Property 2: INCA Query

Refinement: If a1 is registered for e1 and the dispatcher receives e1 from the adt_wrapper then it will not accept another event from the adt_wrapper before passing e1 to a1.

Pattern: Existence

Scope: Between (P becomes true between Q and R.)


  (defquery "existence_of_p_between_q_and_r" "nofair"
        (interval :initial t :open t :ends-with '("Q"))
        (interval :ends-with '("R") :forbid '("P")))))


  P = (rendezvous "dispatcher;a1.notify_client_event;e1")
  Q = (rendezvous "adt_wrapper;dispatcher.notify_artists;e1")
  R =     (and
            (or (prefix "call") (prefix "accept"))
            (contains "adt_wrapper;dispatcher.notify_artists"))

Modifcations: Added constraint representing "a1 is registered for e1" in interval 1. Here we are relying on the fact that Property 1 has been verified to simplify the interpretation of "a1 is registered for e1".

INCA Query:

(defquery "p02a" "nofair"
        :initial t
        :open t 
        :constraints '(
            (+ 1 "accept(a1;dispatcher.unregister_event;art1;e1)")))
        :ends-with '(
          (rendezvous "adt_wrapper;dispatcher.notify_artists;e1")))
        :ends-with '(
            (or (prefix "call") (prefix "accept"))
            (contains "adt_wrapper;dispatcher.notify_artists")))
        :forbid '((rendezvous "dispatcher;a1.notify_client_event;e1"))))))

Up to Property 2: Dispatcher notifies before receiving again

Forward to Property 3: INCA

Back to Property 1: INCA