| 1 | | % (c) 2014-2025 Lehrstuhl fuer Softwaretechnik und Programmiersprachen, |
| 2 | | % Heinrich Heine Universitaet Duesseldorf |
| 3 | | % This software is licenced under EPL 1.0 (http://www.eclipse.org/org/documents/epl-v10.html) |
| 4 | | |
| 5 | | % A model checker for safety properties. |
| 6 | | |
| 7 | | % At this point the property intended to be checked has been recognized as a safety property. |
| 8 | | % As a consequence the negation of the property is represented by a finite automaton which |
| 9 | | % accepts all bad prefixes violating the safety property. The algorithm implemented in this module |
| 10 | | % traverses on-the-fly the state space and simulates at the same time movement through the automaton |
| 11 | | % in regard to the evaluation of the atomic propositions. The algorithm halts when either a final |
| 12 | | % state of the automaton is visited (bad prefix for the property has been found and will be reported as a counter-example) |
| 13 | | % or when all nodes of the state space has been visited. |
| 14 | | |
| 15 | | % TODO: we currently ignore ltllimit in the safety model checker |
| 16 | | % TODO/Warning: the atom/3 terms contain a list of formulas; this seems relevant only for ProB for Rodin |
| 17 | | % and do_ltl_modelcheck in eclipse_interface; we set the list to [1] on the assumption there is only one safety |
| 18 | | % formula; but this is probably wrong for more complex safety properties and will break Rodin LTL visualization |
| 19 | | |
| 20 | | :- module(safety_mc,[start_mc_safety_property/3]). |
| 21 | | |
| 22 | | :- use_module(probsrc(error_manager), [add_error_fail/3, add_error/3, add_warning/2, add_error_and_fail/2, add_error/2, add_warning/3]). |
| 23 | | %:- use_module(probsrc(preferences),[set_preference/2, get_preference/2]). |
| 24 | | :- use_module(probsrc(specfile),[animation_mode/1]). |
| 25 | | :- use_module(probsrc(debug),[debug_println/2, formatsilent/2, debug_format/3]). |
| 26 | | :- use_module(probsrc(tools),[cputime/1]). |
| 27 | | :- use_module(probsrc(bsyntaxtree),[is_truth/1]). |
| 28 | | |
| 29 | | %%% state space exploration modules |
| 30 | | :- use_module(probsrc(state_space),[visited_expression_id/1, |
| 31 | | transition/4, visited_expression/2, |
| 32 | | not_all_transitions_added/1, retract_open_node/1, |
| 33 | | set_context_state/1, clear_context_state/0]). |
| 34 | | %% :- use_module(probsrc(state_space_open_nodes), [retract_open_node_direct/1]). |
| 35 | | |
| 36 | | %%% ltl modules |
| 37 | | %:- use_module(probsrc(state_space),[find_initialised_states/1]). |
| 38 | | :- use_module(probltlsrc(ltl_safety),[aut_transition/3, aut_final_state/1, aut_initial_state/1]). |
| 39 | | :- use_module(probltlsrc(state_space_explorer),[compute_transitions_opt/3,get_b_optimisation_options/2]). |
| 40 | | |
| 41 | | %%% library modules |
| 42 | | :- use_module(library(file_systems)). |
| 43 | | :- use_module(library(ordsets)). |
| 44 | | :- use_module(library(random)). |
| 45 | | :- use_module(library(lists)). |
| 46 | | |
| 47 | | :- use_module(probsrc(module_information),[module_info/2]). |
| 48 | | :- module_info(group,ltl). |
| 49 | | :- module_info(description,'This module provides predicates for automata-based model checking of safety properties.'). |
| 50 | | |
| 51 | | :- dynamic visited_pair/3, visited_pair_origin/6, visited_pair_df/2, accepting_state/3. |
| 52 | | |
| 53 | | %% profiler modules |
| 54 | | %% :- use_module('../../extensions/profiler/profiler.pl'). |
| 55 | | %% :- use_module('../../extensions/profiler/profiler_te.pl'). |
| 56 | | |
| 57 | | %% :- enable_profiling(add_state_at_end/3). |
