/// <summary>
/// Returns a <see cref="Formula" /> that applies the implication operator to <paramref name="leftOperand" /> (the antecedent)
/// and
/// <paramref name="rightOperand" /> (the succedent).
/// </summary>
/// <param name="leftOperand">The formula representing the antecedent of the implication.</param>
/// <param name="rightOperand">The formula representing the succedent of the implication.</param>
public static Formula Implies(this Formula leftOperand, Formula rightOperand)
{
Requires.NotNull(leftOperand, nameof(leftOperand));
Requires.NotNull(rightOperand, nameof(rightOperand));
return new BinaryFormula(leftOperand, BinaryOperator.Implication, rightOperand);
}
private static bool IsStructurallyEquivalent(Formula f1, Formula f2)
{
var stateFormula1 = f1 as StateFormula;
var stateFormula2 = f2 as StateFormula;
var unaryFormula1 = f1 as UnaryFormula;
var unaryFormula2 = f2 as UnaryFormula;
var binaryFormula1 = f1 as BinaryFormula;
var binaryFormula2 = f2 as BinaryFormula;
if (stateFormula1 != null && stateFormula2 != null)
{
// Unfortunately, the C# compiler generates different methods for the same lambdas, so we
// can't simply compare the delegates
// We execute the expressions instead, that way we can at least guess whether they are the same
return stateFormula1.Expression() == stateFormula2.Expression();
}
if (unaryFormula1 != null && unaryFormula2 != null)
{
return unaryFormula1.Operator == unaryFormula2.Operator &&
IsStructurallyEquivalent(unaryFormula1.Operand, unaryFormula2.Operand);
}
if (binaryFormula1 != null && binaryFormula2 != null)
{
return binaryFormula1.Operator == binaryFormula2.Operator &&
IsStructurallyEquivalent(binaryFormula1.LeftOperand, binaryFormula2.LeftOperand) &&
IsStructurallyEquivalent(binaryFormula1.RightOperand, binaryFormula2.RightOperand);
}
return false;
}
protected override void Check()
{
var x = 0;
Formula g = null;
f = x == 2 || x == 3;
g = x == 3;
P = x == 4;
Check(f, () => x == 2 || x == 3);
Check(g, () => x == 3);
Check(P, () => x == 4);
x = 2;
Check(f, () => x == 2 || x == 3);
Check(g, () => x == 3);
Check(P, () => x == 4);
x = 3;
Check(f, () => x == 2 || x == 3);
Check(g, () => x == 3);
Check(P, () => x == 4);
x = 4;
Check(f, () => x == 2 || x == 3);
Check(g, () => x == 3);
Check(P, () => x == 4);
}
private bool this[Formula actual, Func<bool> expected]
{
get
{
Check(actual, expected);
return true;
}
}
protected bool Check(Formula formula, params IComponent[] components)
{
var modelChecker = CreateModelChecker();
var result = modelChecker.Check(TestModel.InitializeModel(components), formula);
CounterExample = result.CounterExample;
return result.FormulaHolds;
}
/// <summary>
/// Initializes a new instance of the <see cref="UnaryFormula" /> class.
/// </summary>
/// <param name="operand">The operand of the unary formula.</param>
/// <param name="unaryOperator">The operator of the unary formula.</param>
internal UnaryFormula(Formula operand, UnaryOperator unaryOperator)
{
Requires.NotNull(operand, nameof(operand));
Requires.InRange(unaryOperator, nameof(unaryOperator));
Operand = operand;
Operator = unaryOperator;
}
private void Check(int value, Formula[] g)
{
x = value;
Check(g[0], () => x == 2);
Check(g[1], () => x == 3);
Check(_f[0], () => x == 3);
Check(F[0], () => x == 4);
Check(_i[0], () => x == 5);
}
/// <summary>
/// Initializes a new instance of the <see cref="BinaryFormula" /> class.
