A Front-end to LBTest for Conformance Testing of Embedded Systems

ROYAL INSTITUTE OF TECHNOLOGY

BACHELOR THESIS

DEGREE PROJECT IN INFORMATION AND SOFTWARE SYSTEMS

A Front-end to LBTest for Conformance Testing of Embedded Systems

Author:

Johan Gasslander johangas@kth.se TRITA-ICT-EX-2014: 103

June 23, 2014

Examiner:

Christian Schulte Supervisor:

Karl Meinke

Abstract

This report presents the work creating and evaluating a front-end for

conformance testing with the LBTest software and the viability of a tool of this

kind. LBTest is a tool designed for learning-based testing of embedded

systems using model checking. In order to reach a verdict the model checking

uses a specification written in linear temporal logic. The front-ends desired

functionality is to translate NuSMV-files into linear temporal logic. A .dot-file

should also be generated in order to render a visual representation of the Nu-

SMV-file. A case study where the front-end translates a model's specification

and testing it on a program with LBTest is successful and shows that a front-

end is possible to create and use in order to achieve conformance testing in

LBTest.

Sammanfattning

Den här rapporten beskriver arbetet för att skapa och utvärdera en front-end för testningsprogramvaran LBTest och hur användbart ett sådant verktyg är för att använda sig av conformance testing. LBTest använder learning-based testing för att lära sig hur inbyggda system är uppbyggda genom att använda model checking. Det slutgiltiga front-end programmet ska översätta modellspecifikationer skrivna i NuSMV till linear temporal logic som är det logikspråk som LBTest använder sig av. Även en .dot-fil ska skapas som kan användas till att rendera en grafisk representation av modellspecifikationen.

En fallstudie av programmet där en modellspecifikation översätts och körs i

LBTest visar att mjukvara av den här typen går att skapa och är en lämpligt

verktyg för att uppnå conformance testing med LBTest.

Table of Contents - A Front-end to LBTest for Conformance Testing of Embedded Systems

1 Introduction... 1

1.1 Background... 1

1.2 Problem... 1

1.3 Purpose... 2

1.4 Goal and Sustainability... 2

1.5 Delimitations... 2

1.6 Outline... 2

2 LBTest and It's Associated Technologies...4

2.1 NuSMV... 4

2.2 Model Checking... 5

2.3 Conformance Testing... 5

2.4 LBTest... 6

2.4.1 Black Box Testing... 6

2.4.2 Automated Test Case Generation...6

2.4.3 Propositional Linear Temporal Logic...6

3 Methods and Tools ... 8

4 Developing the Parser... 9

5 Case Study: Cruise controller...12

5.1 System Under Test... 12

5.2 LBTest... 12

5.3 Verdict... 13

5.4 Discussion... 13

6 Evaluation and Discussion... 15

6.1 Functionality... 15

6.1.1 Included Functionality... 15

6.1.2 Excluded Functionality... 15

6.2 Further Development... 16

6.3 Conclusion... 17

References... 18

Appendix A... 19

The Car Controller Model... 19

Appendix B... 20

The Car Controller Configuration File... 20

1 Introduction

1.1 Background

LBTest is a program jointly developed by the Machine Design Department at KTH (Royal Institute of Technology), School of Computer Science and Communications at KTH and SDL Fredhopper. [1]

LBTest is an implementation of learning-based testing of systems that, according to Sindhu, [1] “combines algorithms for incremental black-box learning of Kripke structures with model checking technology”. This means that LBTest pries and tests the system to learn its behaviour and from that determines if the system works by using model checking against a specification.

LBTest is currently using linear temporal logic (LTL) in order to decide if the system under test (SUT) is working according to the desired specifications. [1]

1.2 Problem

Writing LTL formulae for large systems is a big undertaking and since LBTest relies on LTL as input – an alternative is needed. How can one make sure that the input LTL is correct if LTL is unintuitive and tedious to write?

A way to express systems and data flows is to write them as automatons.

Automatons are a mathematical construct within discrete mathematics which

contains states and runs on a specific set of inputs. The current state is

decided from the stream of input. Automatons are most often represented in

diagrams and a way to do this is using the .dot syntax and GraphViz to render

an image. [2] Is it possible to create a front-end for LBTest that receives input

created with modelling tools in a way which would decrease errors in the

specification?

1.3 Purpose

The purpose of this thesis is to describe the development of a front-end for the software LBTest, how the front-end works and the front-end's strengths and weaknesses.

1.4 Goal, Ethics and Sustainability

The goal of this project is to ensure that .smv can be used to give instructions to LBTest and to ensure that the translation from .smv to LTL is correct in order to achieve conformance testing with LBTest. The resulting program need also be easy to use and must be able to be integrated into appropriate programs (LBTest.)

Unless these goals are not met, or if they are met with incorrect methods, the resulting front-end software will not assist in the bettering of LBTest.

Ethical aspects of this project are hard to find. Since the front-end is to be a part of LBTest which in itself may test security-systems, the front-end can be argued to inherit aspects from LBTest. One of these inherited aspects are the fact that if testing misses errors or otherwise gives false promises of verification of a system, human security may be at risk.

Since LBTest is written in Java, this front-end will be as well, and platform independence is limited to platforms with Java support.

1.5 Delimitations

Every aspect of .smv functionality has not been considered since it is very

broad. Therefore, functions and modules in .smv has been excluded

completely from this project and files with this functionality will not be

translated properly by the software.

Along the same reasoning, several LTL operators have been excluded, such as U (until), G (always) and F (eventually), some of which have no equivalent operation in .smv.

1.6 Outline

Within the next chapters, the background of NuSMV and LBTest will be

described and the methods used while developing the front-end will be

presented. After that the developmental phase work is detailed as well as

problems during the development. Towards the end a case study of a system

specification being translated into LTL and ran through LBTest will be

evaluated. Finally the resulting front-end will be discussed and summarized.

