|
1
|
--
|
|
2
|
-- Source: Magnus Ljung
|
|
3
|
-- This is the Lustre source to the specication of a cruise controller
|
|
4
|
-- that Nielsen presents in Nie98b. This is only an implementation of part
|
|
5
|
-- of the speci cation. A subset of all requirements are given as the
|
|
6
|
-- properties , , and . p1 p2 p3 p4
|
|
7
|
|
|
8
|
-- PosEdge(X) defines a positive edge of X,
|
|
9
|
-- i.e. X was false and becomes true
|
|
10
|
node PosEdge (X: bool) returns (Y: bool);
|
|
11
|
let
|
|
12
|
Y = false -> X and not pre(X);
|
|
13
|
tel
|
|
14
|
|
|
15
|
-- Edge(X) defines an edge of X,
|
|
16
|
-- i.e. X was false and becomes true or vice versa
|
|
17
|
node Edge (X: bool) returns (Y: bool);
|
|
18
|
let
|
|
19
|
Y = false -> (X and not pre(X) or not X and pre(X));
|
|
20
|
tel
|
|
21
|
|
|
22
|
-- AtLeastOnceSince(X, Y) is true if X has been true once
|
|
23
|
-- since Y became true
|
|
24
|
node AtLeastOnceSince(X, Y: bool) returns (XsinceY: bool);
|
|
25
|
let
|
|
26
|
XsinceY = if Y then X else (true -> X or pre(XsinceY));
|
|
27
|
tel
|
|
28
|
|
|
29
|
-- MoreThanOneSec(X) is true when X has been true more than 1
|
|
30
|
-- time instance
|
|
31
|
node MoreThanOneSec(X: bool) returns (Y: bool);
|
|
32
|
let
|
|
33
|
Y = false -> pre(X) and X;
|
|
34
|
tel
|
|
35
|
|
|
36
|
-- MoreThanTwoSec(X) is true when X has been true more than 2
|
|
37
|
-- time instances
|
|
38
|
node MoreThanTwoSec(X: bool) returns (Y: bool);
|
|
39
|
let
|
|
40
|
Y = false -> pre(false -> pre(X) and X) and X;
|
|
41
|
tel
|
|
42
|
|
|
43
|
-- one_button(ccseti, ccsetd, ccr) defines the event when
|
|
44
|
-- only one button is pressed
|
|
45
|
node one_button (ccseti, ccsetd, ccr: bool) returns (ob: bool);
|
|
46
|
let
|
|
47
|
ob = ccseti and not ccsetd and not ccr or
|
|
48
|
not ccseti and ccsetd and not ccr or
|
|
49
|
not ccseti and not ccsetd and ccr;
|
|
50
|
tel
|
|
51
|
|
|
52
|
-- prev_no_button(ccseti, ccsetd, ccr) defines the event when no
|
|
53
|
-- button is pressed in the previous time instance
|
|
54
|
node prev_no_button (ccseti, ccsetd, ccr: bool)
|
|
55
|
returns (pnb: bool);
|
|
56
|
let
|
|
57
|
pnb = true -> pre(not ccseti and not ccsetd and not ccr);
|
|
58
|
tel
|
|
59
|
|
|
60
|
-- one_button_accept(ccseti, ccsetd, ccr, ccont, cca) defines the
|
|
61
|
-- event when one button is pressed and accepted
|
|
62
|
node one_button_accept (ccseti, ccsetd, ccr, ccont, cca: bool)
|
|
63
|
returns (oba: bool);
|
|
64
|
var
|
|
65
|
ob, pnb: bool;
|
|
66
|
|
|
67
|
let
|
|
68
|
pnb = prev_no_button(ccseti, ccsetd, ccr);
|
|
69
|
ob = one_button(ccseti, ccsetd, ccr);
|
|
70
|
oba = if pnb and ob then
|
|
71
|
if not ccr then true
|
|
72
|
else AtLeastOnceSince(cca, PosEdge(ccont))
|
|
73
|
else false;
|
|
74
|
tel
|
|
75
|
|
|
76
|
-- cc_allowed(ccont,...) defines when the cruise control is
|
