-- Turn-based mutual exclusion between two asynchronous processes, followed by
-- CTL (SPEC) and LTL (LTLSPEC) properties that probe safety and liveness.
-- By inspection, several of the liveness properties are expected to fail.
-- Read them as a comparison of formula strengths and confirm every verdict
-- with the model checker rather than relying on these comments.
MODULE main
VAR
  turn : {p,q};                          -- whose turn it is to enter the critical section
  -- NOTE(review): the `process` keyword is deprecated in recent NuSMV
  -- releases; confirm the tool version this model targets.
  procP : process user(turn, p, q);      -- P: own id p, other id q
  procQ : process user(turn, q, p);      -- Q: own id q, other id p
ASSIGN
  init(turn) := p;                       -- P is granted the first turn

-- Safety: the two processes are never in the critical section together.
-- This is the property that matters for mutual exclusion.
SPEC AG !(procP.state = crit & procQ.state = crit)
-- Negation of the property above, so exactly one of the two can hold.
-- A failure here is the desired result.
SPEC EF (procP.state = crit & procQ.state = crit)
-- Weak sanity check: both processes start in non-crit, so this is satisfied
-- in the initial state and gives no assurance about safety.
LTLSPEC F !(procP.state = crit & procQ.state = crit)
-- LTL form of the safety property.
LTLSPEC G !(procP.state = crit & procQ.state = crit)

-- Progress (CTL): when someone is waiting in `enter`, does *some* process
-- reach `crit` on every fair path?
-- Presumably the single-waiter and `|` variants fail: the process holding the
-- turn may stay in non-crit forever. Only the `&` variant (both waiting) looks
-- provable. Verify with the checker.
SPEC AG (procQ.state = enter -> AF (procQ.state = crit | procP.state=crit))
SPEC AG (procP.state = enter -> AF (procQ.state = crit | procP.state=crit))
SPEC AG ((procQ.state = enter | procP.state = enter) -> AF (procQ.state = crit | procP.state=crit))
SPEC AG ((procQ.state = enter & procP.state = enter) -> AF (procQ.state = crit | procP.state=crit))

-- The same four progress properties written in LTL.
LTLSPEC G (procQ.state = enter -> F (procQ.state = crit | procP.state = crit))
LTLSPEC G (procP.state = enter -> F (procQ.state = crit | procP.state = crit))
LTLSPEC G ((procP.state = enter | procQ.state = enter) -> F (procQ.state = crit | procP.state = crit))
LTLSPEC G ((procP.state = enter & procQ.state = enter) -> F (procQ.state = crit | procP.state = crit))

-- Starvation freedom (CTL): the waiting process itself reaches `crit` on
-- every fair path (AF).
SPEC AG (procP.state = enter -> AF (procP.state = crit))
SPEC AG (procQ.state = enter -> AF (procQ.state = crit))
-- Much weaker: from `enter` there merely *exists* a path to `crit` (EF).
-- Passing these does not rule out starvation.
SPEC AG (procP.state = enter -> EF (procP.state = crit))
SPEC AG (procQ.state = enter -> EF (procQ.state = crit))

-- Starvation freedom (LTL). The `G F (...)` forms only require the
-- implication to hold infinitely often; the `G (...)` forms require it at
-- every step.
LTLSPEC G F (procP.state = enter -> F procP.state = crit)
LTLSPEC G F (procQ.state = enter -> F procQ.state = crit)
LTLSPEC G (procQ.state = enter -> F procQ.state = crit)
LTLSPEC G (procP.state = enter -> F procP.state = crit)

-- One participant in the protocol.
--   turn  : shared turn variable (declared in main, also assigned here)
--   io    : this process's own id; it may enter `crit` only while turn = io
--   altro : the other process's id; turn is handed to it on leaving `crit`
MODULE user(turn, io, altro)
VAR
  state : {non-crit,enter, crit,exit};
ASSIGN
  init(state) := non-crit;
  next(state) :=
    case
      -- May idle in non-crit indefinitely. Nothing forces a request.
      state = non-crit : {non-crit,enter};
      -- Entry is gated on holding the turn.
      state = enter & turn = io : crit;
      state = crit : exit;
      state = exit : non-crit;
      -- Default branch; reached only when waiting in `enter` without the turn.
      TRUE : state;
    esac;
  next(turn) :=
    case
      -- The turn passes to the other process in the same step that moves
      -- this process from crit to exit.
      next(state) = exit : altro;
      TRUE : turn;
    esac;
-- Only paths on which this process instance runs infinitely often are
-- considered. This does not force the process to leave non-crit.
FAIRNESS running