CS195Y Lecture 23

4/3/2017

---

Traffic Light

What properties do we want to be true about our system of 2 one way roads that intersect and a set of traffic lights?

• Both lights are not green at the same time
• Refinement of above: Always have R1 or R2
• Order: R -> G -> Y -> R
• Always eventually G1 and eventually G2

When we watch you set of lights go what should we be watching out for?

1. (R, R) ----> (Y, G) :(
2. (R, R) --------------> (One side never gets to go, no G1 or G2 for all of eternity)

We have 2 types of issues:

1. Safety Properties (something bad never happens)
2. Liveness properties (something good eventually happens)

We are switching from Alloy (a research tool) to something more industrially heavyweight.

See files for the mini traffic light spec in Alloy.

The safety properties are pretty easy to check in Alloy but the Liveness is not as simple. We want this to be easier and we want longer traces. For this reason, we will transition to a class of tools called model checkers. With model checkers we can have much longer traces and also can do real 32-bit arithmetic!

Let's try one out:

#define RED 1
#define YELLOW 2
#define GREEN 3

byte colors[2];
byte turn = 0;

proctype Light(byte myId){
do
:: (turn == myID && colors[myID] == RED) ->
  colors[myId] = GREEN;
:: (turn == myID && colors[myID] == GREEN) ->
  colors[myId] = YELLOW;
:: (turn == myID && colors[myID] == YELLOW) ->
    colors[myId] = RED;
    turn = turn -1;
od;
}
init{
  run Light(0)
  run Light(1)

  do
  :: assert (colors[0] == RED || colors[1] == RED)
  od;
}

This program will run on a single thread but the proctypes run concurrently. Anyone who can go will go. If it's Light 0's turn then Light1 will block (wait). Here we have mutal exclusion but in other cases you might see places were we have a choice of what to do. Then what? We might pick randomly but that's not great for verification.

Why not?
There may be some run such that the scheduler starves the assertion process. Then we wouldn't be able to see if our program is right which would be sad. We can get some intstances with interesting preemption cases so be on the lookout for those. We can see this happened here because of the misordering of the print statements.

This is a C-like language but even if you hate C or don't know C it's going to be ok! We'll have all live coding lectures for the next two weeks and you'll learn everything you need for the homework.