// Probabilistic timed automaton (PTA) made of two modules, `sender` and
// `environment`, which synchronise on the actions send_used, send_fresh and recv.
// NOTE(review): the state names (reconf / used / fresh) suggest an address
// self-configuration protocol that probes before using a candidate -
// confirm against the model's source.
pta

module sender

    // Sender location. The numbering is relied on by the invariant below and
    // by the "incorrect" label, so it must not be changed.
    sender : [0..12] init 0;
    // 0  - reconf      (pick a new candidate)
    // 1  - used0       \
    // 2  - used1        | "used" branch; the index is the number of
    // 3  - used2        | send_used steps already taken
    // 4  - used3       /
    // 5  - used_wait   (last wait in the used branch)
    // 6  - used_use    (absorbing; target of the "incorrect" label)
    // 7  - fresh0      \
    // 8  - fresh1       | "fresh" branch; the index is the number of
    // 9  - fresh2       | send_fresh steps already taken
    // 10 - fresh3      /
    // 11 - fresh_wait  (last wait in the fresh branch)
    // 12 - fresh_use   (absorbing)

    // Sender clock; reset on every send, every recv and on entering 6 / 12.
    x : clock;

    // Location invariants:
    //  - location 0 is urgent (x<=0), so the probabilistic choice is immediate;
    //  - locations 1..10 may not let x exceed 20; together with the x>=20
    //    guards below, each step there fires at exactly x=20;
    //  - locations 11 and 12 are unconstrained.
    // NOTE(review): the range 1..10 also covers the absorbing location 6, while
    // fresh_wait (11) has no bound although used_wait (5) has one - confirm
    // this asymmetry is intended.
    invariant
        (sender=0 => x<=0)
        & (sender>=1 & sender<=10 => x<=20)
        & (sender>10 => true)
    endinvariant

    // reconfiguring: with probability 0.5 each, enter the used branch (1) or
    // the fresh branch (7). x is not reset here; it is already 0 because of
    // the x<=0 invariant on location 0.
    [] sender=0 ->0.5 : (sender'=1) + 0.5 : (sender'=7);

    // recv in any probing or waiting location (1..5, 7..11) sends the sender
    // back to reconf and resets its clock. Locations 6 and 12 have no recv
    // command, so they cannot be left this way.
    [recv] sender=1 -> (sender'=0) & (x'=0);
    [recv] sender=2 -> (sender'=0) & (x'=0);
    [recv] sender=3 -> (sender'=0) & (x'=0);
    [recv] sender=4 -> (sender'=0) & (x'=0);
    [recv] sender=5 -> (sender'=0) & (x'=0);
    [recv] sender=7 -> (sender'=0) & (x'=0);
    [recv] sender=8 -> (sender'=0) & (x'=0);
    [recv] sender=9 -> (sender'=0) & (x'=0);
    [recv] sender=10 -> (sender'=0) & (x'=0);
    [recv] sender=11 -> (sender'=0) & (x'=0);

    // sending in the used branch (send_used): four steps, one every 20 time units
    [send_used] sender=1 & x>=20 -> (sender'=2) & (x'=0);
    [send_used] sender=2 & x>=20 -> (sender'=3) & (x'=0);
    [send_used] sender=3 & x>=20 -> (sender'=4) & (x'=0);
    [send_used] sender=4 & x>=20 -> (sender'=5) & (x'=0);

    // sending in the fresh branch (send_fresh): four steps, one every 20 time units
    [send_fresh] sender=7 & x>=20 -> (sender'=8) & (x'=0);
    [send_fresh] sender=8 & x>=20 -> (sender'=9) & (x'=0);
    [send_fresh] sender=9 & x>=20 -> (sender'=10) & (x'=0);
    [send_fresh] sender=10 & x>=20 -> (sender'=11) & (x'=0);

    // finished: if no recv arrived during the last wait, commit
    // (5 -> 6 in the used branch, 11 -> 12 in the fresh branch)
    [] sender=5 & x>=20 -> (sender'=6) & (x'=0);
    [] sender=11 & x>=20 -> (sender'=12) & (x'=0);
    // self-loops keep the two final locations absorbing
    [] sender=6 -> (sender'=6);
    [] sender=12 -> (sender'=12);

endmodule

module environment

    // Environment location.
    env : [0..2] init 0; // 0,1,2 - ready,send,reply
    // Environment clock; reset on every location change of this module.
    y : clock;

    // In locations 1 and 2 at most 5 time units may pass; the y>=1 guards
    // below give each of those steps a delay between 1 and 5.
    invariant
        (env=0 => true)
        & (env>=1 => y<=5)
    endinvariant

    // A send_fresh is accepted only when ready and never changes the
    // environment, so no recv follows from it.
    [send_fresh] env=0 -> true;
    // A send_used is accepted only when ready: with probability 0.1 the
    // environment stays ready, with probability 0.9 it moves on to `send`.
    // NOTE(review): the 0.1 branches here and below presumably stand for a
    // lost message - confirm.
    [send_used] env=0 -> 0.1 : (env'=0) & (y'=0) + 0.9 : (env'=1) & (y'=0);
    // From `send`, after at least 1 time unit: back to ready with probability
    // 0.1, on to `reply` with probability 0.9.
    [] env=1 & y>=1 -> 0.1 : (env'=0) & (y'=0) + 0.9 : (env'=2) & (y'=0);
    // From `reply`, after at least 1 time unit, recv is delivered to the sender.
    [recv] env=2 & y>=1 -> (env'=0) & (y'=0);

endmodule

// "incorrect" holds once the sender has committed in the used branch
// (location 6), i.e. no recv reached it during any of its waits there.
// Scope of the result: the environment's only deviations are the fixed 0.1
// branches above, and the only nondeterminism is timing. A party that
// withholds or forges recv on purpose is not modelled, so probabilities
// computed for this label cover accidental failure only.
label "incorrect" = sender=6;