UPPAAL – user experience

Start the UPPAAL application: open a terminal window, navigate to the course folder and run the UPPAAL script:

/usr/local/cs236800/up4all/uppaal

For the exercises, download the zip file UPPAAL.zip from the course site and extract it to a location of your choice.

Exercise 1 – getting to know the UPPAAL interface

When the UPPAAL GUI is opened you are first looking at the Editor tab. There you can see the workspace where you will build your automaton model on the right of the screen, and the Project tree where you will declare templates, variables, clocks, etc. for your system and components.

Building a simple automaton

Add a second location (state) to the existing initial state: in the editor, click on the “Add Location” button in the tool bar and then click in the drawing area, a bit next to the initial location.

Give the locations names: use the “Selection Tool” to select a location, then right click on it and select "edit location". Give the starting location the name start and the other location the name end.

Adding edges: choose the "Add edge" button, then click on the start location and on the end location. You now have the automaton ready.

Tip: In the editor, at the bottom of the screen, there is a bar which you can “drag up”. This will open a table with the columns Position and Description, which is most likely empty at that moment. Later, it will contain very useful information about the syntax and compile errors in your model. Using it will make it much easier to find and fix them.

Simulate the model

Click on the Simulator tab to start the simulator, and click on the yes button in the window that pops up.

In the upper left part you will find the control part, where you can choose among the transitions that are possible from the current state. In the lower left part you can look at an existing trace. In the middle of the screen are the variables. On the right you see the system itself.
Below the system, you will see what happens in which process.

To simulate our system, pick one of the enabled transitions in the list in the upper left part of the screen (there is only one transition in this example) and click Next. The process view on the right will change (the red dot indicating the current location will move) and the simulation trace will grow. You will note that no further transitions are possible, so the system is deadlocked.

Verify the model

Click on the Verifier tab. The upper section allows you to specify queries to the system. The lower part logs the communication with the model-checking engine.

Enter the text E<>Process.end in the Query field below the Overview (this is the UPPAAL syntax for temporal logic formulas). The meaning of this formula is: it is possible to reach the location end in automaton Process. Click Check to let the engine verify this. The bullet in the overview will turn green, indicating that the property is satisfied.

Exercise 2 – design a model for a Train and a Gate controller

In this exercise we will build a Train model that communicates with a Gate controller. The Gate controller is already prepared for use, and you will be asked to prepare the Train model.

The Train-Gate model specification

A railway control system controls access to a Gate for several Trains. The Gate is a critical shared resource that may be accessed by only one Train at a time. The system is defined as a number of Trains (you can assume 4 for this example) and a Gate controller.

A Train cannot be stopped instantly, and restarting also takes time. Therefore, there are timing constraints on the Trains before entering the Gate. When approaching, a Train sends a signal. Then, it has 10 time units to receive a stop signal. This allows it to stop safely before the Gate. After these 10 time units, it takes 10 time units to reach the Gate if the Train is not stopped.
When a Train leaves the Gate it sends a leaving signal. Then the controller can send a go signal to a Train that is waiting (in a stop state).

Design the Train template

In the UPPAAL GUI, choose File -> Open System, choose the Train-Gate.xml file from the location where you extracted the zip, and press open. If UPPAAL asks you to choose a query file, choose the Train-Gate.q file from the same location and press open. Also, if needed, choose "don't save" every time UPPAAL asks you to save your previous work from the first exercise.

Go to the Editor tab. On the left, in the Project tree, press the Train template. You can see that 5 locations are ready for this model: Safe, Appr, Stop, Start, and Cross. The initial location is Safe, which corresponds to a Train not approaching the Gate yet.

Adding edges

Add edges between the locations to match the specification of the Train (for now, don’t worry about variables and clocks).

Declare variables and clocks

First we will declare the Train template clock. The Train has a clock that will count its time units (remember the Train has a response time, and the clock will model it). Press the tiny circle sign next to Train in the Project tree. Press the Declarations section and add the following text to the declarations of the Train template in the right pane:

clock x;

Second, we will define the communication channels of the Train and the Gate. In the Project tree, right under the root of the tree, press Declarations (these are global declarations that all the components of the system will know). Add the following text to the declarations pane on the right:

const int N = 4;
typedef int[0,N-1] id_t;
chan appr[N], stop[N], leave[N];
urgent chan go[N];

Notes: The constant N denotes the number of Trains in the system. Each Train needs a communication channel with the Gate, which is why we declared the channels as arrays.
Urgent channels are similar to regular channels, except that it is not possible to delay in the source state if it is possible to trigger synchronization over an urgent channel (also note that clock guards are not allowed on edges with urgent channels). The Gate has a more complex declarations section. In this example the Gate declarations are already included, but it is recommended to take a look at them.

Adding guards and synchronization

Now we will add the time constraints and message passing to the Train template.

Go back to the Train template view. Above the editor there is a text line named Parameters. Add the following text to it:

const id_t id

This defines the local constant id for each instance of the Train template (remember that the range of id_t is the number of Trains we want).

Using the select tool, select the edge between Appr and Stop, then right click on it and choose edit edge. The specification tells us the Train can be stopped within 10 time units from appearing at the Gate. This means we can only stop if we are 10 time units or less away from the Gate, so to model this add the guard x<=10 in the Guard box. Also, remember that the Train can enter stop mode only if the controller ordered it. For that we need to receive a stop message from it: add stop[id]? in the Sync box.

Now select the edge between Safe and Appr. We need to inform the controller that the Train is approaching the Gate, and we need to start counting the time since we were in the Safe state up until now. For that, add appr[id]! in the Sync box and add x=0 in the Update box (this resets the clock to 0).

Try adding the rest of the guards, updates and synchronizations to the Train transitions. Remember we have 4 communication channels and one clock.

The system model should be ready for running now.

Exercise 3 - simulate the system model

Go to the Simulator tab and play with the transitions a bit to get the feel of the model.
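The simulator steps through one enabled transition at a time; a model checker explores all of them. The following added example (not part of the course material) does that for an untimed abstraction of the Train-Gate system and checks reachability, mutual exclusion and deadlock freedom, returning a trace when a state of interest is found. The FIFO controller behaviour, the controller_stops switch and all function names are assumptions made for this sketch; clocks and guards are left out.

```python
from collections import deque
N = 4  # number of Trains, as in the page's global declarations

def successors(state, controller_stops=True):
    """Yield (label, next_state) for each enabled transition (clocks ignored)."""
    locs, queue = state
    for i in range(N):
        new, q = list(locs), queue
        if locs[i] == "Safe":                    # appr[i]!
            # Assumed controller: stop[i] at once when the gate is already claimed.
            new[i] = "Stop" if (queue and controller_stops) else "Appr"
            q, label = queue + (i,), f"appr[{i}]"
        elif locs[i] in ("Appr", "Start"):       # reach the Gate
            new[i], label = "Cross", f"cross({i})"
        elif locs[i] == "Cross":                 # leave[i]!
            new[i], label = "Safe", f"leave[{i}]"
            q = tuple(t for t in queue if t != i)
            if q and new[q[0]] == "Stop":        # go[front]! to the next waiting train
                new[q[0]] = "Start"
        else:
            continue                             # Stop: blocked until go arrives
        yield label, (tuple(new), q)

def explore(controller_stops=True):
    """Breadth-first search: map every reachable state to (parent, label)."""
    init = (("Safe",) * N, ())
    parent, todo = {init: None}, deque([init])
    while todo:
        s = todo.popleft()
        for label, t in successors(s, controller_stops):
            if t not in parent:
                parent[t] = (s, label)
                todo.append(t)
    return parent

def witness(pred, controller_stops=True):
    """Shortest trace to a reachable state satisfying pred, or None if there is none."""
    parent = explore(controller_stops)
    for s in parent:                             # dicts keep BFS discovery order
        if pred(s):
            trace = []
            while parent[s]:
                s, label = parent[s]
                trace.append(label)
            return trace[::-1]
    return None

def two_crossing(state): return state[0].count("Cross") > 1
def deadlocked(state): return not list(successors(state))
```

Calling witness(two_crossing, controller_stops=False) models a controller that never sends stop and returns a four-step trace ending with two Trains in Cross, which is the kind of counterexample the UPPAAL diagnostic trace shows.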
Exercise 4 - verify properties of the model

Now we will verify properties of the model. Go to the Verifier tab. For each of the following formulas (and claims), press the insert button and add the formula, then click the check button.

Reachability: Verify the claim: Train 1 can cross the bridge. The formula for this in UPPAAL syntax:

E<>Train(1).Cross

Try it yourself. Write the formula for the claim: Train 1 can be crossing the bridge while Train 2 is waiting to cross. Did you get a green light?

Safety: The claim: there is not more than one Train crossing the bridge at any time. The formula:

A[] Train(0).Cross+Train(1).Cross+Train(2).Cross+Train(3).Cross<=1

(This expression uses the fact that Train(1).Cross evaluates to true or false, i.e., 1 or 0.)

Try to prove it yourself. Write the formula for the claim: the system is deadlock free. Hint: you can use the special reserved word deadlock.

Exercise 5 - using a trace

Go to the Verifier tab. Choose Options -> Diagnostic Trace -> Some.

Try to prove liveness. The liveness claim is: whenever Train 1 approaches the bridge, it will eventually cross. The formula:

Train(1).Appr-->Train(1).Cross

Did it verify? (Probably not...)

Note: if UPPAAL shows message dialogs at this point, press yes for each message.

Go to the Simulator tab. The trace in it will show a counterexample to the property we checked. Go over the trace and decide what the problem is. Fix the model so that it passes the verification. Hint: remember you can add invariants on the locations and clock resets.

Questionnaire

Please answer the following questions and send your answers to: firstname.lastname@example.org

1. Were the lecture topics clear? Was it well organized? Is there any particular subject you wish there was more/less focus on?
2. Do you find UPPAAL to be a useful tool?
3. Did the user experience help in understanding the use and strength of the tool?
4. Any other comments?

Good Luck!