in railcab-trans-new.maude
in model-checker.maude

--- assumptions of update
--- 1. current state should be preserved
--- 2. new functionalities should be initialized
--- Criteria of correct update
--- 1. it should finally reach an updatable state, otherwise, it must be braked
--- 2. after being updated, system should satisfy desired properties
--- In this example, the problem is
--- a. when railcab is crossing the intersection, gate must be closed.
--- b. when railcab can cross the intersection (when gate is closed and railcab
---    is granted to cross, it must cross)

mod RAILCAB-UPDATE-2 is
  inc RAILCAB-NEW .
  inc RAILCAB-OLD .

  sort ONState .
  subsort OldState NewState < ONState .

  var LOC : Location .
  var T : Status .
  vars CH1 CH2 : QMsg .
  var B : Bool .
  var S : Signal .
  var L : Label .

  --- convert the old message queue into the new queue representation
  op convert : QMsg -> QMsgNew .
  eq convert(empty) = emptyNew .
  eq convert(M:Msg & Q:QMsg) = (M:Msg && convert(Q:QMsg)) .

  --- this is a safe update
  --- there are three sufficient conditions
  --- 1. channel1-o must be empty
  --- 2. controller must be at s1
  --- 3. RailCab must not be at noReturn
  crl [update-2] :
    (loc-o: LOC:Location) (rStatus-o: running) (pass-o: S:Signal)
    (channel1-o: empty) (channel2-o: CH2:QMsg) (conLoc-O: s1) (gate-o: B)
    =>
    (loc-n: LOC), (rStatus-n: running), (pass-n: S),
    (channel1-n: emptyNew), (channel2-n: convert(CH2)), (conLoc-N: s1),
    (gate-n: B), (appResult: (if B then grant else unknown fi))
    if not (LOC = noReturn) .
endm

mod PREDICATE is
  including MODEL-CHECKER .
  inc RAILCAB-UPDATE-2 .

  subsort ONState < State .

  op @noReturn : -> Prop .
  op updated : -> Prop .
  op braked : -> Prop .
  op granted : -> Prop .

  eq (rStatus-o: eBraked) OS:OldState |= braked = true .
  eq (loc-n: noReturn), NS:NewState |= @noReturn = true .
  eq (pass-n: grant), NS:NewState |= granted = true .
  eq NS:NewState |= updated = true .
  eq S:State |= P:Prop = false [owise] .

  op fair : -> Formula .
  op updatable : -> Prop .
  var L : Location .
  var LB : Label .

  --- define the condition of updatable state
  ceq (loc-o: L) (rStatus-o: running) (conLoc-O: s1) (channel1-o: empty) OS:OldState
      |= updatable = true if not (L = noReturn) .
  eq fair = (updatable -> (O updated)) .

  op closedGate : -> Prop .
  eq (gate-n: true), NS:NewState |= closedGate = true .
endm

eof

--- formula of the properties
--- 1. Updatability, <> updatable or <> braked
red modelCheck(init-o, (<> updatable) \/ (<> braked)) .
--- it is true
--- a. The main property, when crossing, gate must be closed
--- [](@noReturn -> closedGate)
red modelCheck(init-o, [] (@noReturn -> closedGate)) .
--- it is true.
--- b. no deadlock, i.e., if it can cross, it must cross
red modelCheck(init-o, [] ((granted /\ closedGate) -> <> @noReturn)) .