I want to model a symmetric, distributed, four-processor three-coloring protocol with NuSMV. My specification, whose correctness I am sure of, must be true, but when I use the keyword "F" for the "Finally" property, NuSMV gives me a counterexample at the very first step and stops processing the next states. What should I do to fix this and check the Finally property in LTL?

Here is my SMV code:

MODULE proc(former_proc ,further_proc )
  VAR
  self_proc : {zero, on, two};  

  ASSIGN
  init(self_proc) :={zero, on, two};
  next(self_proc) :=
  case
    (self_proc = two) & (further_proc = two | further_proc = zero) & (former_proc = two) : on;
    (self_proc = two) & (further_proc = two) & (former_proc = zero) : zero;
    (self_proc = on) & (further_proc = two | further_proc = on) & (former_proc = on) : zero;
    (self_proc = on | self_proc = zero) & (further_proc = on) & (former_proc = zero) : two;
    (self_proc = on) & (further_proc = zero) & (former_proc = on) : two;
    (self_proc = zero) & (further_proc = zero) & (former_proc = on | former_proc = zero) : two; 
    TRUE : self_proc;   
  esac; 

MODULE main
  VAR 
  p1 : process proc( p4.self_proc ,p2.self_proc );
  p2 : process proc( p1.self_proc ,p3.self_proc );
  p3 : process proc( p2.self_proc ,p4.self_proc );
  p4 : process proc( p3.self_proc ,p1.self_proc );


  FAIRNESS running

  LTLSPEC F((p1.self_proc != p2.self_proc) & (p1.self_proc != p4.self_proc) & (p2.self_proc != p3.self_proc) & (p3.self_proc != p4.self_proc))

And here is my counterexample from NuSMV:

-- specification  F (((p1.self_proc != p2.self_proc & p1.self_proc != p4.self_proc) & p2.self_proc != p3.self_proc) & p3.self_proc != p4.self_proc)  is false
-- as demonstrated by the following execution sequence
Trace Description: LTL Counterexample 
Trace Type: Counterexample 
-- Loop starts here
-> State: 1.1 <-
  p1.self_proc = on
  p2.self_proc = on
  p3.self_proc = zero
  p4.self_proc = zero
-> Input: 1.2 <-
  _process_selector_ = main
  running = TRUE
  p4.running = FALSE
  p3.running = FALSE
  p2.running = FALSE
  p1.running = FALSE
-- Loop starts here
-> State: 1.2 <-
-> Input: 1.3 <-
-> State: 1.3 <-

Thank you.

Patrick Trentin
mirzanahal
    I searched more and found http://www.cs.cmu.edu/~modelcheck/tour.htm and realized that I had used the "FAIRNESS" keyword in the wrong way. I should use it in my proc module instead of the main module. Thank you. – mirzanahal Feb 05 '17 at 06:29
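An added example, not part of the original post or of NuSMV: a small Python explicit-state check of the posted model under NuSMV's one-selector-per-step interleaving. It shows why the stuttering trace above is accepted when only `main` must run infinitely often, and reports whether a loop that avoids a proper coloring remains once each of p1..p4 must run infinitely often. The function names and the 0..3 process indices are assumptions of this example.

```python
from itertools import product

COLORS = ("zero", "on", "two")      # the page's own value names
N = 4                                # p1..p4 as ring indices 0..3 (assumed)
SELECTORS = ("main", 0, 1, 2, 3)     # NuSMV picks exactly one per step

def next_color(me, former, further):
    """The case block of MODULE proc; the first matching branch wins."""
    if me == "two" and further in ("two", "zero") and former == "two": return "on"
    if me == "two" and further == "two" and former == "zero": return "zero"
    if me == "on" and further in ("two", "on") and former == "on": return "zero"
    if me in ("on", "zero") and further == "on" and former == "zero": return "two"
    if me == "on" and further == "zero" and former == "on": return "two"
    if me == "zero" and further == "zero" and former in ("on", "zero"): return "two"
    return me

def step(state, who):
    """Interleaving step: only the selected process moves; 'main' changes nothing."""
    if who == "main":
        return state
    s = list(state)
    s[who] = next_color(state[who], state[who - 1], state[(who + 1) % N])
    return tuple(s)

def colored(state):
    """The proposition under F in the LTLSPEC: all ring neighbours differ."""
    return all(state[i] != state[(i + 1) % N] for i in range(N))

def fair_counterexample(fair):
    """States of a loop that never gets properly colored although every
    selector in `fair` runs infinitely often, or None if no such loop exists."""
    bad = {s for s in product(COLORS, repeat=N) if not colored(s)}
    def reach(src):                  # states reachable without leaving `bad`
        seen, todo = {src}, [src]
        while todo:
            u = todo.pop()
            for v in (step(u, w) for w in SELECTORS):
                if v in bad and v not in seen:
                    seen.add(v)
                    todo.append(v)
        return seen
    reach_of = {s: reach(s) for s in bad}
    for s in sorted(bad):
        scc = {t for t in reach_of[s] if s in reach_of[t]}
        # fair loop: each required selector has a step that stays inside the SCC
        if all(any(step(u, w) in scc for u in scc) for w in fair):
            return sorted(scc)
    return None

if __name__ == "__main__":
    print("FAIRNESS running in main:", fair_counterexample({"main"}))
    print("FAIRNESS running in proc:", fair_counterexample({0, 1, 2, 3}))
```

Every initial state is allowed by `init(self_proc)`, so no separate reachability check from the initial states is needed.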