2 LBTest and It's Associated Technologies

2.1 NuSMV

NuSMV is an upgraded version of SMV (Symbolic Model Checking for Sequential Circuit Verification) which was the first model checker based on BDD (Binary Decision Diagram). BDD is the elementary way to describe systems and classification algorithms by using a binary tree structure. [3]

The terms NuSMV, SMV and .smv will be used throughout this report.

NuSMV refers to the model checker software which is an updated version of the SMV software while .smv is the file format in which the model is written in code.

The .smv syntax is fairly straightforward and consists of state, output and input variables, and rules of the behaviour of the variables. Sections separate different parts of an .smv file, the foremost is the MODULE section which contains subsections such as VAR (state and output variables), IVAR (input variables) and ASSIGN (transition rules). [4]

In ASSIGN, the switch-statement function “next()” (see fig. 2.1), determining transitional rules of output variables and states, is important. In a switch- statement the system sequentially evaluates the cases conditions. The first case which evaluates to true is chosen and the system executes the case's result. In the case of transitional rules, the case result is the state or output variable's next value. Only the first case in the list that evaluates to true is chosen. The subsequent cases are ignored. [4]

next(state) := case

state = stop & accelerate = throttleup & brake = nobreaking : slow;

state = slow & accelerate = throttleup & brake = nobreaking : fast;

state = fast & accelerate = throttledown & brake = nobreaking : slow;

state = slow & accelerate = throttledown & brake = nobreaking: stop;

brake = breaking : stop;

TRUE : state;

esac;

Figure 2.1: a transition switch-statement in the .smv file for a cruise controller in a car

2.2 Model Checking

Model checking is a method for automatic verification of finite-state concurrent systems. A finite state concurrent system is a system in which two states can be active at once, they are “concurrent states”. Model checking was proposed in the 1980s by both Clarke and Emerson as well as Quielle and Sifakis. [5]

The method literally checks if a systems meets the specifications and desired behaviour of a model. It either returns true, if the system is a model of the specification, or false along with a counterexample execution which describes why the specification is not satisfied. [5]

2.3 Conformance Testing

Conformance testing is a type of specifications testing that is very common in the Telecom industry when testing protocol. Conformance testing is based on generating a test suite from the specification and the SUT is then observed as test cases from the test suite is executed on it. A verdict is made by a verdict function that compares the results to the expected results. [6]

To understand how conformance testing works consider the production line of a factory. In the factory, products which do not conform to a certain specification (wrong weight, length, missing parts, etc.) are taken out from the process and are remade or recycled. For this process, the workers need a specification, without it the workers would not know what products to remove and faulty products might slip through. [6]

In conformance testing software, two finite state machines with input and output variables are compared. One specification machine M1 and one machine to be tested M2. [6]

First, the specification machine is subject to a series of input values I. The

testing software then reads the stream of output values O1 and stores it. Later,

the testing software compares it to the stream of output values O2 that the tested machine produces after being subject to an identical stream of input variables I . If the output streams, O1 and O2, differ in any way, the test is failed. A fault in the tested machine has been detected. [6]

2.4 LBTest

LBTest tests software systems by using learning-based testing which learns patterns within the SUT by black box-testing. Model checking is then used to find out if the learned system complies with the desired model. [1]

2.4.1 Black Box Testing

When the tester does not have access to source code for the system, the SUT has to be treated like a black box, an opaque entity which only responds to input with little to no output. For this, a number of test cases has to either be generated automatically or created manually. When the test cases are being run through the box, the results are compared to the expected results and a pass or fail verdict is decided. In the case of LBTest, the black box testing results in a model of the SUT that is compared to the specification with model checking. [1]

2.4.2 Automated Test Case Generation

In order for LBTest to black box test the SUT, a great number of test cases must be generated. This is done by analysing the specification and deriving enough relevant tests in order to create coverage of all paths through the execution to ensure no errors slip through. [7]

2.4.3 Propositional Linear Temporal Logic

LTL, introduced by Amir Pnueli as a way to create a unified approach to program verification, is the most common modal logic used. [8]

Propositional linear temporal logic (PLTL) is used for the special case where a

program is finite state. The correctness specification for program verification

can in this case be written in the propositional version of the logic. [9]

A formula in the logic is made up of a series of statements about variable values which are combined with various boolean operators, such as '&' (AND) and '|' (OR). [9]

What make this logic language special is the operators that handle time. One operator that handles time is X (next) which is particularly interesting for this project. X in itself contains logic statements which determine what variable values will be in the next iteration. There are many other operators that handle time such as U (until), G (always) and F (eventually). [9]

For example, this LTL formula

speed = zero & input = accelerate -> X(speed = one)

can be used to check a model of a vehicles behaviour. The formula can be

interpreted as: if the speed of the vehicle is zero and accelerate is inserted as

input then, in the next iteration, the speed will be one. The vehicle has

accelerated within the next iteration. If a system model does not conform to

this formula or “rule” then the formula will be evaulated to false in a model

checker and a counter-proof of the formula will be presented.

3 Methods and Tools

Working with Java SE 7 supplies a great amount of possibilities to use already existing code within its libraries. Java also provides the possibility to compile the program for a great number of platforms that runs JVM such as Windows, OSX, Linux and Solaris. [10]

The development was made in NetBeans due to its friendly debugging interface and integration with Git. Debugging and finding errors is an essential part of software development and the integrated debugging tools in NetBeans greatly simplifies this task. The tools include a possibility to enter breakpoints in the code via a graphical interface, and when debugging, stop at breakpoints and display the current state of the software, including every variable's current value. [13]

Handling versions of the programmed code with Git ensures that versions and notes on different versions are preserved. This prevents mistakes being done repeatedly and gives a sense of the projects advancements as well as creating a backup of the project. [14]

Since the finished front-end is to be used alongside LBTest, which is a Java program, it is constructed as a series of classes in Java. This means it can be used on whichever platform LBTest can be run on. The classes are compiled into a Java archive which enables execution of the program. The program prompts to open an .smv file from the disk and saves a new .smv-file with LTL translation, and another with the .dot translation, in the same directory.

