Revision 6c964a9b
Added by Pierre-Loïc Garoche over 6 years ago
tests/cocospec-orig/StopwatchSpec.lus | ||
---|---|---|
1 |
------------------------- |
|
2 |
-- Auxiliary operators -- |
|
3 |
------------------------- |
|
4 |
node Even (N: int) returns (B: bool) ; |
|
5 |
let |
|
6 |
B = (N mod 2 = 0) ; |
|
7 |
tel |
|
8 |
|
|
9 |
node ToInt (X: bool) returns (N: int) ; |
|
10 |
let |
|
11 |
N = if X then 1 else 0 ; |
|
12 |
tel |
|
13 |
|
|
14 |
node Count (X: bool) returns (N: int) ; |
|
15 |
let |
|
16 |
N = ToInt(X) -> ToInt(X) + pre N ; |
|
17 |
tel |
|
18 |
|
|
19 |
node Sofar ( X : bool ) returns ( Y : bool ) ; |
|
20 |
let |
|
21 |
Y = X -> (X and (pre Y)) ; |
|
22 |
tel |
|
23 |
|
|
24 |
node Since ( X, Y : bool ) returns ( Z : bool ) ; |
|
25 |
let |
|
26 |
Z = X or (Y and (false -> pre Z)) ; |
|
27 |
tel |
|
28 |
|
|
29 |
|
|
30 |
node SinceIncl ( X, Y : bool ) returns ( Z : bool ) ; |
|
31 |
let |
|
32 |
Z = Y and (X or (false -> pre Z)) ; |
|
33 |
tel |
|
34 |
|
|
35 |
node Increased (N: int) returns (B: bool) ; |
|
36 |
let |
|
37 |
B = true -> N > pre N ; |
|
38 |
tel |
|
39 |
|
|
40 |
node Stable (N: int) returns (B: bool) ; |
|
41 |
let |
|
42 |
B = true -> N = pre N ; |
|
43 |
tel |
|
44 |
|
|
45 |
------------------------------- |
|
46 |
-- Stopwatch high-level spec -- |
|
47 |
------------------------------- |
|
48 |
contract stopwatchSpec ( toggle, reset : bool ) returns ( time : int ) ; |
|
49 |
let |
|
50 |
-- the watch is activated initially if the toggle button is pressed |
|
51 |
-- afterwards, it is activated iff |
|
52 |
-- it was activated before and the toggle button is unpressed or |
|
53 |
-- it was not activated before and the toggle button is pressed |
|
54 |
var on: bool = toggle -> (pre on and not toggle) |
|
55 |
or (not pre on and toggle) ; |
|
56 |
|
|
57 |
-- we can assume that the two buttons are never pressed together |
|
58 |
assume not (toggle and reset) ; |
|
59 |
|
|
60 |
-- the elapsed time starts at 1 or 0 depending |
|
61 |
-- on whether the watch is activated or not |
|
62 |
guarantee (on => time = 1) -> true ; |
|
63 |
guarantee (not on => time = 0) -> true ; |
|
64 |
-- the elapsed time is always non-negative |
|
65 |
guarantee time >= 0 ; |
|
66 |
|
|
67 |
-- if there is no reset now and there was an even number of counts since the last reset |
|
68 |
-- then the current elapsed time is the same as the previous one |
|
69 |
guarantee not reset and Since(reset, Even(Count(toggle))) |
|
70 |
=> Stable(time) ; |
|
71 |
-- if there is no reset now and there was an odd number of counts since the last reset |
|
72 |
-- then the current elapsed time is greater than previous one |
|
73 |
guarantee not reset and Since(reset, not Even(Count(toggle))) |
|
74 |
=> Increased(time) ; |
|
75 |
|
|
76 |
|
|
77 |
-- guarantee true -> not Even(Count(toggle)) and Count(reset) = 0 => time > pre time ; |
|
78 |
|
|
79 |
|
|
80 |
-- the watch is in resetting mode if the reset button is pressed |
|
81 |
-- while in that mode, the elapsed time is 0 |
|
82 |
mode resetting ( |
|
83 |
