
I am running Train Gate example, and I want to run a verification property

Pr[<=100] (<> Train(0).Cross)
Saying what is the probability of Crossing of Train(0) in 100-time units.

I have added the clock to Safe state, as shown in the attached file.


By running the above-given property it is giving me the following error;

Location Train(1).Safe [ Train(0).x=19.641971035860478878021240234375 Train(1).x=4.758311911486089229583740234375 Train(2).x=19.416877078358083963394165039062 Train(3).x=19.25746748410165309906005859375 Train(4).x=19.96133429370820522308349609375 Train(5).x=19.875009718351066112518310546875 #time=20.623387750703841447830200195312 ] Gate.list[0]=4 Gate.list[1]=5 Gate.list[2]=0 Gate.list[3]=2 Gate.list[4]=3 Gate.list[5]=0 Gate.list[6]=0 Gate.len=5 violates model sanity with transition Train(1).Cross->Train(1).Safe { x >= 3, leave[id]!, 1 } Gate.Occ->Gate.Free { 1 == front(), leave1?, dequeue() }

In the second-to-last line it says "violates model sanity with transition". I have been looking (googling) for this error but no luck so far; can somebody help me fix it?

Thanks!

  • Hi, welcome to the site. I am not an `Uppaal` expert, however by looking at the image I guess that the problem is that the clock `x` is not reset by transition `leave[id]!`. `Train(1)` moves from state `Cross` to `Safe` with a clock equal to `4.7...`, but then to remain in `Safe` the clock should be smaller or equal `2`, which is a contradiction. So the *Sanity Error* indicates that the model is inconsistent, and it is not really related to the property you are trying to verify. – Patrick Trentin Sep 04 '18 at 16:09
  • Hello @Patrick, thanks for explaining. Just one query: 4.7 is according to our guard that x should be greater than 3, but after reaching Safe it should move to the next state within 2 seconds; should I just reset the clock at the 'leave' transition? – Muhammad Hammad Saghir Sep 08 '18 at 16:14
  • If that's the semantics you want to apply, yes. Beware that, if I understood the changes you applied to the original model correctly, this changes the overall behavior when one considers state `Appr`. With this change its guard no longer means `20` seconds from `Cross` but rather `20` seconds from `Safe`. To preserve the original meaning it would be best to use separate timers. – Patrick Trentin Sep 08 '18 at 16:26

1 Answer


The issue is that when a train goes from Cross to Safe, the clock x has a valuation greater than or equal to 3, which contradicts the invariant on Safe (x<=2); thus SMC complains that the model does not fulfill the assumptions about the model.

The fix is to reset the clock with x=0 on the edge from Cross to Safe.

There are many assumptions in SMC:

  1. the system should not contain deadlocks
  2. the system should not contain timelocks (should not stop time)
  3. the system should not contain zeno behavior
  4. the input handling should be deterministic
  5. processes should be able to progress independently: only broadcast synchronization is allowed, the inputs cannot force the outputs.

just to name a few...

mariusm
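To make the sanity argument above concrete, here is an added example (written for this page; it is not code from the original post or from UPPAAL) that checks a single-clock edge the way SMC does at run time: the guard must hold in the source location, and after the update the target invariant must still hold. The guard `x >= 3` on `Cross -> Safe`, the invariant `x <= 2` on `Safe`, and the valuation `x = 4.758...` are taken from the question; everything else is an assumption for the example: `Cross` is given no invariant of its own (the page does not state one), bounds are non-strict, and the only update modelled is the optional reset `x = 0`.

```python
"""Feasibility check for one clock edge, illustrating the UPPAAL SMC
"violates model sanity" error from the question and its fix (x = 0 on the edge).

Assumptions (not from the original post): a single clock `x`, guards and
invariants that are conjunctions of non-strict bounds on `x`, and `x = 0` as
the only update. Cross is left without an invariant because the page gives none.
"""
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi] of clock values; clocks are never negative."""
    lo: float = 0.0
    hi: float = INF

    def meet(self, other: "Interval") -> "Interval":
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def empty(self) -> bool:
        return self.lo > self.hi

    def contains(self, value: float) -> bool:
        return self.lo <= value <= self.hi


@dataclass(frozen=True)
class Location:
    name: str
    invariant: Interval = Interval()  # default: no invariant (true)


@dataclass(frozen=True)
class Edge:
    src: Location
    dst: Location
    guard: Interval = Interval()      # default: no guard (true)
    reset: bool = False               # True models the update "x = 0"


def feasible_after(edge: Edge) -> Interval:
    """All values x can hold on entering edge.dst, before delay in dst."""
    enabled = edge.src.invariant.meet(edge.guard)
    if enabled.empty():
        return enabled
    return Interval(0.0, 0.0) if edge.reset else enabled


def edge_is_sane(edge: Edge) -> bool:
    """Static check: is there any valuation for which the edge can be taken
    without breaking the target invariant?"""
    return not feasible_after(edge).meet(edge.dst.invariant).empty()


def check_transition(edge: Edge, x: float) -> str:
    """Runtime-style check on one concrete valuation, mirroring what SMC reports."""
    if not (edge.src.invariant.contains(x) and edge.guard.contains(x)):
        return "edge not enabled"
    x_after = 0.0 if edge.reset else x
    if not edge.dst.invariant.contains(x_after):
        return (f"violates model sanity: x={x_after} in {edge.dst.name}, "
                f"but its invariant is x<={edge.dst.invariant.hi}")
    return "ok"


# Locations as described on the page: Safe carries the added invariant x <= 2.
CROSS = Location("Cross")                       # assumption: no invariant given
SAFE = Location("Safe", Interval(hi=2.0))       # x <= 2 (from the question)

# The edge from the error message (guard x >= 3) with and without the fix.
BROKEN_EDGE = Edge(CROSS, SAFE, guard=Interval(lo=3.0), reset=False)
FIXED_EDGE = Edge(CROSS, SAFE, guard=Interval(lo=3.0), reset=True)

# Train(1).x from the trace in the question (truncated).
TRACE_X = 4.758311911486089

if __name__ == "__main__":
    print("broken edge statically sane:", edge_is_sane(BROKEN_EDGE))
    print("fixed edge statically sane: ", edge_is_sane(FIXED_EDGE))
    print("broken edge at trace value: ", check_transition(BROKEN_EDGE, TRACE_X))
    print("fixed edge at trace value:  ", check_transition(FIXED_EDGE, TRACE_X))
```

The static check shows the contradiction Patrick Trentin described without needing a trace at all: the set of values enabling the guard, `[3, inf)`, has an empty intersection with the Safe invariant `[0, 2]`, so no run can ever take that edge legally and SMC must reject the model as soon as a simulation reaches it. With the reset the post-update value is always `0`, which satisfies `x <= 2`. If you follow the comment thread's advice to keep a second timer for `Appr`, the same check applies per clock; only the reset set on the edge changes.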