Following is my promela program of a railway station and my assertion is getting violated when I used "SETUP" function, kindly give me a workaround (SETUP process is mandatory)
mtype = { T1, T2, ENTRY, PERMISSION, EXIT, EMPTY, ALLOWED, NOT_ALLOWED }
#define a (len(TunnelAB) < 2 && len(TunnelBC) < 2 && len(TunnelCD) < 2 && len(TunnelDA) < 2);
#define b (((stat_sigboxA == PERMISSION) -> (sigbox_statA == ALLOWED)) && ((stat_sigboxB == PERMISSION) -> (sigbox_statB == ALLOWED)) && ((stat_sigboxC == PERMISSION) -> (sigbox_statC == ALLOWED)) && ((stat_sigboxD == PERMISSION) -> (sigbox_statD == ALLOWED)));
chan TunnelAB = [2] of { mtype };
chan TunnelBC = [2] of { mtype };
chan TunnelCD = [2] of { mtype };
chan TunnelDA = [2] of { mtype };
chan stat_sigboxA = [0] of { mtype };
chan sigbox_statA = [0] of { mtype };
chan stat_sigboxB = [0] of { mtype };
chan sigbox_statB = [0] of { mtype };
chan stat_sigboxC = [0] of { mtype };
chan sigbox_statC = [0] of { mtype };
chan stat_sigboxD = [0] of { mtype };
chan sigbox_statD = [0] of { mtype };
chan signalboxAB = [0] of { mtype };
chan signalboxDA = [0] of { mtype };
chan signalboxBC = [0] of { mtype };
chan signalboxCD = [0] of { mtype };
proctype Station(chan exit_tunnel, enter_tunnel, signalIn, signalOut; byte count)
{
byte train;
bool EntrySignal = false;
mtype val;
do
:: exit_tunnel?train -> signalIn!ENTRY; count++;
:: (count > 0) ->
if
::(EntrySignal == true) -> signalIn!EXIT; enter_tunnel!train; count--;
::(EntrySignal == false) ->signalIn!PERMISSION;
fi;
signalOut?val;
if
::(val == ALLOWED) -> EntrySignal = true;
::(val == NOT_ALLOWED) -> EntrySignal = false;
fi;
od;
}
proctype SignalBox(chan StationOut, StationIn, PrevSigBox, ForwardSigBox)
{
bool FreeTrack = true;
mtype val;
do
::StationOut?val
if
::(val == ENTRY) -> PrevSigBox!EMPTY;
::(val == EXIT) -> FreeTrack = false; StationIn!NOT_ALLOWED;
::(val == PERMISSION) ->
if
::(FreeTrack == true) -> StationIn!ALLOWED;
::else -> StationIn!NOT_ALLOWED;
fi
fi;
::ForwardSigBox?val
if
::(val == EMPTY) -> FreeTrack = true;
fi;
od;
}
active proctype monitor()
{
assert ((len(TunnelAB) < 2 && len(TunnelBC) < 2 && len(TunnelCD) < 2 && len(TunnelDA) < 2));
}
proctype Setup(chan tunnel; byte train)
{
tunnel!train;
}
init
{
atomic
{
run Setup(TunnelBC, T1);
run Setup(TunnelDA, T2);
run Station(TunnelDA, TunnelAB, stat_sigboxA, sigbox_statA, 0);
run Station(TunnelAB, TunnelBC, stat_sigboxB, sigbox_statB, 1);
run Station(TunnelBC, TunnelCD, stat_sigboxC, sigbox_statC, 0);
run Station(TunnelCD, TunnelDA, stat_sigboxD, sigbox_statD, 1);
run SignalBox(stat_sigboxA, sigbox_statA, signalboxDA, signalboxAB);
run SignalBox(stat_sigboxB, sigbox_statB, signalboxAB, signalboxBC);
run SignalBox(stat_sigboxC, sigbox_statC, signalboxBC, signalboxCD);
run SignalBox(stat_sigboxD, sigbox_statD, signalboxCD, signalboxDA);
}
}
(safety property).
ltl p1 { always a }
(liveness property)
ltl p2 { always eventually b }
Tried everything, so the whole code crashes at 9998.
