INTRODUCTION Abstractions
are widely used to reduce the state space of complex/parameterized/large systems for the verification purpose. Abstractions are often constructed in such a way that we can transfer positive verification results to the concrete model but not the negative ones, i.e. they are mostly used to check satisfaction rather than falsification of a property. Counterexamples found on the abstract system could have no counterpart in the concrete system. We further refer to this kind of counterexamples as false negatives.
In this paper we consider false negatives in the context of data abstractions, i.e. abstractions that substitute actual data values by abstract ones and operations on concrete data by operations on abstract data, depending on the property being verified. We use the timer abstraction from [9] as an illustrating example in this paper. This abstraction leaves all values of a discrete timer below k unchanged and maps all other values to the abstract value k + . Note that the deterministic time progress operation tick (decreasing the values of active timers by one), becomes nondeterministic on the abstract model (see Fig. 1 ).
Suppose we use this timer abstraction to verify an LTL property mentioning actions a and b and obtain the trace a.set(k + ).tick 3 .b.a.set(k + ).tick 2 .d) as a counterexample for the abstract system. Not that the data abstraction influences the number of ticks the system may take. In case the number of consecutive ticks stays the same along any trace of the concrete system, the abstract trace cannot be reproduced on the concrete system and is thus a false negative.
Although the obtained counterexample is a false negative, it may still contain a clue for finding a concrete counterexample, e.g. in case the trace a.set (k) .tick k .b. (a.set(k).tick k .d) is possible in the original system for some k. We can relax the found abstract counterexample by using the information that the operations on timers are influenced by the timer abstraction and check whether the concrete system contains a trace matching the pattern a.any .b.(a.any .d) , where any represents any action on timers. Note that any such a trace would violate our property of interest. The pattern is more restrictive than the negation of the property, and moreover, it contains a cyclic part. Therefore, finding a trace of the concrete system satisfying the pattern is "easier" than a finding a trace of the concrete system violating the property when the enumerative model checking is concerned. In this paper, we propose a framework that supports the bug hunting process described in the above example. Given an abstract counterexample (which is possibly a false negative) we relax actions influenced by the data abstraction and construct a violation pattern that represents a a set of traces violating the property and "similar" to the counterexample.
To check whether there is any concrete trace matching the violation pattern, we transform the violation pattern and the specification of the concrete system into a constraint program. Further a constraint solver is used to find a concrete trace matching the violation pattern, if such a trace exists. We tried out our approach by applying it for debugging µCRL specifications [1] . We use Eclipse Prolog [4] to implement constraint solving. Our first experiments showed that our framework can be successfully used for counter abstractions.
Related work First, we compare our method with the more traditional CEGAR approach (CounterexampleGuided Abstraction Refinement) [5, 17] . In both methods, abstractions preserve properties in one direction only: if the abstract system satisfies the property, so does the concrete system; a counterexample may however be a real one or a false negative (spurious). In the CEGAR method, a spurious counterexample is used to iteratively refine the abstraction; subsequently the model checking algorithm is called on the refined abstraction. Our method is to generalize the spurious counterexample, hoping to directly find some violation in the concrete specification, similar to the original spurious counterexample.
Note that in principle both methods can be combined: given a (possibly spurious) counterexample, one could search for a concrete violation using our method. If this is found, the CEGAR loop can be terminated early. If a concrete counterexample is not found, one can proceed to refine the abstraction, as in the CEGAR approach and iterate the verification process.
In [22] , the authors address the problem of automating the analysis of counterexamples that have been produced when model checking the abstract model in order to determine whether they represent real system defects. They propose two techniques for this purpose: model checking on choose-free paths and abstract counterexample guided concrete simulation. In [21] , an approach based on test generation is proposed for searching concrete instances of abstract counterexamples. The approach addresses only counterexamples for safety properties, i.e. works only for finite counterexamples. Unlike these approaches, we look for a concrete trace matching not a counterexample itself but a driven by it violation pattern.
Works orthogonal to our work are [15] and [23] , where the authors propose model checking methods that rely on a refinement of an under-approximation of the system behaviour. These methods are aimed at the falsification of the desired property, and apply a refinement when a counterexample is not found. We aim at proving the property and try to find a concrete counterexample when we do not succeed to prove it.
The rest of the paper is organized as follows. We introduce some basic notions in Section 2 and data abstractions in Section 3. In Section 4, we present our framework . In Section 5 we describe our approach to finding concrete traces matching the violation pattern and discuss some experimental results. Finally, in Section 6 we summarise our contribution and discuss directions for further research.
PRELIMINARIES
Our operational model is based on synchronously communicating processes with top-level concurrency. This is a simplification of a model used in [24] . A specification Spec is given as the parallel composition Π n i=1 P i of a finite number of processes. A process definition P is given by a four-tuple (Var, Loc, σ 0 , →), where Var denotes a finite set of variables, and Loc denotes a finite set of locations, or control states. A mapping of variables to values is called a valuation; we denote the set of valuations by Val = {η | η : Var → D}. We assume standard data domains such as N, Bool, etc. We write D when leaving the data-domain unspecified and silently assume all expressions to be well-typed. Let Σ = Loc × Val be the set of states, where a process has one designated 3. Safe Data Abstractions 3 initial state σ 0 = (l 0 , η 0 ) ∈ Σ. The set →⊆ Loc × Act × Loc denotes the set of edges. An edge describes changes of configurations specified by an action from a set Act.
As actions, we distinguish (1) input of a signal s containing a value to be assigned to a local variable, (2) output of a signal s together with a value described by an expression, and (3) internal events. Every action is guarded by a boolean expression g, its guard. The three classes of actions are written as g ?s(x), g !s(e), and g a, x := e, respectively, and we use α, α . . . when leaving the class of actions unspecified. For an edge (l, α,l) ∈→, we write more suggestively l → αl .
Before we define the semantics, we introduce the notions of labeled transition system and of trace.
Definition 1 (LTS).
A labeled transition system (LTS) is a tuple M = (Σ, Act, → , σ init ) where Σ = / 0 is a set of states, Act is a set of labels (actions), →⊆ Σ × Act × Σ is a transition relation, σ init ∈ Σ is the initial state.
Definition 2 (Trace).
A trace β of M is a mapping β : N −→ Act, where N = {1, 2, . . . , n} or N = N, for which there exists a mapping β σ :
If N = N, trace β is called an infinite trace; otherwise, it is a finite trace. The length |β| of β is defined as |N|.
In the further text, we refer to the set of traces of M as
The step semantics is given by an LTS M = (Σ, Lab, → λ , σ 0 ), where → λ ⊆ Σ × Lab × Σ is given as a labelled transition relation between states. The labels differentiate internal event steps and communication steps, either input or output, which are labelled by a signal and a value being transmitted, i.e. ?s(v) or !s(v), respectively.
