{ p, q }
Fp
Gp
qUp
. 2.1. LTL-
: F p, G p
q U p. ,
, . F p
, . p-
. G p ,
,
p-. q- () p-
. ,
q U p.
. M ,
. 2.2, p, q, r, s, t .
X[r (q U s)],
X[r (q U s)]. ,
r, .
.
, r , q s . ,
,
q, s, q U s
40
. G p, F t, GF r
X[r (q U s)] M.
M
{ p, q, t }
{ p, q, r }
{ p, s }
{ p, r }
Gp
Ft
GF r
X[r (q U s)]
. 2.2. LTL-

LTL , M, s .
: s
M.
1. F : ( s) , - .
2. G[ F ]: , - ( s,
s).
3. GF : .
4. FG : - , .
,

. ,
.
:
41
() M, s
, M, s ?

.
:
, M
s, M, s ?
, M
s, . LTL
.
LTL .
.

, LTL- .
, ,
.
,
, .
, . ,

.
,
:
, M, s
M s?
,
, ,
M, s M s,
( ) M s.
,
.
2.2.3.
LTL-
, .
,
, M.
, U [ X( U )].
42
:
, U ( ),
0. ,
,
U , U .
:
s [ X( U )]
{ }
(s ) (s ) s X( U )
{ X }
(s ) (s ) R(s) U
{ U }
(s ) (s ) [ j 0: R j(R(s))
0 k < j: R k(R(s)) ]
{ R n+1(s) = R n(R(s)) }
(s ) [ j 0: R j+1(s)
0 k < j: (R k+1(s) s )]
{ R0(s) = s }
(s ) [ j 0: R j+1(s) 0 k < j + 1: R k(s) ]
{ R0(s) = s }
[ j = 0: R0(s) 0 k < j: R k(s) ]
[ j 0: R j+1(s) 0 k < j + 1: R k(s) ]
{ }
[ j 0: R j(s) 0 k < j: R k(s) ]
{ U }
s U .
,
.

. ,
LTL-
LTL- .
, , (), s
, s M s.
43
,
. ,
, .
.
, , ,
. ,
F G F, G,
FG GF.
,
. ,
,
. ,
F G
U
F G.
,
. , ,
M s M:
M, s , M, s .
:
G F ;
F G ;
X X ;
(f U g) g W (f g);
(f W g) g U (f g).
:
GG G ;
FF F ;
U ( U ) U ;
( U ) U U .
:
FGF GF ;
GFG FG .
:
X( U ) (X ) U (X ).
44
:
U [ X( U )];
W [ X( W )];
F XF ;
G XG .
,
:
.
, ,
.
LTL [22].
2.2.4. LTL
. G ,
, .
,
. ,
. G,
, G
XG . , G
G
, -,
. , F U
X( U ). (, X
F XF U
).
,
.
:
;
G G
F F ;
)].
U [ ( U
F .
G

X( U )
: U
, U. ,
, .
. ,
. ,
45
. LTL
.
,
, . , G (
) ( ),
. F (- )

, X , ,
. ,

.
.
, LTL
2 [23].
2.2.5. LTL
,
,
.
,

,
.

: (S) (R).
(S.out), .
. S
m R, S.out.
S.out R.in
.
R.in. ,
,
AP = {m S.out, m R.in}, m .
,
m (
m).
2
,
.
46
, ,
. , , S.out
R.in ,
.
. 2.3.
S
S.out
R.in
. 2.3.

LTL:
:
G (m S.out m R.in).
. ,
, , S.out,
R.in:
G(m S.out F(m R.in)).
, ,
, , ,
m ,
.

,
,
:
G(m S.out XF(m R.in)),
m S.out R.in .
. , m, m'
S.out, m
m':
G[m S.out m' S.out F(m' S.out)
F(m R.in m' R.in F(m' R.in))].
, m' S.out
, , m' S.out m.
F(m' S.out) , m'
, m S.out.
. ,
m R.in S.
F
:
47
G[(m R.in) F(m S.out)].

U:
G[(m R.in)U(m S.out)].

(
) .
,
, ,

, . .
.

. , ,
,
. ,

.

. ,
,
.
, ,
.
, .
. 2.4.
P1
.....
P2
PN
. 2.4.
,
.
,
( ) (
) .
, ,
48

- .
,
.
.
, ,
, .
:
AP = {leaderi, activei, i < j | 1 i, j N},
leaderi , i , activei
i , i < j i ,
j ( ).
i j , N
. ,
.

.
, LTL.
,
i: P(i) ( P )
P(1) P(N).
i: P(i).
:
:
G[i: leaderi (j i: leaderj)]
,

(, ), , ,
.

,
.
GF[i: leaderi (j i: leaderj)],

,
.
. .
:
G[leaderi j i: leaderj]
49
. (
,
.
, ):
GF[i: leaderi]
, .
, ,
.

- :
G[i, j: ((leaderi i < j leaderj activej) F leaderi)].
,
- ,
-
. , j
.
. ,

:
G[i, j: (leaderi X leaderi XF leaderj) i < j].
, , ,
, .

[24].
2.2.6. LTL

.
, s0,
LTL-. LTL-
, ,
(, ,
, ).

[22]. f M
LTL- T f.

, ,
f. .
50
). :
f f;
(f g) f g;
(f g) f g;
f g f g;
X f X f;
F f G f;
G f F f;
(f U g) g W (f g);
(f W g) g U (f g).
.
: (f (F g X(h W r))).
: f G g X(r U (h r)).
,
.
,
pi fi,
( ) ,
G(pi fi).
, , pi, fi
. , pi fi.
fi
pi.
.
: f G g X(r U (h r)).
: G(p1 G g) G(p2 (r U (h r))) G(p3 X p2)
( f p1 p3).
:
G g, (r U (h r))
X(r U (h r)).
.
.
51

,
, G(pi T), T

,
.
.
1. G(pi G fi).
ri
:
G(pi ri) G(ri fi) G(ri X ri).
ri , , fi
.
2. G(pi (fi W gi)).
ri
:
G(pi gi fi ri) G(ri X(gi fi ri)).
ri : gi
, , -, fi, -,
.
3. G(pi (fi U gi)).
, gi -
.
ri
:
G(pi gi fi ri) G(ri X(gi fi ri)) G(pi F gi).

G(pi F gi).
.
4. G(pi F fi).
ri
:
G(pi (fi ri)) G(ri X(fi ri)) GF ri.
ri : , fi
( pi), GF ri
, pi (ri) -
, , fi .
.
: G(p1 G g).
: G(p1 r1) G(r1 g) G(r1 X r1).
52
: G(p2 (r U (h r))).
: G(p2 (h r r r2)) G(r2 X(h r r r2))
G(p2 F(h r)).
: G(p2 F(h r)).
:
G(p2 ((h r) r3)) G(r3 X((h r) r3)) GF r3.

G (
). :
p G(q (r1 X s1) (rn X sn) F t1 F tm),
p, q, r1, , rn, s1, , sn, t1, , tm
, .
: p
, q ,
ri si ( i 1 n)
, tj ( j 1 m),
,
.
.
(f (F g X(h W r))).

:
( f p1 p3) G(
(p1 r1) (r1 g) (p2 r (h r2 r3))
(r1 X r1) (r2 X(r (h r2)))
(r3 X(h r r3)) (p3 X p2) F r3).

p, q, r1, , rn, s1, , sn t1, , tm
. AP
. 2|AP|
( ).

, .
, AP = {a, b, c} ,
53
{a, b, c} = {1, 0, 1}, a c,

b .
,
q (
). , q
. , x y
x y,
i 1 n ri(x) si(y).
(r1 X s1) (rn X sn) ,
i ri,
si.
, (
) ,
p. , p
0.

.
. , ,

, tj (j 1
m). ,
, ,
- j ,
tj. ,
, ,
( , tj
). ,
(
),
. 2.4.

, , .
,
:
1. (
, ).
,
,
.
2. (
) , tj ( j
54
1 m) .
.
.
, . tj j
1 m ,
:
;
j ,
tj.

, - . ,
,
. ,
tj ( j 1
m) .
,
( ,
,
, ),
. ,
, .
( ,
) tj .
. , (
) ,
tj. , ,
tj .
, t1,
t1 t2, . . tm. tm t1, .
, tj
. , , tj
, ,
. tj .
, , ,
:
p G(q (r1 X s1) (rn X sn)),
,
tj.
55
,
, .
. :
x y G(
(x y) (x y X(x y z))
(x y z X(x y (y z)))
((y z) X(x y z y z))
(x z X(x z)) (y z X(y z))
F (x z) F((x y) z)).
3 : x, y, z. 8
(. 2.5).
x y,
, . . 2.6
.
x
x, y
x, z
x, y, z
y, z
. 2.5.
x, y
x, z
x, y, z
y, z
. 2.6.
56
G((r1 X s1) (rn X sn))

( . 2.7 ,
).
x, y
x, z
x, y, z
y, z
. 2.7.
, x y.
(. 2.8).
x, y
x, z
x, y, z
y, z
. 2.8.
F (x z) F((x y) z)
, :

. (. 2.9).
57
, (
). F (x z)
, F((x y) z) (. 2.10).
x, y
1
y
2
x, z
x, y, z
2
y, z
2
z
. 2.9.
x, y
1
y
2
x, z
x, y, z
2
y, z
. 2.10.
. ,
(x, y, z) 1. . 2.10
. (. 2.11).
, (x, z) .
. 2.11 ( ,
: 1).
,
1, 2. ,
, , . 2.12.
58
1
y
x, y
2
x, z
2
y, z
. 2.11.
x, y
2
y, z
1
y
. 2.12.
. G(z1 (z2 W z3)).

:
G((z1 z3 z2 r) (r X(z3 z2 r))).
, . 2.13.
, ,
.
2, 4 6 , ,
.
(
, ).
, ,
, ,
.
, ,
.
59
z2
r
z3
z2
z2, z3
z1, z3
z1, z2, z3
z3
r
z2, z3
r
z1
r
z1, z3
r
z1, z2, z3
r
. 2.13. G(z1 (z2 W z3))
, :
( ,
).

L(M) () M.
. ,
, T. ,
, LTL.
, LTL-
M, : T
, , L(M) L(T).
M
,
T .
( L(M) L(T)),
60
, .
.
PSPACE-
. .
, L(M) L(T) (L(M) L(T) = ), T (
T) ,
T. ,
T T :
2
T n , T cn
c > 1. ,
.
, , T
(L(T) = L(T)),
LTL.
,
. , T
, .
M ,
T, ,
. ,
M.
, .
: T
, L(M) L(T) = .

M T. M (S, R, S0, Label),
T (SD, RD, S0D, LabelD), S0D
, .
-
M' = (S', R', S0', Label')
:
S' = {(s, sD) | s S, sD SD LabelD(sD) AP = Label(q)};
R' = {((s, sD), (s', sD')) | (s, s') R, (sD, sD') RD} (S' S');
S0' = {(s0, s0D) | s0 S0, s0D S0D} S';
Label'(s, sD) = LabelD(sD).
tj
, M' ,
( , ,
. 2.4). , M
61
,
.
O(|S| 2||). ,
LTL PSPACE-

[25].
2.2.7. LTL
LTL-
LTL- .
. ,
, .
AP .
2AP A = (Q, q0, , F),
Q ;
q0 ;
Q 2AP Q ;
F Q .
, , [16, 17]
LTL-.
R (Release),
:
R = ( U ).
, , :
R ( X( R )).
, LTL-

.
LTL-
.
1. F true U .
2. G false R .
3. ,
: , , .
4. LTL
62
( U ) R ,
( R ) U
X X ,
.
:
UID ;
Formula LTL-;
Node .
,
,
Node ( 2.1):
2.1. Node
struct Node
{
UID id;
list<NodeID> incoming;
list<Formula> old;
list<Formula> new;
list<Formula> next;
};
incoming - (,
). old, new next
.
CreateAutomaton ( 2.2)
f.
2.2. CreateAutomaton
list<Node> CreateAutomaton (Formula f)
{
Node n;
n.incoming = {init};
n.old = ;
n.new = {f};
n.next = ;
return expand(n, );
}

( 2.3):
Expand
2.3. Expand
list<Node> Expand (Node currentNode, list<Node> nodes)
{
63
if (currentNode.new == )
{
if ( Node r nodes: r.old == currentNode.old
&& r.next == currentNode.next)
{
r.incoming = r.incoming currentNode.incoming;
return nodes;
}
else
{
Node newNode;
newNode.incoming = {currentNode};
newNode.old = newNode.next = ;
newNode.new = currentNode.next;
Expand(newNode, nodes {currentNode});
}
}
else
// currentNode.new .
{
Formula n currentNode.new;
currentNode.new = currentNode.new \ {n};
if (n currentNode.old) Expand(currentNode, nodes);
else
{
if (n == false or !n currentNode.old) return
nodes;
if (n AP or !n AP or n == true)
// .
{
node newNode;
newNode.incoming = currentNode.incoming;
newNode.old = currentNode.old {n};
newNode.new = currentNode.new;
newNode.next = currentNode.next;
Expand(newNode, nodes);
}
if (n f g)
// currentNode newNode.
{
node newNode1, newNode2;
newNode1.incoming = currentNode.incoming;
newNode1.old = currentNode.old {n};
newNode1.new = currentNode.new {f};
newNode1.next = currentNode.next;
newNode2.new = currentNode.new {g};
Expand(newNode2, Expand(newNode1, nodes));
}
64
if (n f U g)
// f U g g (f X (f U g)).
// .
{
newNode1.next = currentNode.next {f U g};
newNode2.new = currentNode.new {g};
Expand(newNode2, expand(newNode1, nodes));
}
if (n f R g)
// f R g g (f X (f R g)).
// .
{
newNode2.new = currentNode.new {f, g};
newNode2.next = currentNode.next {f R g};
Expand(newNode2, expand(newNode1, nodes));
}
if (n f g)
{
node newNode;
newNode.new = currentNode.new {f, g};
newNode.next = currentNode.next;
}
if (n X f)
{
node newNode;
newNode.new = currentNode.new;
newNode.next = currentNode.next {f};
}
}
65
}
}
.
F((p R q) r).
:
F((p R q) r) true U ((p R q) r)
true U ((p R q) r) true U ((p U q) r).
,
f = true U ((p U q) r). init n.
n old next new,
f. nodes,

.
Expand f n.new.
f a U b. n
: n1 n2 (. 2.1).
2.1. n n1 n2
n
n1
n2
incoming
init
init
init
old
next
true
true U ((p U q) r)
new
Expand n1,
n2.
n1.new true n1
n3 (. 2.2).
2.2. n1 n3
n1
n3
next
init
f
f
init
{f , true}
f
new
true
incoming
old
new n3 . nodes
r,
66
old next, nodes n3.

n4 (. 2.3):
2.3. n4
n
incoming
init
old
next
new
.

LTL-,
. :
LTL-
.
.
.
,
LTL- .
, -,
, . , ,
-, .
,
LTL-. , .
.
LTL.
.
,
. ,
.
, true.
. ,

.
, LTL,
. 2.14. GF p - p
p .
67
p
p
True
. 2.14. GF p
. . 2.14
.
,
, ,
.
LTL , ,
, ( )
, .
, ,
, LTL.
,
LTL. ,

, .
, 2.14.
, p ,

. ,
. . 2.14 :
p.
, : ,
. 2.14 p,
. ,
. , p
, ,
, p .
LTL-
.
, , . 2.15.

. :
,
68
p, q
p
p, q
s0
s0
s1
s1
p, q
q
p, q
s2
s2
. 2.15. () ()
.
,
.
, .
, ,
[17]:
.

.
.
,
.

.
,
-, , ,
,
, .
.
, :
LTL- .
69
, ,
, ,
. ,
,
, . ,
.
, , ,
, , ,
,
. . 2.16.
. 2.16.
p , .
, p' p
, .
,
. , p'
,
. ,
p',
.
,
, ,
. ,
, ,
, .
,
,
:
-
.
,
, . 2.4.
70

, .
,
.
, ,
, ,
,
()
. ,
: ,
(),
. ,
.

,
.
,
.

,
.
:
.

.
, :
.

,

.
,
.
.
,

.
,
,
.
71
2.3.

.
[15].
LTL.
,
:
-,
. ,
, ,
,
, s R(s).
, s
s, R(s),
R(R(s)), .

,
X, U, F G
( ).
80-
,
, .
,
.
,
.
, ,
. , R(s)
() , , LTL.
,
, .

.
. , , s,
,
s.
72

( )
. , EF ,
, F .
,
, , , ,
. , , ,
,
, . AF ,
,
, ,
F .

.
,
,
,
:
. ,
, ,

.
,
,
, .
, ,
.

