CSC 2108S : Automated Verification
Assignment 1
Due: Wednesday February 10, classtime
You are to specify and verify the behavior of a traffic controller.
Part 1. Simple traffic controller.
Description of the problem. This specification describes the
controller for managing the traffic lights and turns at a particular intersection,
depicted in Figure 1. Traffic can move along this road going northbound
(N), southbound (S), and eastbound (E) (east to north or east to
south). In addition, northbound traffic can turn left, and southbound
traffic can turn right. There is a set of traffic lights controlling
all northbound, southbound, and eastbound lanes. There are no special
arrows for turns, and they can be made under the following conditions:
southbound and eastbound traffic can turn right regardless of the light,
as long as there are no cars. East to north and south to west
traffic can make their left turn if the corresponding light (E, N) is green
and there are no cars in the intersection.
Figure 1.
Inputs. Sensors under the roadway provide the only input
to the system. There are 3 sensors: one for all eastbound (E) lanes,
one for all southbound (S) lanes, and one for all northbound (N)
lanes. A sensor emits a signal only if at least one car is in
the corresponding lane. The rate at which sensors emit signals is
arbitrary (and should not be relevant to the correctness of the spec).
Sensor signals are indicated by the input signals Sensor_N, Sensor_E,
and Sensor_S. For example, the signal Sensor_N means that at least one
car is waiting in the north lane.
You may assume that all three inputs may be provided to your system
simultaneously. You may assume as well that it is possible that cars
can run past RED lights, i.e., a sensor can be ON with the corresponding
light RED and then be OFF before the light becomes GREEN.
Outputs. At every state change the system provides
several outputs. These outputs signify the state of every traffic
light. This state is indicated by the color of the light. For
example, if the southbound light is to be green in one time instant, the
system indicates this with the output S_GREEN at that time instant.
The system takes its inputs and produces outputs in the next state.
Then it halts, waiting for new inputs.
Specify the behavior of your traffic controller in the SMV input language.
Rewrite the following properties as CTL formulae and verify them using
SMV.
- Each light must be either RED, or YELLOW, or GREEN.
- Progression of lights is from GREEN to YELLOW to RED.
  I.e., it is not possible for a light to become RED right after being
  GREEN, YELLOW right after being RED, or GREEN right after being YELLOW.
- If any light becomes YELLOW, it must become RED one time
  unit after becoming YELLOW.
- If a sensor is tripped while the corresponding light is RED, the
  light will eventually become GREEN.
- Lights eventually evolve from GREEN to YELLOW when cars
  are waiting on opposite sides of the intersection.
In addition, specify properties to control traffic safety. For example,
- If the north light is RED then it must be the case that either
  the south light is RED or the east light is not GREEN.
  If the north light is not RED, then the east light must be RED.
Using the SMV model checker, verify that your specification satisfies the
above properties.
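As an added illustration (it is not part of the handout and not a complete solution), the NuSMV fragment below models only the north and east lights, leaves the three sensors as free inputs, and writes each property above as a CTL SPEC. The variable names, the request latches req_n/req_e and the alternation variable last are my own choices; the south light and the turns are left out. The latches matter because the handout allows a car to trip a sensor at RED and drive off before GREEN: a controller that looks only at the current sensor value has a counterexample to "tripped at RED implies eventually GREEN" in which the sensor is off at every later step.

```smv
-- Added illustration, not part of the handout: a two-light (north/east)
-- fragment in NuSMV 2.x syntax showing how the Part 1 properties become
-- CTL SPECs. The south light is omitted; all names here are my own choices.
MODULE main
VAR
  n_light  : {RED, YELLOW, GREEN};
  e_light  : {RED, YELLOW, GREEN};
  sensor_n : boolean;   -- free inputs: no ASSIGN, so SMV explores every sequence
  sensor_e : boolean;
  req_n    : boolean;   -- latched request: remembers a car seen at RED even
  req_e    : boolean;   -- if it later drives off (cars may run the light)
  last     : {N, E};    -- which direction had the green most recently
DEFINE
  want_n := req_n | sensor_n;
  want_e := req_e | sensor_e;
ASSIGN
  init(n_light) := GREEN;  init(e_light) := RED;
  init(req_n)   := FALSE;  init(req_e)   := FALSE;
  init(last)    := N;

  next(req_n) := case n_light = GREEN : FALSE;   -- served: clear the request
                      sensor_n        : TRUE;    -- latch a car seen at RED/YELLOW
                      TRUE            : req_n; esac;
  next(req_e) := case e_light = GREEN : FALSE;
                      sensor_e        : TRUE;
                      TRUE            : req_e; esac;

  next(n_light) := case
      n_light = GREEN & want_e : YELLOW;       -- yield to waiting eastbound cars
      n_light = YELLOW         : RED;          -- YELLOW lasts exactly one step
      n_light = RED & e_light = RED & want_n
        & !(want_e & last = N) : GREEN;        -- both waiting: the other side first
      TRUE                     : n_light;
    esac;
  next(e_light) := case
      e_light = GREEN & want_n : YELLOW;
      e_light = YELLOW         : RED;
      e_light = RED & n_light = RED & want_e
        & !(want_n & last = E) : GREEN;
      TRUE                     : e_light;
    esac;
  next(last) := case n_light = GREEN : N;
                     e_light = GREEN : E;
                     TRUE            : last; esac;

-- Part 1 properties as CTL, written for the north light; repeat for e_light.
SPEC AG (n_light = RED | n_light = YELLOW | n_light = GREEN);
SPEC AG (n_light = GREEN  -> AX (n_light != RED));
SPEC AG (n_light = RED    -> AX (n_light != YELLOW));
SPEC AG (n_light = YELLOW -> AX (n_light != GREEN));
SPEC AG (n_light = YELLOW -> AX (n_light = RED));
SPEC AG ((n_light = RED & sensor_n)   -> AF (n_light = GREEN));
SPEC AG ((n_light = GREEN & sensor_e) -> AF (n_light = YELLOW));
-- Safety: the two conflicting directions are never released at once.
SPEC AG (n_light != RED -> e_light = RED);
SPEC AG (e_light != RED -> n_light = RED);
```

Running NuSMV on the file reports each SPEC as true or prints a counterexample trace. The first SPEC is already guaranteed by the type declaration, so SMV proves it trivially; the two liveness SPECs are the ones worth experimenting with: drop the req_n/req_e latches (use only the sensors in want_n/want_e) or drop the last variable, re-run, and read the starvation traces the checker produces.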
Part II. More complex traffic controller.
Now, let's look at a more complex controller. This one includes turn
arrows and an extra sensor, indicating the presence of cars in the NW lane.
The intersection is depicted in Figure 2. The arrows are for
the north to west (NW) and the east to south (ES) turn lanes.
Now cars can turn east to south only if the arrow is green.
Figure 2
Inputs. The NW sensor is called Sensor_NW.
Outputs. Additional outputs indicate the state of each
turn arrow. For example, the NW_ARROW output indicates that
the north to west turn arrow is to be illuminated and the ES_ARROW
output indicates that the east to south turn arrow is to be illuminated.
Specify the behavior of your traffic controller in the SMV input language.
Rewrite the following (additional) properties as CTL formulae and verify
them using SMV.
- Initially, the north and south lights are GREEN, the east light
  is RED, and all turn arrows are off.
- If a sensor is tripped while the corresponding arrow is off, it will eventually
  be on.
- Arrows eventually evolve from off to on when cars are waiting on opposite
  sides of the intersection.
Specify reasonable traffic safety properties, e.g.
- If the south light is not RED, then the east light must be RED
  and all turn arrows must be off. If the south light is RED,
  then either the east light is not RED or the NW arrow is on or has just
  turned off.
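The phrase "has just turned off" in the last property refers to the previous state, which CTL cannot see directly. As an added illustration (my own, not part of the handout), the fragment below shows the standard way to handle this in SMV: a one-step history variable that copies the arrow's value. The arrow is left as a free input here so the pattern can be checked on its own; in a full Part II model the controller drives nw_arrow, and the names are my own choices.

```smv
-- Added illustration, not part of the handout: encoding "the NW arrow is on
-- or has just turned off" with a one-step history variable (NuSMV 2.x syntax).
MODULE main
VAR
  nw_arrow     : boolean;   -- the NW_ARROW output; unconstrained in this fragment
  was_nw_arrow : boolean;   -- the value nw_arrow had in the previous state
ASSIGN
  init(nw_arrow)     := FALSE;   -- arrows are off initially
  init(was_nw_arrow) := FALSE;
  next(was_nw_arrow) := nw_arrow;  -- copy the current value into the history
DEFINE
  nw_just_off := was_nw_arrow & !nw_arrow;

-- "Initially the arrow is off": a SPEC without AG is checked on the initial
-- states only, which is exactly what the first Part II property asks for.
SPEC !nw_arrow;
-- Sanity checks on the history variable: switching the arrow off always
-- passes through exactly one "just off" step.
SPEC AG (nw_arrow -> AX (nw_arrow | nw_just_off));
SPEC AG (nw_just_off -> AX (!nw_just_off));
```

With s_light and e_light from the controller added to this module, the handout's safety property becomes AG (s_light = RED -> (e_light != RED | nw_arrow | nw_just_off)). The arrow liveness properties (sensor tripped while the arrow is off implies the arrow is eventually on) need the controller itself and, since a car may leave the NW lane before the arrow lights, a latched request in the same way as for the lights.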
Presentation. You may work by yourself or in groups of 2. Warning:
it will take you much longer to complete the assignment if you work on
your own.
You must complete the project before class time on February 10 because
we will discuss the assignment in class. E-mail me a working copy
of the SMV specification (part 1 and 2 separately) including all of the
CTL formulae you attempted to verify. Bring to class (to hand in) one hardcopy
of your group's SMV specification for each part. Please indicate on your
assignment the members of your group.
I am looking for one group to volunteer to present their specifications
in class on Feb. 10. If you are interested in presenting, let me
know. I am looking for a 15-minute presentation of each specification.
People who are not taking the course for credit are still required to
participate in the assignment. The goal of this course is to gain practical
experience with specification and verification tools, and you can achieve
this goal only by doing the assignments.
Finally, if you discover any typos or other problems with the assignment,
please bring them to my attention.
chechik@cs.toronto.edu