/// </summary>
/// <param name="leftOperand">The formula on the left-hand side of the binary operator.</param>
/// <param name="binaryOperator">The operator of the binary formula.</param>
/// <param name="rightOperand">The formula on the right-hand side of the binary operator.</param>
internal BinaryFormula(Formula leftOperand, BinaryOperator binaryOperator, Formula rightOperand)
{
Requires.NotNull(leftOperand, nameof(leftOperand));
Requires.InRange(binaryOperator, nameof(binaryOperator));
Requires.NotNull(rightOperand, nameof(rightOperand));
LeftOperand = leftOperand;
Operator = binaryOperator;
RightOperand = rightOperand;
}
/// <summary>
/// Initializes a new instance.
/// </summary>
/// <param name="model">The <see cref="Model" /> instance the safety analysis was conducted for.</param>
/// <param name="hazard">The hazard the analysis was conducated for.</param>
/// <param name="suppressedFaults">The faults whose activations have been completely suppressed during analysis.</param>
/// <param name="forcedFaults">The faults whose activations have been forced during analysis.</param>
/// <param name="heuristics">The heuristics that are used during the analysis.</param>
/// <param name="activationBehavior">The fault acitvation behavior used during the analysis.</param>
internal SafetyAnalysisResults(ModelBase model, Formula hazard, IEnumerable<Fault> suppressedFaults,
IEnumerable<Fault> forcedFaults, IEnumerable<IFaultSetHeuristic> heuristics,
FaultActivationBehavior activationBehavior)
{
Model = model;
Hazard = hazard;
SuppressedFaults = suppressedFaults;
ForcedFaults = forcedFaults;
Heuristics = heuristics.ToArray(); // make a copy so that later changes to the heuristics don't affect the results
FaultActivationBehavior = activationBehavior;
}
protected override void Check()
{
var g = new Formula[2];
g[0] = x == 2;
g[1] = x == 3;
_f[0] = x == 3;
F[0] = x == 4;
this[0] = x == 5;
Check(2, g);
CheckParams(2, x == 2, x == 3);
}
protected void Check(Formula actual, Formula expected)
{
var builder = new StringBuilder();
builder.AppendLine("Actual:");
builder.AppendLine(actual.ToString());
builder.AppendLine();
builder.AppendLine("Expected:");
builder.AppendLine(expected.ToString());
Output.Log("{0}", builder);
IsStructurallyEquivalent(actual, expected).ShouldBe(true);
}
protected bool CheckInvariant(Formula invariant, params IComponent[] components)
{
var modelChecker = CreateModelChecker();
if (Arguments.Length > 1 && (bool)Arguments[1])
{
var results = modelChecker.CheckInvariants(TestModel.InitializeModel(components), invariant);
CounterExample = results[0].CounterExample;
return results[0].FormulaHolds;
}
Result = modelChecker.CheckInvariant(TestModel.InitializeModel(components), invariant);
CounterExample = Result.CounterExample;
return Result.FormulaHolds;
}
/// <summary>
/// Checks whether the <paramref name="formula" /> holds in all states of the <paramref name="model" />.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="formula">The formula that should be checked.</param>
public AnalysisResult Check(ModelBase model, Formula formula)
{
Requires.NotNull(model, nameof(model));
Requires.NotNull(formula, nameof(formula));
var visitor = new IsLtlFormulaVisitor();
visitor.Visit(formula);
if (!visitor.IsLtlFormula)
throw new NotSupportedException("CTL model checking is currently not supported with LtsMin.");
var transformationVisitor = new LtsMinLtlTransformer();
transformationVisitor.Visit(new UnaryFormula(formula, UnaryOperator.Next));
return Check(model, formula, $"--ltl=\"{transformationVisitor.TransformedFormula}\"");
}
/// <summary>
/// Checks whether the <paramref name="invariant" /> holds in all states of the <paramref name="model" />.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="invariant">The invariant that should be checked.</param>