Receiving a signal s with a communication parameter x, l → g ?s(x)l ∈→, results in updating the valuation η [x → v] according to the parameter of the signal and changing current location tol. Output, l → g !s(e)l ∈→, is guarded, so sending a message involves evaluating the guard and the expression according to the current valuation. It leads to the change of the location of the process from l tol.
Assignments, l → g a,x:=el ∈→, result in the change of a location and the update of the valuation η [x → v] , where [[e] ] η = v. Assignment transitions are labelled by the corresponding event label a.
Although we are working with specifications containing only one process definition, it does not limit our approach. Existing linearization techniques [14] allow to obtain a single process definition for a parallel composition of a finite number of process definitions by eliminating communication and parallel composition.
3. SAFE DATA ABSTRACTIONS Abstraction techniques are widely used to make the verification of complex/parameterised/infinite systems feasible. The main requirement for an abstraction is that the abstract system behavior should correctly reflect the behavior of the concrete system with respect to a verification task in the sense that (1) an abstraction should capture all essential points in the system behavior, i.e., be not "too abstract", and (2) an abstraction should be safe, which means that every property checked to be true on the abstract model, holds for the concrete one as well. This allows the transfer of positive verification results from the abstract model to the concrete one.
The concept of safe abstraction is well-developed within the Abstract Interpretation framework [7, 8, 10, 18] . Working within this framework guarantees the preservation (in the direction from the abstract to the concrete model) of the truth of formulas of temporal logics without existential quantification over paths, e.g. 2L + µ (i.e., all formulas of the µ-calculus without negation and containing only the 2 operator) or next-free LTL. Since the negative verification results are usually not preserved, counterexamples can be false negatives.
In practice, a data abstraction is usually applied directly on a system specification rather than on its semantics model. The requirement that Abstract Interpretation imposes on the relation between the concrete model and its safe abstraction can be formalized as a requirement on the relation between the data and the operations of the concrete system and their abstract counterparts as follows: Each value of the concrete domain Σ is mapped by a description function ρ d : Σ −→ α Σ to a value from the abstract domain α Σ. The abstract value "describes" the concrete value. We assume an ordering on the abstract domain α Σ according to the "precision" of abstract values: given a concrete value x and its abstract description x α = ρ d (x), we say that any y α ∈ α Σ such that x α y α is a less precise description of x.
For every operation (function) f on the concrete data domain, an abstract function f α is defined, which "mimics" f . (For simplicity, we assume f to be a unary operation.) In general, the abstraction can be nondeterministic. This is formally captured by letting f α be a function into the powerset over the domain of abstract values. The requirement of mimicking is then formally phrased with the following safety statement:
A Timer Abstraction We use a timer abstraction as an illustrative example. The timer abstraction has been proposed in [3, 9] . The concept of timers is often used to specify time constraints imposed on a system or on a system environment. We use this concept in the context of discrete time where time is modelled as a digital logical clock and time progress is modelled by an action tick having the least priority in the system [2] . A timer can be either active or deactivated. An active timer keeps a value left until an expiration of the timer. An active timer with the value 0 expires. We model expiration of a timer t by a boolean guard g t checking whether the value of the timer is 0. Time progression decreases values of active timers.
For a timer t, the concrete domain of timer values Σ = N ∪ {−1}, where −1 represents a deactivated timer, is replaced with the abstract domain α Σ t = {−1, 0, . . . , k t − 1, k + t }, where the value k t is a positive value defined by the user, assuming that the property we want to verify still holds even if we do not distinguish between the values of the timer greater than or equal to k t . We overload the notation by using c (−1 ≤ c < k t ) as an abstract value representing the single concrete value c, while c + describes the set of concrete values {c, c + 1, c + 2, . . .}. We do not consider 0 + abstraction here.
The description function ρ t is defined as ρ t (c) = c if c < k t and ρ t (c) = k + t otherwise. Abstract operations on timers are defined in an intuitive way: setting a timer to value x becomes setting it to value ρ t (x); the timeout guard g α t is true iff [[t]] = 0; and tick α is a nondeterministic operation that changes the value of a timer from a to b according to the following rules: (1) 
It is straightforward to show that the timer abstraction is safe. Applied to a concrete system it yields the safe abstract system [16] .
BUG-HUNTING WITH FALSE NEGATIVES
Here we provide an overview of our framework for bug hunting with false negatives. The bug hunting process comprises the following steps.
1. Specify a requirement as a formula φ of action-based next-free LTL [11] .
2. Choose and apply a data abstraction to the specification of the concrete system and to the property.
3. Check whether the abstract system satisfies the abstract property.
If the abstract system satisfies the property, so does the concrete system and the verification process stops. Otherwise, proceed with step 4.
4. Generate a violation pattern that specifies a set of traces "similar" to the counterexample and violating the property.
5. Check whether one of the traces of the concrete system matches the violation pattern.
Since steps 1-3 of the framework can be handled by existing data abstraction and model checking techniques, our contribution concerns steps 4-5 of the framework only.
Constructing a violation pattern
A counterexample that we obtain in case the property is violated on our abstract model is an infinite trace of the form β p β w s where β p is a finite prefix and β ω s is a cyclic suffix with a finite cycle base β s . For safety properties (claiming that "something bad" does not happen), the cycle base will be empty, while for liveness properties (stating that "something good" eventually happens) it is not empty.
Although β could have no counterpart in the concrete system, it may contain a clue about a counterexample present in the concrete system. Therefore we transform a counterexample β into a violation pattern V . We consider here both finite and infinite counterexamples.
A violation pattern is an LTS that accepts all traces leading to the distinguished state Accept that has no successor states. The violation pattern accepts only traces which are "similar" to the counterexample and First we will illustrate the idea of "similarity" on a simple example and then generalize it. Assume that we model checked the property 2(a −→ 3b) and obtained the following abstract counterexample (see Fig. 2 
To guarantee that the property is violated by any trace accepted by the pattern, we keep at least actions a and b mentioned in the property as they are (see Fig. 3 ). Since we are searching for "similar" traces with an infinite cyclic suffix, we also need to keep information about at least one state of the cycle. Moreover, we specify when the search for a concrete counterexample can stop by providing a transition to the acceptance state. Here we do it by keeping the last action d of the suffix base (see Fig. 3 ). The actions tick and set(k + ) are not mentioned in the property and are definitely influenced by the timer abstraction. Therefore we "relax" these actions, meaning, we allow these actions to occur an arbitrary number of times in an arbitrary order (see states 1 and 3 of the violation pattern in Fig. 3 ).
