
Suppose I have the following structure M = (S, R, L), where S = {s0, s1, s2} is the set of possible states, R is a transition relation such that s0 -> s1, s0 -> s2, s1 -> s0, s1 -> s2, and s2 -> s2, and L is the labeling function for each state, defined by L(s0) = {p, q}, L(s1) = {q, r}, and L(s2) = {r}. I am using the notation described in the Logic in Computer Science textbook by Huth and Ryan.

Clearly, in such a model, X r is satisfied in s0 (the initial state), since r is satisfied in both s1 and s2. My NuSMV code for the Kripke structure is as follows (as described here).

MODULE main
VAR
    -- one boolean per atomic proposition, updated by hand in ASSIGN
    p : boolean;
    q : boolean;
    r : boolean;
    state : {s0, s1, s2};

ASSIGN
    init(state) := s0;
    next(state) :=
    case
        state = s0 : {s1, s2};
        state = s1 : {s0, s2};   -- transitions from s1, as in the structure above
        state = s2 : {s2};
        TRUE       : state;
    esac;

    -- L(s0) = {p, q}
    init(p) := TRUE;
    init(q) := TRUE;
    init(r) := FALSE;

    -- each next(...) is evaluated against the *current* value of state
    next(p) :=
    case
        state = s1 | state = s2 : FALSE;
        TRUE                    : p;     -- default keeps the case exhaustive
    esac;
    next(q) :=
    case
        state = s1 : TRUE;
        state = s2 : FALSE;
        TRUE       : q;
    esac;
    next(r) :=
    case
        state = s1 : FALSE;
        state = s2 : TRUE;
        TRUE       : r;
    esac;

LTLSPEC
    X r

But NuSMV reports that the specification X r is false and yields a counterexample.

Iqazra

1 Answer


Your model is not correct. Initially, state is s0 and r is FALSE.

When next(r) is calculated, the state is still s0. Therefore, only the last case is true, where r remains FALSE. As a result, X r does not hold.

You can modify your model as follows, where DEFINE is used to define the labeling function:

MODULE main
VAR
  state : {s0, s1, s2};

ASSIGN
  init(state) := s0;
  -- transition relation R; all three values of state are covered, so no default is needed
  next(state) :=
  case
    state = s0 : {s1, s2};
    state = s1 : {s0, s2};
    state = s2 : {s2};
  esac;

DEFINE
  -- labeling function L: each proposition is a function of the current state,
  -- so in a successor state it is evaluated against that successor
  p := state = s0;                -- L(s0) = {p, q}
  q := state = s0 | state = s1;   -- L(s1) = {q, r}
  r := state = s1 | state = s2;   -- L(s2) = {r}

LTLSPEC
  X r
dejvuth
  • Thank you for your explanation. Is it alright to remove `TRUE : state` in the code? The reason I add `TRUE : state` is to prevent the "case conditions are not exhaustive" warning. My previous code was based on [this discussion](http://stackoverflow.com/questions/22884125/how-to-create-a-simple-kripke-model-in-nusmv). – Iqazra Dec 03 '15 at 02:30
  • Anyway, what does the warning "The initial states set of the finite state machine is empty. This might make results of model checking not trustable." mean? This warning is shown before NuSMV produces that "specification X r is true". – Iqazra Dec 03 '15 at 03:33
  • You can remove the `TRUE` branch, if all possible values of `state` are already covered, which is the case here. – dejvuth Dec 03 '15 at 06:30
  • Strange, I don't have that warning... The initial state shouldn't be empty anyway, because we declared `init(state) := s0`. – dejvuth Dec 03 '15 at 06:32
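The point made in the answer, that next(r) is computed while state is still s0 and therefore lags one step behind the transition, can be checked outside NuSMV by evaluating X r directly on the Kripke structure from the question. The following Python script is an added example; it is not code from the original post or from NuSMV. It encodes M = (S, R, L) as plain dictionaries and evaluates X a for each atomic proposition a in two ways: with the label taken from the successor state (the DEFINE encoding in the answer) and with the label computed from the state before the move (the ASSIGN next(...) encoding in the question, generalised here as "next(a) := a in L(current state)"; the question's case table differs in detail, but the mechanism is the same). The function and variable names are this example's own.

```python
"""Explicit-state check of the LTL formula X a (a an atomic proposition) on the
Kripke structure from the question, comparing the two NuSMV encodings discussed
in the answer.  Added example, not from the original post or from NuSMV."""

# M = (S, R, L) exactly as given in the question (constructed inline).
S = {"s0", "s1", "s2"}
R = {"s0": {"s1", "s2"}, "s1": {"s0", "s2"}, "s2": {"s2"}}
L = {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}}
INIT = "s0"


def violating_successors_define(atom, init=INIT):
    """DEFINE encoding (the answer): a label is a function of the state, so the
    value of `atom` in a successor is `atom in L(successor)`.  X atom holds in
    `init` iff no successor violates it; the returned (sorted) list is the set
    of violating successors, empty when the formula holds."""
    return sorted(s for s in R[init] if atom not in L[s])


def violating_successors_lagged(atom, init=INIT):
    """ASSIGN next(v) encoding (the question, generalised): next(atom) is
    computed while the current state is still `init`, so after the transition
    the variable carries `atom in L(init)` whichever successor was taken.
    Consequently every successor violates X atom when atom is not in L(init),
    and none does when it is: the encoding really checks atom at init."""
    value_after_step = atom in L[init]
    return [] if value_after_step else sorted(R[init])


def check_x(atom, encoding, init=INIT):
    """Return (holds, counterexample) for X atom at `init` under `encoding`,
    one of the two functions above.  The counterexample is the two-state
    trace NuSMV would print for a violated X formula: [init, bad_successor]."""
    bad = encoding(atom, init)
    if not bad:
        return True, None
    return False, [init, bad[0]]


if __name__ == "__main__":
    atoms = sorted({a for labels in L.values() for a in labels})
    for atom in atoms:
        for name, enc in (("DEFINE", violating_successors_define),
                          ("lagged", violating_successors_lagged)):
            holds, cex = check_x(atom, enc)
            verdict = "true" if holds else "false, counterexample " + " -> ".join(cex)
            print(f"X {atom} [{name}]: {verdict}")
```

Running it shows the two encodings disagreeing on every proposition: under DEFINE, X r is true while X p and X q are false (s1 and s2 lack p, s2 lacks q), which matches the structure; under the lagged encoding the verdicts are inverted, because the variable read in the successor still holds the label of s0.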