-- RailCab / level-crossing controller model, extended version.
-- Compared with the modules it builds on, this version adds a second
-- handshake: the RailCab asks for the gate status (chkMsg) and the
-- controller answers with gateMsg(B).
--
-- LOCATION, MSG, QUEUE, LABEL, STATUS and SIGNAL are not defined in this
-- listing; presumably they come from the file loaded below -- confirm.
in railcab-trans-old.cafe

mod! LOCATION-NEW {
  ex(LOCATION)
  -- newly added: the location entered by [sendReq] and left by [sendApp]
  op appCross : -> Location .
}

mod! MSG-NEW {
  ex(MSG)
  -- newly added: chkMsg is the RailCab's gate-status query,
  -- gateMsg(B) is the controller's answer carrying the gate value B
  op chkMsg : -> Msg .
  op gateMsg : Bool -> Msg .
}

mod! QueueMsg {
  -- message queue over MSG-NEW, with sort Queue renamed to QMsg
  pr(QUEUE(MSG-NEW{sort Elt -> Msg})*{sort Queue -> QMsg})

  -- resp(Q): true iff the leftmost message of Q is a respMsg.
  -- NOTE(review): only the leftmost message is inspected; the equations do
  -- not recurse into NW. Senders below add messages on the left, so with
  -- respMsg and gateMsg sharing channel2-n a respMsg queued behind a
  -- gateMsg is not seen. The effect is that [eBrake2] fires in more
  -- states (errs toward braking) -- confirm this is intended.
  op resp : QMsg -> Bool .
  eq resp(empty) = false .
  var NW : QMsg .
  eq resp(respMsg(S:Signal) & NW) = true .
  eq resp(passed & NW) = false .
  eq resp(reqMsg & NW) = false .
  eq resp(chkMsg & NW) = false .
  eq resp(gateMsg(B:Bool) & NW) = false .

  -- respG(Q): true iff the leftmost message of Q is a gateMsg.
  -- The same leftmost-only caveat as for resp applies (used by [eBrake4]).
  op respG : QMsg -> Bool .
  eq respG(empty) = false .
  eq respG(respMsg(S:Signal) & NW) = false .
  eq respG(passed & NW) = false .
  eq respG(reqMsg & NW) = false .
  eq respG(chkMsg & NW) = false .
  eq respG(gateMsg(B:Bool) & NW) = true .
}

mod! LABEL-NEW {
  ex(LABEL)
  -- newly added: controller label s5, entered after a chkMsg is received
  ops s5 : -> Label .
}

mod! RAILCAB-NEW {
  pr(LOCATION-NEW)
  pr(STATUS)
  pr(LABEL-NEW)
  pr(SIGNAL)
  pr(QueueMsg)

  -- A state is a comm/assoc combination of the components below; each rule
  -- names only the components it reads or changes.
  [NewState]
  op _,_ : NewState NewState -> NewState {comm assoc} .
  op loc-n:_ : Location -> NewState {constr} .       -- RailCab location
  op channel1-n:_ : QMsg -> NewState {constr} .      -- RailCab -> controller
  op channel2-n:_ : QMsg -> NewState {constr} .      -- controller -> RailCab
  op rStatus-n:_ : Status -> NewState {constr} .     -- running / braked / eBraked
  op conLoc-N:_ : Label -> NewState {constr} .       -- controller label (s1 .. s5)
  op gate-n:_ : Bool -> NewState {constr} .          -- true = closed (see [sendResp1])
  op pass-n:_ : Signal -> NewState {constr} .        -- answer to reqMsg
  -- newly added: answer to chkMsg
  op appResult:_ : Signal -> NewState {constr} .

  op init-n : -> NewState .

  var NW : QMsg .
  vars B B' : Bool .
  vars S S' : Signal .
  var ST : Status .   -- not used by any rule in this listing

  -- modified (a new component is added): appResult starts as unknown.
  -- The gate starts open (false) and both channels start empty.
  eq init-n = (loc-n: endOfTS), (rStatus-n: running), (pass-n: unknown),
              (channel1-n: empty), (channel2-n: empty), (conLoc-N: s1),
              (gate-n: false), (appResult: unknown) .

