-- this is a transition-based CafeOBJ specification
-- formally specifying the RailCab crossing system (old version)
--
-- NOTE(review): this text was recovered from a source whose line breaks were
-- lost; the breaks below are reconstructed.  Since a `--` comment runs to the
-- end of its physical line, the only place where the reconstruction changes
-- meaning is the `-- trans [closeGate]` line in RAILCAB-OLD (see the note
-- there).  No token was changed.

-- Track positions of the (single) RailCab.  The equations make the five
-- constants pairwise distinct; the transition rules below rely on that when
-- matching loc-o: values.
mod! LOCATION {
  [Location]
  ops endOfTS lastBrake leBrake noReturn opposite : -> Location .
  eq (endOfTS = lastBrake) = false .
  eq (endOfTS = leBrake) = false .
  eq (endOfTS = noReturn) = false .
  eq (endOfTS = opposite) = false .
  eq (lastBrake = leBrake) = false .
  eq (lastBrake = noReturn) = false .
  eq (lastBrake = opposite) = false .
  eq (leBrake = noReturn) = false .
  eq (leBrake = opposite) = false .
  eq (noReturn = opposite) = false .
}

-- Driving status of the RailCab.  No rule in RAILCAB-OLD has braked or
-- eBraked on its left-hand side, so both are terminal for the RailCab.
mod! STATUS {
  [Status]
  ops running braked eBraked : -> Status .
}

-- Outcome of a crossing request as seen by the RailCab (unknown = not yet
-- answered).
mod! SIGNAL {
  [Signal]
  ops unknown grant reject : -> Signal .
}

-- Messages exchanged between RailCab and controller: respMsg(S) carries the
-- controller's answer, reqMsg asks for permission, passed reports that the
-- crossing has been left.
mod! MSG {
  pr(SIGNAL)
  [Msg]
  op respMsg : Signal -> Msg .
  op passed : -> Msg .
  op reqMsg : -> Msg .
}

-- Generic queue: elements are queues of length one, `_&_` is associative
-- with `empty` as identity.  The two equations define queue equality
-- structurally (empty differs from any non-empty queue; non-empty queues are
-- compared element by element).
mod! QUEUE (X :: TRIV) {
  [Elt.X < Queue]
  op empty : -> Queue {constr} .
  op _&_ : Queue Queue -> Queue {assoc id: empty} .
  vars E1 E2 : Elt .
  vars Q1 Q2 : Queue .
  eq (empty = E:Elt & Q:Queue) = false .
  eq ((E1 & Q1) = (E2 & Q2)) = ((E1 = E2) and (Q1 = Q2)) .
}

-- Queues of messages.  resp(Q) is true exactly when the leftmost element of
-- Q is a respMsg; only that element is inspected, the rest (NW) is not.
-- In RAILCAB-OLD the rules add messages on the left and remove them on the
-- right, so "leftmost" is the most recently enqueued message.  Because
-- channel2-o: only ever receives respMsg (sendResp1/sendResp2), resp on
-- channel 2 is effectively a non-emptiness test.
mod! QueueMsg {
  pr(QUEUE(MSG{sort Elt -> Msg})*{sort Queue -> QMsg})
  op resp : QMsg -> Bool .
  eq resp(empty) = false .
  var NW : QMsg .
  eq resp(respMsg(S:Signal) & NW) = true .
  eq resp(passed & NW) = false .
  eq resp(reqMsg & NW) = false .
}

-- Control states of the crossing controller.
mod! LABEL {
  [Label]
  ops s1 s2 s3 s4 : -> Label .
}

-- The whole system as a multiset (comm assoc `__`) of observer components:
--   loc-o:       position of the RailCab
--   channel1-o:  messages RailCab -> controller (reqMsg, passed)
--   channel2-o:  messages controller -> RailCab (respMsg)
--   rStatus-o:   driving status of the RailCab
--   conLoc-O:    control state of the controller (note the capital O,
--                unlike every other observer name)
--   gate-o:      true = gate closed, false = gate open
--   pass-o:      last answer received by the RailCab
-- Messages are enqueued on the left (`m & NW`) and dequeued on the right
-- (`NW & m`), so each channel behaves as a FIFO.  B' is declared but not
-- used by any rule.
mod! RAILCAB-OLD {
  pr(LOCATION)
  pr(STATUS)
  pr(LABEL)
  pr(SIGNAL)
  pr(QueueMsg)
  [OldState]
  op __ : OldState OldState -> OldState {comm assoc} .
  op loc-o:_ : Location -> OldState {constr} .
  op channel1-o:_ : QMsg -> OldState {constr} .
  op channel2-o:_ : QMsg -> OldState {constr} .
  op rStatus-o:_ : Status -> OldState {constr} .
  op conLoc-O:_ : Label -> OldState {constr} .
  op gate-o:_ : Bool -> OldState {constr} .
  op pass-o:_ : Signal -> OldState {constr} .
  op init-o : -> OldState {constr} .
  var NW : QMsg .
  vars B B' : Bool .
  vars S S' : Signal .
  -- Initial state: RailCab at the end of its track section, running, no
  -- answer yet, both channels empty, controller in s1, gate open.
  eq init-o = (loc-o: endOfTS) (rStatus-o: running) (pass-o: unknown) (channel1-o: empty) (channel2-o: empty) (conLoc-O: s1) (gate-o: false) .

