University of York

Table of Contents
1.1 Introduction
1.2 First Chapter
1.3 Second Chapter
1.4 Third Chapter
1.5 Fourth Chapter
Introduction

This report documents the development of the autonomous version of the chemical detector. Chapter 1 presents the initial model of the autonomous chemical detector and identifies issues that hinder the verification of basic properties. Chapter 2 presents an updated version of the model that abstracts away some of the data types, which allows basic properties to be model checked and some mistakes to be identified. Chapter 3 further changes the model to establish the requirements below. Chapter 4 discusses an optimisation of the model based on removing local variables.

As a basis for verification, we define a few requirements for the autonomous chemical detector and encode them as CSP processes:

A) Basic Requirements

1) GasAnalysis is deterministic.
2) GasAnalysis is divergence free.
3) GasAnalysis should deadlock only on arrival of a stop event.
4) Movement is deterministic.
5) Movement is divergence free.
6) Movement should deadlock only on arrival of a flag event.
7) ChemicalDetector should deadlock only on termination of the individual controllers.

To check that deadlock occurs only in the special circumstances of requirements 3, 6 and 7, we consider a parallel composition. For instance, we check that ChemicalDetector in parallel with the special process flag -> DONE, where DONE = done -> DONE, is deadlock free: after the flag event the composition can always perform done, so a deadlock is reported only if it can occur before the flag.

    channel done
    DONE = done -> DONE
    assert ChemicalDetector_O [|{|flag|}|] flag -> DONE :[deadlock free]
B) Model Requirements
1) Every gas reading should lead to a command resume, stop or turn. The machine can terminate instead of receiving a gas reading.

    Spec1 =
      GasAnalysis_gas?x -> (
        |~| e:{|GasAnalysis_resume, GasAnalysis_stop, GasAnalysis_turn|} @ e -> Spec1
      )
      |~|
      SKIP
    assert Spec1 [FD= GasAnalysis

2) Every command to move the robot (resume, stop, turn) leads to a reaction by the robot before another command is issued.

    Spec2 = let
      Init = randomWalkCall -> randomWalkRet -> SKIP
      Reaction = |~| e:{|moveCall, moveRet, randomWalkCall, randomWalkRet, flag, obstacle, odometer|} @ e -> (Reaction |~| SKIP)
      T = (SKIP |~| (|~| e:{|Movement_resume, Movement_turn, Movement_stop|} @ e -> SKIP); Reaction; T)
    within
      Init ||| T
    assert Spec2 [FD= Movement_O

3) If there is no gas, the chemical detector does not terminate.

    NoGas = gas.<(0,0)> -> NoGas
    assert ChemicalDetector_O [|{|gas|}|] NoGas :[deadlock free]
Autonomous Chemical Detector 1

In order to support model checking, the tool instantiates core types such as nat as {0,1} and real as {-1,0,1}, but the model uses values such as -90, 90 and 180 in channels typed by real, which leads to errors in the model.

It is possible to edit the generated code to instantiate the types with a larger range of values that avoids this error. For example, real can be defined as {-90..180}. This change, however, leads to a state explosion, and, in order to avoid this problem, we abstract away these types using enumerations in the next chapter.
Model
Autonomous Chemical Detector 2

To avoid the problem found in the previous chapter, we abstracted the type of the values associated with turning the robot to an enumeration Angle containing four values. In this case, it is possible to check the requirements identified in the introduction.

Two requirements fail: A.5 and B.2. While A.5 is not a trivial problem to debug, the cause of B.2 is clearer. The reason two resume events can happen in sequence is that the operation randomWalk is called in the during action, which means the potential reaction to resume can immediately be interrupted by another resume event. This violation is due to missing timing information regarding the occurrence and processing of gas readings.

The failure of requirement A.5 shows that the machine Movement is not prepared to treat the commands resume, turn and stop in certain states. For example, while in the state Avoiding, the only acceptable command is turn, but turn is only produced by GasAnalysis if some gas is detected and its intensity is not above a threshold. If no gas is detected, or if the intensity is above the threshold, GasAnalysis sends a resume command or a stop command, neither of which Avoiding is prepared to treat. Furthermore, these events cannot be treated until a turn happens, which might never be possible. This can be solved by adding transitions to most states to allow the treatment of the events stop and resume.

In the next chapter, we add the missing transitions and re-analyse the model. Alternatively, it may be possible to prove that, given appropriate implementations of the functions analysis, location and angle, only the correct order of commands is produced.
Model
Analysis

| Requirement | Result |
|---|---|
| A.1 GasAnalysis deterministic | true |
| A.2 GasAnalysis divergence free | true |
| A.3 Movement deterministic | true |
| A.4 Movement divergence free | true |
| A.5 ChemicalDetector deadlocks after flag | false |
| B.1 Every gas reading leads to a command | true |
| B.2 Every command causes a reaction | false, resume can happen without a reaction |
| B.3 No gas, no deadlock | true |
Autonomous Chemical Detector 3

In this model, we add a number of extra transitions to the Movement state machine to avoid the deadlock scenarios identified in the previous chapter. In particular, states with a single transition guarded by turn need these extra transitions. After this change, the model satisfies all the requirements except B.2, which is caused by missing timing information in the model; this is beyond the scope of this report and is left as future work.
Model
Analysis
| Requirement | Result |
|---|---|
| A.1 GasAnalysis deterministic | true |
| A.2 GasAnalysis divergence free | true |
| A.3 Movement deterministic | true |
| A.4 Movement divergence free | true |
| A.5 ChemicalDetector deadlocks after flag | true |
| B.1 Every gas reading leads to a command | true |
| B.2 Every command causes a reaction | false |
| B.3 No gas, no deadlock | true |
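The deadlock check by parallel composition from the Introduction (`ChemicalDetector_O [|{|flag|}|] flag -> DONE :[deadlock free]`), the Avoiding deadlock explained in Chapter 2 and its fix in Chapter 3 can all be reproduced on a small explicit-state model. The following Python program is an added example, not part of the report and not its RoboChart or CSP model: the GasAnalysis and Movement machines in it are constructed toys whose states (Waiting, Going, Avoiding, Done) and events follow the chapter's description, and `parallel`, `find_deadlock` and `deadlock_before_flag` are this example's own helpers, not FDR functions.

```python
"""Explicit-state deadlock check for a parallel composition of small labelled
transition systems, in the spirit of FDR's `P [| A |] Q :[deadlock free]`.
All machines below are constructed toys, not the report's RoboChart models."""
from collections import deque

# A process is (initial_state, succ) where succ(state) lists (event, next_state).
def table_process(init, table):
    """Build a process from a dict: state -> {event: next_state}."""
    return init, lambda s: list(table[s].items())

def parallel(p, q, sync):
    """Generalised parallel P [| sync |] Q: events in `sync` need both sides to
    agree; every other event belongs to one side and interleaves."""
    (p0, psucc), (q0, qsucc) = p, q
    def succ(state):
        ps, qs = state
        pm, qm = psucc(ps), qsucc(qs)
        out = []
        for e, ps2 in pm:
            if e in sync:
                out += [(e, (ps2, qs2)) for e2, qs2 in qm if e2 == e]
            else:
                out.append((e, (ps2, qs)))
        out += [(e, (ps, qs2)) for e, qs2 in qm if e not in sync]
        return out
    return (p0, q0), succ

def find_deadlock(process):
    """Breadth-first search; returns the shortest trace to a state with no
    enabled event, or None when the process is deadlock free."""
    init, succ = process
    seen, queue = {init}, deque([(init, ())])
    while queue:
        state, trace = queue.popleft()
        moves = succ(state)
        if not moves:
            return list(trace)
        for e, nxt in moves:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (e,)))
    return None

# Toy GasAnalysis (constructed): each reading produces exactly one command.
GAS_ANALYSIS = ("Idle", {
    "Idle":       {"gas.none": "SendResume", "gas.low": "SendTurn", "gas.high": "SendStop"},
    "SendResume": {"resume": "Idle"},
    "SendTurn":   {"turn": "Idle"},
    "SendStop":   {"stop": "Idle"},
})

# Toy Movement as described in Chapter 2: Avoiding accepts only `turn`,
# and the machine stops for good after `flag`.
MOVEMENT_CH2 = ("Waiting", {
    "Waiting":  {"resume": "Going", "stop": "Waiting", "turn": "Waiting"},
    "Going":    {"stop": "Waiting", "turn": "Going", "obstacle": "Avoiding", "flag": "Done"},
    "Avoiding": {"turn": "Going"},
    "Done":     {},
})

# Toy Movement with the extra stop/resume transitions of Chapter 3.
MOVEMENT_CH3 = ("Waiting", {
    "Waiting":  {"resume": "Going", "stop": "Waiting", "turn": "Waiting"},
    "Going":    {"stop": "Waiting", "turn": "Going", "obstacle": "Avoiding", "flag": "Done"},
    "Avoiding": {"turn": "Going", "stop": "Waiting", "resume": "Avoiding"},
    "Done":     {},
})

# flag -> DONE, where DONE = done -> DONE (the report's wrapper process).
FLAG_DONE = ("F0", {"F0": {"flag": "F1"}, "F1": {"done": "F1"}})
COMMANDS = {"resume", "stop", "turn"}

def detector(movement):
    """ChemicalDetector stand-in: GasAnalysis and Movement synchronise on commands."""
    return parallel(table_process(*GAS_ANALYSIS), table_process(*movement), COMMANDS)

def deadlock_before_flag(movement):
    """Mirror of `assert ChemicalDetector_O [|{|flag|}|] flag -> DONE :[deadlock free]`:
    after `flag` the wrapper can always do `done`, so only a deadlock that happens
    before the flag is reported."""
    return find_deadlock(parallel(detector(movement), table_process(*FLAG_DONE), {"flag"}))

if __name__ == "__main__":
    print("Chapter 2 Movement:", deadlock_before_flag(MOVEMENT_CH2))   # trace ending in Avoiding
    print("Chapter 3 Movement:", deadlock_before_flag(MOVEMENT_CH3))   # None
    print("Chapter 3, no wrapper:", find_deadlock(detector(MOVEMENT_CH3)))  # deadlock after flag
```

With the Chapter 2 machine the search returns the trace gas.none, resume, gas.none, obstacle: GasAnalysis wants to send resume while Movement sits in Avoiding offering only turn, exactly the scenario the chapter describes. With the Chapter 3 machine the wrapped composition is deadlock free, while the same machine without the flag -> DONE wrapper still deadlocks after flag, which is the intended termination and the reason the wrapper is needed to express requirement A.5.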
Autonomous Chemical Detector: state variable removal

In this chapter, we describe a simple strategy to remove state variables under certain conditions. To illustrate this, we show the gas analysis state machine, in which the state machine variables a, i and st are used locally to improve the readability of the model. These variables can be removed to reduce the size of the state space generated by the model, which, depending on the types associated with these variables, can lead to a significant improvement in compilation and analysis times in FDR.

We have verified that the state machine GasAnalysis of this chapter and the one in Chapter 2 are equivalent. Furthermore, while the property check times[1] of the two versions of the state machine are similar (0.03s for Chapter 2 and 0.05s for Chapter 4), the compilation times are radically different. The state machine in Chapter 2 takes 12.55s to compile (before the check can be performed), while the state machine in Chapter 4 (without the redundant state variables) takes 0.54s to compile. This analysis was performed by instantiating primitive sets to contain only 3 values, and limiting the size of sequences to at most 2.

If we increase the maximum size of sequences to 3, the state machine in Chapter 2 no longer compiles, as the machine runs out of memory[2]. The machine in Chapter 4, on the other hand, manages to compile in 84.33s and to perform the property check in 0.03s.

This suggests that eliminating redundant state variables is an effective strategy, even when none of the eliminated variables individually causes state explosion. In our example, the main cause of the long compilation times is the variable gs (and the events communicating sequences), as indicated by the difference in compilation times caused by the increase in the maximum size of sequences. Nevertheless, the elimination of variables that only communicate values drawn from small sets (size 3) has a significant impact on the compilation phase.

[1] The compilation and verification statistics were obtained by running FDR4 on Manjaro Linux on a laptop with an Intel(R) Core(TM) [email protected].
[2] The compilation was aborted when memory usage increased beyond 30GB, because reaching 32GB crashes the system and requires a reboot.
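The effect described in this chapter, that state variables which are only live between one transition and the next still enlarge the state space when they are carried as part of every state, can be shown on a small explicit-state model. The Python program below is an added example and not the report's GasAnalysis machine: the readings, the `analyse` function, the `a` and `st` locals and the sizes (primitive sets of 3 values, sequences of at most 2 elements, as in the report's instantiation) are all constructed for illustration, and `reachable` and `traces` are this example's own helpers, not FDR functions. The second machine removes the locals by recomputing `a` from `gs` and keeping `st` only in the state where it is read, and a bounded trace comparison plays the role of the equivalence check the report performs in FDR.

```python
"""Effect of carrying dead local variables in the state of an explicit-state model.
Constructed toy GasAnalysis-like machine (not the report's RoboChart model):
`gs` is the essential state (the last readings), while `a` and `st` are only
needed between a reading and the command it triggers."""
INTENSITIES = (0, 1, 2)        # a primitive set instantiated with 3 values
LOCATIONS = ("left", "right")  # constructed: which side the reading came from
MAX_SEQ = 2                    # sequences limited to at most 2 elements

def analyse(gs):
    """Constructed analysis: classify the strongest recent reading."""
    m = max(gs)
    return "none" if m == 0 else "low" if m == 1 else "high"

def command(a, st):
    """Command for an analysis result; the turn direction comes from the location."""
    return {"none": "resume", "high": "stop"}.get(a, f"turn.{st}")

def push(gs, i):
    """Append a reading, keeping only the last MAX_SEQ elements."""
    return (gs + (i,))[-MAX_SEQ:]

def machine_with_locals():
    """State = (control, gs, a, st). `a` and `st` are set when a reading arrives
    and read once in Decide, but their stale values stay part of the Wait state."""
    init = ("Wait", (), None, None)
    def succ(state):
        ctl, gs, a, st = state
        if ctl == "Wait":
            return [(f"gas.{i}.{loc}", ("Decide", push(gs, i), analyse(push(gs, i)), loc))
                    for i in INTENSITIES for loc in LOCATIONS]
        return [(command(a, st), ("Wait", gs, a, st))]
    return init, succ

def machine_without_locals():
    """Same behaviour with the locals removed: `a` is recomputed from `gs`, and
    `st` is kept only in the Decide state where it is live, so Wait = (control, gs)."""
    init = ("Wait", ())
    def succ(state):
        if state[0] == "Wait":
            _, gs = state
            return [(f"gas.{i}.{loc}", ("Decide", push(gs, i), loc))
                    for i in INTENSITIES for loc in LOCATIONS]
        _, gs, loc = state
        return [(command(analyse(gs), loc), ("Wait", gs))]
    return init, succ

def reachable(process):
    """Set of states reachable from the initial state (depth-first)."""
    init, succ = process
    seen, stack = {init}, [init]
    while stack:
        for _, nxt in succ(stack.pop()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def traces(process, depth):
    """All traces of length <= depth; equal trace sets mean the two machines are
    trace equivalent up to that depth (the report checks equivalence in FDR)."""
    init, succ = process
    out, frontier = {()}, {(): {init}}
    for _ in range(depth):
        nxt = {}
        for tr, states in frontier.items():
            for s in states:
                for e, s2 in succ(s):
                    nxt.setdefault(tr + (e,), set()).add(s2)
        out.update(nxt)
        frontier = nxt
    return out

if __name__ == "__main__":
    print("states with locals:   ", len(reachable(machine_with_locals())))     # 49
    print("states without locals:", len(reachable(machine_without_locals())))  # 37
    print("trace equivalent to depth 4:",
          traces(machine_with_locals(), 4) == traces(machine_without_locals(), 4))  # True
```

Here `a` alone adds no states, because it is a function of `gs`, while the stale `st` doubles every Wait state with a non-empty history; the two machines nevertheless have exactly the same traces. Removing variables that are dead outside one transition is therefore a behaviour-preserving rewrite, and the gain grows with the size of the type the dead variable ranges over.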