Objectives:
1. (24 points) For each of the following properties: label as either safety or liveness. Give an accompanying counter-example to the property. If the property is a safety property, further indicate if it is a regular safety property, and if regular, give the NFA to verify it.
2. (20 points) This problem is Exercise 5.5 in Principles of Model Checking (page 321 of the PDF document). Consider an elevator system that services N > 0 floors numbered 0 through N-1. There is an elevator door at each floor with a call-button and an indicator light that signals whether or not the elevator has been called. The system must have the following properties:
Write a PROMELA verification model for the elevator. Identify which properties are safety properties. For the safety properties, verifying them with assertions or with a never claim if the bad prefixes can be described by a regular language.
3. (30 points) This problem is Exercise 5.25 in Principles of Model Checking (page 327 of the PDF document). Consider an arbitrary, but finite, number of identical processes, that execute in parallel. Each process consists of a noncritical part and a critical part, usually called the critical section. In this exercise we are concerned with the verification of a mutual exclusion protocol, that is, a protocol that should ensure that at any moment of time at most one process (among the N processes in our configuration) is in its critical section. In this exercise we are concerned with Szymanski’s protocol. Assume there are N processes for some fixed N > 0. There is a global variable, referred to as flag, which is an array of length N, such that flag[i] is a value between 0 and 4 (for $0 \le i < N$). The idea is that flag[i] indicates the status of process i. The protocol executed by process i looks as follows:
l0: loop forever do begin l1: Noncritical section l2: flag[i] := 1; l3: wait until (flag[0] < 3 and flag[1] < 3 and . . . and flag[N-1] < 3) l4: flag[i] := 3; l5: if (flag[0]=1 or flag[1]=1 or ... or flag[N-1]=1) then begin l6: flag[i] := 2; l7: wait until (flag[0] = 4 or flag[1] = 4 or ... or flag[N-1] = 4) end l8: flag[i] := 4; l9: wait until (flag[0] < 2 and flag[1] < 2 and ... and flag[i-1] < 2) l10: Critical section l11: wait until (flag[i+1] ∈ {0,1,4}) and ... and (flag[N-1] ∈ {0,1,4}) l12: flag[i] := 0; end.
Before doing any of the exercises listed below, try first to informally understand what the protocol is doing and why it could be correct in the sense that mutual exclusion is ensured. If you are convinced of the fact that the correctness of this protocol is not easy to see (otherwise please inform me) then start with the following questions.
4. (30 points) This problem is Exercise 5.26 in Principles of Model Checking (page 328 of the PDF document). We assume N processes in a ring topology, connected by unbounded queues. A process can only send messages in a clockwise manner. Initially, each process has a unique identifier ident (which is assumed to be a natural number). A process can be either active or relaying. Initially a process is active. In Peterson’s leader election algorithm (1982) each process in the ring carries out the following task:
active: d := ident; do forever begin /* start phase */ send(d); receive(e); if e = ident then announce elected; if d > e then send(d) else send(e); receive(f ); if f = ident then announce elected; if e >= max(d,f) then d := e else goto relay; end relay: do forever begin receive(d); if d = ident then announce elected; send(d) end
Model Peterson’s leader election protocol in Promela (avoiding invalid end states) and verify any of the following properties that are regular safety properties:
5. (20 points) Do Exercise 4.5 in Principles of Model Checking (page 236 of the PDF document). The question asks to compute the intersection of an Automaton with a labeled transition system. Show the automaton for the resulting intersection. Is the language empty?