=================================================================
22c:181 Formal Methods in Software Engineering, Spring 2008
Exercise 4 Solutions
=================================================================

A.1.

    node Requirements( Floor_1, Floor_2, Door_Closed, Call_1, Call_2, Stop : bool )
    returns ( R1, R2, R3, R4, R5 : bool );
    var
      Motor_Up, Motor_Down, Moving, Halts : bool;
    let
      (Motor_Up, Motor_Down) =
        Control(Floor_1, Floor_2, Door_Closed, Call_1, Call_2, Stop);

      -- auxiliary streams
      Moving = Motor_Up or Motor_Down;
      Halts  = not Moving and (false -> pre Moving);

      -- The elevator moves only when the door is closed and
      -- the Stop button is not pressed.
      R1 = Moving => Door_Closed and not Stop;

      -- The elevator will not pass the end positions, that is,
      -- go through the roof or the floor.
      R2 = (Floor_1 => not Motor_Down) and (Floor_2 => not Motor_Up);

      -- A moving elevator halts only if
      -- the Stop button is pressed, or the door is opened,
      -- or the elevator has arrived at the destination floor.
      R3 = Halts => ( Stop or not Door_Closed
                      or ((true -> pre Motor_Down) and Floor_1)
                      or ((true -> pre Motor_Up) and Floor_2) );

      -- The elevator halts before changing direction.
      R4 = true -> (Motor_Up => (not pre Motor_Down))
                   and (Motor_Down => (not pre Motor_Up));

      -- The signals sent to the motor are not contradictory.
      R5 = not (Motor_Up and Motor_Down);
    tel

A.2.

The original requirement was:

    If the elevator is at a floor, someone presses the Call button on the
    other floor, no one presses the Stop button at the same time, and the
    door is closed, then the elevator will move.

This requirement is simply not satisfied by the system. Depending on your
implementation, more things have to hold for the elevator to move:

  - The other Call button must not be pressed at the same time.
  - The call signal might be ignored if the elevator has arrived at the
    floor in this very moment (due to R4).

With these additional assumptions the requirement is:

    R6 = ( ((Floor_1 and Call_2) or (Floor_2 and Call_1))
           and not Stop and Door_Closed
           and not (Call_1 and Call_2)
           and not (false -> pre Moving) )
         => Moving;

Unfortunately, this requirement is not satisfied either! A counterexample
can be found by setting the initial values of Floor_1 and Floor_2 both to
true. Since it is not in the controller's power to rule out that
possibility (Floor_1 and Floor_2 are inputs), we must exclude it in the
requirement itself, by adding as a precondition also that the elevator is
not at both floors at the same time:

    R6 = ( ((Floor_1 and Call_2) or (Floor_2 and Call_1))
           and not Stop and Door_Closed
           and not (Call_1 and Call_2)
           and not (false -> pre Moving)
           and not (Floor_1 and Floor_2) )
         => Moving;

B.1.

The induction depth for R1 and R2 is 0, since no information about the
previous state is needed; they express a direct relation between input and
output within one clock cycle. The induction depth for R3 is 1, since
information from the previous state is needed, namely that X = pre X.

B.2.

If the property does not hold and the procedure (on page 14 of the class
notes) terminates with some value of k, it must have returned from line 5.
This means that it has found a counterexample of length k, that is, a trace
starting in the initial state, going through k-1 successive states where the
property holds, and ending in a k-th state where the property does not hold.
Moreover, since k starts at 0 and is incremented by 1 at each iteration, we
are guaranteed that there are no shorter counterexamples (otherwise they
would have been found at a previous iteration).

B.3.

First observe that if the property holds and the procedure terminates, it
must have returned from line 9. Now consider a trace starting anywhere in
the state space, going through states where the property holds, and ending
in a state where the property does not hold. Clearly, this trace cannot
start in the initial state, otherwise it would constitute a counterexample
for the property, which however we know to hold. Moreover, its length must
be at most k+1. We know it cannot be longer because we know that the formula
checked at line 7 is valid. That entails that if the first k+1 states of the
trace satisfy the property, then all states of the trace do.
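The two exits of the procedure that B.2 and B.3 reason about, as an added example that is not part of these solutions or of the class notes: an explicit-state rendering of the k-induction loop over a small constructed transition system, reporting either the shortest initial counterexample (the exit at line 5) or the depth k at which the step formula of line 7 becomes valid (the exit at line 9). The toy system and the line numbers quoted in the comments are assumptions taken from the page, not from an actual model checker.

```python
from typing import Callable, Iterable, Iterator, List

State = int
Succ = Callable[[State], Iterable[State]]

def paths(succ: Succ, starts: Iterable[State], n: int) -> Iterator[List[State]]:
    """Yield every path [s0, ..., sn] with exactly n transitions and s0 in starts."""
    def extend(path: List[State]) -> Iterator[List[State]]:
        if len(path) == n + 1:
            yield list(path)
            return
        for t in succ(path[-1]):
            path.append(t)
            yield from extend(path)
            path.pop()
    for s in starts:
        yield from extend([s])

def k_induction(states: Iterable[State], init: Iterable[State], succ: Succ,
                prop: Callable[[State], bool], max_k: int = 10):
    """Explicit-state rendering of the k-induction loop discussed in B.2/B.3.
    ("counterexample", trace): the base case failed at depth k (return at line 5).
    ("holds", k): the step formula of line 7 is valid (return at line 9)."""
    for k in range(max_k + 1):
        # Base case: a k-step trace from an initial state whose first k states
        # satisfy prop and whose last state violates it. A shorter counterexample
        # would already have been reported at a smaller k.
        for trace in paths(succ, init, k):
            if all(prop(s) for s in trace[:-1]) and not prop(trace[-1]):
                return ("counterexample", trace)
        # Inductive step: from ANY state, reachable or not, k+1 consecutive
        # prop-states must lead to a prop-state. Unreachable junk states force k
        # to grow; once valid, a prop-trace ending in a violation has <= k+1 states.
        step_ok = all(prop(trace[-1]) or not all(prop(s) for s in trace[:-1])
                      for trace in paths(succ, states, k + 1))
        if step_ok:
            return ("holds", k)
    return ("unknown", max_k)

# Constructed toy system (not from the exercise): 0->1->2->3->0 is the cycle
# reachable from the initial state 0; the chain 7->6->4->5->5 is unreachable.
STATES = range(8)
TRANS = {0: [1], 1: [2], 2: [3], 3: [0], 4: [5], 5: [5], 6: [4], 7: [6]}
succ = TRANS.__getitem__

if __name__ == "__main__":
    # "never 5" is true but only 3-inductive: 7, 6, 4 satisfy it and lead to 5.
    print(k_induction(STATES, [0], succ, lambda s: s != 5))  # ('holds', 3)
    # "never 3" is false; the shortest counterexample 0,1,2,3 is found at k = 3.
    print(k_induction(STATES, [0], succ, lambda s: s != 3))
```

The longest trace of "never 5" states that ends in a violation is 7, 6, 4, 5, which has exactly k+1 = 4 states, matching the bound argued in B.3.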