require reset ; |
|
84 |
ensure time = 0 ; |
|
85 |
) ; |
|
86 |
|
|
87 |
-- the watch is in running mode if is activated and |
|
88 |
-- the reset button is unpressed. |
|
89 |
-- while in that mode, the elapsed time increases by 1 |
|
90 |
mode running ( |
|
91 |
require on ; |
|
92 |
require not reset ; |
|
93 |
ensure true -> time = pre time + 1 ; |
|
94 |
) ; |
|
95 |
|
|
96 |
-- the watch is in stopped mode if is not activated and |
|
97 |
-- the reset button is unpressed |
|
98 |
-- while in that mode, the elapsed time remains the same |
|
99 |
mode stopped ( |
|
100 |
require not reset ; |
|
101 |
require not on ; |
|
102 |
ensure true -> time = pre time ; |
|
103 |
) ; |
|
104 |
tel |
|
105 |
|
|
106 |
------------------------------ |
|
107 |
-- Stopwatch low-level spec -- |
|
108 |
------------------------------ |
|
109 |
|
|
110 |
node stopwatch ( toggle, reset : bool ) returns ( count : int ); |
|
111 |
(*@contract import stopwatchSpec(toggle, reset ) returns (count) ; *) |
|
112 |
var running : bool; |
|
113 |
let |
|
114 |
running = (false -> pre running) <> toggle ; |
|
115 |
count = |
|
116 |
if reset then 0 |
|
117 |
else if running then 1 -> pre count + 1 |
|
118 |
else 0 -> pre count ; |
|
119 |
tel |
|
120 |
|
|
121 |
|
|
122 |
|
|
123 |
|
|
124 |
|
tests/cocospec/StopwatchSpec.lus | ||
---|---|---|
45 | 45 |
------------------------------- |
46 | 46 |
-- Stopwatch high-level spec -- |
47 | 47 |
------------------------------- |
48 |
|
|
49 |
(*@ |
|
48 | 50 |
contract stopwatchSpec ( toggle, reset : bool ) returns ( time : int ) ; |
49 | 51 |
let |
50 | 52 |
-- the watch is activated initially if the toggle button is pressed |
... | ... | |
102 | 104 |
ensure true -> time = pre time ; |
103 | 105 |
) ; |
104 | 106 |
tel |
107 |
*) |
|
105 | 108 |
|
106 | 109 |
------------------------------ |
107 | 110 |
-- Stopwatch low-level spec -- |
tests/cocospec/StopwatchSpec2.lus | ||
---|---|---|
1 |
------------------------- |
|
2 |
-- Auxiliary operators -- |
|
3 |
------------------------- |
|
4 |
node Even (N: int) returns (B: bool) ; |
|
5 |
let |
|
6 |
B = (N mod 2 = 0) ; |
|
7 |
tel |
|
8 |
|
|
9 |
node ToInt (X: bool) returns (N: int) ; |
|
10 |
let |
|
11 |
N = if X then 1 else 0 ; |
|
12 |
tel |
|
13 |
|
|
14 |
node Count (X: bool) returns (N: int) ; |
|
15 |
let |
|
16 |
N = ToInt(X) -> ToInt(X) + pre N ; |
|
17 |
tel |
|
18 |
|
|
19 |
node Sofar ( X : bool ) returns ( Y : bool ) ; |
|
20 |
let |
|
21 |
Y = X -> (X and (pre Y)) ; |
|
22 |
tel |
|
23 |
|
|
24 |
node Since ( X, Y : bool ) returns ( Z : bool ) ; |
|
25 |
let |
|
26 |
Z = X or (Y and (false -> pre Z)) ; |
|
27 |
tel |
|
28 |
|
|
29 |
|
|
30 |
node SinceIncl ( X, Y : bool ) returns ( Z : bool ) ; |
|
31 |
let |
|
32 |
Z = Y and (X or (false -> pre Z)) ; |
|
33 |
tel |
|
34 |
|
|
35 |
node Increased (N: int) returns (B: bool) ; |
|
36 |
let |
|
37 |
B = true -> N > pre N ; |
|
38 |
tel |
|
39 |
|
|
40 |
node Stable (N: int) returns (B: bool) ; |
|
41 |
let |
|
42 |
B = true -> N = pre N ; |
|
43 |
tel |
|
44 |
|
|
45 |