The development method used to make the parser was extreme programming since the entire process was made by one person. Partial deliveries of the product was not needed and therefore, an iterative process was less important.

Testing is incorporated into extreme programming and comes along naturally

in the development process.

4 Developing the Front-End

Beginning to find out how the .smv should be translated was quite confusing and required many reviews of .smv code as well as comparisons with LTL and how it works. Having considered alternatives for translation into LTL, creating a parse tree was the first choice and this work was set in motion. As time and work progressed, the task seemed more and more complex and this approach was reconsidered. The translation is not required to be complex. Preferably, the program makes correct translations in a short time with a simple method instead of reading unnecessary data.

Finding ASSIGN sections in the MODULE was central in order to locate where the parser should search to create LTL. The entire information required for the LTL seemed to be located in ASSIGN sections as they contains the rules for transitions between states and variable values in different states.

Therefore, the translation was simply made to focus on what happens in the transitions within the ASSIGN section. For each statement in ASSIGN, the parser finds the variable for transitioning and determines if the operation is

“next”, which determines the variable's transitional rules, and “init” which sets the variables initial state. Within next, the transitional rules are listed in switch caes. Since switch case sequentially performs checks, in the order defined by the programmer, and the LTL does not, some modifications are necessary, such as negating previous cases. For this, the parser finds previously added LTL translations for this variable, negates the relevant predicates and puts the pieces together.

Any parser should definitely not read a line as one line from the file. A line

should be defined as a statement – a string of characters between two

semicolons. If a developer writes a statement that is too long, he or she will

probably want a new line to end the statement. The term 'line' is therefore not

as accurate as 'statement' and should only be used to describe code-lines in the

file.

Starting out with the translation into .dot, the fact that a data structure was needed became quite tangible. The concept of parsing the .smv into a data structure had been scrapped previously, and this became questioned. It is likely that the work for .dot-translation would have become easier if the data structure was already there from the translation to LTL. On the other hand, the structure could have been too different to be useful for .dot.

The data structure was created in a separate class from the SMVParser called DOTGenerator. Data for DOTGenerator was found from reading the ASSIGN parts of the code, finding initial states and putting all the other states in a HashMap (for more information on HashMap see [10]). Within the HashMap the key is the name of the state and the value is a nested HashMap containing the output variables different values in the state. Transitions between states were added in a HashMap where the key was the name of the current state, and the value was a nested HashMap in which the key was the next state and the value the label that the transition would have. (see fig. 4.1) Extracting the .dot file from this structure was quite trivial.

Figure 4.1) the data structure for states and their transitions within DOTGenerator

The program was made to create the .dot file, along with the rendition of a .jpg image file that displayed the .dot file, into the directory where the input file was from. The .jpg file was rendered by the program by sending the .dot file to dot – a program in GraphViz (for more information on GraphViz see [11]). The generation of a .jpg, done from the front-end, was later scrapped due to issues with compatibility between operating systems.

After some work with parsing .smv, there seemed to be some rules that should

have been in place. For example, the program became increasingly simplified

when sections in the .smv file were separated by empty lines. Also, reading

Boolean variables as variables with two scalar values TRUE and FALSE

increased simplicity. There seemed to be no immediate effect of this change in the translation and the decision to exclude boolean variables were made.

In the process of creating .smv and while creating transitional rules, the programmer might save time writing predicates by writing more broadly covering rules at the end of the switch case-list. These will often, but not always, lead to self loops (the next state is the current state.) Creating the LTL for these situations requires finding the predicates which are relevant for this rule and that ensure cases are precise enough. Relevant predicates include predicates that handle the same variable. The algorithm for searching for the variables were not easy with the data structure that existed at the time. This pointed to the fact that a well made data structure was a good idea from the beginning.

Finding these relevant predicates will result in grabbing many Boolean expressions that are either duplicates or unnecessary. This was initially a problem as the final generated LTL formula was gritty and did not feel authentic. The grittiness was resolved by simply removing duplicates from the final set of expressions. Further evaluations to increase effectiveness has not been attempted for this problem.

In the final stages, just when the program was being prepared for the test case, a major flaw was discovered in the way that states was handled. States are not recognized by LBTest as their names and can therefore not be identified with names in the LTL. A representation of the state in the form of all the variables current values in that state must be used. At this point in the development, there was no such handling in the code and work on this was started immediately.

In order to keep track of the states different representations, another nested

HashMap for the states was introduced in SMVParser in which the keys were

state names, and the keys' values an ArrayList of the variables values in the

corresponding state. The values of the state names were only used as keys in

the HashMap in order to navigate it from within SMVParser. As the predicates were read into the list, being prepared for LTL, they still contained the state names. Only after every transition rule from the .smv was read into the list of predicates, the state names were changed into their representations.

A diagram of the finished front-end is pictured in figure 4.2 below.

Figure 4.2) the structure of the front end; showing files opened from, and saved to, disk and how the Java classes are organized within eachother

5 Case Study: Cruise controller

This case study is made to get insight into how this front-end performs as part of a test run in LBTest. The SUT is a Java implementation of a car's cruise controller and was provided by Karl Meinke.

A specification is usually modeled in .smv and ran through the front-end before being imported to LBTest. In this case study, the specification is reverse-engineered from LBTest's learned model of the SUT.

A quick hypothesis is that the test should return with a passing grade if the translation works.

