(*-------------------------------------------------------------------------*)
MODEL garage_counter
(* This is a UCLID model of the extended finite-state machine model
 * of a simple parking garage counter given in Chapter 3 of Lee & Seshia *)
(*-------------------------------------------------------------------------*)

(* global constants *)
(* N: garage capacity.  It is referenced only as the upper guard on the
 * increment transition (count < N) in module ctr and is pinned to 0x02 by
 * size_assumption in the CONTROL block; otherwise it is a free symbolic
 * constant. *)
CONST
  N : BITVEC[8];

(*-------------------------------------------------------------------------*)
(* Counter module: a single 8-bit state variable, count, driven by the
 * up/dn signals produced by module env. *)
MODULE ctr

INPUT
  env.up : TRUTH;
  env.dn : TRUTH;

VAR
  (* STATE VARIABLES *)
  count : BITVEC[8];

  (*OUTPUTS*)

CONST
  (* init_cnt: symbolic initial count.  Leaving it unconstrained is what
   * turns the CONTROL experiment below into an inductive-step check rather
   * than a reachability check from a fixed initial state. *)
  init_cnt : BITVEC[8];

DEFINE
  up := env.up;
  dn := env.dn;
  (* 8-bit aliases for zero and one.  Neither is referenced anywhere in this
   * file; the transitions below use the literals 0x01 and 0 directly. *)
  zero_hex := (0x00 # [7:0]);
  one_hex := (0x01 # [7:0]);

ASSIGN
  (*
  (* Transition relation for bounded model checking experiment *)
  init[count] := 0x00;
  next[count] := case
    up & ~dn & (count < N) : count +_8 0x01;
    ~up & dn & (count > 0) : count -_8 0x01;
    default : count;
  esac;
  *)

  (* Transition relation for inductive invariant checking experiment.
   * Same next-state function as the commented-out BMC version above; only
   * the initial state differs (symbolic init_cnt instead of 0x00).
   *   up & ~dn and count below capacity N   -> increment by one
   *   ~up & dn and count above zero         -> decrement by one
   *   anything else (both, neither, at a bound) -> hold
   * The two guards are what keep count inside [0, N]; +_8 and -_8 are
   * presumably 8-bit modular operators, so without the guards the count
   * could wrap - TODO confirm against the UCLID operator semantics.
   * NOTE(review): the decrement guard writes its bound as the integer
   * literal 0 while every other bound in the file is hex (0x01, 0x02);
   * zero_hex above looks intended for this - confirm the comparison
   * types agree. *)
  init[count] := init_cnt;
  next[count] := case
    up & ~dn & (count < N) : count +_8 0x01;
    ~up & dn & (count > 0) : count -_8 0x01;
    default : count;
  esac;

(*-------------------------------------------------------------------------*)
(* Environment module: models the entry/exit sensors as two unconstrained
 * boolean signals.  Every combination, including up and dn asserted in the
 * same step, is possible at every step, so ctr must tolerate all of them. *)
MODULE env

INPUT

VAR
  (* STATE VARIABLES *)
  up : TRUTH;
  dn : TRUTH;

  (*OUTPUTS*)

CONST

DEFINE

ASSIGN
  (* Non-deterministically assign up and dn signals *)
  init[up] := {true, false};
  next[up] := {true, false};
  init[dn] := {true, false};
  next[dn] := {true, false};

(*====================================================*)
(* Verification script.  Three experiments are written here; the two BMC
 * runs are commented out and only the induction run is executed. *)
CONTROL

EXTVAR

STOREVAR
  (* Snapshots of ctr.count taken before and after one transition step. *)
  cnt0 : BITVEC[8];
  cnt1 : BITVEC[8];

VAR

CONST

DEFINE
  (* Fixes the capacity for the property below.  The decide calls are
   * guarded by it, so the properties are only claimed for N = 2. *)
  size_assumption := (N = 0x02);

EXEC
  initialize;

  (*
  (* BMC Experiment 1 *)
  simulate(2);
  decide(ctr.count <= 0x01);
  *)

  (*
  (* BMC Experiment 2 *)
  simulate(3);
  decide(size_assumption => (ctr.count <= 0x02));
  *)

  (* Induction Experiment: one-step inductive-step check for the invariant
   * count <= 0x02 under size_assumption.  Because init[count] is the
   * symbolic init_cnt rather than a fixed value, cnt0 is an arbitrary
   * pre-state; the decide asks whether every pre-state satisfying the
   * invariant steps to a post-state that still satisfies it.  This block
   * does not establish the base case (that the actual initial count - 0x00
   * in the commented-out BMC relation - satisfies the invariant); that
   * has to come from a separate run. *)
  cnt0 := ctr.count;
  simulate(1);
  cnt1 := ctr.count;
  decide(size_assumption => ((cnt0 <= 0x02) => (cnt1 <= 0x02)));