A relevant feature of DSTM is that it owns a strictly formalized step semantics.
The step semantics and the external environment are modelled by means of a special Promela process named Engine. The Engine process initializes the exter-nal channels, simulates the non-deterministic generation of messages over them and controls the step semantics by assigning the token for the transitions firing.
Below the Engine process of the RBC Communication Procedure is described.
Channels initialization The exchange of messages between machines and the environment is performed using external channels defined in the data declara-tions. The external channels of the Communication Procedure are multi type.
This means that for each of them, the generation of the single-type sub channels must be performed, for both the initialization process and the non-deterministic messages generation. As for example the a generic ChFrom channel (i.e. a channel managing messages coming from a train) is of MtFrom multi type. The MtFrom
multi type is composed by three sub-types related to the messages that can con-vey in the channels of this type: (MSessionEstablished, MAck, MTrainRegistration).
Thus, for each subtype a simple-type external channel is generated. In the specific case, considering the ChFrom channels, the simple type external chan-nels generated are CfromTrain_MSessionEstablished, CfromTrain_MAck and Cfrom-Train_MTrainRegistration. Furthermore, strictly related to this, local variables for the non-deterministic generation are generated. Such local variables, named temp variables, are generated according to the process described in Section6.5.5.
Listing 7.2shows the temp variables for the Communication Procedure and the initialization of the external channels.
LISTING 7.2: The DSTM model of the Communication Establish-ment Machine
1 a c t i v e proctype Engine ( ) { 2 pid PidMain ;
3 //Temp V a r i a b l e s 4 mtype temp ;
5 mtype temp_Canswer_1 ;
6 mtype temp_CfromTrain1_MSessionEstablished_1 ; 7 mtype temp_CfromTrain1_MSessionEstablished_2 ; 8 i n t temp_CfromTrain1_MSessionEstablished_3 ; 9 i n t temp_CfromTrain1_MSessionEstablished_4 ; 10 mtype temp_CfromTrain1_MAck_1 ;
11 mtype temp_CfromTrain1_MTrainRegistration_1 ; 12 mtype temp_CfromTrain1_MTrainRegistration_2 ; 13 mtype temp_CtoTrain1_MSystemVersion_1 ; 14 mtype temp_CtoTrain1_MSystemVersion_2 ; 15 mtype temp_CtoTrain1_MMovementAuthority_1 ; 16
17 . . . 18
19 mtype temp_CfromTrain4_MSessionEstablished_1 ; 20 mtype temp_CfromTrain4_MSessionEstablished_2 ; 21 i n t temp_CfromTrain4_MSessionEstablished_3 ; 22 i n t temp_CfromTrain4_MSessionEstablished_4 ; 23 mtype temp_CfromTrain4_MAck_1 ;
24 mtype temp_CfromTrain4_MTrainRegistration_1 ; 25 mtype temp_CfromTrain4_MTrainRegistration_2 ; 26 mtype temp_CtoTrain4_MSystemVersion_1 ; 27 mtype temp_CtoTrain4_MSystemVersion_2 ; 28 mtype temp_CtoTrain4_MMovementAuthority_1 ; 29 i n t temp_CtoTrain4_MMovementAuthority_2 ; 30 chan chTerm_MMain = [MAX_PROC] o f { b i t } ;
31 PidMain = run MMain( _pid , MMain_initial , chTerm_MMain ) ; 32
33 //Generation o f f i r s t messages 34 Canswer ! 0 , 0 ;
35 CfromTrain1_MSessionEstablished ! 0 , 0 , 0 , 0 , 0 ; 36 CfromTrain1_MAck ! 0 , 0 ;
37 CfromTrain1_MTrainRegistration ! 0 , 0 , 0 ; 38 CtoTrain1_MSystemVersion ! 0 , 0 , 0 ; 39 CtoTrain1_MMovementAuthority ! 0 , 0 , 0 ; 40
41 . . . 42
43 CfromTrain4_MSessionEstablished ! 0 , 0 , 0 , 0 , 0 ; 44 CfromTrain4_MAck ! 0 , 0 ;
45 CfromTrain4_MTrainRegistration ! 0 , 0 , 0 ; 46 CtoTrain4_MSystemVersion ! 0 , 0 , 0 ; 47 CtoTrain4_MMovementAuthority ! 0 , 0 , 0 ;
Non-deterministic generation The non-deterministic generation is in charge of dispatching messages over the external channels. As reported in the Listing7.3 in the generation block this task is performed by an iteration. First, the length of each external channel is checked in order to verify that is not full. This condition is checked by using the len() function natively provided by Promela (Listing7.3, line 11). If the considered channel is of multi type in the corresponding DSTM model, the length check must be applied to each sub-channel (Listing 7.3, lines 30-31). In case the considered channel is full, the control is passed to the else statement, that add the TESQUEL directives to signal, in the resulting test case, such situation. Otherwise the non-deterministic generation, is performed, ac-cording to the structure of the external channels: each channel has two positions, one in which is memorized the current available value and one in which gener-ated values of the current step are memorized for the next step execution. Listing 7.3shows an excerpt of the non-deterministic generation of messages, related to the Engine process for a single train. The structure in the Listing7.3, is repeated as many times as the number of trains that can be accepted by the considered RBC.
