## Exercises

1. Exercises in lecture notes on sets and relations (selected solutions)
2. Exercises in lecture notes on an introduction to Alloy 4
3. Exercises in lecture notes on the academia model in Alloy
4. Exercises in lecture notes on dynamic models in Alloy
5. Lustre

### Simple nodes (solution)

Make sure to go over these notes before doing these exercises.
1. Write a node Sum, with one input stream X and one output stream S such that, at each instant, S contains the sum of all X's that the node has seen so far.

2. Implement SumReset, a version of Sum above with an additional Boolean input Reset that makes Sum start over from 0.

3. Implement a node Average with one integer input X and one Boolean input Reset, and that outputs the average of the stream X since the last time Reset was true.

4. Is the stream (Sofar(X) and Sofar(Y)) the same as the stream Sofar(X and Y)? And how about the streams (Sofar(X) or Sofar(Y)) and Sofar(X or Y)? Justify your answer.

### Elevator (solution)

Acknowledgements: This exercise is inspired by a similar assignment firstmade by Prover Technology AB, then adapted for previous versions of a similar course at Chalmers Universityby Carl Johan Lillieroth, K.V.S. Prasad, Mary Sheeran, Angela Wallenburg, andJan-Willem Roorda. The current version is our adaptation to the Luke tool, and focuses more on simulation than some of the previous versions.

#### The Elevator Consider a simple elevator, moving people up and down between two floors. Apicture of the situation is shown on the right.

In the elevator, there are three buttons: a button 1 to go to the first floor, a button 2 to go to the first floor, and a stop button to stop the elevator. On each floor, there is a button to call the elevator. Furthermore,the elevator has three sensors, the first indicating if the elevator is on the first floor or not, the second doing the same for the second floor, and the third indicating if the elevator's door is closed or not.

The elevator is moved up and down by a motor that is on the roof of thebuilding. The motor is controlled by two signals, one for moving the elevator up and one for moving it down.

You are to implement the control system for this elevator. Thecontrol system looks at the buttons that are being pressed and the sensors thatsay where the elevator is and if the door is open, and then decides if themotor should move the elevator up or down, or do nothing.

For simplicity, we do not distinguish between the case of someone on floor 2 pressing the call button and someone in the elevator pressing the button 2. Similarly for the call button on floor 1 and button 1 in the elevator.

#### Safety Requirements

To understand better what the control system of the elevator is supposed to do, here is a list of safety requirements that any decent control system should satisfy.

 R1 The elevator may only move when the door is closed and the stop button is notpressed. R2 The elevator may not pass the end positions, that is, go through the roof or the floor. R3 A moving elevator halts only if the stop button is pressed, or the door is opened, or the elevator has arrived at the destination floor. R4 The elevator must halt before changing direction. R5 The signals sent to the motor may not be contradictory.

If, during your implementation, you are ever in doubt about any issue notmentioned in the list above, you can make a reasonable assumption yourself.

#### Problems

1. Implement the control system as a Lustre node with the following interface:

```  node Control( Floor_1, Floor_2, Door_Open, Call_1, Call_2, Stop : bool )
returns ( Motor_Up, Motor_Down : bool );
```

The Boolean streams Floor_1 and Floor_2 represent the output of the floor sensors.The value of stream Call_1 is true at time n if and only if someone has pressed the call button on floor 1 or the button 1 in the elevator. Similarly for Call_2. The stream Door_Open is the output of the door sensor (true iff the elevator door is open). The output streams Motor_Up and Motor_Down represent the signals for the motor, to move the elevator up and down, respectively.

2. We want to simulate the system implemented by the Control node. For that, it is helpful to introduce an auxiliary node that produces reasonable values for the sensors Floor_1 and Floor_2.

One possibility is to use a "environment" node like the following:

```node Environment( Motor_Up, Motor_Down : bool )
returns ( Floor_1, Floor_2 : bool);
var L: int;
let
L = 0 -> if pre Motor_Up then (pre L) + 1
else if pre Motor_Down then (pre L) - 1
else pre L;
Floor_1 =  L = 0;
Floor_2 =  L = 5;
tel
```

In the definition above we make the assumptions at each tick of the system's clock lasts one second, and it takes the elevator 5 seconds to reach one floor from the other. So we can see it as going through 5 intermediate "levels" L when moving from one floor to the other.

Put together the two nodes Control and Environment, in a new node with (exactly) the following interface:

```node Simulate( Door_Open, Call_1, Call_2, Stop : bool)
returns ( Motor_Up, Motor_Down : bool );```

Use Luke to build a simulator for your system (using --node Simulate). Then use the simulator to check visually if the safety requirements above hold. Look at the values returned by Simulate to see where the elevator is actually going.

Your node should behave similarly to this sample Simulate.
The control node used in that simulator is actually buggy. Use the simulator to expose its bug(s).

### Elevator II (solution)

Consider again the elevator problem in the previous exercise.

1. Define a synchronous observer node that expresses each of the safety requirements listed in the previous exercise. Your observer should have (exactly) the following interface:

```node Requirements( Floor_1, Floor_2, Door_Open, Call_1, Call_2, Stop: bool)
returns ( R1, R2, R3, R4, R5 : bool );
```

Use the Luke tool to verify that the requirements hold! Modify the definition of the Control node as needed to satisfy all the requirements.
NB: The Environment and Simulate nodes are not to be used in this exercise.

2. Define a synchronous observer that formalizes the following requirement: "If the elevator is at a floor, someone presses the Call button on the other floor, no one presses the Stop button at the same time, and the door is closed, then the elevator will move."

What changes did you have to make to this requirement for it to go through?

Copyright: Cesare Tinelli, The University of Iowa, 2014   Credits