public AnalysisResult CheckInvariant(ModelBase model, Formula invariant)
{
Requires.NotNull(model, nameof(model));
Requires.NotNull(invariant, nameof(invariant));
var visitor = new IsStateFormulaVisitor();
visitor.Visit(invariant);
if (!visitor.IsStateFormula)
throw new InvalidOperationException("Invariants must be non-temporal state formulas.");
var transformationVisitor = new LtsMinLtlTransformer();
transformationVisitor.Visit(invariant);
return Check(model, invariant,
$"--invariant=\"({RuntimeModel.ConstructionStateName} == 1) || ({transformationVisitor.TransformedFormula})\"");
}
protected override void Check()
{
const int count = 31;
const int start = 2;
var c = new C { X = start };
var formulas = new Formula[count];
for (var i = 0; i < count; ++i)
{
var j = i;
formulas[i] = c.X != start + j;
}
var results = CheckInvariants(c, formulas);
for (var i = 0; i < count; ++i)
{
results[i].ShouldBe(false);
CounterExamples[i].ShouldNotBeNull();
CounterExamples[i].StepCount.ShouldBe(i + 1);
SimulateCounterExample(CounterExamples[i], simulator =>
{
c = (C)simulator.Model.Roots[0];
c.X.ShouldBe(start);
for (var j = start + 1; j < start + i; ++j)
{
simulator.SimulateStep();
c.X.ShouldBe(j);
simulator.IsCompleted.ShouldBe(false);
}
simulator.SimulateStep();
c.X.ShouldBe(start + i);
simulator.IsCompleted.ShouldBe(true);
});
}
}
protected SafetyAnalysisResults DccaWithMaxCardinality(ModelBase model, Formula hazard, int maxCardinality)
{
var analysis = new SafetyAnalysis
{
Backend = (SafetyAnalysisBackend)Arguments[0],
Configuration =
{
StateCapacity = 1 << 10,
TransitionCapacity = 1 << 12,
GenerateCounterExample = !SuppressCounterExampleGeneration
}
};
analysis.OutputWritten += message => Output.Log("{0}", message);
if (Heuristics != null)
analysis.Heuristics.AddRange(Heuristics);
var result = analysis.ComputeMinimalCriticalSets(model, hazard, maxCardinality);
Output.Log("{0}", result);
result.Model.ShouldBe(model);
return result;
}
protected SafetyAnalysisResults Dcca(ModelBase model, Formula hazard)
{
return DccaWithMaxCardinality(model, hazard, Int32.MaxValue);
}
/// <summary>
/// Initializes a new instance.
/// </summary>
/// <param name="formula">The formula that should be wrapped by this instance.</param>
internal CtlFormula(Formula formula)
{
Requires.NotNull(formula, () => formula);
Formula = formula;
}
protected OrderAnalysisResults AnalyzeOrder(Formula hazard, params IComponent[] components)
{
var configuration = AnalysisConfiguration.Default;
configuration.StateCapacity = 1 << 10;
configuration.TransitionCapacity = 1 << 12;
configuration.GenerateCounterExample = !SuppressCounterExampleGeneration;
configuration.ProgressReportsOnly = true;
var analysis = new OrderAnalysis(DccaWithMaxCardinality(hazard, Int32.MaxValue, components), configuration);
analysis.OutputWritten += message => Output.Log("{0}", message);
var result = analysis.ComputeOrderRelationships();
Output.Log("{0}", result);
return result;
}
public Properties()
{
f2 = x == 4;
}
/// <summary>
/// Returns a <see cref="Formula" /> that applies the equivalence operator to <paramref name="leftOperand" /> and
/// <paramref name="rightOperand" />.
/// </summary>
/// <param name="leftOperand">The value on the left-hand side that should be equivalent.</param>
/// <param name="rightOperand">The formula on the right-hand side that should be equivalent.</param>
public static Formula EquivalentTo(this bool leftOperand, Formula rightOperand)
{
return EquivalentTo(new StateFormula(() => leftOperand), rightOperand);
}
/// <summary>
/// Returns a <see cref="Formula" /> that applies the implication operator to <paramref name="leftOperand" /> (the antecedent)
/// and <paramref name="rightOperand" /> (the succedent).
