UPPAAL - Webcourse

UPPAAL - Webcourse
UPPAAL – user experience
Start the UPPAAL application:
Open a terminal window, navigate to the course folder and run the UPPAAL script:
/usr/local/cs236800/up4all/uppaal
For the exercises download the zip file UPPAAL.zip from the course site and extract it to a
location of your choice.
Exercises 1 – getting to know the UPPAAL interface
When the UPPAAL GUI is opened you are first looking at the editor tab. There you can see
the workspace were you will build your automaton model to the right of the screen, and the
Project tree where you will declare templates, variables, clocks etc' for your system and
components.
Building a simple automaton
Add a second location (state) to the existing initial state. In the editor Click on the “Add
Location” button in the tool bar:
initial location.
and then click in the drawing area, a bit next to the
Give the location names:
Use the “Selection Tool”:
to select a location then right click on it and select "edit
location". Give the starting location the name start and the other location the name end.
Adding edges:
Choose the "Add edge" button:
click on the start location and on the end location.
You now have the automaton ready.
Tip: In the editor on the bottom of the screen, there is a bar which you can “drag up”. This
will open a table with rows Position and Description which is most likely empty at that
moment. Later, it will contain very useful information about syntactical compile errors that
your model contains. Using this will make it much easier to find and fix them.
Your GUI should look like this now:
Simulate the model
Click on the Simulator tab to start the simulator, click on the yes button in the window that
will pop.
 On the upper left part you will find the control part where you can choose the
transitions between states that are possible from the current state.
 On the lower left part you can look at an existing trace.
 In the middle of the screen are the variables.
 On the right you see the system itself.
 Below the system, you will see what happens in which process.
To simulate our system pick one of the enabled transitions in the list in the upper left part of
the screen (there is only one transition in this example). Click Next.
The process view to the right will change (the red dot indicating the current location will
move) and the simulation trace will grow. You will note that more transitions are actually not
possible, so the system is deadlocked.
Verify the model
Click on the Verifier tab.
The upper section allows you to specify queries to the system.
The lower part logs the communication with the model-checking engine.
Enter the text: E<>Process.end in the Query field below the Overview (this is the UPPAAL
syntax for temporal logic formulas). The meaning of this formula is: it is possible to reach
the location end in automaton Process.
Click Check to let the engine verify this. The bullet in the overview will turn green indicating
that the property is satisfied.
Your GUI should look like this now:
Exercise 2 – design a model for a Train and a Gate controller
In this exercise we will build a Train model that communicates with a Gate controller. The
Gate controller is already prepared for use, and you will be asked to prepare the Train
model.
The Train-Gate model specification
A railway control system controls access to a Gate for several Trains. The Gate is a critical
shared resource that may be accessed only by one Train at a time. The system is defined as
a number of Trains (you can assume 4 for this example) and a Gate controller. A Train
cannot be stopped instantly and restarting also takes time. Therefore, there are timing
constraints on the Trains before entering the Gate. When approaching, a Train sends a
signal. Then, it has 10 time units to receive a stop signal. This allows it to stop safely before
the Gate. After these 10 time units, it takes 10 time units to reach the Gate if the Train is
not stopped. When a Train leaves the Gate it sends a leaving signal. Then the controller can
send a go signal to a Train that is waiting (in a stop state).
Design the Train template
In the UPPAAL GUI:
Choose File->open system choose the Train-Gate.xml file from the location where you
extracted the zip to and press open.
If UPPAAL asks to choose a query file choose the Train-Gate.q file from the location where
you extracted the zip to and press open.
Also, if needed, choose "don't save" every time UPPAAL asks you to save your previews
work from the first exercise.
Go to the Editor tab. On the left in the Project tree press the Train template. You can see
5 locations are ready for this model: Safe, Appr, Stop, Start, and Cross. The initial
location is Safe, which corresponds to a Train not approaching the Gate yet.
Adding edges
Add edges between the locations to match the specification of the Train (for now don’t
