MODULE main
VAR
    wantP: boolean;
    wantQ: boolean;
    p: process proc(wantP, wantQ); -- PROCESS: http://nusmv.fbk.eu/NuSMV/userman/v21/nusmv_3.html#SEC27
    q: process proc(wantQ, wantP);
ASSIGN
    init(wantP) := FALSE;
    init(wantQ) := FALSE;

CTLSPEC -- no mutual exclusion
  AG (p.state != critical | q.state != critical)

CTLSPEC -- no deadlock
  AG ((p.state = setTrue | q.state = setTrue) -> AF (p.state = critical | q.state = critical))

CTLSPEC -- no individual starvation
  AG (p.state = setTrue -> AF p.state = critical)
CTLSPEC
  AG (q.state = setTrue -> AF q.state = critical)

LTLSPEC -- no mutual exclusion
  G (p.state != critical | q.state != critical)
LTLSPEC -- no deadlock
  G ((p.state = setTrue | q.state = setTrue) -> F (p.state = critical | q.state = critical))
LTLSPEC -- no individual starvation
  G (p.state = setTrue -> F p.state = critical)
LTLSPEC
  G (q.state = setTrue -> F q.state = critical)

MODULE proc(mine, other)
VAR
    state: {local, critical, setTrue, setFalse, resetTrue, resetFalse};
ASSIGN
    init(state) := local;
    next(state) := case
                    state = local: {local, setTrue};
                    state = setTrue & other = TRUE: resetFalse;
                    state = setTrue & other = FALSE: critical;
                    state = resetFalse: resetTrue;
                    state = resetTrue & other = TRUE: resetFalse;
                    state = resetTrue & other = FALSE: critical;
                    state = critical: setFalse;
                    state = setFalse: local;
                   esac;
    next(mine) := case
                    state = setTrue: TRUE;
                    state = setFalse: FALSE;
                    state = resetTrue: TRUE;
                    state = resetFalse: FALSE;
                    TRUE: mine;
                   esac;
FAIRNESS
  running