LISTING 7.3: The DSTM model of the Communication Establish-ment Machine
1 g e n e r a t i o n :
2 atomic {
3 i f
4 : : ( NoFirings ==1) −> goto a b o r t ; 5 : : e l s e −> s k i p ;
6 f i ;
7 NoFirings = 1 ;
8 p r i n t f (" <ENGINE : message g e n e r a t i o n >\n " ) ;
9 //MESSAGES ON Canswer
10 i f
11 : : ( l e n ( Canswer ) ==1) −>
12 i f
13 : : ( 1 ) −>
14 i f
15 : : temp_Canswer_1=a c c e p t e d ; 16 : : temp_Canswer_1= r e f u s e d ;
17 f i ;
18 p r i n t f (" <ENGINE : Canswer − ge nera ted <%e>>\n " , temp_Canswer_1 ) ; 19 Canswer ! 1 , temp_Canswer_1 ;
20 : : ( 1 ) −>
21 p r i n t f (" <ENGINE : Canswer − ge nera ted EMPTY>\n " ) ; 22 Canswer ! 0 , 0 ;
23 f i ;
24 : : e l s e −>
25 p r i n t f (" <ENGINE : Canswer − ge nera ted BY SYSTEM>\n " ) ; 26 f i ;
27 Canswer ?temp , temp_Canswer_1 ; 28
29 //MESSAGES ON CfromTrain1
30 i f
31 : : ( l e n ( CfromTrain1_MSessionEstablished ) + l e n ( CfromTrain1_MAck ) + l e n ( CfromTrain1_MTrainRegistration ) == 3 ) −>
32 i f
33 : : ( 1 ) −>
34 i f
35 : : temp_CfromTrain1_MSessionEstablished_1= S e s s i o n E s t a b l i s h e d ;
36 : : temp_CfromTrain1_MSessionEstablished_1=Ack ;
37 : : temp_CfromTrain1_MSessionEstablished_1= T r a i n R e g i s t r a t i o n ;
38 : : temp_CfromTrain1_MSessionEstablished_1=SystemVersion ;
39 : : temp_CfromTrain1_MSessionEstablished_1=MovementAuthority ;
40 f i ;
41 i f
42 : : temp_CfromTrain1_MSessionEstablished_2=L0 ;
43 : : temp_CfromTrain1_MSessionEstablished_2=L1 ;
44 f i ;
45 temp_CfromTrain1_MSessionEstablished_3 = 1
46 temp_CfromTrain1_MSessionEstablished_4 = 1
47 p r i n t f (" <ENGINE : CfromTrain1_MSessionEstablished − ge ner ate d <%e ,%e ,%d ,%d>>\n " , temp_CfromTrain1_MSessionEstablished_1 ,
temp_CfromTrain1_MSessionEstablished_2 , temp_CfromTrain1_MSessionEstablished_3 , temp_CfromTrain1_MSessionEstablished_4 ) ;
48 CfromTrain1_MSessionEstablished ! 1 ,
temp_CfromTrain1_MSessionEstablished_1 , temp_CfromTrain1_MSessionEstablished_2 , temp_CfromTrain1_MSessionEstablished_3 , temp_CfromTrain1_MSessionEstablished_4 ; 49 CfromTrain1_MAck ! 0 , 0 ;
50 CfromTrain1_MTrainRegistration ! 0 , 0 , 0 ; 51 : : ( 1 ) −>
52 i f
53 : : temp_CfromTrain1_MAck_1= S e s s i o n E s t a b l i s h e d ;
54 : : temp_CfromTrain1_MAck_1=Ack ;
55 : : temp_CfromTrain1_MAck_1= T r a i n R e g i s t r a t i o n ;
56 : : temp_CfromTrain1_MAck_1=SystemVersion ;
