Ten Diverse Formal Models for a CBTC Automatic Train Supervision System
John P. Gallagher, Rob van Glabbeek and Wendelin Serwe (Eds.): Models for Formal Analysis of Real Systems (MARS'18) and Verification and Program Transformation (VPT'18). EPTCS 268, 2018, pp. 104–149, doi:10.4204/EPTCS.268.4
F. Mazzanti & A. Ferrari. This work is licensed under the Creative Commons Attribution License.
Franco Mazzanti
CNR-ISTI, Pisa, Italy
Alessio Ferrari
CNR-ISTI, Pisa, Italy
Communications-based Train Control (CBTC) systems are metro signalling platforms, which coordinate and protect the movements of trains within the tracks of a station, and between different stations. In CBTC platforms, a prominent role is played by the Automatic Train Supervision (ATS) system, which automatically dispatches and routes trains within the metro network. Among the various functions, an ATS needs to avoid deadlock situations, i.e., cases in which a group of trains block each other. In the context of a technology transfer study, we designed an algorithm for deadlock avoidance in train scheduling. In this paper, we present a case study in which the algorithm has been applied. The case study has been encoded using ten different formal verification environments, namely UMC, SPIN, NuSMV/nuXmv, mCRL2, CPN Tools, FDR4, CADP, TLA+, UPPAAL and ProB. Based on our experience, we observe commonalities and differences among the modelling languages considered, and we highlight the impact of the specific characteristics of each language on the presented models.
Communications-based Train Control (CBTC) systems are the de-facto standard for metro signalling and control, including several interacting wayside and onboard components that ensure safety and availability of trains within the metro network. In the context of a technology transfer project named TRACE-IT, the authors of the current paper, together with representatives of a large railway company, designed one of the main components of a CBTC system prototype, namely the Automatic Train Supervision (ATS) system [10]. This is a wayside system that dispatches and monitors trains along the metro network, according to a set of predefined missions. The ATS includes a scheduling kernel, which shall ensure that, regardless of train delays, no deadlock situation occurs, i.e., the missions are designed in such a way that it never happens that two or more trains block each other from completing their missions. In the context of the project, we applied formal methods to design and verify a scheduling algorithm that addresses the deadlock avoidance problem [25]. The application of the algorithm to the TRACE-IT case study was initially modelled and verified by means of the UMC tool [30, 4, 20]. Then, the design of the case study was replicated with six other formal frameworks, i.e., SPIN [16, 29], NuSMV/nuXmv [5, 18], mCRL2 [14, 9], CPN Tools [17, 31], FDR4 [13, 27] and CADP [11, 6], to explore the potential of formal methods diversity [24]. This is the usage of different formal tools to validate the same design, in order to increase the confidence in the verification results [19]. In the current paper, we present the models discussed in [24], focusing on the differences between the modelling languages, rather than on formal verification diversity. Furthermore, we provide three additional models, using TLA+ [21, 7], ProB [2, 15] and UPPAAL [8, 32].
Within the context of this paper, our goal is to provide some feedback on the differences and traps that should be tackled when changing the reference frameworks, and the commonalities that would allow a simple translation from one framework to another. The models are made available in Appendix A and in attachment to this paper. The remainder of the paper is structured as follows. In Sect. 2 we provide an overview of the modelled algorithm. In Sect. 3 we present the different models, discussing commonalities and differences with a focus on syntactic and semantic discrepancies. Sect. 4 concludes the paper. In Appendix A, we report the different models presented.
This section describes the basic elements of the modelled algorithm, which was defined in our previous works [26, 25]. Fig. 1 shows the structure of the railway layout considered in this study. Nodes in the yard correspond to itinerary endpoints, and the connecting lines correspond to the entry/exit itineraries to/from those endpoints. Eight trains are placed in the layout. Each train has its own mission to execute, defined as a sequence of itinerary endpoints. For example, the mission of train0, which traverses the layout from left to right along the top side of the yard, is defined by the mission vector T0 = [1, 9, 10, 13, 15, 20, 23] (the numbers in the vector refer to the sequence of traversed endpoints in the diagram of Fig. 1; the values are those of the models in Appendix A). The mission of train7, which instead traverses the layout from right to left, is defined by the vector T7 = [26, 22, 17, 18, 12, 27, 8]. The progress status of each train is represented by an index pointing to a position in the mission vector, which allows the identification of the endpoint at which the train is at a certain moment. We will have 8 variables P0, ..., P7, one for each train, which store the current index for the train. For example, at the beginning, we have P0 = 0, ..., P7 = 0, since all the trains occupy the initial endpoints of their missions, i.e., the endpoint at index 0 in the vector.
[Figure 1 omitted: yard diagram showing the stations BCA03 Piazza Dante, Via Roma, Viale dei Giardini, Parco della Vittoria and BCA05 Via Marco Polo, the itinerary endpoints numbered 1 to 27, and the positions of train0 to train7]
Figure 1: A fragment of the yard layout and the 8 missions of the trains

If the 8 trains are allowed to move freely, i.e., to move whenever their next endpoint is free, there is the possib­ility of creating deadlocks, i.e., a situation in which the 8 trains block each other in their expected progression. To solve this problem the scheduling algorithm of the ATS must take into consideration two critical sections A and B, i.e., zones of the layout in which a deadlock might occur, which have the form of a ring of length 8 (see Fig. 2), and guarantee that these rings are never saturated with 8 trains; further information on how critical sections are identified can be found in our previous work [25]. This can be modelled by using two global counters RA and RB, which record the current number of trains inside these critical sections, and by updating them whenever a train enters or exits these sections. For this purpose, each train mission Ti, with i = ... MISSION_LEN (in our case MISSION_LEN = 7), is associated with: a vector Ai of increments/decrements to be applied to counter RA at each step of progression; a vector Bi of increments/decrements to be applied to counter RB. For example, given T0 = [1, 9, 10, 13, 15, 20, 23] and A0 = [0, 0, 0, 1, 0, -1, 0], when train0 moves from endpoint 10 to endpoint 13 (P0 = 3) we must check that the +1 increment of RA does not saturate the critical section A, i.e., RA + A0[P0] ≤ LA (in our case, LA = 7); if the check passes then the train can proceed and safely update the counter: RA := RA + A0[P0]. The maximum number of trains allowed in each critical section (i.e., 7) will be expressed as LA and LB in the following.

[Figure 2 omitted: the same yard diagram with the critical sections A and B marked]
Figure 2: The critical sections A and B, which must not be saturated by 8 trains

The models presented in Appendix A, which implement the algorithm described above, are deadlock-free, since the verification is being carried out as a final validation of a correct design. The actual possibility of having deadlocks, if the critical sections management were not supported or were incorrectly implemented, can easily be observed by raising from 7 to 8 the values of the variables LA or LB. The case study presented here is actually a fragment of the complete TRACE-IT case study. In the original model the railway layout is much larger and the trains continually repeat cyclic missions. In that configuration further deadlock situations may occur and further critical sections have to be defined and managed. The model considered in this case study represents just one of the three fragments into which the complete TRACE-IT layout has been decomposed to render the complexity of the problem amenable to formal verification. This is a typical procedure in the verification of real-world railway problems [33]. The current design, in which each system state logically corresponds to a set of train progresses and each train movement logically corresponds to an atomic system evolution step, leads to a state space of 1,636,535 configurations. This figure is useful because it allows the user to cross-check the correctness of the encoding of this logical design in the various frameworks.

We want to build a model that describes all the possible evolutions of the system composed by the 8 trains, with the purpose of verifying the correctness of the A0, ..., A7 and B0, ..., B7 tables that control the non-saturation of the sections A and B, and the correctness of the assumption that the A and B sections are the only zones where a deadlock might occur. The design skeleton we have in mind is that of a blackboard model, where a global space of common variables is read and updated by a set of atomic transformation operations.
An atomic system evolution corresponds to a one-step movement of one train in the yard, which can occur when the next endpoint is free and when the move saturates neither the A section nor the B section. We have encoded the above simple skeleton design using notations supported by 10 verification frameworks, namely UMC, Promela/SPIN, NuSMV/nuXmv, mCRL2, CPN Tools, FDR4, CADP, TLA+, UPPAAL and ProB. Within the context of this paper, our goal is to provide some feedback on the differences and traps that should be tackled when changing the reference frameworks, and the commonalities that would allow a simple translation from one framework to another. Each framework surely has its own typical set of features that might lead to the best modelling and verification of a system, but, in this work, we are not interested in comparing the best way in which all the 10 frameworks could model the system. Instead, we are interested in seeing if, and to which extent, our basic design skeleton could be fitted with minimal transformations into all the frameworks taken into consideration.

In the following subsections we summarise some of the aspects that appear to characterise the differences of the various frameworks as evidenced by our specification problem. These observations can support the reader in making sense of the different models that are reported in Appendix A, and attached to the current paper. More specifically, for each framework, we provide one or more model variants. The variants represent different modelling styles, according to the classification provided in Sect. 3.2. In the case of CPN Tools, the different variants are associated with models with a different number of trains. Indeed, in our experiments, presented in [24, 23], CPN Tools was not able to verify the case with eight trains, and models with a lower number of trains were tested. Table 1 provides a brief description of the different variants considered, with the associated file names.

Table 1: Different models developed with associated frameworks.

Framework      File Name               Description
CADP           cadp oneway8par.lnt     Parallel without shared memory
               cadp oneway8seq.lnt     Sequential
CPN Tools      cpn-oneway<X>.xml       Parallel without shared memory with X trains
FDR4           fdr4 oneway8par.txt     Parallel without shared memory
               fdr4 oneway8seq.txt     Sequential
mCRL2          mcrl2 oneway8par.txt    Parallel without shared memory
               mcrl2 oneway8seq.txt    Sequential
ProB           prob oneway8seq.mch     Sequential
NuSMV/nuXmv    smv oneway8-SM.smv      Sequential
SPIN           spin oneway8.pml        Sequential
TLA+           tla oneway8.txt         Sequential
UMC            umc oneway8seq.txt      Sequential
UPPAAL         uppaal-oneway8par.ta    Parallel with shared memory
               uppaal-oneway8seq.ta    Sequential

The frameworks taken into account allow different kinds of model structures, which can be seen in our variants.
Sequential
With the sequential design structure the global system status is read and updated by a single sequential, nondeterministic process. This is the case that more directly reflects our initial design skeleton, and this structure has been modelled in all the considered frameworks, with the exception of CPN Tools (in Appendix A we report solely the sequential cases, according to the classification in Sect. 3.2, which are the most representative for our design: mcrl2 oneway8seq.ta, cadp oneway8seq.lnt, fdr4 oneway8seq.csp, umc oneway8seq.txt, spin oneway8.pml, prob-oneway8.mch, tla oneway8.txt, smv oneway8-SM.smv). Indeed, this modelling style can be reproduced with CPN Tools, but it is not in line with the typical use of Petri Nets.
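As an added illustration that is not one of the paper's ten models, the following Go program encodes the same sequential blackboard design as an explicit-state explorer: the eight progress indices P0, ..., P7 form the state, CanMove and Move are the guard and the effect of the one-step rule, and Explore enumerates the reachable configurations to check that no non-final configuration is stuck, i.e. that all trains eventually complete their missions. The mission and constraint tables are transcribed from the CADP-LNT model in Appendix A; the function names are our own.

```go
package main

import "fmt"

// Tables transcribed from the paper's CADP-LNT model (Appendix A): T[i] is the
// endpoint sequence of train i; A[i][k] and B[i][k] are the increments applied
// to the counters RA and RB when train i reaches step k of its mission.
const nTrains, missionLen = 8, 7

var T = [nTrains][missionLen]int{
	{1, 9, 10, 13, 15, 20, 23}, {3, 9, 10, 13, 15, 20, 24},
	{5, 27, 11, 13, 16, 20, 25}, {7, 27, 11, 13, 16, 20, 26},
	{23, 22, 17, 18, 11, 9, 2}, {24, 22, 17, 18, 11, 9, 4},
	{25, 22, 17, 18, 12, 27, 6}, {26, 22, 17, 18, 12, 27, 8}}
var A = [nTrains][missionLen]int{
	{0, 0, 0, 1, 0, -1, 0}, {0, 0, 0, 1, 0, -1, 0}, {0, 0, 1, -1, 0, 1, 0},
	{0, 0, 1, -1, 0, 0, 0}, {0, 1, 0, 0, -1, 0, 0}, {0, 1, 0, 0, -1, 0, 0},
	{0, 0, 0, -1, 0, 0, 0}, {0, 1, 0, -1, 0, 0, 0}}
var B = [nTrains][missionLen]int{
	{0, 0, 0, 1, 0, -1, 0}, {0, 0, 0, 1, 0, -1, 0}, {0, 0, 1, -1, 0, 0, 0},
	{0, 0, 1, -1, 0, 1, 0}, {0, 1, 0, 0, -1, 0, 0}, {0, 1, 0, 0, -1, 0, 0},
	{0, 1, 0, -1, 0, 0, 0}, {0, 0, 0, -1, 0, 0, 0}}

// Progress is the blackboard state: the index P_i of each train into its
// mission vector. RA and RB are functions of it, so they are not stored.
type Progress [nTrains]int

// Final is the configuration with every train at the last index (6) of its mission.
var Final = Progress{6, 6, 6, 6, 6, 6, 6, 6}

// CanMove is the guard of the "train i advances one step" rule: mission not
// finished, next endpoint free, neither critical section saturated. RA and RB
// are recomputed as the LNT model's initial value 1 plus all increments so far.
func CanMove(s Progress, i, la, lb int) bool {
	p := s[i]
	if p >= missionLen-1 {
		return false
	}
	ra, rb := 1, 1
	for j, q := range s {
		if j != i && T[j][q] == T[i][p+1] {
			return false
		}
		for k := 1; k <= q; k++ {
			ra, rb = ra+A[j][k], rb+B[j][k]
		}
	}
	return ra+A[i][p+1] <= la && rb+B[i][p+1] <= lb
}

// Move is the effect of the rule (Progress is an array, so s is a copy).
func Move(s Progress, i int) Progress { s[i]++; return s }

// key packs a configuration into a base-7 number (7^8 < 2^24); unkey inverts it.
func key(s Progress) (k int) {
	for _, p := range s {
		k = k*missionLen + p
	}
	return k
}
func unkey(k int) (s Progress) {
	for i := nTrains - 1; i >= 0; i-- {
		s[i], k = k%missionLen, k/missionLen
	}
	return s
}

// Explore enumerates every reachable configuration (depth-first, with a bitmap
// of visited keys) and returns their number, the first non-final configuration
// with no enabled move (the trains block each other) and whether one exists.
func Explore(la, lb int) (states int, deadlock Progress, found bool) {
	visited := make([]bool, 1<<24)
	stack := []int{key(Progress{})}
	visited[stack[0]] = true
	for len(stack) > 0 {
		s := unkey(stack[len(stack)-1])
		stack = stack[:len(stack)-1]
		states++
		enabled := 0
		for i := 0; i < nTrains; i++ {
			if !CanMove(s, i, la, lb) {
				continue
			}
			enabled++
			if k := key(Move(s, i)); !visited[k] {
				visited[k] = true
				stack = append(stack, k)
			}
		}
		if enabled == 0 && s != Final && !found {
			deadlock, found = s, true
		}
	}
	return states, deadlock, found
}

func main() {
	fmt.Println(Explore(7, 7)) // the limits LA = LB = 7 used by the paper's models
}
```

The printed state count can be cross-checked against the 1,636,535 configurations the paper reports for this design, and calling Explore(8, 8) instead exhibits the deadlock that the paper says appears once the limits are raised to 8.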
Parallel without Shared Memory
With this design structure we indicate the case in which different parallel processes interact among themselves in the absence of a common shared memory that could be directly read and updated by the processes. This is in general the case of concurrent frameworks, such as UMC, CPN, FDR4, CADP and mCRL2, where sets of processes (or a network layout in the case of Petri Nets) are used to model the system, and where a single entity might model the evolutions in time of a specific component of the system status (e.g., a variable). This is not our main reference scenario; however, in the case of mCRL2, CADP, FDR4 and CPN Tools we show alternative modelling examples that follow this design structure (mcrl2 oneway8par.ta, cadp oneway8par.lnt, fdr4 oneway8par.csp, cpn oneway8.xml, cpn oneway6-nocol.xml).

Parallel with Shared Memory

With this design structure a set of parallel processes share a common memory space, and, at the same time, may interact through inter-process communication. SPIN and UPPAAL are the only frameworks that allow the user to design a system in this way. An example of this model structure has been shown only in the case of UPPAAL (uppal-oneway8seq.ta).

Language Style

Another evident difference among the various frameworks is the overall style of the language used to specify the system. For example, if we consider the way in which the transition relation (i.e., the system evolutions) is described, we can observe that three main approaches are followed by the frameworks considered. These three language styles can be qualified as imperative, logical and algebraic, and are exemplified below with small fragments of code in the style of CADP-LNT [12] (LNT is one of the languages supported by CADP, and is the language chosen for our experiment), TLA+ and FDR4, respectively.

CADP-LNT (imperative):
   if P0<6 then
      P0 := P0+1;
      RA := RA+A0[P0];
   end;

TLA+ (logical):
   (P0 < 6) &
   (P0' = P0+1) &
   (RA' = RA+A0[P0+1])

FDR4 (algebraic):
   System(P0,RA) =
      (P0 <6) ->
      System(P0+1,RA+A0[P0+1])

In spite of the apparent difference, if the state transformation to be carried out during a system evolution is simple (as happens in our case), the three styles are roughly equivalent, and translation from one style to the other can be performed with limited effort.

In our example we do not need sophisticated data structures, and our design skeleton is just based on integer values and fixed-size tables of numbers. Sometimes, e.g., in the case of UMC, SPIN, NuSMV/nuXmv, CADP-LNT, UPPAAL and TLA+, array-like types and indexing operations are natively supported by the specification language; other times, e.g., in the case of CPN Tools, FDR4 and mCRL2, arrays have to be represented as functions, sequences or lists, and the indexing operations possibly manually encoded as custom recursive functions. For example, in the case of FDR4 we have:

   M0 = <1,9,10,13,15,20,23>   -- list of endpoints for the mission of train0
   select_item(list,index) =   -- item selection, given an index
      if index==0 then         -- (assuming index in the appropriate range)
         head(list)
      else
         select_item(tail(list),index-1)
The different ways in which the frameworks treat system initialisation point out a difference that might trick an inexperienced designer. Three different approaches can be recognised when a state variable is defined by the model, but not explicitly initialised at system startup.
Default Value
The uninitialised variables might get some default initial value (typically 0 for integers).This is the approach found in UMC, SPIN, UPPAAL.
Error
The situation can be statically recognised as a design error, and notified to the designer. This isthe approach followed by TLA+, ProB, CPN Tools, FDR4, mCRL2, CADP-LNT.
Nondeterministic Assignment
The not explicitly initialised variable may nondeterministically get any of the possible values allowed by its type. This approach has been encountered only in NuSMV/nuXmv. On one hand this choice provides a powerful and flexible way to specify a rich set of possible system initial values; on the other hand it might trick an inexperienced designer into wrongly thinking that a classical default value (like 0) is used instead.
In all the considered frameworks the transition relation is defined by rules that have the form: guard-condition / state-transformation-effects. A possible question is what happens to the variables that are not explicitly modified by the state-transformation-effects. The situation is similar to the initialisation issue previously seen. Also in this case we have three different approaches:
Previous Value
The not explicitly assigned state variables preserve their previous value. This is theapproach followed by CPN, UPPAAL, FDR4, mCRL2, SPIN, UMC, ProB, CADP-LNT.
Default Value
The not explicitly assigned state variables get a default null value. This is what happensin the case of TLA+.
Nondeterministic Assignment
The not explicitly assigned variable may nondeterministically get any of the possible values allowed by its type. This is what happens in the NuSMV/nuXmv case. The difference among the three classes is evident if we compare the fragments of state-transformation-effects as they occur in CADP-LNT, TLA+ and NuSMV/nuXmv:

CADP-LNT:
   P0 := P0+1;

TLA+:
   (P0' = P0+1) &
   UNCHANGED <<P1, ..., P7>>

NuSMV/nuXmv:
   next(P0) in P0+1 &
   next(P1) = P1 & ... & next(P7) = P7

While with CADP-LNT it is not needed to make explicit that P1 ... P7 do not change their value, in TLA+ we need to use the keyword UNCHANGED, and in NuSMV/nuXmv we have to explicitly state, for each variable, that the next value is equal to the one at the previous execution step.

Another relevant difference among the various frameworks is whether they allow the transition relation to be only partially defined, i.e., are certain inputs and certain states allowed not to trigger a system evolution? In our problem this situation actually occurs. For example, when a train cannot proceed because its next endpoint is occupied by another train, the rule describing the train progress cannot be applied. In all frameworks, with the exception of NuSMV/nuXmv, this does not represent a problem. It simply means that from such a system configuration state there is no outgoing edge corresponding to the movement of that train. In the case of NuSMV/nuXmv instead the transition relation must be a total function. This means that if a certain state configuration and a certain system input do not trigger an actual system evolution, we should equally explicitly state that the next system state is unchanged. If we fail to explicitly state that, the consequence is that the next state can become any state where all the system state variables nondeterministically get any of the values allowed by their type. Notice that in this way we are introducing self loops in many states of the graph describing the system behaviour, and this has a certain impact on the way in which the system properties can be stated and verified. For example, the user might be constrained to specify fairness constraints, or avoid the use of LTL formulas, or avoid CTL formulas like AF <statepredicate>. Indeed the verification approach of NuSMV always takes into consideration only infinite (possibly fair, if requested) traces (when using the -bmc option the behaviour might be different). In our case the property we want to verify is that for all possible executions all the trains eventually complete their missions. This property can be easily specified and verified in all the considered frameworks. However, each framework provides original advanced verification features not supported by other frameworks. The possibility to translate a specification from one formalism to another might lead to several advantages:
• We can increase the confidence in the verification results, given that none of the analysed frameworks is qualified at the highest integrity levels usually required by safety-critical standards.
• We can exploit the specific strong points of more than one framework (e.g., the friendliness of a user interface, the ability to scale well, the possibility of generating program code or performing model-based testing).
• We can verify a wider class of properties. For example, by importing an FDR4 model into ProB we can also verify LTL/CTL properties, by translating a model into UPPAAL we can introduce and verify further time-related aspects, and so on.
Table 2 summarises the basic verification features that the considered frameworks make available.

It is not a goal of our paper to make a comparative evaluation of the various frameworks in terms of scalability or performance. Nevertheless, a summary of the times experienced when evaluating the property that for all possible executions all the trains eventually complete their missions might still be a useful approximate indication of the impact of a certain system design approach / formal verification technique in terms of performance. The verification times presented in Table 3 are expressed as ranges because they actually depend on the specific design approach adopted, on the specific formulas being evaluated, and on the specific options used during the tool execution. We refer to [24] for additional details.

Table 2: Verification features supported by the various frameworks

Framework      Supported Verification Techniques
UMC            model checking CTL-like, state-event based logics
SPIN           model checking LTL, fairness requirements
NuSMV/nuXmv    LTL, CTL, PSL [1], SMT model checking, fairness requirements
CADP           MCL [22], Parametric Mu-Calculus model checking, equivalence checking
UPPAAL         MITL [3], time-related, and probability-related properties
TLA+           LTL, Theorem Proving, Proof Validations
ProB           LTL, CTL model checking, constraint-based checking
mCRL2          Parametric Mu-Calculus model checking, equivalence checking
FDR4           Refinement Checking, fairness requirements
CPN            CTL, custom ML properties
Table 3: Indicative Summary of Evaluation Times

Framework      Range of evaluation times
UMC            38 - 86 seconds
SPIN           13 - 47 seconds
NuSMV/nuXmv
CADP           29 seconds
UPPAAL         16 seconds
TLA+
ProB           32 minutes
mCRL2
FDR4           15 seconds - 20 minutes
CPN            unable to deal with the state-space size
The availability of CBTC systems relies on the existence of smart ATS systems that prevent the occurrence of deadlock situations in the metro network. In this paper, we present different models of a scheduling algorithm for an ATS, which was designed and verified to avoid deadlocks. Ten different formal frameworks are used, and different variants of system design structure are presented, according to the features made available by the frameworks. Differences in terms of language style, allowed data types, and treatments of the system evolution are observed, based on the developed models. In our future work, we plan to adapt our design to tools for model-based development such as Simulink/Stateflow and SCADE, to explore their potential in terms of modelling styles and verification capabilities, and compare them with the other frameworks. Furthermore, in the context of the EU ASTRail project we are involved in a comparative analysis of formal and semi-formal tools in the railway domain. The experience gained with the different frameworks will be applied to provide diverse models for ERTMS/ETCS (European Rail Traffic Management System/European Train Control System) Level 3, the next evolution of ERTMS/ETCS. This will allow us to further stress the capability of the frameworks with a different design, including time and probabilistic aspects. It should be noted that, in the current work, we did not discuss aspects related to the usability of the various frameworks. This issue is of paramount importance, as highlighted, among others, by Sirjani [28], and is also going to be considered in the context of the ASTRail project.
Acknowledgements
This work has been partially funded by the ASTRail project. This project received funding from the Shift2Rail Joint Undertaking under the European Union's Horizon 2020 research and innovation programme under grant agreement No 777561. The content of this paper reflects only the authors' view and the Shift2Rail Joint Undertaking is not responsible for any use that may be made of the included information.
References
[1] IEEE (2010): IEEE Standard for Property Specification Language (PSL). IEEE Std 1850-2010 (Revision of IEEE Std 1850-2005), pp. 1–182.
[2] Jean-Raymond Abrial (2010): Modeling in Event-B: System and Software Engineering. Cambridge University Press.
[3] Rajeev Alur, Tomás Feder & Thomas A. Henzinger (1991): The Benefits of Relaxing Punctuality. In: Proceedings of the Tenth Annual ACM Symposium on Principles of Distributed Computing, Montreal, Quebec, Canada, August 19-21, 1991, pp. 139–152.
[4] Maurice H. ter Beek, Stefania Gnesi & Franco Mazzanti (2015): From EU projects to a family of model checkers. In: Software, Services, and Systems, LNCS 8950, Springer, pp. 312–328.
[5] Roberto Cavada, Alessandro Cimatti, Michele Dorigatti, Alberto Griggio, Alessandro Mariotti, Andrea Micheli, Sergio Mover, Marco Roveri & Stefano Tonetta (2014): The nuXmv Symbolic Model Checker. In: CAV, pp. 334–342.
[6] INRIA CONVECS (2018): CADP Home Page. https://cadp.inria.fr.
[7] Microsoft Corp. (2018): The TLA Toolbox Home Page. https://lamport.azurewebsites.net/tla/toolbox.html.
[8] Alexandre David, Kim G. Larsen, Axel Legay, Marius Mikučionis & Danny Bøgsted Poulsen (2015): Uppaal SMC tutorial. International Journal on Software Tools for Technology Transfer 17(4), pp. 397–415.
[9] Technische Universiteit Eindhoven (2018): mCRL2 Home Page.
[10] From commercial documents to system requirements: an approach for the engineering of novel CBTC solutions. International Journal on Software Tools for Technology Transfer, STTT 16(6), pp. 647–667.
[11] Hubert Garavel, Frédéric Lang, Radu Mateescu & Wendelin Serwe (2013): CADP 2011: a toolbox for the construction and analysis of distributed processes. STTT 15(2), pp. 89–107.
[12] Hubert Garavel, Frédéric Lang & Wendelin Serwe (2017): From LOTOS to LNT. In: ModelEd, TestEd, TrustEd - Essays Dedicated to Ed Brinksma on the Occasion of His 60th Birthday, pp. 3–26.
[13] Thomas Gibson-Robinson, Philip Armstrong, Alexandre Boulgakov & Andrew W. Roscoe (2014): FDR3 - A modern refinement checker for CSP. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Springer, pp. 187–201.
[14] Jan Friso Groote & Mohammad Reza Mousavi (2014): Modeling and analysis of communicating systems. MIT Press.
[15] Heinrich-Heine-University (2018): The ProB Animator and Model Checker.
[16] The Spin Model Checker: Primer and Reference Manual. Addison-Wesley Professional.
[17] Kurt Jensen & Lars M. Kristensen (2009): Coloured Petri nets: modelling and validation of concurrent systems. Springer Science & Business Media.
[18] Fondazione Bruno Kessler (2018): The nuXmv model checker Home Page. https://nuxmv.fbk.eu/.
[19] Tuomas Kuismin & Keijo Heljanko (2013): Increasing confidence in liveness model checking results with proofs. In: Haifa Verification Conference, Springer, pp. 32–43.
[20] ISTI-FMT Laboratory (2018): KandISTI-UMC Home Page. https://fmt.isti.cnr.it/umc.
[21] Leslie Lamport (2002): Specifying Systems. https://lamport.azurewebsites.net/tla/book-02-08-08.pdf.
[22] Radu Mateescu & Damien Thivolle (2008): A model checking language for concurrent value-passing systems. In: International Symposium on Formal Methods, Springer, pp. 148–164.
[23] Franco Mazzanti, Alessio Ferrari & Giorgio Oronzo Spagnolo (2014): Experiments in Formal Modelling of a Deadlock Avoidance Algorithm for a CBTC System. In: International Symposium on Leveraging Applications of Formal Methods - ISoLA 2016, Volume Part II, LNCS 9953, Springer, pp. 297–314.
[24] Franco Mazzanti, Alessio Ferrari & Giorgio Oronzo Spagnolo (2018): Towards Formal Methods Diversity in Railways: an Experience Report with Seven Frameworks. International Journal on Software Tools for Technology Transfer, STTT 20(3).
[25] Franco Mazzanti, Giorgio Oronzo Spagnolo, Simone Della Longa & Alessio Ferrari (2014): Deadlock avoidance in train scheduling: a model checking approach. In: International Workshop on Formal Methods for Industrial Critical Systems, FMICS 2014, LNCS 8718, Springer, pp. 109–123.
[26] Franco Mazzanti, Giorgio Oronzo Spagnolo & Alessio Ferrari (2014): Designing a deadlock-free train scheduler: A model checking approach. In: NASA Formal Methods Symposium, LNCS 8430, Springer, pp. 264–269.
[27] University of Oxford (2018): FDR4 - The CSP Refinement Checker Home Page.
[28] Sirjani: Power is Overrated, Go for Friendliness! Expressiveness, Faithfulness and Usability in Modeling - The Actor Experience. In: Principles of Modeling - Essays dedicated to Edward A. Lee on the Occasion of his 60th Birthday. Available at http://rebeca-lang.org/assets/papers/2017/Friendliness.pdf.
[29] spinroot (2018): Verifying Multi-threaded Software with Spin. http://spinroot.com/spin/whatispin.html.
[30] Maurice H. ter Beek, Alessandro Fantechi, Stefania Gnesi & Franco Mazzanti (2011): A state/event-based model-checking approach for the analysis of abstract system properties. Science of Computer Programming 76(2), pp. 119–135.
[31] CPN Tools (2018): CPN Tools Home Page. http://cpntools.org/.
[32] Uppsala University and Aalborg University (2015): UPPAAL Home Page.
[33] Modelling large railway interlockings and model checking small ones. In: Proceedings of the 26th Australasian computer science conference - Volume 16, Australian Computer Society, Inc., pp. 309–316.
Appendix A
This appendix includes the sequential models for the different tools (when a textual representation isavailable). The all these models, together with the other graphical models for CPN Tools and ProB, canbe retrieved from the MARS repository.14 TenDiverseFMsfor anATS module CADP_ONEWAY8SEQ is------------------------------------------------------------------------------type Train_Number isrange 0 .. 7 of natend type------------------------------------------------------------------------------type Train_Mission isarray [0 .. 6] of natend type------------------------------------------------------------------------------type Train_Constraint isarray [0 .. 6] of int -- actually, of range -1 .. 1end type------------------------------------------------------------------------------channel Movement is(Train : Train_Number)end channel------------------------------------------------------------------------------process MAIN [MOVE : Movement, ARRIVED : none] isvar P0, P1, P2, P3, P4, P5, P6, P7 : nat,RA, RB : int,LA, LB : int,T0, T1, T2, T3, T4, T5, T6, T7 : Train_Mission,A0, A1, A2, A3, A4, A5, A6, A7 : Train_Constraint,B0, B1, B2, B3, B4, B5, B6, B7 : Train_Constraintin P0 := 0;P1 := 0;P2 := 0;P3 := 0;P4 := 0;P5 := 0;P6 := 0;P7 := 0;RA := 1;RB := 1;LA := 7; -- limit for region ALB := 7; -- limit for region B-- ------------ train missions ------------T0 := Train_Mission ( 1, 9,10,13,15,20,23);T1 := Train_Mission ( 3, 9,10,13,15,20,24);T2 := Train_Mission ( 5,27,11,13,16,20,25);T3 := Train_Mission ( 7,27,11,13,16,20,26);T4 := Train_Mission (23,22,17,18,11, 9, 2);T5 := Train_Mission (24,22,17,18,11, 9, 4);T6 := Train_Mission (25,22,17,18,12,27, 6);T7 := Train_Mission (26,22,17,18,12,27, 8);-- ------------------------------------------- ----- region A: train constraints ------A0 := Train_Constraint ( 0, 0, 0, 1, 0,-1, 0);A1 := Train_Constraint ( 0, 0, 0, 1, 0,-1, 0); .Mazzanti &A.Ferrari 115
      A2 := Train_Constraint ( 0, 0, 1,-1, 0, 1, 0);
      A3 := Train_Constraint ( 0, 0, 1,-1, 0, 0, 0);
      A4 := Train_Constraint ( 0, 1, 0, 0,-1, 0, 0);
      A5 := Train_Constraint ( 0, 1, 0, 0,-1, 0, 0);
      A6 := Train_Constraint ( 0, 0, 0,-1, 0, 0, 0);
      A7 := Train_Constraint ( 0, 1, 0,-1, 0, 0, 0);
      -- -----------------------------------------
      -- ------ region B: train constraints ------
      B0 := Train_Constraint ( 0, 0, 0, 1, 0,-1, 0);
      B1 := Train_Constraint ( 0, 0, 0, 1, 0,-1, 0);
      B2 := Train_Constraint ( 0, 0, 1,-1, 0, 0, 0);
      B3 := Train_Constraint ( 0, 0, 1,-1, 0, 1, 0);
      B4 := Train_Constraint ( 0, 1, 0, 0,-1, 0, 0);
      B5 := Train_Constraint ( 0, 1, 0, 0,-1, 0, 0);
      B6 := Train_Constraint ( 0, 1, 0,-1, 0, 0, 0);
      B7 := Train_Constraint ( 0, 0, 0,-1, 0, 0, 0);
      -- -----------------------------------------
      loop
         select
            only if
               (P0 < 6) and
               (T0 [P0+1] != T1 [P1]) and   -- next place of train0 not occupied by train1
               (T0 [P0+1] != T2 [P2]) and   -- next place of train0 not occupied by train2
               (T0 [P0+1] != T3 [P3]) and
               (T0 [P0+1] != T4 [P4]) and
               (T0 [P0+1] != T5 [P5]) and
               (T0 [P0+1] != T6 [P6]) and
               (T0 [P0+1] != T7 [P7]) and   -- next place of train0 not occupied by train7
               (RA + A0 [P0+1] <= LA) and   -- progress of train0 does not saturate RA
               (RB + B0 [P0+1] <= LB)       -- progress of train0 does not saturate RB
            then
               MOVE (0 of Train_Number);
               P0 := P0 + 1;
               RA := RA + A0 [P0];
               RB := RB + B0 [P0]
            end if
         []
            only if
               (P1 < 6) and
               (T1 [P1+1] != T0 [P0]) and
               (T1 [P1+1] != T2 [P2]) and
               (T1 [P1+1] != T3 [P3]) and
               (T1 [P1+1] != T4 [P4]) and
               (T1 [P1+1] != T5 [P5]) and
               (T1 [P1+1] != T6 [P6]) and
               (T1 [P1+1] != T7 [P7]) and
               (RA + A1 [P1+1] <= LA) and
               (RB + B1 [P1+1] <= LB)
            then
               MOVE (1 of Train_Number);
               P1 := P1 + 1;
               RA := RA + A1 [P1];
               RB := RB + B1 [P1]
            end if
         []
            only if
               (P2 < 6) and
               (T2 [P2+1] != T0 [P0]) and
               (T2 [P2+1] != T1 [P1]) and
               (T2 [P2+1] != T3 [P3]) and
               (T2 [P2+1] != T4 [P4]) and
               (T2 [P2+1] != T5 [P5]) and
               (T2 [P2+1] != T6 [P6]) and
               (T2 [P2+1] != T7 [P7]) and
               (RA + A2 [P2+1] <= LA) and
               (RB + B2 [P2+1] <= LB)
            then
               MOVE (2 of Train_Number);
               P2 := P2 + 1;
               RA := RA + A2 [P2];
               RB := RB + B2 [P2]
            end if
         []
            only if
               (P3 < 6) and
               (T3 [P3+1] != T0 [P0]) and
               (T3 [P3+1] != T1 [P1]) and
               (T3 [P3+1] != T2 [P2]) and
               (T3 [P3+1] != T4 [P4]) and
               (T3 [P3+1] != T5 [P5]) and
               (T3 [P3+1] != T6 [P6]) and
               (T3 [P3+1] != T7 [P7]) and
               (RA + A3 [P3+1] <= LA) and
               (RB + B3 [P3+1] <= LB)
            then
               MOVE (3 of Train_Number);
               P3 := P3 + 1;
               RA := RA + A3 [P3];
               RB := RB + B3 [P3]
            end if
         []
            only if
               (P4 < 6) and
               (T4 [P4+1] != T0 [P0]) and
               (T4 [P4+1] != T1 [P1]) and
               (T4 [P4+1] != T2 [P2]) and
               (T4 [P4+1] != T3 [P3]) and
               (T4 [P4+1] != T5 [P5]) and
               (T4 [P4+1] != T6 [P6]) and
               (T4 [P4+1] != T7 [P7]) and
               (RA + A4 [P4+1] <= LA) and
               (RB + B4 [P4+1] <= LB)
            then
               MOVE (4 of Train_Number);
               P4 := P4 + 1;
               RA := RA + A4 [P4];
               RB := RB + B4 [P4]
            end if
         []
            only if
               (P5 < 6) and
               (T5 [P5+1] != T0 [P0]) and
               (T5 [P5+1] != T1 [P1]) and
               (T5 [P5+1] != T2 [P2]) and
               (T5 [P5+1] != T3 [P3]) and
               (T5 [P5+1] != T4 [P4]) and
               (T5 [P5+1] != T6 [P6]) and
               (T5 [P5+1] != T7 [P7]) and
               (RA + A5 [P5+1] <= LA) and
               (RB + B5 [P5+1] <= LB)
            then
               MOVE (5 of Train_Number);
               P5 := P5 + 1;
               RA := RA + A5 [P5];
               RB := RB + B5 [P5]
            end if
         []
            only if
               (P6 < 6) and
               (T6 [P6+1] != T0 [P0]) and
               (T6 [P6+1] != T1 [P1]) and
               (T6 [P6+1] != T2 [P2]) and
               (T6 [P6+1] != T3 [P3]) and
               (T6 [P6+1] != T4 [P4]) and
               (T6 [P6+1] != T5 [P5]) and
               (T6 [P6+1] != T7 [P7]) and
               (RA + A6 [P6+1] <= LA) and
               (RB + B6 [P6+1] <= LB)
            then
               MOVE (6 of Train_Number);
               P6 := P6 + 1;
               RA := RA + A6 [P6];
               RB := RB + B6 [P6]
            end if
         []
            only if
               (P7 < 6) and
               (T7 [P7+1] != T0 [P0]) and
               (T7 [P7+1] != T1 [P1]) and
               (T7 [P7+1] != T2 [P2]) and
               (T7 [P7+1] != T3 [P3]) and
               (T7 [P7+1] != T4 [P4]) and
               (T7 [P7+1] != T5 [P5]) and
               (T7 [P7+1] != T6 [P6]) and
               (RA + A7 [P7+1] <= LA) and
               (RB + B7 [P7+1] <= LB)
            then
               MOVE (7 of Train_Number);
               P7 := P7 + 1;
               RA := RA + A7 [P7];
               RB := RB + B7 [P7]
            end if
         []
            -- ALL TRAINS RUNNING
            only if (P0 == 6) and
                    (P1 == 6) and (P2 == 6) and (P3 == 6) and
                    (P4 == 6) and (P5 == 6) and (P6 == 6) and (P7 == 6)
            then
               ARRIVED
            end if
         end select
      end loop
   end var
end process

end module

--
-- lnt.open cadp_oneway8.lnt generator x
-- bcg_info x.bcg
--
-- 1_636_545 states
-- 7_134_233 transitions
--
-- time lnt.open cadp_oneway8small.lnt evaluator4 cadpafarr.mcl
-- cadpafarr.mcl == mu XXX.(([not ARRIVED] XXX) and (
-- > user 0m28.341s
-- > sys 0m1.078s
-- Evaluator4 Memory 78MB
--
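The scheduling kernel that every listing in this appendix encodes, one MOVE guard per train (its next place must be free of every other train and neither region counter may exceed its limit), as an added Python example. This is not code from the paper or from its MARS repository: it transcribes the missions and constraint vectors of the listings, exposes the guard together with the reason a train is held back, and runs an explicit-state search that reports deadlocks and decides the AG EF(arrived) property the NuSMV listing checks. The names `Scheduler`, `blocked_reason`, `run` and `explore`, and the `trains` parameter that runs only a subset of the eight missions, are this example's own; the subset mechanism goes beyond the listings, which always run all eight trains.

```python
"""Deadlock-avoiding train scheduler that all ten listings in this appendix encode."""
from collections import deque

# Mission and constraint data transcribed from the listings (G1,R1,Y1,B1,G2,R2,Y2,B2).
MISSIONS = [
    [ 1,  9, 10, 13, 15, 20, 23], [ 3,  9, 10, 13, 15, 20, 24],
    [ 5, 27, 11, 13, 16, 20, 25], [ 7, 27, 11, 13, 16, 20, 26],
    [23, 22, 17, 18, 11,  9,  2], [24, 22, 17, 18, 11,  9,  4],
    [25, 22, 17, 18, 12, 27,  6], [26, 22, 17, 18, 12, 27,  8],
]
# A0..A7 / B0..B7: +1 when the step enters the region, -1 when it leaves it.
REGION_A = [
    [0, 0, 0, 1, 0, -1, 0], [0, 0, 0, 1, 0, -1, 0], [0, 0, 1, -1, 0, 1, 0], [0, 0, 1, -1, 0, 0, 0],
    [0, 1, 0, 0, -1, 0, 0], [0, 1, 0, 0, -1, 0, 0], [0, 0, 0, -1, 0, 0, 0], [0, 1, 0, -1, 0, 0, 0],
]
REGION_B = [
    [0, 0, 0, 1, 0, -1, 0], [0, 0, 0, 1, 0, -1, 0], [0, 0, 1, -1, 0, 0, 0], [0, 0, 1, -1, 0, 1, 0],
    [0, 1, 0, 0, -1, 0, 0], [0, 1, 0, 0, -1, 0, 0], [0, 1, 0, -1, 0, 0, 0], [0, 0, 0, -1, 0, 0, 0],
]
LIMIT_A = LIMIT_B = 7      # LA, LB
INITIAL_A = INITIAL_B = 1  # RA, RB at start: Y2 and B2 already stand inside the regions
LAST_STEP = 6              # every mission has 7 places, indices 0..6


class Scheduler:
    """State = (tuple of train progresses, RA, RB); `trains` selects which missions run."""

    def __init__(self, trains=range(8)):
        self.trains = list(trains)

    def initial(self):
        return (tuple(0 for _ in self.trains), INITIAL_A, INITIAL_B)

    def blocked_reason(self, state, idx):
        """None if train self.trains[idx] may advance, else the guard that stops it."""
        pos, ra, rb = state
        t = self.trains[idx]
        if pos[idx] == LAST_STEP:
            return "mission completed"
        nxt = MISSIONS[t][pos[idx] + 1]
        for j, other in enumerate(self.trains):        # the next place must be free
            if j != idx and MISSIONS[other][pos[j]] == nxt:
                return "next place %d occupied by train %d" % (nxt, other)
        if ra + REGION_A[t][pos[idx] + 1] > LIMIT_A:   # region counters must not saturate
            return "region A saturated"
        if rb + REGION_B[t][pos[idx] + 1] > LIMIT_B:
            return "region B saturated"
        return None

    def enabled(self, state):
        return [t for i, t in enumerate(self.trains) if self.blocked_reason(state, i) is None]

    def step(self, state, train):
        # One MOVE of `train`: advance it and add its constraint entries to RA/RB.
        idx = self.trains.index(train)
        reason = self.blocked_reason(state, idx)
        if reason is not None:
            raise ValueError("train %d cannot move: %s" % (train, reason))
        pos, ra, rb = state
        new_pos = list(pos)
        new_pos[idx] += 1
        k = new_pos[idx]
        return (tuple(new_pos), ra + REGION_A[train][k], rb + REGION_B[train][k])

    def run(self, moves):
        state = self.initial()
        for train in moves:
            state = self.step(state, train)
        return state

    def explore(self):
        # Explicit-state search: reachable states, deadlocks, and the AG EF(arrived) check.
        init = self.initial()
        preds, finals, deadlocks = {init: []}, [], []
        queue = deque([init])
        while queue:
            s = queue.popleft()
            succ = [self.step(s, t) for t in self.enabled(s)]
            if all(p == LAST_STEP for p in s[0]):
                finals.append(s)
            elif not succ:            # nobody can move and the missions are not complete
                deadlocks.append(s)
            for n in succ:
                if n not in preds:
                    preds[n] = []
                    queue.append(n)
                preds[n].append(s)
        can_arrive = set(finals)      # backward closure of the arrived states
        queue = deque(finals)
        while queue:
            for p in preds[queue.popleft()]:
                if p not in can_arrive:
                    can_arrive.add(p)
                    queue.append(p)
        return {"states": len(preds), "deadlocks": deadlocks,
                "all_can_arrive": len(can_arrive) == len(preds)}


if __name__ == "__main__":
    # The tool logs in this appendix report about 1.6 million states for the full
    # eight-train instance; pure Python needs a minute or more to enumerate it.
    print(Scheduler([0, 1, 4, 5]).explore())
```

`blocked_reason` checks the guards in the order the listings write them, so the first failing guard is reported. From the initial state all eight trains are enabled; after train 0 moves to place 9, train 1 is held because 9 is occupied. Driving trains 4, 5 and 7 one step into region A, train 2 to its fifth step, train 0 to its fourth and train 1 to its third raises RA to the limit 7, after which train 3 is held on its second step by the region guard even though place 11 is free; that is the saturation case the listings' `RA + A3[P3+1] <= LA` conjunct exists for. The subset run of `explore` finishes instantly and reports no deadlock with every state able to reach the arrived state.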
T0 = < 1, 9,10,13,15,20,23>
T1 = < 3, 9,10,13,15,20,24>
T2 = < 5,27,11,13,16,20,25>
T3 = < 7,27,11,13,16,20,26>
T4 = <23,22,17,18,11, 9, 2>
T5 = <24,22,17,18,11, 9, 4>
T6 = <25,22,17,18,12,27, 6>
T7 = <26,22,17,18,12,27, 8>
------ region A: train constraints ------
A0 = < 0, 0, 0, 1, 0,-1, 0> -- G1
A1 = < 0, 0, 0, 1, 0,-1, 0> -- R1
A2 = < 0, 0, 1,-1, 0, 1, 0> -- Y1
A3 = < 0, 0, 1,-1, 0, 0, 0> -- B1
A4 = < 0, 1, 0, 0,-1, 0, 0> -- G2
A5 = < 0, 1, 0, 0,-1, 0, 0> -- R2
A6 = < 0, 0, 0,-1, 0, 0, 0> -- Y2
A7 = < 0, 1, 0,-1, 0, 0, 0> -- B2
------------------------------------------
------ region B: train constraints ------
B0 = < 0, 0, 0, 1, 0,-1, 0> -- G1
B1 = < 0, 0, 0, 1, 0,-1, 0> -- R1
B2 = < 0, 0, 1,-1, 0, 0, 0> -- Y1
B3 = < 0, 0, 1,-1, 0, 1, 0> -- B1
B4 = < 0, 1, 0, 0,-1, 0, 0> -- G2
B5 = < 0, 1, 0, 0,-1, 0, 0> -- R2
B6 = < 0, 1, 0,-1, 0, 0, 0> -- Y2
B7 = < 0, 0, 0,-1, 0, 0, 0> -- B2
------------------------------------------
LA = 7
LB = 7

el(y,x) = if x==0 then head(y) else el(tail(y),x-1)

--channel move:{1..27}.{1..27}.{ -1..1}.{ -1..1}
channel move
channel arrived

AllTrains (P0, P1, P2, P3, P4, P5, P6, P7, RA, RB) =
   (P0 < 6 and                     -- train0 has not yet reached all the steps of its mission
    el(T0,P0+1) != el(T1,P1) and   -- next place of train0 not occupied by train1
    el(T0,P0+1) != el(T2,P2) and   -- next place of train0 not occupied by train2
    el(T0,P0+1) != el(T3,P3) and
    el(T0,P0+1) != el(T4,P4) and
    el(T0,P0+1) != el(T5,P5) and
    el(T0,P0+1) != el(T6,P6) and
    el(T0,P0+1) != el(T7,P7) and   -- next place of train0 not occupied by train7
    RA + el(A0,P0+1) <= LA and     -- progress of train0 does not saturate RA
    RB + el(B0,P0+1) <= LB         -- progress of train0 does not saturate RB
   ) & move -> AllTrains(P0+1,P1,P2,P3,P4,P5,P6,P7,RA+el(A0,P0+1),RB+el(B0,P0+1))
   []
   (P1 < 6 and
    el(T1,P1+1) != el(T0,P0) and
    el(T1,P1+1) != el(T2,P2) and
    el(T1,P1+1) != el(T3,P3) and
    el(T1,P1+1) != el(T4,P4) and
    el(T1,P1+1) != el(T5,P5) and
    el(T1,P1+1) != el(T6,P6) and
    el(T1,P1+1) != el(T7,P7) and
    RA + el(A1,P1+1) <= LA and
    RB + el(B1,P1+1) <=
    LB
   ) & move -> AllTrains(P0,P1+1,P2,P3,P4,P5,P6,P7,RA+el(A1,P1+1),RB+el(B1,P1+1))
   []
   (P2 < 6 and
    el(T2,P2+1) != el(T0,P0) and
    el(T2,P2+1) != el(T1,P1) and
    el(T2,P2+1) != el(T3,P3) and
    el(T2,P2+1) != el(T4,P4) and
    el(T2,P2+1) != el(T5,P5) and
    el(T2,P2+1) != el(T6,P6) and
    el(T2,P2+1) != el(T7,P7) and
    RA + el(A2,P2+1) <= LA and
    RB + el(B2,P2+1) <= LB
   ) & move -> AllTrains(P0,P1,P2+1,P3,P4,P5,P6,P7,RA+el(A2,P2+1),RB+el(B2,P2+1))
   []
   (P3 < 6 and
    el(T3,P3+1) != el(T0,P0) and
    el(T3,P3+1) != el(T1,P1) and
    el(T3,P3+1) != el(T2,P2) and
    el(T3,P3+1) != el(T4,P4) and
    el(T3,P3+1) != el(T5,P5) and
    el(T3,P3+1) != el(T6,P6) and
    el(T3,P3+1) != el(T7,P7) and
    RA + el(A3,P3+1) <= LA and
    RB + el(B3,P3+1) <= LB
   ) & move -> AllTrains(P0,P1,P2,P3+1,P4,P5,P6,P7,RA+el(A3,P3+1),RB+el(B3,P3+1))
   []
   (P4 < 6 and
    el(T4,P4+1) != el(T0,P0) and
    el(T4,P4+1) != el(T1,P1) and
    el(T4,P4+1) != el(T2,P2) and
    el(T4,P4+1) != el(T3,P3) and
    el(T4,P4+1) != el(T5,P5) and
    el(T4,P4+1) != el(T6,P6) and
    el(T4,P4+1) != el(T7,P7) and
    RA + el(A4,P4+1) <= LA and
    RB + el(B4,P4+1) <= LB
   ) & move -> AllTrains(P0,P1,P2,P3,P4+1,P5,P6,P7,RA+el(A4,P4+1),RB+el(B4,P4+1))
   []
   (P5 < 6 and
    el(T5,P5+1) != el(T0,P0) and
    el(T5,P5+1) != el(T1,P1) and
    el(T5,P5+1) != el(T2,P2) and
    el(T5,P5+1) != el(T3,P3) and
    el(T5,P5+1) != el(T4,P4) and
    el(T5,P5+1) != el(T6,P6) and
    el(T5,P5+1) != el(T7,P7) and
    RA + el(A5,P5+1) <= LA and
    RB + el(B5,P5+1) <= LB
   ) & move -> AllTrains(P0,P1,P2,P3,P4,P5+1,P6,P7,RA+el(A5,P5+1),RB+el(B5,P5+1))
   []
   (P6 < 6 and
    el(T6,P6+1) != el(T0,P0) and
    el(T6,P6+1) != el(T1,P1) and
    el(T6,P6+1) != el(T2,P2) and
    el(T6,P6+1) != el(T3,P3) and
    el(T6,P6+1) != el(T4,P4) and
    el(T6,P6+1) != el(T5,P5) and
    el(T6,P6+1) != el(T7,P7) and
    RA + el(A6,P6+1) <= LA and
    RB + el(B6,P6+1) <= LB
   ) & move -> AllTrains(P0,P1,P2,P3,P4,P5,P6+1,P7,RA+el(A6,P6+1),RB+el(B6,P6+1))
   []
   (P7 < 6 and
    el(T7,P7+1) != el(T0,P0) and
    el(T7,P7+1) != el(T1,P1) and
    el(T7,P7+1) != el(T2,P2) and
    el(T7,P7+1) != el(T3,P3) and
    el(T7,P7+1) != el(T4,P4) and
    el(T7,P7+1) != el(T5,P5) and
    el(T7,P7+1) != el(T6,P6) and
    RA + el(A7,P7+1) <= LA and
    RB + el(B7,P7+1) <= LB
   ) & move -> AllTrains(P0,P1,P2,P3,P4,P5,P6,P7+1,RA+el(A7,P7+1),RB+el(B7,P7+1))
   []
   ((P0 == 6) and (P1 == 6) and (P2 == 6) and (P3 == 6) and
    (P4 == 6) and (P5 == 6) and (P6 == 6) and (P7 == 6)
   ) & arrived -> STOP

--------------------------
ASYS = AllTrains(0,0,0,0,0,0,0,0, 1,1) \ {move}
--------------------------
-- compression is helpful for two verifications/visualization
-- NSYS = normal(ASYS)
-- assert SPEC [FD= NSYS
--------------------------
SPEC = arrived -> STOP
--------------------------
assert SPEC [FD= ASYS
-- -------- verification process : ---------------
-- time refines --refinement-storage-file-path swapdir fdr4_oneway8seq.txt

%--------------------------------------------------------------
% T0 := [ 1, 9,10,13,15,20,23,22]; -- G1
% T1 := [ 3, 9,10,13,15,20,24,22]; -- R1
% T2 := [ 5,27,11,13,16,20,25,22]; -- Y1
% T3 := [ 7,27,11,13,16,20,26,22]; -- B1
% T4 := [23,22,17,18,11, 9, 2, 1]; -- G2
% T5 := [24,22,17,18,11, 9, 4, 3]; -- R2
% T6 := [25,22,17,18,12,27, 6, 5]; -- Y2
% T7 := [26,22,17,18,12,27, 8, 7]; -- B2
%--------------------------------------------------------------
map T0: Nat -> Nat;
eqn T0(0)= 1; T0(1)= 9; T0(2)=10; T0(3)=13; T0(4)=15; T0(5)=20; T0(6)=23;
map T1: Nat -> Nat;
eqn T1(0)= 3; T1(1)= 9; T1(2)=10; T1(3)=13; T1(4)=15; T1(5)=20; T1(6)=24;
map T2: Nat -> Nat;
eqn T2(0)= 5; T2(1)=27; T2(2)=11; T2(3)=13; T2(
    4)=16; T2(5)=20; T2(6)=25;
map T3: Nat -> Nat;
eqn T3(0)= 7; T3(1)=27; T3(2)=11; T3(3)=13; T3(4)=16; T3(5)=20; T3(6)=26;
map T4: Nat -> Nat;
eqn T4(0)=23; T4(1)=22; T4(2)=17; T4(3)=18; T4(4)=11; T4(5)= 9; T4(6)= 2;
map T5: Nat -> Nat;
eqn T5(0)=24; T5(1)=22; T5(2)=17; T5(3)=18; T5(4)=11; T5(5)= 9; T5(6)= 4;
map T6: Nat -> Nat;
eqn T6(0)=25; T6(1)=22; T6(2)=17; T6(3)=18; T6(4)=12; T6(5)=27; T6(6)= 6;
map T7: Nat -> Nat;
eqn T7(0)=26; T7(1)=22; T7(2)=17; T7(3)=18; T7(4)=12; T7(5)=27; T7(6)= 8;
% ------ region A: train constraints ------
%           0  1  2  3  4  5  6
% A0 := [ 0, 0, 0, 1, 0,-1, 0]; -- G1
% A1 := [ 0, 0, 0, 1, 0,-1, 0]; -- R1
% A2 := [ 0, 0, 1,-1, 0, 1, 0]; -- Y1
% A3 := [ 0, 0, 1,-1, 0, 0, 0]; -- B1
% A4 := [ 0, 1, 0, 0,-1, 0, 0]; -- G2
% A5 := [ 0, 1, 0, 0,-1, 0, 0]; -- R2
% A6 := [ 0, 0, 0,-1, 0, 0, 0]; -- Y2
% A7 := [ 0, 1, 0,-1, 0, 0, 0]; -- B2
% ------------------------------------------
map LA: Nat;   % limit for region A
eqn LA = 7;
map A0: Nat -> Int;
eqn A0(0)=0; A0(1)=0; A0(2)=0; A0(3)= 1; A0(4)= 0; A0(5)=-1; A0(6)=0;
map A1: Nat -> Int;
eqn A1(0)=0; A1(1)=0; A1(2)=0; A1(3)= 1; A1(4)= 0; A1(5)=-1; A1(6)=0;
map A2: Nat -> Int;
eqn A2(0)=0; A2(1)=0; A2(2)= 1; A2(3)=-1; A2(4)=0; A2(5)= 1; A2(6)=0;
map A3: Nat -> Int;
eqn A3(0)=0; A3(1)=0; A3(2)= 1; A3(3)=-1; A3(4)=0; A3(5)= 0; A3(6)=0;
map A4: Nat -> Int;
eqn A4(0)=0; A4(1)=1; A4(2)=0; A4(3)= 0; A4(4)=-1; A4(5)= 0; A4(6)=0;
map A5: Nat -> Int;
eqn A5(0)=0; A5(1)=1; A5(2)=0; A5(3)= 0; A5(4)=-1; A5(5)= 0; A5(6)=0;
map A6: Nat -> Int;
eqn A6(0)=0; A6(1)=0; A6(2)=0; A6(3)=-1; A6(4)= 0; A6(5)= 0; A6(6)=0;
map A7: Nat -> Int;
eqn A7(0)=0; A7(1)=1; A7(2)=0; A7(3)=-1; A7(4)= 0; A7(5)= 0; A7(6)=0;
% ------- region B: train constraints ------
%           0  1  2  3  4  5  6
% B0 := [ 0, 0, 0, 1, 0,-1, 0]; -- G1
% B1 := [ 0, 0, 0, 1, 0,-1, 0]; -- R1
% B2 := [ 0, 0, 1,-1, 0, 0, 0]; -- Y1
% B3 := [ 0, 0, 1,-1, 0, 1, 0]; -- B1
% B4 := [ 0, 1, 0, 0,-1, 0, 0]; -- G2
% B5 := [ 0, 1, 0, 0,-1, 0, 0]; -- R2
% B6 := [ 0, 1, 0,-1, 0, 0, 0]; -- Y2
% B7 := [ 0, 0, 0,-1, 0, 0, 0]; -- B2
% ------------------------------------------
map LB: Nat;   % limit for region B
eqn LB = 7;
map B0: Nat -> Int;
eqn B0(0)=0; B0(1)=0; B0(2)=0; B0(3)= 1; B0(4)= 0; B0(5)=-1; B0(6)=0;
map B1: Nat -> Int;
eqn B1(0)=0; B1(1)=0; B1(2)=0; B1(3)= 1; B1(4)= 0; B1(5)=-1; B1(6)=0;
map B2: Nat -> Int;
eqn B2(0)=0; B2(1)=0; B2(2)= 1; B2(3)=-1; B2(4)=0; B2(5)= 0; B2(6)=0;
map B3: Nat -> Int;
eqn B3(0)=0; B3(1)=0; B3(2)= 1; B3(3)=-1; B3(4)=0; B3(5)= 1; B3(6)=0;
map B4: Nat -> Int;
eqn B4(0)=0; B4(1)=1; B4(2)=0; B4(3)= 0; B4(4)=-1; B4(5)= 0; B4(6)=0;
map B5: Nat -> Int;
eqn B5(0)=0; B5(1)=1; B5(2)=0; B5(3)= 0; B5(4)=-1; B5(5)= 0; B5(6)=0;
map B6: Nat -> Int;
eqn B6(0)=0; B6(1)=1; B6(2)=0; B6(3)=-1; B6(4)= 0; B6(5)= 0; B6(6)=0;
map B7: Nat -> Int;
eqn B7(0)=0; B7(1)=0; B7(2)=0; B7(3)=-1; B7(4)= 0; B7(5)= 0; B7(6)=0;

act arrived;
    move: Nat;

proc AllTrains(P0:Nat,P1:Nat,P2:Nat,P3:Nat,P4:Nat,P5:Nat,P6:Nat,P7:Nat,RA:Int,RB:Int) =
    (P0 < 6 &&                 % train0 has not yet reached all the steps of its mission
     T0(P0+1) != T1(P1) &&     % next place of train0 not occupied by train1
     T0(P0+1) != T2(P2) &&     % next place of train0 not occupied by train2
     T0(P0+1) != T3(P3) &&
     T0(P0+1) != T4(P4) &&
     T0(P0+1) != T5(P5) &&
     T0(P0+1) != T6(P6) &&
     T0(P0+1) != T7(P7) &&     % next place of train0 not occupied by train7
     RA + A0(P0+1) <= LA &&    % progress of train0 does not saturate RA
     RB + B0(P0+1) <= LB       % progress of train0 does not saturate RB
    ) -> move(0) .
         AllTrains(P0+1,P1,P2,P3,P4,P5,P6,P7,RA+A0(P0+1),RB+B0(P0+1))
  + (P1 < 6 &&
     T1(P1+1) != T0(P0) &&
     T1(P1+1) != T2(P2) &&
     T1(P1+1) != T3(P3) &&
     T1(P1+1) != T4(P4) &&
     T1(P1+1) != T5(P5) &&
     T1(P1+1) != T6(P6) &&
     T1(P1+1) != T7(P7) &&
     RA + A1(P1+1) <= LA &&
     RB + B1(P1+1) <= LB
    ) -> move(1) . AllTrains(P0,P1+1,P2,P3,P4,P5,P6,P7,RA+A1(P1+1),RB+B1(P1+1))
  + (P2 < 6 &&
     T2(P2+1) != T0(P0) &&
     T2(P2+1) != T1(P1) &&
     T2(P2+1) != T3(P3) &&
     T2(P2+1) != T4(P4) &&
     T2(P2+1) != T5(P5) &&
     T2(P2+1) != T6(P6) &&
     T2(P2+1) != T7(P7) &&
     RA + A2(P2+1) <= LA &&
     RB + B2(P2+1) <= LB
    ) -> move(2) . AllTrains(P0,P1,P2+1,P3,P4,P5,P6,P7,RA+A2(P2+1),RB+B2(P2+1))
  + (P3 < 6 &&
     T3(P3+1) != T0(P0) &&
     T3(P3+1) != T1(P1) &&
     T3(P3+1) != T2(P2) &&
     T3(P3+1) != T4(P4) &&
     T3(P3+1) != T5(P5) &&
     T3(P3+1) != T6(P6) &&
     T3(P3+1) != T7(P7) &&
     RA + A3(P3+1) <= LA &&
     RB + B3(P3+1) <= LB
    ) -> move(3) . AllTrains(P0,P1,P2,P3+1,P4,P5,P6,P7,RA+A3(P3+1),RB+B3(P3+1))
  + (P4 < 6 &&
     T4(P4+1) != T0(P0) &&
     T4(P4+1) != T1(P1) &&
     T4(P4+1) != T2(P2) &&
     T4(P4+1) != T3(P3) &&
     T4(P4+1) != T5(P5) &&
     T4(P4+1) != T6(P6) &&
     T4(P4+1) != T7(P7) &&
     RA + A4(P4+1) <= LA &&
     RB + B4(P4+1) <= LB
    ) -> move(4) . AllTrains(P0,P1,P2,P3,P4+1,P5,P6,P7,RA+A4(P4+1),RB+B4(P4+1))
  + (P5 < 6 &&
     T5(P5+1) != T0(P0) &&
     T5(P5+1) != T1(P1) &&
     T5(P5+1) != T2(P2) &&
     T5(P5+1) != T3(P3) &&
     T5(P5+1) != T4(P4) &&
     T5(P5+1) != T6(P6) &&
     T5(P5+1) != T7(P7) &&
     RA + A5(P5+1) <= LA &&
     RB + B5(P5+1) <= LB
    ) -> move(5) . AllTrains(P0,P1,P2,P3,P4,P5+1,P6,P7,RA+A5(P5+1),RB+B5(P5+1))
  + (P6 < 6 &&
     T6(P6+1) != T0(P0) &&
     T6(P6+1) != T1(P1) &&
     T6(P6+1) != T2(P2) &&
     T6(P6+1) != T3(P3) &&
     T6(P6+1) != T4(P4) &&
     T6(P6+1) != T5(P5) &&
     T6(P6+1) != T7(P7) &&
     RA + A6(P6+1) <= LA &&
     RB + B6(P6+1) <= LB
    ) -> move(6) . AllTrains(P0,P1,P2,P3,P4,P5,P6+1,P7,RA+A6(P6+1),RB+B6(P6+1))
  + (P7 < 6 &&
     T7(P7+1) != T0(P0) &&
     T7(P7+1) != T1(P1) &&
     T7(P7+1) != T2(P2) &&
     T7(P7+1) != T3(P3) &&
     T7(P7+1) != T4(P4) &&
     T7(P7+1) != T5(P5) &&
     T7(P7+1) != T6(P6) &&
     RA + A7(P7+1) <= LA &&
     RB + B7(P7+1) <= LB
    ) -> move(7) . AllTrains(P0,P1,P2,P3,P4,P5,P6,P7+1,RA+A7(P7+1),RB+B7(P7+1))
  + ((P0 == 6) && (P1 == 6) && (P2 == 6) && (P3 == 6) &&
     (P4 == 6) && (P5 == 6) && (P6 == 6) && (P7 == 6)
    ) -> arrived . AllTrains(P0,P1,P2,P3,P4,P5,P6,P7,RA,RB);

init AllTrains(0,0,0,0,0,0,0,0, 1,1);

%%%%%%%%%%% verification process : %%%%%%%%%%%%%%%%%%
% mcrl22lps mcrl2_oneway8seq.txt temp.lps
% lps2pbes -fformula.mcf temp.lps temp.pbes
% formula.mcf= "mu X.(([!arrived]X) && (
    A6 : 0..6 --> -1..1 &
    A7 : 0..6 --> -1..1 &
    B0 : 0..6 --> -1..1 &
    B1 : 0..6 --> -1..1 &
    B2 : 0..6 --> -1..1 &
    B3 : 0..6 --> -1..1 &
    B4 : 0..6 --> -1..1 &
    B5 : 0..6 --> -1..1 &
    B6 : 0..6 --> -1..1 &
    B7 : 0..6 --> -1..1 &
    T0(0)= 1 & T0(1)= 9 & T0(2)=10 & T0(3)=13 & T0(4)=15 & T0(5)=20 & T0(6)=23 &
    T1(0)= 3 & T1(1)= 9 & T1(2)=10 & T1(3)=13 & T1(4)=15 & T1(5)=20 & T1(6)=24 &
    T2(0)= 5 & T2(1)=27 & T2(2)=11 & T2(3)=13 & T2(4)=16 & T2(5)=20 & T2(6)=25 &
    T3(0)= 7 & T3(1)=27 & T3(2)=11 & T3(3)=13 & T3(4)=16 & T3(5)=20 & T3(6)=26 &
    T4(0)=23 & T4(1)=22 & T4(2)=17 & T4(3)=18 & T4(4)=11 & T4(5)= 9 & T4(6)= 2 &
    T5(0)=24 & T5(1)=22 & T5(2)=17 & T5(3)=18 & T5(4)=11 & T5(5)= 9 & T5(6)= 4 &
    T6(0)=25 & T6(1)=22 & T6(2)=17 & T6(3)=18 & T6(4)=12 & T6(5)=27 & T6(6)= 6 &
    T7(0)=26 & T7(1)=22 & T7(2)=17 & T7(3)=18 & T7(4)=12 & T7(5)=27 & T7(6)= 8 &
    A0(0)=0 & A0(1)=0 & A0(2)=0 & A0(3)= 1 & A0(4)= 0 & A0(5)=-1 & A0(6)=0 &
    A1(0)=0 & A1(1)=0 & A1(2)=0 & A1(3)= 1 & A1(4)= 0 & A1(5)=-1 & A1(6)=0 &
    A2(0)=0 & A2(1)=0 & A2(2)=1 & A2(3)=-1 & A2(4)= 0 & A2(5)= 1 & A2(6)=0 &
    A3(0)=0 & A3(1)=0 & A3(2)=1 & A3(3)=-1 & A3(4)= 0 & A3(5)= 0 & A3(6)=0 &
    A4(0)=0 & A4(1)=1 & A4(2)=0 & A4(3)= 0 & A4(4)=-1 & A4(5)= 0 & A4(6)=0 &
    A5(0)=0 & A5(1)=1 & A5(2)=0 & A5(3)= 0 & A5(4)=-1 & A5(5)= 0 & A5(6)=0 &
    A6(0)=0 & A6(1)=0 & A6(2)=0 & A6(3)=-1 & A6(4)= 0 & A6(5)= 0 & A6(6)=0 &
    A7(0)=0 & A7(1)=1 & A7(2)=0 & A7(3)=-1 & A7(4)= 0 & A7(5)= 0 & A7(6)=0 &
    B0(0)=0 & B0(1)=0 & B0(2)=0 & B0(3)= 1 & B0(4)= 0 & B0(5)=-1 & B0(6)=0 &
    B1(0)=0 & B1(1)=0 & B1(2)=0 & B1(3)= 1 & B1(4)= 0 & B1(5)=-1 & B1(6)=0 &
    B2(0)=0 & B2(1)=0 & B2(2)=1 & B2(3)=-1 & B2(4)= 0 & B2(5)= 0 & B2(6)=0 &
    B3(0)=0 & B3(1)=0 & B3(2)=1 & B3(3)=-1 & B3(4)= 0 & B3(5)= 1 & B3(6)=0 &
    B4(0)=0 & B4(1)=1 & B4(2)=0 & B4(3)= 0 & B4(4)=-1 & B4(5)= 0 & B4(6)=0 &
    B5(0)=0 & B5(1)=1 & B5(2)=0 & B5(3)= 0 & B5(4)=-1 & B5(5)= 0 & B5(6)=0 &
    B6(0)=0 & B6(1)=1 & B6(2)=0 & B6(3)=-1 & B6(4)= 0 & B6(5)= 0 & B6(6)=0 &
    B7(0)=0 & B7(1)=0 & B7(2)=0 & B7(3)=-1 & B7(4)= 0 & B7(5)= 0 & B7(6)=0 &
    LA=7 &
    LB=7
VARIABLES
    P0,P1,P2,P3,P4,P5,P6,P7,RA,RB
INVARIANT
    P0:0..6 & P1:0..6 & P2:0..6 & P3:0..6 & P4:0..6 & P5:0..6 & P6:0..6 & P7:0..6 &
    RA:0..8 & RB:0..8
INITIALISATION
    P0:=0; P1:=0; P2:=0; P3:=0; P4:=0; P5:=0; P6:=0; P7:=0; RA:=1; RB:=1
OPERATIONS
  move0 =
    PRE P0<6 &
        T0(P0+1) /= T1(P1) &
        T0(P0+1) /= T2(P2) &
        T0(P0+1) /= T3(P3) &
        T0(P0+1) /= T4(P4) &
        T0(P0+1) /= T5(P5) &
        T0(P0+1) /= T6(P6) &
        T0(P0+1) /= T7(P7) &
        RA + A0(P0+1) <= LA &
        RB + B0(P0+1) <= LB
    THEN
        P0 := P0+1;
        RA := RA + A0(P0);
        RB := RB + B0(P0)
    END ;
  move1 =
    PRE P1<6 &
        T1(P1+1) /= T0(P0) &
        T1(P1+1) /= T2(P2) &
        T1(P1+1) /= T3(P3) &
        T1(P1+1) /= T4(P4) &
        T1(P1+1) /= T5(P5) &
        T1(P1+1) /= T6(P6) &
        T1(P1+1) /= T7(P7) &
        RA + A1(P1+1) <= LA &
        RB + B1(P1+1) <= LB
    THEN
        P1 := P1+1;
        RA := RA + A1(P1);
        RB := RB + B1(P1)
    END ;
  move2 =
    PRE P2<6 &
        T2(P2+1) /= T0(P0) &
        T2(P2+1) /= T1(P1) &
        T2(P2+1) /= T3(P3) &
        T2(P2+1) /= T4(P4) &
        T2(P2+1) /= T5(P5) &
        T2(P2+1) /= T6(P6) &
        T2(P2+1) /= T7(P7) &
        RA + A2(P2+1) <= LA &
        RB + B2(P2+1) <= LB
    THEN
        P2 := P2+1;
        RA := RA + A2(P2);
        RB := RB + B2(P2)
    END ;
  move3 =
    PRE P3<6 &
        T3(P3+1) /= T0(P0) &
        T3(P3+1) /= T1(P1) &
        T3(P3+1) /= T2(P2) &
        T3(P3+1) /= T4(P4) &
        T3(P3+1) /= T5(P5) &
        T3(P3+1) /= T6(P6) &
        T3(P3+1) /= T7(P7) &
        RA + A3(P3+1) <= LA &
        RB + B3(P3+1) <= LB
    THEN
        P3 := P3+1;
        RA := RA + A3(P3);
        RB := RB + B3(P3)
    END ;
  move4 =
    PRE P4<6 &
        T4(P4+1) /= T0(P0) &
        T4(P4+1) /= T1(P1) &
        T4(P4+1) /= T2(P2) &
        T4(P4+1) /= T3(P3) &
        T4(P4+1) /= T5(P5) &
        T4(P4+1) /= T6(P6) &
        T4(P4+1) /= T7(P7) &
        RA + A4(P4+1) <= LA &
        RB + B4(P4+1) <= LB
    THEN
        P4 := P4+1;
        RA := RA + A4(P4);
        RB := RB + B4(P4)
    END ;
  move5 =
    PRE P5<6 &
        T5(P5+1) /= T0(P0) &
        T5(P5+1) /= T1(P1) &
        T5(P5+1) /= T2(P2) &
        T5(P5+1) /= T3(P3) &
        T5(P5+1) /= T4(P4) &
        T5(P5+1) /= T6(P6) &
        T5(P5+1) /= T7(P7) &
        RA + A5(P5+1) <= LA &
        RB + B5(P5+1) <= LB
    THEN
        P5 := P5+1;
        RA := RA + A5(P5);
        RB := RB + B5(P5)
    END ;
  move6 =
    PRE P6<6 &
        T6(P6+1) /= T0(P0) &
        T6(P6+1) /= T1(P1) &
        T6(P6+1) /= T2(P2) &
        T6(P6+1) /= T3(P3) &
        T6(P6+1) /= T4(P4) &
        T6(P6+1) /= T5(P5) &
        T6(P6+1) /= T7(P7) &
        RA + A6(P6+1) <= LA &
        RB + B6(P6+1) <= LB
    THEN
        P6 := P6+1;
        RA := RA + A6(P6);
        RB := RB + B6(P6)
    END ;
  move7 =
    PRE P7<6 &
        T7(P7+1) /= T0(P0) &
        T7(P7+1) /= T1(P1) &
        T7(P7+1) /= T2(P2) &
        T7(P7+1) /= T3(P3) &
        T7(P7+1) /= T4(P4) &
        T7(P7+1) /= T5(P5) &
        T7(P7+1) /= T6(P6) &
        RA + A7(P7+1) <= LA &
        RB + B7(P7+1) <= LB
    THEN
        P7 := P7+1;
        RA := RA + A7(P7);
        RB := RB + B7(P7)
    END ;
  arrived =
    PRE
        P0=6 & P1=6 & P2=6 & P3=6 & P4=6 & P5=6 & P6=6 & P7=6
    THEN
        skip
    END
END

//--------------------
// SEARCHING DEADLOCKS: 1_636_547 states, 7_134_235 trans. TIME 32 min VMEM 3 GB
//-------------------
MODULE main
------- train missions ------------------
DEFINE
  T0 := [ 1, 9,10,13,15,20,23]; -- G1
  T1 := [ 3, 9,10,13,15,20,24]; -- R1
  T2 := [ 5,27,11,13,16,20,25]; -- Y1
  T3 := [ 7,27,11,13,16,20,26]; -- B1
  T4 := [23,22,17,18,11, 9, 2]; -- G2
  T5 := [24,22,17,18,11, 9, 4]; -- R2
  T6 := [25,22,17,18,12,27, 6]; -- Y2
  T7 := [26,22,17,18,12,27, 8]; -- B2
  ------ region A: train constraints ------
  A0 := [ 0, 0, 0, 1, 0,-1, 0]; -- G1
  A1 := [ 0, 0, 0, 1, 0,-1, 0]; -- R1
  A2 := [ 0, 0, 1,-1, 0, 1, 0]; -- Y1
  A3 := [ 0, 0, 1,-1, 0, 0, 0]; -- B1
  A4 := [ 0, 1, 0, 0,-1, 0, 0]; -- G2
  A5 := [ 0, 1, 0, 0,-1, 0, 0]; -- R2
  A6 := [ 0, 0, 0,-1, 0, 0, 0]; -- Y2
  A7 := [ 0, 1, 0,-1, 0, 0, 0]; -- B2
  ------------------------------------------
  ------ region B: train constraints ------
  B0 := [ 0, 0, 0, 1, 0,-1, 0]; -- G1
  B1 := [ 0, 0, 0, 1, 0,-1, 0]; -- R1
  B2 := [ 0, 0, 1,-1, 0, 0, 0]; -- Y1
  B3 := [ 0, 0, 1,-1, 0, 1, 0]; -- B1
  B4 := [ 0, 1, 0, 0,-1, 0, 0]; -- G2
  B5 := [ 0, 1, 0, 0,-1, 0, 0]; -- R2
  B6 := [ 0, 1, 0,-1, 0, 0, 0]; -- Y2
  B7 := [ 0, 0, 0,-1, 0, 0, 0]; -- B2
  ------------------------------------------
  LA := 7;
  LB := 7;
IVAR
  -- (unfair) selector of the train transition
  RUNNING: {0,1,2,3,4,5,6,7};
VAR
  -- vector of train progresses in the execution of their missions
  P0: 0..6;
  P1: 0..6;
  P2: 0..6;
  P3: 0..6;
  P4: 0..6;
  P5: 0..6;
  P6: 0..6;
  P7: 0..6;
  ------ the occupation status for regions A and B
  RA: 0..8;
  RB: 0..8;
ASSIGN
  -- the initial vector of train progresses
  init(P0) := 0;
  init(P1) := 0;
  init(P2) := 0;
  init(P3) := 0;
  init(P4) := 0;
  init(P5) := 0;
  init(P6) := 0;
  init(P7) := 0;
  --
  -- the initial occupation status for regions A and B
  init(RA) := 1;
  init(RB) := 1;
TRANS
  -- progression rules for the evolving train 0
  RUNNING = 0 &
  -- the current train has not yet completed its mission
  P0 < 6 &
  --
  -- the next place is not occupied by other trains
  T0[P0+1] != T1[P1] &
  T0[P0+1] != T2[P2] &
  T0[P0+1] != T3[P3] &
  T0[P0+1] != T4[P4] &
  T0[P0+1] != T5[P5] &
  T0[P0+1] != T6[P6] &
  T0[P0+1] != T7[P7] &
  --
  -- the progression step of the train satisfies all constraints
  RA + A0[P0+1] <= LA &
  RB + B0[P0+1] <= LB
  ?
  next(P0) in (P0+1) &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in (RA + A0[P0+1]) &
  next(RB) in (RB + B0[P0+1])
  :
  RUNNING = 1 &
  P1 < 6 &
  T1[P1+1] != T0[P0] &
  T1[P1+1] != T2[P2] &
  T1[P1+1] != T3[P3] &
  T1[P1+1] != T4[P4] &
  T1[P1+1] != T5[P5] &
  T1[P1+1] != T6[P6] &
  T1[P1+1] != T7[P7] &
  RA + A1[P1+1] <= LA &
  RB + B1[P1+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in (P1+1) &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in (RA + A1[P1+1]) &
  next(RB) in (RB + B1[P1+1])
  :
  RUNNING = 2 &
  P2 < 6 &
  T2[P2+1] != T0[P0] &
  T2[P2+1] != T1[P1] &
  T2[P2+1] != T3[P3] &
  T2[P2+1] != T4[P4] &
  T2[P2+1] != T5[P5] &
  T2[P2+1] != T6[P6] &
  T2[P2+1] != T7[P7] &
  RA + A2[P2+1] <= LA &
  RB + B2[P2+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in (P2+1) &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in (RA + A2[P2+1]) &
  next(RB) in (RB + B2[P2+1])
  :
  RUNNING = 3 &
  P3 < 6 &
  T3[P3+1] != T0[P0] &
  T3[P3+1] != T1[P1] &
  T3[P3+1] != T2[P2] &
  T3[P3+1] != T4[P4] &
  T3[P3+1] != T5[P5] &
  T3[P3+1] != T6[P6] &
  T3[P3+1] != T7[P7] &
  RA + A3[P3+1] <= LA &
  RB + B3[P3+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in (P3+1) &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in (RA + A3[P3+1]) &
  next(RB) in (RB + B3[P3+1])
  :
  RUNNING = 4 &
  P4 < 6 &
  T4[P4+1] != T0[P0] &
  T4[P4+1] != T1[P1] &
  T4[P4+1] != T2[P2] &
  T4[P4+1] != T3[P3] &
  T4[P4+1] != T5[P5] &
  T4[P4+1] != T6[P6] &
  T4[P4+1] != T7[P7] &
  RA + A4[P4+1] <= LA &
  RB + B4[P4+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in (P4+1) &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in (RA + A4[P4+1]) &
  next(RB) in (RB + B4[P4+1])
  :
  RUNNING = 5 &
  P5 < 6 &
  T5[P5+1] != T0[P0] &
  T5[P5+1] != T1[P1] &
  T5[P5+1] != T2[P2] &
  T5[P5+1] != T3[P3] &
  T5[P5+1] != T4[P4] &
  T5[P5+1] != T6[P6] &
  T5[P5+1] != T7[P7] &
  RA + A5[P5+1] <= LA &
  RB + B5[P5+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in (P5+1) &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in (RA + A5[P5+1]) &
  next(RB) in (RB + B5[P5+1])
  :
  RUNNING = 6 &
  P6 < 6 &
  T6[P6+1] != T0[P0] &
  T6[P6+1] != T1[P1] &
  T6[P6+1] != T2[P2] &
  T6[P6+1] != T3[P3] &
  T6[P6+1] != T4[P4] &
  T6[P6+1] != T5[P5] &
  T6[P6+1] != T7[P7] &
  RA + A6[P6+1] <= LA &
  RB + B6[P6+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in (P6+1) &
  next(P7) in P7 &
  next(RA) in (RA + A6[P6+1]) &
  next(RB) in (RB + B6[P6+1])
  :
  RUNNING = 7 &
  -- the current train has not yet completed its mission
  P7 < 6 &
  --
  -- the next place is not occupied by other trains
  T7[P7+1] != T0[P0] &
  T7[P7+1] != T1[P1] &
  T7[P7+1] != T2[P2] &
  T7[P7+1] != T3[P3] &
  T7[P7+1] != T4[P4] &
  T7[P7+1] != T5[P5] &
  T7[P7+1] != T6[P6] &
  --
  -- the progression step of the train satisfies all constraints
  RA + A7[P7+1] <= LA &
  RB + B7[P7+1] <= LB
  ?
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in (P7+1) &
  next(RA) in (RA + A7[P7+1]) &
  next(RB) in (RB + B7[P7+1])
  :
  -- no train can move: stuttering step
  next(P0) in P0 &
  next(P1) in P1 &
  next(P2) in P2 &
  next(P3) in P3 &
  next(P4) in P4 &
  next(P5) in P5 &
  next(P6) in P6 &
  next(P7) in P7 &
  next(RA) in RA &
  next(RB) in RB

-- FAIRNESS RUNNING = 0;
-- FAIRNESS RUNNING = 1;
-- FAIRNESS RUNNING = 2;
-- FAIRNESS RUNNING = 3;
-- FAIRNESS RUNNING = 4;
-- FAIRNESS RUNNING = 5;
-- FAIRNESS RUNNING = 6;
-- FAIRNESS RUNNING = 7;

-- CTLSPEC
-- AF ((P0=6) & (P1=6) & (P2=6) & (P3=6) & (P4=6) & (P5=6) & (P6=6) & (P7=6))
-- LTLSPEC
-- F ((P0=6) & (P1=6) & (P2=6) & (P3=6) & (P4=6) & (P5=6) & (P6=6) & (P7=6))
CTLSPEC
  AG EF ((P0=6) & (P1=6) & (P2=6) & (P3=6) & (P4=6) & (P5=6) & (P6=6) & (P7=6))
-------------------------------- end main ------------------------------------

------------------------------------------------------------------------------
-------------------------------- Batch Verification: -------------------------
-- time nusmv -r -v 1 smv_oneway8-SM.smv
-- FAIRNESS RUNNING = 1; ... RUNNING = 7;
-- LTLSPEC F ((P0=6) & ... & P7=6))
-- >
-- > reachable states: 1.63654e+06 (2^20.6422) out of 4.66949e+08 (2^28.7987)
-- > Successful termination
-- > real 0m43.609s
-- > user 0m43.431s
-----------------------------------------
-- time nusmv -r -v 1 smv_oneway8-SM.smv
-- FAIRNESS RUNNING = 1; ... RUNNING = 7;
-- CTLSPEC AF ((P0=6) & ... & P7=6))
-- >
-- > reachable states: 1.63654e+06 (2^20.6422) out of 4.66949e+08 (2^28.7987)
-- > Successful termination
-- > real 0m39.211s
-- > user 0m39.015s
-----------------------------------------
-- time nusmv -r -v 1 smv_oneway8-SM.smv
-- CTLSPEC AG EF ((P0=6) & ... & P7=6))
-- >
-- > reachable states: 1.63654e+06 (2^20.6422) out of 4.66949e+08 (2^28.7987)
-- > Successful termination
-- > real 0m2.807s
-- > user 0m2.771s
-- > USED MEMORY 74 MB
-----------------------------------------
-- nusmv -v 2 -ctt -r -is smv_oneway8-SM.smv
-- -ctt checks totality of transition relation function
-- -r prints actual number of reachable states
-- -v 1 verbose (1..4)
-- -is ignore SPEC properties
-- -AG used ad hoc algorithm for AG-only properties
-- nusmv -v 1 -bmc -bmc_length 100 cyclic8-smv.txt
-------------------------------------------
-- Interactive Verification:
-- ./NuSMV -int
-- read_model -i smv_oneway8-SM.smv
-- flatten_hierarchy
-- encode_variables
-- build_model
-- check_ctlspec -p "AF (P0 = 0)"
-------------- other commands ----------
-- check_ctlspec [-h] [-m | -o output-file] [-n number | -p "ctl-expr [IN context]" | -P "name"]
-- go
-- pick_state -i
-- simulate -i
-------------------------------------

/* TRAIN MISSION DATA */
byte T0[14];
byte T1[14];
byte T2[14];
byte T3[14];
byte T4[14];
byte T5[14];
byte T6[14];
byte T7[14];
/* TRAIN PROGRESS DATA */
byte P0,P1,P2,P3,P4,P5,P6,P7;
/* CONSTRAINTS DATA FOR REGIONS A,B */
byte RA;        // occupancy of region A
byte RB;        // occupancy of region B
byte LA;        // limit of region A
byte LB;        // limit of region B
short A0[14];   // Constraints of Train 0 for Region A
short A1[14];   // Constraints of Train 1 for Region A
short A2[14];   // Constraints of Train 2 for Region A
short A3[14];   // ...
short A4[14];
short A5[14];
short
      A6[14];
short A7[14];
short B0[14];   // Constraints of Train 0 for Region B
short B1[14];   // Constraints of Train 1 for Region B
short B2[14];   // Constraints of Train 2 for Region B
short B3[14];   // ...
short B4[14];
short B5[14];
short B6[14];
short B7[14];

/* INITIALIZATIONS */
init {
  atomic {
    //--------------------------------------------------------------
    // T0 := [ 1, 9,10,13,15,20,23,22]; -- G1
    // T1 := [ 3, 9,10,13,15,20,24,22]; -- R1
    // T2 := [ 5,27,11,13,16,20,25,22]; -- Y1
    // T3 := [ 7,27,11,13,16,20,26,22]; -- B1
    // T4 := [23,22,17,18,11, 9, 2, 1]; -- G2
    // T5 := [24,22,17,18,11, 9, 4, 3]; -- R2
    // T6 := [25,22,17,18,12,27, 6, 5]; -- Y2
    // T7 := [26,22,17,18,12,27, 8, 7]; -- B2
    //--------------------------------------------------------------
    T0[0]= 1; T0[1]= 9; T0[2]=10; T0[3]=13; T0[4]=15; T0[5]=20; T0[6]=23;
    T1[0]= 3; T1[1]= 9; T1[2]=10; T1[3]=13; T1[4]=15; T1[5]=20; T1[6]=24;
    T2[0]= 5; T2[1]=27; T2[2]=11; T2[3]=13; T2[4]=16; T2[5]=20; T2[6]=25;
    T3[0]= 7; T3[1]=27; T3[2]=11; T3[3]=13; T3[4]=16; T3[5]=20; T3[6]=26;
    T4[0]=23; T4[1]=22; T4[2]=17; T4[3]=18; T4[4]=11; T4[5]= 9; T4[6]= 2;
    T5[0]=24; T5[1]=22; T5[2]=17; T5[3]=18; T5[4]=11; T5[5]= 9; T5[6]= 4;
    T6[0]=25; T6[1]=22; T6[2]=17; T6[3]=18; T6[4]=12; T6[5]=27; T6[6]= 6;
    T7[0]=26; T7[1]=22; T7[2]=17; T7[3]=18; T7[4]=12; T7[5]=27; T7[6]= 8;
    //
    // ------ initial train positions --------
    // Pi=0 as default value.
    // no need of explicit initialization
    // ------ region A: train constraints ------
    A0[3] = 1;  A0[5] = -1; A0[ 7] =  1; A0[10] = -1;
    A1[3] = 1;  A1[5] = -1; A1[ 7] =  1; A1[10] = -1;
    A2[2] = 1;  A2[3] = -1; A2[ 5] =  1; A2[ 9] = -1;
    A3[2] = 1;  A3[3] = -1; A3[ 7] =  1; A3[ 9] = -1;
    A4[1] = 1;  A4[4] = -1; A4[10] =  1; A4[12] = -1;
    A5[1] = 1;  A5[4] = -1; A5[10] =  1; A5[12] = -1;
    A6[3] = -1; A6[9] =  1; A6[10] = -1; A6[12] =  1;
    A7[1] = 1;  A7[3] = -1; A7[ 9] =  1; A7[10] = -1;
    // ------- region B: train constraints ------
    B0[3] = 1;  B0[5] = -1; B0[ 7] =  1; B0[10] = -1;
    B1[3] = 1;  B1[5] = -1; B1[ 7] =  1; B1[10] = -1;
    B2[2] = 1;  B2[3] = -1; B2[ 7] =  1; B2[ 9] = -1;
    B3[2] = 1;  B3[3] = -1; B3[ 5] =  1; B3[ 9] = -1;
    B4[1] = 1;  B4[4] = -1; B4[10] =  1; B4[12] = -1;
    B5[1] = 1;  B5[4] = -1; B5[10] =  1; B5[12] = -1;
    B6[1] = 1;  B6[3] = -1; B6[ 9] =  1; B6[10] = -1;
    B7[3] = -1; B7[9] =  1; B7[10] = -1; B7[12] =  1;
    RA = 1;
    RB = 1;
    LA = 7;
    LB = 7;
  }
  do
  :: atomic {
       (P0 < 6 &&
        T0[P0+1] != T1[P1] &&       // next place of train0 not occupied by train1
        T0[P0+1] != T2[P2] &&       // next place of train0 not occupied by train2
        T0[P0+1] != T3[P3] &&
        T0[P0+1] != T4[P4] &&
        T0[P0+1] != T5[P5] &&
        T0[P0+1] != T6[P6] &&
        T0[P0+1] != T7[P7] &&       // next place of train0 not occupied by train7
        (RA + A0[P0+1]) <= LA &&    // progress of train0 does not saturate RA
        (RB + B0[P0+1]) <= LB       // progress of train0 does not saturate RB
       ) ->
       P0 = (P0+1);
       RA = RA + A0[P0];   // update occupancy of RA according to the step
       RB = RB + B0[P0];   // update occupancy of RB according to the step
     };
  :: atomic {
       (P1 < 6 &&
        T1[P1+1] != T0[P0] &&
        T1[P1+1] != T2[P2] &&
        T1[P1+1] != T3[P3] &&
        T1[P1+1] != T4[P4] &&
        T1[P1+1] != T5[P5] &&
        T1[P1+1] != T6[P6] &&
        T1[P1+1] != T7[P7] &&
        (RA + A1[P1+1]) <= LA &&    // progress of train1 does not saturate RA
        (RB + B1[P1+1]) <= LB       // progress of train1 does not saturate RB
       ) ->
       P1 = (P1+1);
       RA = RA + A1[P1];
       RB = RB + B1[P1];
     };
  :: atomic {
       (P2 < 6 &&
        T2[P2+1] != T0[P0] &&
        T2[P2+1] != T1[P1] &&
        T2[P2+1] != T3[P3] &&
        T2[P2+1] != T4[P4] &&
        T2[P2+1] != T5[P5] &&
        T2[P2+1] != T6[P6] &&
        T2[P2+1] != T7[P7] &&
        (RA + A2[P2+1]) <= LA &&
        (RB + B2[P2+1]) <= LB
       ) ->
       P2 = (P2+1);
       RA = RA + A2[P2];   // update occupancy of RA according to the step
       RB = RB + B2[P2];
     };
  :: atomic {
       (P3 < 6 &&
        T3[P3+1] != T0[P0] &&
        T3[P3+1] != T1[P1] &&
        T3[P3+1] != T2[P2] &&
        T3[P3+1] != T4[P4] &&
        T3[P3+1] != T5[P5] &&
        T3[P3+1] != T6[P6] &&
      T3[P3+1] != T7[P7] &&
      (RA + A3[P3+1]) <= LA &&
      (RB + B3[P3+1]) <= LB
     ) ->
     P3 = (P3+1);
     RA = RA + A3[P3];           // update occupancy of RA according to the step
     RB = RB + B3[P3];
   };
:: atomic {
     (P4 < 6 &&
      T4[P4+1] != T0[P0] &&
      T4[P4+1] != T1[P1] &&
      T4[P4+1] != T2[P2] &&
      T4[P4+1] != T3[P3] &&
      T4[P4+1] != T5[P5] &&
      T4[P4+1] != T6[P6] &&
      T4[P4+1] != T7[P7] &&
      (RA + A4[P4+1]) <= LA &&
      (RB + B4[P4+1]) <= LB
     ) ->
     P4 = (P4+1);
     RA = RA + A4[P4];           // update occupancy of RA according to the step
     RB = RB + B4[P4];
   };
:: atomic {
     (P5 < 6 &&
      T5[P5+1] != T0[P0] &&
      T5[P5+1] != T1[P1] &&
      T5[P5+1] != T2[P2] &&
      T5[P5+1] != T3[P3] &&
      T5[P5+1] != T4[P4] &&
      T5[P5+1] != T6[P6] &&
      T5[P5+1] != T7[P7] &&
      (RA + A5[P5+1]) <= LA &&
      (RB + B5[P5+1]) <= LB
     ) ->
     P5 = (P5+1);
     RA = RA + A5[P5];           // update occupancy of RA according to the step
     RB = RB + B5[P5];
   };
:: atomic {
     (P6 < 6 &&
      T6[P6+1] != T0[P0] &&
      T6[P6+1] != T1[P1] &&
      T6[P6+1] != T2[P2] &&
      T6[P6+1] != T3[P3] &&
      T6[P6+1] != T4[P4] &&
      T6[P6+1] != T5[P5] &&
      T6[P6+1] != T7[P7] &&
      (RA + A6[P6+1]) <= LA &&
      (RB + B6[P6+1]) <= LB
     ) ->
     P6 = (P6+1);
     RA = RA + A6[P6];           // update occupancy of RA according to the step
     RB = RB + B6[P6];
   };
:: atomic {
     (P7 < 6 &&
      T7[P7+1] != T0[P0] &&
      T7[P7+1] != T1[P1] &&
      T7[P7+1] != T2[P2] &&
      T7[P7+1] != T3[P3] &&
      T7[P7+1] != T4[P4] &&
      T7[P7+1] != T5[P5] &&
      T7[P7+1] != T6[P6] &&
      (RA + A7[P7+1]) <= LA &&
      (RB + B7[P7+1]) <= LB
     ) ->
     P7 = (P7+1);
     RA = RA + A7[P7];           // update occupancy of RA according to the step
     RB = RB + B7[P7];
   };
:: (P0 == 6) && (P1 == 6) && (P2 == 6) && (P3 == 6) &&
   (P4 == 6) && (P5 == 6) && (P6 == 6) && (P7 == 6) -> skip;
od;
}

/* PROPERTIES */
ltl p1 { <> ((P0==6) && (P1==6) && (P2==6) && (P3==6) &&
             (P4==6) && (P5==6) && (P6==6) && (P7==6)) }

/* verification process
// DEPTH FIRST
spin -a spin_oneway8small.pml
gcc -O3 -o pan pan.c
time pan -a
>
> Full statespace search for:
>   never claim + (p1)
>
> 1636546 states, stored
> 7134234 transitions
>
> real 0m13.110s
> user 0m12.683s
> sys  0m0.411s
> USED VIRTUAL MEMORY (pan): 1.02 GB

// BREADTH FIRST
spin -a spin_oneway8.pml
gcc -O3 -DBFS -DBFS_DISK -DVECTORSZ=256000 -o pan pan.c
gcc -O3 -DBFS -DVECTORSZ=256000 -o pan pan.c
time pan -m500000 -v -w33
>
> Full statespace search for:
>   never claim + (p1)
>
> 1636545 states, stored
> 7134237 transitions
>
> real 1m3.582s
> user 0m31.621s
> sys  0m29.806s
*/

/* other commands
spin -t[N]            -- follow [Nth] simulation trail, see also -k
pan -c0               -- counts all errors
pan -c                -- saves in the trail file the info for 3rd error
pan -e -c0            -- saves all errors trails each one in file specI.trail
spin -k specI.trail -c spec.pml -- displays the trail for error I
pan -r trailfilename  -- read and execute trail in file
pan -rN               -- read and execute N-th error trail
pan -C                -- read and execute trail - columnated output (can add -v,-n)
pan -r -PN            -- read and execute trail - restrict trail output to proc N
pan -                 (for help on options)
pan -w32 -v -D        (dot format!)
------
*/

------------------ MODULE oneway ---------------
EXTENDS Integers
VARIABLE P0,P1,P2,P3,P4,P5,P6,P7,RA,RB
vars == <
/\ RA' = RA + A0[P0+2]
/\ RB' = RB + B0[P0+2]
/\ UNCHANGED <
Spec == Init /\ [][Next]_vars
SFairSpec == Init /\ [][Next]_vars /\ SF_vars(Next)   (* for LTL verification *)

(**************************************************)
(* Property: <>Arrived, Behavior Spec: SFairSpec   *)
(* States: 1636545, Result: TRUE, Time 3m17s       *)
(**************************************************)
(* Model Overview: setting Temporal formula == "Spec"                           *)
(* Deadlock Found: trace for P0=6 & P4=6                                        *)
(* PROPERTIES: <>Arrived is FALSE, because of implicit stuttering               *)
(* Model Overview: setting Temporal formula == "SFairSpec"                      *)
(* Deadlock Found: trace for P0=6 & P4=6 (stuttering does not avoid deadlocks)  *)
(* PROPERTIES: <>Arrived is TRUE, stuttering ignored                            *)
===============================================
10 UMC
Class REGION2 is
Vars:
---------------------------------------------------------------
T0: int[] := [ 1, 9,10,13,15,20,23]; -- G1
T1: int[] := [ 3, 9,10,13,15,20,24]; -- R1
T2: int[] := [ 5,27,11,13,16,20,25]; -- Y1
T3: int[] := [ 7,27,11,13,16,20,26]; -- B1
T4: int[] := [23,22,17,18,11, 9, 2]; -- G2
T5: int[] := [24,22,17,18,11, 9, 4]; -- R2
T6: int[] := [25,22,17,18,12,27, 6]; -- Y2
T7: int[] := [26,22,17,18,12,27, 8]; -- B2
---------------------------------------------------------------
P0: int := 0;
P1: int := 0;
P2: int := 0;
P3: int := 0;
P4: int := 0;
P5: int := 0;
P6: int := 0;
P7: int := 0;
---------------------------------------------------------------
------ region A: train constraints ------
A0: int[] := [ 0, 0, 0, 1, 0,-1, 0]; -- G1
A1: int[] := [ 0, 0, 0, 1, 0,-1, 0]; -- R1
A2: int[] := [ 0, 0, 1,-1, 0, 1, 0]; -- Y1
A3: int[] := [ 0, 0, 1,-1, 0, 0, 0]; -- B1
A4: int[] := [ 0, 1, 0, 0,-1, 0, 0]; -- G2
A5: int[] := [ 0, 1, 0, 0,-1, 0, 0]; -- R2
A6: int[] := [ 0, 0, 0,-1, 0, 0, 0]; -- Y2
A7: int[] := [ 0, 1, 0,-1, 0, 0, 0]; -- B2
---------------------------------------------------------------
------ region B: train constraints ------
B0: int[] := [ 0, 0, 0, 1, 0,-1, 0]; -- G1
B1: int[] := [ 0, 0, 0, 1, 0,-1, 0]; -- R1
B2: int[] := [ 0, 0, 1,-1, 0, 0, 0]; -- Y1
B3: int[] := [ 0, 0, 1,-1, 0, 1, 0]; -- B1
B4: int[] := [ 0, 1, 0, 0,-1, 0, 0]; -- G2
B5: int[] := [ 0, 1, 0, 0,-1, 0, 0]; -- R2
B6: int[] := [ 0, 1, 0,-1, 0, 0, 0]; -- Y2
B7: int[] := [ 0, 0, 0,-1, 0, 0, 0]; -- B2
---------------------------------------------------------------
RA: int := 1; -- initial value for region RA
RB: int := 1; -- initial value for region RB
LA: int := 7; -- limit value for region RA
LB: int := 7; -- limit value for region RB
---------------------------------------------------------------
State Top = s1
Behavior:
------------------------- train 0 -----------------------------
s1 -> s1 {- [P0 < 6 &
             T0[P0+1] != T1[P1] &
             T0[P0+1] != T2[P2] &
             T0[P0+1] != T3[P3] &
             T0[P0+1] != T4[P4] &
             T0[P0+1] != T5[P5] &
             T0[P0+1] != T6[P6] &
             T0[P0+1] != T7[P7] &
             RA + A0[P0+1] <= LA &
             RB + B0[P0+1] <= LB] /
           P0 := P0 +1;
           RA = RA + A0[P0];
           RB = RB + B0[P0];
}
------------------------- train 1 -----------------------------
s1 -> s1 {- [P1 < 6 &
             T1[P1+1] != T0[P0] &
             T1[P1+1] != T2[P2] &
             T1[P1+1] != T3[P3] &
             T1[P1+1] != T4[P4] &
             T1[P1+1] != T5[P5] &
             T1[P1+1] != T6[P6] &
             T1[P1+1] != T7[P7] &
             RA + A1[P1+1] <= LA &
             RB + B1[P1+1] <= LB] /
           P1 := P1 +1;
           RA = RA + A1[P1];
           RB = RB + B1[P1];
}
------------------------- train 2 -----------------------------
s1 -> s1 {- [P2 < 6 &
             T2[P2+1] != T0[P0] &
             T2[P2+1] != T1[P1] &
             T2[P2+1] != T3[P3] &
             T2[P2+1] != T4[P4] &
             T2[P2+1] != T5[P5] &
             T2[P2+1] != T6[P6] &
             T2[P2+1] != T7[P7] &
             RA + A2[P2+1] <= LA &
             RB + B2[P2+1] <= LB] /
           P2 := P2 +1;
           RA = RA + A2[P2];
           RB = RB + B2[P2];
}
------------------------- train 3 -----------------------------
s1 -> s1 {- [P3 < 6 &
             T3[P3+1] != T0[P0] &
             T3[P3+1] != T1[P1] &
             T3[P3+1] != T2[P2] &
             T3[P3+1] != T4[P4] &
             T3[P3+1] != T5[P5] &
             T3[P3+1] != T6[P6] &
             T3[P3+1] != T7[P7] &
             RA + A3[P3+1] <= LA &
             RB + B3[P3+1] <= LB] /
           P3 := P3 +1;
           RA = RA + A3[P3];
           RB = RB + B3[P3];
}
------------------------- train 4 -----------------------------
s1 -> s1 {- [P4 < 6 &
             T4[P4+1] != T0[P0] &
             T4[P4+1] != T1[P1] &
             T4[P4+1] != T2[P2] &
             T4[P4+1] != T3[P3] &
             T4[P4+1] != T5[P5] &
             T4[P4+1] != T6[P6] &
             T4[P4+1] != T7[P7] &
             RA + A4[P4+1] <= LA &
             RB + B4[P4+1] <= LB] /
           P4 := P4 +1;
           RA = RA + A4[P4];
           RB = RB + B4[P4];
}
------------------------- train 5 -----------------------------
s1 -> s1 {- [P5 < 6 &
             T5[P5+1] != T0[P0] &
             T5[P5+1] != T1[P1] &
             T5[P5+1] != T2[P2] &
             T5[P5+1] != T3[P3] &
             T5[P5+1] != T4[P4] &
             T5[P5+1] != T6[P6] &
             T5[P5+1] != T7[P7] &
             RA + A5[P5+1] <= LA &
             RB + B5[P5+1] <= LB] /
           P5 := P5 +1;
           RA = RA + A5[P5];
           RB = RB + B5[P5];
}
------------------------- train 6 -----------------------------
s1 -> s1 {- [P6 < 6 &
             T6[P6+1] != T0[P0] &
             T6[P6+1] != T1[P1] &
             T6[P6+1] != T2[P2] &
             T6[P6+1] != T3[P3] &
             T6[P6+1] != T4[P4] &
             T6[P6+1] != T5[P5] &
             T6[P6+1] != T7[P7] &
             RA + A6[P6+1] <= LA &
             RB + B6[P6+1] <= LB] /
           P6 := P6 +1;
           RA = RA + A6[P6];
           RB = RB + B6[P6];
}
------------------------- train 7 -----------------------------
s1 -> s1 {- [P7 < 6 &
             T7[P7+1] != T0[P0] &
             T7[P7+1] != T1[P1] &
             T7[P7+1] != T2[P2] &
             T7[P7+1] != T3[P3] &
             T7[P7+1] != T4[P4] &
             T7[P7+1] != T5[P5] &
             T7[P7+1] != T6[P6] &
             RA + A7[P7+1] <= LA &
             RB + B7[P7+1] <= LB] /
           P7 := P7 +1;
           RA = RA + A7[P7];
           RB = RB + B7[P7];
}
------------------------- termination -----------------------------
s1 -> s1 {- [(P0=6) and (P1=6) and (P2=6) and (P3=6) &
             (P4=6) and (P5=6) and (P6=6) and (P7=6)] / ARRIVED}
end REGION2;

Objects:
Count: Token;
SYS: REGION2;

Abstractions {
  Action ARRIVED -> ARRIVED
  Action Error -> Error
  -- State:
  --   SYS.P0=0 and
  --   SYS.P1=0 and
  --   SYS.P2=0 and
  --   SYS.P3=0 and
  --   SYS.P4=0 and
  --   SYS.P5=0 and
  --   SYS.P6=0 and
  --   SYS.P7=0 -> Home   -- abstract label on final state
}

-- time umc -m3 -100 umc_oneway8.txt AFARR.txt
--
-- > The Formula: "AF {ARRIVED} true"
-- > is: TRUE
-- > statspace stats: states generated= 1636545 ... evaluation time= 37.538 sec.
--
-- > real 0m36.980s
-- > user 1m23.800s
-- > sys  0m1.735s
-- USED VIRTUAL MEMORY: 2.98G
--
-- time mcstats -m3 umc_oneway8.txt
--
-- AFARR == "AF {ARRIVED} true"
---------------------------------------------------------------
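The SPIN, UMC and UPPAAL listings above all encode the same guarded step: a train may advance to its next mission place only if no other train currently occupies that place and neither region counter would exceed its limit. The following Python explorer is an added example, not code from the paper or from any of the ten tools; it takes the mission and region tables exactly as in the UMC and UPPAAL listings and runs a breadth-first search to answer what the "AF {ARRIVED} true" and "<>Arrived" queries ask, namely whether the all-arrived state is reachable and whether any non-final state is stuck. The full eight-train instance (1636545 states in the tools) is slow in pure Python, so explore() takes the list of train indexes to include; running it on a reduced slice such as trains 0 and 4 is this example's assumption, not a configuration from the paper.

```python
from collections import deque

# Train missions from the paper's models: place occupied at mission index 0..6 (G1,R1,Y1,B1,G2,R2,Y2,B2).
T = [[1, 9, 10, 13, 15, 20, 23], [3, 9, 10, 13, 15, 20, 24],
     [5, 27, 11, 13, 16, 20, 25], [7, 27, 11, 13, 16, 20, 26],
     [23, 22, 17, 18, 11, 9, 2], [24, 22, 17, 18, 11, 9, 4],
     [25, 22, 17, 18, 12, 27, 6], [26, 22, 17, 18, 12, 27, 8]]
# Region constraints (UMC/UPPAAL tables): mission index -> counter change on reaching it; missing = 0.
A = [{3: 1, 5: -1}, {3: 1, 5: -1}, {2: 1, 3: -1, 5: 1}, {2: 1, 3: -1},
     {1: 1, 4: -1}, {1: 1, 4: -1}, {3: -1}, {1: 1, 3: -1}]
B = [{3: 1, 5: -1}, {3: 1, 5: -1}, {2: 1, 3: -1}, {2: 1, 3: -1, 5: 1},
     {1: 1, 4: -1}, {1: 1, 4: -1}, {1: 1, 3: -1}, {3: -1}]
LA = LB = 7   # region limits; RA and RB start at 1 as in the models
LAST = 6      # final mission index

def can_move(i, state, trains):
    """Guard of the i-th scheduled train: next place free, both region limits respected."""
    pos, ra, rb = state
    p = pos[i]
    if p >= LAST:
        return False
    nxt = T[trains[i]][p + 1]
    if any(T[trains[j]][pos[j]] == nxt for j in range(len(trains)) if j != i):
        return False
    return (ra + A[trains[i]].get(p + 1, 0) <= LA and
            rb + B[trains[i]].get(p + 1, 0) <= LB)

def step(i, state, trains):
    """Advance train i by one mission index and update both region counters."""
    pos, ra, rb = state
    p = pos[i] + 1
    new = list(pos); new[i] = p
    return (tuple(new), ra + A[trains[i]].get(p, 0), rb + B[trains[i]].get(p, 0))

def explore(trains):
    """BFS over all reachable states of the chosen trains (assumed subset);
    returns (state count, all-arrived state reachable, list of stuck non-final states)."""
    init = ((0,) * len(trains), 1, 1)
    seen, queue, deadlocks, arrived = {init}, deque([init]), [], False
    while queue:
        s = queue.popleft()
        succ = [step(i, s, trains) for i in range(len(trains)) if can_move(i, s, trains)]
        if all(p == LAST for p in s[0]):
            arrived = True            # target of "AF {ARRIVED} true" / "<>Arrived" reached
        elif not succ:
            deadlocks.append(s)       # non-final state with no enabled move
        for n in succ:
            if n not in seen:
                seen.add(n); queue.append(n)
    return len(seen), arrived, deadlocks
```

Because the region counters are a function of the train positions, the state count equals the number of reachable position tuples, which is why a two-train slice stays tiny while the full instance grows to the figures reported by the tools.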
11 UPPAAL

//
// global declarations
//
//------- train missions ------
const int T0[7] = { 1, 9,10,13,15,20,23};
const int T1[7] = { 3, 9,10,13,15,20,24};
const int T2[7] = { 5,27,11,13,16,20,25};
const int T3[7] = { 7,27,11,13,16,20,26};
const int T4[7] = {23,22,17,18,11, 9, 2};
const int T5[7] = {24,22,17,18,11, 9, 4};
const int T6[7] = {25,22,17,18,12,27, 6};
const int T7[7] = {26,22,17,18,12,27, 8};
const int LA = 7; // limit value for region RA
const int LB = 7; // limit value for region RB
//------- region A: train constraints ------
const int A0[7] = { 0, 0, 0, 1, 0,-1, 0}; // G1
const int A1[7] = { 0, 0, 0, 1, 0,-1, 0}; // R1
const int A2[7] = { 0, 0, 1,-1, 0, 1, 0}; // Y1
const int A3[7] = { 0, 0, 1,-1, 0, 0, 0}; // B1
const int A4[7] = { 0, 1, 0, 0,-1, 0, 0}; // G2
const int A5[7] = { 0, 1, 0, 0,-1, 0, 0}; // R2
const int A6[7] = { 0, 0, 0,-1, 0, 0, 0}; // Y2
const int A7[7] = { 0, 1, 0,-1, 0, 0, 0}; // B2
//------- region B: train constraints ------
const int B0[7] = { 0, 0, 0, 1, 0,-1, 0}; // G1
const int B1[7] = { 0, 0, 0, 1, 0,-1, 0}; // R1
const int B2[7] = { 0, 0, 1,-1, 0, 0, 0}; // Y1
const int B3[7] = { 0, 0, 1,-1, 0, 1, 0}; // B1
const int B4[7] = { 0, 1, 0, 0,-1, 0, 0}; // G2
const int B5[7] = { 0, 1, 0, 0,-1, 0, 0}; // R2
const int B6[7] = { 0, 1, 0,-1, 0, 0, 0}; // Y2
const int B7[7] = { 0, 0, 0,-1, 0, 0, 0}; // B2
//------------------------------------------
int P0 := 0;
int P1 := 0;
int P2 := 0;
int P3 := 0;
int P4 := 0;
int P5 := 0;
int P6 := 0;
int P7 := 0;
int RA := 1; // initial value for region RA
int RB := 1; // initial value for region RB
broadcast chan move0,move1,move2,move3,move4,move5,move6,move7;

//------------ template definitions ---------
process Uppaal_Model() {
state s0;
urgent s0;
init s0;
trans
s0 -> s0 {
  guard P0 < 6 &&
        T0[P0+1] != T1[P1] &&
        T0[P0+1] != T2[P2] &&
        T0[P0+1] != T3[P3] &&
        T0[P0+1] != T4[P4] &&
        T0[P0+1] != T5[P5] &&
        T0[P0+1] != T6[P6] &&
        T0[P0+1] != T7[P7] &&
        RA + A0[P0+1] <= LA &&
        RB + B0[P0+1] <= LB;
  sync move0!;
  assign P0 := P0+1,
         RA := RA + A0[P0],
         RB := RB + B0[P0];
},
s0 -> s0 {
  guard P1 < 6 &&
        T1[P1+1] != T0[P0] &&
        T1[P1+1] != T2[P2] &&
        T1[P1+1] != T3[P3] &&
        T1[P1+1] != T4[P4] &&
        T1[P1+1] != T5[P5] &&
        T1[P1+1] != T6[P6] &&
        T1[P1+1] != T7[P7] &&
        RA + A1[P1+1] <= LA &&
        RB + B1[P1+1] <= LB;
  sync move1!;
  assign P1 := P1+1,
         RA := RA + A1[P1],
         RB := RB + B1[P1];
},
s0 -> s0 {
  guard P2 < 6 &&
        T2[P2+1] != T0[P0] &&
        T2[P2+1] != T1[P1] &&
        T2[P2+1] != T3[P3] &&
        T2[P2+1] != T4[P4] &&
        T2[P2+1] != T5[P5] &&
        T2[P2+1] != T6[P6] &&
        T2[P2+1] != T7[P7] &&
        RA + A2[P2+1] <= LA &&
        RB + B2[P2+1] <= LB;
  sync move2!;
  assign P2 := P2+1,
         RA := RA + A2[P2],
         RB := RB + B2[P2];
},
s0 -> s0 {
  guard P3 < 6 &&
        T3[P3+1] != T0[P0] &&
        T3[P3+1] != T2[P2] &&
        T3[P3+1] != T1[P1] &&
        T3[P3+1] != T4[P4] &&
        T3[P3+1] != T5[P5] &&
        T3[P3+1] != T6[P6] &&
        T3[P3+1] != T7[P7] &&
        RA + A3[P3+1] <= LA &&
        RB + B3[P3+1] <= LB;
  sync move3!;
  assign
         P3 := P3+1,
         RA := RA + A3[P3],
         RB := RB + B3[P3];
},
s0 -> s0 {
  guard P4 < 6 &&
        T4[P4+1] != T0[P0] &&
        T4[P4+1] != T1[P1] &&
        T4[P4+1] != T2[P2] &&
        T4[P4+1] != T3[P3] &&
        T4[P4+1] != T5[P5] &&
        T4[P4+1] != T6[P6] &&
        T4[P4+1] != T7[P7] &&
        RA + A4[P4+1] <= LA &&
        RB + B4[P4+1] <= LB;
  sync move4!;
  assign P4 := P4+1,
         RA := RA + A4[P4],
         RB := RB + B4[P4];
},
s0 -> s0 {
  guard P5 < 6 &&
        T5[P5+1] != T0[P0] &&
        T5[P5+1] != T1[P1] &&
        T5[P5+1] != T2[P2] &&
        T5[P5+1] != T3[P3] &&
        T5[P5+1] != T4[P4] &&
        T5[P5+1] != T6[P6] &&
        T5[P5+1] != T7[P7] &&
        RA + A5[P5+1] <= LA &&
        RB + B5[P5+1] <= LB;
  sync move5!;
  assign P5 := P5+1,
         RA := RA + A5[P5],
         RB := RB + B5[P5];
},
s0 -> s0 {
  guard P6 < 6 &&
        T6[P6+1] != T0[P0] &&
        T6[P6+1] != T1[P1] &&
        T6[P6+1] != T2[P2] &&
        T6[P6+1] != T3[P3] &&
        T6[P6+1] != T4[P4] &&
        T6[P6+1] != T5[P5] &&
        T6[P6+1] != T7[P7] &&
        RA + A6[P6+1] <= LA &&
        RB + B6[P6+1] <= LB;
  sync move6!;
  assign P6 := P6+1,
         RA := RA + A6[P6],
         RB := RB + B6[P6];
},
s0 -> s0 {
  guard P7 < 6 &&