CTL (Computational Tree Logic). ,
LTL,
.
[1] [4, 26].
2.3.1. CTL
(
) .
CTL ,
LTL. CTL
73
- (p
AP):
::= p | | ( ) | EX | E[ U ] | A[ U ].
:
EX ( );
E ( );
A ( );
U ( ).
X U ,
,
E ,
A .
E A
X U. , AX
.
true, false, , .
F = true U :
EF = E[true U ];
AF = A[true U ].
EF , AF
. G F A E ,
3:
EG = AF ;
AG = EF ;
AX = EX .
, :
A(F )
{ A E }
E (F )
{ G (F ); }
EG .
A E CTL- ,
.
, , E[F ] AF .
3
74
EG , AG ,
AX .
. AP = {x = 1, x < 2, x 3}
.
CTL- : EX(x = 1),

x < 2 x = 1, E[(x < 2)U(x 3)] AF(x < 2).
AX(x = 1),
E[x = 1 AX(x 3)] CTL-,

x = 1 AX(x 3) X- U-.
EF[G(x = 1)]
CTL-.
EG[x = 1 AX(x 3)] , , CTL. EF[EG(x = 1)] EF[AG(x = 1)]
CTL-.
CTL ,
X, F, G U E
A. ,
CTL*.
CTL* E A
LTL-. , , E[p X q] F p G q]
, CTL.
CTL*
LTL, LTL
CTL-. LTL, CTL CTL*
. , CTL
CTL*,
,
.
2.3.2. CTL
,
LTL
M = (S, R, Label), S , Label
, R ,

-. R(s) s
, M s

s, R(s),
R(R(s)),
,
s, LTL- ,
LTL
.
75
, ,
, ( )
. , ,
, .
,
. ,
CTL- , . , CTL-
,
, ,
[27].
, LTL- , R
.
. AP = {x = 0, x = 1, x 0}
, S = {s0, , s3}
Label(s0) = {x 0},
Label(s1) = Label(s2) = {x = 0},
Label(s3) = {x = 1, x 0},
R :
R = {(s0, s1), (s1, s2), (s1, s3), (s3, s3), (s2, s3), (s3, s2)}.
CTL- M = (S, R, Label).
. 2.17 (). , R
: s s' ,
(s, s') R. Label(s) s.

. M = (S, R, Label) CTL-.
,
s0 s1 s2 , (si, si+1) R i 0.
( ). i 0 [i]
(i + 1)- , i ,
. , = t0 t1 t2 , [i] = ti ( ti ),
i = ti ti+1 ti+2
, s M,
: PM(s) = { S | [0] = s}.
CTL- M = (S, R, Label) s S
, s,
(s', s'') , (s', s'') R. s,
p Label(s), p-.
p-, p-.
76
s0
s2
s2 {x = 0}
s0
s1
{x 0}
{x = 0}
s1
s2
s3
s3
s3
{x = 1, x 0}
s2
s2
s3
s3
s3
s2
s3
. 2.17. CTL- ()
()
. CTL- . 2.17 ().

, s0,
. 2.17 (). s0 s1s2 s3 ,
s0 s1 s2 s3
s0 s1 s3 s2 s3 . PM(s3), ,
*
: { s3 s2 s3 , s3 s2
*
}.
CTL
( ) M, s
. , M, s (M, s, ) .
M, s ,
s M. , M,
.
p AP , M = (S, R, Label)
CTL-, s S , CTL-.
:
p Label(s);
s
(s );
s ( )
(s ) (s );
s EX
PM(s): [1] ;
s E[ U ] PM(s): (j 0: [j]
(0 k < j: [k] ));
s A[ U ] PM(s): (j 0: [j]
(0 k < j: [k] )).
s p
77
,
.
EX s, ,
s, ,
[1] .
A[ U ] s, ,
s, (,
s) ,

s.
E[ U ] s, ,
s, U .
AX , EF , EG , AF
AG
. ,
EG .
s EG
{ EG }
s AF
{ AF }
s A[true U ]
{ }
(s A[true U ])
{ A[ U ] }
[ PM(s): (j 0: [j] (0 k < j: [k] true))]
{ s true s }
[ PM(s): (j 0: [j] )]
{ ; }
PM(s): (j 0: ([j] ))
{ }
PM(s): (j 0: [j] ).
, EG s,
, s, ,
.
78
, AG s,
, s,
.
EF s,
, s, AF
, ,
s.
. CTL- M, . 2.18.

M. ,
, . :
EX p ,
, p.
AX p s0, ,
s0, s2, p
.
, p , AX p
.
, s2, (,
s0 s1s3 ), p . , EG p
. , p Label(s2), ,
s2, p , .
AG p s3,
s3 , p .
,
s2, p. ,
AG p .
EF(EG p) ,
s0, s1 s3,
, p
.
A[p U q] s3,
s3 ,
q. , , ,
p , q.
, E[p U (p A[p U q])] s3,
s3 q-. s0 s1
, s2
79
p-, p s2,
s2 p U q,
s2 q-. , s0 (s0s2s1)
p U (p A[p U q]), p Label(s0),
p Label(s2) q Label(s1). s2 ,
p s2, , s2,
q-. ,
p A(p U q) 0.
s0
s1
{p}
s3
{p, q}
{p}
s2
{q}
EX p
AX p
EG p
AG p
EF (EG p)
A[p U q]
E[p U( p
A[ p U q])]
. 2.18. CTL-
2.3.3. CTL
,
,
:

,
80
.
. LTL-
U:
U ( X[ U ]).
F G :
G XG ;
F XF .
CTL . ,
U, F G
,
, . 2.4.
2.4. CTL
EG
EX EG
AG
AX AG
EF
EX EF
AF
AX AF
E[ U ]
( EX(E[ U ]))
A[ U ]
( AX(A[ U ]))

(
)
( EX AX
,
). ,
EG s, s (
) ,
s (
).
.
, AF :
AF
{ AF }
A[true U ]
{ A[ U ] }
81
(true AX[A(true U )])

{ ; AF }
AX[AF ].
, EG :
EG
{ EG }
AF
{ }
( AX[AF ])
{ }
AX[AF ]
{ AX }
EX([AF ])
{ EG }
EX[EG ].
,
EF AG. ,
.
CTL,

U LTL, .
2.3.4. CTL, CTL* LTL

LTL,
CTL CTL*, CTL*
CTL LTL CTL*.
, ,
, ,
.
CTL CTL* ,
LTL ,
. ,
LTL,
. ,
LTL
82
(, X
?), ,
, , , ,
LTL- .
LTL CTL*.
LTL ::= A ,
.
( p AP):
::= p | | ( ) | X | ( U ).
CTL, CTL* LTL
,
. . 2.5
.4
2.5. LTL, CTL CTL*
LTL
CTL
CTL*
::= A
::= p | | ( ) | E
::= | X | ( U )
::= p | | ( ) | E
::= | | ( ) | X | ( U )
::= p | | ( ) | X | ( U )
CTL* , LTL,
: A = E .
CTL* CTL.
CTL*. p AP
, M = (S, R, Label) CTL- ( ), s S
, PM(s) , ,
. ,
: M, sState
M, Path .
, M ,
.
State :
4
CTL,
. , E A
.
83
sState p
p Label(s);
sState
(sState );
sState ( ) (sState ) (sState );

sState E
PM(s): (Path ).
Path:
Path
[0]State ;
Path
(Path );
Path ( ) (Path ) (Path );

Path X
1Path ;
Path ( U ) j 0: jPath (0 k < j: kPath ).

1, j k .
, CTL
CTL*: CTL- CTL*,
(). ,
.
, ,
, .
CTL CTL*:
.
. ,
,
L (
) L'.
.
,
M s
M, s , M, s .
,
.
L L' ,
L L'
(, M s: M, s M, s )
L'
L (, M s: M, s
M, s ).
, , L ()
, L'.
84
. 2.19 ,
. ,
CTL* , LTL CTL, LTL
CTL . ,
, .
CTL*
CTL
LTL
A[F(p
A[F(p
X p)]
X p)]
AG(EF q)
AG(EF q)
A[p U q]
. 2.19. LTL, CTL CTL*
LTL, CTL .
, A[FG p] A[F(p X p)] LTL-,
CTL [4, 28].
LTL, CTL:
A[GF p F q].
, p
, q - . ,
.
,
:
, -
.
, LTL- A[FG a] A[F(a X a)]
CTL-. M0, M1, M2, ,
,
. 2.20.
Mn
M0
{}
{a}
{}
{a}
Mn1
. 2.20. M0 Mn
85
. 2.21 .
n
{}
s0
{a}
s1
{}
{a}
{}
{a}
...
. 2.21. Mn n 0
M , . 2.22.
{}
s0
{a}
s1
. 2.22. M
s0 M Mn,
s1 . ,
M' M",
M', s0
M", s0 ;
M', s1
M", s1 .
M, M0, M1, , Mn, s0 A[FG a]

Mn, s0 A[F(a X a)] n 0, M, s0 | A[FG a]
M, s0 | A[F(a X a)]. .
M ,
{a} {a}
FG a F(a X a).
, Mn
a-, :
{a} ({a}),
FG a F(a X a). ,
FG a F(a X a) M Mn.
CTL- (
||||)
. , ||a b|| = 0 ||E[(a b c)U((EX a) E[b U c])]|| = 2.
86
n, , M Mn
CTL-
n. , CTL, |||| n: Mn, s0
M, s0 ( s1
s0). ,
:
1. n 0 0
M Mn.
2. , M Mn,
, , .
3. , M, Mn
Mn+1, , EX , AX , E[ U ] A[ U ],
M Mn+1.
.
CTL- , A[FG a] (,
, A[F(a X a)]). , ,
M, s0 | A[FG a] Mn, s0 A[FG a] ( n), , M, s0 |
M||||, s0 . , , M M||||
CTL-
||||, ,
M M||||. .
CTL, LTL .
AG EF p CTL-,
LTL. ,
, ,
p, . p
, ,
,
. , AG EF p
LTL, .
LTL-, A AG EF p.
M . 2.23 (). M, s AG EF p,
, M, s A . M' M,
. 2.23 (). , s M',
, s M. , M', s A .
M', s AG EF p , p
s.
, LTL-
, .
LTL-, E AG EF p.
87
M. M, s AG EF p M, s E .
M" M, . 2.23 (). , s
M, , s M".
, M", s E .
M", s AG EF p, p
(s"), s",
s.
s
s'
{p}
{ p}
s"
{ p}
{ p}
s'
{ p}
{p}
. 2.23. M, M' M"
CTL* LTL. LTL CTL*

[26]:
CTL*- LTL- (
) A f(), f() ,
. ,
= EF EG p AF q f() = FG p F q. ,
CTL*, A f() .
LTL,
, ,
: CTL*-
LTL-,
LTL- E f().

LTL, CTL CTL* LTL- GF p
p. ,

CTL*-: AG F p EG F p CTL*-.
AG F p AG AF p ( M
),
AG F p CTL-,
AG AF p CTL-. EG F p, ,
CTL-.
2.3.5. CTL
, CTL
,
. (P1 P2)
88
: (C),
(T) (N).
, ,
. ,
.
. Pi
Pi.s i = 1, 2.
CTL.
1.
:
AG[(P1.s = C P2.s = C)].
2. , , :
AG[P1.s = T AF(P1.s = C)].
3.
:
AG[P1.s = C A(P1.s = C U (P1.s C A(P1.s C U P2.s = C)))].
2.3.6. CTL

, CTL-
F = {f1, , fk}.
,
,
. ,
:
1 .
,
, 1
.
, CTL-
, (
CTL
).
,
f1, , fk.
F , = s0 s1 s2
M F-, fi F
, fi.
89
lim() M,
, fi
M, F-, :
lim() fi i.
Fair CTL-
:
::= p | | ( ) | EX | E[ U ] | A[ U ] |
| EF X | EF [ U ] | AF [ U ].
F .
CTL ,
. PMF (s) M,
s F-.
CTL-
PMF (s) PM(s).
, :
M, s
s M:
s EF X
PMF (s): [1] ;
s EF [ U ]
PMF (s): (j 0: [j]

(0 k < j: [k] ));
s AF [ U ]
PMF (s): (j 0: [j]
(0 k < j: [k] )).

CTL , .
,
, .
CTL ,
CTL, CTL*.
CTL, , LTL.
. CTL- M . 2.24.
M, s0 AG[p AF q]. ,
s0 s1 s2 s4 , q-.
, ,
s2
s3 s4.
s3, ,
G[p AF q] :
M, s0 | AG[p AF q].
90
{q}
s2 s3
s0
s1
s2
{p}
{p}
{p}
s4
{p}
. 2.24. CTL- M
CTL-
F = {f1, f2}, f1 = {s3}, f2 = {s4}.
AG[p AF F q] .
, M, s0 AG[p AF F q].
F- , s0,
f1 f2.
, s3 s4
.
s0 s1 s2 s4 , s3.
, M, s0 AG[p AF F q] .
2.3.7. CTL CTL*

CTL

. ,
,
. ,

(
),
,
.
:
M, s , M, s .

: M
s, M, s .
, .
( 2.4).
91
2.4.
set<State> Sat(Formula )
{
if ( == true)
return S;
if ( == false)
return ;
if ( AP)
return {s | Label(s)};
if ( == 1)
return S \ Sat(1);
if ( == (1 2))
return Sat(1) Sat(2);
if ( == EX 1)
return {s S | (s,s) R:
s Sat(1)};
if ( == E[1 U 2])
return SatEU(1, 2);
if ( == A[1 U 2])
return SatAU(1, 2);
// Sat() = {s | M,s }
}
,
, ,
.
E[1 U 2] A[1 U 2]
.

.
(OBDD Ordered
Binary Decision Diagram) [29]
,
, ,
. ,

2n ,
n .
.
n, i
i- ,

( ).
, ,
,
2n , . ,
()
,
() .
[30, 31].
[32].
92
, ROBDD
(Reduced OBDD),
. ,
[33, 34],
ROBDD ,
.
, , ,
, ,
,
, .
CTL.
, , Fair CTL ,
.

Fair CTL
.
Fair CTL
EX, EU, EF G:
::= p | | ( ) | EX | E[ U ] | EF G .
p AP , F
. :
AX = EX ;
AF X = EF X ;
EF X = EX( EF G true);
EG = EG ;
A[ U ] = (E[ U ( )] EG );
AF [ U ] = (EF [ U ( )] EF G );
EF [ U ] = E[ U ( EF G true)],
F G.
, ,
[35]:
(
).
CTL, ,
2.4, 2.5.
93
2.5.
set<State> Sat(Formula )
{
if ( == true)
return S;
if ( == false)
return ;
if ( AP)
return {s | Label(s)};
if ( == 1)
return S \ Sat(1);
if ( == (1 2))
return Sat(1) Sat(2);
if ( == EX 1)
return {s S | (s,s) R:
s Sat(1)};
if ( == E[1 U 2])
return SatEU(1, 2);
if ( == EF G 1)
return SatEG(1, F);
// Sat() = {s | M,s }
}
. ,
,
.
1. ,
(
).
2. ,
.
3. , ,
.
4.
EX .
5. E[ U ]
,
,
,
. .
. 2.25.
s0
s1
s2
s3
{p}
{p}
{q}
{}
. 2.25. SatEU(p, q)
94
6.
EF G . ,
,
. .
,
( EF G
).
G , ,

(, ,
EF G true). ,
,

F:
O(|F| (|S| + |R|)). (F = ),
O(|S| + |R|).
. 2.4.
O(|| (|S| + |R|))
.

.
, .
, , s M
( ) .
1. EX ,
s .
,
, EX .
2. E[ U ] EG
.

. E[ U ]
,
,
, .
EG ,
, . ,
, (. 2.26).
3. EF G ,

(, , fi,
95
fi F), ,
. ,
. 2.4. ,
EG .
s8
s9
s7
s10
s6
s11
17
s5
s4
s12
s16
s13
s15
s14
s3
s2
s1
s
. 2.26. -
.
, CTL
:
,
CTL-
, -
(, ),

(. 2.26).

.
, , ,
.
CTL*
CTL*-
,
LTL. ,
LTL. .
96
M CTL*- .
,
. ,
A E , LTL-,
. LTL-
, ,
,
A E . M
.
.
,
,
.
.

, ,
, ,
, .
M ,
.

, LTL
.
,
,
. LTL , ,
, , CTL.
, ,
CTL LTL, LTL-
,
. , M
LTL- , CTL-, E
( A ) CTL
LTL- (
,
P NP).
[36], .
, CTL,
LTL, LTL
CTL-, , ,
97
. , CTL,
, ,
( ) ,
()
CTL LTL.
.
, LTL CTL.
G = (V, E), V , E V V
. V = {v1, , vn}.
, (
,
).
LTL. ,
G ,
G .
vi V
pi, Label(vi) = {pi}. ,
() w , w V Label(w) = {q}, q
, pi. w
vi ( (vi, w) ),
( (w, w) ). . 2.27
4 .
v1
v2
v1
v2
{p1}
{p2}
w
{q}
{p3}
v3
v4
{p4}
v3
v4
. 2.27.

