--- CISC/CMPE 422, CISC 835--- ASSIGNMENT 4--- Author: Juergen DingelMOD

1. --- CISC/CMPE 422, CISC 835
2. --- ASSIGNMENT 4
3. --- Author: Juergen Dingel
4.  
5. MODULE Generator(N, out)
6. -- input: 'N' is number of non-'nil' outputs to generate
7. -- output: 'out' is one of {destA, destB, destC, destD, nil}
8. -- DON'T MODIFY!
9.  
10. VAR
11. c: 0..N; -- number of non-'nil' coutries picked
12. cA: 0..N; -- number of times 'destA' has been picked
13. cB: 0..N;
14. cC: 0..N;
15. cD: 0..N;
16. done: boolean; -- set when loop counter i reaches N
17. pc: { -- program counter
18. checking,
19. computing,
20. outputting
21. };
22. ASSIGN
23. init(c):=0;
24. init(cA):=0;
25. init(cB):=0;
26. init(cC):=0;
27. init(cD):=0;
28. init(done):=FALSE;
29. init(pc):=checking;
30. next(out):=
31. case
32. pc=checking : nil; -- no output is produced while we check
33. pc=computing : {destA, destB, destC, destD}; -- pick a destination non-deterministically
34. pc=outputting: nil; -- reset output
35. esac;
36. next(c):=
37. case
38. pc=computing & next(out)!=nil & c<N : c+1; -- increment count of all pieces generated
39. TRUE : c;
40. esac;
41. next(cA):=
42. case
43. pc=computing & next(out)=destA & cA<N : cA+1; -- increment count of pieces destined for destA generated
44. TRUE : cA;
45. esac;
46. next(cB):=
47. case
48. pc=computing & next(out)=destB & cB<N : cB+1; -- increment count of pieces destined for destB generated
49. TRUE : cB;
50. esac;
51. next(cC):=
52. case
53. pc=computing & next(out)=destC & cC<N : cC+1; -- increment count of pieces destined for destC generated
54. TRUE : cC;
55. esac;
56. next(cD):=
57. case
58. pc=computing & next(out)=destD & cD<N : cD+1; -- increment count of pieces destined for destD generated
59. TRUE : cD;
60. esac;
61. next(done):=
62. case
63. pc=outputting & c=N: TRUE; -- done
64. TRUE: done;
65. esac;
66. next(pc):=
67. case
68. pc=checking & c<N : computing; -- not done yet; start another iteration
69. pc=computing : outputting; -- output what has been produced
70. pc=outputting : checking; -- start again
71. TRUE : pc;
72. esac;
73. -- END MODULE Generator(N, out)
74.  
75. MODULE Switch(inp, level, leftOut, rightOut)
76. VAR
77. pc: {one, two, three};
78. inpCopy: {destA, destB, destC, destD, nil};
79. dir: {left, right};
80. ASSIGN
81. init(pc):= one;
82. init(inpCopy):= nil;
83. init(dir):= {left, right}; -- arbitrary initialization
84. next(pc) :=
85. case
86. pc=one & inp=nil : one;
87. pc=one & inp!=nil : two;
88. pc=two : three;
89. pc=three : one;
90. TRUE : one;
91. esac;
92. next(inpCopy):=
93. case
94. pc=one : inp;
95. pc=three: nil;
96. TRUE : inpCopy;
97. esac;
98. next(dir):=
99. case
100. pc=two & level=0 & (inpCopy=destA | inpCopy=destB): left;
101. pc=two & level=0 & (inpCopy=destC | inpCopy=destD): right;
102. pc=two & level=1 & (inpCopy=destA | inpCopy=destC): left;
103. pc=two & level=1 & (inpCopy=destB | inpCopy=destD): right;
104. TRUE: right;
105. esac;
106. next(leftOut):=
107. case
108. pc=three & dir=left : inpCopy;
109. TRUE: nil;
110. esac;
111. next(rightOut):=
112. case
113. pc=three & dir=right : inpCopy;
114. TRUE: nil;
115. esac;
116. -- END MODULE Switch(inp, level, leftOut, rightOut)
117.  
118. MODULE Bin(dest, inp, N)
119. -- input: 'dest' is destination this bin is for, 'inp' is where the input is delivered, and
120. -- 'N' is the number of pieces to generate
121. -- DON'T MODIFY!
122. VAR
123. cnt: 0..N;
124. err: 0..N;
125. ASSIGN
126. init(cnt):= 0;
127. init(err):= 0;
128. next(cnt):= case
129. inp=dest & cnt<N: cnt+1; -- increment count of correctly delivered pieces
130. TRUE: cnt;
131. esac;
132. next(err):= case
133. inp!=nil & inp!=dest & err<N : err+1; -- increment count of incorrectly delivered pieces
134. TRUE: err;
135. esac;
136. -- END MODULE Bin(dest, inp, N)
137.  
138. MODULE main
139. -- Creates sorter, sets 'N', and initializes shared variables
140. -- No need to modify, except for changing the value of 'N'
141. DEFINE
142. N := 8;
143. VAR
144. g_to_s1 : {destA, destB, destC, destD, nil};
145. s1_to_s2 : {destA, destB, destC, destD, nil};
146. s1_to_s3 : {destA, destB, destC, destD, nil};
147. s2_to_bA : {destA, destB, destC, destD, nil};
148. s2_to_bB : {destA, destB, destC, destD, nil};
149. s3_to_bC : {destA, destB, destC, destD, nil};
150. s3_to_bD : {destA, destB, destC, destD, nil};
151. g: Generator(N, g_to_s1);
152. s1: Switch(g_to_s1, 0, s1_to_s2, s1_to_s3);
153. s2: Switch(s1_to_s2, 1, s2_to_bA, s2_to_bB);
154. s3: Switch(s1_to_s3, 1, s3_to_bC, s3_to_bD);
155. bA: Bin(destA, s2_to_bA, N);
156. bB: Bin(destB, s2_to_bB, N);
157. bC: Bin(destC, s3_to_bC, N);
158. bD: Bin(destD, s3_to_bD, N);
159. ASSIGN
160. init(g_to_s1):= nil;
161. init(s1_to_s2) := nil;
162. init(s1_to_s3) := nil;
163. init(s2_to_bA) := nil;
164. init(s2_to_bB) := nil;
165. init(s3_to_bC) := nil;
166. init(s3_to_bD) := nil;
167. -- END MODULE main
168.  