  -- behavior of the RailCab
  -- leaving endOfTS: enqueue a request on channel 1 and advance to lastBrake
  trans [sendReq] : (loc-o: endOfTS) (channel1-o: NW) => (loc-o: lastBrake) (channel1-o: (reqMsg & NW)) .
  -- dequeue the oldest response from channel 2 and remember its signal
  -- (the previous value S' is overwritten)
  trans [recResp] : (channel2-o: (NW & respMsg(S))) (pass-o: S') => (channel2-o: NW) (pass-o: S) .
  -- rejected at the last braking point: brake (terminal, see STATUS)
  trans [brake] : (rStatus-o: running) (loc-o: lastBrake) (pass-o: reject) => (rStatus-o: braked) (loc-o: lastBrake) (pass-o: reject) .
  -- granted, or still no answer: advance to the last emergency-brake point
  trans [move2LEB1] : (rStatus-o: running) (loc-o: lastBrake) (pass-o: grant) => (rStatus-o: running) (loc-o: leBrake) (pass-o: grant) .
  trans [move2LEB2] : (rStatus-o: running) (loc-o: lastBrake) (pass-o: unknown) => (rStatus-o: running) (loc-o: leBrake) (pass-o: unknown) .
  -- case 1 : rejected at leBrake: emergency brake (terminal)
  trans [eBrake1] : (rStatus-o: running) (loc-o: leBrake) (pass-o: reject) => (rStatus-o: eBraked) (loc-o: leBrake) (pass-o: reject) .
  -- case 2 : if no response message in the network
  -- (the condition only looks at the leftmost element of channel 2, see
  -- QueueMsg; if a response is present, recResp competes with this rule)
  ctrans [eBrake2] : (rStatus-o: running) (loc-o: leBrake) (pass-o: unknown) (channel2-o: NW) => (rStatus-o: eBraked) (loc-o: leBrake) (pass-o: unknown) (channel2-o: NW) if not resp(NW) .
  -- move to the section where brake cannot be allowed
  trans [move2nr] : (rStatus-o: running) (loc-o: leBrake) (pass-o: grant) => (rStatus-o: running) (loc-o: noReturn) (pass-o: grant) .
  -- pass
  -- (no status check here: noReturn is only reachable via move2nr while
  -- running, and no rule changes rStatus-o: at noReturn)
  trans [pass] : (loc-o: noReturn) => (loc-o: opposite) .
  -- back at endOfTS: report `passed` on channel 1 and forget the answer
  trans [sendPass] : (loc-o: opposite) (channel1-o: NW) (pass-o: S) => (pass-o: unknown) (loc-o: endOfTS) (channel1-o: (passed & NW)) .

  -- behavior of controller
  -- get the request message
  trans [recReq] : (conLoc-O: s1) (channel1-o: (NW & reqMsg)) => (conLoc-O: s2) (channel1-o: NW) .
  -- send response, if gate B is true (closed), the requesting railCab cannot pass
  trans [sendResp1] : (conLoc-O: s2) (channel2-o: NW) (gate-o: true) => (conLoc-O: s1) (gate-o: true) (channel2-o: (respMsg(reject) & NW)) .
  -- gate open: grant the request and move to s3; note the grant is sent
  -- BEFORE the gate is closed
  trans [sendResp2] : (conLoc-O: s2) (channel2-o: NW) (gate-o: false) => (conLoc-O: s3) (channel2-o: (respMsg(grant) & NW)) (gate-o: false) .
  -- NOTE(review): in the recovered text this rule is preceded by `--`, i.e.
  -- it reads as commented out.  Whether that `--` was a stand-alone
  -- separator line (rule active) or really disables the rule cannot be told
  -- from the collapsed source; confirm against the original file.  If the
  -- rule is disabled, no rule has conLoc-O: s3 on its left-hand side, so the
  -- controller never leaves s3 after sendResp2 and gate-o: true is never
  -- produced (sendResp1, getPass and openGate then appear unreachable).  If
  -- it is active, the gate is still closed only after the grant has been
  -- sent, so the RailCab can reach noReturn before closeGate fires.  The
  -- search after `eof` finds a violating state in either reading.
  -- trans [closeGate] : (conLoc-O: s3) (gate-o: B) => (conLoc-O: s1) (gate-o: true) .
  -- dequeue the `passed` report, then reopen the gate
  trans [getPass] : (conLoc-O: s1) (channel1-o: (NW & passed)) => (conLoc-O: s4) (channel1-o: NW) .
  trans [openGate] : (conLoc-O: s4) (gate-o: B) => (conLoc-O: s1) (gate-o: false) .
}

-- Everything after `eof` is not read when the file is loaded; the search
-- below has to be entered into the interpreter by hand.
eof

-- a state is found which means that it is possible that
-- a railCab can cross the gate when the gate is open
--
-- Safety property under test: the gate must be closed whenever the RailCab
-- is past its last emergency-brake point.  The search asks for any state
-- (unbounded number of solutions and depth, at least one transition)
-- reachable from init-o that matches gate-o: false together with
-- loc-o: noReturn.  One witness path, traced by hand from the rules above:
-- sendReq, recReq, sendResp2, recResp, move2LEB1, move2nr -- the grant
-- reaches the RailCab before the gate is ever closed.
open RAILCAB-OLD .
  red init-o =(*,*)=>+ (gate-o: false) (loc-o: noReturn) S:OldState .
close