---------------------------------------------------------------------- -- This is an implementation of a simple traffic light system with one -- (bi-directional) car lane and one pedestrian crossing. -- -- ooo -- ------------------==------------------- -- == -- == -- ------------------==------------------- -- ooo -- -- Simulate it in luke. Try to find problems in the implementation. ---------------------------------------------------------------------- node TrafficLight( Button : bool ) returns ( Red, Yellow, Green, Walk, DontWalk : bool ); var Phase, prePhase : int; let prePhase = 0 -> pre Phase; Phase = if Button then 1 else if prePhase > 0 and prePhase < 10 then prePhase+1 else 0; Green = Phase = 0; Yellow = Phase = 1; Red = Phase > 1; Walk = Phase > 2 and Phase < 10; DontWalk = not Walk; tel ---------------------------------------------------------------------- -- A synchronous observer that checks a number of safety properties -- for the TrafficLight. -- -- Try to prove them using -- "luke ---node ReqTrafficLight traffic.lus --verify". -- If a property is falsifiable, inspect the counter example in luke, -- and try to fix the bug. -- -- Try to specify additional properties and verify these. Avoid -- redundancies in your properties if you can. ---------------------------------------------------------------------- node ReqTrafficLight( Button : bool ) returns (R1, R2, R3, R4, R5, R6, R7, R8, R9, R10: bool); var CarsAllowed, Red, Yellow, Green, Walk, DontWalk : bool; let (Red, Yellow, Green, Walk, DontWalk) = TrafficLight(Button); CarsAllowed = Green or Yellow; R1 = not (CarsAllowed and Walk); R2 = not (Red and Green); R3 = Red or Yellow or Green; R4 = Walk => Red; R5 = Walk xor DontWalk; R6 = true -> not (Red and pre Green); R7 = true -> not (Walk and pre CarsAllowed); R8 = true -> not (CarsAllowed and pre Walk); R9 = true -> not (Yellow and pre Yellow); R10 = true -> (pre Red and not Red) => Green; tel