CSC 2108S: Automated Verification

Assignment 4

Due: Wednesday, April 7, classtime

The purpose of this assignment is to gain experience in using theorem-proving for verification of system specifications.

You are to specify and verify two abstract data types for a traffic controller. First, write axioms for the data types and run LSL to check them for consistency and generate proof obligations for LP. Then run LP to prove that your spec is correct. We are looking at the first traffic controller of Assignment 1, the one without arrows.

Submit your model (carefully documented), a list of properties you generated and a list of properties LSL generated, if any. Also, submit scripts of all proofs you've done for these properties and answers to the questions at the end of the assignment. Submit your model and your properties electronically.

Light Datatype

One datatype specifies the behavior of a light. There are operations for creating an initial light (which is red), for changing the states of the light (i.e., making it red, yellow or green), and for querying the current state of the light. The syntax and informal semantics of the data type operations follow:

/* creates a new, red, light */
NewLight: -> Light
/* changes the state of the light to Color (color is one of red, yellow, green) */
ChangeColor: Light, Color -> Light
/* no operation - the light stays in the same state */
NOP: Light -> Light
/* returns the value of the light */
WhichLight: Light -> {red, yellow, green}

Sensor Queue Datatype

The second datatype defines a queue of sensors. There can be up to three sensors in the queue. The operations include creating the queue, which is empty, adding elements to the queue, deleting elements from the queue, and querying the current state of the queue. The syntax and informal semantics of the data type operations follow:

/* creates a new, empty, queue */
NewQueue: -> Queue
/* adds a sensor to the queue. Sensor consists of N, E, S. */
/* repeated elements are not added to the queue */ Enqueue: Queue, Sensor -> Queue
/* removes a top sensor from the queue */
Dequeue: Queue -> Queue
/* no operation - the queue stays in the same state */
NOP: Queue -> Queue
/* returns the top of the queue */
Top: Queue -> Signal
/* returns the size of the queue */
Size: Queue -> Natural
/* flushes the entire queue */
Flush: Queue -> Queue
/* checks if a given sensor is in the queue */ In: Queue, Sensor -> Boolean

You are to write axioms for the above abstract data types. You may use existing Larch specifications for Boolean, Natural number and Enumerated (if one exists) data types. You are to use the Larch Prover to verify the following properties:

  1. WhichLight(NOP(Change(l,c))) == c
  2. Change(l,red) == NewLight
  3. Top(NOP(Enqueue(NewQueue,s))) == s
  4. Dequeue(Enqueue(NewQueue,s)) == NewQueue
  5. Dequeue(Enqueue(Enqueue(NewQueue, s), s')) == Enqueue(NewQueue, s')
  6. Size(Enqueue(q,s)) == (3 | (Size(q) + 1))
  7. Size(Flash(q)) == 0
  8. Size(Dequeue(q)) == (0 | Size(q) - 1)
  9. (0 <= Size(q)) & (Size(q) <= 3)
  10. Flash(q) == NewQueue
  11. In(q,s) => In(Enqueue(q,s'),s)
In addition, define and prove at least three more properties of the above datatypes. Here, q is an arbitrary queue, s,s' are arbitrary signals, l is an arbitrary light, and c is an arbitrary color.

Additional questions

If you are interested in presenting your specification, please let me know.


Marsha Chechik