3 Overview of Uppaal toolkit
GUI of the Java client: the editor, the simulator, the verifier.
3.1 The editor
-
Global declaration Contains global integer variables, clocks, synchronisation channels, and constants.
-
Templates Train, Gate, and IntQueue are different parameterised timed automata. A template may have local declarations of variables, channels, and constants.
模板里有局部变量的声明; -
Process assignments Templates are instantiated into processes. The process assignment section contains declarations for these instances.
进程赋值:我用的版本里没有这个功能,那如何初始化进程呢? -
System definition The list of processes(模板实例化后即:进程) in the system.
示例如下所示:
3.2 The simulator
The simulator can be used in three ways:
the user can run the system manually and choose which transitions to take the random mode can be toggled to let the system run on its own or the user can go through a trace (saved or imported from the verifier) to see how certain states are reachable.The simulator is divided into four parts:
- The control part is used to choose and fire enabled transitions, go through a trace, and toggle the random simulation.
- The variable view shows the values of the integer variables and the clock constraints.
- The system view shows all instantiated automata and active locations of the current state.
- The message sequence chart shows the synchronisations between the different processes as well as the active locations at every step.
3.3 The verifier
When trace generation is enabled and the model-checker finds a trace, the user is asked if she wants to import it into the simulator. Satisfied properties are marked green and violated ones red. In case either an over approximation or an under approximation has been selected in the options menu, then it may happen that the verification is inconclusive with the approximation used. In that case the properties are marked yellow.
4 Example 1: The train gate
4.1 Question Description
-
It is a railway control system which controls access to a bridge for several trains. The bridge is a critical shared resource that may be accessed only by one train at a time.
铁路控制系统:调控多辆火车之间 bridge 的访问;桥是一种关键的共享资源,一次只能被一列火车访问;系统建模为:4 辆火车、一个控制者; -
A train can not be stopped instantly and restarting also takes time.
Therefor, there are timing constraints on the trains before entering the bridge.
火车不能立刻停下来,启动同样需要花费时间;
即:在进入 bridge 的时候需要添加时间限制; -
When approaching, a train sends a appr! signal. Thereafter, it has 10 time units to receive a stop signal. This allows it to stop safely before the bridge.
After these 10 time units, it takes further 10 time units to reach the bridge if the train is not stopped.
即将到达时,火车发送 appr 信号,随后,它有10个时间单元来接收停止信号。这能够保证火车在 bridge 之前安全的停下来。在这10个时间单位之后,如果火车未停止,则需要进一步的10个时间单位来到达 bridge。 -
If a train is stopped, it resumes its course when the controller sends a go! signal to it after a previous train has left the bridge and sent a leave! signal.
若某辆火车A处于停止状态,当前一辆火车已经离开并且 bridge 发送了 leave 信号后,控制者发送 go 信号给A来恢复A的行程。 -
刨析问题给出流程图便于理解:
4.2 列车模型
The model of the train gate has three templates:
1. the model of a train
模板局部声明:clock x;
模板的参数含义是,实例化模板为一个 process 进程的时候,可以通过传递参数建立多个进程,比如一个 train 模板可以实例化为 train1,train2等,这些实例的不同由初始化的参数决定。不同的参数之间用逗号 , 隔开,const 类型要加上变量的属性名,其他变量要在形参之前加符号 &.
有五个 location,Safe,Appr, Stop, Start, and Cross
-
Safe:安全位置,对应于尚未到达的列车;这个位置没有不变量,这意味着列车可以无限制时间的处于这个位置;
当一辆列车即将到达时,发送 appr 信号并同步通信于模板 controller;同时,时钟 x 也被重置,变量 e 用来标识区别列车,e 后续将用于队列来调配列车; -
Appr:即将到达位置,不变量 x<=20,即:必须在 20 个时间单位之内离开该位置;
从 Appr 射出的两条边上的 transition,守卫条件分别是 x<=10 x>=10,分别对应到达 bridge 之前的两种情况:可以停下来,不能够停下来;
⭐火车在 approaching 状态时,在 20 tn之内必须转换状态,只有两种选择:开过通道 cross,或停下列车 stop;
在 x 值为10 时,两种转换选哪个都可以,这样我们可以根据速度不同做出不同的选择,意思就是开的快就通过 cross,慢就停下来;
当 x<=10,车可以停下来,转到 Stop 状态的边上有守卫条件: e==id,并且收到同步信号 stop;
当 controller 决定控制某辆列车停下来,它就让那个 id 的车发送 stop 信号; -
Stop:该位置没有守卫条件,一辆列车可以在此停留任意久的时间,该状态等待 go 信号来触发转向 Start 的transition,守卫条件 e==id 确保启动的是正确的那辆车;
本模型是简化的,没有考虑到 stop 状态下正在停、还没完全停下来的列车收到信号 go 时应该怎么办,这种情况会给出一个不确定的重启时间。 -
Start:不变量 x<=15,edge 上守卫条件为 x>=7,含义就是,在 7-15 个时间单位内,列车重新启动到达 cross 部分;
-
Cross:和 Start 一样,要求列车在 3-5 个时间单位内通过离开;
2. Gate is the model of the gate controller
控制模板主要用来与列车、队列模板通信,基本上他们都是承诺位置 committed locations,如下图所示,有些位置可以没有名字。
-
Free:首先,队列为空时,收到 empty? 然后等待 appr? 即有列车即将到来;
当收到 appr?时,立即发送 add! 将该火车加入队列; -
Send:如果队列不为空,当前队列的第一辆火车(head)将收到 hd!信号,控制器接着发送 go!信号代表该列车可以启动出发了;
-
Occ:当控制器收到列车 leave?信号,说明列车已经通过了 cross 将要驶离;
此时若有其他列车将要到来,Occ接收到 appr?信号,马上发送 stop!信号,让列车停止;
并把该列车加入等待队列中,发送 add!信号;
当列车已经安全 leave 走了,控制器会收到 leave?信号,然后当收到 rem?信号时,控制系统又回到 Free状态;
3. IntQueue is the model of the queue of the controller, It is simpler to separate the queue from the controller, which makes it easier to get the model right.
为了更好的确保模型的正确性,将控制器与队列分成两个模板,控制器的“门”由模板 gate控制,控制器队列是模板 IntQueue,如下图所示:
-
Start:初始状态,等待 controller发出的各种信号;
-
ShiftDown:用来计算队列的变换(当队首元素移除时,就必须要进行一次变换);
模板使用整型数组,并且队列采用 FIFO算法(先进先出); -
当 len==0的时候,即队列为空,发送 empty!信号;
当 len>0 时,队列不为空,发送 notempty!信号;
当收到 add?信号的时候,执行 update 操作:将 e 赋值给 list[len],len++;
当收到 hd?信号时,update:将 list[0] 的值赋给 e;
当 len>=1 时,发送 rem!信号,然后执行 update:len–,i 赋值为0;
当 len > i 时,执行 list[i] := list[i+1],i++;
当 len == i 时,执行 list[i] := 0, i:=0;
4.2 验证
7928
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