worry about variables and clocks).
Declare variables and clocks
First we will declare the Train template clock. The Train has a clock that will count it's time
units (remember the Train has a response time and the clock will model it).
Press the tiny circle sign next to Train in the Project tree. Press the Declarations section
and add the text: clock x; to the declaration of the Train template in the right pane.
Second, we will define the communication channels of the Train and the Gate. In the Project
Tree right under the root of the tree press Declarations (these are global declarations that
all the components of the system will know).
Add to the declarations pane to the right the following text:
const int N = 4;
typedef int[0,N-1] id_t;
chan appr[N], stop[N], leave[N];
urgent chan go[N];
Notes:
 The constant N will denote the number of Trains in the system.
 Each Train needs a communication channel with the Gate which is why we declared
the channels as arrays.
 Urgent channels are similar to regular channels, except that it is not possible to delay
in the source state if it is possible to trigger synchronization over an urgent channel
(also note that clock guards are not allowed on edges with urgent channels).
 The Gate has a more complex declarations section, in this example the Gate
declarations are already included, but it is recommended to take a look at them.
Adding Gourds and synchronization
Now we will add the time constraints and message passing to the Train template.
Go back to the Train template view above the editor there is a text line named
parameters.
Add in it the following text: const id_t id
This will define the local constant id for each instance of the Train template (remember the
range of id_t is the number of Trains we want).
Using the select tool, select the edge between Appr and Stop then right click on it and
choose edit edge.
The specification tells us the Train can be stopped with in 10 time units from appearing at
the Gate this means we can only stop if we are 10 time units or less away from the Gate so
to model this add the guard: x<=10 in the gourd box.
Also, remember that the Train can enter into stop mode only if the controller ordered it. For
that we need to receive a stop message from it.
Add the stop[id]? in the Sync box.
Now select the edge between Safe and Appr. We need to inform the controller the Train is
approaching the Gate, and we need to start counting the time since we were in Safe state
up until now.
For that add: appr[id]! in the Sync box and add x=0 in the update box (this resets the
clock to 0).
Try adding the rest of the Gourds, updates and synchronizations to the Train transitions.
Remember we have 4 communication channels and one clock.
The system model should be ready for running now.
Exercise 3 - simulate the system model
Go to the simulator tab and play with the transitions a bit to get the feel of the model.
Exercise 4 - verify properties of the model
Now, we will verify properties of the model. Go to the Verifier tab. for each of the following
formulas (and claims) press the insert button and add the formula, then click the check
button.
Reachability:
Verify the claim: Train 1 can cross the bridge.
The formula for this in UPPAAL syntax: E<>Train(1).Cross
Try it yourself. Write the formula for the claim: Train 1 can be crossing the bridge while
Train 2 is waiting to cross. Did you get a green light?
Safety:
The claim: there is not more than one Train crossing the bridge at any time.
The formula:
A[] Train(0).Cross+Train(1).Cross+Train(2).Cross+Train(3).Cross<=1
(This expression uses the fact that Train1.Cross evaluates to true or false, i.e., 1 or 0)
Try to prove yourself. Write the formula for the claim: the system is deadlock free
Hint: you can use the special reserved word deadlock.
Exercise 5 - using a trace
Go to the Verifier tab.
Choose Options -> Diagnostic Trace -> Some.
Try to prove livens. The livens claim is: whenever Train 1 approaches the bridge, it will
eventually cross.
The formula: Train(1).Appr-->Train(1).Cross
Did it verify? (Probably not...)
Note: in case you get the following messages:
Press yes for each message.
Go to the simulator tab. The trace in it will show a counter example of the property we
checked, go over the trace and decide what the problem is.
Fix the model so it will pass the verification.
Hint: remember you can add invariants on the locations and clock resets.
Questioner
Pleas answer the following questions and send your answers to:
seinzuk@t2.technion.ac.il
1. Were the lecture topics clear? Was it well organized? Is there any particular subject
you wish there was more/less focus on?
2. Do you find UPPAAL to be a useful tool?
3. Did the user experience help in understanding the use and strength of the tool?
4. Any other comments?
Good Luck!
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Related manuals

Download PDF

advertising