CSC 2108F : Automated Verification

Assignment 4, part II

Due: Wednesday December 5, classtime. Note: the assignment is fairly lengthy, so start early!

In this part you will create an asynchronous controller for your favorite elevators in Promela and verify it using SPIN. Note that there is no notion of time in Promela: if you want to model time, you will need to define a variable which you increment YOURSELF. Note also that you need to verify LTL formulas one at a time, unlike in SMV. There is also no built-in notion of environment, so you need to create your own model of the environment (typically as one or more Promela processes that nondeterministically generate inputs).

You are to specify and verify the behavior of a controller for an elevator system for an apartment building. The system consists of an elevator that services 3 floors of the building and a controller that communicates with the elevator (using message passing rather than shared variables) and schedules its moves. Each floor has a request button that a user presses to get the elevator to come to that floor and open its doors. Inside the elevator, there is one request button for each of the 3 floors; passengers press these buttons to get the elevator to go to a particular floor and open its doors. To go from floor i to floor k, the elevator must visit every floor in between (i+1 through k-1 when going up), although it does not have to open its doors there. If there are no requests to service, the elevator stays at a floor with its doors open. The elevator has a "passenger present" detector and a "door open" button. When someone steps into the elevator, the doors should close and remain closed unless the "door open" button is pressed. Since we do not want the passenger to keep the doors open indefinitely, the elevator can react to the "door open" button at most twice. As passengers leave the elevator, the "passenger present" detector is reset.

You will specify the behavior of your elevator system using Promela. Make sure you model the environment correctly. The following properties need to be re-written as LTL formulae and/or using Promela's assert statements.

Express and verify at least two more properties (not equivalent to the ones presented above) that are vital to the correct operation of your elevator system. One should be expressible as an assert, and another as an LTL formula.
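As an added illustration (this is not part of the handout and not a reference solution), the following Promela model shows one way to split the system into an environment process, a controller and an elevator that talk only over channels, with a hand-maintained time counter, an assert-style property inside the elevator process and an LTL property stated separately. The process split, the message names, the "serve any pending request, one floor per command" scheduling policy, the reading of the "door open" limit as "twice per stop", and the SPIN 6 inline `ltl` syntax are all assumptions made for this example.

```promela
/* Added example, not from the assignment handout. Assumed: three processes
   (Env, Controller, Elevator), rendezvous channels, SPIN 6 `ltl` syntax. */

#define FLOORS 3
#define pending(f) (hall_req[f] || cabin_req[f])

mtype = { up, down, open_doors, close_doors, moved, opened, closed };

chan cmd = [0] of { mtype };        /* Controller -> Elevator commands      */
chan ack = [0] of { mtype, byte };  /* Elevator -> Controller: event, floor */

bool hall_req[FLOORS];    /* request button on each floor               */
bool cabin_req[FLOORS];   /* destination buttons inside the cabin       */
bool passenger = false;   /* "passenger present" detector               */
bool open_btn = false;    /* "door open" button, sticky until handled   */
byte pos = 0;             /* cabin position, written only by Elevator   */
bool doors_open = true;   /* idle with doors open, as the spec requires */
bool moving = false;      /* true while the cabin is between floors     */
byte reopens = 0;         /* "door open" presses honoured at this stop  */
byte clock = 0;           /* explicit time: one tick per floor moved    */

/* Environment: users press buttons and step in or out, nondeterministically.
   Requests are only ever cleared by the Controller. */
active proctype Env() {
  do
  :: hall_req[0] = true
  :: hall_req[1] = true
  :: hall_req[2] = true
  :: cabin_req[0] = true
  :: cabin_req[1] = true
  :: cabin_req[2] = true
  :: doors_open && !passenger -> passenger = true   /* someone steps in        */
  :: doors_open &&  passenger -> passenger = false  /* passengers leave; reset */
  :: passenger -> open_btn = true                   /* tries to hold the doors */
  od
}

/* Elevator: executes commands and reports back; it decides nothing itself.
   The asserts are the "assert-expressible" property: the cabin never moves
   with the doors open or beyond the bottom/top floor. */
active proctype Elevator() {
  do
  :: cmd ? up   -> assert(!doors_open && pos < FLOORS - 1);
                   moving = true; clock = (clock + 1) % 16; pos++;
                   moving = false; ack ! moved, pos
  :: cmd ? down -> assert(!doors_open && pos > 0);
                   moving = true; clock = (clock + 1) % 16; pos--;
                   moving = false; ack ! moved, pos
  :: cmd ? open_doors  -> doors_open = true;  ack ! opened, pos
  :: cmd ? close_doors -> doors_open = false; ack ! closed, pos
  od
}

/* Controller: owns the door policy and the schedule. The cabin is moved one
   floor per command, so every intermediate floor is visited and re-checked. */
active proctype Controller() {
  byte target;
  do
  :: doors_open && passenger ->                    /* someone stepped in: close */
       cmd ! close_doors; ack ? closed, _
  :: !doors_open && open_btn ->                    /* "door open" pressed */
       open_btn = false;
       if
       :: reopens < 2 -> reopens++;
            cmd ! open_doors;  ack ? opened, _;
            cmd ! close_doors; ack ? closed, _
       :: else -> skip                             /* third press is ignored */
       fi
  :: pending(pos) ->                               /* request for this floor */
       if
       :: !doors_open -> cmd ! open_doors; ack ? opened, _; reopens = 0
       :: else -> skip
       fi;
       hall_req[pos] = false; cabin_req[pos] = false
  :: !open_btn && !pending(pos) &&
     (pending(0) || pending(1) || pending(2)) ->   /* request elsewhere */
       if                                          /* any pending floor != pos */
       :: pending(0) && pos != 0 -> target = 0
       :: pending(1) && pos != 1 -> target = 1
       :: pending(2) && pos != 2 -> target = 2
       fi;
       if
       :: doors_open -> cmd ! close_doors; ack ? closed, _
       :: else -> skip
       fi;
       if
       :: target > pos -> cmd ! up;   ack ? moved, _
       :: else         -> cmd ! down; ack ? moved, _
       fi
  od
}

/* LTL property, verified on its own: the cabin is never in motion with the
   doors open. Run:  spin -a elev.pml && gcc -o pan pan.c && ./pan -a -N doors_shut_while_moving */
ltl doors_shut_while_moving { [] (moving -> !doors_open) }
```

A few points worth noticing when adapting this. The choice of `target` is left nondeterministic on purpose, so that SPIN explores every scheduling decision rather than one fixed policy; the asserts in `Elevator` are checked during the same `pan` run as the LTL claim. The `clock` counter is the kind of hand-maintained time variable mentioned above; it is wrapped modulo 16 only to keep the state space small. Because `Env` can press buttons forever, a liveness property such as "every request is eventually served" will typically produce a counterexample against this environment even under weak fairness (`./pan -a -f`); constraining the environment or adding fairness assumptions to the formula is exactly the kind of thing to report in the Environment and Vacuity sections of the write-up.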

Using the SPIN model checker, verify that your specification satisfies all of these properties.


Presentation

You may work by yourself or in groups of 2.

E-mail to Shiva a copy of your group's Promela specification, including all of the LTL formulae and asserts you were able to verify. For each of the verification runs, include SPIN's report. Also indicate how long verification of each formula took and compare with your SMV experience. Bring to class (to hand in) one hardcopy of your group's Promela specification. Please indicate on your assignment the members of your group.

As in assignment 2, part 1, include a short write-up describing your design using SPIN. Your write-up should contain the following sections:

  • Problem Statement: Describe any additional requirements you considered in the design of your elevator system.
  • Environment: Describe your environment variables as well as the way you implemented the environment.
  • Design: Describe your design, e.g., the processes, the way these processes work and communicate, the type and format of messages communicated between these processes, etc.
  • Properties: Describe the correctness properties both in English and in LTL.
  • Vacuity: Describe what you did for vacuity checking.
  • Running Spin: Report on the amount of memory and time needed for verification of your elevator model.
  • Comparison with SMV: Briefly compare your SMV experiences with your Spin experiences, and discuss any problems you have encountered.
  • Appendix: Include Spin reports for all the properties.

I would like to have two groups present their specification of the elevators on December 5. If you are interested in presenting, please let me know.

Finally, if you discover any typos or other problems with the assignment, please bring them to my attention.

Final note: If you are having problems with the assignment, PLEASE SEE ME OR SHIVA!

chechik@cs.toronto.edu