LTL 5:
E[(i: F pi) Xn q],
5
, LTL-,
E LTL. , E ,
( ),
A ,
A , LTL-.
98
X1 q = X q Xn+1 q = X(Xn q).

, ,
.
vi.
w,

. ,
.
CTL
. CTL g(p1, , pn), ,
, ,
p1 pn :
g(p1, , pn) = p1 EX(p2 EX( EX pn)).
CTL
CTL
. P
{1, , n}. :
P: g(p(1), , p(n)).

. CTL-

, NP-

CTL-,
P = NP. ,
CTL-, (
P NP).
2.4.

.
, LTL-
. , ,
, :

.
99
s
F. ,
, s
( ,
).
: ,
s Fair CTL-
EF G true. ,
CTL-, LTL-.
F = ,
F ,
.
:
,
.

, ,
.
2.4.1.
,
LTL,
[17].

, SPIN Bogor.
(DFS Depth-First
Search). , ,
, ,
DFS.
. DFS
.
,
.
,
, . ,

.
100

DFS 2.6
[17]. terminate
.
2.6.
bool emptiness()
{
q0 Q0
dfs1(q0);
terminate false;
}
void dfs1(q)
{
q flag1;
q q
if (q flag1)
dfs1(q);
if (accept(q))
dfs2(q);
}
void dfs2(q)
{
q flag2;
q q
{
if (q flag1)
terminate true;
else if (q flag2)
dfs2(q);
}
}
true, ,
false . true,
: DFS

q1. .
DFS q1 q2,
. ,
, DFS q2,
q1 q2 q1,
q1 . ,
.

[17].
,
101
, ,
, .
true, DFS
s
q2. DFS
q2 q1, s q2.
, q2 q1.
, ,
,
s q1, q1 q2 q1.
. 2.28.
s
DFS 1
q1
q2
DFS 2
. 2.28. ,

: false,
. ,
. ,
, q
. DFS
, , q.
. q
, q ,
DFS. ,
q. :
1. q ,
DFS,
102
DFS. DFS , ,
, .
, .
2. q ,
DFS, r, DFS. ,
.
. ,
, DFS, ,
. DFS
q. , r
, DFS, , :
, q;
DFS.
, q' ,
, r. q, r
q' . 2.29.
r
q'
qs
. 2.29. q, q' r.
. , DFS
.
1. q' q.
q' r q q'.
DFS q', .
, .
, q ,
DFS .
2. q' q. q'
, , 1.
: ,
, ,
103
,
. . 2.29, q q'.
, , DFS
q' , q.
, ,
DFS q , q',

.
, , ,

.
2.4.2.

. G
F.
, .
:
1. .
,
,
( ,
)
.
2. ,
,
, .
3. ,
,
(
).

[37, 38].
.
S.
. ,
,
.
,
.
104
v -
v.index,
.
, v.lowest,
,
:
v.lowest =
Min
v',

v
v'.index
, v
,
v.lowest = v.index.
, , v.lowest,
.
v S
, ,
, v.
,
v, .
2.7.
2.7.
G = (V, E)
void computeSCC()
{
// DFS
index = 0;
//
S = ;
foreach (v V) do
// DFS
if (v.index )
visit(v);
}
void visit(v)
{
// v
v.index = index;
v.lowest = index;
index = index + 1;
S.push(v);
105
// v
foreach ((v, v') E) do
// v'
if (v'.index )
{
visit(v');
v.lowest = min(v.lowest, v'.lowest);
}
else
// v'
v.lowest = min(v.lowest, v'.index);
// v -
if (v.lowest == v.index)
{
print " :";
repeat
{
v' = S.pop;
print v';
}
until (v' == v);
}
}
.
, ,
,
O(|F| |M|),
M .
,
.
2.5.

,
, LTL CTL,
,
. ,
.
, p ,
A, q ,
B. LTL- G[p F q] ,
A B,
,
A B.
106
,
.
, , ,

, , .
, ,
,
.
,
.
, ,
: ,

,
.
, :
,
. ,
,

.
.

, ,

. ,
, ,
30 , ,
.

.
,
,
.

. ,
, ,
.

:
107
)?

)?

.
,
, , . ,
,
, .

RTTL (Real-Time Temporal Logic).

,
.
, .
,
,

. X ,
. Xk k
,
X0 = Xk+1 = Xk (X ) k 0. , ,
, A B
32 ,
G[p X<32 q], X<k
X0 Xk1 , p q A B,
. , Xk-

EXPSPACE-.
,
.
.
CTL
,
.
Timed CTL (
, TCTL) [39],
. ,

108
(
).
Timed CTL

CTL. Timed CTL , ,
A
B 32 AG[p AF<32 q], ,
, p (q) A (B).
Timed CTL CTL,

.
,
, ,

, .
, . ,

,
.
,
Timed CTL.

,
,
.

,
,
.
, ,
.
.

, TCTL-
.
[1].
2.5.1.

.
109
, , .
.
, .
x, y z.

6.
( ), .
.
. , ,
, .

: ,
,
. ,
, .

.
C ( x, y C)
C () :
::= x ~ c | x y ~ c | | ( ).
c ~ {<, }.
, x c
(x < c) x = c x c x c . .
, , x c + d d .
, x + y < 3,
. c
,
, ,
, , .
, , c .
, , c
.

( ).
(L, l0, E, Label, C, clocks, guard, inv),
110
L
l0 L;
E , (
e) from(e) into(e), ,
,
( ,
);
Label: L 2AP ,
l L Label(l) ;
C ;
clocks: E 2C ,
e E clocks(e);
guard: E (C) , e E
guard(e) C;
inv: L (C) ,
.
Label , CTL LTL,

,
. ,

TCTL. e clocks(e)
, e.
guard(e) , ,
e . l inv(l)
, .

. ,
. ,
true ( ,
). ,
() ()
, .
.
true , ,
.
Label,

.
. . 2.30 ()
x l .
111
, x
2. x .
x 0. . 2.30 ()
,
x. , 0,
l . true
l,
l.
. 2.30 ()
x 3 l , x
. x 2
( ) x 3 ()
. . 2.30 () ().
,
. 2.30 () 2 x 3,
true l.
2 x 3 (
),
, ,
l. . 2.30 () ().
,
, ,
. , , ,

.
.
.
. . 2.31 () x
y. 0
, .
,
. x, y ,
.
x y .
. 2.31 ().
. . 2.32 ,
off on, x y.
0 off.
. 2.32 .
,

112
, .
9
, off on.
x
, . ,
x 2, .
y ,
, off
on, .
x
4
x2
{x}
x
4
3
x2
{x}
x3
x
4
3
2x3
{x}
. 2.30.
113
x2
{x}
x
y
l
2
y2
{y}
0
. 2.31.
x2
{x, y}
off
on
x2
{x}
y=9
{x}
. 2.32. :
, .
.
v C v: C ,
x C v(x).
V() C.
A (l, v), l
A, v C A.
. . 2.32.
(off, v) v(x) = v(y) = 0, (off, v')
v'(x) = 4 v'(y) = 13, (on, v'') v''(x) = 4 v''(y) = 3. ,
.
v C.
v + t , t
v. (v + t)(x) = v(x) + t
x C. [x]v, v
x, :
114
v y ,
x v y 0,
y x
y x.

. , [x]([y]v)
[x, y]v.
. v v' .
v + 9 (v + 9)(x) = (v + 9)(y) = 9.
[x](v + 9) x 0, y 9.
v' [x](v + 9) + 4.
, ,
.
,
.
(
C) ( C).
x, y C; v V(); , () :
v x ~ c
v(x) ~ c;
v x y ~ c
v(x) v(y) ~ c;
v | ;
v ( )
(v ) (v ).

. , x ~ c v,
, v(x) ~ c.
.
. v, v + 9 [x](v + 9)
,
:= x 5 := (x y = 0).
v(x) = v(y) = 0 v v . , v + 9 | ,
(v + 9)(x) = 9 > 5, v + 9 , (v + 9)(x) = (v + 9)(y) = 9.
, [x](v + 9) [x](v + 9) | .
2.5.2.

), S
(S,

(, ),
, ,
115
. ,
:
.
.

, A
), :
M(A), (S, s0,
S = {(l, v) L V() | v inv(l)};

s0 = (l0, v0), v0(x) = 0 x C (s0
);
S ( {}) S

:
(l', [clocks(e)]v),
1) (l, v)
:
(a) e = (l, l') E,
(b) v guard(e)
(c) ([clocks(e)]v) inv(l');
(l, v + d) d,
2) (l, v)
:
d' d: v + d' inv(l).
d
(l, v), l A, v
C ( A), , v
l. ,
(
). , (a)
e , v (b)
e (
) (c) ,
, e v,
l' ( l' ).
( )
,
. ,
v + d inv(l),
d' < d. , inv(l) = (x 2) (x > 4) (l, v)
v(x) = 1.5 3
: , v + 3 inv(l),
(, v + 2)
.
116
s A ,
*
*
s, s0 A,
s0
.

s0 a0 s1 a1 s2 a2
, , ,
ai
si+1 i 0.
si
,
()
.
, , ,
.
(i, d) , d 0, ai =
, ai .
(i, d)
, ,
si si+1. si
(li, vi). Pos() .
(i, d) (li, vi + d).
:
(i, d) (j, d'), i < j (i = j d < d').
, (i, d) (j, d'),
li lj
d d'.
, ,
.
a0
a1
s1
i
= s0
s0 si, (, i)
, 0 0
, i 1 , i 0a
i
ai ;
ai .
, limi (, i) = .
, s,
PM (s). ,
.
,
1
2
2
2
s0 s1 s2 s3
117
,
[ 12 , 1].
,
.
,
.
a0
a1
s1
7,
= s0

.
, ,
,
.
:
, ,
, .

.
,
.
,
, ,
, .
[4].
. A C ,
A
en
e2
e1

ln, l0 = ln,
l1
l0
x C i, j 1 n , :
x clocks(ei)
V(C) , guard(ej)
[clocks(ej)] inv(lj), x 1.
A .
. A C,
, ,
. A
7
,
, ,
.
118
, -
. l.
, ,
, l. ,
, (,
).
; , ,
. , A ,
- ( l0 l1 ln = l0)
.
, , i, j
x, .
, i = n ( ,

, ).
A,
l0:
(lj, j) (ln, n).

(l0, 0) (lj1, j1)
, ln1 ln = l0 x
lj1 lj , j1(x) 1 (
j1(x) < 1 ,
lj). ,
l0 ln = l0 .
, , A .
.
(. 2.32). :
3
4
(off, v1)
(on, v2)
(on, v3)
= (off, v0)
1
2
2
(on, v5)
(off, v8)
(on, v6)
(on, v7)
(on, v4)
v0(x) = v0(y) = 0, v1 = v0 + 3, v2 = [x, y]v1, v3 = v2 + 4, v4 = [x]v3,

v5 = v4 + 1, v6 = v5 + 2, v7 = v6 + 2 v8 = [x]v7.
. 2.6.
2.6.
x
y
v0
v1
v2
v3
v4
v5
v6
v7
v8
0
0
3
3
0
0
4
4
0
4
1
5
3
7
5
9
0
9
(on, v2), , ,
(off, v1)
(a) e off on, (b) v1 x 2, v1(x) = 3,
119
(c) v2 inv(on). (0, 3),

(1, 0), (2, 4), (3, 0), (4, 1), (5, 2), (6, 2), (7, 0), .
, , (1, 0) (5, 2). , (, 3) = 7
(, 7) = 12.
,
off,
. , -
, , v(x) 2, on ,
. ,
on.
, inv(off) = inv(on) = true.
, inv(off) y 9, inv(on) true,
(
(off, v8) ),
.
2.5.3. TCTL
A , AP
D ,
A
(C D = ).
z D
.
,
.
p AP, z D (C D)
:
TCTL-
::= p | | | ( ) | z in | E[ U ] | A[ U ].
,
. , ,
. true, false, ,
. z z in

z . : z in
s,
: z 0. ,
z in (z = 0) , z in (z > 1) .

until- ,
.
, D ,
- .
120
,
TCTL- . ,
.
, , x 2 z in (z y = 4) ,
x, y (x, y D). x in (x 2)
z in (y in (z y = 4)), , .
, CTL, TCTL until
. EF, EG . .
until-, . ,
TCTL EX AX.
.
CTL.
CTL, E[ U ], EF . .
. ,
A[ U 7 ]
, ,
, ,
7 .

z in A[ U ( z 7)].
, EF<5 , ,
,
5 ,
z in EF(z < 5 ), EF , . , EF<c
, - c .
AF<c ,
- c .
. AP {b = 1,
b < 2, b 3}. TCTL- E[(b < 2)U 21(b 3)],
AF1(b < 2) EF<7[EF<3(b = 1)]. AX <2 (b = 1)
TCTL-, .
AF (b < 2) TCTL-, .
AF 2 AG 4 b 2 .
3
5

TCTL-
AF=5[AG<6 (b < 2)].
121
,
t , , t
. , t: z in (AG[(b = 1) AF(z < t b 3)]).

.
2.5.4. TCTL
,
. LTL ()
S , R
Label
. CTL R
. TCTL
.
,
. ,
( Label),

.
, , ,

. ,
s = (l, v) w.
v w , x
v(x) z w(z).
TCTL
( ), M,
( ),
, ,
. (M, (s, w), )
: M, (s, w) . M, (s, w) ,
s M
w. M ,
.
s = (l, v) ,
(s, w) , w , w(z) = 0
z.
p AP , (C D)
)
C D, M = (S,
122
, s S, w V(D) , TCTL-.
:
s, w p
p Label(s);
s, w
v w ;
s, w
(s, w );
s, w ( )
s, w z in
(s, w ) (s, w );
s, w E[ U ]
PM (s): (i, d) Pos():
s, [z]w ;
((i, d), w + (, i) + d ((j, d') (i, d):
(j, d'), w + (, j) + d' ));
s, w A[ U ]
PM (s): (i, d) Pos():
((i, d), w + (, i) + d ((j, d') (i, d):

(j, d'), w + (, j) + d' )).
,
, .
(s, w), v ( s) w
. z in (s, w), (s, w'),
w' w z. E[ U ]
(s, w), ,
s,
.
A[ U ] (s, w), ,
s, .
,
TCTL
. ,
TCTL ,
( ,
). ,
. 2.30 ().
TCTL-
s0, w E[(x 1)U(x > 1)].
x > 1 ,
x 1. ,
. ,
,
, :
s (l, x*), x* > 1,
,
x 1 .
123
(l, x), 1 < x < x*.

,
. ,
E[ U ]
, , ,
s0, w E[(x 1)U(x > 1)]
.
,
E[ U ] ,
,
E[(x 1)U(x > 1)], .
,
,
. , LTL-
[ U ] [( )U ] (
,
TCTL- E[ U ] A[ U ]).

, , E[ U ]
E[( )U ], A[ U ] A[( )U ].
E[ U<12 ]
s M. ,
( s), ,
12 , ,

. A[ U<12 ] ,
, s.
CTL
. ,
: M
( ) , M ?
LTL CTL , TCTL ,
. ,

:
,
[40].

,
( F, U G).
X (
X) U ( U). , CTL LTL
124
.

,
( ). TCTL,
, : TCTL
[41].
, , ,
.
2.5.5. TCTL

, ,
TCTL.
1.
.
,
5 . :
AG[send(m) AF<5 receive(rm)],
, m rm , send(m)
receive(rm) , m , , ,
rm , .
2. :
. , ,
m
11 . :
EG[send(m) AF=11 receive(rm)].
3. : ,
. ,
,
, .

,
, , 25 .
:
AG[AF=25 putbox],
putbox ,
, .
,
,
125
,
25 . , ,
,
25, 50, 75, ,
, , 35, 60, 85,
:
AG[putbox putbox U=25 putbox].
25

, 8.
4. :
. ,
,
180
. tac ,
, .
:
AG[tac tac U180 tac].
until-
.
5. :
,
. , ,

,
900
. ,

:
AG[tac (tac U180 tac tac U 900 tac)].
:
AG[tac tac U=180(AF 720 tac)].
,
, 180
( ) ,
,
8
,
. , rm .
, receive(rm) .
putbox,
.
126
720 + 180 = 900

).
2.5.6.
TCTL
, .

M(A) A.
s0 = (l0, v0) M(A). l0
A, v0 ,
A. ,
TCTL-.
TCTL- A A ,
M(A), (s0, w0) , w0(y) = 0
y.
,
A TCTL . A
M(A). , , ,
M(A) L V(C) !
. 2.33 (,
, true).
x=0
x=2
..
x = 2.1
..
x=
......
x = 27
..
. 2.33.
,
M(A),
?
,
. ,
(
), ,
() ,
: (
TCTL-) (
).
127

().
, M
TCTL-. ,
TCTL-,
. ,
A :
M(A), ((l, v), w) M(A), ((l, v'), w')
v w v' w'.
,
, ,
A, ,

, . ,
TCTL- ,
TCTL-,
. , ,
.
, ,
, .
,
, , .
,
TCTL-
, ,
. ,
A,
. ,
. ,
,
.
,
CTL
(
). , ,
TCTL-
CTL.
, TCTL-
A.
v [v].
,
128
,
.
(l, [v]) [s] s = (l, v).
, [s, w] (l, [v w]), w
. s = (l, v)
s' = (l', v') s, w s', w',
s = s'
v w v' w'.
TCTL-
:
1. () .
2. R(A).
3. CTL R(A).
4. A [s0, w0] SatR().