We refer to the set of actions that do not want to relax as Act keep . This set includes at least all the actions mentioned in the property. In the violation pattern, we distinguish a set of cyclic states that correspond to the states in the cyclic suffix. The last action of a finite counterexample leads to the accept state in the violation pattern. For an infinite counterexample, the last action of the cyclic base leads to the accept state.
Intuitively, we would like to relax only the actions influenced by the data abstraction (not necessarily all of them). These actions can be found by applying static analysis techniques. The more actions we keep, the faster we can check whether there is a concrete trace matching the pattern. By keeping too much, we may however end up with a violation pattern that specifies the traces having no counterparts in the concrete system. Given a counterexample β = β p β w s and a set Act keep of actions to keep, Algorithm 4 constructs the violation pattern V . The algorithm starts with creating the initial state 0 of V and goes through β p β s . When the algorithm encounters an action to relax, it adds a self-loop transition labelled by this action to the current state of V . When it encounters an action to keep or reaches the end of the trace, it adds a transition from the current state to the 
Looking for a concrete counterexample
After we have constructed the violation pattern V , we check whether there is a concrete counterexample
] atrace . For finite counterexamples (ρ s is empty) in non-parameterised finite systems one can build a synchronous product of V and the concrete system and check whether the Accept state is reachable. For infinite counterexamples we additionally need to check that some state of ρ σ corresponding to the Accept state coincides with a state of ρ σ corresponding to C. We employ constraint solving [20] for finding a concrete counterexample, which allows us to check this additional condition for infinite traces, and also allows us to do it for infinite and parameterised systems.
To find a concrete trace matching the violation pattern V , we transform the specification of the concrete system and the violation pattern into a constraint program and formulate a query to find such a trace. Note that for a concrete system with an infinite state space, it is possible that the constraint solver will not terminate. Moreover, it is possible that the only traces that match the violation pattern are "spiral" traces, not "cycling" traces (i.e. we do have a loop with respect to actions, but some variable is e.g. infinitely growing) and we will not be able to find them. This limitation applies however to all known to us methods for identifying counterexamples.
The transformation of the specification of the concrete system into a rule system R S Spec is defined in Table 1 .
Each edge of the specification Spec is mapped into a rule A : −g. In the rule, g is a guard and A is a user defined constraint of the form name (state(l, Var), state(l, Var ) , param(Z)). The first parameter state of the user defined constraint describes the source states corresponding to the edge in terms of control locations of a process and valuations of process variables. The second parameter state describes the destination states in terms of control locations of a process and valuations of process variables. The third parameter param() contains parameters representing input and output values. The constraint is satisfied iff the guard guard is satisfied.
In ROUTPUT, the name of the constraint coincides with the signal s. Note that the values of the process variables Var remain unmodified and the output value is represented by the parameter Y whose value is given by the expression e. In RINPUT, the input leads to the substitution of the value of process variable x by the Table 1 : From specification Spec to rule system R S Spec value of the input parameter Y . In RASSIGN, an assignment is represented by substituting the value of the process variable x by the valuation of the expression e. Event-rules have no local parameters, which is denoted by the underscore (don't-care) here.
The transformation of the edges of the violation pattern V = (Σ, Act, T, σ 0 , C, F) into the rules of the rule system R S V is defined in Table 2 . Note that we provide the transformation for input and output steps only. The transformation for the event steps is a straightforward simplification of the transformation for input and output steps. Intuitively, given a step of the violation pattern, a rule of R S V checks whether the concrete system may make this step. The rules also take into account the information about cyclic states and the data abstraction. Rules 1-4 of Table 2 transform the steps of the violation patterns into the rules of the form:
is a user defined constraint of the form σ(state( X), O) specifying a pair of the source state state( X) of the concrete system ( X stands for (l, Var)) and the source state O of the violation pattern. B keeps the concrete states that are possible on a cycle in the setC.
A is a user constraint of the form a(state( X), state( X ), param(Y )) as defined above. It represents a step on which the concrete system and the violation pattern can potentially synchronize.
B is a user defined constraint that represents pairs of a destination state of the concrete system and a destination state of the violation pattern that can be reached by the step specified by A. The guard g d checks whether the data parameter of the concrete action is a concretization of the data parameter of the abstract action. For the cyclic states, the guard g c also checks whether the destination state of the concrete system has been visited already, i.e. whether it is in the setC.
Rule 1 of Table 2 transforms input/output steps of the violation pattern whose destination state σ is not the beginning of the cycle base and not the acceptance state. Therefore, we omit the cyclic guard g c . The step specified by the s(state( X), state( X ), param(Y )) constraint leads to the change of the state to σ in the violation Figure 5 : PARComponents pattern and to the state state( X ) in the concrete system. That is captured by the constraintσ(state( X ),C) in the rule. The rule is satisfied only if both the violation pattern and the concrete system can make the specified input/output step and the action labelling the step of the concrete system satisfies the constraint Y ∈ γ(v). Rule 2 of Table 2 is applicable to the steps of the violation pattern built for a finite counterexample which lead to the acceptance state.
Rule 3 of Table 2 transforms the steps of the violation pattern leading the state which corresponds to the beginning of the cycle in case it does not coincide with the acceptance state. Sinceσ is the cyclic state, the pair of the state of the violation pattern and the state of the concrete system is potentially cyclic. By adding the constraintσ(state( X ), [state( X ) | C]), we add the concrete state state( X ) satisfying the rule to the setC of states which are potentially cyclic.
Rule 4 of Table 2 transforms the step leading to the accept state of the violation pattern. In this case, we check whether the destination state state( X ) of the concrete system has already been encountered before, i.e. we check whether it is in setC of potentially cyclic states.
The rule system R S V together with the rule system R S Spec form the constraint program. In order to check whether we can find a concrete counterexample matching the violation pattern, we transform the pair of the initial state of the violation pattern and the initial state of the concrete system into the query σ init (state( X init )) and ask a constraint solver whether it has a solution in the constraint program formed by R S Spec and R S v .
If yes, it provides us a counterexample. Otherwise, we cannot give a conclusive answer and have to use e.g. abstraction refinement techniques to find out whether the property holds on the concrete system or not.
PAR
To check the applicability of our framework we performed a number of verification experiments with µCRL specifications. µCRL (micro Common Representation Language) is a specification language which is essentially an extension of the process algebra ACP with abstract data types and recursive definitions. The µCRL toolset provides tool support for analysis, abstraction, optimization and state space generation for µCRL specifications (see [13] for details about the language and [1] for details about the toolset). We use Eclipse Prolog [4] for constraint solving.
