Automated Reasoning 2nd Coursework Elaine Murphy Oct 30th Elaine - - PowerPoint PPT Presentation

Automated Reasoning 2nd Coursework

Elaine Murphy Oct 30th

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

1

Information

Demonstrator: Elaine Murphy s0094243@sms.ed.ac.uk Lab sessions: AT level 5 South lab. Mon 14.10 - 15.00 Wed 16.10 - 17.00 Submission Deadline: 4pm Fri 23rd Nov

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

2

Objectives

• Correct

the Promela model (in file WestEnd), particularly proctype cycleLights() − cycleLights() sets the boolean array variable travelling from[Road1].going to[Road2] in stages. − travelling from[Road1].going to[Road2]=GREEN means that the traffic light for cars travelling from Road1 to Road 2 is GREEN

• Write the never claims used for verifying that the model satisfies all the

restrictions.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

3

Assumptions

• Only model the main traffic signals for cars (not pedestrians) going from one

road to another.

• Before beginning a new stage, all lights are RED
• The intersection is big enough for two or more routes to be GREEN at the

same time (under certain restrictions).

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

4

Road Restrictions

R1: No U-turns are permitted at the intersection. R2: Rutland Street is a one way road where traffic can only travel in the direction away from the intersection. R3: Queensferry Street traffic can not turn onto: − Princes Street − Shandwick Place − Lothian Road

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

5

− Rutland Street. R4: Hope Street traffic can not turn onto: − Princes Street − Queensferry Street − Lothian Road − Rutland Street R5: Shandwick Place traffic can not turn onto Rutland Street.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

6

Verifying No U-Turns

• Let’s look at how we can verify that the model satisfies R1
• One

way to make sure that the model has no runs satisfying <>greenForUTurns where greenForUTurns is defined to be: travelling from[LOTHIAN ROAD].going to[LOTHIAN ROAD] = GREEN || travelling from[PRINCES STREET].going to[PRINCES STREET] = GREEN|| ... And so enumerate through all possible u-turns.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

7

• A never claim for the above forbidden property can be generated using spin

spin -f ’<>greenForUTurns’

• An alternative method

− create a new process (call it setupTraffic) which non-deterministically chooses a road; − mark as active (to start it running with the model) − write a never claim which ensures that the chosen road satisfies the property − verifier reports errors if setupTraffic can choose a road which violates the property.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

8

• Never claim for <>greenForUTurns.

#define greenForUTurns (travelling_from[PRINCES_STREET].going_to[PRINCES_STREET]==GREEN || travelling_from[LOTHIAN_ROAD].going_to[LOTHIAN_ROAD]==GREEN || travelling_from[RUTLAND_STREET].going_to[RUTLAND_STREET]==GREEN || travelling_from[SHANDWICK_PLACE].going_to[SHANDWICK_PLACE]==GREEN || travelling_from[QUEENSFERRY_STREET].going_to[QUEENSFERRY_STREET]==GREEN || travelling_from[HOPE_STREET].going_to[HOPE_STREET]==GREEN ) never { /* <>greenForUTurns */ TO_init: if :: greenForUTurns -> goto accept_all :: (1) -> goto TO_init fi; accept_all: skip } Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

9

• Non-deterministically choosing a road:

inline setRoadRandomly(x){ if :: true -> x=PRINCES_STREET; :: true -> x=LOTHIAN_ROAD; :: true -> x=RUTLAND_STREET; :: true -> x=SHANDWICK_PLACE; :: true -> x=QUEENSFERRY_STREET; :: true -> x=HOPE_STREET fi;} Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

10

• An Alternative Method

int randomRoad; active proctype setupTraffic() { setRoadRandomly(randomRoad); setupTrafficDone = true } #define roadHasGreenLightForUTurn (travelling_from[randomRoad].going_to[randomRoad] == GREEN) never { /* <> roadHasGreenLightForUTurn */ TO_init: if :: ((roadHasGreenLightForUTurn)) -> goto accept_all :: (1) -> goto TO_init fi; accept_all: skip } Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

11

• Using the latter method, no need to enumerate all possible cases when

specifiying properties in LTL.