  -- ---------------- behavior of the RailCab ----------------

  -- modified (after sending the request it goes to appCross, not to lastBrake)
  trans [sendReq] :
    (loc-n: endOfTS), (channel1-n: NW)
    => (loc-n: appCross), (channel1-n: (reqMsg & NW)) .

  -- newly added (sends the gate-status query at the appCross location)
  trans [sendApp] :
    (loc-n: appCross), (channel1-n: NW)
    => (loc-n: lastBrake), (channel1-n: (chkMsg & NW)) .

  -- receive the answer to reqMsg; messages are consumed from the right
  trans [recResp] :
    (channel2-n: (NW & respMsg(S))), (pass-n: S')
    => (channel2-n: NW), (pass-n: S) .

  -- newly added two transitions (to receive the gate status message):
  -- a closed gate (true) is recorded as grant, an open gate as reject
  trans [recApp1] :
    (channel2-n: (NW & gateMsg(true))), (appResult: S')
    => (channel2-n: NW), (appResult: grant) .
  trans [recApp2] :
    (channel2-n: (NW & gateMsg(false))), (appResult: S')
    => (channel2-n: NW), (appResult: reject) .

  -- brake at lastBrake when the request was rejected
  trans [brake] :
    (rStatus-n: running), (loc-n: lastBrake), (pass-n: reject)
    => (rStatus-n: braked), (loc-n: lastBrake), (pass-n: reject) .

  -- another case of braking: the gate-status answer was reject
  -- (this rule reuses the label [brake])
  trans [brake] :
    (rStatus-n: running), (loc-n: lastBrake), (appResult: reject)
    => (rStatus-n: braked), (loc-n: lastBrake), (appResult: reject) .

  -- modified: moving on to leBrake. Together with the two rules below, the
  -- four rules cover pass-n in {grant, unknown} x appResult in {grant, unknown}.
  trans [move2LEB1] :
    (rStatus-n: running), (loc-n: lastBrake), (pass-n: grant), (appResult: grant)
    => (rStatus-n: running), (loc-n: leBrake), (pass-n: grant), (appResult: grant) .
  trans [move2LEB2] :
    (rStatus-n: running), (loc-n: lastBrake), (pass-n: unknown), (appResult: grant)
    => (rStatus-n: running), (loc-n: leBrake), (pass-n: unknown), (appResult: grant) .

  -- newly added (further cases in which a RailCab can enter leBrake);
  -- the labels [move2LEB1] and [move2LEB2] are reused
  trans [move2LEB1] :
    (rStatus-n: running), (loc-n: lastBrake), (pass-n: grant), (appResult: unknown)
    => (rStatus-n: running), (loc-n: leBrake), (pass-n: grant), (appResult: unknown) .
  trans [move2LEB2] :
    (rStatus-n: running), (loc-n: lastBrake), (pass-n: unknown), (appResult: unknown)
    => (rStatus-n: running), (loc-n: leBrake), (pass-n: unknown), (appResult: unknown) .

  -- case 1 : emergency brake at leBrake when the request was rejected
  trans [eBrake1] :
    (rStatus-n: running), (loc-n: leBrake), (pass-n: reject)
    => (rStatus-n: eBraked), (loc-n: leBrake), (pass-n: reject) .

  -- case 2 : if no response message in the network
  -- (as decided by resp, which looks at the leftmost message only)
  ctrans [eBrake2] :
    (rStatus-n: running), (loc-n: leBrake), (pass-n: unknown), (channel2-n: NW)
    => (rStatus-n: eBraked), (loc-n: leBrake), (pass-n: unknown), (channel2-n: NW)
    if not resp(NW) .

  -- newly added (another two cases of emergency brake): the gate-status
  -- answer is reject, or it is still unknown and respG finds no gateMsg
  trans [eBrake3] :
    (rStatus-n: running), (loc-n: leBrake), (appResult: reject)
    => (rStatus-n: eBraked), (loc-n: leBrake), (appResult: reject) .
  ctrans [eBrake4] :
    (rStatus-n: running), (loc-n: leBrake), (appResult: unknown), (channel2-n: NW)
    => (rStatus-n: eBraked), (loc-n: leBrake), (appResult: unknown), (channel2-n: NW)
    if not respG(NW) .