5.1 System Under Test

The system that is tested is a model of a cruise controller which controls a car's cruising speed and ensures that a certain speed is kept and that the control is disengaged when the brake is applied. A picture of the model is rendered from .dot which is extracted from the specification .smv file. This picture comprises Appendix A.

5.2 LBTest

LBTest opens a configuration file containing information about the system it is being executed upon, such as the location of NuSMV on the system. This is used to call NuSMV from within LBTest in order to model check the learned model against the specification. Information about the SUT and which variables are in it is also included as well as the translated model specification in LTL. The parts of the configuration file which concerns this case study, including the translated LTL, is found in appendix B.

For each different test case, certain fields in the configuration file must be edited. These fields include output_types and output_values which contain the names of the different output variables as well as all their possible values.

Translations for the input values are needed as LBTest only handles character

data types for the input values, and every input variable value in the specification must therefore have a character assigned to it.

After the configuration file is read by the program, the test is started.

During the testing, five iterations are made in which LBTest learns more about the software in each iterations (see fig. 5.1). In each iteration, the learned model will be model checked against the specification in NuSMV. This means that if there are errors, the testing can be halted at an early stage.

5.3 Verdict

Finishing the five iterations took as long as 2 minutes 53 seconds (173895 milliseconds(row 5, column 7 in fig 5.1)), at a hypothesis size of 20, even though the SUT was very small. This could be explained by the fact that the specification was reverse-engineered and not made by a “smart” human since a human might construct the model in more concise and efficient way.

Having a good design in the model specification will drastically reduce the size of the LTL and therefore reduce the amount of processing needed each time model checking is done on the learned model.

Fig 5.1) a screenshot of the result section of LBTest when the testing was finished.

All the tests returns with a passing grade (rightmost column) and thus the SUT is conforming to the generated specification.

5.4 Discussion

Considering the result of the test was positive, one must ask the question; is

there any way this result might be erroneous or otherwise misleading? The

fact that the model was computer generated does not fully prove that the translation works in all cases. It only indicates that translations can be done.

More proofs in which the SUT is slightly erroneous which all fail their tests would work towards a more complete proof of that the translation is correct and they would reversely serve as counter proofs should they return with a passing verdict. Just like with conformance testing, this case study can only prove the presence of faults in the translation not the absence of them.

The most important thing to conclude from this case study is that the front-

end took a model specification in .smv, translated it into something LBTest

understood and assisted in the conformance test of a system.

6 Evaluation and Discussion

6.1 Functionality

The purpose of the front-end is to achieve correct LTL translation from .smv files. Therefore, the front-end must have sufficient functionality to achieve this.

6.1.1 Included Functionality

Input and output variables as well as states are included in order to evaluate relational rules within the LTL and the parsing of the switch-statements.

As described in chapter 4, the states need a representation in order to be used in the LTL for LBTest but not for the creation of a .dot file. Therefore, a slight difference exists between the two.

The switch-statements found in transitional rules for states and output variables under the ASSIGN section in .smv is the basic building stone for having a state machine built in the .smv. The front-end reads these switch- cases and negates preceding cases in order to simulate the sequential behaviour of switch-case.

The front-end opens .smv files as input and writes two files as output. One .smv file which contains the LTL specification and one .dot file which can be used to graphically display the model.

6.1.2 Excluded Functionality

Boolean type variables are excluded as they were very difficult to implement in

the short time of this project. Therefore, variables with the desired

functionality of a boolean variable can simply use a scalar variable with the

value set {TRUE, FALSE} or other similar words in order to emulate this

behaviour.

The rendition of a .jpg image file would have been a great way to instantly tell the user what was interpreted from the file. This would have given the user a sense whether the model was working as intended. Unfortunately, this was not reasonably achieved due to the fact that launching the GraphViz program dot from within the front-end worked on some platforms but not all. There is most likely a way to achieve this by inputting environment variables as settings in the front-end but the work required to implement this or another method did not outweigh the little time it actually takes to do it manually.

When beginning to make translations into LTL, an object model data structure was created which was very broad and made for expansion. The objects were fine grained and did not contain many variables or methods each. This approach lead to a very clunky program and since the translation could be made with an easier method, the object model was put on ice. Having a data structure of the parsed .smv proved useful after the work on translating into .dot began. It was then that the relations between states and variable values in the states started to matter in another way. However, the old object model was not reactivated in SMVParser but was replaced by a more simple structure:

three nested HashMaps. One each for output variables, input variables and states representations. Each with their own list of information about these variables and states.

6.2 Further Development

Increasing the functionality of the parsing from .smv would have a great effect in the way .smv can be used to create specifications. Specifications can potentially become very advanced and models made in .smv could then be forced to use the more advanced tools within NuSMV, such as modules (functions) and assignments (variable transitions) with multiple values.

Without the functionality of translating these type of tools, the front-end would not work for the specification in question.

The program could most likely have gained performance from having a single

data structure (parse tree), used both for LTL and .dot translation, and it

seems unlikely that this would have a negative effect on functionality. Using proper parsing techniques such as a top down parsing algorithm used from the beginning for building the parse tree.

The program could benefit from certain self tests before terminating and presenting a result, e.g. running NuSMV on the target .smv with the translated LTL specification and verifying that it conforms to itself.

More extensive studies of NuSMV usage could be very useful in combination with this type of project. There might be scenarios when the intended model could be easily converted into LTL while NuSMV complicates this matter.

6.3 Conclusion

The created front-end can read and parse an .smv file and, from it, parse the relevant information in order to create a .dot file and an LTL formula. The .dot file can then be used to manually create a visual representation of the model built in the .smv. The LTL formula can be used in the program LBTest in order to conformance test a system.

The possibility to create a fully functional front-end for LBTest in order to achieve conformance testing seems very plausible after this projects end.

