/*
 * Promela (SPIN) model of a single elevator serving NUM_FLOORS floors.
 * One Customer process produces floor requests, one Elevator process
 * consumes them, and one DoorController process per floor opens and shuts
 * that floor's door on request. The properties to check are given as LTL
 * formulas in the comments at the end of the file.
 */
#define NUM_FLOORS 4

/* Is the door on the Nth floor open? (global, so the properties can read it) */
bit doorOpen[NUM_FLOORS];

/* Buffer of floor requests to elevator: asynchronous, capacity 10 */
chan elevatorRequests = [10] of {byte};
/* Rendezvous (capacity 0) channel: {floor, 1} asks that floor's controller to cycle its door */
chan doorRequest = [0] of {byte,bit};
/* Rendezvous (capacity 0) channel: the controller reports that the door is shut again */
chan doorRequestComplete = [0] of {bit};

/* Request source: queues requests for successive floors, wrapping at NUM_FLOORS. */
proctype Customer ()
{
    byte floor; /* no initialiser; Promela variables default to 0 */
    /* this annoying person rides the elevator from one floor to the next */
    do
    :: elevatorRequests!floor -> floor = (floor + 1) % NUM_FLOORS;
    od
}

/*
 * Door controller for one floor.
 * floor: index of the door this instance controls.
 */
proctype DoorController (byte floor)
{
    do
    /* eval(floor) matches on the current value of floor, and 1 is a constant
       match, so this receive is executable only for a request that names
       this floor */
    :: doorRequest?eval(floor),1 ->
        /* open and shut are separate, non-atomic steps, so other processes
           may interleave while the door is open; that is the window the
           safedoors property examines */
        doorOpen[floor] = 1; /* open the door */
        doorOpen[floor] = 0; /* shut the door */
        doorRequestComplete!1
    od
}

/*
 * Elevator car: moves one floor per step toward targetFloor, then has the
 * door at that floor cycled before taking the next request.
 */
proctype Elevator ()
{
    byte floor=0, targetFloor=0, response;
    do
    :: floor < targetFloor -> floor++;
    :: floor > targetFloor -> floor--;
    :: floor == targetFloor ->
        /* floor and targetFloor both start at 0, so the first action is a
           door cycle on floor 0 before any request has been consumed */
        doorRequest!floor,1;
        /* blocks until the controller has shut the door again, so the car
           does not move while the door is open */
        doorRequestComplete?response;
        /* the only send on doorRequestComplete in this model sends 1 */
        assert(response == 1);
        /* blocks while the request buffer is empty */
        elevatorRequests?targetFloor
    od
}

/*
 * Start all processes in one atomic step.
 * NOTE(review): the four DoorController instances are hard-coded for
 * NUM_FLOORS == 4. If NUM_FLOORS changes, this list and the safedoors macro
 * below must be changed with it.
 */
init {
    atomic {
        run Customer();
        run Elevator();
        run DoorController(0);
        run DoorController(1);
        run DoorController(2);
        run DoorController(3);
    }
}

/*
 * Safety: at most one door is open at any time.
 * NOTE(review): the sum covers doors 0..3 only; a door with a higher index
 * would not be counted. The invariant also says nothing about where the car
 * is. Elevator keeps its position in a local variable, so a property such as
 * "a door is open only at the floor where the car is" would need that
 * position to be visible to the property (a global or a remote reference).
 */
#define safedoors (doorOpen[0] + doorOpen[1] + doorOpen[2] + doorOpen[3] <= 1)
/* [] safedoors */

/* Door 0 is currently open. */
#define open0 doorOpen[0]
/*
 * does this channel contain a request for 0?
 * NOTE(review): elevatorRequests?[0] is a side-effect-free poll that is true
 * when a receive of 0 would be executable, that is, when the oldest buffered
 * request is 0. It does not look at requests further back in the buffer;
 * the random-receive poll ??[0] does. Confirm which one is intended.
 */
#define req0 elevatorRequests?[0]
/*
 * Liveness: a request for floor 0 is eventually served.
 * NOTE(review): in SPIN LTL syntax the unary [] presumably binds tighter
 * than ->, so the formula below would read as ([] req0) -> (<> open0).
 * The usual response form is [] (req0 -> <> open0); confirm against the
 * SPIN version in use before relying on the result.
 */
/* [] req0 -> <> open0 */