Symbolic Simulation, Model Checking and Abstraction with Partially Ordered Boolean Function
ANSI-C Bounded Model Checking
Transformation process
2) Unrolling of recursive function calls. Recursive calls are handled in the same way as while statements: the recursion is unrolled to a fixed bound, and it is then asserted that the recursion goes no further. A return statement is replaced by an assignment (if the function returns a value) followed by a goto to the end of the function. 3) Backward goto statements are unrolled in the same way as while loops.
Starting from a simple example
These verification conditions must be checked for validity with a decision procedure, which establishes whether the corresponding property holds. We run the decision procedure: cbmc file1.c --bounds-check --pointer-check. CBMC converts the equation shown above into CNF and hands it to a SAT solver. CBMC finds that the equation is not valid, i.e. the program contains a bug, and prints the counterexample trace:
Converting a standard C program into a bit-vector equation
We assume the standard C program has already been preprocessed (all #define statements have been expanded). Next, we apply a series of transformations to the program so that only a single-assignment program remains, in which nothing but branches and assignment statements is used.
Transformation process
2. Unroll the loops in the program: once the preparation is done, the loop constructs are unrolled. Loop constructs include while statements, (recursive) function calls and goto statements. The three cases are handled as follows:
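The unrolling, single-assignment renaming and decision step described on this page, as an added example that is not CBMC's own code: a toy bounded model checker in Python for a small statement language. It assumes a constructed program with a four-element buffer and a nondeterministic 8-bit length n (buffer size, bit width and variable names are assumptions of the example), unwinds the loop to a given bound with an unwinding assertion, renames the result into guarded SSA form, and then, where CBMC would hand the bit-vector equation to a SAT solver, brute-forces the inputs instead.

```python
"""Added example (not CBMC's code): a tiny bounded model checker.

  1. `unroll` unwinds every `while` to a fixed bound and adds an *unwinding
     assertion* that the guard is false afterwards, so a bound that is too
     small is reported instead of silently hiding behaviour.
  2. `to_ssa` gives every assignment a fresh variable version; an assignment
     under branch guard g becomes  x_n = e if g else x_(n-1)  (a phi node),
     so the program is straight-line: the assignments form the constraint C,
     the guarded assertions the property P.
  3. `check` decides C -> P by enumerating the nondeterministic inputs over a
     narrow bit width (assumption of the example; CBMC uses a SAT solver).

Expressions are constructed Python expression strings of this example; they
are trusted literals, never untrusted input.
"""
import re
from dataclasses import dataclass
from itertools import product

@dataclass
class Nondet:  var: str                   # unsigned input, like nondet_uint()
@dataclass
class Assign:  var: str; expr: str
@dataclass
class Assert:  cond: str
@dataclass
class Assume:  cond: str                  # restricts inputs (CBMC's __CPROVER_assume)
@dataclass
class While:   cond: str; body: list
@dataclass
class IfThen:  cond: str; body: list

def unroll(stmts, bound):
    """while(c){B}  ->  if(c){B; if(c){B; ... assert(!c)}} nested `bound` deep;
    the innermost assert is the unwinding assertion."""
    out = []
    for s in stmts:
        if isinstance(s, While):
            nested = [Assert(f"not ({s.cond})")]
            for _ in range(bound):
                nested = [IfThen(s.cond, unroll(s.body, bound) + nested)]
            out.extend(nested)
        elif isinstance(s, IfThen):
            out.append(IfThen(s.cond, unroll(s.body, bound)))
        else:
            out.append(s)
    return out

_IDENT = re.compile(r"[A-Za-z_]\w*")

def _rename(expr, cur):
    """Replace program variables by their current SSA version."""
    return _IDENT.sub(lambda m: cur.get(m.group(0), m.group(0)), expr)

def to_ssa(stmts, st=None, guard="True"):
    """Flatten the unrolled program into guarded single-assignment steps:
    ("nondet", name, None), ("=", name, rhs), ("assume"/"assert", guard, cond)."""
    if st is None:
        st = {"count": {}, "cur": {}, "steps": []}
    def fresh(v):
        st["count"][v] = st["count"].get(v, -1) + 1
        st["cur"][v] = f"{v}_{st['count'][v]}"
        return st["cur"][v]
    for s in stmts:
        if isinstance(s, IfThen):                 # guard renamed once, on entry
            to_ssa(s.body, st, f"({guard}) and ({_rename(s.cond, st['cur'])})")
        elif isinstance(s, Nondet):
            st["steps"].append(("nondet", fresh(s.var), None))
        elif isinstance(s, Assign):
            rhs = _rename(s.expr, st["cur"])      # reads the old version
            prev = st["cur"].get(s.var, "0")      # assumption: uninitialised reads 0
            new = fresh(s.var)
            phi = rhs if guard == "True" else f"({rhs}) if ({guard}) else ({prev})"
            st["steps"].append(("=", new, phi))
        else:
            kind = "assert" if isinstance(s, Assert) else "assume"
            st["steps"].append((kind, guard, _rename(s.cond, st["cur"])))
    return st["steps"]

def _ev(expr, env):
    return eval(expr, {"__builtins__": {}}, dict(env))

def check(prog, bound, width=8):
    """None if every assertion holds for all inputs within `bound` iterations,
    else a counterexample: inputs, the violated assertion and the SSA trace."""
    steps = to_ssa(unroll(prog, bound))
    inputs = [name for kind, name, _ in steps if kind == "nondet"]
    mask = (1 << width) - 1
    for values in product(range(1 << width), repeat=len(inputs)):
        env = dict(zip(inputs, values))
        for kind, a, b in steps:
            if kind == "=":
                env[a] = _ev(b, env) & mask        # unsigned wrap-around
            elif kind == "assume" and _ev(a, env) and not _ev(b, env):
                break                              # input excluded by assume
            elif kind == "assert" and _ev(a, env) and not _ev(b, env):
                return {"inputs": dict(zip(inputs, values)), "violated": b, "trace": env}
    return None

# Constructed program: a copy loop over a 4-element buffer with the assertion
# that --bounds-check would insert before each buf[i] access:
#   unsigned n = nondet_uint(); unsigned i = 0;
#   while (i < n) { assert(i < 4); buf[i] = ...; i = i + 1; }
PROG = [Nondet("n"), Assign("i", "0"),
        While("i < n", [Assert("i < 4"), Assign("i", "i + 1")])]
SAFE_PROG = [Nondet("n"), Assume("n <= 4")] + PROG[1:]

if __name__ == "__main__":
    print(check(PROG, bound=5))       # bounds violation in the 5th unrolled iteration
    print(check(PROG, bound=4))       # bound too small: the unwinding assertion fails first
    print(check(SAFE_PROG, bound=5))  # None: assume(n <= 4) rules the bug out
```

With bound 5 the first failing input is n_0 = 5, violating the fifth unrolled bounds check i_4 < 4; with bound 4 the unwinding assertion not (i_4 < n_0) fails instead, which is the signal that the bound was too small to reach the bug rather than a verdict about the program; with the assume(n <= 4) variant no input violates anything.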
English essay: When I grow up I want to be an architect

Three sample essays on this topic are given in full for the reader's reference.

Essay 1

Since I Was A Little Kid, I've Dreamed of Becoming an Architect

Ever since I was a young child, I've been fascinated by buildings and construction. When other kids were watching cartoons, I was glued to shows about how skyscrapers and bridges were designed and built. While they were reading comic books, I had my nose buried in books about famous architects throughout history like Frank Lloyd Wright, Zaha Hadid, and I.M. Pei. It was clear from an early age that my calling in life was to become an architect.

I still vividly remember the first time the seed was planted in my mind to pursue architecture as a career. It was a school field trip to a major city when I was about 8 years old. As our bus crossed the bridge over the river into downtown, I was awestruck by the towering skyscrapers reaching up into the clouds. The sunlight glistened off the steel and glass facades in a breathtaking way. I thought to myself, "Wow, whoever designed those buildings is incredibly talented. I want to be able to create amazing structures like that one day."

From that moment on, I was hooked. Anytime we went downtown as a family, I would make my parents walk or drive me around to different buildings so I could inspect and admire them up close. I was mesmerized by all the intricate details, interesting shapes, and varying materials and textures. Subconsciously, I was training my eye for design at a young age.

In school, I thrived in math, art, and any classes that involved spatial reasoning, model making, or drawing. Geometry was my favorite subject because I loved calculating angles, areas, and volumes. In art class, I'd spend hours meticulously constructing 3D sculptures out of clay, wood, and other materials. When it came time to pick a topic for our fifth grade science fair

Essay 2

My Dream of Becoming an Architect

Ever since I was a little kid, I've been fascinated by buildings and structures. Whenever my family would go on road trips, instead of playing games or reading like my siblings, I would stare out the window in awe at the houses, skyscrapers, bridges and other architectural wonders we'd pass by. While other kids my age wanted to be firefighters, astronauts or professional athletes when they grew up, I always knew that I wanted to be an architect.

To me, buildings are like living, breathing entities. They have souls and personalities of their own. A building's design speaks volumes about its purpose, the era it was built in, and the vision of its creators. Great architects don't just construct four walls and a roof - they craft experiences and shape the way people interact with the built environment around them. Through their work, they leave lasting impacts on cities and communities.

I love how architecture blends art and science in such a harmonious way. Architects have to be creative visionaries, sketching out ambitious and innovative concepts. But they also have to be pragmatic and analytical, ensuring their designs are structurally sound, functional, and in compliance with codes and regulations. It's an incredible challenge that requires immense skill and passion.

From the grandiose opera houses with their elegant curves and ornate embellishments to the severe simplicity of modern skyscrapers formed by glass and steel, I'm in awe of the entire spectrum of architectural styles. I find myself constantly critiquing and analyzing the built world around me. Why did the architect choose those materials and that form? How did the design complement or clash with its surroundings? What was the inspiration and core concept?

When I study history, I'm just as interested in learning about the societies and belief systems that constructed ancient wonders like the Pyramids, the Parthenon, and the Colosseum as I am about the battles, rulers and cultures themselves. Those buildings have stood as enduring monuments and timeless testaments to human ingenuity and achievement for thousands of years. It's mind-blowing to ponder the work and labor that went into their construction with so few modern tools and machinery at their disposal.

Studying architectural drafting and design at school has only deepened my passion. I've pored over drawings and renderings of buildings until my eyes glazed over. I've experimented with different computer-aided design and 3D modeling software to try and digitally construct my own visions. Just a few lines on a screen can contain entire galaxies of inspiration.

On a few occasions, I've been fortunate to see building designs I worked on in class actually get constructed, even if just as small-scale models. Holding something you created in your own two hands, dimensionalizing it and bringing it into our physical world, is such an indescribably rewarding feeling. It makes me imagine how transcendent and meaningful it must be for real architects to see their grandiose sketches and blueprints metamorphose into tangible edifices of steel, concrete, glass and stone.

My dream architectural project would be to design an art museum or contemporary gallery. I envision a structure that's a symbolic celebration of creative expression itself - with bold angles, sweeping curves, contrasting materials and abundant natural light to dramatically showcase the artwork and sculptures inside. The exterior facade would beckon and seduce visitors with its striking appearance. But once inside, the building's design would strategically direct the flow of patrons and their experiences in an organic, thoughtfully planned way.

I know the road to becoming a successful architect won't be an easy one. It requires years of higher education, training, internships and accreditation. The hours can be quite grueling, especially when working on competitions or crunching to meet tight deadlines. And even after completing college, you essentially have to start at the bottom as a junior employee before working your way up to lead larger projects.

But I've never shied away from hard work and academic challenges. My passion for architecture fuels me and drives me to push myself. I'm already taking advanced STEM classes like calculus, physics and drafting to get a head start. And I've joined the school's Architecture Club to gain more experience with design software and start building up a portfolio of my work.

More than just a career, I see architecture as a higher calling - a way to literally construct the world we'll all live in and leave an enduring, tangible legacy that will last long after I'm gone. An architect's creations and impacts become part of the cultural fabric and lived experiences of a community or city. That's an amazing legacy and responsibility that few other professions can claim.

In my mind, becoming an architect goes far beyond just designing visually appealing buildings. It's about shaping communities and crafting environments that elevate the human experience. It's about protecting the environment through sustainable and eco-friendly construction. It's about finding innovative solutions to problems like urban crowding and housing shortages. Most of all, it's about using creativity and human ingenuity to constantly push the boundaries of what's possible.

I can't wait to one day be part of the long, storied lineage of architects - joining the ranks of legendary visionaries and trailblazers like Frank Lloyd Wright, Zaha Hadid, Frank Gehry, and so many other brilliant minds. Just dreaming about adding my own work to the rich, sprawling atlas of architectural wonders across the globe fills me with anticipation and excitement.

While most kids my age are focused on passing the next test or checking the latest celebrity gossip, my sights are set on a much loftier goal. The world is filled with too many drab, uninspiring buildings and cityscapes. I want to be one of the architects helping inject more beauty, creativity and "wow factor" into the built environment of tomorrow. With cutting-edge computer technology, new sustainable construction materials, and a fresh generation of innovative thinkers entering the field, the potential for architecture feels limitless.

I can't wait to one day walk through a city street or neighborhood I helped design - observing how people move through and experience the spaces, how the buildings relate to their environment and each other, and knowing that my creativity and hard work played a part in shaping it all. What higher accomplishment could an architect aspire to? Breathing life into an entirely new corner of the world is my ultimate dream.

And I'm determined to make that dream a reality through perseverance, skill and sheer force of will. The future's most jaw-dropping, awe-inspiring structures have yet to be built. And I can't wait to be the one who imagines and constructs them.

Essay 3

My Dream to Become an Architect

Ever since I was a little kid, I've been fascinated by buildings and construction. When we'd go on family road trips, I wouldn't stare out the window at the passing scenery like my siblings. Instead, I'd be glued to the towering skyscrapers, ancient cathedrals, and modern marvels of architecture we'd encounter in each new city. While other kids my age were reading comic books, I had my nose buried in books about famous architects and their most iconic works.

As I got older, my passion for architecture only grew stronger. In middle school, I started sketching my own building designs, drafting meticulous floor plans, and dreaming up unusual and audacious structural concepts. My parents just thought it was a harmless phase I was going through, but I knew this was more than just a childish fancy – it was the first spark of what would become my life's ambition.

In high school, I loaded up on math, science, and art classes to prepare myself for a career in architecture. Calculus, physics, and engineering principles helped me understand the mathematical and structural side of buildings. Art classes like drawing, sculpture, and computer-aided design allowed me to explore my creative side and practice transforming my bold ideas into visual reality. I joined the school's architecture club and read voraciously about the field, devouring books and articles by icons like Frank Gehry, Zaha Hadid, and Frank Lloyd Wright.

My hard work and relentless studying paid off when I was accepted into a top-tier architecture program at university. Walking onto campus on that first day of freshman year, I couldn't believe that my lifelong dream was finally coming true. In the massively inspiring environment of the college's architecture school, I felt like I had found my tribe. I was surrounded by passionate, imaginative students who shared my fervor for design and an almost spiritual reverence for the built environment.

The architecture program was incredibly demanding, but I attacked it with enthusiasm and drive. Core classes covered topics like architectural theory, urban planning, sustainable design, and the history of architecture from ancient civilizations through present day. We studied under professors who were renowned architects in their own right, teaching us to see buildings with an expert's eye for functionality, aesthetics, and cultural significance.

In the studio classes, we put our knowledge into practice through intensive, all-consuming design projects. Groups of students would be given a site and guidelines, and then spend the entire semester conceiving and shaping our own buildings from the ground up. We started with sketches and rough massing models, pushing the boundaries of our creativity while considering factors like structural integrity, environmental impact, and human use patterns. With each passing iteration, our designs became more refined, considering things like floor plans, circulation patterns, materials, facades, and aesthetic touches like lighting and landscaping.

By the time we reached the final review in front of jurors made up of our professors and visiting critics, we had produced enormously complex proposals in painstaking detail through hundreds of hours of work. It was incredibly stressful but also exhilarating to defend our design vision and have our intellectual and creative abilities pushed to the absolute limit.

Looking back at the models and renderings of my various projects over my university years, I can vividly see the evolution of my skills and ambitions as an architect. My freshman year designs look laughably simplistic to me now, but they represented an important first step in learning to think like an architect and manifesting ideas into built form.

My later projects became increasingly intricate and audacious, grappling with real-world constraints while aiming to create buildings that were not just functional, but also environmentally sustainable and socially uplifting. One of my personal favorites was my proposal for a mixed-use residential and commercial development aimed at revitalizing a rundown area of the city and creating a thriving new neighborhood hub. Another highlight was my design for a cutting-edge research laboratory intended to bring scientists' work out of the shadows and put it on public display through an innovative use of open layouts, transparent materials, and interactive exhibits for visitors.

In addition to the intense studio work, I also had the chance to get hands-on experience through internships at local firms during my summer breaks. Working side-by-side with seasoned professionals, I gained invaluable real-world insights into every phase of the architectural process from pitching proposals to clients, to managing construction crews, to putting the final polish on newly erected buildings.

Now, as I prepare to graduate and take my architectural registration exams, I can't wait to finally put my hard-earned skills and knowledge into practice on real projects out in the field. I dream of one day heading up my own firm and getting the chance to literally leave my mark on communities through buildings that don't just provide shelter, but elevate the human experience through innovative design.

To me, the greatest architects create more than just four walls and a roof – they craft spaces that inspire the spirit and spark wonder. Their work speaks to the cultural identity and hopes of the society it represents. When you experience a truly transcendent piece of architecture, it's almost like the building itself takes on a life of its own. You can feel the concrete, steel, and glass pulsating with the energy and humanity imbued into it by its architects and builders.

From Antonio Gaudí's phantasmagorical cathedral in Barcelona to Frank Gehry's contorted, kaleidoscopic masterpieces, to the ancient pyramids and temples that continue to stir awe in the hearts of all who lay eyes upon them, I'm enamored by any structure that pushes the boundaries of what we thought possible and shakes people out of their everyday lull. To me, that's the highest aspiration of the craft: creating the unexpected, pushing the limits of engineering and artistry, and leaving society with something that not just shelters us but inspires us and ennobles the human spirit.

As I stand on the precipice of beginning my professional architecture career, I feel a breathless sense of possibility. I know the road ahead won't be easy; late nights, tidal waves of criticism, and ongoing challenges to marry aesthetic ideals with concrete realities are all part of the job description. But I welcome those tests because I'm confident they'll push me to become a better, more thoughtful architect with each project I take on.

Who knows what the future holds? Perhaps I'll spend my career on small-scale public works or single-family homes, slowly but surely helping improve communities one building at a time. Maybe I'll get the chance to work at a large global firm and travel the world, erecting museums, stadiums, or glistening corporate headquarters that reshape city skylines. I may even find myself teaching at a university one day, shaping and inspiring the next generation the way my mentors guided me.

Or maybe, just maybe, I'll be one of the rare few who gets to produce a true architectural masterwork that captures the zeitgeist and hopes of an era the way Fallingwater, the Chrysler Building, or the Pyramids of Giza did. An iconic creation that will still be studied and celebrated centuries from now as humanity continues its eternal quest to mold the landscape to our hands and achieve ever-greater glories of art and utility. A monument testifying that with creative vision, technical brilliance, and sheer force of will, human beings can create the extraordinary.

I know those colossal ambitions make me sound naively idealistic. And to be sure, not every architect gets to be a Frank Lloyd Wright or I.M. Pei. Most of us find meaning and pride in more modest accomplishments that simply enhance people's daily lives in quieter but no less essential ways. But I've never been one to think small or settle for mediocrity. I want to reach for the stars and chisel my place among the celebrated visionaries – not for personal glory, but for the chance to create something transcendent and lasting. Something greater than myself that inspires and elevates the human condition for generations to come.

With youth, passion, and the arsenal of skills I've worked so hard to build over my academic career, I'm ready to dive headfirst into bringing revolutionary architectural concepts into reality. The world has always needed bold thinkers to create the structures we live, work, and play within. And in our rapidly changing era of disruptive technologies, new construction materials, and urgent environmental imperatives, that need is greater than ever before. The challenges architects must grapple with are immense, but so are the opportunities to profoundly shape the future and invent new ways of inhabiting this planet.

I'm ready to rise to that challenge and take my place among the ranks of architectural greats who have given the world its most breathtaking and humanistic built works. Da Vinci, Le Corbusier, Kahn, Calatrava – I aspire to one day have my name uttered alongside the luminaries who transformed architecture into an art form that elevates the human condition. The journey ahead will be arduous, with small triumphs and bitter setbacks around every turn. But I welcome that struggle because I know it will forge me into a master of my craft capable of producing work that inspires wonder for ages to come.

Engineering, artistry, vision, persistence against all odds – that is the
Optimizing Symbolic Model Checking for Constraint-Rich Models
Optimizing Symbolic Model Checking forConstraint-Rich ModelsBwolen Yang,Reid Simmons,Randal E.Bryant,and David R.O’HallaronSchool of Computer ScienceCarnegie Mellon UniversityPittsburgh,PA15213bwolen,reids,bryant,droh@Abstract.This paper presents optimizations for verifying systems with complextime-invariant constraints.These constraints arise naturally from modeling physi-cal systems,e.g.,in establishing the relationship between different components ina system.To verify constraint-rich systems,we propose two new optimizations.Thefirst optimization is a simple,yet powerful,extension of the conjunctive-partitioning algorithm.The second is a collection of BDD-based macro-extractionand macro-expansion algorithms to remove state variables.We show that thesetwo optimizations are essential in verifying constraint-rich problems;in particu-lar,this work has enabled the verification of fault diagnosis models of the Nomadrobot(an Antarctic meteorite explorer)and of the NASA Deep Space One space-craft.1IntroductionThis paper presents techniques for using symbolic model checking to automatically verify a class of real-world applications that have many time-invariant constraints.An example of constraint-rich systems is the symbolic models developed by NASA for on-line fault diagnosis[15].These models describe the operation of components in complex electro-mechanical systems,such as autonomous spacecraft or robot explor-ers.The models consist of interconnected components(e.g.,thrusters,sensors,motors, computers,and valves)and describe how the mode of each component changes over time.Based on these models,the Livingstone diagnostic engine[15]monitors sensor values and detects,diagnoses,and tries to recover from inconsistencies between the ob-served sensor values and the predicted modes of the components.The relationships be-tween the modes and sensor values are encoded using symbolic constraints.Constraintsbetween state variables are also used to encode interconnections between 
components.We have developed an automatic translator from such fault models to SMV(SymbolicModel V erifier)[10],where mode transitions are encoded as transition relations andstate-variable constraints are translated into sets of time-invariant constraints.To verify constraint-rich systems,we introduce two new optimizations.Thefirst optimization is a simple extension of the conjunctive-partitioning algorithm.The otheris a collection of BDD-based macro-extraction and macro-expansion algorithms to re-move redundant state variables.We show that these two optimizations are essential inverifying constraint-rich problems.In particular,these optimizations have enabled theverification of fault diagnosis models for the Nomad robot(an Antarctic meteorite ex-plorer)[1]and the NASA Deep Space One(DS1)spacecraft[2].These models can bequite large,with up to1200state bits.The rest of this paper is organized as follows.Wefirst briefly describe symbolicmodel checking and how time-invariant constraints arise naturally from modeling(Sec-tion2).We then present our new optimizations:an extension to conjunctive partitioning(Section3),and BDD-based algorithms for eliminating redundant state variables(Sec-tion4).We then show the results of a performance evaluation on the effects of each optimization(Section5).Finally,we present a comparison to prior work(Section6)and some concluding remarks(Section7).2BackgroundSymbolic model checking[5,6,10]is a fully automatic verification paradigm thatchecks temporal properties(e.g.,safety,liveness,fairness,etc.)offinite state systems by symbolic state traversal.The core enabling technology for symbolic model check-ing is the use of the Binary Decision Diagram(BDD)representation[4]for state setsand state transitions.BDDs represent Boolean formulas canonically as directed acyclicgraphs such that equivalent sub-formulas are uniquely represented as a single subgraph.This uniqueness property makes BDDs compact and enables dynamic programming to be used for 
computing Boolean operations symbolically.To use BDDs in model checking,we need to map sets of states,state transitions,andstate traversal to the Boolean domain.In this section,we briefly describe this mappingand motivate how time-invariant constraints arise.We thenfinish with definitions ofsome additional terminology to be used in the rest of the paper.2.1Representing State Sets and TransitionsIn the symbolic model checking offinite state systems,a state typically describes thevalues of many components(e.g.,latches in digital circuits)and each component isrepresented by a state variable.Let be the set of state variables in a system,then a state can be described by assigning values to all the variables in.This valuation can in term be written as a Boolean formula that is true exactly for thevaluation as,where is the value assigned to the variable,and the“==”represents the equality operator in a predicate(similar to the C programming language).A set of states can be represented as a disjunction of the Boolean formulasthat represent the states.We denote the BDD representation for a set of states by .In addition to the set of states,we also need to map the system’s state transitions to the Boolean domain.We extend the above concept of representing a set of states to representing a set of ordered-pairs of states.To represent a pair of states,we need two sets of state variables:the set of present-state variables for thefirst tuple and the set of next-state variables for the second tuple.Each variable in has a corresponding next-state variable in.A valuation of variables in and can be viewed as a state transition from one state to another.A transition relation can then be represented as a set of these valuations.We denote the BDD representation of a transition relation as.In modelingfinite state systems,the overall state transitions are generally specified by defining the valid transitions for each state variable.To support non-deterministic transitions of a state 
variable,the expression that defines the transitions evaluates to a set,and the next-state value of the state variable is non-deterministically chosen from the elements in the set.Hereafter,we refer to an expression that evaluates to a set either as a set expression or as a non-deterministic expression depending on the context,and we use the bold font type,as in f,to represent such expression.Let f be the set expres-sion representing state transitions of the state variable.Then the BDD representation for’s transition relation can be defined as f For syn-chronous systems,the BDD for the overall state transition relation isDetailed descriptions on this formulation,including mapping of asyn-chronous systems,can be found in[5].2.2Time-Invariant Constraints and Their Common UsagesIn symbolic model checking,time-invariant constraints specify the conditions that must always hold.More formally,let,...,be the time-invariant constraints and let.Then,in symbolic state traversal,we consider only states where is true.We refer to as the constrained space.To motivate how time-invariant constraints arise naturally in modeling complex systems,we describe three common usages.One common usage is to make the same non-deterministic choice across multiple expressions in transition relations.For exam-ple,in a master-slave model,the master can non-deterministically choose which set of idle slaves to assign the pending jobs,and the slaves’next-state values will depend on the choice made.To model this,let f be a non-deterministic expression represent-ing how the master makes its choice.If f is used multiple times,then each use makes a non-deterministic choice independently of other uses.Thus,to ensure that the same non-deterministic choice is seen by the slaves,a new state variable is introduced to record the choice made,and is then used to define the slaves’transition relations.This recording process is expressed as the time-invariant constraint f.Another common usage is for establishing 
the interface between different compo-nents in a system.For example,suppose two components are connected with a pipe of a fixed capacity.Then,the input of one component is the minimum of the pipe’s capacity and the output of the other component.This relationship is described as a time-invariant constraint between the input and the output of these two components.Third common usage is specific uses of generic parts.For example,a bi-directional fuel pipe may be used to connect two components.If we want to make sure the fuel flows only one way,we need to constrain the valves in the fuel pipe.These constraints are specified as time-invariant constraints.In general,specific uses of generic parts arise naturally in both the software and the hardware domain as we often use generic building blocks in constructing a complex system.In the examples above,the use of time-invariant constraints is not always necessary because some these constraints can be directly expressed as a part of the transition re-lation and the associated state variables can be removed.However,these constraints are used to facilitate the description of the system or to reflect the way complex systems are built.Without these constraints,multiple expressions will need to be combined into pos-sibly a very complicated expression.Performing this transformation manually can be error-prone.Thus it is up to the verification tool to automatically perform these transfor-mations and remove unnecessary state variables.Our optimizations for constraint-rich models is to automatically eliminate redundant state variables(Section4)and partition the remaining constraints(Section3).2.3Symbolic State TraversalTo reason about temporal properties,the pre-image and the image of the transition re-lation are used for symbolic state traversal,and time-invariant constraints are used to restrict the valid state space.Based on the BDD representations of a state set and the transition relation,we can compute the pre-image and the 
image of,while restrict-ing the computations to the constrained space,as follows:pre-image(1) image(2) One limitation of the BDD representation is that the monolithic BDD for the transi-tion relation is often too large to build.A solution to this problem is the conjunctive partitioning[5]of the transition relation.In conjunctive partitioning,the transition rela-tion is represented as a conjunction with each conjunct represented by a BDD.Then,the pre-image can be computed by conjuncting with one at a time,and by using early quantification to quantify out variables as soon as possible. The early-quantification optimization is based on the property that sub-formulas can be moved out of the scope of an existential quantification if they do not depend on any of the variables being quantified.Formally,let,a subset of,be the set of variables that do not appear in any of the subsequent’s,where and.Then the pre-image can be computed as(3)...pre-imageThe determination and ordering of partitions(the’s in above)can have signifi-cant performance monly used heuristics[7,11]treat the state variables’transition relations(’s)as conjuncts.The ordering step then greedily schedules the partitions to quantify out more variables as soon as possible,while introducing fewer new variables.Finally,the ordered partitions are tentatively merged with their prede-cessors to reduce the number of intermediate results.Each merged result is kept only if the resulting graph size is less than a pre-determined limit.The conjunctive partitioning for the image computation is performed similarly with present-state variables in being the quantifying variables instead of next-state vari-ables in.However,since the quantifying variables are different between the image and the pre-image computation,the resulting conjuncts for image computation is typi-cally very different from those for pre-image computation.2.4Additional TerminologyWe define the ITE operator(if-then-else)as follows:given arbitrary 
expressions and where and may both be set expressions,and Boolean expression,thenITE if otherwisewhere is the set of variables used in expressions,,and.We define a care-space optimization as any algorithm care-opt that has following properties:given an arbitrary function where may be a set expression,and a Boolean formula,thencare-opt ITEwhere is defined by the particular algorithm used.The usual interpretation of this is that we only care about the values of when is true.We will refer to as the care space and as the don’t-care space.The goal of care-space optimizations is to heuristically minimize the representation for by choosing a suitable in the don’t-care space.Descriptions and a study of some care-space optimizations,including the commonly used restrict algorithm[6],can be found in[13].3Extended Conjunctive PartitioningThefirst optimization is the application of the conjunctive-partitioning algorithm on the time-invariant constraints.This extension is derived based on two observations.First, as with the transition relations,the BDD representation for time-invariant constraints can be too large to be represented as a monolithic graph.Thus,it is crucial to represent the constraints as a set of conjuncts rather than a monolithic graph.Second,in constraint-rich models,many quantifying variables(variables being quan-tified)do not appear in the transition relation.There are two common causes for this. 
First, when time-invariant constraints are used to make the same non-deterministic choices, new variables are introduced to record these choices (described as the first example in Section 2.2). In the transition relation, these new variables are used only in their present-state form. Thus, their corresponding next-state variables do not appear in the transition relation, and for the pre-image computation these next-state variables are part of the quantifying variables. The other cause is that many state variables are used only to establish time-invariant constraints. Thus, neither the present-state nor the next-state version of these variables appears in the transition relations.

Based on this observation, we can improve the early-quantification optimization by pulling out the quantifying variables that do not appear in any of the transition relations. Then, these quantifying variables can be used for early quantification in the conjunctive partitioning of the constrained space where the time-invariant constraints hold. Formally, let the partitions be those produced by the conjunctive partitioning of the constrained space. For the pre-image computation, Equation 3 is replaced by the corresponding nested formula over these partitions, in which each quantified set, a subset of the pulled-out quantifying variables, is the set of variables that do not appear in any of the subsequent partitions. Similarly, this extension also applies to the image computation.

4 Elimination of Redundant State Variables

Our second optimization for constraint-rich models is targeted at reducing the state space by removing unnecessary state variables. This optimization is a set of BDD-based algorithms that compute an equivalent expression for each variable used in the time-invariant constraints (macro extraction) and then globally replace a suitable subset of variables with their equivalent expressions (macro expansion) to reduce the total number of variables.

The use of macros is traditionally supported by language constructs (e.g., DEFINE in the SMV language [10]) and by simple syntactic analyses such as detecting deterministic assignments (e.g., a state variable set equal to an expression) in the specifications. However, in constraint-rich models, the constraints are often specified in a more complex manner, such as conditional dependencies on other state variables (e.g., a conditional assignment of an expression to a variable when some condition is true). To identify the set of valid macros in such models, we need to combine the effects of multiple constraints. For these models, one drawback of syntactic analysis is that, for each type of expression, syntactic analysis needs a template to pattern match these expressions. Another, more severe drawback is that it is difficult for syntactic analysis to estimate the actual cost of instantiating a macro. Estimating this cost is important because reducing the number of variables by macro expansion can sometimes result in significant performance degradation caused by large increases in other BDD sizes. These two drawbacks make the syntactic approach unsuitable for models with complex time-invariant constraints.

Our approach uses BDD-based algorithms to analyze time-invariant constraints and to derive the set of possible macros. The core algorithm is a new assignment-extraction algorithm that extracts assignments from arbitrary Boolean expressions (Section 4.1).
For each variable, by extracting its assignment form, we can determine the variable's corresponding equivalent expression and, when appropriate, globally replace the variable with its equivalent expression (Section 4.2). The strength of this algorithm is that, by using BDDs, the cost of macro expansion can be better characterized, since the actual model checking computation is performed using BDDs.

Note that there have been a number of research efforts on BDD-based redundant variable removal. To better compare our approach to these previous research efforts, we postpone the discussion of this prior work until Section 6, after describing our algorithms and the performance evaluation.

4.1 BDD-Based Assignment Extraction

The assignment-extraction problem can be stated as follows: given an arbitrary Boolean formula and a variable (where the variable can be non-Boolean), find a set expression g and a residual formula such that
– the original formula is equivalent to the conjunction of "the variable's value lies in g" and the residual formula,
– g does not depend on the variable, and
– the residual formula is a Boolean formula and does not depend on the variable.
The expression g represents a non-deterministic assignment to the variable. In the case that g always returns a singleton set, the assignment is deterministic. A solution to this assignment-extraction problem is as follows: t is built as an ITE over the formula that collects, from the set of all possible values of the variable, those values for which the formula holds (Equation 4), and g = restrict(t, c), where c is the care space obtained by quantifying the variable out of the formula and restrict [6] is a care-space optimization algorithm that tries to reduce the BDD graph size (of t) by collapsing the don't-care space. The BDD algorithm for the set-union quantification used to build t is similar to the BDD algorithm for existential quantification, with the disjunction operator replaced by the union operator for variable quantification. A correctness proof of this algorithm can be found in the technical-report version of this paper [17].

4.2 Macro Extraction and Expansion

In this section, we describe the elimination of state variables based on macro extraction and macro expansion. The first step is to extract macros with the algorithm shown in Figure 1. This algorithm extracts macros from the constrained space, which is represented as a set of conjuncts. It first uses the assignment-extraction algorithm to extract assignment expressions (line 5). It then identifies the deterministic assignments as candidate macros (line 6). For each candidate, the algorithm tests whether applying the macro may be beneficial (line 7). This test is based on the heuristic that if the BDD graph size of a macro is not too large and its instantiation does not cause an excessive increase in other BDDs' graph sizes, then instantiating this macro may be beneficial. If the resulting right-hand side g is not a singleton set, it is kept separately (line 9). These g's are combined later (line 10) to determine whether the intersection of these sets would result in a macro (lines 11-13).

[Benchmark table (Section 5), partially recovered. Surviving rows: ds1-b, a buggy fault diagnosis model for the NASA DS1 spacecraft (657); futurebus, FutureBus cache coherency protocol (1273); v-gate, reactor-system model (100 nodes). The earlier rows and the column headers are missing.]

The four configurations compared are:

Base: the optimizations in Section 3 are used without the "early quantification on the constrained space" optimization. Without this partitioning, the BDD representation of the constrained space could not be constructed for 4 models.

Quan: same as the Base case with the addition of the "early quantification on the constrained space" optimization (Section 3).

SynMacro: same as the Quan case with the addition of a syntactic analysis that pattern matches deterministic assignment expressions (a state variable set equal to an expression) as macros and expands these macros.

BDDMacro: all the optimizations are turned on, i.e., same as the SynMacro case with the addition of BDD-based assignment extraction to extract macros.

The evaluation was performed on a 200 MHz Pentium Pro with 1 GB of memory running Linux. Each run was limited to 6 hours of CPU time and 900 MB of memory.

5.2 Results

Figure 4 shows the impact of our optimizations for the 7 models whose results changed by more than 10 CPU seconds and 10% from the Base case. For all benchmarks, the time spent by our optimizations is very small (less than 5 seconds or less than 5% of total time) and is included in the running time reported. The overall impact of our optimizations is shown in the rightmost column of Figure 4. These results demonstrate that our optimizations have significantly improved the performance for 2 cases (with speedups up to 74) and have enabled the verification of 4 cases. For the v-gates model, the performance degradation (a speedup below 1) is in the computation of the reachable states from the initial states. Upon further investigation, we believe that it is caused by the macro instantiation, which increases the graph size of the transition relation from 122 thousand to 476 thousand nodes. This case demonstrates that reducing the number of state variables does not always improve performance.

[Fig. 4 (table): CPU seconds for the Quan and BDDMacro cases and the resulting speedups for acs, ds1-b, ds1, futurebus, nomad, v-gates and xavier; some entries are m.o. and t.o. The individual values are not recoverable.]

The remaining columns of Figure 4 show the impact of each optimization. The results show that by simply performing early quantification on the constraints (the Quan column), we have enabled the verification of acs and ds1-b, and achieved a significant performance improvement on futurebus (speedup of 20). This is mostly due to the fact that a large number of variables can be pulled out of the transition relations and applied to conjunctive partitioning and early quantification of the time-invariant constraints (Figure 5(a)). With the addition of syntactic analysis for macro extraction (the SynMacro column), we are able to verify nomad. Finally, by adding BDD-based macro extraction (the BDDMacro column), we are able to verify ds1. The results in Figure 5(b) show that BDD-based macro extraction (BDDMacro) can be rather effective in reducing the number of variables, especially for the acs, nomad, ds1-b, and ds1 models, where additional BDD variables (i.e., state bits) are removed in comparison to using syntactic analysis (SynMacro).

[Fig. 5 (tables): (a) number of BDD variables pulled out for the pre-image computation, per model, as they appear in the extraction: acs 439, ds1-b 550, ds1 550, futurebus 58, nomad 1121, v-gates 0, xavier 69; (b) number of BDD variables removed by SynMacro and by BDDMacro per model; the values of (b) are not recoverable.]

Fig. 5. Effectiveness of each optimization. (a) Number of quantifying BDD variables that are pulled out of the transition relation for early quantification of the time-invariant constraints. These results are measured without macro optimizations. With macro optimizations, the corresponding results are basically the same as subtracting off the number of state variables removed. (b) The number of BDD variables removed by macro expansion. Note: the number of BDD variables is twice the number of state variables, one copy for the present state and one copy for the next state.

6 Related Work

There have been many research efforts on BDD-based redundant state-variable removal in both logic synthesis and verification. These research efforts all use the reachable state space (the set of states reachable from the initial states) to determine functional dependencies for Boolean variables (macro extraction). The reachable state space effectively plays the same role as a time-invariant constraint, because the verification process only needs to check specifications in the reachable state space. Berthet et al. propose the first redundant state-variable removal algorithm in [3]. In [9], Lin and Newton describe a branch-and-bound algorithm to identify the maximum set of redundant state variables. In [12], Sentovich et al. propose new algorithms for latch removal and latch replacement in logic synthesis. There is also some work on detecting and removing redundant state variables while the reachable state space is being computed [8, 14].

From the algorithmic point of view, our approach differs from prior work in two ways. First, in determining the relationship between variables, the algorithms used to extract functional dependencies in previous work can be viewed as direct extraction of deterministic assignments to Boolean variables. In comparison, our assignment-extraction algorithm is more general because it can also handle non-Boolean variables and extract non-deterministic assignments. Second, in performing the redundant state-variable removal, the approach used in the previous work would need to combine all the constraints first and then extract the macros directly from the combined result. However, for constraint-rich models, it may not be possible to combine all the constraints because the resulting BDD is too large to build. Our approach addresses this issue by first applying the assignment-extraction algorithm to each constraint separately and then combining the results to determine whether a macro can be extracted (see Figure 1).

Another difference is that in previous work the goal is to remove as many variables as possible. However, we have empirically observed that in some cases removing additional variables can result in significant performance degradation in overall verification time (a slowdown of over 4). To address this issue, we use simple heuristics (the size of the macro and the growth in graph sizes) to choose the set of macros to expand. This simple heuristic works well in the test cases we tried. However, in order to fully evaluate the impact of different heuristics, we need to gather a larger set of constraint-rich models from a wider range of applications.

7 Conclusions and Future Work

The two optimizations we proposed are crucial in verifying this new class of constraint-rich applications. In particular, they have enabled the verification of real-world applications such as the Nomad robot and the NASA Deep Space One spacecraft. We have shown that the BDD-based assignment-extraction algorithm is effective in identifying macros. We plan to use this algorithm to perform a more precise cone-of-influence analysis, with the assignment expressions providing the exact dependence information between the variables. In general, we plan to study how BDDs can be used to further help other compile-time optimizations in symbolic model checking.
Acknowledgement

We thank Ken McMillan for discussions on the effects of macro expansion. We thank Olivier Coudert, Fabio Somenzi and the reviewers for comments on this work. We are grateful to Intel Corporation for donating the machines used in this work.

References

[1] Bapna, D., Rollins, E., Murphy, J., and Maimone, M. The Atacama Desert trek: outcomes. In Proc. of the 1998 International Conference on Robotics and Automation (May 1998), pp. 597–604.
[2] Bernard, D. E., Dorais, G. A., Fry, C., E. B. G., Jr., Kanefsky, B., Kurien, J., Millar, W., Muscettola, N., Nayak, P. P., Pell, B., Rajan, K., Rouquett, N., Smith, B., and Williams, B. Design of the remote agent experiment for spacecraft autonomy. In Proc. of the 1998 IEEE Aerospace Conference (March 1998), pp. 259–281.
[3] Berthet, C., Coudert, O., and Madre, J. C. New ideas on symbolic manipulations of finite state machines. In 1990 IEEE Proc. of the International Conference on Computer Design (September 1990), pp. 224–227.
[4] Bryant, R. E. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers C-35, 8 (August 1986), 677–691.
[5] Burch, J. R., Clarke, E. M., Long, D. E., McMillan, K. L., and Dill, D. L. Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 13, 4 (April 1994), 401–424.
[6] Coudert, O., and Madre, J. C. A unified framework for the formal verification of circuits. In Proc. of the International Conference on Computer-Aided Design (Feb 1990), pp. 126–129.
[7] Geist, D., and Beer, I. Efficient model checking by automated ordering of transition relation partitions. In Proc. of Computer Aided Verification (June 1994), pp. 299–310.
[8] Hu, A. J., and Dill, D. L. Reducing BDD size by exploiting functional dependencies. In Proc. of the 30th ACM/IEEE Design Automation Conference (June 1993), pp. 266–71.
[9] Lin, B., and Newton, A. R. Exact redundant state registers removal based on binary decision diagrams. IFIP Transactions A, Computer Science and Technology A, 1 (August 1991), 277–86.
[10] McMillan, K. L. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
[11] Ranjan, R. K., Aziz, A., Brayton, R. K., Plessier, B., and Pixley, C. Efficient BDD algorithms for FSM synthesis and verification. Presented at the IEEE/ACM International Workshop on Logic Synthesis, May 1995.
[12] Sentovich, E. M., and Horia Toma. Latch optimization in circuits generated from high-level descriptions. In Proc. of the International Conference on Computer-Aided Design (November 1996), pp. 428–35.
[13] Shiple, T. R., Hojati, R., Sangiovanni-Vincentelli, A. L., and Brayton, R. K. Heuristic minimization of BDDs using don't cares. In Proc. of the 31st ACM/IEEE Design Automation Conference (June 1994), pp. 225–231.
[14] van Eijk, C. A. J., and Jess, J. A. G. Exploiting functional dependencies in finite state machine verification. In Proc. of the European Design and Test Conference (March 1996), pp. 266–71.
[15] Williams, B. C., and Nayak, P. P. A model-based approach to reactive self-configuring systems. In Proc. of the Thirteenth National Conference on Artificial Intelligence and the Eighth Innovative Applications of Artificial Intelligence Conference (August 1996), pp. 971–978.
[16] Yang, B., Bryant, R. E., O'Hallaron, D. R., Biere, A., Coudert, O., Janssen, G., Ranjan, R. K., and Somenzi, F. A performance study of BDD-based model checking. In Proc. of Formal Methods in Computer-Aided Design (November 1998), pp. 255–289.
[17] Yang, B., Simmons, R., Bryant, R. E., and O'Hallaron, D. R. Optimizing symbolic model checking for constraint-rich models. Tech. Rep. CMU-CS-99-118, School of Computer Science, Carnegie Mellon University, March 1999.
Symbolic Model Checking without BDDs
Armin Biere (1), Alessandro Cimatti (2), Edmund Clarke (1), and Yunshan Zhu (1)

(1) Computer Science Department, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213, U.S.A. Armin.Biere, Edmund.Clarke, Yunshan.Zhu@
(2) Istituto per la Ricerca Scientifica e Tecnologica (IRST), via Sommarive 18, 38055 Povo (TN), Italy. cimatti@irst.itc.it

Abstract. Symbolic Model Checking [3, 14] has proven to be a powerful technique for the verification of reactive systems. BDDs [2] have traditionally been used as a symbolic representation of the system. In this paper we show how boolean decision procedures, like Stålmarck's Method [16] or the Davis & Putnam Procedure [7], can replace BDDs. This new technique avoids the space blow up of BDDs, generates counterexamples much faster, and sometimes speeds up the verification. In addition, it produces counterexamples of minimal length. We introduce a bounded model checking procedure for LTL which reduces model checking to propositional satisfiability. We show that bounded LTL model checking can be done without a tableau construction. We have implemented a model checker BMC, based on bounded model checking, and preliminary results are presented.

1 Introduction

Model checking [4] is a powerful technique for verifying reactive systems. Able to find subtle errors in real commercial designs, it is gaining wide industrial acceptance. Compared to other formal verification techniques (e.g. theorem proving) model checking is largely automatic.

In model checking, the specification is expressed in temporal logic and the system is modeled as a finite state machine. For realistic designs, the number of states of the system can be very large and the explicit traversal of the state space becomes infeasible. Symbolic model checking [3, 14], with boolean encoding of the finite state machine, can handle more than $10^{20}$ states. BDDs [2], a canonical form for boolean expressions, have traditionally been used as the underlying representation for symbolic model checkers [14]. Model checkers based on BDDs are usually able to handle systems with hundreds of state variables. However, for larger systems the BDDs generated during model checking become too large for currently available computers. In addition, selecting the right ordering of BDD variables is very important. The generation of a variable ordering that results in small BDDs is often time consuming or needs manual intervention. For many examples no space efficient variable ordering exists.

Propositional decision procedures (SAT) [7] also operate on boolean expressions but do not use canonical forms. They do not suffer from the potential space explosion of BDDs and can handle propositional satisfiability problems with thousands of variables. SAT based techniques have been successfully applied in various domains, such as hardware verification [17], modal logics [9], formal verification of railway control systems [1], and AI planning systems [11]. A number of efficient implementations are available. Some notable examples are the PROVE tool [1] based on Stålmarck's Method [16], and SATO [18] based on the Davis & Putnam Procedure [7].

In this paper we present a symbolic model checking technique based on SAT procedures. The basic idea is to consider counterexamples of a particular length k and generate a propositional formula that is satisfiable iff such a counterexample exists. In particular, we introduce the notion of bounded model checking, where the bound is the maximal length of a counterexample. We show that bounded model checking for linear temporal logic (LTL) can be reduced to propositional satisfiability in polynomial time. To prove the correctness and completeness of our technique, we establish a correspondence between bounded model checking and model checking in general. Unlike previous approaches to LTL model checking, our method does not require a tableau or automaton construction.

The main advantages of our technique are the following. First, bounded model checking finds counterexamples very fast. This is due to the depth first nature of SAT search procedures. Finding counterexamples is arguably the most important feature of model checking. Second, it finds counterexamples of minimal length. This feature helps the user to understand a counterexample more easily. Third, bounded model checking uses much less space than BDD based approaches. Finally, unlike BDD based approaches, bounded model checking does not need a manually selected variable order or time consuming dynamic reordering. Default splitting heuristics are usually sufficient.

To evaluate our ideas we have implemented a tool BMC based on bounded model checking. We give examples in which SAT based model checking significantly outperforms BDD based model checking. In some cases bounded model checking detects errors instantly, while the BDDs for the initial state cannot be built.

The paper is organized as follows. In the following section we explain the basic idea of bounded model checking with an example. In Section 3 we give the semantics for bounded model checking. Section 4 explains the translation of a bounded model checking problem into a propositional satisfiability problem. In Section 5 we discuss bounds on the length of counterexamples. In Section 6 our experimental results are presented, and Section 7 describes some directions for future research.

2 Example

Consider the following simple state machine M that consists of a three bit shift register x with the individual bits denoted by $x_0$, $x_1$, and $x_2$. The predicate $T(x, x')$ denotes the transition relation between current state values x and next state values x' and is equivalent to:

$(x'_0 \leftrightarrow x_1) \wedge (x'_1 \leftrightarrow x_2) \wedge (x'_2 \leftrightarrow 1)$

In the initial state the content of the register x can be arbitrary. The predicate $I(x)$ that denotes the set of initial states is therefore true. This shift register is meant to be empty (all bits set to zero) after three consecutive shifts. But we introduced an error in the transition relation for the next state value of $x_2$, where an incorrect value 1 is used instead of 0. Therefore, the property that eventually the register will be empty (written as $x = 0$) after a
sufficiently large number of steps is not valid. This property can be formulated as the LTL formula $F(x = 0)$. We translate the "universal" model checking problem $AF(x = 0)$ into the "existential" model checking problem $EG(x \neq 0)$ by negating the formula. Then, we check if there is an execution sequence that fulfills $G(x \neq 0)$. Instead of searching for an arbitrary path, we restrict ourselves to paths that have at most $k + 1$ states, for instance we choose $k = 2$. Call the first three states of this path $x^0$, $x^1$ and $x^2$ and let $x^0$ be the initial state (see Figure 1). Since the initial content of x can be arbitrary, we do not have any restriction on $x^0$.

[Fig. 1. Unrolling the transition relation twice and adding a back loop (states $x^0$, $x^1$, $x^2$).]

We unroll the transition relation twice and derive the propositional formula $f_M$ defined as $I(x^0) \wedge T(x^0, x^1) \wedge T(x^1, x^2)$. We expand the definition of T and I, and get the following formula.

$(x^1_0 \leftrightarrow x^0_1) \wedge (x^1_1 \leftrightarrow x^0_2) \wedge (x^1_2 \leftrightarrow 1)$ (1st step)
$\wedge\ (x^2_0 \leftrightarrow x^1_1) \wedge (x^2_1 \leftrightarrow x^1_2) \wedge (x^2_2 \leftrightarrow 1)$ (2nd step)

Any path with three states that is a "witness" for $G(x \neq 0)$ must contain a loop. Thus, we require that there is a transition from $x^2$ back to the initial state, to the second state, or to itself (see also Figure 1). We represent this transition as $L_i$ defined as $T(x^2, x^i)$, which is equivalent to the following formula.

$(x^i_0 \leftrightarrow x^2_1) \wedge (x^i_1 \leftrightarrow x^2_2) \wedge (x^i_2 \leftrightarrow 1)$

Finally, we have to make sure that this path will fulfill the constraints imposed by the formula $G(x \neq 0)$. In this case the property $S_i$ defined as $x^i \neq 0$ has to hold at each state. $S_i$ is equivalent to the following formula.

$(x^i_0 \leftrightarrow 1) \vee (x^i_1 \leftrightarrow 1) \vee (x^i_2 \leftrightarrow 1)$

Putting this all together we derive the following propositional formula.

$f_M \wedge \bigvee_{i=0}^{2} L_i \wedge \bigwedge_{i=0}^{2} S_i$ (1)

This formula is satisfiable iff there is a counterexample of length 2 for the original formula $F(x = 0)$. In our example we find a satisfying assignment for (1) by setting $x^i_j := 1$ for all $i, j \in \{0, 1, 2\}$.

3 Semantics

ACTL* is defined as the subset of formulas of CTL* [8] that are in negation normal form and contain only universal path quantifiers. A formula is in negation normal form (NNF) if negations only occur in front of atomic propositions. ECTL* is defined in the same way, but only existential path quantifiers are allowed. We consider the next time operator 'X', the eventuality operator 'F', the globally operator 'G', and the until operator 'U'. We assume that formulas are in NNF. We can always transform a formula into NNF without increasing its size by including the release operator 'R' ($f\,R\,g$ iff $\neg(\neg f\,U\,\neg g)$). In an LTL formula no path quantifiers (E or A) are allowed. In this paper we concentrate on LTL model checking. Our technique can be extended to handle full ACTL* (resp. ECTL*).

Definition 1. A Kripke structure is a tuple $M = (S, I, T, \ell)$ with a finite set of states S, the set of initial states $I \subseteq S$, a transition relation between states $T \subseteq S \times S$, and the labeling of the states $\ell : S \to \mathcal{P}(A)$ with atomic propositions A.

We use Kripke structures as models in order to give the semantics of the logic. For the rest of the paper we consider only Kripke structures for which we have a boolean encoding. We require that $S = \{0, 1\}^n$, and that each state can be represented by a vector of state variables $s = (s_1, \dots, s_n)$ where $s_i$ for $i = 1, \dots, n$ are propositional variables. We define propositional formulas $f_I(s)$, $f_T(s, t)$ and $f_p(s)$ as: $f_I(s)$ iff $s \in I$, $f_T(s, t)$ iff $(s, t) \in T$, and $f_p(s)$ iff $p \in \ell(s)$. For the rest of the paper we simply use $T(s, t)$ instead of $f_T(s, t)$ etc. In addition, we require that every state has a successor state. That is, for all $s \in S$ there is a $t \in S$ with $(s, t) \in T$. For $(s, t) \in T$ we also write $s \to t$. For an infinite sequence of states $\pi = (s_0, s_1, \dots)$ we define $\pi(i) = s_i$ and $\pi^i = (s_i, s_{i+1}, \dots)$ for $i \in \mathbb{N}$.
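The shift-register problem of Section 2, as an added example that is not code from the paper or the BMC tool: it builds the constraint of Equation (1) for an arbitrary bound k over the boolean encoding just defined (initial predicate, transition predicate, state vectors) and searches for a satisfying assignment by enumerating all (k+1)·3 state bits in place of a SAT solver, then raises the bound step by step as the paper suggests. The "intended" register with $x'_2 = 0$ is a constructed comparison model.

```python
"""Bounded model checking of the 3-bit shift register from Section 2.

Added example, not code from the paper or the BMC tool: it builds the
propositional constraint of Equation (1) for an arbitrary bound k and
searches for a satisfying assignment by enumerating all (k+1)*3 state
bits instead of calling a SAT solver (feasible only for tiny k and n).
"""
from itertools import product
from typing import Callable, List, Optional, Tuple

State = Tuple[int, ...]
Pred = Callable[[State], bool]
Trans = Callable[[State, State], bool]


def shift_register_trans(buggy: bool) -> Trans:
    """T(x, x'): x0' <-> x1, x1' <-> x2, x2' <-> 1 (buggy) or x2' <-> 0 (intended)."""
    fill = 1 if buggy else 0

    def trans(x: State, y: State) -> bool:
        return y == (x[1], x[2], fill)

    return trans


def any_state(_: State) -> bool:
    """I(x) = true: the initial register content is arbitrary."""
    return True


def nonzero(x: State) -> bool:
    """S_i: x^i != 0, i.e. (x0 <-> 1) or (x1 <-> 1) or (x2 <-> 1)."""
    return any(x)


def satisfies_formula_1(states: List[State], init: Pred, trans: Trans, prop: Pred) -> bool:
    """Check one candidate assignment s_0..s_k against the three parts of
    Equation (1): f_M, the loop disjunction over L_i, and the conjunction of S_i."""
    k = len(states) - 1
    # f_M = I(s_0) /\ T(s_0, s_1) /\ ... /\ T(s_{k-1}, s_k)
    if not init(states[0]):
        return False
    if not all(trans(states[i], states[i + 1]) for i in range(k)):
        return False
    # OR_{l=0..k} L_l with L_l = T(s_k, s_l): the prefix must close a loop,
    # otherwise it says nothing about the infinite behaviour that G needs
    if not any(trans(states[k], states[l]) for l in range(k + 1)):
        return False
    # AND_{i=0..k} S_i: the property must hold in every state of the prefix
    return all(prop(s) for s in states)


def bmc_globally(n_bits: int, init: Pred, trans: Trans, prop: Pred, k: int) -> Optional[List[State]]:
    """Return a (k,l)-loop witness for G prop, or None if the formula is
    unsatisfiable for this k. Enumeration plays the role of the SAT solver."""
    for bits in product((0, 1), repeat=(k + 1) * n_bits):
        states = [tuple(bits[i * n_bits:(i + 1) * n_bits]) for i in range(k + 1)]
        if satisfies_formula_1(states, init, trans, prop):
            return states
    return None


def shortest_counterexample(n_bits: int, init: Pred, trans: Trans, prop: Pred, max_k: int):
    """Increase the bound progressively and return (k, witness) for the
    smallest k that has one, or None if no bound up to max_k does."""
    for k in range(max_k + 1):
        witness = bmc_globally(n_bits, init, trans, prop, k)
        if witness is not None:
            return k, witness
    return None


if __name__ == "__main__":
    buggy = shift_register_trans(buggy=True)
    print("k=2 witness:", bmc_globally(3, any_state, buggy, nonzero, 2))
    print("all-ones assignment:", satisfies_formula_1([(1, 1, 1)] * 3, any_state, buggy, nonzero))
    print("intended register:", shortest_counterexample(3, any_state, shift_register_trans(False), nonzero, 4))
```

For the buggy register the all-ones assignment of the paper satisfies (1), and because 111 is a self-loop the smallest bound with a witness is already k = 0; for the intended register no loop of non-empty states exists, so no bound yields a counterexample.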
An infinite sequence of states $\pi$ is a path if $\pi(i) \to \pi(i+1)$ for all $i \in \mathbb{N}$.

Definition 2 (Semantics). Let M be a Kripke structure, $\pi$ be a path in M and f be an LTL formula. Then $\pi \models f$ (f is valid along $\pi$) is defined as follows.

$\pi \models p$ iff $p \in \ell(\pi(0))$
$\pi \models \neg p$ iff $p \notin \ell(\pi(0))$
$\pi \models f \wedge g$ iff $\pi \models f$ and $\pi \models g$
$\pi \models f \vee g$ iff $\pi \models f$ or $\pi \models g$
$\pi \models G f$ iff $\forall i.\ \pi^i \models f$
$\pi \models F f$ iff $\exists i.\ \pi^i \models f$
$\pi \models X f$ iff $\pi^1 \models f$
$\pi \models f\,U\,g$ iff $\exists i.\ [\pi^i \models g$ and $\forall j, j < i.\ \pi^j \models f]$
$\pi \models f\,R\,g$ iff $\forall i.\ [\pi^i \models g$ or $\exists j, j < i.\ \pi^j \models f]$

Definition 3 (Validity). An LTL formula f is universally valid in a Kripke structure M (in symbols $M \models A f$) iff $\pi \models f$ for all paths $\pi$ in M with $\pi(0) \in I$. An LTL formula f is existentially valid in a Kripke structure M (in symbols $M \models E f$) iff there exists a path $\pi$ in M with $\pi \models f$ and $\pi(0) \in I$.

Determining whether an LTL formula f is existentially (resp. universally) valid in a given Kripke structure is called an existential (resp. universal) model checking problem.

In conformance to the semantics of CTL* [8], it is clear that an LTL formula f is universally valid in a Kripke structure M iff $\neg f$ is not existentially valid. In order to solve the universal model checking problem, we negate the formula and show that the existential model checking problem for the negated formula has no solution. Intuitively, we are trying to find a counterexample, and if we do not succeed then the formula is universally valid. Therefore, in the theory part of the paper we only consider the existential model checking problem.

The basic idea of bounded model checking is to consider only a finite prefix of a path that may be a solution to an existential model checking problem. We restrict the length of the prefix by a certain bound k. In practice we progressively increase the bound, looking for longer and longer possible counterexamples.

A crucial observation is that, though the prefix of a path is finite, it still might represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states (see Figure 2(b)). If there is no such back loop (see Figure 2(a)), then the prefix does not say anything about the infinite behavior of the path. For instance, only a prefix with a back loop can represent a witness for $G p$. Even if p holds along all the states from $s_0$ to $s_k$, but there is no back loop from $s_k$ to a previous state, then we cannot conclude that we have found a witness for $G p$, since p might not hold at $s_{k+1}$.

[Fig. 2. The two cases for a bounded path. (a) no loop: states $s_i, \dots, s_k$ with no back edge; (b) $(k, l)$-loop: states $s_i, \dots, s_l, \dots, s_k$ with a back edge from $s_k$ to $s_l$.]

Definition 4. For $l \le k$ we call a path $\pi$ a $(k, l)$-loop if $\pi(k) \to \pi(l)$ and $\pi = u \cdot v^{\omega}$ with $u = (\pi(0), \dots, \pi(l-1))$ and $v = (\pi(l), \dots, \pi(k))$. We call $\pi$ simply a k-loop if there is an $l \in \mathbb{N}$ with $l \le k$ for which $\pi$ is a $(k, l)$-loop.

We give a bounded semantics that is an approximation to the unbounded semantics of Definition 2. It allows us to define the bounded model checking problem, and in the next section we will give a translation of a bounded model checking problem into a satisfiability problem. In the bounded semantics we only consider a finite prefix of a path. In particular, we only use the first $k + 1$ states ($s_0, \dots, s_k$) of a path to determine the validity of a formula along that path. If a path is a k-loop then we simply maintain the original LTL semantics, since all the information about this (infinite) path is contained in the prefix of length k.

Definition 5 (Bounded Semantics for a Loop). Let $k \in \mathbb{N}$ and $\pi$ be a k-loop. Then an LTL formula f is valid along the path $\pi$ with bound k (in symbols $\pi \models_k f$) iff $\pi \models f$.

Assume that $\pi$ is not a k-loop. Then the formula $f := F p$ is valid along $\pi$ in the unbounded semantics if we can find an index $i \in \mathbb{N}$ such that p is valid along the suffix $\pi^i$ of $\pi$. In the bounded semantics the $(k+1)$-th state $\pi(k)$ does not have a successor.
Therefore, we cannot define the bounded semantics recursively over suffixes (e.g. $\pi^i$) of $\pi$. We keep the original $\pi$ instead but add a parameter i in the definition of the bounded semantics and use the notation $\models^i_k$. The parameter i is the current position in the prefix of $\pi$. In Lemma 7 we will show that $\pi \models^i_k f$ implies $\pi^i \models f$.

Definition 6 (Bounded Semantics without a Loop). Let $k \in \mathbb{N}$, and let $\pi$ be a path that is not a k-loop. Then an LTL formula f is valid along $\pi$ with bound k (in symbols $\pi \models_k f$) iff $\pi \models^0_k f$ where

$\pi \models^i_k p$ iff $p \in \ell(\pi(i))$
$\pi \models^i_k \neg p$ iff $p \notin \ell(\pi(i))$
$\pi \models^i_k f \wedge g$ iff $\pi \models^i_k f$ and $\pi \models^i_k g$
$\pi \models^i_k f \vee g$ iff $\pi \models^i_k f$ or $\pi \models^i_k g$
$\pi \models^i_k G f$ is always false
$\pi \models^i_k F f$ iff $\exists j, i \le j \le k.\ \pi \models^j_k f$
$\pi \models^i_k X f$ iff $i < k$ and $\pi \models^{i+1}_k f$
$\pi \models^i_k f\,U\,g$ iff $\exists j, i \le j \le k.\ \pi \models^j_k g$ and $\forall n, i \le n < j.\ \pi \models^n_k f$
$\pi \models^i_k f\,R\,g$ iff $\exists j, i \le j \le k.\ \pi \models^j_k f$ and $\forall n, i \le n \le j.\ \pi \models^n_k g$

Note that if $\pi$ is not a k-loop, then we say that $G f$ is not valid along $\pi$ in the bounded semantics with bound k, since f might not hold along $\pi^{k+1}$. Similarly, the case for $f\,R\,g$ where g always holds and f is never fulfilled has to be excluded. These constraints imply that for the bounded semantics the duality of G and F ($\neg F f \equiv G \neg f$) and the duality of R and U ($\neg(f\,U\,g) \equiv \neg f\,R\,\neg g$) no longer hold.

The existential and universal bounded model checking problems are defined in the same manner as in Definition 3. Now we describe how the existential model checking problem ($M \models E f$) can be reduced to a bounded existential model checking problem ($M \models_k E f$).

Lemma 7. Let h be an LTL formula and $\pi$ a path, then $\pi \models_k h \Rightarrow \pi \models h$.

Proof. If $\pi$ is a k-loop then the conclusion follows by definition. In the other case we assume that $\pi$ is not a loop. Then we prove by induction over the structure of h and $i \le k$ the stronger property $\pi \models^i_k h \Rightarrow \pi^i \models h$. We only consider the most complicated case $h = f\,R\,g$.

$\pi \models^i_k f\,R\,g$
$\Rightarrow \exists j, i \le j \le k.\ \pi \models^j_k f$ and $\forall n, i \le n \le j.\ \pi \models^n_k g$
$\Rightarrow \exists j, i \le j \le k.\ \pi^j \models f$ and $\forall n, i \le n \le j.\ \pi^n \models g$
$\Rightarrow \exists j, i \le j.\ \pi^j \models f$ and $\forall n, i \le n \le j.\ \pi^n \models g$
Let $j' = j - i$ and $n' = n - i$:
$\Rightarrow \exists j'.\ \pi^{i+j'} \models f$ and $\forall n', n' \le j'.\ \pi^{i+n'} \models g$
$\Rightarrow \exists j.\ \pi^{i+j} \models f$ and $\forall n, n \le j.\ \pi^{i+n} \models g$
$\Rightarrow \forall n.\ \pi^{i+n} \models g$ or $\exists j, j < n.\ \pi^{i+j} \models f$
$\Rightarrow \pi^i \models f\,R\,g$

In the next-to-last step we used the following fact:

$\exists m.\ [\pi^m \models f$ and $\forall l, l \le m.\ \pi^l \models g] \Rightarrow \forall n.\ [\pi^n \models g$ or $\exists j, j < n.\ \pi^j \models f]$

Assume that m is the smallest number such that $\pi^m \models f$ and $\pi^l \models g$ for all l with $l \le m$. In the first case we consider $n > m$. Based on the assumption, there exists $j < n$ such that $\pi^j \models f$ (choose $j = m$). The second case is $n \le m$. Because $\pi^l \models g$ for all $l \le m$ we have $\pi^n \models g$ for all $n \le m$. Thus, for all n we have proven that the disjunction on the right hand side is fulfilled.

Lemma 8. Let f be an LTL formula and M a Kripke structure. If $M \models E f$ then there exists $k \in \mathbb{N}$ with $M \models_k E f$.

Proof. In [3, 5, 12] it is shown that an existential model checking problem for an LTL formula f can be reduced to FairCTL model checking of the formula $EG\,\mathit{true}$ in a certain product Kripke structure. This Kripke structure is the product of the original Kripke structure and a "tableau" that is exponential in the size of the formula f in the worst case. If the LTL formula f is existentially valid in M then there exists a path in the product structure that starts with an initial state and ends with a cycle in the strongly connected component of fair states. This path can be chosen to be a k-loop with k bounded by $|S| \cdot 2^{|f|}$, which is the size of the product structure. If we project this path onto its first component, the original Kripke structure, then we get a path $\pi$ that is a k-loop and in addition fulfills $\pi \models f$. By definition of the bounded semantics this also implies $\pi \models_k f$.

The main theorem of this section states that, if we take all possible bounds into account, then the bounded and unbounded semantics are equivalent.

Theorem 9. Let f be an LTL formula, M a Kripke structure. Then $M \models E f$ iff there exists $k \in \mathbb{N}$ with $M \models_k E f$.

4 Translation

In the previous section, we defined the semantics for bounded model checking. We now reduce bounded model checking to propositional satisfiability. This reduction enables us to use efficient propositional decision procedures to perform model checking. Given a Kripke structure M, an LTL formula f and a bound k, we will construct a propositional formula $[\![M, f]\!]_k$. The variables $s_0, \dots, s_k$ in $[\![M, f]\!]_k$ denote a finite sequence of states on a path $\pi$. Each $s_i$ is a vector of state variables. The formula $[\![M, f]\!]_k$ essentially represents
constraints on s0 ... sk such that M f k is satisfiable iff f is valid along π. The size of M f k is polynomial in the size of f if common subformulas are shared (as in our tool BMC). It is quadratic in k and linear in the size of the propositional formulas for T, I and the p A. Thus, existential bounded model checking can be reduced in polynomial time to propositional satisfiability. To construct M f k, we first define a propositional formula M k that constrains s0 ... sk to be on a valid path π in M. Second, we give the translation of an LTL formula f to a propositional formula that constrains π to satisfy f.

Definition 10 (Unfolding the Transition Relation). For a Kripke structure M, k IN
M k : I s0 T si si1 i0 k1

Depending on whether a path is a k-loop or not (see Figure 2), we have two different translations of the temporal formula f. In Definition 11 we describe the translation if the path is not a loop ("i k"). The more technical translation where the path is a loop ("l i k") is given in Definition 13. Consider the formula h : p U q and a path π that is not a k-loop for a given k IN (see Figure 2(a)). Starting at πi for i IN with i k the formula h is valid along πi with respect to the bounded semantics iff there is a position j with i j k and q holds at πj. In addition, for all states πn with n IN starting at πi up to πj1 the proposition p has to be fulfilled. Therefore the translation is simply a disjunction over all possible positions j at which q eventually might hold. For each of these positions a conjunction is added that ensures that p holds along the path from πi to πj1.
Similar reasoning leads to the translation of the other temporal operators. The translation "i k" maps an LTL formula into a propositional formula. The parameter k is the length of the prefix of the path that we consider and i is the current position in this prefix (see Figure 2(a)). When we recursively process subformulas, i changes but k stays the same. Note that we define the translation of any formula G f as . This translation is consistent with the bounded semantics.

Definition 11 (Translation of an LTL Formula without a Loop). For an LTL formula f and k i IN, with i k
p i k : p si
p i k : p si
f g i k : f i k g i k
f g i k : f i k g i k
G f i k :
F f i k : k j i f j k
X f i k : if i k then f i1 k else
f U g i k : k j i g j k j1 n i f n k
f R g i k : k j i f j k j n i g n k

Now we consider the case where the path is a k-loop. The translation "l i k" of an LTL formula depends on the current position i and on the length of the prefix k. It also depends on the position where the loop starts (see Figure 2(b)). This position is denoted by l for loop.

Definition 12 (Successor in a Loop). Let k l i IN, with l i k. Define the successor succ i of i in a k l-loop as succ i : i1 for i k and succ i : l for i k.

Definition 13 (Translation of an LTL Formula for a Loop). Let f be an LTL formula, k l i IN, with l i k.
l p i k : p si
l p i k : p si
l f g i k : l f i k l g i k
l f g i k : l f i k l g i k
l G f i k : k j min i l l f j k
l F f i k : k j min i l l f j k
l X f i k : l f succ i k
l f U g i k : k j i l g j k j1 n i l f n k i1 j l l g j k k n i l f n k j1 n l l f n k
l f R g i k : k j min i l l g j k k j i l f j k j n i l g n k i1 j l l f j k k n i l g n k j n l l g n k

The translation of the formula depends on the shape of the path (whether it is a loop or not). We now define a loop condition to distinguish these cases.

Definition 14 (Loop Condition). For k l IN, let
l L k : T sk sl
L k : k l0 l L k

Definition 15 (General Translation). Let f be an LTL formula, M a Kripke structure and k IN
M f k : M k L k f 0 k k l0 l L k l f 0 k

The left side of the disjunction is the case where there is no back
loop and the translation without a loop is used. On the right side all possible starts l of a loop are tried and the translation for a k l-loop is conjuncted with the corresponding l L k loop condition.

Theorem 16. M f k is satisfiable iff M k E f.

Corollary 17. M A f iff M f k is unsatisfiable for all k IN.

5 Determining the bound

In Section 3 we have shown that the unbounded semantics is equivalent to the bounded semantics if we consider all possible bounds. This equivalence leads to a straightforward LTL model checking procedure. To check whether M E f, the procedure checks M k E f for k 0 1 2 .... If M k E f, then the procedure proves that M E f and produces a witness of length k. If M E f, we have to increment the value of k indefinitely, and the procedure does not terminate. In this section we establish several bounds on k. If M k E f for all k within the bound, we conclude that M E f.

5.1 ECTL

ECTL is a subset of ECTL* where each temporal operator is preceded by one existential path quantifier. We have extended bounded model checking to handle ECTL formulas. Semantics and translation for ECTL formulas can be found in the full version of this paper. In general, better bounds can be derived for ECTL formulas than for LTL formulas. The intersection of the two sets of formulas includes many temporal properties of practical interest (e.g. EF p and EG p). Therefore, we include the discussion of bounds for ECTL formulas in this section.

Theorem 18. Given an ECTL formula f and a Kripke structure M. Let M be the number of states in M, then M E f iff there exists k M with M k E f.

In symbolic model checking, the number of states in a Kripke structure is bounded by 2n, where n is the number of boolean variables to encode the Kripke structure.
Typical model checking problems involve Kripke structures with tens or hundreds of boolean variables. The bound given in Theorem 18 is often too large for practical problems.

Definition 19 (Diameter). Given a Kripke structure M, the diameter of M is the minimal number d IN with the following property. For every sequence of states s0 ... sd1 with si si1 T for i d, there exists a sequence of states t0 ... tl where l d such that t0 s0, tl sd1 and tj tj1 T for j l. In other words, if a state v is reachable from a state u, then v is reachable from u via a path of length d or less.

Theorem 20. Given an ECTL formula f : EF p and a Kripke structure M with diameter d, M EF p iff there exists k d with M k EF p.

Theorem 21. Given a Kripke structure M, its diameter d is the minimal number that satisfies the following formula.
s0 ... sd1 t0 ... td d i0 T si si1 t0 s0 d1 i0 T ti ti1 d i0 ti sd1

For a Kripke structure with explicit state representation, well-known graph algorithms can be used to determine its diameter. For a Kripke structure M with a boolean encoding, one may verify that d is indeed a diameter of M by evaluating a quantified boolean formula (QBF), shown in Theorem 21. We conjecture that a quantified boolean formula is necessary to express the property that d is the diameter of M. Unfortunately, we do not know of an efficient decision procedure for QBF.

Definition 22 (Recurrence Diameter). Given a Kripke structure M, its recurrence diameter is the minimal number d IN with the following property. For every sequence of states s0 ... sd1 with si si1 T for i d, there exists j d such that sd1 sj.
Theorem 23. Given an ECTL formula f and a Kripke structure M with recurrence diameter d, M E f iff there exists k d with M k E f.

Theorem 24. Given any Kripke structure M, its recurrence diameter d is the minimal number that satisfies the following formula
s0 ... sd1 d i0 T si si1 d i0 si sd1

The recurrence diameter in Definition 22 is a bound on k for bounded model checking that is applicable for all ECTL formulas. The property of a recurrence diameter can be expressed as a propositional formula as shown in Theorem 24. We may use a propositional decision procedure to determine whether a number d is the recurrence diameter of a Kripke structure. The bound based on recurrence diameter is not as tight as that based on the diameter. For example, in a fully connected Kripke structure, the graph diameter is 1 while the recurrence diameter equals the number of states.

5.2 LTL

LTL model checking is known to be PSPACE-complete [15]. In Section 4, we reduced bounded LTL model checking to propositional satisfiability and thus showed that it is in NP. Therefore, a polynomial bound on k with respect to the size of M and f for which M k E f M E f is unlikely to be found. Otherwise, there would be a polynomial reduction of LTL model checking problems to propositional satisfiability and thus PSPACE = NP.

Theorem 25. Given an LTL formula f and a Kripke structure M, let M be the number of states in M, then M E f iff there exists k M 2f with M k E f.

For the subset of LTL formulas that involves only the temporal operators F and G, LTL model checking is NP-complete [15]. For this subset of LTL formulas, it can be shown that there exists a bound on k linear in the number of states and the size of the formula.
Definition 26 (Loop Diameter). We say a Kripke structure M is lasso shaped if every path p starting from an initial state is of the form up vpω, where up and vp are finite sequences of length less or equal to u and v, respectively. We define the loop diameter of M as u v.

Theorem 27. Given an LTL formula f and a lasso-shaped Kripke structure M, let the loop diameter of M be u v, then M E f iff there exists k u v with M k E f.

Theorem 27 shows that for a restricted class of Kripke structures, small bounds on k exist. In particular, if a Kripke structure is lasso shaped, k is bounded by u v, where u v is the loop diameter of M.

6 Experimental Results

We have implemented a model checker BMC based on bounded model checking. Its input language is a subset of the SMV language [14]. It outputs an SMV program or a propositional formula. For the propositional output mode, two different formats are supported. The first format is the DIMACS format [10] for satisfiability problems. The SATO tool [18] is a very efficient implementation of the Davis & Putnam Procedure [7] and it uses the DIMACS format. We also support the input format of the PROVE Tool [1] which is based on Stålmarck's Method [16]. As benchmarks we chose examples where BDDs are known to behave badly. First we investigated a sequential multiplier, the sequential shift and add multiplier of [6]. We formulated as model checking problem the following property: when the sequential multiplier is finished its output is the same as the output of a combinational multiplier (the C6288 circuit from the ISCAS'85 benchmarks) applied to the same input words.
These multipliers are 16x16 bit multipliers but we only allowed 16 output bits as in [6] together with an overflow bit. We proved the property for each output bit individually and the results are shown in Table 1. For SATO we conducted two experiments to study the effect of the '-g' parameter that controls the maximal size of cached clauses. We picked a very small value ('-g 5') and a very large value ('-g 50'). Note that the overflow bit depends on all the bits of the sequential multiplier and occurs in the specification. Thus, cone of influence reduction could not remove anything.

[Table 1: per output bit, running time (sec) and memory (MB) for SMV2 and for SATO with -g 50, plus a sum row; the numeric cells were flattened beyond recovery in this extraction.]
A Survey of Schedulability Verification for ARINC653 Real-Time Systems
A BDD, however, contains a large number of repeated states. To reduce storage, Bryant proposed the ordered binary decision diagram (OBDD), which removes redundancy and merges isomorphic subtrees; many researchers have since optimized OBDDs, and the number of states this method can verify has already exceeded.
MC, however, has an unavoidable problem: as the system grows, the number of states grows exponentially, so that with limited time and space no conclusion can be reached. State compression, storage compression, compositional verification and similar methods alleviate state explosion to some degree, but cannot solve the problem fundamentally.
In 2013 J. Boudjadar et al. [13] built a verification framework for multi-level single-processor real-time systems and used UPPAAL to verify schedulability with both MC and SMC; MC, however, may suffer state explosion during verification, and SMC yields only approximate results.
In 2015 Fu Ning et al. [14] built an ARINC653 system model in AADL and proposed translating the AADL model into an UPPAAL model for schedulability verification, but did not consider task preemption. In the same year Dai Shengxin of Sichuan University proposed in [15] a schedulability analysis method for multiprocessor real-time systems that verifies an already partitioned system, brings the management of task dependencies into the model, and uses SMC to verify schedulability; it obtained approximate verification results and compared how confidence and precision affect the SMC verification time.
Information Technology and Informatization (Computer Applications), 2021, No. 6
verified the schedulability of a distributed avionics system. Compared with Jalil Boudjadar, introducing SMC quickly gives an approximate global verification of the system and shortens the time needed to verify and reconfigure it, while combining MC to verify the partitions in groups gives exact conclusions; neither, however, considers dependencies between tasks.
4 Conclusion
limitations. In 1994 Tindell and Clark proposed a schedulability analysis method based on a preemptive static-priority policy that computes each task's worst-case response time; a task is considered schedulable when its worst-case response time does not exceed its deadline. This method is more precise than the one proposed by Liu and Layland, and many domestic researchers have built on it to verify the schedulability of ARINC653 systems. In 2011 Zhou Tianran [1] derived an upper bound on the response time of periodic hard real-time tasks in ARINC653 systems, also took aperiodic soft real-time tasks into account, and obtained conditions for task schedulability. However, that work divides tasks into periodic hard real-time and aperiodic soft real-time tasks and assumes that each partition encapsulates one type of task, which does not match practice. In 2015 Gao Xiaoguang [2] proposed a fast method for computing an upper bound on task response time and derived a schedulability analysis method from it, but at the cost of response-time accuracy, so its results deviate somewhat from actual values.
Lecture 2-13: the classic textbook Analysis of Financial Time Series by Ruey S. Tsay, English third edition, with the latest complete 2013 lecture notes
This is called the mean-reversion of the AR(1) process. The variance of the forecast error approaches $\mathrm{Var}[e_n(\,)] = \dfrac{\sigma_a^2}{1-\phi_1^2} = \mathrm{Var}(r_t)$.
6. Autocorrelations: $\rho_1 = \phi_1$, $\rho_2 = \phi_1^2$, etc. In general, $\rho_k = \phi_1^k$, and the ACF $\rho_k$ decays exponentially as $k$ increases.
7. Forecast (minimum squared error): Suppose the forecast origin is $n$. For simplicity, we shall use the model representation in (1)
(g) Behavior of multi-step ahead forecasts. In general, for the -step ahead forecast at n, we have ˆ n ( ) = φ 1 xn , x the forecast error en( ) = an+ + φ1an+ −1 + · · · + φ1−1an+1, and the variance of forecast error Var[en( )] = (1 + φ2 1 + · · · + φ1 In particular, as → ∞, x ˆ n ( ) → 0, i.e., r ˆn( ) → µ.
Model Checking Methods and Tools in Software Testing
In software development, testing is a crucial phase: it aims to find and fix defects in the system and to ensure the quality and reliability of the software.
As software grows in scale and complexity, traditional testing methods often cannot meet the need, so model checking methods and tools have become an important technique in software testing.
Model checking is a formal verification method: it analyzes and reasons about a model of the system to verify whether the system satisfies certain properties.
In software testing, model checking helps testers find latent errors, defects and security risks and improves testing efficiency and coverage.
One commonly used model checking method is symbolic model checking.
Symbolic model checking converts the system's state space into a Boolean-algebraic form and uses symbolic computation for reasoning and verification.
It can automatically detect deadlocks, safety problems, performance bottlenecks and the like in a system.
Commonly used symbolic model checking tools include NuSMV and SPIN.
NuSMV is an open-source tool based on symbolic model checking that supports modeling and analysis of finite state machines (FSMs) and temporal logic.
NuSMV provides a rich language and algorithm library for verifying the behavior and properties of a system.
With NuSMV, testers can quickly build a model and verify and reason about it automatically.
SPIN is a commonly used tool based on symbolic model checking; it describes the system model in the Promela language and analyzes it by simulation and verification.
SPIN provides powerful model checking capabilities and can effectively detect deadlocks, data races and resource allocation problems in a system.
It also supports the definition of properties and assertions, which makes it convenient for testers to verify system properties.
Besides symbolic model checking, another commonly used model checking method is modal model checking.
Modal model checking models and verifies the behavior and properties of a system using modal logic.
Commonly used modal model checking tools include PRISM and UPPAAL.
PRISM is a commonly used tool based on modal model checking; it is mainly used for modeling and analyzing probabilistic systems.
PRISM combines probabilistic models with modal logic and can verify the reliability and performance of a system.
It supports the definition of many kinds of properties, such as probability reachability, timing constraints and resource allocation.
Model checking large software specifications
large system requirements specification using symbolic model checking. In our experiment, we translated (Sections 3 and 4) a significant portion of a preliminary version of the Traffic Alert and Collision Avoidance System II (TCAS II) System Requirements Specification from the Requirements State Machine Language (RSML) [44] into input to the Symbolic Model Verifier (SMV) [45]. TCAS II is an aircraft collision avoidance system required on many commercial aircraft and has been described as “the most complex system to be incorporated into the avionics of commercial aircraft” [44, p. 685]. We were able to control the size of the BDDs representing the specification (Section 5) so that we could analyze a number of properties (Section 6). These include general robustness properties as well as some safety-critical properties specific to the domain. Our objective was to test the effectiveness of model checking on software systems, so our experiences in applying the technology are more important than the individual results. One intent is to convey how we overcame some key obstacles, with the hope that most or all of these techniques are applicable to other situations. We stress two approaches that we found crucial in overcoming the complexity and size of the specification, making it more amenable to symbolic model checking: the use of nondeterministic modeling primarily to abstract nonlinear arithmetic and to allow checking part of the specification, and the use of an iterative process to analyze the specification. We discuss related work (Section 7), as well as point out some limitations of the current model-checking techniques and tools, and suggest some future research directions (Section 8). Our analysis was based on preliminary versions of the specification, mainly on the version 6.00, dated March 1993. We
Development and Application of a Virtual Simulation Experimental Teaching Platform for Automobile Engines
Modern Electronics Technique, Sep. 1, 2022, Vol. 45 No. 17. 0 Introduction: "Engine Construction", "Engine Principles" and "Engine Design" are core courses of the Energy and Power Engineering (automobile engine) major. To deepen students' understanding of engine structure, working process and working principles, ten experimental teaching projects were also set up, including "Engine Speed Characteristic Experiment", "Engine Combustion Parameter Adjustment Characteristic Experiment" and "Engine Valve Motion Law" [1].
While these experimental projects were being run, problems such as scarce teaching resources, serious safety hazards in student operation and incomplete coverage of knowledge points arose, so the advantages of experimental teaching were not fully realized [2].
Development and Application of a Virtual Simulation Experimental Teaching Platform for Automobile Engines
FAN Luyan, QU Dawei, SU Yan, YANG Shuo (College of Automotive Engineering, Jilin University, Changchun 130025, China)
Abstract: Automobile engine experiment course is an important part to improve students' professional practical ability. However, the process of the traditional experimental teaching platform construction is time-consuming, energy-consuming and effort-consuming. In addition, with the limitation of experimental site and cost, students have low degree of freedom and participation in experiments. Therefore, a virtual simulation experimental teaching platform for automobile engine is set up. On the platform, the CA4DD diesel engine is taken as the modeling object. On the basis of the structural analysis of the CA4DD diesel engine, CRUISE-M is used to complete the model building, including the engine intake & exhaust subsystem and the EGR subsystem, and the model building, parameter input and model checking of the whole engine. The virtual simulation experiment of diesel engine combustion parameter adjustment characteristics is taken as an example. The experiment procedures are designed to show the practical application of the platform. According to the built one-dimensional performance simulation model of CA4DD, students can realize the upgrade of the traditional experimental teaching platform and expand the existing experimental projects by CRUISE-M online and offline simulation methods after classroom teaching demonstration and self-study. The platform can enrich the experiment content, make up for the defects of the current practical teaching of engine major, broaden the knowledge field of students and improve their learning interests and practical abilities.
Keywords: automobile engine; experimental teaching platform; virtual simulation; CRUISE-M; intake and exhaust; EGR; cylinder; model building
CLC number: TN02-34; G434. Document code: A. Article ID: 1004-373X(2022)17-0163-06. DOI: 10.16652/j.issn.1004-373x.2022.17.030
Citation: FAN Luyan, QU Dawei, SU Yan, et al. Development and application of automobile engine virtual simulation experimental teaching platform [J]. Modern Electronics Technique, 2022, 45(17): 163-168.
Received 2022-01-21; revised 2022-02-18. Funding: National Natural Science Foundation of China general project (51876079); Jilin University teaching reform project (2019XYB156).
To address the above problems, this paper uses the one-dimensional powertrain simulation software CRUISE-M to build whole-engine models of a typical gasoline engine and a typical diesel engine, analyzes how engine structural parameters, control parameters and environmental parameters affect the combustion process, power, fuel economy and emissions, and completes the development of the virtual simulation experimental teaching platform, which extends the range of knowledge points covered by experimental teaching, raises students' initiative and participation, and strengthens their understanding of the relevant knowledge.
Design and Implementation of an Automatic Translator from State Transition Diagrams to SMV Programs
SHANGHAI UNIVERSITY Undergraduate Project (Thesis)
Title: Design and Implementation of an Automatic Translator from State Transition Diagrams to SMV Programs. College: School of Computer Engineering and Science. Major: Computer Science and Technology. Student ID: (not filled in). Student name: (not filled in). Supervisor: Miao Huaikou. Period: 2014.2.21 to 2014.5.30.
Contents
Abstract (Chinese)
Abstract (English)
Chapter 1 Introduction
1.1 Background and significance of the topic
1.2 State of the art at home and abroad
1.3 Research content
Chapter 2 Related technologies and development tools
2.1 Diagramming tools
2.1.1 ArgoUML
2.1.2 Jude
2.2 Development tools
2.3 The Java language
Chapter 3 Feasibility and requirements analysis
3.1 Feasibility analysis
3.2 Functional requirements analysis
3.2.1 System function flow design
3.2.2 User interface design
3.3 Performance requirements analysis
Chapter 4 System design and implementation
4.1 Converting state transition diagrams to XMI (XML)
4.2 Parsing XMI (XML)
4.2.1 Parsing XMI
4.2.2 Parsing XML
4.3 Translating the parsed representation into SMV
4.4 Verifying the SMV program
4.5 User interface design
4.5.1 Open file
4.5.2 Save
4.5.3 Convert
4.5.4 Exit
Chapter 5 System demonstration
5.1 User interface demonstration
5.2 Parsing tests and conversion of state transition diagrams
5.2.1 The dg.xmil state chart and its parse test results
5.2.2 The TestGenerator.xmi state chart and its parse test results
5.2.3 The SMV program generated from TestGenerator.xmi
5.2.4 The mc-statechart.xmi state chart and its parse test results
5.2.5 The SMV program generated from mc-statechart.xmi
Chapter 6 Conclusion and outlook
6.1 Conclusion
6.2 Outlook
Acknowledgements
References
Appendix: partial source code listing
Abstract: With the rapid development of the Internet, society has gradually entered the information age.
A Method for Dynamically Reducing the Reachability Search Space of Timed Automata
3) This research was supported by the National Natural Science Foundation of China (No. 60573085) and the National Basic Research Program of China (973 Program, No. 2002CB312001).
Chen Mingsong, master's student; research interests: model checking, software testing. Zhao Jianhua, professor and master's supervisor; research interests: formal methods, software engineering and programming languages. Li Xuandong, professor and doctoral supervisor; research interests: object-oriented technology, formal methods. Zheng Guoliang, professor and doctoral supervisor; research interests: software engineering, software development environments and object-oriented technology.
Computer Science, 2007, Vol 134 No. 11
A Method for Dynamically Reducing the Reachability Search Space of Timed Automata 3)
Chen Mingsong, Zhao Jianhua, Li Xuandong, Zheng Guoliang (State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing 210093)
Abstract: Reachability analysis algorithms for timed automata usually traverse the state space by enumerating symbolic states. A symbolic state consists of a location and a time zone, and a time zone is represented by a conjunction of atomic formulae of the form x - y ≤ (<) n. During the reachability analysis of a timed automaton the algorithm generates a large number of symbolic states, which often pushes the memory requirement beyond what is feasible. This paper presents a method for reducing the number of symbolic states. By analyzing the dependence relation between symbolic states, the method removes certain atomic formulae from time zones without affecting the analysis result, thereby expanding the symbolic states. An expanded symbolic state contains more of the other states; deleting the contained symbolic states reduces the number of states the algorithm stores and saves memory. The paper closes with case studies showing that the algorithm effectively reduces the memory needed for the reachability analysis of certain timed automata.
Keywords: timed automata, model checking, symbolic state, time zone
An Algorithm to Dynamically Reduce the State Space of Timed Automata during the Reachability Analysis
CHEN Ming-Song, ZHAO Jian-Hua, LI Xuan-Dong, ZHENG Guo-Liang (National Laboratory of Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing 210093)
Abstract: The reachability analysis algorithm explores the state space of a timed automaton by enumeration of symbolic states. Each symbolic state consists of a location and a time zone, which are conjunctions of atomic formulae in the form x - y ≤ (<) n. Sometimes the amount of generated symbolic states is very large, and the memory required to store the generated symbolic states is not feasible. In this paper, we present an approach to reduce the memory requirement of the reachability analysis algorithm. By analyzing the dependence relation between symbolic states, we can expand some of the symbolic states by removing specific kinds of atomic formulae without changing the reachability analysis result. The expanded states can contain more symbolic states. Removing these contained states can reduce the memory requirement of reachability analysis. The case studies presented in this paper show that our algorithm can save memory in practical applications efficiently.
Keywords: Timed automata, Model checking, Symbolic state, Time zone
1 Introduction
Model checking [1] is a formal technique used to automatically verify finite-state systems.
Model Checking (lecture slides)
Given an abstraction function h : S Sh, the concrete states are grouped and mapped into abstract states of the abstract model Mh. Preservation Theorem?
If M has partial behavior of N, we say that "N simulates M": M N.
Counterexample-Guided Abstraction Refinement (for C, SpecC, Verilog):
generate the initial abstraction Mh;
model check Mh: if Mh |= the property, stop;
otherwise generate a counterexample Th and check whether the counterexample is spurious;
if Th is not spurious, stop.
LTL determines patterns on infinite traces. It is built from atomic propositions (a), Boolean operations and temporal operators:
a: "a is true now"
Xa: "a is true in the neXt state"
Fa: "a will be true in the Future"
Ga: "a will be Globally true in the future"
aUb: "a will hold true Until b becomes true"
Software Formal Verification: Symbolic Model Checking. He Fei, School of Software, Tsinghua University, March 2010.

Symbolic Model Checking
Using symbolic BDD techniques, an FSM can be traversed without explicitly constructing the STG. A BDD is used to represent a set of states or a machine's transition relation. The basic idea underlying symbolic methods is to be able to represent very large sets of states concisely and to manipulate them as if they were in bulk. This technique is more powerful than the explicit graph-based methods and has successfully handled machines with more than 10^20 states.

Notations
Let M = (S, R, L) be a Kripke structure. For a CTL formula f, denote by SAT(f) the set of states which satisfy f, i.e. SAT(f) = {s ∈ S | s |= f}. For a set X ⊆ S, define
Pre∃(X) = {s ∈ S | ∃s', R(s, s') ∧ s' ∈ X}
Pre∀(X) = {s ∈ S | ∀s', R(s, s') → s' ∈ X}
Pre∀(X) = S − Pre∃(S − X)

MC Algorithms (in terms of sets)
function SAT(f)  /* determine the set of states satisfying f */
begin case
  f is True:        return S;
  f is False:       return ∅;
  f is atomic:      return {s ∈ S | f ∈ L(s)};
  f is ¬f1:         return S − SAT(f1);
  f is f1 ∧ f2:     return SAT(f1) ∩ SAT(f2);
  f is f1 ∨ f2:     return SAT(f1) ∪ SAT(f2);
  f is f1 → f2:     return SAT(¬f1 ∨ f2);
  f is AX f1:       return SAT(¬EX ¬f1);
  f is EX f1:       return Pre∃(f1);
  f is A(f1 U f2):  return SAT(¬(E[¬f2 U (¬f1 ∧ ¬f2)] ∨ EG ¬f2));
  f is E(f1 U f2):  return SAT_EU(f1, f2);
  f is EF f1:       return SAT(E(True U f1));
  f is EG f1:       return SAT_EG(f1);
  f is AF f1:       return SAT(¬EG ¬f1);
  f is AG f1:       return SAT(¬EF ¬f1);
end case
end function

Symbolic Model Checking Algorithm
function SAT_EG(f)
  Y = SAT(f); X = S;
  repeat until X == Y
    X = Y;
    Y = Y ∩ pre∃(Y)
  return Y
end

function SAT_EU(f1, f2)
  W = SAT(f1); X = ∅; Y = SAT(f2);
  repeat until X == Y
    X = Y;
    Y = Y ∪ (W ∩ pre∃(Y))
  return Y
end

Implementation Issues
To implement the iterative computation of SAT(f), we need: a symbolic representation of SAT(p) for each proposition p; an algorithm to compute pre∃(X) from a symbolic representation of X; algorithms to compute the complement, the union and the intersection of the symbolic representations of the sets; and an algorithm to tell whether two symbolic representations represent the same set. With BDDs, all of the above requirements can be met.

Computation of pre∃(X)
Let X ⊆ S be a set of states, R the transition relation, and B_X and B_R the corresponding BDDs. To compute pre∃(X): construct a BDD B_X' in which each variable v in B_X is replaced by its copy v'; compute B_X' ∧ B_R; apply the abstraction operation ∃v'.

Example: Counter
States (0, 0), (1, 0), (1, 1), (0, 1). State variables: v0, v1. Next-state variables: v0', v1'. Transition relation: R = (v0' ⇔ ¬v0) ∧ (v1' ⇔ (v0 ⊕ v1)).

Symbolic Previous States Computation
B_X(v0, v1) = <0, 0> = <v0 = 0, v1 = 0> = ¬v0 ∧ ¬v1
R(v0, v1, v0', v1') = (v0' ⇔ ¬v0) ∧ (v1' ⇔ (v0 ⊕ v1))
B_X'(v0', v1') = ¬v0' ∧ ¬v1'
B_X'(v0', v1') ∧ R(v0, v1, v0', v1') = (¬v0' ∧ ¬v1') ∧ (v0' ⇔ ¬v0) ∧ (v1' ⇔ (v0 ⊕ v1)) = ¬v0' ∧ ¬v1' ∧ v0 ∧ v1 = f(v0, v1, v0', v1')
∃v0' ∃v1' f(v0, v1, v0', v1') = v0 ∧ v1 = <1, 1>

Correctness
Does the algorithm terminate? Is the algorithm correct? We need the fixpoint theory.

April 25, 2011
Analysis of Model Checking Methods in Software Testing
In software development, testing is a crucial step.
Software testing ensures software quality and reduces the errors and bugs the software produces.
There are many software testing methods; one relatively novel one is model checking.
Model checking is a formal verification method: it represents the states of the software as a finite state machine or a finite state transition system and verifies them with computer algorithms.
This method can be used not only to check the correctness of software systems but also to check communication protocols, hardware circuits and many other kinds of systems.
Model checking methods in software testing can be divided into static model checking and dynamic model checking.
Static model checking. Static model checking analyzes the software's source code at compile time to find code segments that may lead to errors.
Static model checking does not need the input data of a running program, so it saves time and labor in the software testing process.
There are many static model checking methods; the more common ones work by data flow analysis or control flow analysis.
Data flow analysis judges the potential defects of a program by analyzing the data flow in the program and how its variables are used.
For example, if a variable is not initialized on one branch but is used under another condition, undefined behavior may occur.
Data flow analysis can find problems of this kind.
Control flow analysis judges the possible errors in a program by analyzing its execution flow.
For example, if a variable is not initialized or assigned before it is used, undefined behavior may occur.
Control flow analysis can find problems of this kind.
Dynamic model checking. Dynamic model checking detects errors in a software system at run time by simulating the program's behavior paths.
Dynamic model checking needs a suitable set of test cases as input to simulate the program's execution.
Dynamic model checking methods include those based on symbolic execution and those based on simulation.
What is formal verification
Verifying design correctness is an important research topic that receives attention from both academia and industry.
In academia, research on these topics has drawn the world's best mathematicians and computer scientists, spread across the most famous universities, research institutes and companies; in industry, almost all of the world's top IT companies invest heavily in developing their own verification and testing tools.
Moreover, the close cooperation between academia and industry is a prominent feature of this field.
The importance of design correctness verification. Two events bring home the importance of verifying design correctness.
In 1994, the Pentium processor was found to produce a wrong result for a certain floating-point operation, an error that might occur only once in 27,000 years.
Intel paid the huge price of 475 million US dollars to recall the defective Pentium processors.
On June 4, 1996, the Ariane 5 rocket developed by the European Space Agency exploded less than 40 seconds after launch.
The subsequent investigation found that the error occurred when a very large 64-bit floating-point number was converted to a 16-bit signed integer, which raised an exception.
A tiny error destroyed ten years of effort.
These events show that, whether a digital system is used in a high-risk field or in an ordinary household, ensuring design correctness is vital.
Software, hardware and protocols are the three most basic forms that digital system design comprises; any complex digital system is roughly made up of these three parts.
If errors are unavoidable in the design of complex systems, then the only cause of accidents is the lack of complete validation before the product is used, that is, confirming that the system fully implements the designer's intent.
Verification methods and their difficulties. Why is it so difficult to verify the correctness of a system? Let us first look at the main verification methods.
Verification methods to date fall into three kinds: simulation, emulation and formal verification.
Simulation is the traditional verification method and is still the mainstream one.
Simulation applies stimulus signals to the design, computes and observes the output, and judges whether the result matches expectations.
The main drawback of simulation is incompleteness: it can only show the presence of errors, not their absence.
Therefore, simulation is generally suited to finding many obvious design errors early in verification, and is hard pressed to handle complex and subtle ones.
Simulation also depends heavily on the choice of test vectors, and choosing test vectors reasonably and sufficiently to reach high coverage is a very hard problem.
Symbolic Model Checking
Demonstration Programs for CTL and µ-Calculus Symbolic Model Checking
by Martin Richards, mr@uk.ac.cam.cl/users/mr/, Computer Laboratory, University of Cambridge, September 15, 2005

Abstract
This paper presents very simple implementations of Symbolic Model Checkers for both Computational Tree Logic (CTL) and µ-calculus. They are intended to be educational rather than practical. The first program discovers, for a given non-deterministic finite state machine (NFSM), the states for which a given CTL formula holds. The second program does the same job for µ-calculus formulae. For simplicity the number of states in the NFSM has been limited to 32 and a bit pattern representation is used to represent the boolean functions involved. It would be easy to extend both programs to use ordered binary decision diagrams, more normally used in symbolic model checking. The programs include lexical and syntax analysers for the formulae, the model checking algorithms and drivers to exercise them with respect to various simple machines. The programs are implemented in MCPL. A brief summary of MCPL is given at the end.

Keywords: Symbolic model checking, Computational Tree Logic, µ-calculus, finite state machines, boolean functions, bit patterns, MCPL.

Contents
1 Introduction (1)
2 CTL Model Checking (1)
2.1 Computational Tree Logic (1)
2.2 Semantics of CTL (2)
2.3 Syntax Analysis (3)
2.4 The CTL Model Checking Algorithm (4)
2.5 The CTL Model Checker Program (6)
2.6 The Output from the CTL Checker (13)
3 A µ-Calculus Model Checker (17)
3.1 A syntax for µ-calculus (17)
3.2 Semantics of µ-calculus (17)
3.3 Syntax Analysis (19)
3.4 The Model Checking Algorithm (20)
3.5 The µ-Calculus Model Checker Program (22)
3.6 Output from the µ-Calculus Checker (29)
A Summary of MCPL (34)
A.1 Outermost level declarations (34)
A.2 Expressions (34)
A.3 Constant expressions (38)
A.4 Patterns (39)
A.5 Arguments (40)
Bibliography (41)

1 Introduction
This report describes two programs to illustrate how symbolic model checkers work; one uses Computational Tree Logic (CTL) and the other
uses µ-calculus. Symbolic model checking normally relies on the use of ordered binary decision diagrams (OBDDs) to allow substantial problems to be tested, but, for simplicity, these are not used here. Instead, the boolean functions are represented directly using bit patterns of length 32, and the transition relations for the non-deterministic finite state machines (NFSMs) are encoded by 32×32 bit matrices. In this implementation, the size of the NFSMs is thus limited to 32 states, but this is sufficient to illustrate the capabilities of these two logics. The first program presented is essentially an implementation, in MCPL [Ric97], of the algorithm described in Symbolic Model Checking by McMillan [McM93], and the second is based on a paper by Berezin, Clarke, Jha and Marrero [SBM96]. The MCPL code should be comprehensible without previous knowledge of the language, but a brief summary of the language is given at the end.

2 CTL Model Checking
Given a non-deterministic finite state machine (NFSM), we can identify its states using binary integers encoded by a sequence of Booleans (v1, v2, ... vn). We can imagine properties that are satisfied by some states and not others. Such properties can be defined by functions of type {0,1}^n → {0,1}. These functions can be specified by propositional formulae involving the variables (v1, v2, ... vn) and the operators ¬, ∧, ∨, ⇒, and ⇔. But more interesting properties depend also on the transitions of the NFSM; for example: is there a path from the given state to one in which v1 ∧ v2 is true? Many such properties can be described using CTL [CE81], described in the next section. A symbolic model checker is a program to determine for which states a given formula holds with respect to a given NFSM. Often we wish to check that the formula holds for all states. In general, the cost of the algorithm grows exponentially with n, but, by cunning encoding and the use of OBDDs, significant problems can often be solved in reasonable time for even quite large values of n.

2.1 Computational Tree Logic
A CTL formula defines a
function of type{0,1}n→{0,1},whose argument variables(v1,v2,...v n)identify a state in the given NFSM,and whose result22CTL MODEL CHECKING indicates whether the formula is satisfied at this state.For this demonstration,onlyfive variables(a,b,c,d,e)are allowed,limiting the number of NFSM states to32.CTL formulae are formed as follows:•a,b,c,d,e,T,and F are formulae•assuming f and g are formulae then so are:(f),~f,f=g,f&g,f|g,f->g,AX f,AF f,AG f,EX f,EF f,EG f,A(f U g),E(f U g)2.2Semantics of CTLA CTL formula is evaluated with respect to a current state,represented by a 5-tuple of truth values(a,b,c,d,e),and a given NFSM.The meaning of a CTL formula depends on its syntactic form as follows:a is true if and only if a is true in the5-tuple representing the current state. The other simple variables forms are defined similarly.F is false for all states,and T is true for all states.(f)is true if and only if f is satisfied in the current state.~f is true if and only if f is false in the current state.f=g is true if and only if both operands have the same value in the current state.f&g is true if and only if both operands are satisfied in the current state.f|g is true if and only if one or both operands are satisfied in the current state.f->g is equivalent to~f|g.AX f is true if and only if f is true for every immediate successor state.AF f is true if and only if f is true in the current state,or AF f is true for every immediate successor state of which there must be at least one.AG f is true if and only if f is true in the current state and AG f is true for every immediate successor state.EX f is true if and only if f is true for at least one immediate successor state.EF f is true if and only if f is true in the current state,or EF f is true for at least one immediate successor state.EG f is true if and only if f is true in the current state and EG f is true for at least one immediate successor state.2.3Syntax Analysis3A(f U g)is true if and only if g is true in the 
current state,or f is true in the current state and A(f U g)is true for every immediate successor state of which there must be at least one.E(f U g)is true if and only if g is true in the current state,or f is true in the current state and E(f U g)is true for at least one immediate successor state. Note that the semantics given above permit the NFSM to contain states that have no successors.2.3Syntax AnalysisThe program given in Section2.5parses and evaluates various CTL formulae. The structure of the parse tree is as follows:T→[Atom,bits]—a,b,c,d,e,T,F[Not,T f]—~f[Eq,T f,T g]—f=g[And,T f,T g]—f&g[Or,T f,T g]—f|g[Imp,T f,T g]—f->g[EX,T f]—EX f[EF,T f]—EF f[EG,T f]—EG f[AX,T f]—AX f[AF,T f]—AF f[AG,T f]—AG f[EU,T f,T g]—E(f U g)[AU,T f,T g]—A(f U g)wherebits is a bit pattern representing a subset of S,andT f and T g represent the parse trees for f and g.Parsing is done by recursive descent using the functions:•exp to parse expressions of a given precedence,and•prim to parse primary expressions.They both read lexical tokens using lex.The implementation of lex is particu-larly simple since tokens are longer than two characters.The next two characters42CTL MODEL CHECKING are held in ch and nch and both are used in the MATCH statement that forms the body of lex.Note that a zero byte marks the end of an MCPL string.The parse tree can be printed using prtree;for instance:the call prtree(parse"AG(a&b->c)->A(d U~e)")generates the following output: Imp*-AG!*-Imp!*-And!!*-a!!*-b!*-c*-AU*-d*-Not*-e2.4The CTL Model Checking AlgorithmA boolean function offive boolean variables(a,b,c,d,e)is represented by a bit pattern whose i th bit holds the result where i=a+2b+4c+8d+16e(with true represented by1and false by0).Thus,the bit pattern#xFFFFFFFF represents the function that always yields true,and#x00000000represents the function that always yields false.These are given manifest names True and False,respectively. 
The function f(a,b,c,d,e) = a is represented by the pattern #xAAAAAAAA, which is given the manifest name Abits. The names Bbits, Cbits, Dbits and Ebits are similarly defined. Notice that a function such as f(a,b,c,d,e) = a&b is represented by Abits&Bbits.

The function eval computes the bit pattern representation of the boolean function corresponding to a given CTL formula. For the atomic formulae (a to e, T and F), the result is respectively Abits to Ebits, True and False. For the propositional operators (~, =, &, | and ->), the result is obtained by applying the operator to the operand value(s).

The value of EX f is obtained by applying evalEX to the bit pattern representing f, where evalEX is defined as follows:

    FUN evalEX : w =>
      LET res = 0
      LET p = preds
      WHILE w DO
      { IF w&1 DO res |:= !p
        w >>:= 1
        p+++
      }
      RETURN res

The NFSM is represented by the vector preds whose i-th element is the bit pattern giving the set of predecessors of state i. The argument w is the bit pattern representing f (i.e. the set of states for which f is satisfied), and the result is obtained by or-ing together the elements of preds corresponding to the states identified in w. So, if bit i of w is set, then element i of preds is or-ed into the result.

The expression AX f is also evaluated using evalEX, using the observation that AX f = ~EX ~f.

The value of E(f U g) is obtained by applying evalEU to the bit patterns for f and g. The definition of evalEU is as follows:

    FUN evalEU : f, g =>      // Computes: E(f U g)
      LET y = g
      { LET a = g | f & evalEX y
        IF a = y RETURN y
        y := a
      } REPEAT

The correctness of the definition of evalEU depends on the observation that E(f U g) = g | f & EX E(f U g). The evaluation of formulae with leading operators EF and AG relies on the observations that EF f = E(T U f) and AG f = ~E(T U ~f).

The value of A(f U g) is obtained by applying evalAU to the bit patterns for f and g. The definition of evalAU is as follows:

    FUN evalAU : f, g =>      // Computes: A(f U g)
      LET succs = evalEX True
      LET y = g
      { LET a = g | f & succs & ~evalEX(~y)
        IF a = y RETURN y
        y := a
      } REPEAT

The correctness of the definition of evalAU depends on the observation that A(f U g) = g | f & EX T & ~EX ~A(f U g). Note that the term EX T is true for any state that has one or more successors. AF f is computed using evalAU based on the fact that AF f = A(T U f), and finally, the value of EG f is obtained by applying evalEG to the bit pattern representing f, where evalEG is defined as follows:

    FUN evalEG : f =>         // Computes: EG f
      LET nosuccs = ~evalEX True
      LET y = f
      { LET a = f & (nosuccs | evalEX y)
        IF a = y RETURN y
        y := a
      } REPEAT

The correctness of the definition of evalEG depends on the observation that EG f = f & (~EX T | EX EG f). Note that the term ~EX T is satisfied for any state that has no successors.

It is easy to show, using monotonicity, that all the above computations terminate. The algorithm can be simplified slightly if every state is known to have at least one successor.

2.5 The CTL Model Checker Program

    GET "mcpl.h"

    MANIFEST
      Id, Atom, Not, And, Or, Imp, Eq,             // Tokens
      EX, EF, EG, EU, E, AX, AF, AG, AU, A, U,
      Lparen, Rparen, Eof,

      E_syntax=100, E_space, E_eval,               // Exceptions

      // Atomic boolean functions
      True  = #xFFFFFFFF,   // f(a,b,c,d,e) = T
      False = #x00000000,   // f(a,b,c,d,e) = F
      Abits = #xAAAAAAAA,   // f(a,b,c,d,e) = a
      Bbits = #xCCCCCCCC,   // f(a,b,c,d,e) = b
      Cbits = #xF0F0F0F0,   // f(a,b,c,d,e) = c
      Dbits = #xFF00FF00,   // f(a,b,c,d,e) = d
      Ebits = #xFFFF0000    // f(a,b,c,d,e) = e

    //********** Model checking algorithm *************************

    // The transition relation will be represented by the vector preds
    // preds!i will be the bit pattern representing the set of immediate
    // predecessors of state i

    STATIC preds = VEC #b11111   // Initialised later.

    FUN eval
    : [Atom, bits] => bits
    : [Not, f]     => ~ eval f
    : [And, f, g]  => eval f & eval g
    : [Or, f, g]   => eval f | eval g
    : [Imp, f, g]  => ~ eval f | eval g
    : [Eq, f, g]   => ~(eval f XOR eval g)
    : [EX, f]      => evalEX (eval f)
    : [AX, f]      => ~ evalEX (~ eval f)
    : [EF, f]      => evalEU (True, eval f)
    : [AG, f]      => ~ evalEU (True, ~ eval f)
    : [AF, f]      => evalAU (True, eval f)
    : [EU, f, g]   => evalEU (eval f, eval g)
    : [EG, f]      => evalEG (eval f)
    : [AU, f, g]   => evalAU (eval f, eval g)
    :              => RAISE E_eval

    FUN evalEX : w =>         // Computes: EX w
      LET res = 0
      LET p = preds
      WHILE w DO
      { IF w&1 DO res |:= !p
        w >>:= 1
        p+++
      }
      RETURN res

    FUN evalEU : f, g =>      // Computes: E(f U g)
      LET y = g
      { LET a = g | f & evalEX y
        IF a = y RETURN y
        y := a
      } REPEAT

    FUN evalAU : f, g =>      // Computes: A(f U g)
      LET succs = evalEX True
      LET y = g
      { LET a = g | f & succs & ~evalEX(~y)
        IF a = y RETURN y
        y := a
      } REPEAT

    FUN evalEG : f =>         // Computes: EG f
      LET nosuccs = ~evalEX True
      LET y = f
      { LET a = f & (nosuccs | evalEX y)
        IF a = y RETURN y
        y := a
      } REPEAT

    //********** End of Model checking algorithm ******************

    //******************* Syntax Analyser **************************

    STATIC str, strp, ch, nch, token, lexval

    FUN rch : => ch, nch := nch, %strp
                 IF nch DO strp++

    FUN lex_init : formula => str := formula; strp := formula; rch(); rch()

    FUN lex : => MATCH (ch, nch)
    : ' ' | '\n' => rch(); lex()                    // Ignore white space
    : 0          => token := Eof                    // End of file
    : 'a'        => token := Id; lexval := Abits; rch()
    : 'b'        => token := Id; lexval := Bbits; rch()
    : 'c'        => token := Id; lexval := Cbits; rch()
    : 'd'        => token := Id; lexval := Dbits; rch()
    : 'e'        => token := Id; lexval := Ebits; rch()
    : 'T'        => token := Id; lexval := True;  rch()
    : 'F'        => token := Id; lexval := False; rch()
    : '('        => token := Lparen; rch()
    : ')'        => token := Rparen; rch()
    : '~'        => token := Not;    rch()
    : '='        => token := Eq;     rch()
    : '&'        => token := And;    rch()
    : '|'        => token := Or;     rch()
    : '-', '>'   => token := Imp; rch(); rch()
    : 'A', 'X'   => token := AX;  rch(); rch()
    : 'A', 'F'   => token := AF;  rch(); rch()
    : 'A', 'G'   => token := AG;  rch(); rch()
    : 'E', 'X'   => token := EX;  rch(); rch()
    : 'E', 'F'   => token := EF;  rch(); rch()
    : 'E', 'G'   => token := EG;  rch(); rch()
    : 'A'        => token := A; rch()
    : 'E'        => token := E; rch()
    : 'U'        => token := U; rch()
    :            => RAISE E_syntax

    FUN parse : formula =>
      lex_init formula
      LET tree = nexp 0
      chkfor Eof
      RETURN tree

    FUN chkfor : tok => UNLESS token=tok RAISE E_syntax
                        lex()

    FUN prim : => MATCH token
    : Id     => LET a = lexval; lex(); RETURN mk2(Atom, a)
    : Lparen => LET a = nexp 0; chkfor Rparen; RETURN a
    : Not | AX | AF | AG | EX | EF | EG => LET op = token; RETURN mk2(op, nexp 5)
    : A | E  => LET op = token=A -> AU, EU
                lex()
                chkfor Lparen
                LET a = exp 0
                chkfor U
                LET b = exp 0
                chkfor Rparen
                RETURN mk3(op, a, b)
    :        => RAISE E_syntax

    FUN nexp : n => lex(); exp n

    FUN exp : n =>
      LET a = prim()
      MATCH (token, n)
      : Eq,  <4 => a := mk3(Eq,  a, nexp 4)
      : And, <3 => a := mk3(And, a, nexp 3)
      : Or,  <2 => a := mk3(Or,  a, nexp 2)
      : Imp, <1 => a := mk3(Imp, a, nexp 1)
      :         => RETURN a
      . REPEAT

    //********************* Space Allocation ******************

    STATIC spacev, spacep

    FUN mk_init : upb => spacev := getvec upb
                         UNLESS spacev RAISE E_space
                         spacep := @spacev!upb

    FUN mk_close : => freevec spacev

    FUN mk1 : x       => !---spacep := x; spacep
    FUN mk2 : x, y    => mk1 y; mk1 x
    FUN mk3 : x, y, z => mk1 z; mk1 y; mk1 x

    //************** Print tree function **********************

    STATIC prlinev = VEC 50

    FUN prtree
    : 0, ?, ?            => writef "Nil"
    : ?, depth, =depth   => writef "Etc"
    : x, depth, maxdepth =>
      LET upb = 1
      MATCH x
      : [Atom, =Abits] => writef "a"; RETURN
      : [Atom, =Bbits] => writef "b"; RETURN
      : [Atom, =Cbits] => writef "c"; RETURN
      : [Atom, =Dbits] => writef "d"; RETURN
      : [Atom, =Ebits] => writef "e"; RETURN
      : [Atom, =True]  => writef "T"; RETURN
      : [Atom, =False] => writef "F"; RETURN
      : [Not, f]       => writes "Not"
      : [Eq, f, g]     => writes "Eq";  upb := 2
      : [And, f, g]    => writes "And"; upb := 2
      : [Or, f, g]     => writes "Or";  upb := 2
      : [Imp, f, g]    => writes "Imp"; upb := 2
      : [EX, f]        => writes "EX"
      : [EU, f, g]     => writes "EU";  upb := 2
      : [EG, f]        => writes "EG"
      : [EF, f]        => writes "EF"
      : [AX, f]        => writes "AX"
      : [AG, f]        => writes "AG"
      : [AU, f, g]     => writes "AU";  upb := 2
      :                => writes "Unknown"; upb := 0
      .
      FOR i = 1 TO upb DO
      { newline()
        FOR j = 0 TO depth-1 DO writes(prlinev!j)
        writes("*-")
        prlinev!depth := i=upb -> "  ", "! "
        prtree(x!i, depth+1, maxdepth)
      }

    //********************* Main Program **************************

    FUN try : e =>
    { mk_init 100_000
      writef("\n%s\n", e)
      LET exp = parse e
      //prtree(exp, 0, 20)
      LET res = eval exp
      FOR v = #b00000 TO #b11111 DO
      { UNLESS v MOD 8 DO newline()
        writef("%5b%c", v, res&1=0 -> ' ', 'Y')
        res >>:= 1
      }
      newline()
    } HANDLE
      : E_syntax => writef("Bad Syntax\n%s\n", str)
                    FOR i = str TO strp-4 DO wrch ' '
                    writes "^\n"
      : E_space  => writef "Insufficient space\n"
      : E_eval   => writef "Error in eval\n"
      .
      mk_close()

    FUN start : =>
      init_nfsm_5Dcube()
      try "d&e->a&b&c"
      try "EX a&EX b&EX c&EX d&EX e"
      try "EX EX(a&b&c&d&e)"
      try "EG~EX EX(a&b&c&d&e)"
      try "EX~(a|b|c|d|e)"

      init_nfsm_glasses()
      try "~a&~b&~c->AF~(d|e)"
      try "AF~(d|e)"
      try "AG~(a&b&c)"
      try "AX F"

      init_nfsm_async()
      try "d&~c->AX AX A(~d U c)"
      try "d&~c->A(d|~c U c)"
      try "EG~(a&b&c&d)"
      try "EX EX EX EX EX EX(a&b&c&d)"
      RETURN 0

    FUN edge : v1, v2 => preds!v2 XOR:= 1<<v1     // Add/remove an edge

    FUN init_nfsm_5Dcube : =>
      writef "\n5D Cube\n"
      FOR v = #b00000 TO #b11111 DO preds!v := 0
      FOR v = #b00000 TO #b11111 DO     // Form a 5D cube with all edges
      { edge(v, v XOR #b00001)
        edge(v, v XOR #b00010)
        edge(v, v XOR #b00100)
        edge(v, v XOR #b01000)
        edge(v, v XOR #b10000)
      }
      edge(#b11111, #b00000)            // But, add one more edge
      edge(#b11000, #b11100)            // and remove one edge

    FUN init_nfsm_glasses : =>
      writef "\nThe Glasses Game\n"
      FOR v = #b00000 TO #b11111 DO preds!v := 0
      // A state is represented by two octal digits #gm
      // where g=0 means all glasses are the same way up
      //       g=1 means one glass is the wrong way up
      //       g=2 means two adjacent glasses are the wrong way up
      //       g=3 means two opposite glasses are the wrong way up
      // and   m=0..7 is the move number.
      move2x 0; move2a 1; move2x 2; move1 3; move2x 4; move2a 5; move2x 6

    FUN move1 : i => edge(#10+i, #01+i)   // Turn one glass over
                     edge(#10+i, #21+i)
                     edge(#10+i, #31+i)
                     edge(#20+i, #11+i)
                     edge(#30+i, #11+i)

    FUN move2x : i => edge(#10+i, #11+i)  // Turn two opposite glasses over
                      edge(#20+i, #21+i)
                      edge(#30+i, #01+i)

    FUN move2a : i => edge(#10+i, #11+i)  // Turn two adjacent glasses over
                      edge(#20+i, #01+i)
                      edge(#20+i, #31+i)
                      edge(#30+i, #21+i)

    FUN init_nfsm_async : =>
      writef "\nAn Asynchronous Circuit\n"
      FOR v = #b00000 TO #b11111 DO preds!v := 0
      edge(2,0);   edge(2,1);   edge(2,3);   edge(0,1)
      edge(3,1);   edge(7,6);   edge(7,4);   edge(7,5)
      edge(6,4);   edge(5,4);   edge(13,15); edge(13,14)
      edge(13,12); edge(15,14); edge(12,14); edge(8,9)
      edge(8,11);  edge(8,10);  edge(9,11);  edge(10,11)
      edge(1,5);   edge(3,5);   edge(3,7);   edge(4,12)
      edge(5,12);  edge(5,13);  edge(14,10); edge(12,10)
      edge(12,8);  edge(10,2);  edge(10,3);  edge(11,3)

2.6 The Output from the CTL Checker

The program exercises the model checker on three simple non-deterministic finite state machines. The first is essentially a five-dimensional cube whose vertices have coordinates edcba. From each vertex there are five outgoing edges to vertices that differ in only one coordinate variable. For this demonstration the edge 11000->11100 has been removed and the edge 11111->00000 has been added. These changes show up in some of the tests below. In each table a state is marked Y if the formula holds there.

    5D Cube

    d&e->a&b&c
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000Y 01001Y 01010Y 01011Y 01100Y 01101Y 01110Y 01111Y
    10000Y 10001Y 10010Y 10011Y 10100Y 10101Y 10110Y 10111Y
    11000  11001  11010  11011  11100  11101  11110  11111Y

    EX a&EX b&EX c&EX d&EX e
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000Y 01001Y 01010Y 01011Y 01100Y 01101Y 01110Y 01111Y
    10000Y 10001Y 10010Y 10011Y 10100Y 10101Y 10110Y 10111Y
    11000  11001Y 11010Y 11011Y 11100Y 11101Y 11110Y 11111Y

    EX EX(a&b&c&d&e)
    00000  00001  00010  00011  00100  00101  00110  00111Y
    01000  01001  01010  01011Y 01100  01101Y 01110Y 01111
    10000  10001  10010  10011Y 10100  10101Y 10110Y 10111
    11000  11001Y 11010Y 11011  11100Y 11101  11110  11111Y

    EG~EX EX(a&b&c&d&e)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111
    01000Y 01001Y 01010Y 01011  01100Y 01101  01110  01111
    10000Y 10001Y 10010Y 10011  10100Y 10101  10110  10111
    11000Y 11001  11010  11011  11100  11101  11110  11111

    EX~(a|b|c|d|e)
    00000  00001Y 00010Y 00011  00100Y 00101  00110  00111
    01000Y 01001  01010  01011  01100  01101  01110  01111
    10000Y 10001  10010  10011  10100  10101  10110  10111
    11000  11001  11010  11011  11100  11101  11110  11111Y

The second example and its solution were suggested by Stewart and Van Inwegen [SV97]. It is based on a game concerned with four empty glasses at the corners of a square tray. Initially some of the glasses may be upside-down. A player can cause (M1) one glass, or (M2A) two adjacent glasses, or (M2X) two opposite glasses to be turned over, but there is the complication that the tray is out of the sight of the player and may be rotated at any time, and so the player cannot specify precisely which glasses are turned over. The game stops when all the glasses are the same way up. The move sequence M2X-M2A-M2X-M1-M2X-M2A-M2X guarantees that the game terminates in no more than 7 steps. An NFSM for this game with 32 states is shown in Figure 1.

Figure 1: The Glasses Game NFSM (diagram not reproduced here; its nodes are the 32 states edcba and its edges are labelled M2X, M2A and M1).

The state of the tray is represented by ed=00 for all glasses the same way up, ed=01 for one oriented differently from the other three, ed=10 for two adjacent glasses oriented differently from the other two, and ed=11 for two opposite glasses oriented differently from the other two, and the number of steps taken so far is represented by cba. Thus, the possible initial states are 00000, 01000, 10000 and 11000, and the final states have the form 00XXX. That every initial state leads to a final state can be encoded in CTL as ~a&~b&~c -> AF ~(d|e). The evaluation of this and other formulae is shown below:

    The Glasses Game

    ~a&~b&~c->AF~(d|e)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000Y 01001Y 01010Y 01011Y 01100Y 01101Y 01110Y 01111Y
    10000Y 10001Y 10010Y 10011Y 10100Y 10101Y 10110Y 10111Y
    11000Y 11001Y 11010Y 11011Y 11100Y 11101Y 11110Y 11111Y

    AF~(d|e)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000Y 01001Y 01010Y 01011Y 01100  01101  01110  01111
    10000Y 10001Y 10010  10011  10100Y 10101Y 10110  10111
    11000Y 11001  11010Y 11011  11100Y 11101  11110Y 11111

    AG~(a&b&c)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111
    01000  01001  01010  01011  01100  01101  01110  01111
    10000Y 10001Y 10010  10011  10100  10101  10110  10111
    11000Y 11001  11010Y 11011  11100Y 11101  11110  11111

    AX F
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000  01001  01010  01011  01100  01101  01110  01111Y
    10000  10001  10010  10011  10100  10101  10110  10111Y
    11000  11001  11010  11011  11100  11101  11110  11111Y

As a final example, a simple asynchronous circuit is tested. There are four signals held in a four-bit word dcba. The circuit is designed so that the signal values change according to the following rules:

    a := ~c
    b := d
    c := a&~d + c&(a|~d)
    d := c&~b + d&(c|~b)

but the assignments have random delays and so the number of signals that change at any transition is not deterministic. The possible transitions, represented as an NFSM, are shown in Figure 2. Some tests with this circuit then follow.

Figure 2: The Asynchronous Circuit NFSM (diagram not reproduced here; its transitions are the edge(...) calls in init_nfsm_async above).

    An Asynchronous Circuit

    d&~c->AX AX A(~d U c)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000  01001Y 01010Y 01011Y 01100Y 01101Y 01110Y 01111Y
    10000Y 10001Y 10010Y 10011Y 10100Y 10101Y 10110Y 10111Y
    11000Y 11001Y 11010Y 11011Y 11100Y 11101Y 11110Y 11111Y

    d&~c->A(d|~c U c)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000Y 01001Y 01010Y 01011Y 01100Y 01101Y 01110Y 01111Y
    10000Y 10001Y 10010Y 10011Y 10100Y 10101Y 10110Y 10111Y
    11000  11001  11010  11011  11100Y 11101Y 11110Y 11111Y

    EG~(a&b&c&d)
    00000Y 00001Y 00010Y 00011Y 00100Y 00101Y 00110Y 00111Y
    01000Y 01001Y 01010Y 01011Y 01100Y 01101Y 01110Y 01111
    10000Y 10001Y 10010Y 10011Y 10100Y 10101Y 10110Y 10111Y
    11000Y 11001Y 11010Y 11011Y 11100Y 11101Y 11110Y 11111

    EX EX EX EX EX EX(a&b&c&d)
    00000  00001  00010  00011  00100Y 00101Y 00110  00111
    01000Y 01001Y 01010Y 01011  01100Y 01101Y 01110Y 01111Y
    10000  10001  10010  10011  10100  10101  10110  10111
    11000  11001  11010  11011  11100  11101  11110  11111

3 A µ-Calculus Model Checker

Another language for describing properties of transition systems is the µ-calculus, and, as with CTL, it can be used in a model checker. Both the version of µ-calculus and the checking algorithm presented here are based on the paper by Berezin et al. [SBM96]. The µ-calculus extends CTL by, firstly, giving the non-deterministic machine labels (called actions) on its transitions and, secondly, having explicit constructs for both the least and greatest fixed point operators.
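The bit-pattern algorithm of Section 2.4, together with the recursive-descent parser of Section 2.3 and the 5D cube of Section 2.6, re-implemented in Python as an added example (this is not the paper's MCPL program). The formula syntax, operator precedences, bit constants and cube construction follow the paper; the tuple-shaped parse trees, the `Checker` class and the function names are this example's own choices.

```python
import re
from functools import reduce
from operator import or_

MASK = 0xFFFFFFFF        # 32 states; bit i is state i = a + 2b + 4c + 8d + 16e
TRUE, FALSE = MASK, 0
ATOMS = {"a": 0xAAAAAAAA, "b": 0xCCCCCCCC, "c": 0xF0F0F0F0,  # bit i of ATOMS["a"]
         "d": 0xFF00FF00, "e": 0xFFFF0000, "T": TRUE, "F": FALSE}  # is a in state i
PREC = {"=": 4, "&": 3, "|": 2, "->": 1}   # binary operators; prefix ones bind at 5
TOK = re.compile(r"AX|AF|AG|EX|EF|EG|->|[abcdeTF~=&|()AEU]|\s+")


def parse(text):
    # Recursive-descent parser for the paper's CTL syntax, giving nested tuples
    toks = TOK.findall(text)
    assert "".join(toks) == text, "bad character in formula"
    toks = [t for t in toks if not t.isspace()] + [None]
    pos = [0]

    def take(expected=None):               # consume one token, optionally checking it
        t = toks[pos[0]]
        if expected is not None and t != expected:
            raise SyntaxError("expected %r at token %d" % (expected, pos[0]))
        pos[0] += 1
        return t

    def prim():                            # the paper's prim: primary expressions
        t = take()
        if t in ATOMS:
            return (t,)
        if t == "(":
            e = exp(0); take(")"); return e
        if t in ("~", "AX", "AF", "AG", "EX", "EF", "EG"):
            return (t, exp(5))
        if t in ("A", "E"):                # A(f U g) and E(f U g)
            take("("); f = exp(0); take("U"); g = exp(0); take(")")
            return (t + "U", f, g)
        raise SyntaxError("unexpected %r" % (t,))

    def exp(n):                            # the paper's exp: precedence climbing
        a = prim()
        while toks[pos[0]] in PREC and PREC[toks[pos[0]]] > n:
            op = take()
            a = (op, a, exp(PREC[op]))
        return a

    tree = exp(0)
    take(None)                             # everything must have been consumed
    return tree


class Checker:
    def __init__(self):
        self.preds = [0] * 32              # preds[i]: immediate predecessors of state i
    def edge(self, v1, v2):                # XOR adds, or removes, the edge v1 -> v2
        self.preds[v2] ^= 1 << v1
    def ex(self, w):                       # EX w: or together preds[i] for each i in w
        return reduce(or_, (self.preds[i] for i in range(32) if (w >> i) & 1), 0)
    @staticmethod
    def fix(y, step):                      # iterate to a fixed point (monotone, so ends)
        while True:
            a = step(y)
            if a == y: return y
            y = a
    def eu(self, f, g):                    # E(f U g) = g | f & EX E(f U g)
        return self.fix(g, lambda y: g | f & self.ex(y))
    def au(self, f, g):                    # A(f U g) = g | f & EX T & ~EX ~A(f U g)
        succs = self.ex(TRUE)
        return self.fix(g, lambda y: g | f & succs & ~self.ex(~y & MASK) & MASK)
    def eg(self, f):                       # EG f = f & (~EX T | EX EG f)
        nosuccs = ~self.ex(TRUE) & MASK
        return self.fix(f, lambda y: f & (nosuccs | self.ex(y)))
    def eval(self, t):                     # bit pattern of the states satisfying t
        op = t[0]
        if op in ATOMS: return ATOMS[op]
        f = self.eval(t[1])
        g = self.eval(t[2]) if len(t) > 2 else None
        if op == "~": return ~f & MASK
        if op == "&": return f & g
        if op == "|": return f | g
        if op == "->": return ~f & MASK | g
        if op == "=": return ~(f ^ g) & MASK
        if op == "EX": return self.ex(f)
        if op == "AX": return ~self.ex(~f & MASK) & MASK
        if op == "EF": return self.eu(TRUE, f)
        if op == "AG": return ~self.eu(TRUE, ~f & MASK) & MASK
        if op == "AF": return self.au(TRUE, f)
        if op == "EG": return self.eg(f)
        if op == "EU": return self.eu(f, g)
        return self.au(f, g)               # AU
    def check(self, formula):              # names edcba of the states satisfying formula
        bits = self.eval(parse(formula))
        return {format(i, "05b") for i in range(32) if (bits >> i) & 1}


def cube_5d():   # the paper's first machine: 5D cube, plus 11111->00000, minus 11000->11100
    m = Checker()
    for v in range(32):
        for k in range(5):
            m.edge(v, v ^ (1 << k))
    m.edge(0b11111, 0b00000)
    m.edge(0b11000, 0b11100)
    return m
```

Running `cube_5d().check("EX~(a|b|c|d|e)")` reproduces the 5D cube tables of Section 2.6: the six states with a successor 00000, including 11111 through the added edge.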
The resulting logic is more powerful than CTL but still simple enough to form the basis of a symbolic model checker.

3.1 A syntax for µ-calculus

Formulae in µ-calculus are formed as follows:

• a, b, c, d, e, T, F, x, y and z are formulae
• assuming f and g are formulae then so are:
  (f), ~f, f=g, f&g, f|g, f->g, <p>f, <q>f, <r>f, [p]f, [q]f, [r]f, Mx.f, My.f, Mz.f, Nx.f, Ny.f, Nz.f

As an example, the following is a syntactically correct formula:

    Ny.(<r>Mx.(<r>x|y&(a&b&c&d)))

which, with the semantics given below, will evaluate to give the set of states for which there exists a path, using r-transitions, that visits either state 01111 or 11111 infinitely often. This is an example of a property that cannot be stated in CTL.

3.2 Semantics of µ-calculus

A µ-calculus formula is evaluated with respect to an NFSM and an environment to yield a subset of the states of the NFSM for which the formula is said to be satisfied. We will assume that the set of states is S and we will assume that any state (s, say) in S can be identified by a 5-bit binary integer edcba. We will use s →p t to mean that there is a transition in the NFSM from s to t labelled p, and we define s →q t and s →r t similarly.
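A bit-pattern evaluator for the µ-calculus syntax of Section 3.1, added here as an example (not the paper's program). Because the rest of Section 3.2 is cut off on this page, the semantics are the standard ones and are an assumption of this example: <act>f holds where some act-labelled successor satisfies f, [act]f where every act-successor does, and Mx.f and Nx.f are the least and greatest fixed points, iterated from F and T respectively; the labelled machine `example_machine` is constructed for the test and the tuple tree shape is this example's own.

```python
# States are the 5-bit integers edcba of Section 2; each transition carries one
# of the actions p, q, r.  Semantics assumed (see lead-in): <act> f, [act] f,
# M (least fixed point, up from F) and N (greatest fixed point, down from T).
MASK = 0xFFFFFFFF
TRUE, FALSE = MASK, 0
ATOMS = {"a": 0xAAAAAAAA, "b": 0xCCCCCCCC, "c": 0xF0F0F0F0,
         "d": 0xFF00FF00, "e": 0xFFFF0000, "T": TRUE, "F": FALSE}
VARS = ("x", "y", "z")


class MuChecker:
    def __init__(self, actions=("p", "q", "r")):
        # preds[act][i]: bit pattern of the states with an act-transition into i
        self.preds = {act: [0] * 32 for act in actions}

    def edge(self, act, s, t):
        self.preds[act][t] |= 1 << s

    def diamond(self, act, w):             # <act> w: evalEX restricted to one action
        res = 0
        for i in range(32):
            if (w >> i) & 1:
                res |= self.preds[act][i]
        return res

    def eval(self, t, env=None):
        """t is a nested tuple: ("a",), ("x",), ("~", f), ("&", f, g), ("|", f, g),
        ("<>", act, f), ("[]", act, f), ("M", var, f) or ("N", var, f)."""
        env = env or {}
        op = t[0]
        if op in ATOMS:
            return ATOMS[op]
        if op in VARS:
            return env[op]                 # free variable: look it up in the environment
        if op == "~":
            return ~self.eval(t[1], env) & MASK
        if op in ("&", "|"):
            f, g = self.eval(t[1], env), self.eval(t[2], env)
            return f & g if op == "&" else f | g
        if op == "<>":
            return self.diamond(t[1], self.eval(t[2], env))
        if op == "[]":                     # [act] f = ~<act>~f
            return ~self.diamond(t[1], ~self.eval(t[2], env) & MASK) & MASK
        if op in ("M", "N"):               # fixed point by iteration; the body must be
            var, body = t[1], t[2]         # monotone in var (var under an even number of ~)
            y = FALSE if op == "M" else TRUE
            while True:
                a = self.eval(body, {**env, var: y})
                if a == y:
                    return y
                y = a
        raise ValueError(op)

    def states(self, bits):
        return {format(i, "05b") for i in range(32) if (bits >> i) & 1}


# The paper's example formula  Ny.(<r>Mx.(<r>x | y & (a&b&c&d)))  as a tree
P_ABCD = ("&", ("a",), ("&", ("b",), ("&", ("c",), ("d",))))
INF_OFTEN = ("N", "y", ("<>", "r", ("M", "x", ("|", ("<>", "r", ("x",)),
                                                    ("&", ("y",), P_ABCD)))))


def example_machine():
    """Constructed labelled NFSM: an r-cycle 1 -> 2 -> 15 -> 1 through 01111,
    an r-entry from 0, an r-edge 3 -> 31 after which only q-moves remain, and an
    r-self-loop on 4 that never visits a target state."""
    m = MuChecker()
    for s, t in ((0, 1), (1, 2), (2, 15), (15, 1), (3, 31), (4, 4)):
        m.edge("r", s, t)
    m.edge("q", 31, 31)
    m.edge("p", 15, 3)
    return m
```

On `example_machine()` the formula selects exactly 00000, 00001, 00010 and 01111: state 3 can reach 11111 by an r-transition but cannot revisit it, and state 4 loops without ever reaching a target.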
Dangerous Variable Taint Analysis Methods

Dangerous variable taint analysis (Dangerous Variable Taint Analysis) is a method for detecting the tainting of dangerous variables in software systems. A dangerous variable taint is the contamination of a variable that takes part in a potentially dangerous operation or in error handling. Such dangerous operations can lead to system crashes, information leakage or security vulnerabilities. The goal of dangerous variable taint analysis is to identify and fix these potential problems so as to ensure the security and reliability of the system.

1. Control-flow-sensitive taint analysis (Control Flow-sensitive Taint Analysis): this approach builds a control-flow graph and a data-flow graph to track how variables flow. For every possible control path, the data-flow analysis takes the different variable flows along that path into account. It locates possible problems more precisely, but at the cost of more computation and memory.

2. Context-sensitive taint analysis (Context-sensitive Taint Analysis): this approach takes the context of a variable into account during analysis. For example, at a function call it tracks the passing of arguments and propagates their taint state into the called function. It gives a more complete picture of variable taint, but requires more computing resources and time.

3. Symbolic execution (Symbolic Execution): symbolic execution is a static analysis method that builds symbolic expressions for variables in order to track the possible range of their values. In taint analysis, the taint state of a variable can be represented symbolically. Symbolic execution can detect potentially unsafe operations and generate concrete test cases to confirm them.

4. Model checking (Model Checking): model checking is a formal verification method that verifies properties of a system by enumerating all possible states and operation sequences. In dangerous variable taint analysis, a finite state machine model can be built to describe the system's behaviour, and model checking can then verify the relationship between dangerous variables and operations.

5. Data-flow analysis (Data Flow Analysis): data-flow analysis is a static analysis method used to track the paths along which variables flow through a program. In dangerous variable taint analysis, a data-flow graph can be built to track the flow of variables and the possible propagation of taint.
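A small flow-sensitive taint propagation over a control-flow graph, covering items 1 and 5 above, added as an illustration (not code from any real analyser). The toy three-address instruction set, the block names and the two CFGs are constructed for this example; the analysis is a forward may-taint worklist iteration with union at joins.

```python
from collections import deque

# Toy three-address IR (constructed for this example).  Instructions:
#   ("source", v)          v receives untrusted input and becomes tainted
#   ("assign", v, srcs)    v := f(srcs): tainted iff any operand is tainted
#   ("sanitize", v)        v := sanitize(v): v becomes clean
#   ("sink", v, label)     dangerous operation consuming v
def transfer(instrs, tainted):
    """Propagate a taint set through one basic block; returns (out set, sink hits)."""
    t, hits = set(tainted), []
    for ins in instrs:
        kind, v = ins[0], ins[1]
        if kind == "source":
            t.add(v)
        elif kind == "assign":
            if any(s in t for s in ins[2]):
                t.add(v)
            else:
                t.discard(v)               # overwritten by a clean value
        elif kind == "sanitize":
            t.discard(v)
        elif kind == "sink" and v in t:
            hits.append((ins[2], v))
    return t, hits


def analyse(cfg, entry):
    """Flow-sensitive may-taint analysis.  cfg maps a block name to
    (instructions, successor names).  Worklist iteration to a fixed point;
    at a join the incoming taint sets are unioned, so a variable is reported
    at a sink if *any* path to the sink leaves it tainted."""
    preds = {b: [p for p in cfg if b in cfg[p][1]] for b in cfg}
    out = {b: None for b in cfg}           # None = block not yet visited
    hits = {}
    work = deque([entry])
    while work:
        b = work.popleft()
        inn = set().union(*[out[p] for p in preds[b] if out[p] is not None])
        new_out, hits[b] = transfer(cfg[b][0], inn)
        if new_out != out[b]:
            out[b] = new_out
            work.extend(cfg[b][1])
    return out, sorted(h for hs in hits.values() for h in hs)


# Constructed CFG: the user-controlled value q is sanitized on one branch only,
# so at the join it may still be tainted and both sinks are flagged.
CFG_PARTIAL = {
    "entry": ([("source", "user"), ("assign", "q", ["user"])], ["san", "raw"]),
    "san":   ([("sanitize", "q")], ["join"]),
    "raw":   ([("assign", "n", ["q"])], ["join"]),
    "join":  ([("sink", "q", "sql_query"), ("sink", "n", "log_write")], []),
}
# Same shape, but both branches sanitize q; n is derived from q before the
# sanitizer runs, so n stays tainted while q is clean at the join.
CFG_FULL = {
    "entry": ([("source", "user"), ("assign", "q", ["user"])], ["san1", "san2"]),
    "san1":  ([("sanitize", "q")], ["join"]),
    "san2":  ([("assign", "n", ["q"]), ("sanitize", "q")], ["join"]),
    "join":  ([("sink", "q", "sql_query"), ("sink", "n", "log_write")], []),
}
```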
The Complexity of Temporal Logic Model Checking
Ph. Schnoebelen

1 Introduction
Temporal logic. Logical formalisms for reasoning about time and the timing of events appear in several fields: physics, philosophy, linguistics, etc. Not surprisingly, they also appear in computer science, a field where logic is ubiquitous. Here temporal logics are used in automated reasoning, in planning, in semantics of programming languages, in artificial intelligence, etc. There is one area of computer science where temporal logic has been unusually successful: the specification and verification of programs and systems, an area we shall just call “programming” for simplicity. In today’s curricula, thousands of programmers first learn about temporal logic in a course on model checking! Temporal logic and programming. Twenty-five years ago, Pnueli identified temporal logic as a very convenient formal language in which to state, and reason about, the behavioral properties of parallel programs and more generally reactive systems [Pnu77, Pnu81]. Indeed, correctness for these systems typically involves reasoning upon related events at different moments of a system execution [OL82]. Furthermore, when it comes to liveness properties, the expected behavior of reactive systems cannot be stated as a static property, or as an invariant one. Finally, temporal logic is well suited to expressing the whole variety of fairness properties that play such a prominent role in distributed systems [Fra86]. For these applications, one usually restricts oneself to propositional temporal logic: on the one hand, this does not appear to be a severe limitation in practice, and on the other hand, this restriction allows decision procedures for validity and entailment, so that, at least in principle, the above-mentioned reasoning can be automated. Model checking. Generally speaking, model checking is the algorithmic verification that a given logic formula holds in a given structure (the model
Symbolic Simulation,Model Checking andAbstraction with Partially Ordered BooleanFunctional VectorsAmit Goel1and Randal E.Bryant21Dept.of ECE,Carnegie Mellon University.agoel@2Computer Science Dept.,Carnegie Mellon University.Randy.Bryant@ Abstract.Boolean Functional Vectors(BFVs)are a symbolic repre-sentation for sets of bit-vectors that can be exponentially more compactthan the corresponding characteristic functions with BDDs.Additionally,BFVs are the natural representation of bit-vector sets for Symbolic Simu-lation.Recently,we developed set manipulation algorithms for canonicalBFVs by interpreting them as totally ordered selections.In this paperwe generalize BFVs by defining them with respect to a partial order.Weshow that partially ordered BFVs can serve as abstractions for bit-vectorsets and can be used to compute over-approximations in reachabilityanalysis.In the special case when the underlying graph of the partialorder is a forest,we can efficiently compute an abstract interpretation ina symbolic simulation framework.We present circuit examples where weleverage the exponential gap in the representations and inherent struc-ture in the state-space to demonstrate the usefulness of Partially OrderedBoolean Functional Vectors.1IntroductionSymbolic Model Checking and related state-space exploration techniques usu-ally represent sets of states with a characteristic function,often using BDDs to encode the characteristic function.A characteristic function is essentially a test for membership,returning a one if and only if the input is in the set.Alter-natively,bit-vector sets can be represented symbolically by Boolean Functional Vectors(BFVs)[4]which map bit-vectors to bit-vectors;the set represented is the range of this mapping.Hence,characteristic functions serve as set acceptors while Boolean Functional Vectors are set generators.We are interested in the Boolean Functional Vector representation for two main reasons:–They can be exponentially more compact than the 
corresponding character-istic function when using BDDs as the underlying representation.–Boolean Functional Vectors are the natural representation for Symbolic Sim-ulation.However,there are two drawbacks that have prevented the representation from being used more often.Firstly,the representation is not canonical,per se.Secondly,until recently there were no set manipulation algorithms for this representation.The representation can be made canonical by placing certain restrictions on the representation[4,10].Recently,we presented algorithms for set union,inter-section and projection based on our interpretation of the canonical BFV as an ordered selection[5],thus enabling Symbolic Simulation based Model Checking.In this paper,we generalize the framework by defining Boolean Functional Vectors with respect to a partial order.We show that Partially Ordered Boolean Functional Vectors serve as abstractions for bit-vector sets.If the underlying graph of the partial order is a forest,the partially ordered BFVs form a lattice and the abstraction defines a Galois connection between the BFV space and the concrete space of bit-vector sets.The partial order allows us to selectively constrain some variables with re-spect to each other while ignoring constraints between unrelated variables.This is in contrast to most other approaches to abstraction where some of the variables are discarded and all constraints between the remaining variables are retained.We present algorithms for(abstract)set manipulation and show how to use these algorithms for image computation.When the underlying graph is a forest, our method is a complete abstract interpretation.We then present two exam-ples where we leverage the exponential gap between BFVs and characteristic functions as well as inherent structure in the state-space to enable efficient ver-ification.1.1Related WorkBoolean Functional Vectors were originally used in[4]for image computation where symbolic simulation was used for next state 
computation but all other set manipulation operations were performed byfirst converting to characteristic functions,performing the necessary operations and converting back to Boolean Functional Vectors for the next iteration.The canonical BFVs were described in[4,10].An efficient algorithm to obtain a BFV from a characteristic function (parameterization)was presented in[1].The most prominent use of Boolean Functional Vectors is in Symbolic Trajec-tory Evaluation(STE)[2]which is a symbolic simulation based bounded model checking approach.In[3],Chou developed a framework for symbolic ternary sim-ulation based abstract interpretation.STE has recently been extended to Gen-eralized Symbolic Trajectory Evaluation(GSTE)[11]to enable model checking of allω-regular properties.This was made possible by using a reparameteriza-tion algorithm to convert a given BFV into a canonical BFV.This algorithm, presented in[12],can be seen as a special case of the projection algorithm pre-sented here.GSTE also uses a ternary abstraction in which each state element is classified as concrete or ternary.A choice for a concrete element is represented by a state variable whereas a choice for a ternary element is represented by theternary value X.In this scheme,all relations between concrete values are cap-tured and the ternary variables can only be constrained by the concrete values. 
No relations between ternary values are captured.The abstraction by partial order BFVs presented here subsumes ternary abstraction.We can model the ternary abstraction by a partial order in which the concrete variables are related to each other,all concrete variables precede all ternary variables,and the ternary variables are unrelated to each other.The conjunctive canonical decomposition[7]is a symbolic representation closely related to Boolean Functional Vectors.This correspondence was explored in our earlier work[5].The theory we develop here can be applied,with suitable modifications,to conjunctive decompositions as well.In[6],the authors perform abstraction using overlapping projections.These projections correspond to the chains in our partial orders.The difference is primarily this:with overlapping projections,there is a set constraint for each projection while with partially ordered BFVs,there is an evaluation function for each state element.With overlapping projections,the constraints between variables occurring together in multiple projections will be repeated in each of these projections.With partially ordered BFVs,each variable is constrained only once.1.2PreliminariesAn n-length bit-vector X is a mapping from the set of indices I={1,...,n}to the set of Boolean values B={0,1}.The set of all n-length bit vectors is noted [I→B].Let be a partial order on I and≺the associated strict order.The set of ancestors for index i is given by ancestors(i)={j|j≺i}.Let≺min be the minimum relation whose transitive,reflexive closure is . 
When the graph(I,≺min)is a forest,we say that i is a root if it has no ancestors, and we define parent(i)when i is not a root by parent(i)≺min i.The set of children of an index is then given by children(i)={j|i=parent(j)}.In the following, V= v1,...,v n represents a vector of Boolean variables, X and Y represent bit-vectors and F, G and H represent Boolean Functional Vectors.2Partially Ordered Boolean Functional VectorsDefinition1.An(I, )-BFV is a vector of Boolean functions F= f1,...,f n such that for all indices i:f i( V)=f1i( V)+f c i( V)·v iwhere f1i and f c i are mutually exclusive Boolean functions of the ancestors of i:f1i( X)·f c i( X)=0(∀j∈ancestors(i).f j( X)=f j( Y))⇒(f1i( X)=f1i( Y))∧(f c i( X)=f c i( Y)) for all X, Y∈[I→B].An(I, )-BFV is to be interpreted as an ordered selection.The variable v i represents an input choice for the i-th bit while f i is the corresponding selection. The definition requires that the selection for the i-th bit is constrained only by the selections for its ancestors.We will refer to f1i and f c i as the forced-to-one and free-choice conditions for the i-th bit.Additionally,we define the forced-to-zero condition f0i=¬(f1i+f c i).Definition2.We define the space F(I, )to include all(I, )-BFVs and extend it to F⊥(I, )by including a bottom element to represent the empty set:F(I, )={ F| F is an(I, )-BFV}F⊥(I, )=F(I, )∪{⊥}We now define a concretization function which maps an(I, )-BFV to its range and the bottom element to the empty set.Definition3.The concretization functionγ:F⊥(I, )→P([I→B])is givenby:γ(⊥)=∅γ( F)={ X∈[I→B]|∃ Y∈[I→B]. F( Y)= X}for all F∈F(I, ) We say that F abstracts a bit vector set S ifγ( F)⊇S and that F repre-sents S ifγ( F)=S.Not all bit-vector sets S can be represented in F⊥(I, )butour definition ensures that if there is a representation for S,then it is unique. 
Additionally, vectors in the range of an $(I, \preceq)$-BFV are mapped to themselves:

Theorem 1. Given $F, G \in \mathcal{F}(I, \preceq)$ and $X \in [I \to B]$:
$$\gamma(F) = \gamma(G) \Leftrightarrow \forall X \in [I \to B].\ F(X) = G(X)$$
$$X \in \gamma(F) \Leftrightarrow F(X) = X$$

The above theorem gives us a procedure to obtain the characteristic function $\chi_{\gamma(F)}$ of a set from its BFV $F$. Recall that $\chi_{\gamma(F)}(X) = 1$ if and only if $X \in \gamma(F)$. From Theorem 1 it follows that $\chi_{\gamma(F)}(X) = 1$ if and only if $F(X) = X$. Hence, we can derive:
$$\chi_{\gamma(F)}(V) = \bigwedge_{i \in I} \big( v_i \leftrightarrow f_i(V) \big)$$
We observe that $\langle v_1 \leftrightarrow f_1, \ldots, v_n \leftrightarrow f_n \rangle$ is a canonical conjunctive decomposition [7] for $\gamma(F)$. The theory we develop in this paper for Boolean Functional Vectors applies, with suitable modifications, to conjunctive decompositions as well.

We now define a partial ordering $\sqsubseteq$ on $\mathcal{F}_\bot(I, \preceq)$ by lifting the subset ordering $\subseteq$ on bit-vector sets.

Definition 4. The partial ordering $\sqsubseteq$ is defined on $\mathcal{F}_\bot(I, \preceq)$ by:
$$F \sqsubseteq G \Leftrightarrow \gamma(F) \subseteq \gamma(G)$$

[Fig. 1. Partial orders used in Example 1: (a) $\preceq_1$, (b) $\preceq_2$, (c) $\preceq_3$.]

Example 1. Given $S = \{000, 100, 111\}$, $I = \{1, 2, 3\}$ and $V = \langle v_1, v_2, v_3 \rangle$, let $\preceq_1$, $\preceq_2$ and $\preceq_3$ be the reflexive transitive closures of the partial orders depicted in Figures 1(a), 1(b) and 1(c) respectively. The $(I, \preceq_1)$-BFV $F_1 = \langle v_1,\ v_1 \cdot v_2,\ v_1 \cdot v_2 \rangle$ represents $S$, i.e., $\gamma(F_1) = S$. The $(I, \preceq_2)$-BFV $F_2 = \langle v_1,\ v_1 \cdot v_2,\ v_1 \cdot v_3 \rangle$ abstracts $S$. We have $\gamma(F_2) = \{000, 100, 101, 110, 111\}$, which is a superset of $S$. Moreover, $F_2$ is the minimum abstraction for $S$ in $\mathcal{F}_\bot(I, \preceq_2)$. The $(I, \preceq_3)$-BFVs $G = \langle (v_2 \cdot v_3) + (\neg v_2 \cdot \neg v_3) \cdot v_1,\ v_2,\ v_3 \rangle$ and $H = \langle (v_2 + v_3) + (\neg v_2 \cdot \neg v_3) \cdot v_1,\ v_2,\ v_3 \rangle$ abstract $S$, since $\gamma(G) = \{000, 001, 010, 100, 111\}$ and $\gamma(H) = \{000, 100, 101, 110, 111\}$. Note that $G$ and $H$ are unrelated minimal abstractions.

Lemma 1. If $(I, \prec_{\min})$ is a forest, then there is a minimum abstraction $\alpha(S)$ in $\mathcal{F}_\bot(I, \preceq)$ for every set $S \in \mathcal{P}([I \to B])$.

Theorem 2. If $(I, \prec_{\min})$ is a forest, then:
1. $(\mathcal{F}_\bot(I, \preceq), \sqsubseteq)$ forms a complete lattice. For $F, G \in \mathcal{F}_\bot(I, \preceq)$, the least upper bound and greatest lower bound are given by
$$F \sqcup G = \alpha(\gamma(F) \cup \gamma(G)), \qquad F \sqcap G = \alpha(\gamma(F) \cap \gamma(G)).$$
2. The pair of adjoined functions $(\alpha, \gamma)$ forms a Galois connection between the concrete space $(\mathcal{P}([I \to B]), \subseteq)$ and the abstract space $(\mathcal{F}_\bot(I, \preceq), \sqsubseteq)$. For all $S \in \mathcal{P}([I \to B])$ and $F \in \mathcal{F}_\bot(I, \preceq)$:
$$S \subseteq \gamma(\alpha(S)), \qquad F = \alpha(\gamma(F)).$$

Note that concretization does not lose any information. Furthermore, if $(I, \preceq)$ is a total order, then the abstract space $\mathcal{F}_\bot(I, \preceq)$ is isomorphic to the concrete space $\mathcal{P}([I \to B])$ and no information is lost in abstraction either:

Theorem 3. If $(I, \preceq)$ is a total order, then for all $S \in \mathcal{P}([I \to B])$: $S = \gamma(\alpha(S))$.

3 Algorithms

In this section, we assume that $(I, \prec_{\min})$ is a forest and present algorithms for computing the least upper bound and greatest lower bound of $(I, \preceq)$-BFVs $F$ and $G$, giving us abstractions for set union and intersection respectively. We also present an algorithm to compute the minimum abstraction for projection. The set union and intersection algorithms are modified from [5] to take into account that $\preceq$ is not necessarily a total order. The algorithm for projection is new and is more efficient than computing the union of the cofactors because of fewer intermediate computations.

The algorithms presented here can be modified for the case when $(I, \prec_{\min})$ is not a forest. The modifications are required to account for cases in which there are conflicting constraints from unrelated ancestors for the selection of a bit. In such a case, we could obtain a minimal abstraction by choosing the constraint from one of these ancestors, or an upper bound of these minimal abstractions by ignoring all constraints in case of a conflict.

3.1 Set Union

In selecting a vector from the union of two sets, we could select the vector from either of the operands. If we select the bits one at a time (in an order consistent with $\preceq$), initially we can make a selection from either set. In this scenario, the bit being selected is forced-to-zero (one) if and only if it is forced-to-zero (one) in both sets. We can continue to select from either set until we commit ourselves to one of the operands. This happens when the bit being selected is forced-to-zero (one) in one of the operand sets and we select the opposite value. From then on, we can exclude the operand set that disagrees with our selection.

Given $(I, \preceq)$-BFVs $F$ and $G$, we define conditions $f^x_i$ and $g^x_i$ to indicate when $F$ and $G$ can be excluded from the selection for the union. If $i$ is a root, then $f^x_i = 0$ and $g^x_i = 0$. Otherwise, let $j = \mathit{parent}(i)$:
$$f^x_i = f^x_j + f^0_j \cdot h_j + f^1_j \cdot \neg h_j$$
$$g^x_i = g^x_j + g^0_j \cdot h_j + g^1_j \cdot \neg h_j$$
We now define $H$ so that bit $i$ is forced-to-zero (one) in the union if and only if it is forced-to-zero (one) in the non-excluded sets:
$$h^0_i = f^0_i \cdot g^0_i + f^0_i \cdot g^x_i + f^x_i \cdot g^0_i$$
$$h^1_i = f^1_i \cdot g^1_i + f^1_i \cdot g^x_i + f^x_i \cdot g^1_i$$

Theorem 4. Given $(I, \preceq)$-BFVs $F$ and $G$, let $H$ be defined as above. Then $H = F \sqcup G$.

From Theorems 2 and 4, it follows that our algorithm computes an over-approximation of the corresponding set union, i.e., $\gamma(H) \supseteq \gamma(F) \cup \gamma(G)$.

3.2 Set Intersection

A vector can be selected from the intersection of two sets only if it can be selected in both sets. Hence, we can make selections for bits only if both operands agree on the selection. The selection is forced-to-zero (one) in the intersection if it is forced-to-zero (one) in either operand. We must be careful, however, to avoid conflicts that can occur when, for some bit, the selection in one operand is forced-to-zero while the selection in the other operand is forced-to-one because of the selections made for the ancestors of the bit in question.

Given $(I, \preceq)$-BFVs $F$ and $G$, we define elimination conditions $e_i$ to indicate conflicting selections while computing the intersection:
$$e_i = \sum_{j \in \mathit{children}(i)} \big( f^0_j \cdot g^1_j + f^1_j \cdot g^0_j + \forall v_j.\ e_j \big)$$
If there is no possible selection for some bit, then the intersection is empty:
$$(\exists i.\ e_i = 1) \Rightarrow H = \bot$$
Otherwise, we obtain a vector $K$ by eliminating the conflicts:
$$k^0_i = f^0_i + g^0_i + e_i|_{v_i \leftarrow 1}, \qquad k^1_i = f^1_i + g^1_i + e_i|_{v_i \leftarrow 0}$$
We then obtain $H$ by normalizing $K$, propagating the selection constraints (introduced by the elimination) downstream:
$$h^0_i = k^0_i|_{v_j \leftarrow h_j,\ \forall j \in \mathit{ancestors}(i)}, \qquad h^1_i = k^1_i|_{v_j \leftarrow h_j,\ \forall j \in \mathit{ancestors}(i)}$$

Theorem 5. Given $(I, \preceq)$-BFVs $F$ and $G$, define $H$ as above. Then $H = F \sqcap G$.

As with set union, it follows from Theorems 5 and 2 that $H$ is an over-approximation of the corresponding set intersection, i.e., $\gamma(H) \supseteq \gamma(F) \cap \gamma(G)$.

3.3 Projection

Given $I' \subseteq I$, the (existential) projection of a set $S \in \mathcal{P}([I \to B])$ on $I'$ is:
$$\mathit{proj}_{I'}(S) = \{ X \in [I' \to B] \mid \exists Y \in S.\ \forall i \in I'.\ Y(i) = X(i) \}$$
In selecting a vector for the projection, we can select an $X \in [I' \to B]$ as long as there is some selection for the bits in $I \setminus I'$ that can extend $X$ to some vector $Y$ in $S$. The projection loses information about the relation between the bits retained and the bits projected out. We capture this information with the don't-care conditions $f^{dc}_i$. If $i$ is a root, then $f^{dc}_i = 0$. Otherwise, let $j = \mathit{parent}(i)$:
$$f^{dc}_i = \begin{cases} f^{dc}_j & \text{if } j \in I' \\ f^{dc}_j + f^0_j \cdot h_j + f^1_j \cdot \neg h_j & \text{otherwise} \end{cases}$$
The abstract projection $H$ is now defined so that a bit is forced-to-zero (one) if and only if it is forced-to-zero (one) in the care space, irrespective of the values of the projected-out bits. Let $V'' = \{ v_i \mid i \in I \setminus I' \}$. Then, for $i \in I'$:
$$h^0_i = \forall V''.\ (f^0_i + f^{dc}_i), \qquad h^1_i = \forall V''.\ (f^1_i + f^{dc}_i)$$

Theorem 6. Given an $(I, \preceq)$-BFV $F$ and $I' \subseteq I$, let $H$ be defined as above. Then $H = \alpha(\mathit{proj}_{I'}(\gamma(F)))$.

4 Symbolic Simulation, Model Checking and Abstraction

[Fig. 2. Symbolic reachability analysis using symbolic simulation with Boolean Functional Vectors. Blocks in the figure: Initial States, Set, Symbolic Simulation of the Circuit Model, Re-parametrize (with a Selection Heuristic), Union with Reached States, Control, Fixpoint? check, Loop.]

Using the algorithms from the previous section, we can perform the computations necessary for symbolic model checking using Boolean Functional Vectors. We can compute the image (or pre-image) of a given set of states relative to a transition relation by computing the relational cross product, which involves intersection and projection. The fixpoint iterations also require set union and an equality check to determine the fixpoint. If the model is a circuit, however, forward image computation can be performed by symbolic simulation, making it unnecessary to compute the transition relation and its intersection with the current set of states for forward reachability analysis (Figure 2).

Consider a circuit with state elements $S = \langle s_1, \ldots, s_n \rangle$ and transition functions $\Delta = \langle \delta_1, \ldots, \delta_n \rangle$; we associate the choice variables $V = \langle v_1, \ldots, v_n \rangle$ with $S$. Given an $(I, \preceq)$-BFV $F$ for a set of current states, we can simulate the circuit with the state variables set to $F$ to obtain the next-state vector $G = \langle \delta_1(F), \ldots, \delta_n(F) \rangle$. We can then reparameterize $G$ using the next-state variables $V' = \langle v_{n+1}, \ldots, v_{2n} \rangle$ to obtain a canonical abstraction $H$. Note that the range of $G$ is the exact image of the set of states we simulated with. The abstraction occurs during reparameterization and is determined by the partial order $\preceq$. $H$ is obtained by projecting out the current-state bits from the extended $(I_{2n}, \preceq_{2n})$-BFV $\langle v_1, \ldots, v_n, g_1, \ldots, g_n \rangle$, where $I_{2n} = \{1, \ldots, 2n\}$ and $\preceq_{2n}$ is obtained by extending $\preceq$ to $I_{2n}$ by requiring that all present-state bits precede all next-state bits. In practice, we project out one variable at a time, heuristically choosing a 'low-cost' variable. This allows us to optimize the projection algorithm by only modifying (and computing constraints for) the components that depend on the variable being projected out, thus avoiding the generation of the monolithic relation between the non-canonical $G$ and the canonical $H$.

We note that symbolic simulation followed by re-parameterization computes a complete abstract interpretation of the circuit transition function [3] when $(I, \prec_{\min})$ is a forest.

4.1 Example: Up/Down Sorter

[Fig. 3. An Up/Down Sorter: (a) the sorter; (b) a compare-and-swap element.]

Consider the Up/Down Sorter [9] of Figure 3. It has $2n$ words, each $m$ bits wide, arranged in two columns. Initially, all the words are set to 0. On any cycle, we may either insert a word at Input or extract the maximum word in the sorter from Output. The operation of the sorter may be viewed as a two-step process: an insert or extract followed by a compare-and-swap. If we are inserting a word, then in the first step all words in the left column are pushed down, with $L_1$ getting Input. For a read operation, in the first step all words in the right column are pushed one up, with $R_n$ getting 0 and the value in $R_1$ read out at Output. In the second step, adjacent words are compared and, if the entry in the left column is greater than the corresponding entry in the right column, the two are swapped.

1. Insert: $(L'_1 \leftarrow \mathit{Input}) \wedge (\forall 1 \le i < n.\ L'_{i+1} \leftarrow L_i)$, or Read: $(\mathit{Output} \leftarrow R_1) \wedge (\forall 1 \le i < n.\ R'_i \leftarrow R_{i+1}) \wedge (R'_n \leftarrow 0)$
2. Compare and Swap: $\forall 1 \le i \le n.\ (L'_i, R'_i) \leftarrow \text{if } (L_i > R_i) \text{ then } (R_i, L_i) \text{ else } (L_i, R_i)$

The sorter works by maintaining the right column in sorted order, so that $R_1 \ge R_2 \ge \cdots \ge R_n$. Additionally, the right entry is always greater than or equal to the corresponding left entry, i.e., $R_i \ge L_i$ for all $1 \le i \le n$. These two invariants guarantee that $R_1$ is the maximum entry in the sorter.

The basic data structure is a sorted array (the right column), which is hard to represent as a characteristic function with BDDs. Let $r^j_i$ represent the $j$-th bit of the $i$-th word of the right column. If we choose a word-based BDD variable order, i.e., $\langle r^1_1, r^2_1, \ldots, r^m_1, \ldots, r^1_n, \ldots, r^m_n \rangle$, then the BDD for the characteristic function is exponential in $m$. On the other hand, if we choose the bit-sliced order $\langle r^1_1, r^1_2, \ldots, r^1_n, \ldots, r^m_1, \ldots, r^m_n \rangle$, then the representation is exponential in $n$. If $m = n$, then we conjecture that the BDD for the characteristic function is exponential in $n$ irrespective of the variable order used.

The sorted array can be efficiently represented by a Boolean Functional Vector using BDDs, by organizing the words as a balanced binary search tree (e.g., Figure 4) and using a bit-sliced BDD variable order. The words are constrained only by the values of their ancestors. The relation between unrelated words is captured implicitly by transitivity through common ancestors. The largest BDDs are for the $m$-th bits of the leaves. These are linear in $m$ and exponential in the depth of the tree, hence linear in $n$. Since there are $n \cdot m$ functions in the Boolean Functional Vector, one for each bit of each entry, the bound for the overall representation is quadratic in $n$ and $m$.

[Fig. 4. Partial order on words for an Up/Down Sorter with $n = 7$.]

[Fig. 5. Size of BDD representations for Up/Down Sorters with $n = m$: size (number of BDD nodes, log scale) against $n$ for the bit-sliced, linear and BFV representations.]

Figure 5 plots the sizes of the Boolean Functional Vector (using the binary tree layout) and characteristic function representations (using the linear and bit-sliced BDD variable orders) for the reachable states of an up/down sorter with a depth of $n$ ($2n$ entries), each $n$ bits wide ($m = n$). The partial order in this case is accurate enough to represent the actual state space of the sorter, so that no information is lost in the abstraction. The ordering constraints between entries unrelated by the partial order are captured by implicit transitivity through their common ancestor. Hence, the use of the partial order does not affect the size of the state space; any linear extension of the partial order (e.g., the DFS order) would give the same size for the final state space. However, the partial order is useful during reachability analysis since it prevents the computation of unnecessary constraints.

Figure 6 shows the peak live node count and runtime for reachability analysis, starting from a state with all entries set to 0. The experiments were performed on a Sun-Fire 280R (SUN UltraSPARC-III+ 1015 MHz CPU) with the memory limit set to 1 GB and the time limit set to 10 hours. The experiments with the characteristic function representation were performed using VIS with the MLP heuristics [8]. The current-state and next-state variables are interleaved in the BDD variable order. As expected, there is an exponential gap between the Boolean Functional Vector and characteristic function based approaches. Note that there is a significant performance improvement obtained by using the partially ordered BFVs instead of the totally ordered BFVs. The largest experiment with partially ordered BFVs ($n = 20$) had 800 state bits, all of which are relevant to the property, i.e., the global sorted order.

[Fig. 6. Symbolic reachability analysis for Up/Down Sorters with $n = m$: peak live BDD nodes and runtime (seconds), both on a log scale against $n$, for the bit-sliced, linear, BFV-total and BFV-partial approaches.]

4.2 Example: FIFO Equivalence

Consider the two implementations of a FIFO queue shown in Figure 7. In the shift register, new entries are inserted at the front of the queue, the other entries shifting over by one. In the ring buffer, new entries are inserted at the head pointer. In both implementations, the oldest entries are read out at the tail pointer. We can check the equivalence of the two implementations by performing reachability analysis on the product machine.

Given the value of the head pointer, there is a correspondence between the entries in the two queues. In general, though, we cannot fix such a correspondence since the head pointer can change. The BDD for the characteristic function of the reachable state space is provably exponential in $n$, irrespective of the variable order. In [7], McMillan showed that there is a canonical conjunctive decomposition for this state space that is quadratic in $n$. The basic observation is that the entries are conditionally independent, since we can fix the correspondence once the value of the control signals is known. The conjunctive decomposition factors out the conditionally independent variables into separate components. The same observations essentially apply to the Boolean Functional Vector representation. We can take this further by realizing that the entries in any one of the queues are not correlated. The correlation we are interested in is between entries in the shift register and the corresponding entries (given the control signals) in the ring buffer. Hence, we can use a partial order such as the one in Figure 7(c). We obtain approximately a 3X improvement in runtime with the partially ordered BFVs as compared to the totally ordered BFVs for all values of $n$ tried.

[Fig. 7. Equivalence checking for two implementations of a FIFO: (a) shift register, (b) ring buffer, (c) partial order.]

5 Conclusions and Future Work

We have developed a general framework for symbolic simulation, model checking and abstraction using partially ordered Boolean Functional Vectors. Our examples demonstrate that this framework allows us to efficiently verify some circuits where characteristic functions would fail. The most important future work from a practical point of view is the development of an automated abstraction-refinement framework and a dynamic reordering procedure for BFV components that works in tandem with BDD variable reordering.

References

[1] Mark D. Aagaard, Robert B. Jones, and Carl-Johan H. Seger. Formal Verification Using Parametric Representations of Boolean Constraints. In Proceedings of the 36th Design Automation Conference (DAC'99), pages 402–407, 1999.
[2] Randal E. Bryant, Derek L. Beatty, and Carl-Johan H. Seger. Formal hardware verification by symbolic ternary trajectory evaluation. In Proceedings of the 28th Design Automation Conference (DAC'91), pages 397–402, 1991.
[3] Ching-Tsun Chou. The Mathematical Foundation of Symbolic Trajectory Evaluation. In Proceedings of the 11th International Conference on Computer Aided Verification (CAV'99), pages 196–207, 1999.
[4] O. Coudert, C. Berthet, and J. C. Madre. Verification of Sequential Machines using Boolean Functional Vectors. In Proceedings of the IFIP International Workshop on Applied Formal Methods for Correct VLSI Design, pages 179–196, 1989.
[5] Amit Goel and Randal E. Bryant. Set Manipulation with Boolean Functional Vectors for Symbolic Reachability Analysis. In 2003 Design Automation and Test in Europe (DATE'03), pages 816–821, 2003.
[6] Shankar G. Govindaraju, David L. Dill, Alan J. Hu, and Mark A. Horowitz. Approximate Reachability with BDDs using Overlapping Projections. In Proceedings of the 35th Design Automation Conference (DAC'98), pages 451–456, 1998.
[7] Kenneth L. McMillan. A Conjunctively Decomposed Boolean Representation for Symbolic Model Checking. In Proceedings of the 8th International Conference on Computer Aided Verification (CAV'96), pages 13–24, 1996.
[8] In-Ho Moon, Gary D. Hachtel, and Fabio Somenzi. Border-Block Triangular Form and Conjunction Schedule in Image Computation. In 3rd International Conference on Formal Methods in Computer Aided Design (FMCAD'00), pages 73–90, 2000.
[9] Simon W. Moore and Brian T. Graham. Tagged up/down sorter: A hardware priority queue. The Computer Journal, 38(9):695–703, 1995.
[10] H. J. Touati, H. Savoj, B. Lin, R. K. Brayton, and A. Sangiovanni-Vincentelli. Implicit State Enumeration of Finite State Machines Using BDDs. In Proceedings of the IEEE International Conference on Computer-Aided Design (ICCAD'90), pages 130–133, 1990.
[11] Jin Yang and Carl-Johan H. Seger. Introduction to Generalized Symbolic Trajectory Evaluation. In Proceedings of the IEEE International Conference on Computer Design (ICCD'01), pages 360–367, 2001.
[12] Jin Yang and Carl-Johan H. Seger. Generalized Symbolic Trajectory Evaluation: Abstraction in Action. In Formal Methods in Computer-Aided Design (FMCAD'02), pages 70–87, 2002.