In order to create a valid front-end for LBTest, the entire NuSMV functionality

should be included. This means far more work than was given for this project

to rigorously implement this, in addition to whatever useful information can

be extracted from this project.

References

1. Muddassar Azam Sindhu, (2013). Doctoral Thesis - Algorithms and Tools for Learning-based Testing of Reactive Systems

2. Alfred Aho and Jeffrey Ullman (1994). Pg. 530 Foundations of Computer Science http://i.stanford.edu/~ullman/focs/ch10.pdf

3. C. Meinel and T. Theobald (1998). Ch. 4.4 Algorithms and Data Structures in VLSI-Design: OBDD – Foundations and Applications http://www.hpi.uni-potsdam.de/fileadmin/hpi/FG_ITS/books/OBDD- Book.pdf

4. NuSMV 2.5 User Manual (2010).

http://nusmv.fbk.eu/NuSMV/userman/v220125/nusmv.pdf

5. Edmund M. Clarke, Orna Grumberg and Doron A. Peled (1999). Pg.

xiii Model Checking

6. Angelo Gargantini (2005). Ch 4, Model-Based Testing of Reactive Systems – Advanced Lectures

7. Saswat Anand et. al., (20xx), An Orchestrated Survey on Automated Software Test Case Generation, Antonia Bertolino, J. Jenny Li and Hong Zhu (Editor/Orchestrators), Journal of Systems and Software x(y), xxCyy

8. Amir Pnueli (1977). The Temporal Logic of Programs, 18th Annual Symposium on Foundations of Computer Science, Sept. 1977

9. A. P. Sistla and E. M. Clarke (1985). Pg. 1 The Complexity of Propositional Linear Temporal Logics

10. Oracle JDK 7 and JRE 7 Certified System Configurations http://www.oracle.com/technetwork/java/javase/config-417990.html

11. Oracle. Java Class HashMap

http://docs.oracle.com/javase/7/docs/api/java/util/HashMap.html 12. GraphViz Graph Visualization Software http://www.graphviz.org/

13. NetBeans Documentation, Training and Support https://netbeans.org/kb/index.html

14. Git Documentation http://git-scm.com/docs

Appendix A

The Car Controller Model

Appendix B

The Car Controller Configuration File

vectorlength = 3;

learner = ikldepth;

output_types = [mode, speed, button];

output_values = {manual:mode, two:speed, one:speed, off:button, disengaged:mode, on:button, zero:speed, zero:mode, cruise:mode};

expno = 1;

hypotheses = 20;

determinism = yes;

stepexecution = no;

time = 1;

str1 = java;

str2 = -jar;

str3 = cruiseController.jar;

inputs = {a=acc, b=brake, d=dec, g=gas, s=switch};

ltlspecs = {[req1, G(

((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)& input = gas -> X( (mode

!= manual & mode != cruise & speed != two & speed != one & button !=

off & button != on)))

&((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)& input = dec & !( input

= gas ) -> X( (mode != manual & speed != one & speed != zero & button

!= off & button != on)))

&((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)& input = brake & ! ( input = gas ) & !( input = dec ) -> X( (mode != manual & speed !=

one & speed != zero & button != off & button != on)))

&((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)& input = switch & ! ( input = gas ) & !( input = dec ) & !( input = brake ) -> X( (mode !

= disengaged & mode != cruise & mode != manual & speed != two & speed

!= one & speed != zero & button != on & button != off)))

&((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)& input = acc & !( input

= gas ) & !( input = dec ) & !( input = brake ) & !( input = switch ) -> X( (mode != manual & mode != cruise & speed != two & speed != one

& button != off & button != on)))

&((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)& input = gas & !((mode != manual & mode

!= cruise & speed != two & speed != zero & speed != one & button !=

off & button != on)) & !( input = dec ) & !( !( input = gas ) ) & ! ( input = brake ) & !( input = switch ) & !( input = acc ) ->

X( (mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & speed != zero & button != on & button != off)))

&((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)& input = dec & !((mode != manual & mode

!= cruise & speed != two & speed != zero & speed != one & button !=

off & button != on)) & !( input = gas ) & !( !( input = gas ) ) & ! ( input = brake ) & !( !( input = dec ) ) & !( input = switch ) & ! ( input = acc ) & !( !( input = acc ) ) -> X( (mode != cruise &

mode != manual & speed != one & speed != zero & button != on & button

!= off)))

&((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)& input = brake & !((mode != manual &

mode != cruise & speed != two & speed != zero & speed != one & button

!= off & button != on)) & !( input = gas ) & !( input = dec ) & !( !(

input = dec ) ) & !( input = switch ) & !( !( input = brake ) ) & ! ( input = acc ) & !( !( !( input = gas ) ) ) & !( !( !( input = acc ) ) ) -> X( (mode != cruise & mode != manual & speed != one & speed !=

zero & button != on & button != off)))

&((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)& input = switch & !((mode != manual &

mode != cruise & speed != two & speed != zero & speed != one & button

!= off & button != on)) & !( input = gas ) & !( input = dec ) & ! ( input = brake ) & !( !( input = brake ) ) & !( input = acc ) & !( ! ( input = switch ) ) & !( !( !( input = gas ) ) ) & !( !( !( input = dec ) ) ) & !( !( !( input = acc ) ) ) & !( !( !( !( input =

acc ) ) ) ) -> X( (mode != manual & speed != one & speed != zero &

button != off & button != on)))

&((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)& input = acc & !((mode != manual & mode

!= cruise & speed != two & speed != zero & speed != one & button !=

off & button != on)) & !( input = gas ) & !( input = dec ) & !( input

= brake ) & !( input = switch ) & !( !( input = switch ) ) & !( !( !(

input = gas ) ) ) & !( !( input = acc ) ) & !( !( !( input = dec ) ) ) & !( !( !( input = brake ) ) ) & !( !( !( !( input = acc ) ) ) ) & !( !( !( !( !( input = acc ) ) ) ) ) -> X( (mode !=

disengaged & mode != cruise & mode != manual & speed != two & speed !

