ppt 40589 Awesome Multimedia Tool for Your Green Business Traffic Geyser 2 0 and Instant Customer
Traffic PPT
-
Upload
sanjana-singh -
Category
Documents
-
view
226 -
download
0
description
Transcript of Traffic PPT
![Page 1: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/1.jpg)
Traffic Light Controller Examples in SMV
Himanshu JainBug catching (Fall 2007)
![Page 2: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/2.jpg)
2
Plan for today
Modeling Traffic Light Controller in SMV
Properties to Check
Four different SMV models for traffic light controller
![Page 3: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/3.jpg)
3
N
S
W
Scenario
![Page 4: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/4.jpg)
4
N
S
W
No turning
![Page 5: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/5.jpg)
5
N
S
W
Binary traffic lights
![Page 6: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/6.jpg)
6
N
S
W
SafetyProperty
This should nothappen
![Page 7: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/7.jpg)
7
N
S
W
SafetyProperty
This should nothappen
![Page 8: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/8.jpg)
8
N
S
W
LivenessProperty
When will the stupid light
become green again
![Page 9: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/9.jpg)
9
N
S
W
LivenessProperty
Thank God!
Traffic in each direction must
be served
![Page 10: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/10.jpg)
10
Let’s see how to model all this in SMV
![Page 11: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/11.jpg)
11
N
S
W
SMV variables N-go=0
S-go=0 W-go=1
Three Boolean variables track the
status of lights
![Page 12: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/12.jpg)
12
N
S
W
SMV variables
Three Boolean variables sense
the traffic in each direction
N-sense =1
S-sense =1
W-sense =0
These variables are called N, Sy, W in thecode I will show you
![Page 13: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/13.jpg)
13
Properties we would like to check
Mutual exclusion SPEC AG !(W-Go & (N-Go | S-Go))
Liveness in North directionSPEC AG(N-sense & !N-Go -> AF N-Go)
Similar liveness properties for south and west
![Page 14: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/14.jpg)
14
Properties we would like to check
No strict sequencingWe don’t want the traffic lights to give turns to each other
(if there is no need for it)For example, if there is no traffic on west lane, we do not
want W-go becoming 1 periodically
We can specify such properties atleast partially AG(W-Go -> A[W-Go U (!W-Go & A[!W-Go U (N-Go | S-Go)])])See code other such propertiesWe want these properties to FAIL
![Page 15: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/15.jpg)
15
N
S
W
SMV modules
North modulewill control
South modulewill control
West modulewill control
Main module will-Initialize variables-Start north, south, west modules
![Page 16: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/16.jpg)
16
N
S
W
What if north light is always green and there is always traffic in north direction
![Page 17: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/17.jpg)
17
Fairness Constraints What if north light is always green and there is always
traffic in north direction
We will avoid such scenarios by means of fairness constraints
FAIRNESS running & !(N-Go & N-sense)
On an infinite execution, there are infinite number of states where either north light is not green or there is no traffic in north direction
Similar, fairness constraints for south and west directions
![Page 18: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/18.jpg)
18
Now we look at some concrete implementations
![Page 19: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/19.jpg)
19
Some more variables
To ensure mutual exclusion We will have two Boolean variablesNS-Lock: denotes locking of north/south laneEW-Lock: denotes locking of west lane
To remember that there is traffic on a laneBoolean variables: N-Req, S-Req, W-ReqIf N-sense becomes 1, then N-Req is set to trueSimilarly, for others….