• But can be slow: new active process means number of states multiplies.
• More generally a route can be randomly chosen

typedef Route {int from, to;} inline setRouteRanomly(x) { atomic { setRoadRandomly(x.from); setRoadRandomly(x.to); } } Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

12

• This can then be used as follows:

Route someRoute; active proctype setupTraffic() { setRouteRandomly(someRoute); setupTrafficDone = true; waitForSetupDone(); printRoute(TRAFFIC_INFO_CHECKING, someRoute);} mtype = {TRAFFIC_ERROR_U_TURN_ALLOWED}; #define uTurnHasGreenLight ((someRoute.from == someRoute.to) && LIGHT_FOR_ROUTE(someRoute)==GREEN)) never { /* <> uTurnHasGreenLight */ waitForSetupDone(); do :: uTurnHasGreenLight -> break; :: else -> skip

• d;

printRoute(TRAFFIC_ERROR_U_TURN_ALLOWED, someRoute); } Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

13

Task 1

Task 1: Use NeverUTurns to check that the WestEnd model does not permit u-turns. If errors are found, make necessary corrections in the model. Helpful commands

spin -a -N NeverUTurns WestEnd #Build the verifier for the model using the never claim in NeverUTurns cc -o pan pan.c #Compile the verifier ./pan -e #Find all error trails ./pan -r1|grep TRAFFIC #Simulate error trail 1, filter the

• utput (display lines beginning

with TRAFFIC) Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

14

Task 2

Task2: Write a never claim and an LTL formula in the template file RutlandOneWay and use it to check whether the model satisfies R2. Make appropriate corrections if errors are found. Note: LTL formula should specify the forbidden behaviour You may use NeverUTurns as an example. Introduce new identifiers if appropriate Note: Write the LTL formula used as a comment in the file. You don’t need to expand the #define identifier used in the formula, the definition for it should have been declared somewhere in the file.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

15

Tasks 3 and 4

Task 3: Write a never claim and an LTL formula in file NeverDisallowed, and use it to check whether the model satisfies R3, R4 and R5. Make appropriate corrections to the model if errors are found. Task 4: Write a never claim and an LTL formula in the template file NeverMerge and use it to check whether the model ensures that traffic from different roads do not travel to the same road.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

16

Tasks 5 and 6

Task 5: Write a never claim and LTL formula in the file NeverCrash and use it to check whether the model ensures that two flows of traffic may not cross each other. Make corrections if errors are found. − For example this would happen if traffic from Lothian Road could travel to Queensferry Street at the same time as traffic from Shandwick Place was travelling to Princes Street. Task 6: Write a never claim and LTL formula in the file Liveness and use to check whether the model gives all permitted routes a green light at some stage

• f the cycle. Make corrections if errors are found.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

17

Guidelines to Part 2

For UG4, try to answer each of these questions (in a few paragraphs)

• 1. What were the difficulties and/or weaknesses of using Spin?
• 2. What were its strengths (if any)?
• 3. Do you think the West End intersection could be formalised and verified using

Isabelle? If so, in your opinion would it have been easier or harder than using Spin? Why?

• 4. And, if so, how would do the formalisation in Isabelle (a brief sketch)?

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

18

For MSc, imagine you have been hired by the City Council. You have produced a Promela model of the traffic lights at the West End that meets their

• specification. Write a report to them:
• 1. Argue that they can safely go live with the produced model;
• 2. Give due considerations for potential objections;
• 3. If more work is needed to attain sufficient confidence, describe the necessary

work and justify the cost (e.g time and money) of doing so. The purpose of the last two parts is to enable you to analyse and explain, not just the strengths fo the technique, but also the potential problems that might

• ccur and how they can be fixed.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th

19

Plan to write from 1 page to 2 pages. Only the content of you writing, not its formality as a report, will be assessed.

Elaine Murphy Automated Reasoning 2nd Coursework Oct 30th