| 58 | | %% :- enable_profiling(pop_state_from_end/1). |
| 59 | | %% :- enable_profiling(check_for_aut_transition/4). |
| 60 | | %% :- enable_profiling(compute_all_product_transitions/4). |
| 61 | | |
| 62 | | % the automata-based safety model checker |
| 63 | | start_mc_safety_property(SearchMode,StartNodes,Result) :- |
| 64 | | prepare_mc_safety_property, |
| 65 | | animation_mode(MODE), |
| 66 | | get_b_optimisation_options(MODE,Optimizations), |
| 67 | | %% perform_static_analyses(MODE,Optimizations), |
| 68 | ? | initial_states_mc_safety_property(StartNodes,Optimizations,ProductInitStates), |
| 69 | | (ProductInitStates == [], non_empty_automaton |
| 70 | | -> %add_warning(run_mc_safety_property,'No initial states of the product transition system have been generated.'), |
| 71 | | Result = none, |
| 72 | | print('All relevant states visited (no initial LTL states feasible)! Product states analysed: '), print(0), nl |
| 73 | | ; |
| 74 | | (\+ aut_final_state_reached(_) |
| 75 | | -> add_warning(run_mc_safety_property,'No accept_all state has been found. The property is possibly not a safety property.') |
| 76 | | ; true), |
| 77 | ? | (select((State,AutState,AId),ProductInitStates,Rest), aut_final_state_reached(AutState) |
| 78 | | -> Initial = [(State,AutState,AId) | Rest] |
| 79 | | ; Initial = ProductInitStates |
| 80 | | ), |
| 81 | | %format('Running LTL Safety MC in mode ~w : ~w~n',[SearchMode,Initial]), |
| 82 | ? | run_mc_safety_property(SearchMode,Initial,Optimizations,Result) |
| 83 | | ). |
| 84 | | |
| 85 | | run_mc_safety_property(breadth_first,ProductInitStates,Optimizations,Result) :- !, |
| 86 | | cputime(T1), |
| 87 | ? | run_mc_safety_property_bf(ProductInitStates,Optimizations,IntermediateResult), |
| 88 | | cputime(T2), D is T2-T1, |
| 89 | | format('% Overall Checking Time: ~w ms~n',[D]), |
| 90 | | cputime(T1_CE), |
| 91 | | get_bf_search_result(IntermediateResult,Result,Length), |
| 92 | | cputime(T2_CE), |
| 93 | | D_CE is T2_CE-T1_CE, |
| 94 | | write(result(Result)),nl, |
| 95 | | format('% Time to get result (~w) of length ~w from breadth-first safety model checking: ~w ms~n',[IntermediateResult,Length,D_CE]). |
| 96 | | run_mc_safety_property(random,ProductInitStates,Optimizations,Result) :- !, |
| 97 | | cputime(T1), |
| 98 | | (run_mc_safety_property_df(ProductInitStates,Optimizations,Result) -> |
| 99 | | cputime(T2), |
| 100 | | print('Counter-example has been found'),nl, |
| 101 | | print(counter_example(Result)),nl |
| 102 | | ; |
| 103 | | cputime(T2), |
| 104 | | get_state_space_statistics(TS,Product), |
| 105 | | print('All nodes visited. No counter-example has been found.'), nl, |
| 106 | | print('Number of states checked: '), print(Product), print(', where '), |
| 107 | | print('number of states of the transition system is: '), print(TS), nl, |
| 108 | | Result = none |
| 109 | | ), |
| 110 | | print('% Overall Checking Time: '), D is T2-T1, print(D), print(' ms'),nl. |
| 111 | | run_mc_safety_property(Otherwise,_ProductInitStates,_,_Result) :- |
| 112 | | add_error_fail(run_mc_safety_property,'Unknown search mode: ', Otherwise). |
| 113 | | |
| 114 | | /* The algorithm for performing breadth-first search LTL safety model checking */ |
| 115 | | run_mc_safety_property_bf(ProductInitStates,Optimizations,Result) :- |
| 116 | | maplist(create_and_add_init_state,ProductInitStates), |
| 117 | | Nr = 0, |
| 118 | | statistics(walltime,[W1,_]), |
| 119 | ? | open_search(Nr,W1,Optimizations,Result). |
| 120 | | |
| 121 | | :- use_module(probsrc(model_checker),[get_model_check_stats/6]). |
| 122 | | open_search(Nr,RefWallTime,Optimizations,Result) :- |
| 123 | | get_next_node(CurId,AutState,ActionId),!, |