= one & speed != zero & button != on & button != off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)& input = gas & ! ((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)) & !( input = dec ) & !(

!( input = gas ) ) & !( input = brake ) & !( input = switch ) & ! ( input = acc ) & !((mode != cruise & mode != manual & speed != one &

speed != zero & button != on & button != off)) & !( !( !( input = dec ) ) ) & !( !( !( input = acc ) ) ) & !( !( !( input = brake ) ) ) & !

( !( !( !( input = gas ) ) ) ) & !( !( !( input = switch ) ) ) & !( ! ( !( !( !( input = acc ) ) ) ) ) & !( !( !( !( !( !( input =

acc ) ) ) ) ) ) -> X( (mode != disengaged & mode != cruise & mode !=

manual & speed != two & speed != one & button != on & button !=

off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)& input = dec & ! ((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)) & !( input = gas ) & !(

!( input = gas ) ) & !( input = brake ) & !( !( input = dec ) ) & ! ( input = switch ) & !( input = acc ) & !((mode != cruise & mode !=

manual & speed != one & speed != zero & button != on & button !=

off)) & !( !( !( input = acc ) ) ) & !( !( !( input = brake ) ) ) & ! ( !( !( !( input = gas ) ) ) ) & !( !( !( input = switch ) ) ) & !( ! ( !( !( input = dec ) ) ) ) & !( !( !( !( !( input = acc ) ) ) ) )

& !( !( !( !( !( !( input = acc ) ) ) ) ) ) & !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) -> X( (mode != disengaged & mode !=

cruise & mode != manual & speed != two & speed != one & button != on

& button != off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)& input = brake & ! ((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)) & !( input = gas ) & !(

input = dec ) & !( !( input = dec ) ) & !( input = switch ) & !( ! ( input = brake ) ) & !( input = acc ) & !((mode != cruise & mode !=

manual & speed != one & speed != zero & button != on & button !=

off)) & !( !( !( input = gas ) ) ) & !( !( !( input = acc ) ) ) & ! ( !( !( !( input = acc ) ) ) ) & !( !( !( input = switch ) ) ) & !( ! ( !( !( input = dec ) ) ) ) & !( !( !( !( input = brake ) ) ) ) & ! ( !( !( !( !( !( input = acc ) ) ) ) ) ) & !( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) -> X(

(mode != disengaged & mode != cruise & mode != manual & speed != two

& speed != one & speed != zero & button != on & button != off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)& input = switch

& !((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)) & !( input = gas ) & !(

input = dec ) & !( input = brake ) & !( !( input = brake ) ) & ! ( input = acc ) & !( !( input = switch ) ) & !((mode != cruise & mode

!= manual & speed != one & speed != zero & button != on & button !=

off)) & !( !( !( input = gas ) ) ) & !( !( !( input = dec ) ) ) & ! ( !( !( input = acc ) ) ) & !( !( !( !( input = acc ) ) ) ) & !( !( ! ( !( !( input = acc ) ) ) ) ) & !( !( !( !( input = brake ) ) ) ) & ! ( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( !( input =

switch ) ) ) ) & !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) & ! ( !( !( !( !( input = dec ) ) ) ) ) & !( !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) ) -> X( (mode != manual & mode !=

cruise & speed != two & speed != one & button != off & button !=

on)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)& input = acc & ! ((mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)) & !( input = gas ) & !(

input = dec ) & !( input = brake ) & !( input = switch ) & !( !

( input = switch ) ) & !((mode != cruise & mode != manual & speed !=

one & speed != zero & button != on & button != off)) & !( !( !( input

= gas ) ) ) & !( !( input = acc ) ) & !( !( !( input = dec ) ) ) & !(

!( !( input = brake ) ) ) & !( !( !( !( input = acc ) ) ) ) & !( !( ! ( !( !( input = acc ) ) ) ) ) & !( !( !( !( !( !( input = acc ) ) ) ) ) ) & !( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( !( input = switch ) ) ) ) & !( !( !( !( !( input = dec ) ) ) ) ) & !( !( !( !( ! ( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( !( input = brake ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) -> X( (mode != disengaged & mode != cruise & mode != manual &

speed != two & speed != one & button != on & button != off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & speed != zero & button != on & button != off)&

input = gas & !((mode != manual & mode != cruise & speed != two &

speed != zero & speed != one & button != off & button != on)) & ! ( input = dec ) & !( !( input = gas ) ) & !( input = brake ) & ! ( input = switch ) & !( input = acc ) & !((mode != cruise & mode !=

manual & speed != one & speed != zero & button != on & button !=

off)) & !( !( !( input = dec ) ) ) & !( !( !( input = acc ) ) ) & ! ( !( !( input = brake ) ) ) & !( !( !( !( input = gas ) ) ) ) & !( !(

!( input = switch ) ) ) & !( !( !( !( !( input = acc ) ) ) ) ) & !( ! ( !( !( !( !( input = acc ) ) ) ) ) ) & !((mode != disengaged &

mode != cruise & mode != manual & speed != two & speed != one &

button != on & button != off)) & !( !( !( !( !( input = dec ) ) ) ) )

& !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( ! ( input = brake ) ) ) ) ) & !( !( !( !( !( !( input = gas ) ) ) ) ) )

