Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Example: traffic light controller Guarantee no collisions Guarantee eventual service E S N.

Published byNoel Benson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Example: traffic light controller Guarantee no collisions Guarantee eventual service E S N."— Presentation transcript:

1 1 Example: traffic light controller Guarantee no collisions Guarantee eventual service E S N

2 2 Specifications in temporal logic Safety (no collisions) G ~(E_Go & (N_Go | S_Go)); Liveness G (~N_Go & N_Sense -> F N_Go); G (~S_Go & S_Sense -> F S_Go); G (~E_Go & E_Sense -> F E_Go); Fairness constraints GF ~(N_Go & N_Sense); GF ~(S_Go & S_Sense); GF ~(E_Go & E_Sense); /* assume each sensor off infinitely often */

3 3 Controller program module main(N_SENSE,S_SENSE,E_SENSE,N_GO,S_GO,E_GO); input N_SENSE, S_SENSE, E_SENSE; output N_GO, S_GO, E_GO; reg NS_LOCK, EW_LOCK, N_REQ, S_REQ, E_REQ; /* set request bits when sense is high */ always begin if (!N_REQ & N_SENSE) N_REQ = 1; end always begin if (!S_REQ & S_SENSE) S_REQ = 1; end always begin if (!E_REQ & E_SENSE) E_REQ = 1; end

4 4 Example continued... /* controller for North light */ always begin if (N_REQ) begin wait (!EW_LOCK); NS_LOCK = 1; N_GO = 1; wait (!N_SENSE); if (!S_GO) NS_LOCK = 0; N_GO = 0; N_REQ = 0; end /* South light is similar... */

5 5 Example code, cont… /* Controller for East light */ always begin if (E_REQ) begin EW_LOCK = 1; wait (!NS_LOCK); E_GO = 1; wait (!E_SENSE); EW_LOCK = 0; E_GO = 0; E_REQ = 0; end

6 6 Counterexample East and North lights on at same time... E_Go E_Sense NS_Lock N_Go N_Req N_Sense S_Go S_Req S_Sense E_Req N light goes on at same time S light goes off. S takes priority and resets NS_Lock N light goes on at same time S light goes off. S takes priority and resets NS_Lock

7 7 Fixing the error Don’t allow N light to go on while south light is going off. always begin if (N_REQ) begin wait (!EW_LOCK & !(S_GO & !S_SENSE)); NS_LOCK = 1; N_GO = 1; wait (!N_SENSE); if (!S_GO) NS_LOCK = 0; N_GO = 0; N_REQ = 0; end

8 8 Another counterexample North traffic is never served... E_Go E_Sense NS_Lock N_Go N_Req N_Sense S_Go S_Req S_Sense E_ReqN and S lights go off at same time Neither resets lock Last state repeats forever

9 9 Fixing the liveness error When N light goes off, test whether S light is also going off, and if so reset lock. always begin if (N_REQ) begin wait (!EW_LOCK & !(S_GO & !S_SENSE)); NS_LOCK = 1; N_GO = 1; wait (!N_SENSE); if (!S_GO | !S_SENSE) NS_LOCK = 0; N_GO = 0; N_REQ = 0; end

10 10 All properties verified Guarantee no collisions Guarantee service assuming fairness Computational resources used: –57 states searched –0.1 CPU seconds

11 11 Summary Basic specification and verification techniques –Temporal logic model checking –Finite automata –Symbolic simulation Application at different levels –Local property verification –Abstract model verification –Local refinement verification Benefits –Find design errors (negative results) –Make assumptions explicit –Systematically rule out classes of design errors

Download ppt "1 Example: traffic light controller Guarantee no collisions Guarantee eventual service E S N."

Similar presentations

Part II Concepts.

Part II Concepts.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Model Checking and Testing combined

Model Checking and Testing combined
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Introduction to SMV Part 2

Introduction to SMV Part 2
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Traffic light contoller using FSM

Traffic light contoller using FSM
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
FSM Revisit Synchronous sequential circuit can be drawn like below  These are called FSMs  Super-important in digital circuit design FSM is composed.

FSM Revisit Synchronous sequential circuit can be drawn like below  These are called FSMs  Super-important in digital circuit design FSM is composed.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2) Hao Zheng U of South Florida.

Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, – ) Hao Zheng U of South Florida.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Multiple Shooting, CEGAR-based Falsification for Hybrid Systems

Multiple Shooting, CEGAR-based Falsification for Hybrid Systems
Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.

Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.

Similar presentations

Ads by Google