| 124 | | debug_format(5,'~nProcessing B state ~w, BA state:~w, next action:~w~n',[CurId,AutState,ActionId]), |
| 125 | | (aut_final_state_reached(AutState) -> % bad prefix has been found |
| 126 | | Result = counter_example_found, |
| 127 | | format('Found counter example (bad prefix) leading to state [~w: BA ~w]~n',[CurId,AutState]) |
| 128 | | ; % continue the search |
| 129 | | Nr1 is Nr +1, |
| 130 | ? | (print_progress(Nr1,RefWallTime,NewRefTime) |
| 131 | | -> DeltaW is (NewRefTime-RefWallTime)/1000, |
| 132 | | get_model_check_stats(SS,TT,_,Perc,_,_), |
| 133 | | formatsilent('Safety model checker progress: ~w product states processed (delta = ~1f sec)~nState space statistics: ~w states checked (~1f%), ~w transitions~n',[Nr1,DeltaW,SS,Perc,TT]) |
| 134 | | ; NewRefTime=RefWallTime), |
| 135 | | compute_state_space_transitions_if_necessary(CurId,Optimizations,ActionsAndIDs), |
| 136 | | % format(' Transitions for ~w: ~w~n',[CurId,ActionsAndIDs]), |
| 137 | ? | compute_all_product_transitions(CurId,AutState,ActionId,ActionsAndIDs,Optimizations), |
| 138 | ? | open_search(Nr1,NewRefTime,Optimizations,Result) |
| 139 | | ). |
| 140 | | open_search(Nr,_,_Optimizations,Res) :- |
| 141 | | Res = none, |
| 142 | | format('All relevant states visited!~nProduct states analysed: ~w~n',[Nr]). % these are product states |
| 143 | | |
| 144 | | |
| 145 | | print_progress(Nr1,_,NewRefTime) :- Nr1 mod 10000 =:= 0, statistics(walltime,[NewRefTime,_]). |
| 146 | | print_progress(Nr1,RefWallTime,NewRefTime) :- Nr1 mod 100 =:= 0, statistics(walltime,[NewRefTime,_]), |
| 147 | | NewRefTime-RefWallTime > 10000. % more than 10 secs passed |
| 148 | | |
| 149 | | compute_state_space_transitions_if_necessary(CurId,Optimizations,ActionsAndIDs) :- |
| 150 | | compute_state_space_transitions_if_necessary2(CurId,Optimizations), |
| 151 | | findall((ActId,ActionAsTerm,DestId), |
| 152 | | transition(CurId,ActionAsTerm,ActId,DestId), |
| 153 | | ActionsAndIDs). |
| 154 | | |
| 155 | | compute_state_space_transitions_if_necessary2(CurId,Optimizations) :- |
| 156 | | (not_all_transitions_added(CurId), |
| 157 | | %format('Computing transitions for ~w (~w)~n',[CurId,Optimizations]), |
| 158 | | (retract_open_node(CurId) -> true ; add_warning(safety_mc,'Not open node: ',CurId)) |
| 159 | | -> % if node is still not retracted from queue |
| 160 | | % TODO: keep track of ltllimit maximum number of new nodes to explore |
| 161 | | set_context_state(CurId), |
| 162 | | visited_expression(CurId,CurState), |
| 163 | | compute_transitions_opt(Optimizations,CurId,CurState), |
| 164 | | clear_context_state |
| 165 | | ; true % nothing to do |
| 166 | | ). |
| 167 | | |
| 168 | | % compute new AutomataState |
| 169 | | % The formal model reaches a new state (DestId), we execute a Büchi Automaton transition |
| 170 | | % based on the atomic properties of DstId |
| 171 | | % ActionID is either a variable, or a transition number ensuring that AutState is mapped to CurID (for [X] properties) |
| 172 | | compute_all_product_transitions(CurId,AutState,ActionId,ActionsAndIDs,Optimizations) :- |
| 173 | | copy_term(ActionId,OrigActionId), |
| 174 | ? | member((ActionId,_Term,DestId),ActionsAndIDs), |
| 175 | | % format(' Processing state transition: (B:~w,BuechiAut:~w) --~w--> B:~w~n',[CurId,AutState,ActionId,DestId]), |
| 176 | | compute_state_space_transitions_if_necessary2(DestId,Optimizations), |
| 177 | ? | get_aut_successor(AutState,NextAutState), |
| 178 | | % backtrack over candidate successor automata states first to perform visited_pair check, |
| 179 | | % before finding all matching B transitions (NextActionId, if any) |
