2. A parameter restriction scenario for the credits model.
0
1
ReqA(0,1)
3
ResA(0,1)
2
ResA(0,0)
Figure 14.3. Composition of the model programs in Figures 14.1 and 14.2. State 2 violates the state invariant
in Figure 14.1.
Figure 14.2). The FSM disables all Work actions and provides concrete parameter
domains for message IDs and credits in the Setup actions. We can compose the
credits model program with the FSM. The resulting finite state machine is shown in
Figure 14.3. We can see that state 2 is unsafe, because the update rule of the action
ResSetup(0,0, ) from state 1 removes all pending requests and adds no credits, so
the client cannot send further requests.
We need to strengthen the enabling condition of the response action so that if
there are no pending requests and the window is empty, then the granted number of
credits must be at least one. We do so by adding the additional enabling condition
to the credits model.
[Requirement("Section ...: Client must have enough credits")]
static bool ResEnabled1(int m, int c)
{
return requests.Count > 1 || window.Count > 0 || c > 0;
}
Notice that if the window is empty and no credits are granted then there must be
at least two requests pending when this enabling condition is checked, because the
response action update rule will remove one of the requests.
230 Compositional Modeling
FSM(0, AcceptingStates(0),
Transitions(t(0,ReqSetup(0,2),0),t(0,ReqSetup(1,2),0),
t(0,ResSetup(0,0),0),t(0,ResSetup(0,1),0),t(0,ResSetup(0,2),0),
t(0,ResSetup(1,0),0),t(0,ResSetup(1,1),0),t(0,ResSetup(1,2),0)),
Vocabulary("ReqWork", "ResWork"))
Figure 14.
Pages:
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307