/// </summary>
/// <param name="leftOperand">The value representing the antecedent of the implication.</param>
/// <param name="rightOperand">The formula representing the succedent of the implication.</param>
public static Formula Implies(this bool leftOperand, Formula rightOperand)
{
return Implies(new StateFormula(() => leftOperand), rightOperand);
}
protected SafetyAnalysisResults DccaWithMaxCardinality(Formula hazard, int maxCardinality, params IComponent[] components)
{
return DccaWithMaxCardinality(TestModel.InitializeModel(components), hazard, maxCardinality);
}
/// <summary>
/// Calculates the probability to reach a state where <paramref name="stateFormula" /> holds.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="stateFormula">The state formula which _must_ finally be true.</param>
public static ProbabilityRange CalculateProbabilityRangeToReachState(ModelBase model, Formula stateFormula)
{
var finallyStateFormula = new UnaryFormula(stateFormula, UnaryOperator.Finally);
return(CalculateProbabilityRangeOfFormula(model, finallyStateFormula));
}
/// <summary>
/// Checks whether the <paramref name="formula" /> holds in all states of the <paramref name="model" />.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="formula">The formula that should be checked.</param>
/// <param name="checkArgument">The argument passed to LtsMin that indicates which kind of check to perform.</param>
private AnalysisResult Check(ModelBase model, Formula formula, string checkArgument)
{
try
{
using (var modelFile = new TemporaryFile("ssharp"))
{
File.WriteAllBytes(modelFile.FilePath, RuntimeModelSerializer.Save(model, formula));
try
{
CreateProcess(modelFile.FilePath, checkArgument);
Run();
}
catch (Win32Exception e)
{
throw new InvalidOperationException(
"Failed to start LTSMin. Ensure that pins2lts-seq.exe can be found by either copying it next " +
"to the executing assembly or by adding it to the system path. The required cygwin dependencies " +
$"must also be available. The original error message was: {e.Message}", e);
}
var success = InterpretExitCode(_ltsMin.ExitCode);
return new AnalysisResult { FormulaHolds = success };
}
}
finally
{
_ltsMin = null;
}
}
/// <summary>
/// Calculates the probability of formula.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="formula">The state formula to be checked.</param>
/// <param name="terminateEarlyFormula">When terminateEarlyFormula is satisfied stop building the state space.</param>
/// <param name="bound">The maximal number of steps. If stateFormula is satisfied the first time any step later than bound, this probability does not count into the end result.</param>
public static ProbabilityRange CalculateProbabilityRangeOfFormulaBounded(ModelBase model, Formula formula, Formula terminateEarlyFormula, int bound)
{
ProbabilityRange probabilityRangeToReachState;
var createModel = SafetySharpRuntimeModel.CreateExecutedModelFromFormulasCreator(model);
var nmdpGenerator = new NmdpFromExecutableModelGenerator <SafetySharpRuntimeModel>(createModel)
{
Configuration = TraversalConfiguration
};
nmdpGenerator.AddFormulaToCheck(formula);
var nmdp = nmdpGenerator.GenerateMarkovDecisionProcess(terminateEarlyFormula);
if (_convertNmdpToMdp)
{
var nmdpToMpd = new NmdpToMdp(nmdp);
var mdp = nmdpToMpd.MarkovDecisionProcess;
using (var modelChecker = new BuiltinMdpModelChecker(mdp, System.Console.Out))
{
probabilityRangeToReachState = modelChecker.CalculateProbabilityRange(formula);
}
}
else
{
using (var modelChecker = new BuiltinNmdpModelChecker(nmdp, System.Console.Out))
{
probabilityRangeToReachState = modelChecker.CalculateProbabilityRange(formula);
}
}
return(probabilityRangeToReachState);
}
/// <summary>
/// Calculates the probability to reach a state whether <paramref name="stateFormula" /> holds.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="stateFormula">The state formula which _must_ finally be true.</param>
/// <param name="bound">The maximal number of steps. If stateFormula is satisfied the first time any step later than bound, this probability does not count into the end result.</param>
public static ProbabilityRange CalculateProbabilityRangeToReachStateBounded(ModelBase model, Formula stateFormula, int bound)
{
var formula = new BoundedUnaryFormula(stateFormula, UnaryOperator.Finally, bound);
return(CalculateProbabilityRangeOfFormulaBounded(model, formula, stateFormula, bound));
}
/// <summary>
/// Returns a <see cref="Formula" /> that applies the equivalence operator to <paramref name="leftOperand" /> and
/// <paramref name="rightOperand" />.
