-- PosEdge: false at the initial instant, afterwards the stream
--   X or not pre(X)
-- (in Lustre `not` binds tighter than `or`, so this is how the
-- original unparenthesised equation reads).
-- NOTE(review): this is weaker than a strict rising edge
-- (X and not pre(X)): it stays true for as long as X is held and is
-- also true one instant after X drops. Edge below uses the conjunctive
-- `X and not pre(X)` form; confirm which is intended, because both
-- main (on/off switch handling) and top (the OK property) rely on it.
node PosEdge (X: bool) returns (Y: bool);
var
  was_low: bool;   -- X was false one instant earlier (nil at init)
let
  was_low = not pre(X);
  Y = false -> (X or was_low);
tel
-- Edge: true whenever X changes value (rising or falling edge),
-- false at the initial instant where there is no previous value.
-- `X <> pre(X)` is the same truth table as the original
-- `X and not pre(X) or not X and pre(X)`.
node Edge (X: bool) returns (Y: bool);
let
  Y = false -> (X <> pre(X));
tel
-- AtLeastOnceSince: XsinceY is reset to the current X whenever Y holds;
-- otherwise it is X or the previous value (i.e. X has held at least
-- once since the last Y).
-- At the initial instant with Y false the result is true (vacuous
-- truth before any Y has been seen) — same as the original `true ->`.
node AtLeastOnceSince(X, Y: bool) returns (XsinceY: bool);
var
  carried: bool;   -- previous XsinceY, true at init
let
  carried = true -> pre(XsinceY);
  XsinceY = if Y then X else (X or carried);
tel
-- MoreThanOneSec: X has held for two consecutive instants
-- (now and the previous one); false at the initial instant.
-- The "second" in the name is the caller's interpretation of one
-- step of the base clock; nothing in this file fixes the period.
node MoreThanOneSec(X: bool) returns (Y: bool);
let
  Y = X and (false -> pre(X));
tel
-- MoreThanTwoSec: X has held for three consecutive instants.
-- held_once is the same stream as MoreThanOneSec(X) (inlined so this
-- node stands on its own); Y delays it by one instant and requires X
-- again. False for the first two instants.
node MoreThanTwoSec(X: bool) returns (Y: bool);
var
  held_once: bool;   -- X now and at the previous instant
let
  held_once = false -> (pre(X) and X);
  Y = false -> (pre(held_once) and X);
tel
-- one_button: exactly one of the three cruise buttons is pressed
-- (ccseti, ccsetd, ccr). Two or more pressed together, or none, is
-- false — so a chorded press is never treated as a request.
node one_button (ccseti, ccsetd, ccr: bool) returns (ob: bool);
var
  only_seti, only_setd, only_r: bool;
let
  only_seti = ccseti and not ccsetd and not ccr;
  only_setd = not ccseti and ccsetd and not ccr;
  only_r    = not ccseti and not ccsetd and ccr;
  ob = only_seti or only_setd or only_r;
tel
-- prev_no_button: no cruise button was pressed at the previous instant.
-- True at the initial instant (there is no previous instant), which is
-- what lets a press in the very first step count as a fresh press.
node prev_no_button (ccseti, ccsetd, ccr: bool)
returns (pnb: bool);
let
  -- De Morgan form of the original
  -- pre(not ccseti and not ccsetd and not ccr)
  pnb = true -> pre(not (ccseti or ccsetd or ccr));
tel
-- one_button_accept: a button request is accepted when exactly one
-- button is pressed now (one_button) and none was pressed at the
-- previous instant (prev_no_button), i.e. a fresh single press.
--   * a set button (not ccr) is accepted unconditionally;
--   * the resume button ccr is accepted only if cca has held at least
--     once since cconoff last produced a PosEdge on ccont — main passes
--     pre(cca) here, so this is the previous "cruise active" history.
-- NOTE(review): the resume path therefore inherits PosEdge's semantics;
-- see the note on PosEdge.
node one_button_accept (ccseti, ccsetd, ccr, ccont, cca: bool)
returns (oba: bool);
var
  ob, pnb: bool;
  resume_ok: bool;   -- history condition required for ccr
let
  pnb = prev_no_button(ccseti, ccsetd, ccr);
  ob = one_button(ccseti, ccsetd, ccr);
  resume_ok = AtLeastOnceSince(cca, PosEdge(ccont));
  -- Flattened form of the original nested if: the outer `pnb and ob`
  -- gate, then `not ccr` short-circuits the history check.
  oba = pnb and ob and (not ccr or resume_ok);
tel
-- cc_allowed: all preconditions for cruise activation hold:
-- system on (ccont), not cancelled (cccanc), bpa false, battery/gear/
-- qf status ok, sdok held for two instants (MoreThanOneSec), accok held
-- for three instants (MoreThanTwoSec), and speed vs within [35, 200].
