Flattened M_CommunicationEstablishment machine

The flat machine presents two of the cases treated in Section 5.4: the asyn-chronous fork and the simple join. The box manageTrain of the DSTM model is removed and the entering and exiting fork transitions T03, T04 and T05 are re-placed by the single transition T03_T04_T05. Such transition has the same source of the T03 transition and the same destination of the asynchronous fork transi-tion T04. Moreover the decoratransi-tion of such transitransi-tions inherits trigger and condi-tion from the T03 transicondi-tion and the accondi-tions of all original transicondi-tions with the additional actions related to the instantiation of the M_ManageTrain machine.

The idle node is renamed as idle_manageTrain in order to keep track of the re-moved box. Since the idle node is both the source and the target node of this transition, the new transition forms a self-loop on that node. With the respect to the join, lets note that an exiting join transition can specify neither a trigger nor a condition, but it may have an associated action. Since in this case the join is non-preemptive, it is replaced by a single internal transition with no trigger and a guard checking for the termination of all the machines associated with the joined boxes. The action of the transition must include the action of exit-ing join transition as well as the actions necessary to deal with the termination

of the joined boxes. According to this the transition T06_T07_T08 replaces the non-preemptive join transitions T06, T07 and the exiting join transition T08. The actions on this new transition include those specified on the exiting join transi-tion T08. The guard is chT erm_manageT rain_M _M anageT rainexiting[? < 1 >], checking for the reception of the exiting message from machine M_ManageTrain.

The action associated with transition T06_T07_T08 is the action of transition T08 (V_Cont:= ++V_Cont) followed by the consumption of the exiting message from M_ManageTrain and the dispatch of the termination message to M_ManageTrain along channel chTerm_manageTrain_M_ManageTrain.

Promela model In order to show a complete generation process the Promela model related to the M_CommunicationEstablishment machine, is provided in List-ing7.1. Such Promela model is structured according to the schema, discussed in Section5.2.

LISTING 7.1: The DSTM model of the Communication Establish-ment Machine

1 proctype MCommunicationEstablishment ( pid p a r e n t ; mtype i n i t i a l ; chan chTerm ) {

2 byte i ; 3 pid PidTemp ;

4 b i t MyChildren [MAX_PROC ] ; 5

6 chan chTerm_manageTrain_MManageTrain = [MAX_PROC] o f { b i t } ;

7 chan chTerm_manageTrain_MManageTrain_exiting = [MAX_PROC] o f { b i t } ; 8 mtype s t a t e = i n i t i a l ;

9 do

10 : : ( s t a t e == MCommunicationEstablishment_initial && HasToken [ _pid ] = = 1 )

−>

11 atomic {

12 p r i n t f (" < c u r r e n t node [%d ] = MCommunicationEstablishment_initial >\n " , _pid ) ;

13 HasToken [ _pid ] = 0 ; 14 i f

15 : : ( 1 ) −>

16 Vcont = 0 ;

17 p r i n t f (" < f i r i n g t r a n s i t i o n [%d ] = MCommunicationEstablishment_T01 >\n " , _pid ) ;

18 s t a t e = MCommunicationEstablishment_idle_manageTrain ;

19 p r i n t f (" < n ex t node[%d ] = MCommunicationEstablishment_idle_manageTrain

>\n " , _pid ) ;

20 L a s t T r a n s i t i o n =MCommunicationEstablishment_T01 ;

21 NoFirings = 0 ;

22 : : e l s e −>

23 f o r ( i : 0 . . MAX_PROC−1) { 24 HasToken [ i ]= MyChildren [ i ] ;

25 }

26 f i ;

27 }

28

29 : : ( s t a t e == MCommunicationEstablishment_idle_manageTrain && HasToken [ _pid ] = = 1 ) −>

30 atomic {

31 p r i n t f (" < c u r r e n t node [%d ] =

MCommunicationEstablishment_idle_manageTrain >\n " , _pid ) ; 32 HasToken [ _pid ] = 0 ;

33 34 i f

35 : : ( Crequest ? [ _ , _ , _ , _ , _]&&Vcont ==4) −>

36

37 Canswer ! 1 , r e f u s e d ; 38 Crequest ? _ , _ , _ , _ , _ ;

39 p r i n t f (" < f i r i n g t r a n s i t i o n [%d ] = MCommunicationEstablishment_T02 >\n " , _pid ) ;

40 s t a t e = MCommunicationEstablishment_idle_manageTrain ;

41 p r i n t f (" < n ex t node[%d ] = MCommunicationEstablishment_idle_manageTrain

>\n " , _pid ) ;

42 L a s t T r a n s i t i o n =MCommunicationEstablishment_T02 ;

43 NoFirings = 0 ;

44 : : ( Crequest ? [ _ , _ , _ , _ , _]&&Vcont <=3) −>

45 Crequest ? VchFrom_MSessionEstablished , VchFrom_MAck , VchFrom_MTrainRegistration , VchTo_MSystemVersion , VchTo_MMovementAuthority ;