/// </summary>
/// <param name="leftOperand">The formula on the left-hand side that should be equivalent.</param>
/// <param name="rightOperand">The formula on the right-hand side that should be equivalent.</param>
public static Formula EquivalentTo(this Formula leftOperand, Formula rightOperand)
{
Requires.NotNull(leftOperand, nameof(leftOperand));
Requires.NotNull(rightOperand, nameof(rightOperand));
return new BinaryFormula(leftOperand, BinaryOperator.Equivalence, rightOperand);
}
/// <summary>
/// Checks whether the <paramref name="formula" /> holds in all states of the <paramref name="model" />. The appropriate model
/// checker is chosen automatically.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="formula">The formula that should be checked.</param>
public static AnalysisResult <SafetySharpRuntimeModel> Check(ModelBase model, Formula formula)
{
return(new LtsMin().Check(SafetySharpRuntimeModel.CreateExecutedModelCreator(model, formula), formula));
}
/// <summary>
/// Returns a <see cref="Formula" /> that applies the 'until' operator to <paramref name="leftOperand" /> and
/// <paramref name="rightOperand" /> for any path.
/// </summary>
/// <param name="leftOperand">The operand on the left-hand side of the 'until' operator.</param>
/// <param name="rightOperand">The operand on the right-hand side of the 'until' operator.</param>
public static Formula EU(Formula leftOperand, Formula rightOperand)
{
return E(U(leftOperand, rightOperand));
}
/// <summary>
/// Calculates the probability of formula.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="formula">The state formula to be checked.</param>
public static ProbabilityRange CalculateProbabilityRangeOfFormula(ModelBase model, Formula formula)
{
ProbabilityRange probabilityRangeToReachState;
var createModel = SafetySharpRuntimeModel.CreateExecutedModelFromFormulasCreator(model);
var ltmdpGenerator = new MarkovDecisionProcessFromExecutableModelGenerator <SafetySharpRuntimeModel>(createModel)
{
Configuration = TraversalConfiguration
};
ltmdpGenerator.AddFormulaToCheck(formula);
ltmdpGenerator.Configuration.SuccessorCapacity *= 8;
ltmdpGenerator.Configuration.UseCompactStateStorage = true;
var ltmdp = ltmdpGenerator.GenerateLabeledTransitionMarkovDecisionProcess();
using (var modelChecker = new ConfigurationDependentLtmdpModelChecker(ltmdpGenerator.Configuration, ltmdp, TraversalConfiguration.DefaultTraceOutput))
{
probabilityRangeToReachState = modelChecker.CalculateProbabilityRange(formula);
}
System.GC.Collect();
return(probabilityRangeToReachState);
}
/// <summary>
/// Calculates the probability to reach a state where <paramref name="stateFormula" /> holds.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="stateFormula">The state formula which _must_ finally be true.</param>
public static ProbabilityRange CalculateProbabilityRangeToReachState(ModelBase model, Formula stateFormula)
{
ProbabilityRange probabilityRangeToReachState;
var probabilityToReachStateFormula = new UnaryFormula(stateFormula, UnaryOperator.Finally);
var createModel = SafetySharpRuntimeModel.CreateExecutedModelFromFormulasCreator(model);
var nmdpGenerator = new NmdpFromExecutableModelGenerator <SafetySharpRuntimeModel>(createModel)
{
Configuration = TraversalConfiguration
};
nmdpGenerator.AddFormulaToCheck(probabilityToReachStateFormula);
nmdpGenerator.Configuration.SuccessorCapacity *= 8;
var nmdp = nmdpGenerator.GenerateMarkovDecisionProcess(stateFormula);
if (_convertNmdpToMdp)
{
var nmdpToMpd = new NmdpToMdp(nmdp);
var mdp = nmdpToMpd.MarkovDecisionProcess;
using (var modelChecker = new BuiltinMdpModelChecker(mdp, System.Console.Out))
{
probabilityRangeToReachState = modelChecker.CalculateProbabilityRange(probabilityToReachStateFormula);
}
}
else
{
using (var modelChecker = new BuiltinNmdpModelChecker(nmdp, System.Console.Out))
{
probabilityRangeToReachState = modelChecker.CalculateProbabilityRange(probabilityToReachStateFormula);
}
}
return(probabilityRangeToReachState);
}