In this section we selected the positive acknowledgment retransmission protocol (PAR) [25] to illustrate the motivation for our work and our approach. The usual scenario for PAR includes a sender, a receiver, a message channel and an acknowledgment channel (see Fig.5 ). The channels delay the delivery of messages. Moreover, they can lose or corrupt messages. The sender receives a message from the upper layer, sends it to the receiver via the message channel, and waits for an acknowledgment from the receiver via the acknowledgment channel.
When the receiver has delivered the message to the upper layer it sends an acknowledgment to the sender. After the acknowledgment is received, the sender becomes ready to send a subsequent message. The receiver needs some time to deliver the received message to an upper layer. The sender handles lost messages by timing out. If the sender times out, it re-sends the message. The protocol works correctly iff the timer setting of the sender is larger than the sum of delays on communication channels. Fig. 6 illustrates the idea of a well-known erroneous scenario for PAR. The sender times out while the acknowledgment is still on the way. The sender sends a duplicate, then receives the acknowledgment and believes that this is the acknowledgment for the duplicate. The sender sends the next message, which gets lost. However, the sender receives the acknowledgment for the duplicate, which it believes to be the acknowledgment for the last message. Thus the sender does not retransmit the lost message and the protocol fails. To avoid this erroneous behavior, the timeout interval must be long enough to prevent a premature timeout, which means that the timeout interval should be larger than the sum of delays on the message channel, the acknowledgment channel and the receiver [25] .
In order to perform the verification, we specified PAR in µCRL (see App. A and [2] for timed verification with µCRL). Model checkers usually cannot handle open systems. Therefore we also have specified an environment for PAR. In the environment, we differentiate only two messages msg1 and msg2, the rest is mapped to msg3. This environment is sufficient in order to check that no message loss, no duplicated delivery happens and that the messages are delivered in the same order as they are sent. The environment consists of two processes: one represents the upper layer for the sender and the other models the upper layer of the receiver. The behavior of the environment is illustrated in Fig 7. The process representing the upper layer of the sender sends an arbitrary number of msg3 to the sender, followed by sending msg1. Then it proceeds with sending an arbitrary number of msg3 followed by sending msg2 and finally sends an arbitrary number of msg3 again. The process representing the upper layer for the receiver receives the messages in the same fashion.
We tried to verify that for any setting of the sender timer exceeding some value k, all messages sent by the upper layer to the sender are eventually received by the upper layer from the receiver. To prove that the property holds for any setting of the sender timer exceeding k, we applied the timer abstraction described in Section 3 to the sender timer (see App. B for the abstract PAR specification). The property was not satisfied on the abstract system (since the k we took was less than the sum of the channel delays) and we obtained a counterexample (see App. C for the counterexample). The abstract counterexample was not reproducible on the concrete system, since the number of tick steps from a setting of the sender timer till its expiration varied along the trace due to the use of the abstraction.
We have transformed the abstract counterexample into the violation pattern (Fig. 8) , where A = {msg out(msg1, F), tick, mdelay, msg in(msg1, F), vfvs} B = {ack out, tick, adelay, retransmit, msg out(msg1, F), ack in} C = { mchbusy, tick, mdelay, msg in(msg1, F), msg out(msg2, T), vfws, ack out, adelay, ack in} D = {mlose, msg out(msg3, F), tick, mdelay, msg in(msg3, F), vfws, ack out, adelay} E = {msg out(msg3, T), tick, mdelay, msg in(msg3, T), vfvs} F = {ack out, tick, adelay, ack in} G = {msg out(msg3, F), tick, mdelay, msg in(msg3, F), vfvs} H = {ack out, tick, adelay}
The violation pattern basically says that after losing message msg2, the receiver will reject delivery of message msg3. Further the system gets into the loop where again and again message msg3 is delivered first with the sequence bit T and then with the sequence bit F. Thus, the message msg2 has never been delivered. In Fig. 8 , this loop is entered in state 5 of the violation pattern.
We transform the violation pattern and the concrete specification of the system into resp. rule systems R S V (see App. D) and R S Spec (see App. E). With the Eclipse Prolog constraint solver, we obtain a solution for the query asking whether there any of the traces of the violation pattern has a concrete counterpart in the concrete system. The solution is indeed the counterexample for the property we have tried to verify (see App. F).
CONCLUSION
We proposed a novel framework for interpreting negative verification results obtained with the help of data abstractions. Existing approaches to handling abstract counterexamples try to find an exact counterpart of the counterexample (e.g. [22] ). When no concrete counterpart can be found, the data abstraction is considered to be not fine enough and an abstraction refinement is applied (e.g. [5] ).
In our framework we look for the useful information in false negatives. Given a specification of a system and a system property (formulated as an LTL-X formula), we first chose and apply a data abstraction to both of them and then verify the abstract property on the abstract system. If the verification results in a violation of the abstract property and the obtained counterexample has no counterpart in the concrete system, we transform the counterexample into a violation pattern, which is further used to guide the search for concrete counterexamples.
The framework allows to handle not only counterexamples obtained when verifying safety properties but also for liveness properties. Moreover, it can be applied for searching concrete counterexamples in parameterized and infinite state systems. Success is not always guaranteed -the violation pattern can be too strict, concrete counterexamples can have a "spiral" form, or there could be no counterexample at all since the property just holds on the concrete system. Still, our approach can help in finding counterexamples in those cases when a data abstraction influences the order and the number of some actions, e.g. as counter abstractions do.