R(A).
.
,
.
.
v: C x C v(x) = [x] + {x},
[x] {x} . ,
v(x) = 2.134 [x] = 2 {x} = 0.134.
,
. v v' ,
C.
. ,
. 2.34, : (l0, v) (l0, v')
v(x) = 3.2 v'(x) = 3.7. l0 l1
, 2.
v(x) v'(x) . ,
v(x) = 1.2 v'(x) = 1.7,
. ,
, x ~ c, c ,
, .
:
v v', [v(x)] = [v'(x)] x C.

129
(*)
(
) ,
. ,
, TCTL.
x2
l0
l1
{x}
. 2.34. , ,
. . 2.35
: s = (l0, v) s' = (l0, v') v(x) = 0.4, v'(x) = 0.2
v(y) = v'(y) = 0.3.
, v v', [v(x)] = [v'(x)] = 0
y. s l2,
s'.
. s 0.6
. v + 0.6 (v + 0.6)(x) = 1
(v + 0.6)(y) = 0.9. , l0 l1,
. l1
0.1 , ,
l2, . s'
. s' l1,
x 0.8 .
v'(y) = 1.1 l2 .
v v' , {v(x)} > {v(y)},
{v'(x)} < {v'(y)}.
(*):
v(x)} {v(y)} {v'(x)} {v'(y)}

x, y C.
(**)

, .
l0
x=1
l1
y=1
l2
. 2.35.
. . 2.36
: s = (l0, v) s' = (l0, v') v(x) = 0 v'(x) = 0.1.
130
(*) (**) v v', ,

s s' . ,
s, w EF=1 p, s', w | EF=1 p, p ,
l1. v v'
, x s 0,
s' 0.
(*) (**) :
{v(x)} = 0 {v'(x)} = 0 x C.
(***)

, ,
.
l0
x=1
l1
. 2.36.

. cx ,
x x ~ c
x y ~ c .
,
, . cx
, x , ,
v(x) > cx, x . ,
v(x) > cx,
.

.

((*) )
(**) , (***).
, ,
. , v(y) > cy,
y , y
.
,
.
A C v, v' V().
v v',
:
131
1. [v(x)] = [v'(x)] v(x) > cx v'(x) > cx x C.

2. {v(x)} {v(y)}, {v'(x)} {v'(y)} x, y C
, v(x) cx v(y) cy.
3. {v(x)} = 0, {v'(x)} = 0 x C
v(x) cx.
4. x y ~ c
~~ {<, } v(x) v(y) ~~ c ,
v'(x) v'(y) ~~ c.
,
C' ,
C C'. , C'
( ). z
cz ,
z z ~ c z y ~ c,
.
,
z in AF[(p z 3) (q z > 4) (z x > 5)] cz 5.

. . 2.30 ().
{x} cx = 2,
x 2.

. v v' , v(x) v'(x)

( n
n- ).
[x ~ c] {x | x ~ c} c
~.
1. , [v(x)] = [v'(x)],
:
[0 x < 1], [1 x < 2], [2 x < 3], [3 x < 4],
2. cx = 2,
v(x) = 3 v'(x) = 27. ,
,
, :
[0 x < 1], [1 x < 2], [x = 2] [x > 2].
3. ,
.
,
. ,
.
132
4. , {v(x)} = 0 {v'(x)} = 0 v(x) cx,

, , [0 x < 1]
[x = 0] [0 < x < 1]. [1 x < 2].
[x > 2] ,
v(x) cx.
6 :
[x = 0], [0 < x < 1], [x = 1], [1 < x < 2], [x = 2] [x > 2].
. C = {x, y} cx = 2 cy = 1,
x y ~ c
y x ~ c. . 2.37

.
. v v' ,
(v(x), v(y)) (v'(x), v'(y))

.
1. , [v(x)] = [v'(x)] C, ,
, [(0 x < 1), (0 y < 1)]
[(1 x < 2), (0 y < 1)] . .
, v(x) > cx v'(x) > cx
C, [(x > 2),
(y > 1)]. , v,
v(x) > 2 v(y) > 1, x y .
:
[(0 x < 1), (0 y < 1)],
[(1 x < 2), (0 y < 1)],
[(0 x < 1), (y = 1)],
[(1 x < 2), (y = 1)],
[(0 x < 1), (y > 1)],
[(1 x < 2), (y > 1)],
[(x = 2), (0 y < 1)],
[(x > 2), (0 y < 1)],
[(x = 2), (y = 1)],
[(x > 2), (y = 1)],
[(x = 2), (y > 1)],
[(x > 2), (y > 1)].
12 . 2.37 ().
2. [(0 x < 1), (0 y < 1)],
.
,
[(0 x < 1), (0 y < 1),
(x < y)], [(0 x < 1), (0 y < 1), (x = y)] [(0 x < 1), (0 y < 1),
(x > y)]. [(1 x < 2),
(0 y < 1)]. . ,
[(0 x < 1), (y = 1)] ,
x y ,
{v(x)} {v(y)}. [(1 x < 2), (y > 1)] ,
v(x) cx v(y) cy.
. 2.37 () .
133
3. , .
[(0 x < 1), (0 y < 1),
(x = y)], .
[(x = 0), (y = 0)] [(0 < x < 1), (0 < y < 1),
(x = y)]. . 2.37 () 28
: 6 , 14
8 ().
4. , , x y ~ c
, .
y
2 x
2 x
2 x
. 2.37. cx = 2 cy = 1
2.5.7.

.
.
r (l, [v]) l L v V().

, .
, ,
, TCTL-.
.
[39]. s, s' S w, w' V(D) , s, w s', w'.
TCTL- : M(A), (s, w) ,
M(A), (s', w') .

s s',
TCTL-.

(), .
134
, ,
.
-
.
, .
.
.
,
.
,
.
.
. 2.30 (). , x,
2. cx = 2. . 2.38.
A
l
x=0
l
0<x<1
l
x=1
l
x>2
l
x=2
D
l
1<x<2
. 2.38.
,
l.
, .
A. E F
A . ,
,
, .
F,
. F x
( ).
,
. 2.30 () TCTL-,
z cz = 2 ( z
, 2),
x z ~ c z x ~ c. {x, z}
. 2.39.
135
x=0
0<x<1
x=1
1<x<2
x=2
z=x
z=x
z=x
z=x
z=x
x=2
1<x<2
x=1
0<x<1
x=0
x>2
z>2
z>2
z>2
z>2
z=2
z>2
L
l
x=0
z>2
. 2.39.
z cz = 2
, ,
: G L.
z > 2. ,
z .
,
, .
r, r' (r r'). r'
r ( r' = delsucc(r)),
d
s'
[s, w] = r d , s
r' = [s', w + d] = [s + d, w + d], 0 d' < d
(s + d', w + d') r,
r'.
s = (l, v) s + d (l, v + d). ,
[s', w'] [s, w], [s, w]
[s', w']
[s, w] [s', w'] -
. ,
. ,
,
.
.
. 2.30 (). , x z
(. 2.39),

.
x = z. , [x = z = 1]
[(0 < x < 1), (x = z)], [(1 < x < 2), (x = z)]
[x = z = 2]. [(x = 1), (z > 2)]
136
[(0 < x < 1), (z = 2)] ( ,

),
d' , , d' ,
[(0 < x < 1), (z > 2)].
r ,
v , r = [v], v(x) > cx x C.

, , , ,
. . 2.38 2.39
.

(), :

.
A (
C D) R(A, )
(R, r0, ),
R = S = {[s, w] | s S, w V(D)};
r0 = [s0, w0];
r r',
s')
1) s, s', w: (r = [s, w] r' = [s', w] s
2) r r = r'
3) r r' r' = delsucc(r).
, ,
, ,
.
,
-, . ,
R , ,
(R, r0, )
R' = {r R | r0 * r}, *
. ,
(R', r0, ).
.
, (. 2.40).
on
y 3. ,
137
, ,
. , ,
.
x1
{x, y}
y3
off
on
x2
{x}
y=3
{x}
. 2.40.
R(A, ), A ,
. 2.41. :
= {x 1, x 2, y = 3, y 3}
A.
. , , D E,
s = (off, v), v(x) = v(y) > 1,
s' = (on, v'), v'(x) = v'(y) = 0 D = [s], E = [s'].
D D, [v], v(x) = v(y) > 1,
. ,
off : inv(off) = true.
2.5.8.
R(A, ) A
TCTL- A
, CTL.
.
, ()
,
. ,

( true false),
. (i + 1)-
i + 1
. ,
, i (i 1).

.
2.8.
138
off
on
off
x=y=0
x=y=0
yx=3
x>1
off
on
0<x=y<1
0<x=y<1
T
on
off
y=2
yx=3
yx=2
x=1
off
on
on
x=y=1
x=y=1
2<y<3
yx=3
yx=2
0<x<1
off
off
on
on
off
x=y>1
1<x=y<2
y=3
yx=3
yx=2
x=0
on
on
x=y=2
2<y<3
x=0
on
on
2<x=y<3
y=3
0<x<1
on
on
x=y=3
y=3
yx=3
. 2.41. . 2.40
2.8. TCTL
set<Region> SatR(Formula )
{
if ( == true)
return S/;
if ( == false)
return ;
if ( AP)
return {[s,w] | Label(s)};
if ( == )
return {[s,w] | (s=(l,v))
((v w) )};
if ( == 1)
return (S/) \ SatR(1);
139
if ( == (1 2))
if ( == z in 1)
return SatR(1) SatR(2);

return {[s,w] |
(s, [z]w) SatR(1)};
R
if ( == E[1 U 2])
return Sat EU
(1, 2);
if ( == A[1 U 2])
return Sat RAU (1, 2);
// SatR() = {[s,w] | M,(s,w) }
}
A , , M(A), (s0, w0)

, :
M(A), (s0, w0) , [s0, w0] SatR()
(
).
SatR()
. (true, false,
, )
CTL. SatR()
[s, w] , w v (
s) . [s, w]
SatR(z in ), w', w'(z) = 0
( 0) w'(x) = w(x) x z.
until- .
2.9 2.10.
2.9. E[ U ]
R
set<Region> Sat EU
(Formula )
{
set<Region> Q, Q;
Q = SatR();
Q = ;
while (Q Q)
{
Q = Q;
Q = Q ({s | sQ: s s} SatR());
}
return Q;
R
// Sat EU
(,) = {[s,w] | s,w E[ U ]}
}
2.10. A[ U ]
set<Region> Sat RAU (Formula )
{
set<Region> Q, Q;
Q = SatR();
Q = ;
140
while (Q Q)
{
Q = Q;
Q = Q ({s | (sQ: s s)
(s: s s, s Q)} SatR());
}
return Q;
// Sat RAU (,) = {[s,w] | s,w A[ U ]}
}
R
Sat EU
.
Sat RAU , ,
A[ U ]. CTL
:
Q := Q ({s | s': s s', s' Q} SatR()).
, , ,
s .
CTL, CTL-
. ,

, ,
. ,
Q ,
Q Q.
2.10. , Q,
,
(). ,
- , . 2.42.
C:
l, ,
x = 1.
x1
x<1
l
x=0
l
0<x<1
l
x=1
. 2.42.
. (. 2.41)
, on
q, off p.
, on
off :
141
M(A), (s0, w0) | E[p U<1 q],

,
A (, [s0, w0]), E
Q, ,
. .
E[p U<1 q] z in E[p U (q z < 1)].
z, A
. ,
( q )
C E. z
1, .
, ,
,
,
.
,
.
[42]. (s, w) Sat(),
[s, w] SatR().
,
,
.
, ,

( ,
).
,
A, ,
M(A) .
. A ,
sS
M(A), s EF=1 true.

:

, .
. ,
.
142
,
,
( )
.
, ,
,
( ,
).
, , . 2.42,
, .
,
, .
,
.
, , ,
( ,
, , ).
Sat RAU
.

R(A, )
A .
R(A, ) A
.
A
. , .
C A .
,
x y ~ c.
[4]:
C!
c
x C
Regions 2 C
C!
2c
x C
2 .

,

. .
C V(C). r
(P, , D), P
, D
143
,
:
(P, , D)
P = (Px)x C
Px { {0}, (0, 1), {1}, (1, 2), , (cx 1, cx), {cx}, (cx, +) }
, (x) Px x C
r.
Copen x C , Px
,
Copen = {x C | Px { (0, 1), (1, 2), , (cx 1, cx), (cx, +) } }.
= (x1, , xk) Copen = {x1, , xk} ,
r
( , i j {(xi)} {(xj)}).
D open open ,
r xi D
xi1 : xi D
{(xi1)} = {(xi)}.

(P, , D).

, ,
2c
x C
2 P,
|Copen|! |C|! Copen

2|Copen | 1 2|C | 1
D \ {x1}.
,

. D = Px { (0, 1), (1, 2),
, (cx 1, cx) }.
,
c
x C
P |C|! ,
.
c = max{cx | x C}.
:
|Regions| 2|C | 1 |C|! (2c + 2)|C |.
144
,
x y ~ c.
(P, , D) , , : Px

{0}, (0, 1), {1}, (1, 2), , (2c 1, 2c), {2c}, (2c, +).

,
:
|Regions| 2|C | 1 |C|! (4c + 2)|C |.
, TCTL:
1) ;
2) A ;
3)
A .
TCTL-
PSPACE- [39].

.
2.6.
,
. ,
, [43].
[44, 45].
N (S, T, W),
S ;
T ;
S T ;
W: (S T) (T S) {0, 1, 2, 3, } .

;
.
N = (S, T, W)
M: S {0, 1, 2, 3, }. M t,
s M(s) W(s, t).
t M,
145
M',
s :
M'(s) = M(s) W(s, t) + W(t, s),
t
, t
.
t
M'. , . 2.43 M M',
: M
t.
, , .
. 2.43.
(N, M0), N , M0
N,
tn
t2
t1

Mn
M1
M0
, M0 Mn.
t2
t1tn
t1
Mn. M0
M1
: M0
.
, ,
. M N
M
,
M0
.
,
. M M'
M M', t,
t
M'.
M
(S, T, W, , l), (S, T, W) ,
l ,
.
.
, . ,
t
M', M M'
M
l(t).
.

146
,
. l
,

l(12) = l(1)l(2).
(N, M0) M f N (
) M f
M f}
L(N, M0, M f) = { | M0
M M}
T(N, M0) = { | M0
(
).
(N, M0), N = (S, T, W, , l)
M f N M f
M f}
L(N, M0, M f) = {l() | M0
M M}.
T(N, M0) = {l() | M0
,
. ,
(S, T, W, M0, Is), S , T
, W , M0
, Is: T ( {})
t , t.
t Is(t) .
M En(M) ,
M.
t
, , t .
(M, v), M
, v v: En(M) . t
, .
, t

. t ,
Is(t) = [tmin(t), tmax(t)].
, ,
tmax(t).
147

. d
, t T , s s'
d
s',
. s
s' s d .
t
s', s'
s
s t.

, s0), s0 ( (M0, v), v 0)
(S,
*
s} (
S = {s | s0
*
).

, ,
.
.

:
? .

.
.

[44].

. (
) ge(s, c), s , c
. ge(s, c)
s c.
M, M(s) c.
, EX (Existential neXt) EF
(Existential Future).
EX , t , ,
t, . EF ,
, ,
, .
, CTL CTL*,
, ,
.

.
,
148
ge(s, c) .

, .
, , ,
(,
,
). :
first(t), t .
M, t , M
.
en(t), t . M, M
t9.
F
(
F , -
) .
, ,
:
, .
F first(t),
, t - ,
GF first(t), G = F , , t
.

.
, GF,
.
GF first(t), , ,
GF first(t) GF first(t') (
).

.
, GF ,
, :

.
en(t) ge(s, W(s, t))

. .
149
3.
3.1. SPIN
SPIN [46] ,
.
SPIN
:
rendezvous [46];
,
.
.

,
.
SPIN ,
PROMELA (PROtocol Meta-Language)
, , LTL- (
X) ,
. .
SPIN . 3.1.
, SPIN LTL-
, LTL- .
LTL-

XSPIN
Promela
. 3.1. SPIN
SPIN
.
Xspin.

, ,
150
, . SPIN
,
.

,
. -
,
,
.
PROMELA C.
PROMELA :
init.