------------------------------- |
|
46 |
-- Stopwatch high-level spec -- |
|
47 |
------------------------------- |
|
48 |
|
|
49 |
-- integrated in the node |
|
50 |
|
|
51 |
------------------------------ |
|
52 |
-- Stopwatch low-level spec -- |
|
53 |
------------------------------ |
|
54 |
|
|
55 |
node stopwatch ( toggle, reset : bool ) returns ( count : int ); |
|
56 |
(*@ |
|
57 |
-- the watch is activated initially if the toggle button is pressed |
|
58 |
-- afterwards, it is activated iff |
|
59 |
-- it was activated before and the toggle button is unpressed or |
|
60 |
-- it was not activated before and the toggle button is pressed |
|
61 |
var on: bool = toggle -> (pre on and not toggle) |
|
62 |
or (not pre on and toggle) ; |
|
63 |
|
|
64 |
-- we can assume that the two buttons are never pressed together |
|
65 |
assume not (toggle and reset) ; |
|
66 |
|
|
67 |
-- the elapsed time starts at 1 or 0 depending |
|
68 |
-- on whether the watch is activated or not |
|
69 |
guarantee (on => time = 1) -> true ; |
|
70 |
guarantee (not on => time = 0) -> true ; |
|
71 |
-- the elapsed time is always non-negative |
|
72 |
guarantee time >= 0 ; |
|
73 |
|
|
74 |
-- if there is no reset now and there was an even number of counts since the last reset |
|
75 |
-- then the current elapsed time is the same as the previous one |
|
76 |
guarantee not reset and Since(reset, Even(Count(toggle))) |
|
77 |
=> Stable(time) ; |
|
78 |
-- if there is no reset now and there was an odd number of counts since the last reset |
|
79 |
-- then the current elapsed time is greater than previous one |
|
80 |
guarantee not reset and Since(reset, not Even(Count(toggle))) |
|
81 |
=> Increased(time) ; |
|
82 |
|
|
83 |
|
|
84 |
-- guarantee true -> not Even(Count(toggle)) and Count(reset) = 0 => time > pre time ; |
|
85 |
|
|
86 |
|
|
87 |
-- the watch is in resetting mode if the reset button is pressed |
|
88 |
-- while in that mode, the elapsed time is 0 |
|
89 |
mode resetting ( |
|
90 |
require reset ; |
|
91 |
ensure time = 0 ; |
|
92 |
) ; |
|
93 |
|
|
94 |
-- the watch is in running mode if is activated and |
|
95 |
-- the reset button is unpressed. |
|
96 |
-- while in that mode, the elapsed time increases by 1 |
|
97 |
mode running ( |
|
98 |
require on ; |
|
99 |
require not reset ; |
|
100 |
ensure true -> time = pre time + 1 ; |
|
101 |
) ; |
|
102 |
|
|
103 |
-- the watch is in stopped mode if is not activated and |
|
104 |
-- the reset button is unpressed |
|
105 |
-- while in that mode, the elapsed time remains the same |
|
106 |
mode stopped ( |
|
107 |
require not reset ; |
|
108 |
require not on ; |
|
109 |
ensure true -> time = pre time ; |
|
110 |
) ; |
|
111 |
|
|
112 |
|
|
113 |
|
|
114 |
*) |
|
115 |
var running : bool; |
|
116 |
let |
|
117 |
running = (false -> pre running) <> toggle ; |
|
118 |
count = |
|
119 |
if reset then 0 |
|
120 |
else if running then 1 -> pre count + 1 |
|
121 |
else 0 -> pre count ; |
|
122 |
tel |
|
123 |
|
|
124 |
|
|
125 |
|
|
126 |
|
|
127 |
|
Also available in: Unified diff
Cocospec files