The approach to generate a violation pattern leaves a certain freedom in the sense that the set of actions to relax can be more/less restrictive. Tuning the violation pattern or using the expertise of system developers to pick an appropriate set of actions to relax can be potentially less costly than repeating the abstraction/refinement cycle immediately. More case studies comparing both approaches and trying combinations are still needed. Nat -> Nat % 2n+1 50 map eq : Nat # Nat -> Bool succ: Nat -> Nat % n+1 pred: Nat -> Nat % n-1 (partial)
Bool# Nat # Nat -> Nat var n ,m: Nat b: Bool rew 60 gt (n ,n)=F gt (0 ,n)=F gt (S(n) ,0)=T gt(S(n),S(m))=gt (n ,m) eq (n ,n)=T eq (S(n) ,0)=F eq (0 ,S(n))=F 65 eq (S(n),S(m))=eq (n ,m)
if ( in ( msg1). Env1 (T ,F) <| and (eq (had1 ,F),eq( had2 ,F))|> delta + in ( msg2). Env1 (T ,T) <| and (eq (had1 ,T),eq( had2 ,F))|> delta + in ( msg3). Env1 (had1 , had2 ) 245 proc Env2( had1:Bool , had2: Bool) = out ( msg1). Env2(T ,F) <| and ( eq( had1 ,F) ,eq( had2 ,F))|> delta + out ( msg2). Env2(T ,T) <| and ( eq( had1 ,T) ,eq( had2 ,F))|> delta 2 ,3 ,4 ,5 ,6 ,7 ,8 ,9 ,10 ,11 ,12 ,13 ,14 , 55 15 ,16 ,17 ,18 ,19 ,20 ,21 ,22 ,23 ,24 ,25 , 26 ,27 ,28 ,29 ,30 ,31 ,32 ,33 ,34 ,35 ,36 , 37 ,38 : -> Nat % useful abbreviations x2p0: Nat -> Nat % 2n 60 succ: Nat -> Nat % n+1 pred: Nat -> Nat % n-1 (partial) gt :
Nat # Nat -> Bool % greater than if :
Bool# Nat # Nat -> Nat var 65 n ,m: Nat b: Bool rew gt (n ,n)=F gt (0 ,n)=F gt ( x2p1(n) ,0)=T gt( x2p2 (n) ,0)=T
8= x2p2 (3) 9= x2p1 (4) 10= x2p2 (4)
90
11= x2p1 (5) 12= x2p2 (5) 13= x2p1 (6) 14= x2p2 (6) 15= x2p1 (7) 16= x2p2 (7) 17= x2p1 (8) 18= x2p2 (8) 19= x2p1 (9) 20= x2p2 (9) 29= x2p1 (14) 30= x2p2 (14) 95 21= x2p1 (10) 22= x2p2 (10) 31= x2p1 (15) 32= x2p2 (15) 23= x2p1 (11) 24= x2p2 (11) 33= x2p1 (16) 34= x2p2 (16) 25= x2p1 (12) 26= x2p2 (12) 35= x2p1 (17) 36= x2p2 (17) 27= x2p1 (13) 28= x2p2 (13) 37= x2p1 (18) 38= x2p2 (18) 100 (1) 310 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% process environment %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% proc Env1( had1:Bool , had2: Bool) = in ( msg1). Env1(T ,F) <| and ( eq( had1 ,F) ,eq( had2 ,F))|> delta 315 + in ( msg2). Env1(T ,T) <| and ( eq( had1 ,T) ,eq( had2 ,F))|> delta + in ( msg3). Env1( had1 , had2) proc Env2( had1:Bool , had2: Bool) = out ( msg1). Env2(T,F) <| and ( eq( had1 ,F) ,eq ( had2 ,F))|> delta 320 + out ( msg2). Env2(T,T) <| and ( eq( had1 ,T) ,eq ( had2 ,F))|> delta + out ( msg3). Env2( had1 , had2) init( encap ({ _in , in , out , _out}, 325 rename ({ _tick -> tick}, encap ({ tick , msg_out_ch , msg_in_rcv , ack_out_ch , ack_in_snd}, rename ({ _tick -> tick}, encap ({ tick , msg_in_ch , msg_out_snd , mchbusy , _mchbusy}, Sender_Rh( known ( on (0) 
:-lib ( ic ). :-lib ( ic_symbolic ).
% The constraints determined from mCRL spec and ATC. eq( bool( V0) ,bool( V1)) :-V0= V1. eq( bool(t) ,bool ( not bool(f))). % Let's try with these four... eq( bool( not bool(f)) ,bool (t)). eq( bool(f) ,bool ( not bool(t))). 20 eq( bool( not bool(t)) ,bool (f)). eq( msg ( V0) , msg (V1 )) :-V0= V1. eq( nat ( V1) ,nat (V2 )):-V1 #= V2 . eq( state (V0 ), state ( V0)) :-bool(t). 25 eq( state ( one ) , state ( x2p1 ( state (V0 )))) :-bool(f).
eq( state ( one ) , state ( x2p0 ( state (V0 )))) :-bool(f). eq( state ( x2p1( state ( V0))) , state ( one )) :-bool(f). eq( state ( x2p0( state ( V0))) , state ( one )) :-bool(f). eq( state ( x2p1( state ( V0))) , state ( x2p0( state ( V1)))) :-bool(f). 30 eq( state ( x2p0( state ( V0))) , state ( x2p1( state ( V1)))) :-bool(f).
eq( state ( x2p0( state ( V0))) , state ( x2p0( state ( V1)))) :-bool( eq( state (V0 ) , state ( V1 ))). eq( state ( x2p1( state ( V0))) , state ( x2p1( state ( V1)))) :-bool( eq( state (V0 ) , state ( V1 ))). expire ( timer ( VInt0 )) :-VInt0 =off , f. expire ( timer ( VInt0 )) :-VInt0 = on( nat (0) ). 60 in( global ( state ( Vs0 ) , timer ( Vsc ) ,timer ( Vt) ,msg ( Vmsg) ,bool( Vsn ) ,state ( Vs1 ) ,timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( V3) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) ,state ( Vs3 ) ,timer ( Varc) ,bool( V4 ), bool(V5 ) ,bool( Vhad10 ) ,bool( Vhad20 )) ,local ( msg ( V6))) :-V6= msg2 , V5 =t , V4 =t, V3= msg2 , V2=off , V1=off , V0 = x2p1( state ( one )) , bool ( and ( bool ( and ( bool( eq( state ( Vs0 ) , state ( x2p0 ( state ( x2p0( state ( one ))))))) ,bool ( expire ( timer ( Vsc ))))) ,bool ( and ( bool (eq ( bool( Vhad1 ) , bool(t))), bool(eq ( bool( Vhad2 ), bool(f))))))) . in( global ( state ( Vs0 ) , timer ( Vsc ) ,timer ( Vt) ,msg ( Vmsg) ,bool( Vsn ) ,state ( Vs1 ) ,timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( V3) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) ,state ( Vs3 ) ,timer ( Varc) ,bool( V4 ), bool(V5 ) ,bool( Vhad10 ) ,bool( Vhad20 )) ,local ( msg ( V6))) :-V6= msg1 , V5 =f , V4 =t, V3= msg1 , V2=off , V1=off , V0 = x2p1( state ( one )) , bool ( and ( bool ( and ( bool( eq( state ( Vs0 ) , state ( x2p0 ( state ( x2p0( state ( one ))))))) ,bool ( expire ( timer ( Vsc ))))) ,bool ( and ( bool (eq ( bool( Vhad1 ) , bool(f))), bool(eq ( bool( Vhad2 ), bool(f))))))) . in( global ( state ( Vs0 ) , timer ( Vsc ) ,timer ( Vt) ,msg ( Vmsg) ,bool( Vsn ) ,state ( Vs1 ) ,timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( V3) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) ,state ( Vs3 ) ,timer ( Varc) ,bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , local ( msg ( V4))) :-V4 =msg3 , V3 = msg3 , V2=off , V1 =off , V0= x2p1( state ( one )), bool ( and ( bool( and ( bool( eq( state ( Vs0 ) , state ( x2p0( state ( x2p0( state ( one ) )))))), bool( expire ( timer ( Vsc ))))) ,bool(t))). out ( global ( state ( Vs0 ) ,timer ( Vsc ) , timer (Vt ),msg ( Vmsg), bool( Vsn ), state ( Vs1 ), timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) , msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state (V0 ) ,bool( V1) ,msg ( V2) ,bool (V3 ), state ( Vs3 ), timer ( Varc) ,bool( Vhad1 ) ,bool ( Vhad2 ), bool( V4) ,bool( V5)) , local ( msg ( Vrm ))) :-V5=t, V4=t , not ( bool ( Vesn) ,bool( V3)) , V2 =msg3 , V1=f, V0=one , bool( and ( bool( eq( msg ( Vrm ) ,msg ( msg2 ))) ,bool ( and ( bool (eq ( state ( Vs2 ) , state ( x2p0( state ( one ))))) ,bool ( and ( bool( eq( bool( Vhad10 ) ,bool(t))) ,bool( eq( bool( Vhad20 ), bool(f))))))))). out ( global ( state ( Vs0 ) ,timer ( Vsc ) , timer (Vt ),msg ( Vmsg), bool( Vsn ), state ( Vs1 ), timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) , msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state (V0 ) ,bool( V1) ,msg ( V2) ,bool (V3 ), state ( Vs3 ), timer ( Varc) ,bool( Vhad1 ) ,bool ( Vhad2 ), bool( V4) ,bool( V5)) , local ( msg ( Vrm ))) :-V5=f, V4=t , not ( bool ( Vesn) ,bool( V3)) , V2 =msg3 , V1=f, V0=one , bool( and ( bool( eq( msg ( Vrm ) ,msg ( msg1 ))) ,bool ( and ( bool (eq ( state ( Vs2 ) , state ( x2p0( state ( one ))))) ,bool ( and ( bool( eq( bool( Vhad10 ) ,bool(f))) ,bool( eq( bool( Vhad20 ), bool(f))))))))). 65 out ( global ( state ( Vs0 ) ,timer ( Vsc ) , timer (Vt ),msg ( Vmsg), bool( Vsn ), state ( Vs1 ), timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) , msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state (V0 ) ,bool( V1) ,msg ( V2) ,bool (V3 ), state ( Vs3 ), timer ( Varc) ,bool( Vhad1 ) ,bool ( Vhad2 ), bool( Vhad10 ) ,bool( Vhad20 )), local ( msg ( Vrm ))) :-not ( bool( Vesn) ,bool( V3)) , V2= msg3 , V1 =f , V0=one , bool( and ( bool( eq( msg ( Vrm ) ,msg ( msg3))) ,bool ( and ( bool( eq( state ( Vs2 ) ,state ( x2p0( state ( one ))))) ,bool (t))))). mchbusy ( global ( state ( Vs0 ) ,timer ( Vsc ) , timer ( Vt ),msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc), msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) , state ( Vs3 ) ,timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ),bool ( Vhad10 ), bool( Vhad20 )) , global ( state ( V0) , timer ( V1) , timer ( V2) ,msg ( Vmsg) ,bool ( Vsn ) , state ( V3) , timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) , msg ( Vrm ) ,bool( Vesn ), state ( Vs3 ) , timer ( Varc) ,bool( Vhad1 ) ,bool( Vhad2 ), bool( Vhad10 ) ,bool( Vhad20 )) ,local ) :-V3 = x2p0( state ( one )), V2= on( nat ( VInt0 )) , VInt0 #=1 , V1 =off , V0=one , bool( and ( bool( or( bool( and ( bool( eq( state ( Vs0 ) , state ( one ))) ,bool ( expire ( timer (Vt ))))), bool( eq( state ( Vs0 ) ,state ( x2p1( state ( one ))))))), bool ( and ( bool( eq( state ( Vs1 ) , state ( x2p0( state ( one ))))) ,bool( not ( bool ( expire ( timer ( Vmrc))))))))). msg_out ( global ( state ( Vs0 ) ,timer ( Vsc ) , timer ( Vt ),msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc), msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) , state ( Vs3 ) ,timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ),bool ( Vhad10 ), bool( Vhad20 )) , global ( state ( V0) , timer ( V1) , timer ( V2) ,msg ( Vmsg) ,bool ( Vsn ) , state ( V3) , timer ( V4) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs2 ) ,bool( Vrsn) ,msg ( Vrm ) ,bool( Vesn) ,state ( Vs3 ), timer ( Varc) ,bool( Vhad1 ) ,bool ( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )), local ( msg ( Vmsg) ,bool( Vsn ))) :-V4= on( nat ( VInt0 )) , VInt0 #=2 , V3= x2p0( state ( one )), V2 =off , V1 =on ( nat ( VInt1 )), VInt1 #=4 , V0= x2p0 ( state ( one )) , bool ( and ( bool( or ( bool( and ( bool( eq( state ( Vs0 ) , state ( one ))), bool( expire ( timer ( Vt))))) ,bool( eq( state ( Vs0 ) , state ( x2p1 ( state ( one ))))))), bool( eq( state ( Vs1 ) ,state ( x2p1( state ( one ))))))). mlose ( global ( state ( Vs0 ) , timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool( Vsn ) , state ( Vs1 ) ,timer ( Vmrc) ,msg ( Vmsg0 ) ,bool( Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) ,state ( Vs3 ), timer ( Varc) ,bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) , msg ( Vmsg ), bool( Vsn ), state (V0 ), timer (V1 ),msg ( V2) ,bool (V3 ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) ,state ( Vs3 ) ,timer ( Varc) ,bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , local ) :-V3=f , V2= msg3 , V1 =off , V0= x2p1( state ( one )), bool( eq ( state ( Vs1 ), state ( one ))). mdelay ( global ( state ( Vs0 ) , timer ( Vsc ) ,timer (Vt ) ,msg ( Vmsg) ,bool( Vsn ) ,state ( Vs1 ), timer ( Vmrc) , msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) , state ( Vs3 ) ,timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ),bool ( Vhad10 ), bool( Vhad20 )) , global ( state ( Vs0 ) ,timer ( Vsc ) ,timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ), state ( V0 ), timer ( V1 ),msg ( Vmsg0 ) ,bool( Vb ), state ( Vs2 ) ,bool ( Vrsn) , msg ( Vrm ) ,bool( Vesn ), state ( Vs3 ) , timer ( Varc) ,bool( Vhad1 ) ,bool( Vhad2 ), bool( Vhad10 ) ,bool( Vhad20 )) ,local ) :-V1 =off , V0=one , bool( and ( bool( eq ( state ( Vs1 ) , state ( x2p0( state ( one ))) )), bool( expire ( timer ( Vmrc ))))). 