, .
( 3.1):
3.1.
proctype proc(int a; int b)
{
byte b; /* */
/* */
}
.
,
active.
run.
PROMELA :
bit;
bool;
byte;
short;
int.
.
.
, .
151
,
.
, . ,
x < 7
, x .

, . (,
) .
PROMELA ,
( 3.2)
[47].
3.2.
if
:: guard1 -> S1
:: guard2 -> S2
...
:: else -> Sk
fi
do
:: guard1 -> S1
:: guard2 -> S2
...
:: else -> Sk
od
if. guardi ,
Si.
, .
, Sk,
else. else .
, ,
,
.
do , if,
, if do, fi od. ,
do ,
, ,
. do, ,
goto break.
PROMELA .

( ) . 0
152
( rendezvous SPIN).
, . ,
chan c = [5] of byte
, c, 5 .
.
,
. c .
c!2 , c .
2 . c?x
, c . c
x. c ,
0, c! ( c?) , c? ( c!,
), (
).

.

[1, 48]. N (N 2)
, .
.
ident,
.
,
. :
.
,
, ,
.
( 3.3):
3.3.
active:
d = ident;
while (true)
{
send(d);
receive(e);
if (e == d) stop; // d
send(e);
receive(f);
if e >= max(d, f)
{
153
d = e;
}
else break;
}
relay:
while (true)
{
receive(d);
send(d)
}
,
(active). , ,
(
d).
. ,
, . (relay),

.
d
,
(e)
. d,
, d
,
. (,
!)
(e d), (f), d,

.
e, f d,
(d := e).
. ,
.
, ,

1 4, . 3.2.
, .
,
.
, d, e
f. , ,
.
154
(2,-,-)
(2,-,-)
4
(4,-,-)
(3,-,-)
(4,-,-)
2; 4
(3,-,-)
(1,-,-)
(2,4,-)
2
(4,-,-)
1
(1,-,-)
(2,4,-)
(4,1,-)
(4,4,1)
2; 4
(3,-,-)
(4,1,-)
(4,4,1)
4
(3,2,-)
(1,-,-)
(3,2,4)
(4,1,3)
2
(1,-,-)
(3,-,-)
(4,4,1)
(1,3,-)
(1,3,-)
(4,4,1)
(4,3,1)
3
(3,2,4)
(4,1,3)
(4,1,3)
(4,2,4)
3
(3,3,2)
4
(3,3,2)
(3,1,3)
(3,2,4)
4
(3,4,2)
(4,3,4)
(3,2,4)
(4,1,3)
4
(4,4,3)
. 3.2.
PROMELA
PROMELA ( 3.4):
,
, .
process
,
. ,
.
in, out
.
3.4. PROMELA
proctype process (chan in, out; byte ident)
{ byte d, e, f;
printf("%d\n", ident);
activ:
d = ident;
do :: true -> out!d;
in?e;
155
if :: (e == d) ->
printf("%d \n", d);
goto stop
:: else -> skip
fi;
out!e;
in?f;
if :: (e >= d) && (e >= f) -> d = e
:: else -> goto relay
fi
od;
relay:
end:
do :: in?d -> out!d
od;
stop:
skip
}
: activ (active
,
PROMELA), relay stop. stop,
. ,
, relay.
(,

end:) relay .
PROMELA
end:, SPIN
.
, , , in?e ,
in . , ,
, .
, in?e : ,
in,
e.
PROMELA
( 3.5):
3.5. PROMELA
#define N 5
/* */
#define I 3
/* */
#define L 10 /* (>= 2*N) */
/* N L */
chan q[N] = [L] of { byte };
156
I .
,
ident. L
2N,
.
( ),
q[0] q[N1] byte.

, init.
PROMELA ( 3.6):
3.6.
init {
byte i;
atomic {
i = 1;
do :: i <= N -> run process (q[i-1],
q[i%N], (N+I-i)%N+1);
i = i+1
:: i > N -> break
od
}
}
%N N.
run process(). ,
,
. , ,
,
. , ,
.
.
,
atomic. ,
, .
,
. ,
, .

(, ) .
, PROMELA,
.
157
PROMELA-, ,
.
. ,
, (,
) .
PROMELA
,
, ,
. LTL
G [#leaders 2],
, ,
G[#leaders 1].
SPIN .
[]p, [] G, p
:
#define p
(nr_leaders <= 1)
nr_leaders
PROMELA,
. PROMELA
( 3.7):
3.7. PROMELA
byte nr_leaders = 0;
{ ..... .....
activ:
d = ident;
in?e;
if :: (e == d) ->
printf("%d \n", d);
nr_leaders = nr_leaders + 1;
goto stop
:: else -> skip
fi;
..... .....
}
[] p SPIN
. ,
SPIN, ( 3.8):
158
3.8.
/*
* : [] p
* claim
* !([] p)
* ( )
*/
never { /* !([] p) */
T0_init:
if
:: (1) -> goto T0_init
:: (! ((p))) -> goto accept_all
fi;
accept_all:
skip
}
,
A, G[#leaders 1].
property1, SPIN ,
( ) PROMELA
:
#include
"property1"
( 3.9).
3.9.
Full state space search for:
never-claim +
assertion violations + (if within scope of claim)
cycle checks (disabled by DSAFETY)
invalid endstates (disabled by never-claim)
State-vector 140 byte, depth reached 155, errors: 0
16585 states, stored
44589 states, matched
61174 transitions (= stored+matched)
18 atomic steps
hash conflicts: 1766 (resolved)
(max size 2^19 states)
Stats on memory usage (in Megabytes):
2.388 equivalent memory usage for states
(stored*(State-vector + overhead))
2.046 actual memory usage for states (compression: 85.65%)
State-vector as stored = 119 byte + 4 byte overhead
2.097 memory used for hash-table (-w19)
0.200 memory used for DFS stack (-m10000)
4.448 total actual memory usage
159
errors: 0.
5 (
) .
SPIN ,
.
(
), (
),
.

, 3189
5014 16585 61172 ,
,
.
:
;
;
, .
, , :
G[#leaders = 1]. ,
, .
SPIN, ,
, .
,
. ,
, .

, ,
(assertions).
, .
.
PROMELA , SPIN ,
, .
.
. ,
,
.
assert(nr_leaders <= 1)
PROMELA ,
,
160
nr_leaders.
( 3.10):
3.10. ,
byte nr_leaders = 0;
{ ..... .....
activ:
d = ident;
in?e;
if :: (e == d) ->
printf("%d \n", d);
nr_leaders = nr_leaders + 1;
assert(nr_leaders <= 1);
goto stop
:: else -> skip
fi;
..... .....
}
PROMELA
,
LTL- G[#leaders 1].
3.2. SMV
SMV (Symbolic Model Verifier) [49]
,
.

.
, ,
[50]. SMV
.
CTL-. ,
SMV.
SMV [1].
SMV ,
( ) ,
, .
main, C.
SMV 3.11.
161
3.11. SMV
MODULE main
VAR
ASSIGN
/* */
DEFINITION
SPEC CTL-
MODULE /* 1 */
MODULE /* 2 */
.............
SMV
:
. , SMV

.
. , P,
:
MODULE P ( )
VAR
ASSIGN
ASSIGN ,
, P,
:
1) Pasync
:
VAR Pasync: process P()
2) Psync
:
VAR Psync: P()

.
. SMV

( )
( ) ,
.
162
.
, next(x) := x+y+2 x
x+y+2 . x
init(x) := 3 , x
3. next(x) := 0
x 0 .
. ,
next(x) := {0, 1} ,
x 0 1.
. ,
next(x) := case b = 0: 2;
b = 1: {7, 12}
esac;
x 2, b 0
() 7 12, b 1. x
Q, Q.x.
,

.
.
.
,
.
,
. next
, .
,
.

. ,

,
( ,
). ,
, ,

.
CTL-. CTL- SMV
& , | , ->
163
! .
SMV ,
.

[1]
,
.
. i (i = 1, 2)
ti yi,
, i.
{, false, true}.
, false true .
, y2 = y1 , y1 .
: y1, y2, t1, t2 := , , , .
1 3.12.
3.12. 1
start1:
t1 := if y2 = false then false else true fi
y1 := t1
if y2 then t1 := y2 fi
y1 := t1
loop while y1 = y2
critical section 1; y1, t1 := ,
goto start1
2 3.13.
3.13. 2
start2:
t2 := if y1 = true then false else true fi
y2 := t2
if y1 then t2 := y2 fi
y2 := t2
loop while (y2) = y1
critical section 2; y2, t2 := ,
goto start2
,
,
y1 y2 . ,
164
.
, .
SMV
SMV
.
:
VAR prc1 : process P(t1,t2,y1,y2);
prc2 : process Q(t1,t2,y1,y2);

. ,
l1. ,
.
. SMV
.
-- ( 3.14).
3.14. P
MODULE P(t1,t2,y1,y2)
VAR label : {l1,l2,l3,l4,l5,l6,l7};
-- label
ASSIGN init(label) := l1;
--
ASSIGN
--
next(label) :=
case
label = l1
: l2;
label = l2
: l3;
label = l3
: l4;
label = l4
: l5;
label = l5 & y1 = y2
: l5; -- loop
label = l5 & !(y1 = y2) : l6;
label = l6
: l7;
label = l7
: l1; -- goto start
esac;
next(t1) :=
case
label = l1 & y2 = false
: false;
label = l1 & !(y2 = false) : true;
label = l3 & y2 = bottom
: t1;
label = l3 & !(y2 = bottom) : y2;
label = l6
: bottom;
1
: t1;
--
-- t1
esac;
next(y1) :=
case
165
label = l2 | label = l4 : t1;

label = l6
: bottom;
1
: y1;
--
-- y1
esac;
, prc1.l6
1 , , prc2.m6
2.
SMV
,
.
,
. CTL
:
AG (prc1.label = l6 prc2.label = m6).
SMV :
DEFINE MUTEX := AG !(prc1.label = l6 & prc2.label = m6)
MUTEX .
SPEC MUTEX :
specification MUTEX is true
resources used:
user time: 1.68333 s, system time: 0.533333 s
BDD nodes allocated: 12093
Bytes allocated: 1048576
BDD nodes representing transition relation: 568 + 1
reachable
states:
157
(2^7.29462)
out
of 3969
(2^11.9546)
, BDD.
SMV BDD ( ) ,

.

. , , ,
,
:
166
NST := AG ((prc1.label in {l1, l2, l3, l4,

AF prc1.label =
(prc2.label in {m1, m2, m3, m4,
AF prc2.label =
l5} ->
l6) &
m5} ->
m6))
:
AG AF !(prc1.label in {l1, l2, l3, l4, l5}) &
AG AF !(prc2.label in {m1, m2, m3, m4, m5})
,
1 ( 2) -
l1 l5 ( m1 m5). ,
1 2 .
NST SMV :
-- specification NST is false
-- as demonstrated by the following execution sequence
-- loop starts here
state 1.1:
NST = 0
MUTEX = 1
t1 = bottom
t2 = bottom
y1 = bottom
y2 = bottom
prc1.label = l1
prc2.label = m1
state 1.2:
[executing process prc2]
state 1.3:
t2 = true
prc2.label = m2
state 1.4:
y2 = true
prc2.label = m3
state 1.5:
prc2.label = m4
state 1.6:
prc2.label = m5
167
state 1.7:
prc2.label = m6
state 1.8:
t2 = bottom
y2 = bottom
prc2.label = m7
state 1.9:
prc2.label = m1
.
, .
, ,
, , prc2
, prc1
. ,
SMV
,
.
, .
, ,
.
, ,
(, )
. ,
.
SMV
SMV
(
):
FAIRNESS f
f CTL-.
, , -
( f), ,
f .
f.
,
. SMV
running, true,
.
FAIRNESS running SMV
168
,
, (
). ,
. , ,
(,
)
.
FAIRNESS.
,

. , prc1.l6 ,
1 .
MODULE P, :
ASSIGN
next(label) :=
case
.........
label = l6 : {l6, l7};
.........
esac;
1
, 2 - .
, FAIRNESS running
: 2
, , ,
. ,
:
FAIRNESS !(prc1.label = l6)
,
CTL A E
!(prc1.label = l6).
, , !(prc1.label = l6)
, .
, 1
.
4.
4.1.
, ,
169
,
, [2, 51].

,
( )
. ,
,
,
.
( ).
: ,
, , .

,
.
( ),
( ).
,
.
. 4.1
.

.
x1, e
x2
. 4.1.

(. 4.2). .
,
.
,
.

. .
170
. 4.2. : ()
()

.
, .
: .

, .

.
: ()
().
,
.

, ,
.

. .

.
,
,
,

171

.

,
, .

,

.
.
, -
.

,
.
,
/
.
,
,
,
.
. ,
, .

. A,
e ( event ),
x,
y s,
z, . 4.1 4.2 ().

.

(. 4.3).
.
Closed ().
( e11)
(o1.z1), Opening ().
(e2)
Opened ().
. e12 , o1.z2
. -
172
. 4.3. ,
, e3,
Opening.
( e4),
Error ().
(o2.x1),
(o2.z1). Error
. , ,
Opening.

,
.

.
1. :
.
2. : .
3. : ,
.

, ,
. , ,
. .
173

,
.
.

.
-
( )
.

[52]. C A B
A B. , C
A B.
-
A B.
.

, C
.
4.2.

[53]
[54].
, :
,
,
. . 4.1.
174
4.1.
Bogor

BIR.
. BIR
-
.
Eclipse.

CMM- (CORBA Component
Model), EJB (Enterprise Java Beans).
Eclipse.
CADP
.
:

.
, ,
,
LOTOS (Language of Temporal Ordering Specifications,
ISO standard 8807). ,
EVALUATOR (
) XTL (eXecutable Temporal
Language) ,
. , HML, CTL, ACTL
LTAC.

ANSI C C++.
, ,
(assertions).
ANSI C:
,
,
. .
,
, CTL
-.
,
.
Specification patterns,
Cadena
CADP
(Construction
and Analysis of
Distributed
Processes)
CBMC
(A Bounded
Model Checker
for C/C++
programs)
GEAR (A game
based model
checking tool
capable of
CTL, modal &calculus and
specification
patterns)
175
Java
Pathfinder
LTSA
(Labelled
Transition
System
Analyser)
MOPS (Model
Checking
Programs for
Security
Properties)
NuSMV
(A New
Symbolic
Model
hecker)
Java -.
,
, . .
10 000 .
NASA Ames Research Center.
(concurrent
systems). LTS (Labelled
Transition System) FSP (Finite State Processes).

(
LTL). , ,
- .
,
, C.

(defensive
programming).
,
.
SMV
(Symbolic Model
Checker). ,
BDD (Binary Decision Diagrams) ,
SAT (SAT-based model checking).

: CTL, LTL.
, ,
.
.
.
ORIS (Uses
a CTL-like
temporal logic
with real-time
bounds, action
and state
based)
SMV (Symbolic ,
Model
,
Checker)
CTL. ,
, ,
.
.
176

PROMELA.
,
. LTL.
UPPAAL

(Uppaal Model .
Checker)
,
( , . .).
Timed Automata.
TCTL.
VIS
(Verification
Verilog.
Interacting

with Synthesis) CTL.
dSPIN
SPIN.

.
SPIN.

, SPIN:
, /
, ,
,
.
( PROMELA).
DBRover
(runtime monitor)
, LTL
MTL. ,
TemporalRover.
,
, . :
Ada, C, C++, Java, VHDL Verilog.
: LTL, MTL
(Metric Temporal Logic) . .
Reactis Tester .
: Simulink/Stateflow.
Temporal
,
Rover
LTL
(with realtime constraints).
,
SPIN
177
.
e
x 5 ,
100
, e1
. : Ada, C, C++, Java, VHDL,
Verilog.
: LTL, MTL (Metric Temporal

Logic) . . StateRover,
,
. StateRover
Temporal
Rover UML.
Java, C, C++.
,
Eclipse.
4.3.

, .
( )
,
. ,
( ),
, ,
, .
,
, ,
. ,
, ,
,
.
.
UML
[55]. ,
, ,
, .

,
.
,
178
,
.

.

, .
,
.
, ,
,
. ,
,
, ,
.

[56, 57].
, ,
, , , ,
.
.
:
,
. , ,
,
,
.

,
:
,, ,
, .

. , -
,
, .

: ,
.
.
179

[58]. , -,
, , -,
, :
, ,
, ,
.
,
.
(
) [59]
, [60].
,
,
98%
, .
8- ,
- [61, 62].

[6367].
, ,
.
,
?
,

. , ,
SPIN,

, , ,
.
,
,
, .

, ,
, .
180

,
,
, ,
. .
-.
,

.

.
,
, ,
. ,
.
:
s1, e1, z1 . .
, , ,
,
.

,
.

. ,
, .

.
,
.
:
,
CTL- [68].
,
,
( )
.
181
, ,

. . . [6973].

, .