| 180 | | |
| 181 | | % format(' Attempting to find compatible transitions to BA state ~w~n',[NextAutState]), |
| 182 | | % if NextActionId is a variable, then any transition is ok |
| 183 | | % now add all next actions to the queue which lead to NextAutState |
| 184 | ? | check_for_aut_transition(AutState,DestId,NextAutState,NextActionId), % NextActionId is variable if no constraint on it |
| 185 | | % format(' reaching: ~w * ~w (automata state via forced next action ~w)~n',[DestId,NextAutState,NextActionId]), |
| 186 | | |
| 187 | ? | \+ already_visited(DestId,NextAutState,NextActionId), % pair not yet processed; |
| 188 | | % format(' Asserting ~w~n',[visited_pair(DestId,NextAutState,NextActionId)]), |
| 189 | | assertz(visited_pair(DestId,NextAutState,NextActionId)), % mark as processed / to-be-processed in queue |
| 190 | | (aut_final_state_reached(NextAutState) -> |
| 191 | | add_state_to_queue(DestId,NextAutState,NextActionId,coming_from(CurId,AutState,OrigActionId)) |
| 192 | | ; |
| 193 | | add_state_at_queue_end(DestId,NextAutState,NextActionId,coming_from(CurId,AutState,OrigActionId)), |
| 194 | | fail |
| 195 | | ). |
| 196 | | compute_all_product_transitions(_CurId,_AutState,_ActionId,_ActionsAndIDs,_). |
| 197 | | |
| 198 | | already_visited(DestId,NextAutState,NextActionId) :- |
| 199 | ? | visited_pair(DestId,NextAutState,OtherActionId), |
| 200 | | (var(OtherActionId) -> true % we have already processed this product state without a constraint on the next action |
| 201 | | ; var(NextActionId) -> false % we now process the product state with unrestricted next action id: could be more behaviour |
| 202 | | ; NextActionId = OtherActionId). |
| 203 | | |
| 204 | | %%% getting the initial states with respect to the the safety property |
| 205 | | initial_states_mc_safety_property(StartNodes,Optimizations,ProductInitStatesSet) :- |
| 206 | | findall(Init,aut_initial_state(Init),InitStates), |
| 207 | ? | get_product_init_states(StartNodes,InitStates,Optimizations,ProductInitStates), |
| 208 | | list_to_ord_set(ProductInitStates,ProductInitStatesSet), |
| 209 | | debug_println(9,init_states(ProductInitStatesSet)). |
| 210 | | |
| 211 | | get_product_init_states([],_InitStates,_Optimizations,[]). |
| 212 | | get_product_init_states([StartNode|Nodes],InitStates,Optimizations,Res) :- |
| 213 | ? | (ltl_safety:tps_occurring % for transition properties we need to have outgoing transitions |
| 214 | | -> compute_state_space_transitions_if_necessary2(StartNode,Optimizations) |
| 215 | | ; true), |
| 216 | ? | get_init_product(StartNode,InitStates,IStates), |
| 217 | | append(IStates,Res1,Res), |
| 218 | ? | get_product_init_states(Nodes,InitStates,Optimizations,Res1). |
| 219 | | |
| 220 | | get_init_product(_StartNode,[],[]). |
| 221 | | get_init_product(StartNode,[Init|Inits],Res) :- |
| 222 | | findall(Succ,get_ba_successor_state(StartNode,Init,Succ),L), |
| 223 | | append(L,Res1,Res), |
| 224 | ? | get_init_product(StartNode,Inits,Res1). |
| 225 | | |
| 226 | | % after reaching an initial state we execute one transition in the Büchi Automata |
| 227 | | get_ba_successor_state(StartNode,Init,(StartNode,Next,ActionId)) :- |
| 228 | ? | aut_transition(Init,Label,Next), % Büchi Automata transition via Label |
| 229 | ? | check_transition(Label,StartNode,ActionId). % ActionId: id required to satisfy Label (if it has a transition property) |
| 230 | | |
| 231 | | %--------------------------------------------------------------------- |
| 232 | | |
| 233 | | %%% utility predicates |
| 234 | | prepare_mc_safety_property :- |
| 235 | | retractall(product(_,_,_)), |