169. ---- QUESTION 1 -------------------------------------------------------------------------------
170. --- Item a)
171. -- "After two execution steps from the initial state, the generator will always be outputting"
172. SPEC AX AX g.pc=outputting
173. -- "The generator only produces non-nil output"
174. SPEC AG (g.pc=outputting -> g_to_s1!=nil)
175. -- "The total number of pieces of luggage generated is always equal to the sum of the numbers generated for each of the four destinations"
176. SPEC AG g.c=(g.cA+g.cB+g.cC+g.cD)
177. -- "The total number of pieces generated is never greater than the number of pieces requested"
178. SPEC AG g.c<=N
179. -- "The generator will always eventually stop"
180. SPEC AF g.done
181.  
182. --- Item b)
183. -- "Whenever generator has generated the requested number of pieces of luggage, then it is done"
184. -- This is incorrect because g.c could equal N but g could be in a state other than done
185. -- By changing the g.done imlpies g.c=N we know if the generator is done, the requested must equal the generated
186. SPEC AG (g.done -> g.c=N) -- false, uncomment to generate counter example
187. -- your corrected version here
188.  
189. -- "The generator is capable of eventually outputting a piece destined for each of the four destinations"
190. -- This is incorerct because what if g is done, then it can not produce a piece.
191. -- We have to ensure the generator isn't finished and also it can only go to a single destination
192. -- so we change the ors to ands.
193. SPEC AG (!g.done ->(EF g_to_s1=destA) | (EF g_to_s1=destB) | (EF g_to_s1=destC) | (EF g_to_s1=destD)) -- false
194. -- your corrected version here
195.  
196. -- "Whenever the generator is producing output, then along any sequence of three execution steps it will again produce output"
197. SPEC AG (g.pc = outputting & AX !g.done -> AX AX AX g.pc = outputting ) -- false
198. -- your corrected version here
199.  
200. ---- QUESTION 2 -------------------------------------------------------------------------------
201. -- Your CTL formulas for Item c) here
202.  
203. -- "Whenever a specific non-nil input arrives at switch s1, then s1 will always output that input to switch s2 two steps later, and s2 will always output that input to bin bA four steps later"
204. --SPEC AG (s1.inp != nil -> ((AX AX s2.inp = s1.inp) & (AX AX AX AX AX AX bA.inp = s1.inp)))
205.  
206. -- "Switch s1 will never output a non-nil value to switch s3"
207. --SPEC AG (s1_to_s3 = nil)
208.  
209. -- "It is possible for value destA to arrive at bin bA"
210. SPEC EF (bA.inp = destA)
211.  
212. -- "The number of pieces of luggage that have arrived at bins bB, bC, and bD is always zero"
213. --SPEC AG (bB.cnt = 0 & bC.cnt = 0 & bD.cnt = 0)
214.  
215. -- "Along all executions, the number of pieces of luggage that have arrived at bin bA correctly and incorrectly, will eventually be equal to the requested number of pieces"
216. --SPEC AF (bA.N = (bA.cnt + bA.err))
217.  
218. -- "It is possible for no pieces for destination destA to be generated, i.e., there exists an execution along which eventually the number of pieces that have errorneously arrived at bin bA is equal to the requested number of pieces"
219. --SPEC EF (bA.err = bA.N)
220.  
221. ---- QUESTION 3 -------------------------------------------------------------------------------
222. -- Your answers to the questions in Items b) to d) here
223. --"Along all paths, whenever the generator outputs a specific destination, then that output always arrives at the correct bin six steps later"
224. SPEC AF (g.out != nil -> ((g.out = destA & AX AX AX AX AX AX bA.inp = g.out) | (g.out = destB & AX AX AX AX AX AX bB.inp = g.out) | (g.out = destC & AX AX AX AX AX AX bC.inp = g.out) | (g.out = destD & AX AX AX AX AX AX bD.inp = g.out)))
225.  
226. --"Along all paths, eventually, done is set and the sum of the number of pieces correctly placed into all bins is equal to the number of requested pieces"
227. SPEC AG ((EF g.done) & (EF (bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.N))
228.  
229. --"The error counters of all bins are always equal to zero"
230. SPEC AG (bA.err = 0 & bB.err = 0 & bC.err = 0 & bD.err = 0)
231.  
232. SPEC EF (s1.inpCopy != nil & s2.inpCopy != nil & s3.inpCopy != nil)
233. SPEC EF (s1.inpCopy != nil & s2.inpCopy != nil)
234. SPEC EF (s2.inpCopy != nil & s3.inpCopy != nil)
235. SPEC EF (s1.inpCopy != nil & s3.inpCopy != nil)
236.  
237.  
238. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c)
239. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 1)
240. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 2)
241. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 3)
242. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 4)
243. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 5)
244. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 6)
245. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 7)
246. SPEC EF((bA.cnt + bB.cnt + bC.cnt + bD.cnt) = g.c - 8)