, [74].
4.3.1.
,
, , ,
.

pin-. :
. AClient
, AServer
. ,

. :
HardwareEventProvider
;
HumanEventProvider , ;
ServerEventProvider , ;
ClientEventProvider , .
FormPainter ;
ServerQuery ;
ServerReply .

UniMod, [58, 75, 76].
. 4.4 ,

.
182
. 4.4. ,

. 4.5 AClient.
. 4.6
.
AServer,
4.3.2.

.
183
. 4.5. AClient
( ):
, pin-.
,
.
: ,
pin- , .

LTL:
([ PIN-] U [ ]).
184
. 4.6. AServer
. 4.5, o1.z10.

, , o1.z10
10. AClient,
.
pin- e10.
, :
(e10 U (AClient in 10. ))
CTL .
(E):
E[e10 U (AClient in 10. )].
( ):
.
,
.
LTL:
F[ ].
,
, :
F(AClient in 10. ).
CTL
(A):
AF(AClient in 10. ).
185
4.4. ,

4.4.1. Converter

Converter [7779] , ,
SPIN [46, 80].
LTL.
SPIN
Promela.
Converter
:
Promela,
,
. ,
Converter.

Promela,
, ,
:
int lastEvent; ,
;
int stateAi;
Ai.
Promela
,
.
,
,
.
.
Promela
,

stateAi lastEvent.

LTL. :
186
lastEvent = e1 ,
e1;
stateAi = 1 ,
Ai Promela 1. ,

,

SPIN ,
. ,
SPIN Promela
, C.
Converter .

Promela
. , SPIN
, ,
.
4.1.
4.1. Converter
State Test 1 : init
Going to state Test 2 : s0
Event = e2
State Test 2 : s0
Going to state Test 33 : s1-1
Event = e3
State Test 33 : s1-1

Converter ,
UniMod.
, ,
, .
UML-,

Java.
UniMod
XML.
Converter.
Converter
SPIN. ,
187
gcc PATH
, gcc
.
Windows.
:
run.cmd <XML- > < >
<LTL->
XML- ,
UniMod XML;
,
;
LTL-
!(<>{lastEvent == e1}).
[] Globally ();
<> Future (- );
U Until ( );
V p V q !(!p U !q);
! ;
&& ;
|| ;
-> ;
<-> .

Converter UniMod.
.

UniMod XML- .
. Converter
, ,

. ,
10. ,
:
run.cmd Bankomat.xml report.txt ""
188
Bankomat.xml ,
UniMod
.
model.ltl,

( 4.2).
4.2.
...
#define STATE_10 10 /*8. */
#define STATE_11 11 /*10. */
#define STATE_12 12 /*9. */
...
, ,
11. :
!(!{lastEvent == e10} U {stateAClient == 11}).
Converter
, .
:
run.cmd Bankomat.xml report.txt "(!{lastEvent ==
e10} U {stateAClient == 11})"

.
report.txt ( 4.3).
4.3.
Converter v. 0.50
warning: for p.o. reduction to be valid the never claim
must be stutter-invariant
(never claims generated from LTL formulae are stutterinvariant)
(Spin Version 4.2.8 6 January 2007)
+ Partial Order Reduction
Full statespace search for:
never claim
+
assertion violations + (if within scope of claim)
acceptance
cycles + (fairness disabled)
invalid end states - (disabled by never claim)
129 states, stored
8 states, matched
137 transitions (= stored+matched)
0 atomic steps
hash conflicts: 0 (resolved)
189
errors: 0
. .
():
run.cmd Bankomat.xml report.txt
"(!<>{stateAClient == 11})"
report.txt
( , 4.4).
4.4.
...
...
Never claim moves to line 267
[(!((stateAClient==11)))]
State AClient 1 : s1
Going to state AClient 13 : 1.
State AClient 13 : 1.
Going to state AClient 6 : s2
Event = e0
State AClient 6 : s2
spin: trail ends after 34 steps
...
.

. s1,
1. ,
, e0,
.
.
,
.
( e0), .
s2, .
. ,

.
4.4.2. Unimod.Verifier

UniMod.Verifier [77, 81, 82]
Bogor [83].
190
, ,
, Converter.
Bogor, BIR,
, ,
, .
,
,
.
Bogor ,
.

,
,
, .
UniMod.Verifier ,
.
step: .

.
,
Bogor
.
step.
,

.

.

.
, UniMod.Verifier
. (,
Converter)
. Converter

UniMod.
,
Promela. ,
UniMod Promela.
UniMod.Verifier , Bogor
191

UniMod. Bogor
UniMod
UniMod.Verifier . 4.7.
Bogor

BIR
UniMod

UniMod
UniMod.Verifier
. 4.7. UniMod.Verifier

, BIR,
,
. ,
UniMod.Verifier,

.
,
.

Bogor, , UniMod.Verifier,
,
LTL.

:
BIR
wasEvent(e) True,
e, False
;
wasInState(sm, s) True,
sm s;
isInState(sm, s) True,
sm s;
192
cameToState(sm, s) True,
sm
s. , (isInState(sm, s) && !wasInState(sm, s));
cameToFinalState() True,

. ,
;
wasAction(z) True,
z;
wasFirstAction(z) True,
z;
wasLastAction(z) True,
z;
getActionIndex(z) ,
.
, ,

;
wasTrue(g) True,
g,
True. :
g = !o1.x1 && o1.x2;
wasFalse(g) True,
g,
False.

,
.

,
UniMod.Verifier.
.
Unimod.bir,
.
:
LTL.always (G) ;
LTL.eventually (F) -;
193
LTL.next (X) ;
LTL.until (U) , ;
LTL.weakUntil (W) , , ;
LTL.release (R) : p R q = (p U q);
LTL.negation ;
LTL.equivalence ;
LTL.implication ;
LTL.conjunction ;
LTL.disjunction .
Unimod.bir .
( 4.5).
4.5. , LTL
fun NoPinNoMoney() returns boolean =
LTL.temporalProperty(
Property.createObservableDictionary(
Property.createObservableKey("correct_pin",
AutomataModel.wasEvent(model, "e10")),
Property.createObservableKey("give_money",
AutomataModel.wasAction(model, "o1.z10"))
),
LTL.weakUntil (
LTL.negation(LTL.prop("give_money")),
LTL.prop("correct_pin")
)
);
!o1.z10 W e10.
. ,
"correct_pin" , AutomataModel.wasEvent(model, "e10")
. ,
e10.

.
.
:
verifier.cmd Bankomat.xml NoPinNoMoney
Bankomat.xml ,
UniMod
, NoPinNoMoney ,
Unimod.bir.
194

.

, .
.

Converter, UniMod.Verifier
XML- ,
UniMod.
().
,
.
. C
Unimod.bir ,
4.6.
4.6. UniMod.Verifier
fun NoPinNoMoney() returns boolean =
LTL.temporalProperty(
Property.createObservableDictionary(
Property.createObservableKey("correct_pin",
AutomataModel.wasEvent(model, "e10")),
AutomataModel.isInState(model, "/AClient",
"10. "))
),
LTL.negation (
LTL.until (
LTL.negation(LTL.prop("correct_pin")),
LTL.prop("give_money")
)
)
);
correct_pin give_money,
, e10,
AClient
10. .
: !(!<correct_pin> U <give_money>).
:
verifier.cmd Bankomat.connectivity NoPinNoMoney

( 4.7).
195
4.7.
(W) Unknown option
edu.ksu.cis.projects.bogor.module.Isearcher.maxErrors
Transitions: 1, States: 1, Matched States: 0, Max
Depth: 1, Errors found: 0, Used Memory: 2MB
Transitions: 63, States: 41, Matched States: 22, Max
Depth: 14, Errors found: 0, Used Memory: 1MB
Total memory before search: 708688 bytes (0,68 Mb)
Total memory after search: 1134712 bytes (1,08 Mb)
Total search time: 688 ms (0:0:0)
States count: 41
Matched states count: 22
Max depth: 14
Done!
Verification successful!
, ,
.
().
Unimod.bir ( 4.8).
4.8. UniMod.Verifier
fun AlwaysMoney() returns boolean =
LTL.temporalProperty (
Property.createObservableDictionary (
AutomataModel.isInState(model, "/AClient",
"10. "))
),
LTL.eventually (LTL.prop ("give_money"))
);
, verifier.out:
verifier.cmd Bankomat.connectivity AlwaysMoney
> verifier.out
verifier.out
( 4.9
).
4.9.
Generating error trace 0...
Done!
1 traces were found.
Replaying the trace with least states (#0).
Replaying trace by key: 0
Stack of transitions leading to the error:
196
Model [ step [0] event [null] guards [null] transitions

[null]
actions
[null]
states
[null]
]
fsaState
[bad$accept_init]
Model [ step [0] event [] guards [] transitions [] actions
[] states [(/AClient:9. /AServer) (Top);
(/AClient:5. /AServer) (Top); (/AClient:3.
/AServer) (Top); (/AClient) (Top)] ]
fsaState [bad$accept_init]
Model [ step [1] event [*] guards [] transitions [s1#1.
#*#true] actions [o1.z1] states [(/AClient:9.
/AServer)
(Top);
(/AClient:5.
/AServer) (Top); (/AClient:3. /AServer)

(Top); (/AClient) (1. )] ] fsaState
[bad$accept_init]
Model [ step [2] event [e6] guards [true->true] transitions
[1. #2. pin-#e6#true] actions
[o1.z2] states [(/AClient:9. /AServer) (Top);
/AServer) (Top); (/AClient) (2. pin)] ] fsaState [bad$accept_init]
[2. pin-#13. #e2#true] actions
[o1.z13] states [(/AClient:9. /AServer)
(Top); (/AClient:5. /AServer) (Top);
(/AClient:3. /AServer) (Top); (/AClient)
(13. )] ] fsaState [bad$accept_init]
[13. #1. #e7#true] actions
[o1.z1] states [(/AClient:9. /AServer) (Top);
/AServer) (Top); (/AClient) (1.
)] ] fsaState [bad$accept_init]
Done!
.
: ,
,
.
.
,
1. . ( e6),
2. pin-.
,
13. , , (
e7),
1. .
,
,

.
197
4.4.3. FSM Verifier

FSM Verifier [65, 77] NuSMV,
, SMV.
.
1. SMV.
2.
.
3. NuSMV.
4.
.
. 4.8.

ACTL
SMV
NuSMV

. 4.8. FSM Verifier
.

.
, .
,
.
,
, ,
. ,
198
(x1, x2)
Ai in sj (, Ai
sj). .

o.zi() Ai.ej()
.

FSM Verifier ,
, ,

. ,
:
. 4.9
.
0
s1
s1
e1[x1 & x2]

1
A2.e1
e1[x1 & x2]

A2.e1, z1
2
z1
s2
3
s2
. 4.9. .
(), ()

FSM Verifier
.
Ak sj;
zi;
ei.
NuSMV, , FSM Verifier,

,
199
CTL.
: AF f, AG f, A[f U g].
,
.

,
NuSMV,
.
, .

.

. FSM Verifier
[65].

:
verifier.jar ,
SMV;
counterexample.jar , ,
NuSMV,
.
,
:
NuSMV;
Java Runtime Environment.

Windows Linux.
FSM Verifier ,
XML.
FSM Verifier
. [77].
XML-
( 4.10).
4.10. FSM Verifier
<specification>
<string>AG (A0.s1 -> AF A1.s1)</string>
</specification>
200
, inputfile.fsm,
SMV
input.smv:
java jar fsmverifier.jar inputfile.fsm > input.smv
NuSMV:
NuSMV input.smv > verifier.out

:
java jar counterexample.jar verifier.out inputfile.fsm

HTML- .
:

UniMod
XML,
, FSM Verifier.
,
UniMod
FSM Verifier.
UniMod
.
FSM Verifier ,
.
UniMod
FSM Verifier
. ,
:
FSM Verifier .
AClient
10. s11,
201
AClient in 10. AClient.s11.

FSM Verifier
, .
. 4.5, 4.6 , e10
AClient. e10 AClient.e10.
4.11.
4.11.
<specification>
<string>!E[!AClient.e10 U AClient.s11]</string>
</specification>
, FSM Verifier,
:
java jar verifyer.jar Bankomat.fsm
Bankomat.fsm ,
UniMod
FSM Verifier. , ,
.
out.smv
NuSMV.
NuSMV:
NuSMV out.smv

4.12.
4.12.
:\Verifiers\FSM Verifier>NuSMV out.smv
*** This is NuSMV 2.4.3 (compiled on Tue May 22 14:08:54
UTC 2007)
*** For more information on NuSMV see
<http://nusmv.irst.itc.it>
*** or email to <nusmv-users@irst.itc.it>.
*** Please report bugs to <nusmv@irst.itc.it>.
*** This version of NuSMV is linked to the MiniSat SAT
solver.
*** See
http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat
*** Copyright I 2003-2005, Niklas Een, Niklas Sorensson
-- specification !E [ !AClient.e10 U AClient.s11 ]
true
is
,
. ,
, pin-.
202
.
FSM Verifier 4.13.
4.13.
<specification>
<string>AF AClient.s11</string>
</specification>
NuSMV:
java jar verifyer.jar Bankomat.fsm
NuSMV:
NuSMV out.smv
4.14
( ).
4.14.
:\Verifiers\FSM Verifier>NuSMV out.smv
*** This is NuSMV 2.4.3 (compiled on Tue May 22
14:08:54 UTC 2007)
*** For more information on NuSMV see
<http://nusmv.irst.itc.it>
*** or email to <nusmv-users@irst.itc.it>.
*** Please report bugs to <nusmv@irst.itc.it>.
*** This version of NuSMV is linked to the MiniSat SAT
solver.
*** See
http://www.cs.chalmers.se/Cs/Research/FormalMethods/Min
iSat
*** Copyright I 2003-2005, Niklas Een, Niklas Sorensson
-- specification AF AClient.s11 is false
-- as demonstrated by the following execution sequence
Trace Description: CTL Counterexample
Trace Type: Counterexample
-> State: 1.1 <AClient.State = 0
AServer.State = 0
Active = 0
Event = 0
AClient.s9 = 0
...
NuSMV .
:
NuSMV out.smv > verifier.out
203

FSM Verifier:
java jar counterexample.jar verifier.out Bankomat.fsm
out.html.
, ,
. 4.2.
4.2. ,
FSM Verifier
Step
Active
Event
AClient
AServer
Action
1
2
3
4
5
6
7
8
9
AClient
AClient
AClient
AClient
AClient
AClient
AClient
AClient
AClient
eAlways
e6
e2
e7
s1
s1
s13
s13
s9
s9
s7
s7
s13
s1
s1
s1
s1
s1
s1
s1
s1
s1
o1.z1
o1.z2
o1.z13
o1.z1
,

UniMod- , ,
FSM Verifier.
(
AClient):
s1 UniMod-;
s13 1. ;
s9 2. pin-;
s7 13. .
.
.
( e6), ( e2),
( e7),
(s1). :
.
, .
,
. 4.5,
204
1. ,
.
2. pin-
13.
,
. , 3 9
.
, 4- 9- , 1- 3-
.
,
(
):
123456789 456789 456789 4
4.5.
4.5.1. CTL Verifier

CTL Verifier [63, 77, 84]
,
CTL.

.
,
, .

.
.

M = (S, R, Label)
Label Label S AP.
R(s, t) s t.
, ,
.
,
.
,
.
,
.
,
205
, .
,
(
).

, ,
, ,

. ,
.
.
AP :
AP = {Y1, Y2, } {e1, e2, } {x1, x2, } {z1, z2, }
{InState, InEvent, InAction} Names.
{Y1, Y2, }
, {e1, e2, } , {x1, x2, }
, {z1, z2, }
. Names
, InState, InEvent InAction
, ,
, ,
.
: ,
(
,
). .
S
s
Label : (s, s) (s, InState).
s
. s zs[1], , zs[u],
s. u
{r1, , ru} u r1 r2, , ru1 ru, ru s.
Label (rk, zs[k]), (rk, InAction) k
1 u. ,
, , s,
r1.
. 4.10.
206
Y
z1, z2, , zn
z 1,
InAction
z2,
InAction
zn,
InAction
Y,
InState
. 4.10.
() ()

.
.
Y AY,1, AY,2,
, AY,v (
). (
) ,
Y. AY,1, AY,2, , AY,v
.
,
,
.
, ,
.
,

. Label.
,
, v : i 1
v 1
AY,i
AY,i+1
AY,v , Y.
Y - ,

AY,1.
. 4.11.
AY,1
AY,1
Start
AY,2
AY,1
Finish
AY,2
Start
AY,v
AY,2
Finish
AY,v
Start
AY,v
Finish
Y
InState
. 4.11. ,
, A
B.
207
(
)
. ( )

( ).
,
. AClient
AServer, AServer AClient.