57 : : temp_CfromTrain1_MAck_1=MovementAuthority ;
58 f i ;
59 p r i n t f (" <ENGINE : CfromTrain1_MAck − ge nera ted <%e>>\n " , temp_CfromTrain1_MAck_1 ) ;
60 CfromTrain1_MAck ! 1 , temp_CfromTrain1_MAck_1 ; 61 CfromTrain1_MSessionEstablished ! 0 , 0 , 0 , 0 , 0 ; 62 CfromTrain1_MTrainRegistration ! 0 , 0 , 0 ; 63 : : ( 1 ) −>
64 i f
65 : : temp_CfromTrain1_MTrainRegistration_1= S e s s i o n E s t a b l i s h e d ;
66 : : temp_CfromTrain1_MTrainRegistration_1=Ack ;
67 : : temp_CfromTrain1_MTrainRegistration_1= T r a i n R e g i s t r a t i o n ;
68 : : temp_CfromTrain1_MTrainRegistration_1=SystemVersion ;
69 : : temp_CfromTrain1_MTrainRegistration_1=MovementAuthority ;
70 f i ;
71 i f
72 : : temp_CfromTrain1_MTrainRegistration_2= r e g i s t e r e d ;
73 f i ;
74 p r i n t f (" <ENGINE : CfromTrain1_MTrainRegistration − ge ner ated <%e ,%e>>\n
" , temp_CfromTrain1_MTrainRegistration_1 , temp_CfromTrain1_MTrainRegistration_2 ) ;
75 CfromTrain1_MTrainRegistration ! 1 , temp_CfromTrain1_MTrainRegistration_1 , temp_CfromTrain1_MTrainRegistration_2 ;
76 CfromTrain1_MSessionEstablished ! 0 , 0 , 0 , 0 , 0 ; 77 CfromTrain1_MAck ! 0 , 0 ;
78 : : ( 1 ) −>
79 p r i n t f (" <ENGINE : CfromTrain1 − ge ner ated EMPTY>\n " ) ; 80 CfromTrain1_MSessionEstablished ! 0 , 0 , 0 , 0 , 0 ;
81 CfromTrain1_MAck ! 0 , 0 ;
82 CfromTrain1_MTrainRegistration ! 0 , 0 , 0 ;
83 f i ;
84 : : e l s e −>
85 p r i n t f (" <ENGINE : CfromTrain1 − ge ner ated BY SYSTEM>\n " ) ; 86 f i ;
87 CfromTrain1_MSessionEstablished ?temp , temp_CfromTrain1_MSessionEstablished_1 , temp_CfromTrain1_MSessionEstablished_2 , temp_CfromTrain1_MSessionEstablished_3 , temp_CfromTrain1_MSessionEstablished_4 ; 88 CfromTrain1_MAck ?temp , temp_CfromTrain1_MAck_1 ; 89 CfromTrain1_MTrainRegistration ?temp ,
temp_CfromTrain1_MTrainRegistration_1 , temp_CfromTrain1_MTrainRegistration_2 ; 90
91
92 //MESSAGES ON CtoTrain1
93 i f
94 : : ( l e n ( CtoTrain1_MSystemVersion ) + l e n ( CtoTrain1_MMovementAuthority ) ==
2 ) −>
95 i f
96 : : ( 1 ) −>
97 i f
98 : : temp_CtoTrain1_MSystemVersion_1= S e s s i o n E s t a b l i s h e d ;
99 : : temp_CtoTrain1_MSystemVersion_1=Ack ;
100 : : temp_CtoTrain1_MSystemVersion_1= T r a i n R e g i s t r a t i o n ;
101 : : temp_CtoTrain1_MSystemVersion_1=SystemVersion ;
102 : : temp_CtoTrain1_MSystemVersion_1=MovementAuthority ;
103 f i ;
104 i f
