CSC2108F : Automated Verification
Assignment 1
Due: Wednesday, October 11 (extended to Oct. 18), class time
Part I
You are to specify and verify the behavior of a simple elevator system.
The system consists of one elevator that services 2 floors of a very
short apartment building. Each floor has a request button that a
user presses to get the elevator to come to that floor and open its
doors. Inside the elevator, there is one request button for
each of the two floors; passengers press these buttons to get the
elevator to go to a particular floor and open its doors. If the
elevator moves between floors, it should do so within 1 time unit
(i.e., the elevator should not move for two consecutive states).
If the elevator's doors open, they should stay open for 1 time unit
(i.e., the doors should not stay open for two consecutive states).
You will specify the behavior of your elevator system in the SMV
input language. The following properties need to be re-written as
CTL formulae.
- Requests to use the elevator are eventually serviced.
- Requests to be delivered to a particular floor are eventually serviced.
- The elevator never moves with its doors open.
Using the NuSMV model checker, verify that your specification satisfies
the above properties.
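To make the Part I task concrete, here is an added example that is not part of the assignment and is not a NuSMV model: a small explicit-state CTL checker in Python (the standard labelling algorithm over the adequate set {EX, EU, EG}) run on one possible model of the two-floor elevator. The controller policy, the `served` latch that keeps a repeatedly pressed button from starving the other floor, and the merging of each floor's call button with the in-car button for that floor are this example's own assumptions; the three formulas for the required properties are the shape you would write as NuSMV CTLSPECs.

```python
# Added example: explicit-state CTL model checking of a two-floor elevator.
# Not the assignment's NuSMV model; the controller policy below is an assumption.
from itertools import product

def step(s):
    """Successors of s = (floor, door, served, req1, req2).
    served = doors have opened at this floor since the car last moved; it stops
    a button that is pressed again and again from starving the other floor."""
    floor, door, served, req1, req2 = s
    req = {1: req1, 2: req2}
    other = 3 - floor
    if door == 'open':                    # doors stay open for exactly one step
        nxt = (floor, 'closed', served, req1, req2)
    elif req[floor] and not served:       # serve the current floor first
        req[floor] = False
        nxt = (floor, 'open', True, req[1], req[2])
    elif req[other]:                      # moving takes one time unit
        nxt = (other, 'closed', False, req1, req2)
    elif req[floor]:                      # nothing else pending: reopen here
        req[floor] = False
        nxt = (floor, 'open', served, req[1], req[2])
    else:                                 # idle
        nxt = s
    f, d, sv, r1, r2 = nxt                # environment: any button may be pressed
    return {(f, d, sv, r1 or p1, r2 or p2)
            for p1, p2 in product((False, True), repeat=2)}

INIT = (1, 'closed', False, False, False)

def reachable(init):
    seen, todo = set(), [init]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(step(s))
    return seen

STATES = reachable(INIT)
ATOMS = {'at1': lambda s: s[0] == 1, 'at2': lambda s: s[0] == 2,
         'open': lambda s: s[1] == 'open',
         'req1': lambda s: s[3], 'req2': lambda s: s[4]}

def sat(phi):
    """Set of reachable states satisfying phi (formulas are nested tuples)."""
    op, *a = phi
    if op == 'true':  return set(STATES)
    if op == 'ap':    return {s for s in STATES if ATOMS[a[0]](s)}
    if op == 'not':   return STATES - sat(a[0])
    if op == 'and':   return sat(a[0]) & sat(a[1])
    if op == 'or':    return sat(a[0]) | sat(a[1])
    if op == 'imp':   return (STATES - sat(a[0])) | sat(a[1])
    if op == 'EX':
        f = sat(a[0])
        return {s for s in STATES if step(s) & f}
    if op == 'EU':                        # least fixpoint of  g | (f & EX z)
        f, z = sat(a[0]), sat(a[1])
        while True:
            new = z | {s for s in f if step(s) & z}
            if new == z:
                return z
            z = new
    if op == 'EG':                        # greatest fixpoint of  f & EX z
        z = sat(a[0])
        while True:
            new = {s for s in z if step(s) & z}
            if new == z:
                return z
            z = new
    # Remaining operators are rewritten into the adequate set.
    if op == 'AX': return sat(('not', ('EX', ('not', a[0]))))
    if op == 'EF': return sat(('EU', ('true',), a[0]))
    if op == 'AG': return sat(('not', ('EF', ('not', a[0]))))
    if op == 'AF': return sat(('not', ('EG', ('not', a[0]))))
    if op == 'AU':                        # A[f U g] = ~E[~g U (~f & ~g)] & ~EG ~g
        nf, ng = ('not', a[0]), ('not', a[1])
        return sat(('and', ('not', ('EU', ng, ('and', nf, ng))), ('not', ('EG', ng))))
    raise ValueError(op)

def holds(phi):
    """Does the initial state satisfy phi?"""
    return INIT in sat(phi)

def ap(x):
    return ('ap', x)

PROPS = {
    'requests for floor 1 are eventually serviced':
        ('AG', ('imp', ap('req1'), ('AF', ('and', ap('at1'), ap('open'))))),
    'requests for floor 2 are eventually serviced':
        ('AG', ('imp', ap('req2'), ('AF', ('and', ap('at2'), ap('open'))))),
    'never moves with doors open':
        ('AG', ('and', ('imp', ('and', ap('open'), ap('at1')), ('AX', ap('at1'))),
                       ('imp', ('and', ap('open'), ap('at2')), ('AX', ap('at2'))))),
    'doors stay open for exactly one time unit':
        ('AG', ('imp', ap('open'), ('AX', ('not', ap('open'))))),
}

if __name__ == '__main__':
    print(len(STATES), 'reachable states')
    for name, phi in PROPS.items():
        print(f'{holds(phi)!s:5}  {name}')
```

Run as a script it reports 22 reachable states and that every property in `PROPS` holds from the initial state. Two checks worth doing on your own model: dropping the `served` latch (serving the current floor whenever its button is pressed) makes both liveness properties fail, because the environment can keep one floor's button pressed forever, which shows the properties are not holding vacuously; and `AG AF (not open)` holds while `AG AF at1` does not (with no requests the car may idle at floor 2 forever), which is exactly the "infinitely often" reading of AG AF that Part III asks about.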
Part II
Better Elevator
Now we will specify a more complex elevator controller.
The system will consist of two elevators that service 4 floors of
the building. Each floor has a request button that a user
presses to get the elevator to come to that floor and open its
doors. Inside the elevator, there is one request button for
each of the 4 floors; passengers press these buttons to get the
elevator to go to a particular floor and open its doors.
Each elevator takes one "time unit" to go between floors n and n-1.
If there are no requests to service, each elevator stays at a
floor with its doors open. As passengers press buttons, the controller
schedules elevators to service the requests, trying to minimize
the waiting time. If a button is pressed on a floor (as opposed
to inside the elevator), only one elevator will be scheduled to
service it. Each elevator has a "passenger present" detector and
a "door open" button.
When someone steps into the elevator, the doors should close
and remain closed unless the "door open" button
is pressed. However, a user should not be able to keep the doors open indefinitely if the
elevator has other requests to service.
As passengers leave the elevator, the "passenger present"
detector is reset.
You will specify and verify the behavior of your elevator system using NuSMV.
Make sure you model the environment correctly and that your
properties do not hold vacuously (for example, a property of the form
AG (request -> AF serviced) holds trivially if your environment can
never raise the request).
The following properties need to be re-written in CTL:
- Requests to use the elevator are eventually serviced.
- Requests to be delivered to a particular floor are eventually serviced.
- The elevator never moves with its doors open.
- Two elevators are never scheduled to service the same floor,
unless the request came from within the elevator.
- Doors will close after someone enters an elevator unless
the "door open" button is pressed.
- The elevator will not react to the "door open" button if there are other
requests to be serviced.
Think of and add at least one more CTL property (not equivalent to
the ones presented above) that is vital to the correct operation
of your elevator system.
Using the NuSMV model checker, verify that your specification
satisfies all of these properties.
Part III (Theoretical)
- Solve the following problem:
Use the definition of |= between states and CTL formulas
to explain why s |= AG AF p means that p
is true infinitely often along every path starting at s.
- Formalize each of the following statements in CTL. You may
invent any boolean variables necessary to express atomic propositions.
- Both of those things may happen, but not at the same time.
- If that ever happens, it won't keep happening forever.
- When this situation happens, it may persist for a while, but not
forever, and it is always followed immediately by that situation.
- Whenever we get into that situation, we can get out of it.
- Whenever we get into that situation, we will get out of it.
- Which of the following pairs of CTL formulas are equivalent? For
those that are not, exhibit a model of one of the pair that is not
a model of the other.
- EF p and EG p
- AF ~p and ~EG p
- EF ~p and ~AF p
- A[p U A[q U r]] and A[A[p U q] U r]
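For the first problem above, the unfolding of the semantics that the argument turns on, written out here as an added worked derivation (it is not part of the assignment text). The notation is assumed: Paths(s) is the set of infinite paths starting at s, pi(i) the i-th state of pi, and pi^i the suffix of pi starting at pi(i).

```latex
\begin{aligned}
s \models AG\,\varphi &\iff \forall \pi \in Paths(s)\ \forall i \ge 0:\ \pi(i) \models \varphi \\
s \models AF\,\varphi &\iff \forall \pi \in Paths(s)\ \exists j \ge 0:\ \pi(j) \models \varphi \\[1ex]
s \models AG\,AF\,p
&\iff \forall \pi \in Paths(s)\ \forall i \ge 0:\ \pi(i) \models AF\,p \\
&\Rightarrow \forall \pi \in Paths(s)\ \forall i \ge 0\ \exists j \ge i:\ \pi(j) \models p
\qquad (\text{apply } AF \text{ to the suffix } \pi^i \in Paths(\pi(i)))
\end{aligned}
```

So along every path pi from s the set {j : pi(j) |= p} has no largest element, i.e. p holds infinitely often on pi. The converse also holds: if p holds infinitely often on every path from s, then for any pi in Paths(s), any i >= 0 and any rho in Paths(pi(i)), the path pi(0) ... pi(i-1) rho is in Paths(s), so p holds at some rho(k); hence pi(i) |= AF p for every i, hence s |= AG AF p.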
What to turn in
Parts I and II:
Turn in a listing of your (well-commented) models,
a list of properties for each part (each property should be annotated
in English), a state machine for your controllers, and results of
verification: how many states your system had, how long it took
to verify each property, which properties you verified, etc.
For each FAIRNESS condition you have in the model, include an
informal statement explaining why this condition is reasonable.
Of all properties you have verified, identify which properties
are safety properties and which are liveness properties. Also, e-mail me
the tar file containing the .smv files you wrote.
Part III:
Turn in hand-written (LEGIBLY!) solutions.
Presentation
You may work by yourself or in groups of two.
Warning: It will take you much
longer to complete the assignment if you work on your own.
You must complete the project before class time on October 11 because we
will discuss the assignment in class. We will need two groups to
volunteer to present their models of the elevator (Part I and Part II)
on October 11.
If you are interested
in presenting, let me know. I am looking for a 15-minute presentation
of each specification.
People who are not taking the course for credit are still required
to complete Parts I and II of the assignment. The goal of this course is to gain
practical experience with specification and verification tools, and
you can achieve this goal only by doing the assignments.
PLEASE SEE ME if you want to attempt to specify an elevator for a taller
building or if you want to attempt to specify a system that has more than two
elevators.