protected SafetyAnalysisResults Dcca(Formula hazard, params IComponent[] components)
{
return DccaWithMaxCardinality(hazard, Int32.MaxValue, components);
}
/// <summary>
/// Calculates the probability of formula.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="formula">The state formula to be checked.</param>
/// <param name="terminateEarlyFormula">When terminateEarlyFormula is satisfied stop building the state space.</param>
/// <param name="bound">The maximal number of steps. If stateFormula is satisfied the first time any step later than bound, this probability does not count into the end result.</param>
public static Probability CalculateProbabilityOfFormulaBounded(ModelBase model, Formula formula, Formula terminateEarlyFormula, int bound)
{
Probability probability;
var createModel = SafetySharpRuntimeModel.CreateExecutedModelFromFormulasCreator(model);
var markovChainGenerator = new DtmcFromExecutableModelGenerator <SafetySharpRuntimeModel>(createModel)
{
Configuration = TraversalConfiguration
};
markovChainGenerator.Configuration.SuccessorCapacity *= 2;
markovChainGenerator.AddFormulaToCheck(formula);
var markovChain = markovChainGenerator.GenerateMarkovChain(terminateEarlyFormula);
using (var modelChecker = new BuiltinDtmcModelChecker(markovChain, System.Console.Out))
{
probability = modelChecker.CalculateProbability(formula);
}
return(probability);
}
/// <summary>
/// Checks whether the <paramref name="invariant" /> holds in all states of the <paramref name="model" />. The appropriate
/// model checker is chosen automatically.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="invariant">The invariant that should be checked.</param>
public static AnalysisResult <SafetySharpRuntimeModel> CheckInvariant(ModelBase model, Formula invariant)
{
var createModel = SafetySharpRuntimeModel.CreateExecutedModelCreator(model, invariant);
var qualitativeChecker = new QualitativeChecker <SafetySharpRuntimeModel> {
Configuration = TraversalConfiguration
};
return(qualitativeChecker.CheckInvariant(createModel, formulaIndex: 0));
}
/// <summary>
/// Calculates the probability to reach a state where <paramref name="stateFormula" /> holds and on its way
/// invariantFormula holds in every state, or more formally Pr[invariantFormula U stateFormula].
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="stateFormula">The state formula which _must_ finally be true.</param>
/// <param name="invariantFormula">The state formulas which must hold until stateFormula is satisfied.</param>
/// <param name="bound">The maximal number of steps. If stateFormula is satisfied the first time any step later than bound, this probability does not count into the end result.</param>
public static ProbabilityRange CalculateProbabilityRangeToReachStateBounded(ModelBase model, Formula stateFormula, Formula invariantFormula, int bound)
{
var formula = new BoundedBinaryFormula(invariantFormula, BinaryOperator.Until, stateFormula, bound);
return(CalculateProbabilityRangeOfFormulaBounded(model, formula, stateFormula, bound));
}
public C()
{
Invariant1 = _f != 3;
Invariant2 = _f != 4;
}
public C()
{
X = F != 2;
}
public C()
{
X = F == 3 || F == 5;
}
/// <summary>
/// Checks whether the <paramref name="invariant" /> holds in all states of the <paramref name="model" />. The appropriate
/// model checker is chosen automatically.
/// </summary>
/// <param name="model">The model that should be checked.</param>
/// <param name="invariant">The invariant that should be checked.</param>
public static SafetySharpInvariantAnalysisResult CheckInvariant(ModelBase model, Formula invariant)
{
var createModel = SafetySharpRuntimeModel.CreateExecutedModelCreator(model, invariant);
var qualitativeChecker = new QualitativeChecker <SafetySharpRuntimeModel>(createModel)
{
Configuration = TraversalConfiguration
};
var result = qualitativeChecker.CheckInvariant(formulaIndex: 0);
return(SafetySharpInvariantAnalysisResult.FromInvariantAnalysisResult(result, createModel));
}
