[tlaplus] How to model check this "real-time" spec?

[ns <nedsri1988@xxxxxxxxx>]

hello I've been reading the chapter on Real-time in the Specifying Systems book and am trying to experiment with a small spec that uses an integer clock (thereby bypassing the need to worry about real valued time, which wouldn't work with TLC anyway). This specific example is to turn the lights on and off, but in any case no less than every K seconds. However, it does not model check (invariant TimingOK violated) although it *seems* correct to me. The problem is that there is no way of forcing the LNext action to take place so the invariant is violated. (for the example I used K=2 and MAX_TIME 4). Is there a way to fix this so TLC will model check it?

thanks!

(*turn lights on and off, but at least every K seconds*)

EXTENDS Naturals

CONSTANTS

MAX_TIME, K

Time == 0 .. (MAX_TIME+1) 

VARIABLE lights,clock, lightsTrigT

vars == <<lights, clock, lightsTrigT>>

isTyped == lights \in BOOLEAN /\ clock \in Time /\ lightsTrigT \in Time

Init == lights=TRUE /\ clock=0 /\ lightsTrigT=0

LNext == (IF lights THEN lights'=FALSE ELSE lights'=TRUE) /\ lightsTrigT' = clock

DoNothing == UNCHANGED <<lights,lightsTrigT>>

clockNext == clock' = clock+1 

TBound(actionTriggerT, maxWait) == clock <= actionTriggerT + maxWait

Next == (LNext \/ DoNothing) /\ clockNext /\ TBound(lightsTrigT, K)

Spec == Init /\ [][Next]_vars

TimingOK == (clock <= lightsTrigT + K)

THEOREM Spec => [] TimingOK

-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/92ac2873-a0a6-415a-9c6f-fd6a8afa028cn%40googlegroups.com.