forked from cubicle-model-checker/cubicle
-
Notifications
You must be signed in to change notification settings - Fork 0
/
futurebus.cub
121 lines (105 loc) · 2.37 KB
/
futurebus.cub
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
(* from "Regular Model Checking without Transducers
(on efficient verification of parameterized systems)"
Adulla et. al.
Tech report 2006-052 Uppsala Universitet
*)
type t =
| Inv | ShU | ExclU | ExclM | PendR | PendE | PendSU | PendEW | PendW
array A[proc] : t
init (z) { A[z] = Inv }
unsafe (z1 z2) { A[z1] = ShU && A[z2] = ExclM }
unsafe (z1 z2) { A[z1] = ShU && A[z2] = ExclU }
unsafe (z1 z2) { A[z1] = ExclU && A[z2] = ExclU }
unsafe (z1 z2) { A[z1] = ExclU && A[z2] = ExclM }
unsafe (z1 z2) { A[z1] = PendW && A[z2] = PendW }
unsafe (z1 z2) { A[z1] = PendW && A[z2] = PendR }
transition t1 (x)
requires { A[x] = Inv && forall_other j. A[j] <> PendW }
{
A[j] := case
| j = x : PendR
| A[j] = ExclM : PendE
| A[j] = ShU : PendSU
| A[j] = ExclU : PendSU
| _ : A[j]
}
transition t2 (x)
requires { A[x] = PendE }
{
A[j] := case
| j = x : ShU
| A[j] = PendR : ShU
| _ : A[j]
}
transition t3 (x)
requires { A[x] = PendSU }
{
A[j] := case
| j = x : ShU
| A[j] = PendR : ShU
| A[j] = PendSU : ShU
| _ : A[j]
}
transition t4 (x y)
requires { A[x] = PendR &&
forall_other j. (A[j]<>PendSU && A[j]<>PendE) &&
A[y] = PendR }
{
A[j] := case
| j = x : ShU
(* | j = y : ShU (* pas necessaire *)*)
| A[j] = PendR : ShU
| _ : A[j]
}
transition t5 (x)
requires { A[x] = PendR &&
forall_other j. (A[j] <> PendSU && A[j] <> PendE && A[j] <> PendR) }
{
A[j] := case
| j = x : ExclU
| _ : A[j]
}
transition t6 (x)
requires { A[x] = Inv && forall_other j. A[j] <> PendW }
{
A[j] := case
| j = x : PendW
| A[j] = PendE : Inv
| A[j] = ShU : Inv
| A[j] = ExclU : Inv
| A[j] = PendSU : Inv
| A[j] = PendR : Inv
| A[j] = PendEW : Inv
| A[j] = ExclM : PendEW
| _ : A[j]
}
transition t7 (x)
requires { A[x] = PendEW }
{
A[j] := case
| j = x : Inv
| A[j] = PendW : ExclM
| _ : A[j]
}
transition t8 (x)
requires { A[x] = PendW && forall_other j. A[j] <> PendEW }
{
A[j] := case
| j = x : ExclM
| A[j] = PendW : ExclM
| _ : A[j]
}
transition t9 (x)
requires { A[x] = ExclU }
{ A[j] := case | j = x : ExclM | _ : A[j] }
transition t10 (x)
requires { A[x] = ExclM }
{ A[j] := case | j = x : ExclM | _ : A[j] }
transition t11 (x)
requires { A[x] = ShU }
{
A[j] := case
| j = x : ExclM
| A[j] = ShU : Inv
| _ : A[j]
}