| 236 | | retractall(visited_pair(_,_,_)), |
| 237 | | retractall(visited_pair_origin(_,_,_, _,_,_)), |
| 238 | | retractall(visited_pair_df(_,_)), |
| 239 | | retractall(accepting_state(_,_,_)). |
| 240 | | |
| 241 | | % automata relevant functions |
| 242 | ? | aut_final_state_reached(AutState) :- aut_final_state(AutState), |
| 243 | | (AutState = 'accept_all' -> true ; aut_transition(AutState,true,AutState)). |
| 244 | | |
| 245 | | % Checking whether the automaton expresses the trivial property 'true'. |
| 246 | | % If so, a counter-example [inital_state] is returned |
| 247 | | trivial_automaton :- |
| 248 | | aut_transition(P,L,Q), |
| 249 | | (P=='accept_init',(L = ap(bpred(Pred))->is_truth(Pred);fail),Q =='accept_init'). |
| 250 | | |
| 251 | | non_empty_automaton :- |
| 252 | | aut_transition(_P,_L,_Q). |
| 253 | | |
| 254 | | % state space statistics |
| 255 | | get_state_space_statistics(TS,Product) :- |
| 256 | | findall((X,Y),visited_pair_df(X,Y),L), |
| 257 | | debug_println(9,product_states(L)), |
| 258 | | length(L,Product), |
| 259 | | findall(ID,visited_expression_id(ID),IDL), |
| 260 | | length(IDL,TS). |
| 261 | | %------------------------------------------- |
| 262 | | |
| 263 | | %%% Queue operations |
| 264 | | :- dynamic product/3. |
| 265 | | |
| 266 | | create_and_add_init_state((CurId,AutState,ActionId)) :- |
| 267 | | debug_format(5,'Creating initial state [~w:BA ~w] -- ~w -->~n',[CurId,AutState,ActionId]), |
| 268 | | (already_visited(CurId,AutState,ActionId) -> fail ; assertz(visited_pair(CurId,AutState,ActionId)) ), |
| 269 | | add_state_to_queue(CurId,AutState,ActionId,coming_from(root,root,none)). |
| 270 | | |
| 271 | | get_next_node(CurId,AutState,ActionId) :- |
| 272 | | pop_state_from_end(product(CurId,AutState,ActionId)). |
| 273 | | |
| 274 | | add_state_to_queue(State,AutState,ActionId,From) :- |
| 275 | | (aut_final_state_reached(AutState) -> |
| 276 | | add_state_at_queue_front(State,AutState,ActionId,From), |
| 277 | | debug_format(19,'** Found Accepting state ~w~n',[(State,AutState,ActionId)]), |
| 278 | | assertz(accepting_state(State,AutState,ActionId)) % save accepting state (for building later the counter-example) |
| 279 | | ; add_state_at_queue_end(State,AutState,ActionId,From) |
| 280 | | ). |
| 281 | | add_state_at_queue_end(State,AutState,ActionId,coming_from(PrevState,PrevAutState,PrevActionId)) :- |
| 282 | | % format('QUEUING: (~w,~w) --~w--> ~n',[State,AutState,ActionId]), |
| 283 | | assertz(product(State,AutState,ActionId)), |
| 284 | | assertz(visited_pair_origin(State,AutState,ActionId,PrevState,PrevAutState,PrevActionId)). |
| 285 | | add_state_at_queue_front(State,AutState,ActionId,coming_from(PrevState,PrevAutState,PrevActionId)) :- |
| 286 | | % format('QUEUING at FRONT: (~w,~w) --~w--> ~n',[State,AutState,ActionId]), |
| 287 | | asserta(product(State,AutState,ActionId)), |
| 288 | | assertz(visited_pair_origin(State,AutState,ActionId,PrevState,PrevAutState,PrevActionId)). |
| 289 | | |
| 290 | | %add_state_at_front(State,AutState,ActionId) :- |
| 291 | | % asserta(product(State,AutState,ActionId)). |
| 292 | | pop_state_from_end(Node) :- |
| 293 | ? | retract(product(State,AutState,ActionId)),!, |
| 294 | | Node = product(State,AutState,ActionId). |
| 295 | | %------------------- |
| 296 | | |
| 297 | | /* An algorithm for checking safety LTL properties in depth-first manner. |
| 298 | | First tryouts showed that the depth-first search is much more effective than the breadth-first mode. */ |
| 299 | | |
| 300 | | run_mc_safety_property_df(InitStates,Optimizations,Result) :- |
| 301 | | member((CurId,AutState,ActionId),InitStates), |