46 Canswer ! 1 , a c c e p t e d ;

47 Vcont ++;

48 PidTemp=run MManageTrain ( _pid , MManageTrain_initial , VchFrom_MSessionEstablished , VchFrom_MAck , VchFrom_MTrainRegistration , VchTo_MSystemVersion ,

VchTo_MMovementAuthority , chTerm_manageTrain_MManageTrain , chTerm_manageTrain_MManageTrain_exiting ) ;

49 MyChildren [ PidTemp ] = 1 ; 50 HasToken [ PidTemp ] = 1 ;

51 p r i n t f (" < f i r i n g t r a n s i t i o n [%d ] =

MCommunicationEstablishment_T03_T04_T05 >\n " , _pid ) ; 52 s t a t e = MCommunicationEstablishment_idle_manageTrain ;

53 p r i n t f (" < n ex t node[%d ] = MCommunicationEstablishment_idle_manageTrain

>\n " , _pid ) ;

54 L a s t T r a n s i t i o n =MCommunicationEstablishment_T03_T04_T05 ;

55 NoFirings = 0 ;

56 : : ( ( chTerm_manageTrain_MManageTrain_exiting ? [ 1 ] ) ) −>

57 chTerm_manageTrain_MManageTrain ! 1 ;

58 chTerm_manageTrain_MManageTrain_exiting ? _ ;

59 Vcont−−;

60 p r i n t f (" < f i r i n g t r a n s i t i o n [%d ] =

MCommunicationEstablishment_T06_T07_T08 >\n " , _pid ) ; 61 s t a t e = MCommunicationEstablishment_idle_manageTrain ;

62 p r i n t f (" < n ex t node[%d ] = MCommunicationEstablishment_idle_manageTrain

>\n " , _pid ) ;

63 L a s t T r a n s i t i o n =MCommunicationEstablishment_T06_T07_T08 ;

64 NoFirings = 0 ;

65 : : e l s e −>

66 f o r ( i : 0 . . MAX_PROC−1) { 67 HasToken [ i ]= MyChildren [ i ] ;

68 }

69 f i ;

70 }

71 od u n l e s s {

72 ( chTerm ? [ 1 ] || dyingPid==p a r e n t ) ;

73 i f

74 : : chTerm ? [ 1 ] −> chTerm ? 1 ; 75 f i ;

76 dyingPid = _pid ;

77 p r i n t f (" < Machine MCommunicationEstablishment[%d ] terminated >\n " , _pid ) ; 78 }

79 }

The process reported in the above listing is composed by two enumerations types which introduce the symbolic names for nodes an transitions. A global variable HasToken, typed as a bit array, is used to simulate the step semantics as described is Section5.5. Specifically, the i-th position of this array is set to 1 if the process, whose _pid is equal to i, currently holds the token, meaning that it can evolve. Lets note that this array is unique for the entire Promela model.

The body of the process consists in an iteration (a do-repetition construct) re-peated until the termination message is received from the calling process over the channel chTerm (exchanged as parameter). The termination message is then propagated to all the children processes of the current process, if any. Each node of the machine is translated into a guarded statement. The guard is satisfied if the specified node is the current state of the process and the process holds the to-ken. The atomic statement associated to the guard contains a sequence of state-ments executed indivisibly. The first statement in the sequence consumes the token (e.g., HasToken[_pid] = 0). Then a conditional statement (a selection con-struct - if ) contains one guarded statement for each transition exiting from that node, where the guard correspond to the enabling condition of the transitions (presence of the trigger and truth of the condition) and the associated statements translate the actions (if any). Each action is translated into basic Promela state-ments and operators, and executed when the associated guarded statement is se-lected for the execution. If more than one guarded statement is executable, one of them is non-deterministically selected. The else branch in the conditional state-ment guarantees from one hand that the process is not blocked if no transition can fire, from the other hand it executes a block of statements which propagates the token to the children of the current process.

The DSTM model The M_ManageTrain models the management of the com-munication procedure with a specific train. The parameters taken into account by this machine are the names of the multi-type channels on which the train and the RBC will communicate. This machine enters the node idle and then instan-tiates the machine M_SessionEstablishment, which models the session establish-ment protocol, by entering the proper box. This last machine can terminate its execution through different exiting nodes: exiting through entry means that the machine M_Entry shall be subsequently instantiated, while som represents the necessity to instantiate the machine M_StartOfMission (the models of these last are provided in AppendixA). If the session establishment protocol is aborted (ex-iting through aborted), this machine also terminates its execution. After both the machines M_entry and the M_StartOfMission, the machine M_MovAuth is instan-tiated in order to give periodically MA to the train. Note that, if the entry actions have been performed, the machine M_MovAuth shall be instantiated through its afterEntry entering node.

Figure7.4shows the graphical representation of the M_ManageTrain.