. 4.4, AServer AClient
. 4.5 4.6.
.
. 4.12 :
,
.
, ,
.
. 4.12.
208
.
, .
,
.
p ,
, ,
,
.
. p
ei[1], , ei[s].
xj[1], , xj[t] ( ) .
zk[1], , zk[u],
q. r u + 1
{re, r1, , ru}, u + 2 : p re,
re r1, r1 r2, , ru1 ru, ru q, Label
(re, ei[i*]), (re, xj[j*]) (re, InEvent), (rk*, zk[k*]), (rk*, InAction)
i* 1 s, j* 1 t k* 1 u.
,
,
, :
,
ei. ,
,
,
.

(____ + 1)
__,
2_.

ATrig,
RS- [85] (. 4.13, 4.14).
!S
!R
S & !R
Y=0
Y=1
R
. 4.13. ATrig
209
InEvent,
R, S
InEvent
InEvent,
S
InState,
InEvent,
R, S
Y=0
InEvent,
R
InEvent,
R
InEvent,
S
InState,
Y=1
InEvent
. 4.14. ATrig
CTL-
(S R) EX EX (Y = 1), ,
, , ,
1.
, , ,
InEvent.

( ,
, )
Label
(
Names),
(,
).
,
,
.

AP :
AP = {Y1, Y2, } {e1, e2, } {x1, x2, } {!x1, !x2, }
{z1, z2, } {InState, InEvent, InAction} Names.
, , ,
S
s Label :
(s, s) (s, InState). , ,
.
.
, .
:
210
{x1, !x1; x2, !x2; x3, !x3; }.

, ,
. !.

, ( !xi).
r ,
p q
ei & hj[1] & hj[2] & hj[3] & & hj[m] / zi[1], , zi[n]
( hj[j*] = xj[j*], hj[j*] = !xj[j*] , hj[j*]
, ), n + 1
{re, r1, , rn} n + 2 :
p re, re r1, r1 r2, , rn1 rn, rn q.
Label (re, ei), (re, InEvent), (rk, zi[k]),
(rk, InAction) k 1 n,
(re, hi[1]), (re, hi[2]), , (re, hi[m]).
. 4.15.
Y=1
ei & x2 & !x4 & !x5 / z1, z2, , zn
Y=2
InState,
Y1
InEvent,
ei,
x2, !x4, !x5
InAction,
z1
InAction,
z2
InAction,
zn
InState,
Y2
. 4.15.
() ()
, ,
,
,
( , ).
, ,
Label
,
.
,
211
(. 4.3). . 4.16 ,
.
InEvent,
e4
!o2.x1
InState,
Error
InEvent,
e11
InAction
o1.z1
InAction
o2.z1
InState,
Opening
InEvent,
e2
InEvent,
e3
InState,
Closed
InEvent,
e2
InEvent,
e4,
o2.x1
InState,
Opened
InAction,
o1.z1
InState,
Closing
InAction,
o1.z2
InEvent,
e12
. 4.16. ,

ARemote,
[86].
. 4.17 4.18.
ARemote
z00
z01

start()
handleEvents(), keypressed()
handleEvents(), time_is_up()
handleEvents(), receive_signal(&signal)
handleEvents(), receive_signal(&signal), STOP_SIGNAL
e0
z02
e1
z03
e2
z04
e3
e4
z05
z06
z07
key == KEY_RESET
key == KEY_RECORD
key == KEY_SET_PAD
len == MAX_SIGNALS, full()
<Reset>
x0
z08
x1
z09
x2
z10
x3
z11
z12
z13
z14
hash_send(key)
; " ..."
: " ";

: "
"
: " ";

: " "
; :
" ";
;
,
message(),
set_timer()
pad = key
message()
message(),
set_timer()
message()
key_for_bind,
message()
set_timer(),
message(), full()
buf[len++] =
_signal
hash_bind(),
message
: " "
: " "
. 4.17. ARemote
212
hash_load(),
message()
message()
set_timer()
0.
e1 & x0 & x1 & x2

z00
e0
z00
2.
e1 & x0 & x1 & x2

z01
1.
e2
4.
e1 & x0 & x1 & x2
e1
z02
z06
e1 & x0 & x1 & x2

e1 & x0 & x1 & x2
z04
3.
z03
6.
e2
z05
e2
z07
e2
e1 & x0 & x1 & x2

z08
e4 | e1 & x1
z11
5.
e2
z12
z14
e3 & x3
z13
z09
e3 & x3
z10
. 4.18. ARemote
. 4.19 ,
ARemote. ,
, .
- ,
, ,
,
.
,
. , A2 A1
, A1
3,
3
.
, .
.

. 4.20 4.21.
,
. ,

.
.

.
213
ARemote,
InEvent, e0
ARemote,
InAction, z00
ARemote,
InEvent, e1,
x0, !x1, !x2
ARemote,
InAction, z01
ARemote,
InState, Y = 0
ARemote,
InEvent, e1,
!x0, !x1, !x2
ARemote,
InAction, z02
ARemote,
InAction, z04
ARemote,
InState, Y = 1
ARemote,
InEvent, e2
ARemote,
InEvent, e1,
!x0, x1, !x2
ARemote,
InEvent, e2
ARemote,
InEvent, e1
ARemote,
InState, Y = 2
ARemote,
InAction, z06
ARemote,
InState, Y = 6
ARemote,
InAction, z07
ARemote,
InEvent, e2
ARemote,
InState, Y = 4
ARemote,
InEvent, e1,
!x0, !x1, !x2
ARemote,
InEvent, e1,
x1
ARemote,
InAction, z14
ARemote,
InAction, z05
ARemote,
InAction, z11
ARemote,
InEvent, e4
ARemote,
InAction, z12
ARemote,
InEvent, e2
ARemote,
InAction, z13
ARemote,
InEvent, e3,
x3
ARemote,
InEvent, e1,
!x0, !x1, x2
ARemote,
InEvent, e1,
!x0, !x1, !x2
ARemote,
InAction, z08
ARemote,
InState, Y = 5
ARemote,
InEvent, e2
ARemote,
InAction, z09
ARemote,
InAction, z10
ARemote,
InEvent, e3,
!x3
ARemote,
InState, Y = 3
ARemote,
InAction, z03
. 4.19. ARemote
CTL-

.
CTL-
CTL-
: , CTL, ()
.
( f f).
, ,
: ,
214
A1
A1.Y1
A1.Y2
call A2
call A2
A2
A2.Y1
A2.Y2
e & A1.Y2 & !x
call A3
call A3
A3
A3.Y1
A3.Y2
e & x & A1.Y1 & A2.Y1
. 4.20. , ,

A3, InState,
A3, InEvent,
A3, InState,
A2, InState,
A2, InEvent,
A3, InState,
A3, InEvent,
A3.Y1
e, x
A3.Y2
A2.Y1
e, !x
A3.Y1
e, x
12
13
11
21
10
A3, InState,
A3, InEvent,
A3, InState,
A1, InEvent,
A1, InState,
A2, InState,
A3, InState,
A3.Y2
e, x
A3.Y1
A1.Y1
A2.Y2
A3.Y2
14
19
15
17
16
18
20
A2, InState,
A2, InEvent,
A3, InState,
A3, InEvent,
A3, InState,
A2, InState,
A1, InState,
A2.Y1
e, !x
A3.Y1
e, x
A3.Y2
A2.Y2
A1.Y2
. 4.21.
( , xi
!xi).
,
CTL.
: ,
, CTL-,
(

, ).
215
. CTL-:
e14 E[o3.z0 U y10]. : e14,
10, o3.z0.
. e14
10 AServer:
3, 9
AClient. ,
,
. 4.22. e14, ,
.
. 4.22.
,
CTL.
, CTL,
,
CTL. .
, . 4.22,

(. 4.23, 4.24). e14 .
216
. 4.23. AClient

[77, 84, 87].

CTL Verifier
:
.
217
. 4.24. AServer
() ()
CTL Verifier
CTL, : EX,
EG, EU. CTL
:
AX g = !EX !g;
EF g = 1 EU g;
AF g = !EG !g;
AG g = !EF !g = !(1 EU g);
f AU g = !((!g EU !(f || g)) || EG !g).
218

. ,
, ,
.

[58, 75, 76]
.
-,
, ,
.
, .

,
. ,
, ,
.

. ,
, Y =
InState,
.

.

, .
, ,
.
(, )
( ).

,
, ,
.

CTL Verifier ,
. ,

.
219
, ,
.
. ,
. , EG !e1 ,
4.15.
4.15. EG !e1
[Properties]
f1 = e1
f2 = !f1
f3 = $EG f2
:
CTLVerif.exe < >
[ < > [< >] ]
CTL Verifier
Windows.
:
, ;
,
. ,
,
;
,
.

, ,
. :
1 34 35 (3 38 39 5 109 110 8 91 92 15 85 86 20 82 83);
,

.

FSM Verifier, CTL Verifier
, UniMod.
CTL Verifier
UniMod-
. UniMod ,
UniMod
CTL Verifier.
,
220
,
. .

Bankomat.dat. AClient 10.
s10.
Bankomat.dat 4.16.
4.16.
[Properties]
; !(!e10 EU s10)
f1 = e10
f2 = !f1
f3 = s10
f4 = f2 $EU f3
f5 = !f4
:
CTLVerif.exe Bankomat.dat out.txt out
out.txt .
, out, f1, f2, f3, f4 f5.
,
.
f5. 4.17 (
4 82).
4.17.
$
1: AClient InState s0
28: AClient InAction o1.z1
, f5
s0 AClient
. s0
CTL Verifier
s1 UniMod.
,
. ,
,
,
pin-.
. CTL Verifier
AF, ,
CTL: AF s10 = !EG !s10.
221

Bankomat.dat.
( 4.18)
4.18.
[Properties]
; AF s10 = ! EG !s10
f1 = s10
f2 = !f1
f3 = $EG f2
f4 = !f3
:
CTLVerif.exe Bankomat.dat out.txt out
f4 3 ,
( 4.19).
4.19.
106: AClient e13 InEvent
,
. ,
,
.
f3.
. 4.20
113 f3.
4.20.
[1]
$
89: * AClient InEvent
Cycle:
% 80: AClient InState s5
4.20
.
,
, .
,

( UniMod).
4.21.
222
4.21.
$
89: * AClient InEvent
29: AClient InState "1. "
Cycle:
% 80: AClient InState s2
.
,
.
( e0), .
s2, . ,
.
4.5.2. Automata Verificator

Automata Verificator [88]
- .
,
, , ,
LTL.
,
.
, [88],

.
Automata Verificator ,
UniMod.

,
. ,
.

, Automata
Verificator, ,
UniMod.Verifier. :
223
wasEvent;
isInState;
wasInState;
cameToFinalState;
wasAction;
wasFirstAction.
,
UniMod.Verifier. ,
,
,
.
, Automata Verificator
.
Java,
@Predicate. , ,
o1.z1
o1.z2.
LTL.

,
.

.

Automata Verificator
Java- ,
.
, ,
Automata Verificator.

XML,
UniMod.
:
java jar verifier.jar A.xml A1 "F(wasEvent(p.e1))"
224
java Java- (
Java Runtime Environment 6- );
A.xml
UniMod;
A1 ;
F(wasEvent(p.e1)) (
: - e1,
p).

, LTL,
.
Verification successful. ,
, 4.22.
4.22. Automata Verificator
LTL: F(isInState(AClient, AClient["10. "]))
initial 0
BuchiNode 0
[!isInState(AClient, 10. )] 0
Accept set 0 [0]
DFS 2 stack:
["<"13. ", "s1">", 0, 0]["<"1.
", "s1">", 0, 0]
DFS 1 stack:
["<"s1", "s1">", 0, 0]["<"1. ",
"s1">", 0, 0]
["<"2. pin-", "s1">", 0, 0]["<"3.
", "s1">", 0, 0]
["<"4. ", "s1">", 0, 0]["<"13.
", "s1">", 0, 0]
,
(initial)
(Accept set).
0.
.

(DFS 1)
(DFS 2).
DFS 1 DFS 2.
DFS 2,
DFS 1.
225

.
:
1. ;
2. ;
3. .

UniMod.
.
. , e10,
:
wasEvent(p3.e10)
p3 , e10 (. 4.5).
, AClient
10. , :
isInState(AClient, AClient[\"10. \"])

:
java jar verifier.jar Bankomat.xml AClient
"!U(!wasEvent(p3.e10), isInState(AClient, AClient[\"10.
\"]))"
4.23.
4.23.
LTL: !U(!wasEvent(p3.e10), isInState(AClient,
AClient["10. "]))
initial 1
BuchiNode 0
[true] 0
BuchiNode 1
[!wasEvent(e10)] 1
[isInState(AClient, 10. )] 0
Accept set 0 [0]
Verification successful
, .
:
java jar verifier.jar Bankomat.xml AClient
"F(isInState(AClient, AClient[\"10. \"]))"
226
4.22.
.
DFS 1, DFS 2.

AClient.
, AClient
s1,
1. , 2. pin-, ,
, 3. .
, 4. .
,
13. .
DFS 2,
1. .
, ,
.
,

.
,
.
, .
,
,
.
,
,

.
,
( ).
,
,
.
.
,
227
15- ,
[89].
,
.

(model checking), 30 .
, ,
,
,
.

2007 .
, .
, ,
. , ,
Pentium I
Intel [90]. Intel

.
,

.
40 000 [89].
, ,
.
.
,
,
(bounded model checking) [91],

.
,

.

10 000 [89].
,
,
- IEEE Futurebus+
( IE 896.11991).
228
1988 .,
.
1992 . -
[92] SMV ,
SMV, ,
.

.

.
.

[2, 51]. ,

.
,
. ,
model checking

.
,
, . ,
, ,

() ,
model checking,
.
,
,
,
.

, [59].

[93, 94].
[17, 18].

2006 . [87], [70].
-
,
229
[53, 63, 77]

. . . [95, 96].
[97, 98], , [99].

:
.
,
, ,
.
230

1. Katoen J.-P. Concepts, Algorithms, and Tools for Model Checking.
Lehrstuhl fr Informatik VII, Friedrich-Alexander Universitt
Erlangen-Nrnberg. Lecture Notes of the Course Mechanised
Validation of Parallel Systems (course number 10359). 1998/1999.
http://fmt.isti.cnr.it/~gnesi/matdid/katoen.pdf
2. . .
Switch-.
. .: ,
1998. http://is.ifmo.ru/books/switch/1
3. Liggesmeyer P.,
Rothfelder M.,
Rettelbach M.,
Ackermann T.
Qualittssicherung Software-basierter technischer Systeme
Problembereiche und Lsungsanstze // Informatik Spektrum. 21: 249
258, 1998.
4. Baier C., Katoen J.-P. Principles of Model Checking. The MIT Press,
2008.
http://is.ifmo.ru/books/_principles_of_model_checking.pdf
5. Harel D., Pnueli A. On the Development of Reactive Systems // Logics

and Models of Concurrent Systems. V. F-13 of NATO ASI Series. NY,
Springer-Verlag, 1985.
http://www.wisdom.weizmann.ac.il/~dharel/SCANNED.PAPERS/
ReactiveSystems.pdf
6. . ., . .
. .: , 2008.
7. ISO/ITU-T. Formal Methods
International Standard, 1996.
in
Conformance
Testing.
Draft
8. .