| 302 | | (trivial_automaton -> % the automaton is trivial , i.e. we have checked the formula 'false' and need to return one of the initial states as a counter-example |
| 303 | | %% CEPath = [atom(CurId,CurId,none)], |
| 304 | | Result=model([atom(CurId,[1],none)],no_loop) |
| 305 | | ; |
| 306 | | mc_safety_property_init((CurId,AutState,ActionId),Optimizations,CEPath,CEPath,Result) |
| 307 | | ). |
| 308 | | |
| 309 | | % at the init state we already checked for next automaton transitions |
| 310 | | mc_safety_property_init((CurId,AutState,ActionId),Optimizations,History,HTail,Result) :- |
| 311 | | (transition(CurId,_Op,ActionId,CurId) -> true ; assertz(visited_pair_df(CurId,AutState))), |
| 312 | | mc_safety_property_next_state((CurId,AutState,ActionId),Optimizations,History,HTail,Result). |
| 313 | | |
| 314 | | % model_checker: get_open_node_to_check(DFMODE,NodeID) |
| 315 | | mc_safety_property((CurId,AutState,ActionId),Optimizations,History,HTail,Result) :- |
| 316 | | assertz(visited_pair_df(CurId,AutState)), |
| 317 | | debug_println(19,current_history(CurId,History)), |
| 318 | | check_for_aut_transition(AutState,CurId,NextAutState,ActionId), |
| 319 | | mc_safety_property_next_state((CurId,NextAutState,ActionId),Optimizations,History,HTail,Result). |
| 320 | | |
| 321 | | mc_safety_property_next_state((CurId,AutState,ActionId),_Optimizations,History,[atom(CurId,[1],ActionId1)],Result) :- |
| 322 | | aut_final_state_reached(AutState),!, |
| 323 | | ( nonvar(ActionId) -> ActionId1=ActionId; ActionId1 = none), |
| 324 | | print(found_error(counter_example_found,CurId,History)),nl, |
| 325 | | Result = model(History,no_loop). |
| 326 | | mc_safety_property_next_state((CurId,AutState,ActionId),Optimizations,History,HTail,Result) :- |
| 327 | | compute_state_space_transitions_if_necessary(CurId,Optimizations,ActionsAndIDs), |
| 328 | | random_permutation(ActionsAndIDs,ActionsAndIDs1), |
| 329 | | HTail = [atom(CurId,[1],ActionId)|HTail2], |
| 330 | | get_next_state(ActionsAndIDs1,ActionId,DestId), |
| 331 | | \+ visited_pair_df(DestId,AutState), |
| 332 | | (ltl_safety:tps_occurring % if there is a transition property, we need outgoing transitions |
| 333 | | -> compute_state_space_transitions_if_necessary2(DestId,Optimizations) |
| 334 | | ; true), |
| 335 | | mc_safety_property((DestId,AutState,_NewActionId),Optimizations,History,HTail2,Result). |
| 336 | | |
| 337 | | % try and get accepting state first |
| 338 | | get_aut_successor(AutState,accept_all) :- (aut_transition(AutState,_,accept_all) -> true). |
| 339 | | get_aut_successor(AutState,NextAutState) :- % TODO: randomise and succeed only once if multiple transitions lead |
| 340 | ? | aut_transition(AutState,true,NextAutState), |
| 341 | | %(the idea is to execute as soon as possible transitions that do not have the label 'true') |
| 342 | | NextAutState \= accept_all. |
| 343 | | get_aut_successor(AutState,NextAutState) :- % TODO: randomise and succeed only once if multiple transitions lead |
| 344 | ? | aut_transition(AutState,Label,NextAutState), Label \= true, NextAutState \= accept_all. |
| 345 | | |
| 346 | | check_for_aut_transition(AutState,CurId,NextAutState,ActionId) :- |
| 347 | | aut_transition(AutState,Label,NextAutState), |
| 348 | ? | check_transition(Label,CurId,ActionId). % check if label matches transition ActionId from B State CurId |
| 349 | | |
| 350 | | /* |
| 351 | | check_for_aut_transition_random(AutState,CurId,NextAutState,ActionId) :- |
| 352 | | get_randomised_next_aut_states(AutState,Trans), |
| 353 | | member((Label,NextAutState),Trans), |
| 354 | | %format('Checking transition ~w from state ~w with label ~w (~w->~w)~n',[ActionId,CurId,Label,AutState,NextAutState]), |