105 : : temp_CtoTrain1_MSystemVersion_2=V0 ;
106 : : temp_CtoTrain1_MSystemVersion_2=V1 ;
107 : : temp_CtoTrain1_MSystemVersion_2=V2 ;
108 f i ;
109 p r i n t f (" <ENGINE : CtoTrain1_MSystemVersion − ge nera ted <%e ,%e>>\n " , temp_CtoTrain1_MSystemVersion_1 , temp_CtoTrain1_MSystemVersion_2 ) ; 110 CtoTrain1_MSystemVersion ! 1 , temp_CtoTrain1_MSystemVersion_1 ,
temp_CtoTrain1_MSystemVersion_2 ; 111 CtoTrain1_MMovementAuthority ! 0 , 0 , 0 ; 112 : : ( 1 ) −>
113 i f
114 : : temp_CtoTrain1_MMovementAuthority_1= S e s s i o n E s t a b l i s h e d ;
115 : : temp_CtoTrain1_MMovementAuthority_1=Ack ;
116 : : temp_CtoTrain1_MMovementAuthority_1= T r a i n R e g i s t r a t i o n ;
117 : : temp_CtoTrain1_MMovementAuthority_1=SystemVersion ;
118 : : temp_CtoTrain1_MMovementAuthority_1=MovementAuthority ;
119 f i ;
120 temp_CtoTrain1_MMovementAuthority_2 = 10
121 p r i n t f (" <ENGINE : CtoTrain1_MMovementAuthority − ge ner ated <%e ,%d>>\n " , temp_CtoTrain1_MMovementAuthority_1 ,
temp_CtoTrain1_MMovementAuthority_2 ) ;
122 CtoTrain1_MMovementAuthority ! 1 , temp_CtoTrain1_MMovementAuthority_1 , temp_CtoTrain1_MMovementAuthority_2 ;
123 CtoTrain1_MSystemVersion ! 0 , 0 , 0 ; 124 : : ( 1 ) −>
125 p r i n t f (" <ENGINE : CtoTrain1 − ge ner ated EMPTY>\n " ) ; 126 CtoTrain1_MSystemVersion ! 0 , 0 , 0 ;
127 CtoTrain1_MMovementAuthority ! 0 , 0 , 0 ;
128 f i ;
129 : : e l s e −>
130 p r i n t f (" <ENGINE : CtoTrain1 − ge ner ated BY SYSTEM>\n " ) ;
131 f i ;
132 CtoTrain1_MSystemVersion ?temp , temp_CtoTrain1_MSystemVersion_1 , temp_CtoTrain1_MSystemVersion_2 ;
133 CtoTrain1_MMovementAuthority ?temp , temp_CtoTrain1_MMovementAuthority_1 , temp_CtoTrain1_MMovementAuthority_2 ;
134
The generation block ends by assigning the token to the main process (Listing 7.4, line 2). Then, the Engine process enters the do construct, where it waits until the Promela global variable timeout is evaluated true. This happens when no statement can be executable in the active processes, hence when all the SUT processes have consumed their token. In this case, Engine executes a jump to the generation label and starts a new step.
LISTING 7.4: The DSTM model of the Communication Establish-ment Machine
1 //GIVE TOKEN TOTHE MAIN PROCESS
2 HasToken [ PidMain ] = 1 ;
3 }
4 do
5 : : timeout −> goto g e n e r a t i o n ;
6 od ;
7 a b o r t :
8 dyingPid=_pid ;
9 }