Table of Contents

Introduction
First Chapter
Second Chapter
Third Chapter
Fourth Chapter
Introduction

This report documents the development of the autonomous version of the chemical detector. Chapter 1 presents the initial model of the autonomous chemical detector and identifies issues that hinder the verification of basic properties. Chapter 2 presents an updated version of the model that abstracts away some of the data types to allow the model checking of basic properties and identify some mistakes. Chapter 3 further changes the model to establish the requirements below. Chapter 4 discusses an optimisation of the model based on removing local variables.
As a basis for verification, we define a few requirements for the autonomous chemical detector and encode them as CSP processes:

A) Basic Requirements

1) GasAnalysis is deterministic.
2) GasAnalysis is divergence free.
3) GasAnalysis should deadlock only on arrival of a stop event.
4) Movement is deterministic.
5) Movement is divergence free.
6) Movement should deadlock only on arrival of a flag event.
7) ChemicalDetector should deadlock only on termination of individual controllers.
To check that deadlock occurs only in special circumstances, as in requirements 3, 6 and 7, we consider a parallel composition. For instance, we analyse whether ChemicalDetector in parallel with a special process flag -> DONE, where DONE = done -> DONE, is deadlock free: since the partner keeps engaging in done once flag has occurred, the composition can only deadlock if ChemicalDetector deadlocks before flag.
channel done
DONE = done -> DONE
assert ChemicalDetector_O [|{| flag |}|] flag -> DONE :[deadlock free]
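The check just described can be reproduced on a small explicit transition system, which makes it easier to see why the partner process flag -> DONE isolates the deadlocks that matter. The following Python is an added example, not the report's CSP_M or FDR output: it implements generalised parallel composition and deadlock search over hand-built machines, with a constructed Movement-like controller in the shape the report later attributes to Chapter 2 (Avoiding accepts only turn) beside a constructed fixed version, and a constructed GasAnalysis stand-in that only ever issues resume or stop. All state, event and process names in it are assumptions for illustration.

```python
"""Explicit-state check that a controller deadlocks only after a 'flag' event.

Added example, not the report's CSP model or FDR output. It reproduces, for a
hand-built transition system, the idea behind the report's assertion

    assert ChemicalDetector_O [|{| flag |}|] flag -> DONE :[deadlock free]

A process that may legitimately stop after 'flag' is put in parallel with a
partner that keeps engaging in 'done' forever once 'flag' has happened, so any
deadlock left in the composition is one that precedes 'flag'. The machines,
events and the GasAnalysis stand-in below are constructed for illustration.
"""
from collections import deque

# A process is (initial_state, transitions); transitions maps each state to a
# list of (event, next_state) pairs, so nondeterminism is representable.
Process = tuple[str, dict[str, list[tuple[str, str]]]]

# Constructed Movement-like controller in the shape the report attributes to
# Chapter 2: in Avoiding only 'turn' is accepted, so resume/stop cannot be treated.
MOVEMENT_BUGGY: Process = ("Waiting", {
    "Waiting":  [("resume", "Going"), ("stop", "Waiting"), ("turn", "Going")],
    "Going":    [("obstacle", "Avoiding"), ("stop", "Waiting"), ("flag", "Done")],
    "Avoiding": [("turn", "Going")],
    "Done":     [],                      # termination after flag: a legitimate stop
})

# Chapter 3 style fix: resume and stop are treatable in Avoiding as well.
MOVEMENT_FIXED: Process = ("Waiting", {
    "Waiting":  [("resume", "Going"), ("stop", "Waiting"), ("turn", "Going")],
    "Going":    [("obstacle", "Avoiding"), ("stop", "Waiting"), ("flag", "Done")],
    "Avoiding": [("turn", "Going"), ("resume", "Going"), ("stop", "Waiting")],
    "Done":     [],
})

# Constructed GasAnalysis stand-in for the "no gas, or gas above threshold"
# case the report describes: it only ever issues resume or stop, never turn.
GAS_NO_TURN: Process = ("G", {"G": [("resume", "G"), ("stop", "G")]})
COMMANDS = {"resume", "stop", "turn"}   # events both controllers synchronise on


def parallel(p: Process, q: Process, sync: set[str]) -> Process:
    """Generalised parallel P [|sync|] Q over explicit states: an event in sync
    needs both sides to offer it; any other event is taken by one side alone."""
    (p0, pt), (q0, qt) = p, q
    init = f"{p0}|{q0}"
    trans: dict[str, list[tuple[str, str]]] = {init: []}
    todo = deque([(p0, q0)])
    while todo:
        ps, qs = todo.popleft()
        succ: list[tuple[str, tuple[str, str]]] = []
        for e, ps2 in pt[ps]:
            if e in sync:
                succ += [(e, (ps2, qs2)) for f, qs2 in qt[qs] if f == e]
            else:
                succ.append((e, (ps2, qs)))
        for e, qs2 in qt[qs]:
            if e not in sync:
                succ.append((e, (ps, qs2)))
        trans[f"{ps}|{qs}"] = [(e, f"{a}|{b}") for e, (a, b) in succ]
        for _, (a, b) in succ:
            if f"{a}|{b}" not in trans:
                trans[f"{a}|{b}"] = []       # mark visited; filled in when dequeued
                todo.append((a, b))
    return init, trans


def deadlocks(p: Process) -> list[str]:
    """Reachable states with no outgoing transition, in breadth-first order."""
    init, trans = p
    seen, todo, stuck = {init}, deque([init]), []
    while todo:
        s = todo.popleft()
        if not trans[s]:
            stuck.append(s)
        for _, s2 in trans[s]:
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return stuck


def deadlocks_before(p: Process, event: str) -> list[str]:
    """The report's trick: P [|{event}|] (event -> DONE), with DONE = done -> DONE,
    is deadlock free exactly when P never deadlocks before event has occurred."""
    partner: Process = ("F0", {"F0": [(event, "F1")], "F1": [("done", "F1")]})
    return deadlocks(parallel(p, partner, {event}))


if __name__ == "__main__":
    for label, mv in (("buggy", MOVEMENT_BUGGY), ("fixed", MOVEMENT_FIXED)):
        detector = parallel(mv, GAS_NO_TURN, COMMANDS)
        print(label, "all deadlocks:", deadlocks(detector))
        print(label, "deadlocks before flag:", deadlocks_before(detector, "flag"))
```

Both detectors stop in Done after flag, so a plain deadlock check flags them both; composing with the partner process leaves only the Avoiding deadlock of the buggy controller, which is the situation the report describes for requirement A.5, and reports nothing for the fixed controller.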
B) Model Requirements
1) Every gas reading should lead to a command resume, stop or turn. The machine can terminate instead of receiving a gas reading.

Spec1 =
  GasAnalysis_gas?x -> (
    |~| e : {| GasAnalysis_resume, GasAnalysis_stop, GasAnalysis_turn |} @ e -> Spec1
  )
  |~|
  SKIP

assert Spec1 [FD= GasAnalysis
2) Every command to move the robot (resume, stop, turn) leads to a reaction by the robot, before another command is issued.

Spec2 = let
  Init = randomWalkCall -> randomWalkRet -> SKIP
  Reaction = |~| e : {| moveCall, moveRet, randomWalkCall, randomWalkRet, flag, obstacle, odometer |} @ e -> (Reaction |~| SKIP)
  T = (SKIP |~| (|~| e : {| Movement_resume, Movement_turn, Movement_stop |} @ e -> SKIP); Reaction; T)
within
  Init ||| T

assert Spec2 [FD= Movement_O
3) If there is no gas, the chemical detector does not terminate.

NoGas = gas.<(0,0)> -> NoGas

assert ChemicalDetector_O [|{| gas |}|] NoGas :[deadlock free]
Autonomous Chemical Detector 1

In order to support model checking, the tool instantiates core types such as nat as {0,1} and real as {-1,0,1}, but the model uses values such as -90, 90 and 180 in channels typed by real, which leads to errors in the model.

It is possible to edit the generated code to instantiate the types as a larger range of values that avoids this error. For example, real can be defined as {-90..180}. This change, however, leads to a state explosion, and, in order to avoid this problem, we abstract away these types using enumerations in the next chapter.
Model
Autonomous Chemical Detector 2

To avoid the problem found in the previous chapter, we abstracted the type of the values associated with turning the robot to an enumeration Angle containing four values. In this case, it is possible to check the requirements identified in the introduction.

Two requirements fail: A.5 and B.2. While A.5 is not a trivial problem to debug, the cause of B.2 is clearer. The reason two resume events can happen in sequence is that the operation randomWalk is called in the during action, which means the potential reaction to resume can immediately be interrupted by another resume event. This violation is due to missing timing information regarding the occurrences and processing of gas readings.

The failure of requirement A.5 shows that the machine Movement is not prepared to treat the commands resume, turn and stop in certain states. For example, while in the state Avoiding, the only acceptable command is turn, but turn is only produced by GasAnalysis if some gas is detected, but not above a threshold. If no gas is detected, or if the intensity is above the threshold, GasAnalysis would send a resume command or a stop command, neither of which Avoiding is prepared to treat. Furthermore, these events will not be treatable until a turn happens, which might not be possible. This can be solved by adding transitions to most states to allow the treatment of the events stop and resume.

In the next chapter, we add the missing transitions and re-analyse the model. Alternatively, it may be possible to prove that, given appropriate implementations of the functions analysis, location and angle, only the correct order of commands is produced.
Model
Analysis

Requirement                                   Result
A.1  GasAnalysis deterministic                true
A.2  GasAnalysis divergence free              true
A.3  Movement deterministic                   true
A.4  Movement divergence free                 true
A.5  ChemicalDetector deadlocks after flag    false
B.1  Every gas leads to command               true
B.2  Every command causes a reaction          false, resume can happen without a reaction
B.3  No gas, no deadlock                      true
Autonomous Chemical Detector 3

In this model, we add a number of extra transitions to the Movement state machine to avoid the deadlock scenarios identified in the previous chapter. In particular, states with a single transition guarded by turn need these extra transitions. After this change, the model satisfies all the requirements except B.2, which is caused by missing timing information in the model, but is beyond the scope of this report and is left as future work.
Model

Analysis
Requirement                                   Result
A.1  GasAnalysis deterministic                true
A.2  GasAnalysis divergence free              true
A.3  Movement deterministic                   true
A.4  Movement divergence free                 true
A.5  ChemicalDetector deadlocks after flag    true
B.1  Every gas leads to command               true
B.2  Every command causes a reaction          false
B.3  No gas, no deadlock                      true
Autonomous Chemical Detector: state variable removal

In this chapter, we describe a simple strategy to remove state variables under certain conditions. To illustrate this, we show the gas analysis state machine, in which the state machine variables a, i and st are used locally to improve the readability of the model. These variables can be removed to reduce the size of the state space generated by the model, which, depending on the types associated with these variables, can lead to a significant improvement in compilation and analysis times in FDR.

We have verified that the state machine GasAnalysis of this chapter and the one in Chapter 2 are equivalent. Furthermore, while the property check times [1] between the two versions of the state machines are similar (0.03s for Chapter 2 and 0.05s for Chapter 4), the compilation times are radically different. The state machine in Chapter 2 takes 12.55s to compile (before the check can be performed), while the state machine in Chapter 4 (without the redundant state variables) takes 0.54s to compile. This analysis was performed by instantiating primitive sets to contain only 3 values, and limiting the size of sequences to at most 2.

If we increase the maximum size of sequences to 3, the state machine in Chapter 2 no longer compiles, as the machine runs out of memory [2]. The machine in Chapter 4, on the other hand, manages to compile in 84.33s and perform the property check in 0.03s.

This suggests that eliminating redundant state variables is an effective strategy, even when none of the eliminated variables individually causes state explosion. In our example, the main cause for long compilation times is the variable gs (and events communicating sequences), as indicated by the difference in compilation times caused by the increase in the maximum size of sequences. Nevertheless, the elimination of variables that only communicate values drawn from small sets (size 3) has a significant impact on the compilation phase.

[1] The compilation and verification statistics were obtained by running FDR4 on Manjaro Linux on a laptop with an Intel(R) Core(TM) [email protected].
[2] The compilation was aborted when memory usage increased beyond 30GB because reaching 32GB crashes the system and requires a reboot.
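The effect described in this chapter, a locally used variable multiplying the configurations a model checker must build even though the variable is derived from other state, can be reproduced by counting reachable configurations of a toy machine. The Python below is an added example, not the report's GasAnalysis model or its FDR measurements: it builds a constructed GasAnalysis-like machine in two versions, one storing the analysis result in a state variable st written by the entry action of the Analysis state, and one recomputing analysis(gs) where the guard needs it, and counts the configurations each version reaches. The 3-value reading set and the sequence bounds follow the report's experiment; the node names, the analysis function and the configuration encoding are assumptions made here.

```python
"""Reachable-configuration count with and without a redundant state variable.

Added example, not the report's model or its FDR measurements. It builds a toy
GasAnalysis-like machine in two versions: one that stores the analysis result
in a state variable 'st' (written by the entry action of the Analysis state and
read by the guards leaving it), and one that recomputes analysis(gs) where the
guard needs it. Type sizes follow the report's experiment (readings drawn from
a 3-value set, sequences bounded in length); the machine, the analysis function
and the configuration encoding are constructed for illustration.
"""
from collections import deque
from itertools import product

INTENSITIES = (0, 1, 2)                    # constructed 3-value primitive set
NO_GAS, GAS_DETECTED, GAS_ABOVE = "noGas", "gasDetected", "gasAbove"


def all_readings(max_len: int) -> list[tuple[int, ...]]:
    """Every sequence gs that the event gas?gs can carry, up to max_len readings."""
    return [seq for n in range(max_len + 1) for seq in product(INTENSITIES, repeat=n)]


def analysis(gs: tuple[int, ...]) -> str:
    """Constructed stand-in for the model's analysis function (threshold = 2)."""
    top = max(gs, default=0)
    return NO_GAS if top == 0 else GAS_DETECTED if top == 1 else GAS_ABOVE


def reachable(init, step):
    """Breadth-first closure of the configuration graph given by step."""
    seen, todo = {init}, deque([init])
    while todo:
        for nxt in step(todo.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def count_configs(keep_st: bool, max_len: int) -> int:
    """Number of reachable (node, gs, st) configurations of the toy machine.

    Nodes: Reading --gas?gs--> AnalysisEntry --entry action--> Analysis
           --[guard]/resume|turn|stop--> Reading.
    With keep_st the guards read the stored st; without it st is never
    stored (None) and the guards evaluate analysis(gs) directly."""
    readings = all_readings(max_len)

    def step(cfg):
        node, gs, st = cfg
        if node == "Reading":
            # gas?x overwrites gs; a stored st keeps its stale value until the entry action runs
            return [("AnalysisEntry", g, st) for g in readings]
        if node == "AnalysisEntry":
            # entry action st = analysis(gs), only materialised when the variable exists
            return [("Analysis", gs, analysis(gs) if keep_st else None)]
        # Analysis: the guards select a command and the machine returns to Reading
        return [("Reading", gs, st)]

    return len(reachable(("Reading", (), None), step))


if __name__ == "__main__":
    for n in (2, 3):
        print(f"sequences up to length {n}: with st = {count_configs(True, n)}, "
              f"without st = {count_configs(False, n)}")
```

The stored variable roughly doubles the configuration count at both sequence bounds: every Reading configuration now carries the stale st from the previous analysis, and every configuration between gas?gs and the entry action carries one of four st values. The counts also show the report's other observation in miniature: raising the sequence bound from 2 to 3 triples the number of configurations in both versions, because gs is what the model really has to enumerate.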