1. 1 Pass the Parcel /* Pass the parcel in Promela */ /* passing is not atomic */ /* communication is asynchronous */ /* Muffy Calder, November 2000 */ mtype = {on, off,over}; chan one=[1] of {byte}; chan two= [1] of {byte}; chan three= [1] of {byte}; chan four= [1] of {byte}; chan music = [1] of {mtype}; chan game = [1] of {mtype} byte parcel; byte pid1= -1; byte pid2 = -1; byte pid3 = -1; byte pid4 = -1; byte winners = 0;

2. 2 proctype player(chan in, out) { bit posess =0; bit wrapped =1; do :: music? -> atomic{ if :: full(in) -> in?parcel; posess=1; wrapped =1; :: posess -> out!parcel; posess =0; :: !posess && empty(in) -> skip fi} :: music? -> atomic{ if :: posess && wrapped -> parcel=parcel-1; wrapped = 0; /*unwrap*/ if :: (parcel == 0) -> break /* end of game */ :: else -> skip fi :: posess && !wrapped -> skip :: !(posess) -> if :: full(in) -> in?parcel; posess=1; parcel = parcel-1; wrapped=0; if ::(parcel == 0) -> break /* end of game */ :: else -> skip fi :: empty(in) -> skip fi fi} :: game? -> goto finish od; game!over; winners = winners+1; finish: skip }

3. 3 proctype musicprocess() {music!on; do :: music?on -> music!off :: music?off -> music!on od } #define p1 (player[pid1].posess ==1) #define p2 (player[pid2].posess == 1) #define p3 (player[pid3].posess == 1) #define p4 (player[pid4].posess == 1) #define q1 winners == 1 #define q2 winners >1 init{ atomic{ parcel = 3; one!parcel; run musicprocess(); pid1 = run player (one,two); pid2 = run player (two,three); pid3 = run player (three,four); pid4 = run player (four,one) }}

4. 4 #include "/users/fda/muffy/Checkers/testexamples/parcel_claim2.p" /* claim1 <> q2 */ /* * Formula As Typed: <> q2 * The Never Claim Below Corresponds * To The Negated Formula !(<> q2) * (formalizing violations of the original) */ never { /* !(<> q2) */ accept_init: T0_init: if :: (! ((q2))) -> goto T0_init fi; } /*claim2 [] (!q2) */ /*claim3 [] (p1 -> !(p2 && p3 && p4) */