![Page 20: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/20.jpg)
20
Traffic1.smvMODULE mainVAR N : boolean; --senses traffic going along north Sy : boolean; --senses traffic going along south W : boolean; --senses traffic going westward N-Req : boolean; --rememebers that there is traffic along north that needs to go S-Req : boolean; --rememebers that there is traffic along south that needs to go W-Req : boolean; --rememebers that there is traffic along west that needs to go N-Go : boolean; --north direction green light on S-Go : boolean; --south direction green light on W-Go : boolean; --west direction green light on NS-Lock : boolean; --north/south lane locked EW-Lock : boolean; --east/west lane locked
north : process north1(NS-Lock, EW-Lock, N-Req, N-Go,N,S-Go); south : process south1(NS-Lock,EW-Lock,S-Req,S-Go,Sy,N-Go); west : process west1(NS-Lock,EW-Lock,W-Req,W-Go,W);
ASSIGN init(NS-Lock) := 0; init(Sy) := 0; init(W) := 0; init(W-Req) := 0; …………………..OTHER INITIALIZATIONS
![Page 21: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/21.jpg)
21MODULE north(NS-Lock, EW-Lock, N-Req, N-Go,N,S-Go)VAR state : {idle, entering , critical , exiting};ASSIGN init(state) := idle; next(state) := case state = idle : case N-Req = 1 : entering; 1 : state; esac; state = entering & !EW-Lock : critical; state = critical & !N : exiting; state = exiting : idle; 1 : state; esac;
next(NS-Lock) := case state = entering & !EW-Lock : 1 ; state = exiting & !S-Go : 0; 1 : NS-Lock; esac;
next(N-Req) := case !N-Req & N : 1; state = exiting : 0; 1 : N-Req; esac;
next(N-Go) := case state = critical : 1; state = exiting : 0; 1 : N-Go; esac;
-- non-deterministically chose N next(N) := {0,1};
FAIRNESS running & !(N-Go & N)
![Page 22: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/22.jpg)
22
Module south is similar
Module west1 is a little different
Everything seems ok!
Let us run a model checker
![Page 23: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/23.jpg)
23
Mutual exclusion fails (Counterexample)1. All variables zero2. N-sense=1 (North module executed)3. S-sense=1 (South module executed)4. S-Req=15. south.state=entering6. S-sense=0, NS-Lock=1, south.state=critical7. S-sense=1,S-go=1,south.state=exiting8. N-Req=19. north.state=entering10. north.state=critical11. S-Req=0, S-Go=0, NS-Lock=0, south.state=idle12. W=113. W-Req=114. west.state=entering15. EW-lock=1, west.state=critical16. W-Go=117. N-Go=1
One module is executing
at each step
![Page 24: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/24.jpg)
24
Mutual exclusion fails (Counterexample)1. All variables zero2. N-sense=1 (North module executed)3. S-sense=1 (South module executed)4. S-Req=15. south.state=entering6. S-sense=0, NS-Lock=1, south.state=critical7. S-sense=1,S-go=1,south.state=exiting8. N-Req=19. north.state=entering10. north.state=critical11. S-Req=0, S-Go=0, NS-Lock=0, south.state=idle12. W=113. W-Req=114. west.state=entering15. EW-lock=1, west.state=critical16. W-Go=117. N-Go=1
One module is executing
at each step
Even though north.state is critical the NS-lock is released
![Page 25: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/25.jpg)
25
Mutual exclusion fails (Counterexample)1. All variables zero2. N-sense=1 (North module executed)3. S-sense=1 (South module executed)4. S-Req=15. south.state=entering6. S-sense=0, NS-Lock=1, south.state=critical7. S-sense=1,S-go=1,south.state=exiting8. N-Req=19. north.state=entering10. north.state=critical11. S-Req=0, S-Go=0, NS-Lock=0, south.state=idle12. W=113. W-Req=114. west.state=entering15. EW-lock=1, west.state=critical16. W-Go=117. N-Go=1
One module is executing
at each step
One problem is the one-step difference Between North.state=critical and N-Go=1
![Page 26: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/26.jpg)
26MODULE north(NS-Lock, EW-Lock, N-Req, N-Go,N,S-Go)VAR state : {idle, entering , critical , exiting};ASSIGN init(state) := idle; next(state) := case state = idle : case N-Req = 1 : entering; 1 : state; esac; state = entering & !EW-Lock : critical; state = critical & !N : exiting; state = exiting : idle; 1 : state; esac;
next(NS-Lock) := case state = entering & !EW-Lock : 1 ; state = exiting & !S-Go : 0; 1 : NS-Lock; esac;