. .: , 2004.
9. . :
. .: , 2003.
10. Freeman S., Pryce N., Mackinnon T., Walnes J. Mock

Objects. http://www.jmock.org/oopsla2004.pdf
Roles,
not
11. Umrigar Z., Pitchumani V. Formal verification of a real-time hardware

design / Proceedings of the 20th Design Automation Conference, 1983.
http://portal.acm.org/ft_gateway.cfm?id=800667&type=pdf&
CFID=112534228&CFTOKEN=12780503
12. . . . :
, -, 2003.
231
13. Hoare C. A. R. An axiomatic basis for computer programming

// Communications of the ACM. 1969/12, pp. 576583.
http://se.ethz.ch/teaching/ss2005/0250/readings/Axiomatic_
Basis.pdf
14. Owicki S., Gries D. An axiomatic proof technique for parallel programs
// Acta Informatica. 1976/6, pp. 319340.
http://www.springerlink.com/content/x12541v1q15570n2/
15. Pnueli A. The temporal logic of programs / 18th IEEE Symposium on

Foundations of Computer Science. 1977, pp. 4657.
http://www.inf.ethz.ch/personal/kroening/classes/fv/f2007/
readings/focs77.pdf
16. ., ., ., ., ., .,
., ., ., ., .
:
. .: , 1998.
17. ., ., . :
Model Checking. .: , 2002.
18. . . Model Checking:
. .: -,
2010.
19. West C. H. Applications and limitations of automated protocol
validation / 2nd Symposium on Protocol Specification, Testing and
Verification. 1982, pp. 361371.
20. Clarke E. M., Emerson E. A. Synthesis of synchronization skeletons for
branching time logic // Logic of Programs. LNCS 131. 1981, pp. 52
71. http://www.springerlink.com/content/w1778u28166t2677/
21. Apt K. R., Kozen D. C. Limits for the automatic verification of finitestate concurrent systems // Information Processing Letters. 1986/22,
pp. 307309.
22. . .
.
http://logic.pdmi.ras.ru/~kulikov/verification/10.pdf
23. Lichtenstein O., Pnueli A., Zuck L. The glory of the past // Logics of
Programs. LNCS 193. 1985, pp. 196218.
http://www.springerlink.com/content/7681m36026888082/
24. . .
// . 1993. 1, . 328.
232
25. Sistla A. P., Clarke E. M. The complexity of propositional linear

temporal logics // Journal of the ACM. 32(3). 1985, pp. 733749.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.
94.178&rep=rep1&type=pdf
26. Clarke E. M., Draghicescu I. A. Expressibility results for linear time

and branching time logics // Linear Time, Branching Time, and Partial
Order in Logics and Models for Concurrency. LNCS 354. 1988,
pp. 428437.
http://www.springerlink.com/content/5n2702u432119wx8/
27. Kripke S. A. Semantical considerations on modal logic // Acta

Philosophica Fennica 16: 8394, 1963.
http://condor.wesleyan.edu/courses/2007s/phil390/01/etexts/Kripke/Kripke,%20Semantical%20Considerations%20on%
20Modal%20Logic.pdf
28. Emerson E. A., Halpern J. Y. Sometimes and not never revisited:

on branching versus linear time temporal logic // Journal of the ACM.
33(1). 1986, pp. 151178.
http://www.cs.cmu.edu/~emc/15-820A/reading/p127emerson.pdf
29. Bryant R. Graph-based algorithms for boolean function manipulation

// IEEE Transactions on Computers. C-35. 1986/8, pp. 677691.
http://www.cs.cmu.edu/~bryant/pubdir/ieeetc86.pdf
30. . . Model Checking.

http://intsys.msu.ru/staff/mironov/modelchk.pdf
31. . ., . .
// .
. 9. 2005. . 14, . 209252.
http://www.intsys.msu.ru/magazine/archive/v9(1-4)/mironov209-252.pdf
32. Wegener I. Branching Programs and Binary Decision Diagrams. SIAM

monographs on discrete mathematics and applications, 2000.
33. Clarke E. M., Grumberg O., Long D. Verification tools for finite-state
concurrent systems // A Decade of ConcurrencyReflections and
Perspectives. LNCS 803. 1993, pp. 124175.
http://www-2.cs.cmu.edu/~modelcheck/edpapers/VTfFSCS.pdf
34. McMillan K. L. Symbolic

Publishers, 1993.
Model
Checking.
Kluwer
Academic
http://cadence.com/cadence/cadence_labs/Documents/mcmillan_
CMU_1992_Symbolic.pdf
233
35. Clarke E. M., Emerson E. A., Sistla A. P. Automatic verification of

finite-state concurrent systems using temporal logic specifications
// ACM Transactions on Programming Languages and Systems. 8(2).
1986, pp. 244263.
http://www.cs.cmu.edu/~modelcheck/ed-papers/AVoFSCSU.pdf
36. Kropf T. Hardware Verifikation. Habilitation thesis. University of

Karlsruhe, 1997.
37. Tarjan R. Depth-first search and linear graph algorithms // SIAM
Journal on Computing. Vol. 1 (1972). No. 2, pp. 146160.
http://rjlipton.files.wordpress.com/2009/10/dfs1971.pdf
38. Eppstein D. Design and Analysis of Algorithms. Lecture notes for

1996. http://www.ics.uci.edu/~eppstein/161/960220.html
39. Alur R., Courcoubetis C., Dill D. Model-checking in dense real-time
// Information and Computation. 104: 234, 1993.
http://www.cis.upenn.edu/~alur/Lics90D.ps
40. Alur R., Henzinger T. A.

Real-time
logics:
Complexity
and
expressiveness // Information and Computation. 104: 3577, 1993.
http://www.cis.upenn.edu/~alur/Lics90H.ps
41. Alur R., Henzinger T. A. Back to the future: towards a theory of timed
regular languages / IEEE Symp. on Foundations of Computer Science.
1992, pp. 177186. http://www.cis.upenn.edu/~alur/Focs92.ps
42. Yovine S. Model checking timed automata // Embedded Systems.
LNCS 1494, 1998.
http://wwwverimag.imag.fr/~yovine/articles/embedded98.ps.gz
43. Petri C. A. Kommunikation mit Automaten. Ph. D. Thesis. University

of Bonn, 1962.
44. Esparza J., Nielsen M. Decidability issues for Petri nets a survey
// Bulletin of the EATCS, 1994.
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.
2.3965
45. Boucheneb H., Hadjidj R. Model checking of time Petri nets.

46. Holzmann G. J. The Model Checker SPIN // IEEE Transactions on

software engineering. 1997, V. 23, I. 5.
47. Dijkstra E. W. Guarded commands, non-determinacy and formal

derivation of programs // CACM. 18(8), 1975.
http://www.cs.utexas.edu/users/EWD/ewd04xx/EWD418.PDF
234
48. Dolev D., Klawe M., Rodeh M. An O(n log n) unidirectional distributed
algorithm for extrema finding in a circle // Journal of Algorithms.
1982/3, pp. 245260.
49. McMillan K. L. The SMV System. Technical Report CS-92-131.

Carnegie-Mellon University, 1992.
http://www.comp.nus.edu.sg/~cs3234/smvmanual.pdf
50. Chan W., Anderson R. J., Beame P., Burns S., Modugno F., Notkin D.,
Reese J. D. Model checking large software specifications // IEEE
Transactions on Software Engineering. 24(7). 1998, pp. 498519.
http://www.cs.washington.edu/homes/beame/papers/fse.pdf
51. . ., . . .
.: , 2010. http://is.ifmo.ru/books/_book.pdf
52. ., ., .
, . .: , 2008.
53. .
1, 2. 2007.
http://is.ifmo.ru/verification/_2007_01_reportverification.pdf
54. 1-
.
http://is.ifmo.ru/verification/_2007_01_patentverification.pdf
55. Gnesi S., Mazzanti F. A model checking verification environment for

UML statecharts / Proceedings of XLIII Congresso Annuale AICA,
2005. http://fmt.isti.cnr.it/~gnesi/matdid/aica.pdf
56. . .,
. .

//
. . 18. 2009, . 8892.
http://is.ifmo.ru/works/_volobuev.pdf
57. . ., . .
/
,
- .
. .: 2010, . 9098.
http://is.ifmo.ru/works/_2010_05_25_verific.pdf
235
58. . .,
. .,
. .,
. .

// . 2007. 6, . 6580.
http://is.ifmo.ru/works/_2008_01_27_gurov.pdf
59. Zakonov A., Stepanov O., Shalyto A. GA-Based and Design by Contract
Approach to Test Generation for EFSMs / Proceedings of IEEE EastWest Design & Test Symposium (EWDTS`10). St. Petersburg. 2010,
pp. 152155.
http://is.ifmo.ru/works/_ewdts_2010_zakonov.pdf
60. . ., . ., . .

,
: .
, 2010, . 124130.
http://is.ifmo.ru/works/_2010-10-01_klebanov.pdf
61. Barr M. Real men program in C.

http://www.eetimes.com/General/DisplayPrintViewContent?
contentItemId=4027479
62. . . :
? //
: . 2010. 4,
. 5460.
63. . ., . .
// -
. 2009. . 6(64), . 6677.
http://is.ifmo.ru/works/_2010_01_29_velder.pdf
64. . ., . .
// - . 2008. 5,
. 1521. http://is.ifmo.ru/works/_egorov.pdf
65. . . ,

SMV // - . . 53.
. 2008, . 137144.
http://books.ifmo.ru/ntv/ntv/53/ntv_53.pdf
66. . ., . .
SPIN // -
. . 53. .
2008, . 145162.
236
67. . ., . .
UNIMOD.VERIFIER // -
. . 53. .
2008, . 162176.
68. Roux C., Encrenaz E. CTL May Be Ambiguous when Model Checking
Moore Machines. UPMC LIP6 ASIM, CHARME, 2003.
http://sed.free.fr/cr/charme2003.ps
69. . .
// . 2006. 1,
. 2734. http://is.ifmo.ru/verification/_hamp.pdf
70. . ., . ., . .
CPN/Tools //
. 2006. 2, . 415.
http://is.ifmo.ru/verification/_cpnverif.pdf
71. . ., . .
LTL
//
. 2007. 1, . 314.
http://is.ifmo.ru/verification/_LTL_for_Spin.pdf
72. . ., . ., . .
LTL.
http://is.ifmo.ru/verification/_ltl_aut_ver_1.pdf
73. . ., . . ,
// . 2008.
1, . 3860.
http://is.ifmo.ru/download/2008-03-12_verification.pdf
74. . ., . . .
, 2006.
http://is.ifmo.ru/unimod-projects/bankomat
75. eVelopers Corporation. http://www.evelopers.com

76. UniMod. http://unimod.sf.net
77. .
3, 4. 2008.
78. . . .
. , 2007.
http://is.ifmo.ru/papers/_lukin_bachelor.pdf
237
79. . .
SPIN.
. , 2009.
http://is.ifmo.ru/papers/_lukin_master.pdf
80. Spin home page. http://spinroot.com

81. . . UniMod Bogor.
. , 2007.
http://is.ifmo.ru/papers/_jaminov_bachelor.pdf
82. . . UniMod-.
. , 2009.
http://is.ifmo.ru/papers/_jaminov_master.pdf
83. Bogor home page. http://bogor.projects.cis.ksu.edu

84. . ., . .
// -
. . 53. . 2008, . 123136.
85. . . .
. .: , 2000.
http://is.ifmo.ru/books/log_upr/1
86. . ., . .
. , 2005.
http://is.ifmo.ru/projects/irrc/
87. . .
model
checking.
.
, 2006.
http://is.ifmo.ru/papers/_velder_bachelor.pdf
88. . ., . .
// - . . 53.
. 2008, . 177188.
89. . model checking // Communications of the

ACM. 2008. Vol. 51. 07/08, pp. 110112.
http://is.ifmo.ru/verification/_model_checking.pdf
90. . // Communications of the

ACM. 2008. Vol. 51. 07/08, pp. 1416.
http://is.ifmo.ru/verification/_v_poiskax_nadejnogo_koda.pdf
91. Biere A., Heule M., Maaren H. van, Walsh T. (eds.)

Satisfiability. IOS Press, 2009.
238
Handbook
of
92. Long O. E. Model Checking, Abstraction and Compositional

Reasoning. PhD thesis. Carnegie Mellon University, 1993.
93. Schnoebelen P., Brard B., Bidoit M., Laroussinie F., Petit A.
Vrification de logiciels: techniques et outils du model-checking.
Vuibert, 1999.
94. Brard B., Bidoit M., Finkel A., Laroussinie F., Petit A., Petrucci L.,
Schnoebelen P. Systems and Software Verification. Model-Checking
Techniques and Tools. Springer, 2001.
95. . ., . .
// .
2007. 1, . 1118. http://mais.uniyar.ac.ru/ru/article/61
96. . .
TCTL .
. , 2008.
http://is.ifmo.ru/papers/_velder_master.pdf
97. . .
.
. . .
.
. . . , 2008.
http://is.ifmo.ru/disser/kubasov_disser.pdf
98. . . .
. . .
, 2011.
99. . .
.
. .-. . .
. . . , 2010.
239
, 110
CTL-, 76, 83
, 91
LTL-, 37, 124
, 138
LTL-, 50, 99
, 86
, 146
, 62, 99, 100

, 110
,
91, 92
, 118, 142
, 118, 142
, 117
, 128, 135, 137
, 148
, 170,
229
, 145
, 44
, 34
, 151
, 27
, 30
, 42
, 42
, 34
, 118
,
91, 92
, 152
, 111
, 18
, 5, 9
, 147
, 19
, 26, 228
, 91
, 27
, 91
, 44
, 15, 227
, 145
, 35,
72
, 108
, 147
, 35,
72
, 91
240
, 145
, 146
, 110, 111
, 206
, 117
,
210
, 145
, 45
, 31, 83, 99
, 146
-, 14
, 16
, 38
, 136
, 62
, 38
, 116, 127
, 16
, 148
, 27
, 31, 50, 54
, 27
, 118, 142
, 30
, 146
, 16
, 137
, 6, 21, 148, 228
, 45
, 228
, 228
, 48, 169
, 151
, 174
, 152
, 38
, 46
, 46, 124
, 31, 76
, 36
, 117
, 118
, 38, 77, 90, 115
, 117
, 31, 76, 99
, 117
, 166, 169
, 31
, 145
, 114
, 14
, 118, 142
, 62
, 117
, 31
, 11, 34
241
, 128, 134
, 35, 72
, 137
, 35, 72
, 128, 135, 137
, 108
, 36
, 145
, 27
, 146
, 12
, 146
, 12
, 146
, 28
, , 147
, 16
, 228
, 31, 76, 99
, 12
, 34
, 16
, 107
, 11, 34
(assertions), 160, 175
, 34
, 120
, 116
, 15, 227
, 148
, 16
LTL-, 37
, 82
, 62
, 82
, 114, 122
, 120
, 147
, 117, 148
, 114
, 31
, 110
, 31, 50, 54, 62, 116, 127,

148
, 16
, 110
, 53, 70, 89, 93, 168
, 120
, 45
, 31
, 76, 84
, 84
, 117
, 84
, 21
, 60
242
2009 ,
12 ,

.

-
, 20092018 .

1991
. . . .
,
- ,

.

.
200 ,

,
,
.

,
,
,

. .
-
-
,
.
. .
00408 05.11.99
27.01.2011 .
1527
150 .

199034, , .., , . 1416
.: +7 (812) 915-14-54, e-mail: zakaz@TiBir.ru
www.TiBir.ru
-
-
,

197101, -, ., 49

Верификация автоматных программ

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Верификация автоматных программ

Загружено:

Авторское право:

Доступные форматы

-

2.5.7. ...................................................................... 134

2.6. ................................................................................... 145

4.4. , ..... 186

4.5. .................................................... 205

' , ' S ' , '

V' = {v1', v2', , vn'}. v

R(x, y, x', y') = (x' = x + y (mod 2)) (y' = y).

0 i < 3 R(s3) = s3 Label(s0) = {x 0},

s ( U ) j 0: R j(s) (0 k < j: R k(s) ).

G[(m R.in) F(m S.out)].

GF[i: leaderi (j i: leaderj)],

{a, b, c} = {1, 0, 1}, a c,

G((r1 X s1) (rn X sn))

. G(z1 (z2 W z3)).

. 2.13. G(z1 (z2 W z3))

old next, nodes n3.

CTL- : EX(x = 1),

E[x = 1 AX(x 3)] CTL-,

. CTL- . 2.17 ().

(true AX[A(true U )])

2.3.4. CTL, CTL* LTL

sState ( ) (sState ) (sState );

Path ( ) (Path ) (Path );

Path ( U ) j 0: jPath (0 k < j: kPath ).

. 2.19. LTL, CTL CTL*

M, M0, M1, , Mn, s0 A[FG a]

. 2.23. M, M' M"

CTL* LTL. LTL CTL*

PMF (s): [1] ;

PMF (s): (j 0: [j]

PMF (s): (j 0: [j]

(0 k < j: [k] )).

2.3.7. CTL CTL*

X1 q = X q Xn+1 q = X(Xn q).

Label , CTL LTL,

S = {(l, v) L V() | v inv(l)};

(lj, j) (ln, n).

v0(x) = v0(y) = 0, v1 = v0 + 3, v2 = [x, y]v1, v3 = v2 + 4, v4 = [x]v3,

(c) v2 inv(on). (0, 3),

PM (s): (i, d) Pos():

PM (s): (i, d) Pos():

((i, d), w + (, i) + d ((j, d') (i, d):

(l, x), 1 < x < x*.

720 + 180 = 900

v v', [v(x)] = [v'(x)] x C.

v(x)} {v(y)} {v'(x)} {v'(y)}

(*) (**) v v', ,

1. [v(x)] = [v'(x)] v(x) > cx v'(x) > cx x C.

z in AF[(p z 3) (q z > 4) (z x > 5)] cz 5.

4. , {v(x)} = 0 {v'(x)} = 0 v(x) cx,

[(0 < x < 1), (z = 2)] ( ,

return SatR(1) SatR(2);

A , , M(A), (s0, w0)

M(A), (s0, w0) | E[p U<1 q],

M(A), s EF=1 true.

|Copen|! |C|! Copen

en(t) ge(s, W(s, t))

label = l2 | label = l4 : t1;

NST := AG ((prc1.label in {l1, l2, l3, l4,

: LTL, MTL (Metric Temporal

LTL.release (R) : p R q = (p U q);

Model [ step [0] event [null] guards [null] transitions

/AServer) (Top); (/AClient:3. /AServer)