& !( !( !( !( !( input = switch ) ) ) ) ) & !( !( !( !( !( !( !( !( ! ( !( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( ! ( !( input = acc ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != disengaged &

mode != cruise & mode != manual & speed != two & speed != one &

button != on & button != off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & speed != zero & button != on & button != off)&

input = dec & !((mode != manual & mode != cruise & speed != two &

speed != zero & speed != one & button != off & button != on)) & ! ( input = gas ) & !( !( input = gas ) ) & !( input = brake ) & !( ! ( input = dec ) ) & !( input = switch ) & !( input = acc ) & ! ((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)) & !( !( !( input = acc ) ) ) & !( !( ! ( input = brake ) ) ) & !( !( !( !( input = gas ) ) ) ) & !( !( ! ( input = switch ) ) ) & !( !( !( !( input = dec ) ) ) ) & !( !( !( ! ( !( input = acc ) ) ) ) ) & !( !( !( !( !( !( input =

acc ) ) ) ) ) ) & !((mode != disengaged & mode != cruise & mode !=

manual & speed != two & speed != one & button != on & button != off))

& !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( ! ( input = brake ) ) ) ) ) & !( !( !( !( !( !( input = gas ) ) ) ) ) )

& !( !( !( !( !( input = switch ) ) ) ) ) & !( !( !( !( !( !( input = dec ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( input

= acc ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != disengaged & mode !=

cruise & mode != manual & speed != two & speed != one & speed != zero

& button != on & button != off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & speed != zero & button != on & button != off)&

input = brake & !((mode != manual & mode != cruise & speed != two &

speed != zero & speed != one & button != off & button != on)) & !

( input = gas ) & !( input = dec ) & !( !( input = dec ) ) & !( input

= switch ) & !( !( input = brake ) ) & !( input = acc ) & !((mode !=

cruise & mode != manual & speed != one & speed != zero & button != on

& button != off)) & !( !( !( input = gas ) ) ) & !( !( !( input = acc ) ) ) & !( !( !( !( input = acc ) ) ) ) & !( !( !( input = switch ) ) ) & !( !( !( !( input = dec ) ) ) ) & !( !( !( !( input = brake ) ) ) ) & !( !( !( !( !( !( input = acc ) ) ) ) ) ) & !((mode != disengaged

& mode != cruise & mode != manual & speed != two & speed != one &

button != on & button != off)) & !( !( !( !( !( input = gas ) ) ) ) )

& !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( ! ( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) & !( !( !( !( !( input = switch ) ) ) ) ) & !( !( !( !( !( !( input = dec ) ) ) ) ) ) & !( ! ( !( !( !( !( input = brake ) ) ) ) ) ) & !( !( !( !( !( !( !( !( ! ( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( ! ( input = gas ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != cruise &

mode != manual & speed != one & speed != zero & button != on & button

!= off)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & speed != zero & button != on & button != off)&

input = switch & !((mode != manual & mode != cruise & speed != two &

speed != zero & speed != one & button != off & button != on)) & ! ( input = gas ) & !( input = dec ) & !( input = brake ) & !( !( input

= brake ) ) & !( input = acc ) & !( !( input = switch ) ) & !((mode !

= cruise & mode != manual & speed != one & speed != zero & button !=

on & button != off)) & !( !( !( input = gas ) ) ) & !( !( !( input = dec ) ) ) & !( !( !( input = acc ) ) ) & !( !( !( !( input =

acc ) ) ) ) & !( !( !( !( !( input = acc ) ) ) ) ) & !( !( !( ! ( input = brake ) ) ) ) & !((mode != disengaged & mode != cruise &

mode != manual & speed != two & speed != one & button != on &

button != off)) & !( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( ! ( input = switch ) ) ) ) & !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) & !( !( !( !( !( input = dec ) ) ) ) ) & !( !( !( !( !( !( !( ! ( !( input = acc ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( input = brake ) ) ) ) ) ) & !( !( !( !( !( !( !( input = gas ) ) ) ) ) ) ) & !( !( !(

!( !( !( input = switch ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( ! ( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( input

= dec ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( !( input

= acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != manual & mode !=

cruise & speed != two & speed != zero & speed != one & button != off

& button != on)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & speed != zero & button != on & button != off)&

input = acc & !((mode != manual & mode != cruise & speed != two &

speed != zero & speed != one & button != off & button != on)) & ! ( input = gas ) & !( input = dec ) & !( input = brake ) & !( input = switch ) & !( !( input = switch ) ) & !((mode != cruise & mode !=

manual & speed != one & speed != zero & button != on & button !=

off)) & !( !( !( input = gas ) ) ) & !( !( input = acc ) ) & !( !( !(

input = dec ) ) ) & !( !( !( input = brake ) ) ) & !( !( !( !( input

= acc ) ) ) ) & !( !( !( !( !( input = acc ) ) ) ) ) & !( !( !( !( !(

!( input = acc ) ) ) ) ) ) & !((mode != disengaged & mode != cruise &

mode != manual & speed != two & speed != one & button != on &

button != off)) & !( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( ! ( input = switch ) ) ) ) & !( !( !( !( !( input = dec ) ) ) ) ) & ! ( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( !

( input = brake ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( input =

gas ) ) ) ) ) ) ) & !( !( !( !( !( !( input = switch ) ) ) ) ) ) & !(

!( !( !( !( !( !( input = dec ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !(

!( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !(

!( !( input = brake ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( ! ( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode !

= disengaged & mode != cruise & mode != manual & speed != two & speed

!= one & speed != zero & button != on & button != off)))

&((mode != manual & mode != cruise & speed != two & speed != one &

button != off & button != on)& input = gas & !((mode != manual & mode

!= cruise & speed != two & speed != zero & speed != one & button !=

off & button != on)) & !( input = dec ) & !( !( input = gas ) ) & ! ( input = brake ) & !( input = switch ) & !( input = acc ) & ! ((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)) & !( !( !( input = dec ) ) ) & !( !( ! ( input = acc ) ) ) & !( !( !( input = brake ) ) ) & !( !( !( !