| 355 | | check_transition(Label,CurId,ActionId). |
| 356 | | |
| 357 | | get_randomised_next_aut_states(AutState,Res) :- |
| 358 | | % here we want to test first the non-truth automata transitions in order to terminate earlier in case of a counter-example |
| 359 | | % this is a type of selective randomising (the idea is to execute as soon as possible transitions that do not have the label 'true') |
| 360 | | findall((Labl,Next),(aut_transition(AutState,Labl,Next),\+is_truth_label(Labl)),L), |
| 361 | | random_permutation(L,L1), |
| 362 | | findall((Labl,Next),(aut_transition(AutState,Labl,Next),is_truth_label(Labl)),LTruth), |
| 363 | | append(L1,LTruth,Res). |
| 364 | | % TODO: optimize this; not very efficient |
| 365 | | |
| 366 | | is_truth_label(true). |
| 367 | | */ |
| 368 | | |
| 369 | | get_next_state(ActionsAndIDs,ActionId,DstId) :- |
| 370 | | member((ActionId,_Term,DstId),ActionsAndIDs). |
| 371 | | |
| 372 | | %%% for getting the result from LTL Safety Model Check |
| 373 | | get_bf_search_result(none,Result,Len) :- !, Result = none, Len=0. |
| 374 | | get_bf_search_result(counter_example_found,Result,Length) :- !, |
| 375 | | get_counter_example_from_product(Result,Length), |
| 376 | | debug_println(9,counter_example(Length,Result)). |
| 377 | | get_bf_search_result(Arg,_Result,_Len) :- |
| 378 | | add_error_fail(run_mc_safety_property_bf, 'Unknow result: ', Arg). |
| 379 | | |
| 380 | | get_counter_example_from_product(Result,Length) :- |
| 381 | | accepting_state(State,AutState,ActionId),!, |
| 382 | | (nonvar(ActionId) -> Trans = ActionId; Trans = none), |
| 383 | | debug_format(19,'Start constructing counter-example backwards from ~w:~w~n',[State,AutState]), |
| 384 | | %listing(accepting_state/3),nl, listing(visited_pair/3),nl, listing(visited_pair_origin/6),nl, |
| 385 | | get_counter_example_list(State,AutState,ActionId,[atom(State,[1],Trans)],ResList), |
| 386 | | Result = model(ResList,no_loop), |
| 387 | | length(ResList,Length). |
| 388 | | get_counter_example_from_product(Result,0) :- |
| 389 | | add_error(safety_mc,'No accepting state was found (this is an internal error in the model checker).'), |
| 390 | | Result=[]. |
| 391 | | |
| 392 | | get_counter_example_list(State,AutState,ActionId,CurRes,Result) :- |
| 393 | | visited_pair_origin(State,AutState,StoredActionId,root,root,none), |
| 394 | | (ActionId==StoredActionId -> true ; var(StoredActionId), var(ActionId)), |
| 395 | | !, % we found our way back to an initial state |
| 396 | | Result = CurRes. |
| 397 | | get_counter_example_list(State,AutState,ActionId,CurRes,Result) :- |
| 398 | | (%visited_pair(State,AutState,PrevState,PrevAutState,StoredActionId), % Note there could be several entries |
| 399 | | visited_pair_origin(State,AutState,StoredActionId,PrevState,PrevAutState,PrevActionId), |
| 400 | | (ActionId==StoredActionId -> true ; var(StoredActionId), var(ActionId)), |
| 401 | | debug_format(5,' [~w:BA ~w] ---counter_ex_trans:~w---> previous:[~w:BA ~w ~w]~n',[State,AutState,ActionId,PrevState,PrevAutState,PrevActionId]), |
| 402 | | copy_term(PrevActionId,GroundPrevActionId), |
| 403 | | transition(PrevState,_ActionAsTerm,GroundPrevActionId,State), % has only one solution if ActionId ground |
| 404 | | aut_transition(PrevAutState,_,AutState) |
| 405 | | -> get_counter_example_list(PrevState,PrevAutState,PrevActionId, |
| 406 | | [atom(PrevState,[1],GroundPrevActionId)|CurRes], Result) |
| 407 | | ; add_error(get_counter_example_list,'Could not find visited predecessor for: ',(State:AutState)), |
| 408 | | Result=CurRes |
| 409 | | ). |
