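--- this is a rewrite theory specification in Maude
--- formally specifying the RailCab crossing system (old version)
---
--- Model overview (all of it read off the rules below):
---   * A single RailCab moves endOfTS -> lastBrake -> leBrake -> noReturn
---     -> opposite and then back to endOfTS.
---   * The cab and the crossing controller talk over two FIFO channels:
---     channel1-o (cab -> controller) and channel2-o (controller -> cab).
---     Messages are enqueued on the left of a queue and dequeued from the right.
---   * gate-o: true means the gate is closed, gate-o: false means it is open.
---
--- Safety property of interest: the cab must never be at noReturn while
--- gate-o is false. The search command at the end of the file looks for
--- exactly that state.

--- Track positions of the RailCab, with a decidable equality on them.
fmod LOCATION is
  sort Location .
  ops endOfTS lastBrake leBrake noReturn opposite : -> Location .
  op _=_ : Location Location -> Bool [comm] .
  var L : Location .
  eq (L = L) = true .
  --- any two syntactically different locations are unequal
  eq (L = L':Location) = false [owise] .
endfm

--- Motion status of the RailCab.
fmod STATUS is
  sort Status .
  ops running braked eBraked : -> Status .
endfm

--- Answer of the controller as seen by the cab; unknown = no answer yet.
fmod SIGNAL is
  sort Signal .
  ops unknown grant reject : -> Signal .
endfm

--- Messages exchanged between cab and controller.
fmod MSG is
  pr SIGNAL .
  sort Msg .
  op respMsg : Signal -> Msg .   --- controller -> cab: grant / reject
  op passed : -> Msg .           --- cab -> controller: crossing has been passed
  op reqMsg : -> Msg .           --- cab -> controller: request to cross
endfm

--- Generic queue: associative concatenation with identity empty.
fmod QUEUE{X :: TRIV} is
  sort Queue{X} .
  subsort X$Elt < Queue{X} .
  op empty : -> Queue{X} [ctor] .
  op _&_ : Queue{X} Queue{X} -> Queue{X} [assoc id: empty] .
  vars E1 E2 : X$Elt .
  vars Q1 Q2 : Queue{X} .
  --- The two equations below are disabled: no _=_ is declared on queues or
  --- on X$Elt in this module, so they would not parse if enabled.
  --- eq (empty = (E:X$Elt & Q:Queue{X})) = false .
  --- eq ((E1 & Q1) = (E2 & Q2)) = ((E1 = E2) and (Q1 = Q2)) .
endfm

view VMSG from TRIV to MSG is
  sort Elt to Msg .
endv

--- Queues of messages (sort QMsg) plus the predicate resp.
fmod QueueMsg is
  pr QUEUE{VMSG}*(sort Queue{VMSG} to QMsg) .
  --- resp(Q) is true iff the LEFTMOST element of Q is a respMsg.
  --- NOTE(review): this inspects only the most recently enqueued message,
  --- not the whole queue. In RAILCAB-OLD only respMsg is ever put on
  --- channel2-o, so there it coincides with "a response is in transit";
  --- it would stop doing so if other messages were sent on that channel.
  op resp : QMsg -> Bool .
  eq resp(empty) = false .
  var NW : QMsg .
  eq resp(respMsg(S:Signal) & NW) = true .
  eq resp(passed & NW) = false .
  eq resp(reqMsg & NW) = false .
endfm

--- Control locations of the crossing controller, with decidable equality.
fmod LABEL is
  sort Label .
  ops s1 s2 s3 s4 : -> Label .
  op _=_ : Label Label -> Bool [comm] .
  vars L1 L2 : Label .
  eq (L1 = L1) = true .
  eq (L1 = L2) = false [owise] .
endfm

mod RAILCAB-OLD is
  pr LOCATION .
  pr STATUS .
  pr LABEL .
  pr SIGNAL .
  pr QueueMsg .

  --- A global state is a multiset (comm assoc juxtaposition) of observers.
  sort OldState .
  op __ : OldState OldState -> OldState [comm assoc] .
  op loc-o:_ : Location -> OldState [ctor] .      --- position of the cab
  op channel1-o:_ : QMsg -> OldState [ctor] .     --- cab -> controller
  op channel2-o:_ : QMsg -> OldState [ctor] .     --- controller -> cab
  op rStatus-o:_ : Status -> OldState [ctor] .    --- motion status of the cab
  op conLoc-O:_ : Label -> OldState [ctor] .      --- control location of the controller
  op gate-o:_ : Bool -> OldState [ctor] .         --- true = closed, false = open
  op pass-o:_ : Signal -> OldState [ctor] .       --- last answer received by the cab
  op init-o : -> OldState [ctor] .

  var NW : QMsg .
  vars B B' : Bool .
  vars S S' : Signal .

  --- Initial state: cab running at endOfTS with no answer yet, both
  --- channels empty, controller at s1, gate open.
  eq init-o = (loc-o: endOfTS) (rStatus-o: running) (pass-o: unknown)
              (channel1-o: empty) (channel2-o: empty)
              (conLoc-O: s1) (gate-o: false) .

  --- behavior of the RailCab

  --- send the crossing request and advance to lastBrake
  rl [sendReq] :
     (loc-o: endOfTS) (channel1-o: NW)
  => (loc-o: lastBrake) (channel1-o: (reqMsg & NW)) .

  --- take the oldest response from channel2-o; it overwrites pass-o
  rl [recResp] :
     (channel2-o: (NW & respMsg(S))) (pass-o: S')
  => (channel2-o: NW) (pass-o: S) .

  --- rejected at lastBrake: normal brake
  rl [brake] :
     (rStatus-o: running) (loc-o: lastBrake) (pass-o: reject)
  => (rStatus-o: braked) (loc-o: lastBrake) (pass-o: reject) .

  --- granted at lastBrake: advance to leBrake
  rl [move2LEB1] :
     (rStatus-o: running) (loc-o: lastBrake) (pass-o: grant)
  => (rStatus-o: running) (loc-o: leBrake) (pass-o: grant) .

  --- no answer yet at lastBrake: the cab still advances to leBrake
  rl [move2LEB2] :
     (rStatus-o: running) (loc-o: lastBrake) (pass-o: unknown)
  => (rStatus-o: running) (loc-o: leBrake) (pass-o: unknown) .

  --- rejected at leBrake: emergency brake
  rl [eBrake1] :
     (rStatus-o: running) (loc-o: leBrake) (pass-o: reject)
  => (rStatus-o: eBraked) (loc-o: leBrake) (pass-o: reject) .

  --- case 2 : if no response message in the network
  crl [eBrake2] :
     (rStatus-o: running) (loc-o: leBrake) (pass-o: unknown) (channel2-o: NW)
  => (rStatus-o: eBraked) (loc-o: leBrake) (pass-o: unknown) (channel2-o: NW)
  if not resp(NW) .

  --- move to the section where brake cannot be allowed
  --- NOTE(review): the only guard is the cab's own pass-o: grant; the rule
  --- does not look at gate-o, so nothing here ties entry into noReturn to
  --- the gate actually being closed.
  rl [move2nr] :
     (rStatus-o: running) (loc-o: leBrake) (pass-o: grant)
  => (rStatus-o: running) (loc-o: noReturn) (pass-o: grant) .

  --- pass
  rl [pass] :
     (loc-o: noReturn)
  => (loc-o: opposite) .

  --- report the passage, reset pass-o to unknown and return to endOfTS
  rl [sendPass] :
     (loc-o: opposite) (channel1-o: NW) (pass-o: S)
  => (pass-o: unknown) (loc-o: endOfTS) (channel1-o: (passed & NW)) .

  --- behavior of controller

  --- get the request message
  rl [recReq] :
     (conLoc-O: s1) (channel1-o: (NW & reqMsg))
  => (conLoc-O: s2) (channel1-o: NW) .

  --- send response, if gate B is true (closed), the requesting railCab cannot pass
  rl [sendResp1] :
     (conLoc-O: s2) (channel2-o: NW) (gate-o: true)
  => (conLoc-O: s1) (gate-o: true) (channel2-o: (respMsg(reject) & NW)) .

  --- gate open: grant is enqueued while gate-o is still false; the gate is
  --- only closed by the separate, later rule closeGate. Between the two
  --- steps recResp, move2LEB1 and move2nr are all enabled for the cab,
  --- which is the interleaving the search at the end of the file finds.
  rl [sendResp2] :
     (conLoc-O: s2) (channel2-o: NW) (gate-o: false)
  => (conLoc-O: s3) (channel2-o: (respMsg(grant) & NW)) (gate-o: false) .

  --- NOTE(review): the source shows a bare "---" immediately before this
  --- rule. It is kept active here because closeGate is the only rule that
  --- leaves s3; without it getPass and openGate (which need s1 / s4) can
  --- never fire after a grant. Confirm against the original file.
  ---
  rl [closeGate] :
     (conLoc-O: s3) (gate-o: B)
  => (conLoc-O: s1) (gate-o: true) .

  --- the cab reported that it has passed the crossing
  rl [getPass] :
     (conLoc-O: s1) (channel1-o: (NW & passed))
  => (conLoc-O: s4) (channel1-o: NW) .

  --- reopen the gate after the passage was reported
  rl [openGate] :
     (conLoc-O: s4) (gate-o: B)
  => (conLoc-O: s1) (gate-o: false) .
endm

eof

--- Maude stops reading this file at eof, so the command below is not run
--- on load; enter it at the prompt after loading the file.

--- a state is found which means that it is possible that
--- a railCab can cross the gate when the gate is open
search init-o =>* (gate-o: false) (loc-o: noReturn) S:OldState .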