next(N-Req) := case !N-Req & N : 1; state = exiting : 0; 1 : N-Req; esac;
next(N-Go) := case state = critical : 1; state = exiting : 0; 1 : N-Go; esac;
-- non-deterministically chose N next(N) := {0,1};
FAIRNESS running & !(N-Go & N)
![Page 27: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/27.jpg)
27
This problem is fixed in traffic2.smv
next(N-Go) := case state = entering & !EW-Lock : 1; --change here state = exiting : 0; 1 : N-Go; esac;
next(state) := case state = idle : case N-Req = 1 : entering; 1 : state; esac; state = entering & !EW-Lock : critical; state = critical & !N : exiting; state = exiting : idle; 1 : state; esac;
![Page 28: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/28.jpg)
28
Model checking traffic2.smv
Mutual exclusion property is satisfied
Liveness property for North direction fails AG ((N & !N-Go) -> AF N-Go) is false
![Page 29: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/29.jpg)
29
Counterexample for liveness property contains a loop
North.state=enteringS-sense=1,W-sense=1
EW-lock=1west.state = critical
W-Go=1
NS-lock=1south.state = critical
S-Go=1
![Page 30: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/30.jpg)
30
Counterexample for liveness property contains a loop
North.state=enteringS-sense=1,W-sense=1
EW-lock=1west.state = critical
W-Go=1
NS-lock=1south.state = critical
S-Go=1
North module given a chance to execute here. But it is of no use
![Page 31: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/31.jpg)
31
Ensuring liveness requires more workThis is in traffic3.smv
Introduce a Boolean variable called turnGive turn to others (if I have just exited the
critical section)turn = {nst, ewt}
![Page 32: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/32.jpg)
32MODULE north1(NS-Lock, EW-Lock, N-Req, N-Go,N,S-Go,S-Req,E-Req,turn)VAR state : {idle, entering , critical , exiting};
ASSIGN init(state) := idle; next(state) := case state = idle & N-Req = 1 : entering; state = entering & !EW-Lock & (!E-Req | turn=nst): critical; state = critical & !N : exiting; state = exiting : idle; 1 : state; esac;
next(turn) := case state=exiting & turn=nst & !S-Req : ewt; 1 : turn; esac;
Similar code in south and west modules
![Page 33: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/33.jpg)
33
Model check again
Mutual exclusion holds
What about liveness propertiesIn north direction?In south direction?In west direction?
![Page 34: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/34.jpg)
34
Model check again
Mutual exclusion holds
What about liveness propertiesIn north direction? HOLDSIn south direction? HOLDSIn west direction? FAILS
![Page 35: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/35.jpg)
35
Traffic4.smv Two more variables to distinguish between
north and south completionndone and sdone
When north module exits critical section ndone is set to 1Similarly for south module and sdone
When west module exits both sdone and ndone are set to 0
![Page 36: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/36.jpg)
36MODULE north1(NS-Lock, EW-Lock, N-Req, N-Go,N,S-Go,S-Req,E-Req,turn,ndone,sdone)VAR state : {idle, entering , critical , exiting};ASSIGNnext(state) := case state = idle & N-Req = 1 : entering; state = entering & !EW-Lock & (!E-Req | turn=nst): critical; state = critical & !N : exiting; state = exiting : idle; 1 : state; esac; next(turn) := case state=exiting & turn=nst & (!S-Req | (sdone & E-Req)): ewt; 1 : turn; esac;next(ndone) := case state=exiting : 1; 1 : ndone; esac;
![Page 37: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/37.jpg)
37
Hurray!
Mutual exclusion holds
Liveness for all three directions holds
Strict sequencing does not holdThat is what we want
![Page 38: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/38.jpg)
38
Think aboutHow to allow north, south, east, west traffic
How to model turns
Instead of writing code for four modules have a generic module Instantitate it with four times. Once for each direction
Ensure properties without changing fairness constraints
We will make the SMV code and slides available
![Page 39: Traffic PPT](https://reader035.fdocuments.net/reader035/viewer/2022062321/5695d0d11a28ab9b0293fb3b/html5/thumbnails/39.jpg)
39
QUESTIONS