70 retransmit( global ( state ( Vs0 ) ,timer ( Vsc ) , timer (Vt ),msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc ) ,msg ( Vmsg0 ), bool( Vb) ,state ( Vs2 ) ,bool( Vrsn ),msg ( Vrm ) ,bool( Vesn ), state ( Vs3 ) , timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ),bool ( Vhad10 ), bool( Vhad20 )) , global ( state ( V0) , timer ( V1) , timer ( V2) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ) ,bool( Vb ), state ( Vs2 ) ,bool ( Vrsn) , msg ( Vrm ) ,bool( Vesn ), state ( Vs3 ) , timer ( Varc) ,bool( Vhad1 ) ,bool( Vhad2 ), bool( Vhad10 ) ,bool( Vhad20 )) ,local ) :-V2 =off , V1=off , V0 = x2p1( state ( one )) , bool ( and ( bool( eq( state ( Vs0 ) , state ( x2p0( state ( one ))))) ,bool( expire ( timer ( Vsc ))))). udelay ( global ( state ( Vs0 ) , timer ( Vsc ) ,timer (Vt ) ,msg ( Vmsg) ,bool( Vsn ) ,state ( Vs1 ), timer ( Vmrc) , msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) , state ( Vs3 ) ,timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ),bool ( Vhad10 ), bool( Vhad20 )) , global ( state ( V0) , timer ( V1) , timer ( V2) ,msg ( V3) ,bool( Vsn ) ,state ( Vs1 ), timer ( Vmrc) ,msg ( Vmsg0 ) ,bool( Vb) , state ( Vs2 ) ,bool( Vrsn ),msg ( Vrm ) ,bool( Vesn ), state ( Vs3 ) , timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ), bool( Vhad10 ), bool( Vhad20 )) ,local ) :-V3 =msg3 , V2 =off , V1= on ( nat ( VInt0 )) , VInt0 #=1 , V0 = x2p0( state ( x2p0( state ( one )))) , bool ( and ( bool (eq ( state ( Vs0 ) ,state ( x2p0( state ( x2p0( state ( one ))))))) ,bool( expire ( timer ( Vsc ))))). ack_out ( global ( state ( Vs0 ) ,timer ( Vsc ) , timer ( Vt ),msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc), msg ( Vmsg0 ) ,bool (Vb ), state ( Vs2 ) ,bool ( Vrsn) ,msg ( Vrm ) ,bool ( Vesn) , state ( Vs3 ) ,timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ),bool ( Vhad10 ), bool( Vhad20 )) , global ( state ( Vs0 ) ,timer ( Vsc ) ,timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ), state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ) ,bool (Vb ), state (V0 ), bool( V1) , msg ( V2) ,bool( Vesn) ,state ( V3) ,timer ( V4) ,bool( Vhad1 ) ,bool ( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )), local ) :-V4= on( nat ( VInt0 )) , VInt0 #=2 , V3 = x2p0( state ( one )) , V2= msg3 , V1 =f , V0= x2p0( state ( x2p0( state ( one )))) , bool ( and ( bool( eq ( state ( Vs2 ) , state ( one ))), bool( eq( state ( Vs3 ) , state ( x2p1( state ( one ))))))). adelay ( global ( state ( Vs0 ) , timer ( Vsc ) (and(bool(eq(state(Vs2), state(x2p1(state( one) )))),bool (eq(bool(Vrsn) ,bool(Vesn))))). %vfws (global(state(Vs0) ,timer (Vsc) (Varc), bool(Vhad1), bool(Vhad2), bool(Vhad10), bool(Vhad20) ),local) V1=f, V0=one, bool(and(bool(eq(state(Vs2), state(x2p1(state(one) )) )),bool (neq(bool(Vrsn) ,bool(Vesn))))). vfvs( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) , msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state (V0 ) ,bool( Vrsn ),msg ( Vrm ) ,bool( Vesn ), state ( Vs3 ) , timer ( Varc) , bool( Vhad1 ) ,bool( Vhad2 ), bool( Vhad10 ), bool( Vhad20 )) ,local ) :-V0 = x2p0( state ( one )) , Vs2 = x2p1( state ( one )) ,Vrsn = Vesn. vfws( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) , msg ( Vmsg ), bool( Vsn ), state ( Vs1 ) , timer ( Vmrc) ,msg ( Vmsg0 ), bool(Vb ) ,state (V0 ) ,bool( V1) ,msg ( V2) ,bool ( Vesn) , state ( Vs3 ) ,timer ( Varc) ,bool ( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool ( Vhad20 ) ) ,local ) :-V2 =msg3 , V1=f, V0=one , Vs2 = x2p1( state ( one )), Vrsn \= Vesn. tick( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( Vmsg) ,bool( Vsn ) ,state ( V3) ,timer ( V4) ,msg ( V5 ), bool(V6 ) ,state (V7 ) ,bool( V8) ,msg (V9 ) ,bool( Vesn) ,state ( V10 ), timer ( V11 ) ,bool ( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , local )
