CSC 2108F : Automated Verification
Assignment 1
Due: Friday October 29, classtime
You are to specify and verify the behavior of a traffic controller.
Part I. Simple traffic controller.
Description of the problem. This specification describes the controller for managing the traffic lights and turns at a particular intersection, depicted in Figure 1. Traffic can move along this road going northbound (N), southbound (S), and eastbound (E) (east to north or east to south). In addition, northbound traffic can turn left, and southbound traffic can turn right. There is a set of traffic lights controlling all northbound, southbound, and eastbound lanes. There are no special arrows for turns, and turns can be made under the following conditions: southbound and eastbound traffic can turn right regardless of the light, as long as there are no cars. East to north and north to west traffic can make their left turn if the corresponding light (E, N) is green and there are no cars in the intersection.
Figure 1.
Inputs. Sensors under the roadway provide the only input to the system. There are 3 sensors: one for all eastbound (E) lanes, one for all southbound (S) lanes, and one for all northbound (N) lanes. A sensor emits a signal only if at least one car is in the corresponding lane. The rate at which sensors emit signals is arbitrary (and should not be relevant to the correctness of the spec). Sensor signals are indicated by the input signals Sensor_N, Sensor_E, and Sensor_S. For example, the signal Sensor_N means that at least one car is waiting in the north lane.
You may assume that all three inputs may be provided to your system simultaneously. You may also assume that cars can run past RED lights, i.e., a sensor can be ON while the corresponding light is RED and then be OFF before the light becomes GREEN.
Outputs. At every state change the system provides several outputs. These outputs signify the state of every traffic light, indicated by the color of the light. For example, if the southbound light is to be green at one time instant, the system indicates this with the output S_GREEN at that time instant. The system takes its inputs and produces outputs in the next state. Then it halts, waiting for new inputs.
Your task:
- Model the environment in the SMV input language. Ask yourself the following questions:
  - What inputs can the environment generate? (These can only come from the sensors!)
  - Which inputs can be generated simultaneously?
- Model the controller in the SMV input language.
  - Think of it as a synchronous system.
  - Model the state of the controller AND the outputs.
  - Think about which values the outputs should have in the next state of the system.
- Rewrite the following properties as CTL formulae and verify them using SMV.
  - Each light must be either RED, or YELLOW, or GREEN.
  - Progression of lights is from GREEN to YELLOW to RED. I.e., it is not possible for a light to become RED right after being GREEN, YELLOW right after being RED, or GREEN right after being YELLOW.
  - If any light becomes YELLOW, it must become RED one time unit after becoming YELLOW.
  - If a sensor is tripped while the corresponding light is RED, the light will eventually become GREEN.
  - Lights eventually evolve from GREEN to YELLOW when cars are waiting on opposite sides of the intersection.
- Create three additional properties yourself. Write them in English and in CTL. These properties should control traffic safety and should be different from the properties you have verified in the previous case. Here is one property I came up with:
  - If the north light is RED, then it must be the case that either the south light is RED or the east light is not GREEN. If the north light is not RED, then the east light must be RED.
Using the SMV model-checker, verify that your specification satisfies the above properties.
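As an added illustration (not part of the assignment and not its solution), here is a reduced Part I model in NuSMV syntax with only the north and east lights, showing how free sensor inputs, a synchronous controller and the listed properties can be written as SMV declarations and CTL SPECs; the south light and the turns are left out, and all identifiers (sensor_n, sensor_e, light_n, light_e) are assumptions.

```smv
-- Added example (not the assignment's solution); all names are assumptions.
MODULE main
VAR
  -- Environment: sensors have no next() assignment, so the model checker
  -- treats them as free inputs that may change arbitrarily, in any
  -- combination, at every step (this is how "cars run past RED" arises).
  sensor_n : boolean;
  sensor_e : boolean;
  -- Controller state doubles as the output: the colour of each light.
  light_n  : {RED, YELLOW, GREEN};
  light_e  : {RED, YELLOW, GREEN};
ASSIGN
  init(light_n) := GREEN;
  init(light_e) := RED;
  -- Synchronous controller: both lights update in the same step. A light
  -- leaves GREEN only when the opposing sensor is tripped, always goes
  -- YELLOW -> RED, and receives GREEN in the step the other light turns RED.
  next(light_n) :=
    case
      light_n = GREEN & sensor_e : YELLOW;
      light_n = YELLOW           : RED;
      light_e = YELLOW           : GREEN;
      TRUE                       : light_n;
    esac;
  next(light_e) :=
    case
      light_e = GREEN & sensor_n : YELLOW;
      light_e = YELLOW           : RED;
      light_n = YELLOW           : GREEN;
      TRUE                       : light_e;
    esac;

-- Each light is RED, YELLOW or GREEN (also enforced by the enumeration type).
SPEC AG (light_n = RED | light_n = YELLOW | light_n = GREEN)
-- Progression is GREEN -> YELLOW -> RED only.
SPEC AG ((light_n = GREEN  -> AX light_n != RED)
       & (light_n = RED    -> AX light_n != YELLOW)
       & (light_n = YELLOW -> AX light_n != GREEN))
-- YELLOW lasts exactly one time unit.
SPEC AG (light_n = YELLOW -> AX light_n = RED)
-- A sensor tripped at a RED light eventually gets GREEN.
SPEC AG ((sensor_e & light_e = RED) -> AF light_e = GREEN)
-- Waiting opposing traffic eventually takes the GREEN away.
SPEC AG ((light_n = GREEN & sensor_e) -> AF light_n = YELLOW)
-- Safety: the two conflicting lights are never both non-RED.
SPEC AG (light_n != RED -> light_e = RED)
```

Running NuSMV on this file reports each SPEC as true; the safety SPEC is the one to watch when you extend the model, since any controller rule that hands out GREEN without waiting for the other light's YELLOW step will produce a counterexample trace.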
Part II. A more complex traffic controller.
Now, let's look at a more complex controller. This one includes turn arrows and one extra sensor, indicating the presence of cars in the NW lane. The intersection is depicted in Figure 2. The arrows are for the north to west (NW) and the east to south (ES) turn lanes. Now cars can turn east to south only if the arrow is ON.
Figure 2
Inputs. The NW sensor is called Sensor_NW.
Outputs. Additional outputs indicate the state of each turn arrow. For example, the NW_ARROW output indicates that the north to west turn arrow is to be illuminated, and the ES_ARROW output indicates that the east to south turn arrow is to be illuminated.
Specify the behavior of your traffic controller in the SMV input language.
Rewrite the following (additional) properties as CTL formulae and verify them using SMV.
- Initially, the north and south lights are GREEN, the east light is RED, and all turn arrows are OFF.
- If a sensor is tripped while the corresponding arrow is OFF, the arrow will eventually be ON.
- Arrows eventually evolve from OFF to ON when cars are waiting on opposite sides of the intersection.
The system should also satisfy a number of traffic safety properties, e.g.
- If the south light is not RED, then the east light must be RED and all turn arrows must be OFF. If the south light is RED, then either the east light is not RED or the NW arrow is ON or has just been turned OFF.
You do not have to specify this property. However, come up with at least two additional traffic safety properties involving arrows (that is, ones you have not used in Part I of this assignment). Specify them in English and CTL. Verify them using SMV.
Hint: In this assignment it may be useful to think of the states of the system before you start coding it in SMV.
Presentation. You may work by yourself or in groups of 2. Warning: It will take you much longer to complete the assignment if you work on your own.
You must complete the project before class time on October 29 because we will discuss the assignment in class. E-mail me a working copy of the SMV specification (part 1 and 2 separately) including all of the CTL formulae you attempted to verify. Bring to class (to hand in) one hardcopy of your group's SMV specification for each part. Please indicate on your assignment the members of your group.
I am looking for one group to volunteer to present their specifications in class on October 29. If you are interested in presenting, let me know. I am looking for a 15-minute presentation of each specification.
People who are not taking the course for credit are still required to participate in the assignment. The goal of this course is to gain practical experience with specification and verification tools, and you can achieve this goal only by doing the assignments.
Finally, if you discover any typos or other problems with the assignment, please bring them to my attention.
Final note: If you are having problems with the assignment, PLEASE SEE ME!
chechik@cs.toronto.edu