CSC 2108S : Automated Verification
Assignment 2
Due: Wednesday March 3, classtime
You are to specify and verify the behavior of a traffic controller described
in Part 2 of Assignment 1. Specify the behavior of the system in
PROMELA,
making sure that the lights are represented by at least two asynchronous
processes.
Rewrite the following properties in LTL or using PROMELA's assert statements:
- Initially, the north and south lights should be GREEN, the east light should be RED, and all turn arrows should be off.
- Each light must be in one and only one of the following states: RED, YELLOW, GREEN.
- Safe behavior in the evolution of the lights:
  - It is not possible that a light becomes RED right after being GREEN.
  - It is not possible that a light becomes YELLOW right after being RED.
  - It is not possible that a light becomes GREEN right after being YELLOW.
- Traffic safety:
  - East lights: If the East light is not RED, then all other lights must be RED and the NW arrow must be OFF. The SE arrow is ON when the East light is GREEN. If the ES arrow is ON, the southbound traffic must not be circulating.
  - South light: If the South light is not RED, then the East light must be RED and all turn arrows must be OFF. If the South light is RED, then either the East light is not RED, or the NW arrow is ON or it just turned OFF.
  - North light: If the North light is RED, then it must be the case that either the South light is RED or the East light is not GREEN. If the North light is not RED, then the East light must be RED.
  - NW arrow: If the NW arrow is ON, then the South and East lights must be RED. If the NW arrow is not present, then either the South light was not GREEN, or the East light was not GREEN or just turned OFF.
  - ES arrow: If the ES arrow is ON, then the South light must be RED. If the ES arrow is OFF, then the East light must not be GREEN.
  - North & South: It is possible that any arrow is ON while the north and south traffic is flowing. It is possible that the North and South lights are GREEN simultaneously.
- Absence of starvation in any of the lights. If a sensor is tripped while the corresponding light is RED, the light will eventually become GREEN. Similarly for the arrows.
- Lights evolve from GREEN to YELLOW when cars are waiting on opposing sides of the intersection. Similarly with arrows.
Note that the above list may be incomplete. If you can think of other properties
vital to the correct behavior of the controller, please add them
to this list.
Using the SPIN model checker, verify that your specification satisfies
the above properties.
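As an added illustration (not part of the assignment text or of any solution), one light modelled as an asynchronous PROMELA process, with the first "safe behavior" property written both as an inline assert in a monitor process and as an LTL claim; the variable names east and east_prev, the process names and the claim name are assumptions.

```promela
/* Added example, not part of the assignment: one light as an asynchronous
   process, and the property "a light never becomes RED right after GREEN"
   written two ways. Names (east, east_prev, EastLight, Monitor) are assumed. */
mtype = { RED, YELLOW, GREEN };

mtype east      = RED;   /* current colour of the (assumed) East light   */
mtype east_prev = RED;   /* colour before the last change, for the assert */

/* The light cycles RED -> GREEN -> YELLOW -> RED; each change is one
   atomic step so east_prev and east are always a consistent pair. */
active proctype EastLight() {
  do
  :: atomic { east == RED    -> east_prev = east; east = GREEN  }
  :: atomic { east == GREEN  -> east_prev = east; east = YELLOW }
  :: atomic { east == YELLOW -> east_prev = east; east = RED    }
  od
}

/* Version 1: an assert checked in every reachable interleaving.
   It fails if the light ever goes directly from GREEN to RED. */
active proctype Monitor() {
  do
  :: assert(!(east_prev == GREEN && east == RED))
  od
}

/* Version 2: the same property as an LTL claim (SPIN 6 inline syntax):
   whenever the light is GREEN, in the next step it is not RED.
   Because the formula uses X, compile the verifier with -DNOREDUCE,
   since partial-order reduction is not sound for next-time formulas:
     spin -a model.pml
     gcc -DNOREDUCE -o pan pan.c
     ./pan -a -N no_green_to_red                                          */
ltl no_green_to_red { [] (east == GREEN -> X (east != RED)) }
```

The assert form needs the extra east_prev variable to remember history, while the LTL form expresses the same step relation directly; the assignment's last general question asks which properties cannot be captured by asserts at all.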
General Questions:
- Which modeling language (SMV or Promela) is easier and more natural to use? Which features of the language make it so?
- How does the performance of SMV compare with the performance of SPIN? What about the number of states?
- Some of the above properties can only be expressed in LTL. Which ones? Please explain why.
Presentation
You may work by yourself or in groups of 2.
Warning: It will take you much longer to complete the assignment if you work on your own.
You must complete the project before class time on March 3 because we
will discuss the assignment in class. E-mail me a working copy of
the Promela specification including all of the LTL formulae and asserts
you attempted to verify. Bring to class (to hand in) one hardcopy of your
group's Promela specification and answers to questions. Please make
sure that your submission includes names of the group members.
I am looking for one group to volunteer to present their specifications
in class on the due date. If you are interested in presenting, let
me know. I am looking for a 15-minute presentation.
People who are not taking the course for credit are still required to
participate in the assignment. The goal of this course is to gain practical
experience with specification and verification tools, and you can achieve
this goal only by doing the assignments.
Finally, if you discover any typos or other problems with the assignment,
please bring them to my attention.
chechik@cs.toronto.edu