  -- move to the section where braking is no longer allowed
  -- modified (a new condition is added).
  -- This is the only rule that yields loc-n: noReturn, and it needs both
  -- pass-n: grant (set only by [recResp]) and appResult: grant (set only by
  -- [recApp1], i.e. after a gateMsg(true)).
  trans [move2nr] :
    (rStatus-n: running), (loc-n: leBrake), (pass-n: grant), (appResult: grant)
    => (rStatus-n: running), (loc-n: noReturn), (pass-n: grant), (appResult: grant) .

  -- pass through the crossing
  trans [pass-n] :
    (loc-n: noReturn)
    => (loc-n: opposite) .

  -- report the passage and reset both recorded answers to unknown, so the
  -- next cycle does not start with the grants of this one
  trans [sendPass] :
    (loc-n: opposite), (channel1-n: NW), (pass-n: S), (appResult: S')
    => (pass-n: unknown), (appResult: unknown), (loc-n: endOfTS),
       (channel1-n: (passed & NW)) .

  -- newly added (to switch from braked to running; this happens when
  -- the RailCab receives the messages after being braked)
  trans [toRun1] :
    (rStatus-n: braked), (pass-n: grant), (appResult: grant)
    => (rStatus-n: running), (pass-n: grant), (appResult: grant) .
  trans [toRun2] :
    (rStatus-n: eBraked), (pass-n: grant), (appResult: grant)
    => (rStatus-n: running), (pass-n: grant), (appResult: grant) .

  -- ---------------- behavior of the controller ----------------

  -- get the request message
  trans [recReq] :
    (conLoc-N: s1), (channel1-n: (NW & reqMsg))
    => (conLoc-N: s2), (channel1-n: NW) .

  -- send the response: if gate-n is true (closed), the requesting RailCab
  -- cannot pass and the controller returns to s1
  trans [sendResp1] :
    (conLoc-N: s2), (channel2-n: NW), (gate-n: true)
    => (conLoc-N: s1), (gate-n: true), (channel2-n: (respMsg(reject) & NW)) .
  -- if the gate is open, grant the request and go to s3 to close it
  trans [sendResp2] :
    (conLoc-N: s2), (channel2-n: NW), (gate-n: false)
    => (conLoc-N: s3), (channel2-n: (respMsg(grant) & NW)), (gate-n: false) .

  -- NOTE(review): in the flattened listing a bare "--" precedes this rule.
  -- It is read here as an empty comment line, so the rule is active; it is
  -- the only rule with conLoc-N: s3 on its left-hand side and the only one
  -- that sets gate-n to true. Confirm against the original file.
  --
  trans [closeGate-N] :
    (conLoc-N: s3), (gate-n: B)
    => (conLoc-N: s1), (gate-n: true) .

  -- the RailCab reported that it has passed
  trans [getPass-N] :
    (conLoc-N: s1), (channel1-n: (NW & passed))
    => (conLoc-N: s4), (channel1-n: NW) .

  -- reopen the gate; apart from rules that keep an existing value, this is
  -- the only rule that sets gate-n to false
  trans [open] :
    (conLoc-N: s4), (gate-n: B)
    => (conLoc-N: s1), (gate-n: false) .

  -- newly added: answer a gate-status query with the current gate value B
  trans [recAppMsg] :
    (conLoc-N: s1), (channel1-n: (NW & chkMsg))
    => (conLoc-N: s5), (channel1-n: NW) .
  trans [sendAppVal] :
    (conLoc-N: s5), (channel2-n: NW), (gate-n: B)
    => (conLoc-N: s1), (channel2-n: (gateMsg(B) & NW)), (gate-n: B) .
}

-- Loading stops at eof; the check below is not run when this file is read
-- in and has to be entered by hand.
eof

-- we check whether there exists a reachable state
-- where the RailCab is at noReturn location,
-- but gate-n is open
-- CafeOBJ returns false (as reported by the author), i.e. the search
-- finds no such state. =(*,*)=>+ puts no bound on the number of solutions
-- or on the depth and requires at least one transition.
open RAILCAB-NEW .
red init-n =(*,*)=>+ (loc-n: noReturn), (gate-n: false), S:NewState .
close