CSC 2108F : Automated Verification
Assignment 2
Due: Friday November 19, classtime
This assignment consists of three parts:
- Theoretical: specification of LTL properties of the controller of Assignment 1;
- "Practical": specification and verification of a model of a different controller
(an elevator); and
- "Fuzzy": answers to questions.
Part 1. LTL properties of Assignment 1 controller.
Rewrite the following properties in LTL:
- Initially, the north and south lights should be GREEN, the east
  light should be RED, and all turn arrows should be OFF.
- Each light must be in one and only one of the following states: RED,
  YELLOW, GREEN.
- Safe behavior in the evolution of the lights:
  - It is not possible that a light becomes RED right after being
    GREEN.
  - It is not possible that a light becomes YELLOW right after being
    RED.
  - It is not possible that a light becomes GREEN right after being
    YELLOW.
- Traffic safety:
  - East light: If the East light is not RED, then all other
    lights must be RED and the NW arrow must be OFF.
    The ES arrow is ON when the East light is GREEN.
    If the ES arrow is ON, southbound traffic must not be flowing.
  - South light: If the South light is not RED, then the
    East light must be RED and all turn arrows must be OFF.
    If the South light is RED, then either the East light is not RED,
    or the NW arrow is ON, or the NW arrow has just turned OFF.
  - North light: If the North light is RED, then either the South
    light is RED or the East light is not GREEN.
    If the North light is not RED, then the East light must be RED.
  - NW arrow: If the NW arrow is ON, then the South and East
    lights must be RED. If the NW arrow is OFF, then either the South
    light is GREEN, or the East light was GREEN, or the arrow has just
    turned OFF.
  - ES arrow: If the ES arrow is ON, then the South light must
    be RED. If the ES arrow is OFF, then the East light
    must not be GREEN.
  - North & South: It is not possible that any arrow is ON while
    the north and south traffic is flowing. It is possible that the North
    and South lights are GREEN simultaneously.
- Absence of starvation in any of the lights: if a sensor is tripped
  while the corresponding light is RED, the light will eventually
  become GREEN. Similarly for the arrows.
- Lights evolve from GREEN to YELLOW when cars are waiting
  on opposing sides of the intersection. Similarly for the arrows.
Note that the above list may be incomplete. If you can think of other properties
vital to the correct behavior of the controller, please add them
to this list.
You may want to use NuSMV to check these properties against your Assignment 1 model.
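The following translation of a few of the properties above is added here as a worked illustration; it is not part of the original handout. It assumes that the Assignment 1 model declares each light as an SMV variable named north, south or east ranging over {RED, YELLOW, GREEN}, the arrows as nw_arrow and es_arrow ranging over {ON, OFF}, and a Boolean input north_sensor; the handout itself fixes none of these names.

An LTL formula with no temporal operator is evaluated in the initial state only, which is exactly what the first property asks for:

$$north = GREEN \land south = GREEN \land east = RED \land nw\_arrow = OFF \land es\_arrow = OFF$$

The "one and only one state" property holds by construction for an enumerated SMV variable; it is only a meaningful check if a light is modelled as three separate Booleans (red, yellow, green), in which case it is a global invariant:

$$\mathbf{G}\,\big((red \lor yellow \lor green) \land \neg(red \land yellow) \land \neg(red \land green) \land \neg(yellow \land green)\big)$$

"Right after" is the next-state operator X, placed under G because the rule applies at every step:

$$\mathbf{G}\,\big(north = GREEN \rightarrow \mathbf{X}\,(north \neq RED)\big)$$

Absence of starvation is a response property, F under G:

$$\mathbf{G}\,\big((north\_sensor \land north = RED) \rightarrow \mathbf{F}\,(north = GREEN)\big)$$

"It has just turned OFF" refers to the previous state. NuSMV's LTL includes the past-time operator Y ("previously"), so the South-light property can be written as

$$\mathbf{G}\,\big(south = RED \rightarrow (east \neq RED \lor nw\_arrow = ON \lor (nw\_arrow = OFF \land \mathbf{Y}\,(nw\_arrow = ON)))\big)$$

Spin's LTL has no past operators, so in Part 2 a property of this shape needs an auxiliary variable that the model itself updates when the arrow (or door) changes state.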
Part 2. Controlling Elevators.
You are to specify and verify the behavior of a controller for
an elevator system for an apartment building.
The system consists of two elevators that service 4 floors of
the building.
Each floor has a request button that a
user presses to get the elevator to come to that floor and open its
doors. Inside the elevator, there is one request button for
each of the 4 floors; passengers press these buttons to get the
elevator to go to a particular floor and open its doors.
Each elevator takes one "time unit" to travel between adjacent floors n and n-1.
If there are no requests to service, each elevator stays at a
floor with its doors open. As passengers press buttons, the controller
schedules elevators to service the requests, trying to minimize
the waiting time. If a button is pressed on a floor (as opposed
to inside the elevator), only one elevator will be scheduled to
service it. Each elevator has a "passenger present" detector and
a "door open" button.
When someone steps into the elevator, the doors should close
and remain closed unless the "door open" button
is pressed. However, a user should not be able to keep the doors open indefinitely if the
elevator has other requests to service.
As passengers leave the elevator, the "passenger present"
detector is reset.
You will specify the behavior of your elevator system using Promela.
Make sure you model the environment (passengers pressing buttons, entering and
leaving the elevator) correctly.
The following properties need to be re-written as
LTL formulae and/or using Promela's assert statements:
- Requests to use the elevator are eventually serviced.
- Requests to be delivered to a particular floor are eventually serviced.
- The elevator never moves with its doors open.
- Two elevators are never scheduled to service the same floor,
unless the request came from within the elevator.
- Doors will close after someone enters an elevator unless
the "door open" button is pressed.
- The elevator will not react to the "door open" button if there are other
requests to be serviced.
Note that some of the properties can only be expressed in LTL. Identify which ones.
Think of and add at least two more LTL properties (not equivalent to
the ones presented above) that are vital to the correct operation
of your elevator system.
Using the SPIN model checker, verify that your specification
satisfies all of these properties.
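The single-elevator model below is added here as an illustration of how such a specification is organised; it is not the assignment's solution and not code from the course. It keeps one elevator and four floors and leaves out the second elevator, the "passenger present" detector and the "door open" button; every identifier in it (req, pos, doors_open, moving, up, the claim names) is this example's own choice. It shows the split between an environment process and the controller, a global invariant checked with assert from a monitor process, the same invariant restated as an ltl claim, and a liveness property that only LTL can express, which is the distinction the note above asks you to identify.

```promela
/* Added example, not the assignment's solution: one elevator, four
 * floors, a SCAN-style scheduler, and the two kinds of property the
 * assignment asks for (assert vs. ltl).  All names are this example's
 * own assumptions. */
#define N 4

bool req[N];               /* a request is pending for floor i          */
byte pos = 0;              /* current floor, 0 .. N-1                    */
bool doors_open = true;    /* an idle elevator rests with its doors open */
bool moving = false;       /* true only while stepping between floors    */
bool up = true;            /* current sweep direction                    */

/* Propositions used in the ltl claims.  Spin runs cpp over the model,
 * so these macros expand inside the ltl blocks (and with spin -f). */
#define above ((pos < 1 && req[1]) || (pos < 2 && req[2]) || (pos < 3 && req[3]))
#define below ((pos > 0 && req[0]) || (pos > 1 && req[1]) || (pos > 2 && req[2]))
#define req2  (req[2])
#define at2   (pos == 2 && doors_open)

/* Environment: passengers may press any button at any time.  Pressing
 * the button of the floor where the elevator stands with open doors is
 * modelled as having no effect (the doors are already open). */
active proctype Environment() {
  do
  :: !req[0] && !(pos == 0 && doors_open) -> req[0] = true
  :: !req[1] && !(pos == 1 && doors_open) -> req[1] = true
  :: !req[2] && !(pos == 2 && doors_open) -> req[2] = true
  :: !req[3] && !(pos == 3 && doors_open) -> req[3] = true
  od
}

/* Controller: one iteration serves the current floor if requested and
 * then takes one step towards the remaining requests.  Writing the two
 * actions in sequence rather than as competing do-options is what rules
 * out the schedule "reopen the doors on this floor forever". */
active proctype Controller() {
  do
  :: true ->
     if
     :: req[pos] -> doors_open = true; req[pos] = false
     :: else -> skip
     fi;
     if
     :: above || below ->
        if                                 /* SCAN: reverse only when  */
        :: up  && !above -> up = false     /* nothing is ahead         */
        :: !up && !below -> up = true
        :: else -> skip
        fi;
        doors_open = false;                /* shut the doors first     */
        moving = true;
        if
        :: up   -> pos++
        :: else -> pos--
        fi;
        moving = false
     :: else -> skip
     fi
  od
}

/* Safety as an assert: a monitor process lets Spin test the invariant
 * in every reachable interleaving, not just at one point of the code. */
active proctype Monitor() {
  do
  :: assert(!(moving && doors_open))
  od
}

/* The same safety property stated in LTL. */
ltl no_move_open { [] (moving -> !doors_open) }

/* Liveness: a pending request for floor 2 is eventually served.  No
 * assert can say "eventually"; this needs LTL.  It also needs weak
 * fairness (pan -f): without it Spin reports a cycle in which only the
 * Monitor process runs and the Controller never gets a turn. */
ltl served2 { [] (req2 -> <> at2) }
```

To check the assert and no_move_open as safety properties, run spin -a elevator.pml, compile with gcc -o pan pan.c, and run ./pan. To check served2, compile with gcc -DNFAIR=3 -o pan pan.c (NFAIR must cover the three processes) and run ./pan -a -f -N served2; -a searches for acceptance cycles, -f turns on weak fairness, and -N selects the claim. Two Spin "catches" are visible here: a property with "right after" would need the X operator, which pan only accepts when compiled with -DNXT, and Spin has no past-time operators, so "it has just turned OFF" must be recorded in an extra variable by the model itself.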
Part 3. General questions.
Please answer the following questions:
- Which modeling language (SMV or Promela) is easier and more natural
to use? Which features of the language make it so?
- Describe your experience using SPIN vs SMV. What types of problems
can be associated with verification using these two systems?
- Please describe any "catches" of Promela/SPIN that you have discovered.
A "catch" is something that
will prevent successful refinement of the model into a working program.
Presentation
You may work by yourself or in groups of 2.
Warning: It will take you much
longer to complete the assignment if you work on your own.
E-mail me a copy of your group's Promela specification, including
all of the LTL formulae and asserts you were able
to verify.
Bring to class (to hand in) one hardcopy of your group's Promela
specification.
Please indicate on your assignment the members of your group, the account
in which your group's assignment resides, and the name of the file(s)
containing your assignment.
I would like to have some group present their specification
of the elevators on November 15. If you are interested in
presenting, please let me know.
People who are not taking the course for credit are still required to
participate in the assignment. The goal of this course is to gain practical
experience with specification and verification tools, and you can achieve
this goal only by doing the assignments.
Finally, if you discover any typos or other problems with the assignment,
please bring them to my attention.
Final note: If you are having problems
with the assignment, PLEASE SEE ME!
chechik@cs.toronto.edu