-- NOTE(review): igsw is a parameter but is not used in the equation;
-- either it is intentionally ignored here or a check is missing.
-- The speed bounds 35 and 200 are literals with no unit given in the
-- file — confirm the unit against the vehicle model.
node cc_allowed (ccont, igsw, bpa, cccanc, battok, gearok,
                 qfok, sdok, accok: bool; vs: int)
returns (ccall: bool);
var
  speed_in_range: bool;
  status_ok: bool;   -- the debounced / held status inputs
let
  speed_in_range = (35 <= vs) and (vs <= 200);
  status_ok = battok and gearok and qfok
              and MoreThanOneSec(sdok) and MoreThanTwoSec(accok);
  -- `and` is commutative in Lustre, so regrouping the conjuncts does
  -- not change the stream.
  ccall = ccont and not cccanc and not bpa and status_ok and speed_in_range;
tel
-- main: cruise-control controller. Computes the "cruise on" flag ccont
-- from the on/off switch cconoff (via PosEdge), igsw edges and ccd, and
-- the "cruise active" flag cca from accepted button requests gated by
-- cc_allowed. Both flags start false.
node main (igsw, ccd, cconoff, bpa, cccanc, battok, gearok,
           qfok, sdok, accok, ccseti, ccsetd, ccr: bool; vs: int)
returns (ccont, cca: bool);
var
  ccall: bool;       -- activation currently permitted (cc_allowed)
  toggle: bool;      -- PosEdge of the on/off switch
  force_off: bool;   -- any condition that clears ccont
  turn_on: bool;     -- switch pressed while the system was off
  accept: bool;      -- accepted single-button request
let
  toggle = PosEdge(cconoff);
  -- Off has priority over on: an igsw edge, ccd, or the switch while
  -- already on all clear ccont (same grouping as the original, where
  -- `and` binds tighter than `or`).
  force_off = Edge(igsw) or ccd or (pre(ccont) and toggle);
  turn_on = pre(not ccont) and toggle;
  ccont = false -> (if force_off then false
                    else if turn_on then true
                    else pre(ccont));
  ccall = cc_allowed(ccont, igsw, bpa, cccanc, battok,
                     gearok, qfok, sdok, accok, vs);
  -- The previous cca is passed back as the history used for the
  -- resume button.
  accept = one_button_accept(ccseti, ccsetd, ccr, ccont, pre(cca));
  -- Equivalent to the original if-chain: set on an accepted request
  -- while allowed, cleared as soon as not allowed, otherwise held.
  cca = false -> (ccall and (accept or pre(cca)));
tel
-- top: observer for the safety property OK, checked by the
-- --%PROPERTY annotation below (and restated as a Kind2 contract
-- guarantee): whenever cca shows a PosEdge, at least one of the cruise
-- buttons (ccseti, ccsetd, ccr) shows a PosEdge at the same instant —
-- i.e. cruise cannot become active without a button being involved.
-- NOTE(review): the strength of this property depends on PosEdge; see
-- the note there. The stream env is computed but not referenced by
-- any equation or annotation in this node, so it currently has no
-- effect on the result.
node top (igsw, ccd, cconoff, bpa, cccanc, battok, gearok,
          qfok, sdok, accok, ccseti, ccsetd, ccr: bool; vs: int)
returns (OK : bool);
--@ contract guarantees OK;
var
  ccont, cca: bool;
  env : bool;
  any_button_edge: bool;   -- a PosEdge on at least one button
let
  (ccont, cca) = main(igsw, ccd, cconoff, bpa, cccanc, battok,
                      gearok, qfok, sdok, accok, ccseti, ccsetd,
                      ccr, vs);
  env = not igsw -> true;
  any_button_edge = PosEdge(ccseti) or PosEdge(ccsetd) or PosEdge(ccr);
  -- implication form of the original `if PosEdge(cca) then ... else true`
  OK = not PosEdge(cca) or any_button_edge;
  --%MAIN;
  --%PROPERTY OK=true;
tel