| 410 | | %get_counter_example_list(State,AutState,CurRes,Result) :- |
| 411 | | % add_error(get_counter_example_list,'No visited_pair found for: ',(State:AutState)), |
| 412 | | % listing(safety_mc:visited_pair/4), |
| 413 | | % Result=CurRes. |
| 414 | | |
| 415 | | |
| 416 | | %------------------------------------------------------------------------------------------------------------------ |
| 417 | | |
| 418 | | |
| 419 | | %:- use_module(ltl_propositions,[check_enabled/2]). |
| 420 | | :- use_module(probltlsrc(ltl_propositions), [check_transition_pred/5, check_ap/2]). |
| 421 | | %%% synchronising the automaton transitions with the successor states of the model |
| 422 | | %%% for transition predicates (like [Event]) the ActionId will be instantiated, and the BA property relies on the Action to be taken next |
| 423 | | %%% if the ActionId remains a variable, then the property only depends on the state (like, {Pred} ) |
| 424 | | check_transition(true,_StateId,_ActionId) :- !. |
| 425 | | check_transition(false,_StateId,_ActionId) :- !, fail. |
| 426 | | check_transition(ap(AP),StateId,_ActionId) :- !, |
| 427 | ? | check_ap_at_state(AP,StateId). |
| 428 | | check_transition(tp(TP),StateId,ActionId) :- !, |
| 429 | | %check_enabled(TP,StateId), % not sure why this is required: it checks there is one solution; the code below will do that as well |
| 430 | ? | transition(StateId,Op,ActionId,DestId), |
| 431 | ? | check_transition_pred(TP,Op,StateId,ActionId,DestId). % ltl_propositions |
| 432 | | check_transition(not(AF),StateId,ActionId) :- !, |
| 433 | ? | check_transition_fail(AF,StateId,ActionId). |
| 434 | | check_transition(and(AF,AG),StateId,ActionId) :- !, |
| 435 | ? | check_transition(AF,StateId,ActionId), |
| 436 | ? | check_transition(AG,StateId,ActionId). |
| 437 | | check_transition(or(AF,AG),StateId,ActionId) :- !, |
| 438 | | (check_transition(AF,StateId,ActionId) ; |
| 439 | | check_transition(AG,StateId,ActionId)). |
| 440 | | check_transition(Label,_StateId,_ActionId) :- |
| 441 | | add_error_fail(check_transition,'Unknown Buchi automaton transition label: ', Label). |
| 442 | | |
| 443 | | check_transition_fail(true,_StateId,_ActionId) :- !, fail. |
| 444 | | check_transition_fail(false,_StateId,_ActionId) :- !. |
| 445 | | check_transition_fail(ap(AP),StateId,_ActionId) :- !, |
| 446 | | (check_ap_at_state(AP,StateId)-> fail; true). |
| 447 | | check_transition_fail(tp(TP),StateId,ActionId) :- !, |
| 448 | ? | transition(StateId,Op,ActionId,DestId), % we require DestId to be known |
| 449 | ? | \+ ltl_propositions:check_transition_pred(TP,Op,StateId,ActionId,DestId). |
| 450 | | check_transition_fail(not(AF),StateId,ActionId) :- !, |
| 451 | | check_transition(AF,StateId,ActionId). |
| 452 | | check_transition_fail(and(AF,AG),StateId,ActionId) :- !, |
| 453 | | (check_transition_fail(AF,StateId,ActionId) ; |
| 454 | | check_transition_fail(AG,StateId,ActionId) ). |
| 455 | | check_transition_fail(or(AF,AG),StateId,ActionId) :- !, |
| 456 | | check_transition_fail(AF,StateId,ActionId), |
| 457 | | check_transition_fail(AG,StateId,ActionId). |
| 458 | | check_transition_fail(Label,_StateId,_ActionId) :- |
| 459 | | add_error_fail(check_transition,'Unknown Buchi automaton transition label: ', Label). |
| 460 | | |
| 461 | | check_ap_at_state(deadlock,StateId) :- !, |
| 462 | | animation_mode(MODE), |
| 463 | | get_b_optimisation_options(MODE,Optimizations), |
| 464 | | compute_state_space_transitions_if_necessary2(StateId,Optimizations), |
| 465 | ? | \+ transition(StateId,_ActionId,_ActionAsTerm,_DestId). |
| 466 | | check_ap_at_state(AP,StateId) :- |
| 467 | ? | check_ap(AP,StateId). |
| 468 | | |