|
77
|
-- allowed to be active, i.e. cca is allowed to be true
|
|
78
|
node cc_allowed (ccont, igsw, bpa, cccanc, battok, gearok,
|
|
79
|
qfok, sdok, accok: bool; vs: int)
|
|
80
|
returns (ccall: bool);
|
|
81
|
let
|
|
82
|
ccall = ccont and not bpa and battok and gearok and
|
|
83
|
qfok and MoreThanOneSec(sdok) and 35 <= vs and
|
|
84
|
vs <= 200 and MoreThanTwoSec(accok) and not cccanc;
|
|
85
|
tel
|
|
86
|
|
|
87
|
node main (igsw, ccd, cconoff, bpa, cccanc, battok, gearok,
|
|
88
|
qfok, sdok, accok, ccseti, ccsetd, ccr: bool; vs: int)
|
|
89
|
returns (ccont, cca: bool);
|
|
90
|
var
|
|
91
|
ccall: bool;
|
|
92
|
let
|
|
93
|
-- ccont - indicates whether the cc is on or not
|
|
94
|
-- igsw - indicates whether the ignition switch is turned
|
|
95
|
-- on or not
|
|
96
|
-- ccd - indicates whether there is a detected error or not
|
|
97
|
-- cconoff - indicates if the driver presses the on/off button
|
|
98
|
ccont = false -> if Edge(igsw) or ccd or
|
|
99
|
pre(ccont) and PosEdge(cconoff) then false
|
|
100
|
else if pre(not ccont) and
|
|
101
|
PosEdge(cconoff) then true
|
|
102
|
else pre(ccont);
|
|
103
|
|
|
104
|
-- bpa - true when driver presses the break pedal
|
|
105
|
-- cccanc - true when driver presses the cancel button
|
|
106
|
-- battok - true when the voltage of the battery >= 9 volt
|
|
107
|
-- gearok - true when the gear lever is in position
|
|
108
|
-- Drive or Drive_L
|
|
109
|
-- qfok - true when the quality signals for vsa, vs and
|
|
110
|
-- atglp is ok
|
|
111
|
-- sdok - true when the speed deviation is ok
|
|
112
|
-- accok - true when the acceleration is ok
|
|
113
|
-- vs - indicates the speed of the vehicle
|
|
114
|
ccall = cc_allowed(ccont, igsw, bpa, cccanc, battok,
|
|
115
|
gearok, qfok, sdok, accok, vs);
|
|
116
|
|
|
117
|
-- ccseti - true when driver presses the set/plus button
|
|
118
|
-- ccsetd - true when driver presses the set/minus button
|
|
119
|
-- ccr - true when driver presses the resume button
|
|
120
|
cca = false ->
|
|
121
|
if one_button_accept(ccseti, ccsetd, ccr, ccont,
|
|
122
|
pre(cca))
|
|
123
|
and ccall then true else if not ccall then false
|
|
124
|
else pre(cca);
|
|
125
|
tel
|
|
126
|
|
|
127
|
node top (igsw, ccd, cconoff, bpa, cccanc, battok, gearok,
|
|
128
|
qfok, sdok, accok, ccseti, ccsetd, ccr: bool; vs: int)
|
|
129
|
returns (OK : bool);
|
|
130
|
--@ contract guarantees OK;
|
|
131
|
var
|
|
132
|
ccont, cca: bool;
|
|
133
|
env : bool;
|
|
134
|
let
|
|
135
|
(ccont, cca) = main(igsw, ccd, cconoff, bpa, cccanc, battok,
|
|
136
|
gearok, qfok, sdok, accok, ccseti, ccsetd,
|
|
137
|
ccr, vs);
|
|
138
|
env = not igsw -> true;
|
|
139
|
|
|
140
|
OK = if PosEdge(cca) then PosEdge(ccseti) or
|
|
141
|
PosEdge(ccsetd) or PosEdge(ccr) else true;
|
|
142
|
--%PROPERTY OK=true;
|
|
143
|
--%MAIN;
|
|
144
|
tel
|