:-pred ( timer ( Varc) , timer ( V11 )), V10 = x2p0( state ( one )) , V9= msg3 , V8 =f, V7= x2p0 ( state ( x2p0( state ( one )))) , V6 =f , V5 =msg3 , V4=off , V3 = x2p1( state ( one )) , V2=off , pred( timer ( Vsc ) , timer ( V1)), V0= x2p0( state ( one )), bool ( and ( bool( and ( bool( and ( bool( eq( state ( Vs0 ) , state ( x2p0( state ( one ))))), bool( not ( bool( expire ( timer ( Vsc ))))))) ,bool ( and ( bool( eq( state ( Vs1 ) , state ( x2p1( state ( one ))))) ,bool( not ( bool( expire ( timer ( Vmrc))))))))), bool ( and ( bool( eq( state ( Vs2 ) , state ( x2p0( state ( x2p0 ( state ( one ))))))), bool ( and ( bool( eq( state ( Vs3 ) , state ( x2p0( state ( one ))))), bool( not ( bool( expire ( timer ( Varc))))))))))). 80 tick( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( Vmsg) ,bool( Vsn ) ,state ( V3) ,timer ( V4) ,msg ( V5 ), bool(V6 ) ,state (V7 ) ,bool( V8) ,msg (V9 ) ,bool( Vesn) ,state ( V10 ), timer ( V11 ) ,bool ( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , local ) :-V11 =off , V10 = x2p1( state ( one )), V9= msg3 , V8=f , V7 = x2p0( state ( x2p0( state ( one )))) , V6= f , V5 =msg3 , V4 =off , V3 = x2p1( state ( one )), V2=off , pred( timer ( Vsc ) , timer ( V1)), V0= x2p0( state ( one )) , bool ( and ( bool( and ( bool ( and ( bool( eq( state ( Vs0 ) ,state ( x2p0( state ( one ))))) , bool( not ( bool( expire ( timer ( Vsc ))))))) ,bool ( and ( bool( eq( state ( Vs1 ) ,state ( x2p1( state ( one ) )))) ,bool( not ( bool ( expire ( timer ( Vmrc))))))))) ,bool ( and ( bool( eq ( state ( Vs2 ) , state ( x2p0( state ( x2p0( state ( one ))))))) ,bool ( and ( bool( eq( state ( Vs3 ) ,state ( x2p1( state ( one ))))) ,bool( not ( bool ( expire ( timer ( Varc))))))))))). tick( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( Vmsg) ,bool( Vsn ) ,state ( V3) ,timer ( V4) ,msg ( Vmsg0 ), bool( Vb) ,state ( V5) ,bool( V6) ,msg ( V7) ,bool ( Vesn ), state ( V8 ), timer (V9 ), bool( Vhad1 ) ,bool( Vhad2 ) ,bool ( Vhad10 ), bool( Vhad20 )) , local ) :-pred( timer ( Varc) , timer (V9 )) , V8= x2p0( state ( one )) , V7 =msg3 , V6=f, V5= x2p0 ( state ( x2p0( state ( one )))) , pred( timer ( Vmrc) , timer (V4 )), V3= x2p0 ( state ( one )) , V2 =off , pred( timer ( Vsc ) , timer (V1 )), V0= x2p0 ( state ( one )) , bool ( and ( bool ( and ( bool( and ( bool( eq( state ( Vs0 ) , state ( x2p0( state ( one ))))) ,bool( not ( bool( expire ( timer ( Vsc ))))))), bool ( and ( bool( eq( state ( Vs1 ) , state ( x2p0 ( state ( one ))))) ,bool ( not ( bool( expire ( timer ( Vmrc ))))))))) ,bool ( and ( bool( eq( state ( Vs2 ) , state ( x2p0( state ( x2p0 ( state ( one ))))))) ,bool ( and ( bool( eq( state ( Vs3 ) , state ( x2p0( state ( one ))))), bool( not ( bool( expire ( timer ( Varc))))))))))). tick( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( Vmsg) ,bool( Vsn ) ,state ( V3) ,timer ( V4) ,msg ( Vmsg0 ), bool( Vb) ,state ( V5) ,bool( V6) ,msg ( V7) ,bool ( Vesn ), state ( V8 ), timer (V9 ), bool( Vhad1 ) ,bool( Vhad2 ) ,bool ( Vhad10 ), bool( Vhad20 )) , local ) :-V9 =off , V8= x2p1( state ( one )), V7= msg3 , V6 =f , V5 = x2p0( state ( x2p0( state ( one )))) , pred( timer ( Vmrc) , timer (V4 )), V3= x2p0 ( state ( one )) , V2 =off , pred( timer ( Vsc ) , timer ( V1 )) , V0 = x2p0( state ( one )), bool ( and ( bool( and ( bool( and ( bool( eq ( state ( Vs0 ) , state ( x2p0( state ( one ))) )), bool( not ( bool( expire ( timer ( Vsc ))))))) ,bool ( and ( bool( eq( state ( Vs1 ) ,state ( x2p0 ( state ( one ))))) ,bool( not ( bool ( expire ( timer ( Vmrc))))))))), bool ( and ( bool( eq( state ( Vs2 ) , state ( x2p0( state ( x2p0 ( state ( one ))))))) ,bool ( and ( bool( eq( state ( Vs3 ) , state ( x2p1( state ( one ))))), bool ( not ( bool( expire ( timer ( Varc) )))))))))). tick( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( Vmsg) ,bool( Vsn ) ,state ( V3) ,timer ( V4) ,msg ( V5 ), bool(V6 ) ,state (V7 ) ,bool( V8) ,msg (V9 ) ,bool( Vesn) ,state ( V10 ), timer ( V11 ) ,bool ( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , local ) :-pred ( timer ( Varc) , timer ( V11 )), V10 = x2p0( state ( one )) , V9= msg3 , V8 =f, V7= x2p0 ( state ( x2p0( state ( one )))) , V6 =f , V5 =msg3 , V4=off , V3 = x2p1( state ( one )) , pred( timer ( Vt) , timer ( V2)) , V1 =off , V0=one , bool( and ( bool ( and ( bool( and ( bool( eq( state ( Vs0 ) , state ( one ))), bool( not ( bool ( expire ( timer ( Vt))))))) ,bool ( and ( bool (eq ( state ( Vs1 ) , state ( x2p1( state ( one ))))) , bool( not ( bool( expire ( timer ( Vmrc))))))))) ,bool ( and ( bool( eq( state ( Vs2 ) ,state ( x2p0 ( state ( x2p0( state ( one ))))))) ,bool ( and ( bool (eq ( state ( Vs3 ) , state ( x2p0( state ( one ))))) ,bool( not ( bool( expire ( timer ( Varc ))))))))))). tick( global ( state ( Vs0 ), timer ( Vsc ) , timer ( Vt) ,msg ( Vmsg) ,bool ( Vsn ) , state ( Vs1 ) , timer ( Vmrc ),msg ( Vmsg0 ), bool(Vb ) ,state ( Vs2 ), bool( Vrsn) ,msg ( Vrm ), bool( Vesn) , state ( Vs3 ) ,timer ( Varc ) , bool( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , global ( state (V0 ) ,timer (V1 ) ,timer ( V2) ,msg ( Vmsg) ,bool( Vsn ) ,state ( V3) ,timer ( V4) ,msg ( V5 ), bool(V6 ) ,state (V7 ) ,bool( V8) ,msg (V9 ) ,bool( Vesn) ,state ( V10 ), timer ( V11 ) ,bool ( Vhad1 ), bool( Vhad2 ) ,bool( Vhad10 ) ,bool( Vhad20 )) , local ) :-V11 =off , V10 = x2p1( state ( one )), V9= msg3 , V8=f , V7 = x2p0( state ( x2p0( state ( one )))) , V6= f , V5 =msg3 , V4 =off , V3 = x2p1( state ( one )), pred ( timer ( Vt) , timer (V2 )) , V1 =off , V0 =one , bool( and ( bool( and ( bool ( and ( bool( eq( state ( Vs0 ) ,state ( one ))) ,bool( not ( bool ( expire ( timer ( Vt))))))), bool ( and ( bool( eq( state ( Vs1 ) , state ( x2p1( state ( one ))))), bool( not ( bool( expire (
