CSC 2108F : Automated Verification
Assignment 2
Due: Wednesday November 1, classtime
In this assignment you will create an asynchronous controller for your
favourite elevators in Promela and verify them using SPIN. Note that there
is no notion of time in Promela. Thus, if you want to model time, you will
need to define a variable which you increment YOURSELF! Note also that
you need to verify LTL formulas one at a time, unlike in SMV.
Part I
You are to specify and verify the behavior of a controller for an elevator
system for an apartment building. The system consists of two elevators
that service 4 (3 if you are unable to verify this with 4) floors of the
building. Each floor has a request button that a user presses to get the
elevator to come to that floor and open its doors. Inside the elevator,
there is one request button for each of the 4 floors; passengers press
these buttons to get the elevator to go to a particular floor and open
its doors. Each elevator takes one time unit to go between floors n
and n-1. If there are no requests to service, each elevator stays
at a floor with its doors open. As passengers press buttons, the controller
schedules elevators to service the requests, trying to minimize the waiting
time. If a button is pressed on a floor (as opposed to inside the elevator),
only one elevator will be scheduled to service it. Each elevator has a "passenger
present" detector and a "door open" button. When someone steps into the
elevator, the doors should close within one time unit and remain closed
unless the "door open" button is pressed. Since we do not want the passenger
to keep doors open, the elevator can react to the "door open" button at
most twice. As passengers leave the elevator, the "passenger present" detector
is reset.
You will specify the behavior of your elevator system using Promela.
Make sure you model the environment correctly. The following properties
need to be re-written as LTL formulae and/or using Promela's assert
statements.
- Requests to use the elevator are eventually serviced.
- Requests to be delivered to a particular floor are eventually serviced.
- The elevator never moves with its doors open.
- Two elevators are never scheduled to service the same floor, unless the
request came from within the elevator.
- Doors will close after someone enters an elevator unless the "door open"
button is pressed.
- The elevator will not react to the "door open" button indefinitely, if there
are other requests to be serviced.
Note that some of the properties can only be expressed in LTL. Identify
which ones.
Express and verify at least two more properties (not equivalent to the
ones presented above) that are vital to the correct operation of your elevator
system. One should be expressible as an assert, and another as an LTL formula.
Using the SPIN model checker, verify that your specification satisfies
all of these properties.
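As an added illustration that is not part of the handout, the fragment below shows the two caveats from the introduction in a toy single-elevator model: a clock variable that the model increments itself (Promela has no built-in time), and the "never moves with its doors open" property checked both as an inline assert and as a named LTL claim that is verified in its own run. The process names, the three-floor layout and the variable names are my own choices, not a required solution.

```promela
/* Added illustration, not part of the assignment handout: one elevator,
   a hand-maintained clock, and one property checked two ways.
   Floor count, process and variable names are my own choices. */
#define FLOORS 3

byte clock = 0;          /* Promela has no time: we increment this ourselves */
byte floor = 0;          /* current floor, 0 .. FLOORS-1 */
byte target = 0;         /* floor requested via the cabin buttons */
bool door_open = true;   /* an idle elevator waits with its doors open */
bool moving = false;

/* Passenger: nondeterministically presses one of the cabin buttons. */
active proctype passenger() {
    do
    :: atomic { target = 0 }
    :: atomic { target = 1 }
    :: atomic { target = FLOORS - 1 }
    od
}

/* Elevator: closes doors, moves one floor per time unit, reopens on arrival.
   The assert is the inline form of the property; it fires on any trace
   where a move step is taken with the doors open. */
active proctype elevator() {
    do
    :: (target != floor) ->
        door_open = false;
        moving = true;
        do
        :: (floor < target) -> assert(!door_open); floor++; clock++
        :: (floor > target) -> assert(!door_open); floor--; clock++
        :: (floor == target) -> break
        od;
        moving = false;
        door_open = true
    :: else -> clock++      /* idle: time still passes */
    od
}

/* The same property as an LTL claim; verified separately from any other
   claim, one formula per run:
   spin -a model.pml && gcc -o pan pan.c && ./pan -a -N no_open_move */
ltl no_open_move { [] (moving -> !door_open) }
```

Because `clock` is a byte it wraps at 255, which keeps the state space finite but also means any timing property must be phrased in terms of differences over short windows rather than absolute clock values.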
Part II. General questions.
Please answer the following questions:
- Which of the following pairs of LTL formulas are equivalent? For the equivalent
formulas, show the equivalence. For those that are not, exhibit a model
of one of the pair that is not a model of the other.
  - [] (p & q) and [] p & [] q
  - [] (p | q) and [] p | [] q
  - o (p U q) and (p U o q) | q
  - assert p (as a Promela command) and [] p
- Can the entire LTL be specified using only o (next) and U (until)?
If so, show how <> and [] can be specified in terms of o and U.
The following questions are aimed to capture your experience with the Promela/SPIN
systems.
- Which modeling language (SMV or Promela) is easier and more natural to
use? Which features of the language make it so?
- Describe your experience using SPIN vs SMV. What problems did you encounter
while using these systems? If you have used several SMV implementations,
please comment on the relative qualities of each.
- Please describe any "catches" of Promela/SPIN that you have discovered.
A "catch" is something that will prevent successful refinement of the model
into a working program. Please describe them.
Presentation
You may work by yourself or in groups of 2.
Warning: It will take you much longer to complete the assignment if you work on
your own.
E-mail me a copy of your group's Promela specification, including all
of the LTL formulae and asserts you were able to verify. Also
indicate how long verification of each formula took and compare with your
SMV experience. Bring to class (to hand in) one hardcopy of your group's
Promela specification. Please indicate on your assignment the members of
your group.
I would like to have some group present their specification of the elevators
on November 1. If you are interested in presenting, please let me know.
People who are not taking the course for credit are still required to
participate in the assignment. The goal of this course is to gain practical
experience with specification and verification tools, and you can achieve
this goal only by doing the assignments.
Finally, if you discover any typos or other problems with the assignment,
please bring them to my attention.
Final note: If you are having problems with the assignment, PLEASE SEE ME!
chechik@cs.toronto.edu