( input = gas ) ) ) ) & !( !( !( input = switch ) ) ) & !( !( !( !( ! ( input = acc ) ) ) ) ) & !( !( !( !( !( !( input = acc ) ) ) ) ) ) &

!((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)) & !( !( !( !( ! ( input = dec ) ) ) ) ) & !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( !( input = brake ) ) ) ) ) & !( !( !( !( !( ! ( input = gas ) ) ) ) ) ) & !( !( !( !( !( input = switch ) ) ) ) ) &

!( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) & !( !(

!( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) & ! ((mode != disengaged & mode != cruise & mode != manual & speed != two

& speed != one & speed != zero & button != on & button != off)) & ! ( !( !( !( !( !( !( input = dec ) ) ) ) ) ) ) & !( !( !( !( !( !( ! ( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( ! ( !( !( !( !( input = brake ) ) ) ) ) ) ) & !( !( !( !( !( !( !( ! ( input = gas ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( input = switch ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( ! ( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ->

X( (mode != manual & mode != cruise & speed != two & speed != one &

button != off & button != on)))

&((mode != manual & mode != cruise & speed != two & speed != one &

button != off & button != on)& input = dec & !((mode != manual & mode

!= cruise & speed != two & speed != zero & speed != one & button !=

off & button != on)) & !( input = gas ) & !( !( input = gas ) ) & ! ( input = brake ) & !( !( input = dec ) ) & !( input = switch ) & ! ( input = acc ) & !((mode != cruise & mode != manual & speed != one &

speed != zero & button != on & button != off)) & !( !( !( input = acc ) ) ) & !( !( !( input = brake ) ) ) & !( !( !( !( input =

gas ) ) ) ) & !( !( !( input = switch ) ) ) & !( !( !( !( input = dec ) ) ) ) & !( !( !( !( !( input = acc ) ) ) ) ) & !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) & !((mode != disengaged & mode != cruise &

mode != manual & speed != two & speed != one & button != on &

button != off)) & !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) )

& !( !( !( !( !( input = brake ) ) ) ) ) & !( !( !( !( !( !( input = gas ) ) ) ) ) ) & !( !( !( !( !( input = switch ) ) ) ) ) & !( !( ! ( !( !( !( input = dec ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) ) ) ) & !((mode != disengaged & mode !=

cruise & mode != manual & speed != two & speed != one & speed != zero

& button != on & button != off)) & !( !( !( !( !( !( !( !( !( !( !( ! ( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( ! ( input = brake ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( input = gas ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( input = switch ) ) ) ) ) ) ) & ! ( !( !( !( !( !( !( !( input = dec ) ) ) ) ) ) ) ) & !( !( !( !( !( ! ( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( ! ( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( ! ( !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != manual & mode !=

cruise & speed != two & speed != zero & speed != one & button != off

& button != on)))

&((mode != manual & mode != cruise & speed != two & speed != one &

button != off & button != on)& input = brake & !((mode != manual &

mode != cruise & speed != two & speed != zero & speed != one & button

!= off & button != on)) & !( input = gas ) & !( input = dec ) & !( !(

input = dec ) ) & !( input = switch ) & !( !( input = brake ) ) & ! ( input = acc ) & !((mode != cruise & mode != manual & speed != one &

speed != zero & button != on & button != off)) & !( !( !( input = gas ) ) ) & !( !( !( input = acc ) ) ) & !( !( !( !( input = acc ) ) ) )

& !( !( !( input = switch ) ) ) & !( !( !( !( input = dec ) ) ) ) & ! ( !( !( !( input = brake ) ) ) ) & !( !( !( !( !( !( input =

acc ) ) ) ) ) ) & !((mode != disengaged & mode != cruise & mode !=

manual & speed != two & speed != one & button != on & button != off))

& !( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) & !( !( !( !( !( input = switch ) ) ) ) ) & ! ( !( !( !( !( !( input = dec ) ) ) ) ) ) & !( !( !( !( !( !( input = brake ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) & !((mode != disengaged & mode != cruise &

mode != manual & speed != two & speed != one & speed != zero & button

!= on & button != off)) & !( !( !( !( !( !( !( input =

gas ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( ! ( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( ! ( input = switch ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( input = dec ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( input = brake ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( input = gas ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( !( ! ( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ->

X( (mode != manual & mode != cruise & speed != two & speed != zero &

speed != one & button != off & button != on)))

&((mode != manual & mode != cruise & speed != two & speed != one &

button != off & button != on)& input = switch & !((mode != manual &

mode != cruise & speed != two & speed != zero & speed != one & button

!= off & button != on)) & !( input = gas ) & !( input = dec ) & ! ( input = brake ) & !( !( input = brake ) ) & !( input = acc ) & !( ! ( input = switch ) ) & !((mode != cruise & mode != manual & speed !=

one & speed != zero & button != on & button != off)) & !( !( !( input

= gas ) ) ) & !( !( !( input = dec ) ) ) & !( !( !( input = acc ) ) )

& !( !( !( !( input = acc ) ) ) ) & !( !( !( !( !( input = acc ) ) ) ) ) & !( !( !( !( input = brake ) ) ) ) & !((mode !=

disengaged & mode != cruise & mode != manual & speed != two & speed !

= one & button != on & button != off)) & !( !( !( !( !( input = gas ) ) ) ) ) & !( !( !( !( input = switch ) ) ) ) & !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) & !( !( !( !( !( input = dec ) ) ) ) )

& !( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) & !( !( !(

!( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !(

!( input = brake ) ) ) ) ) ) & !((mode != disengaged & mode != cruise

& mode != manual & speed != two & speed != one & speed != zero &

button != on & button != off)) & !( !( !( !( !( !( !( input = gas ) ) ) ) ) ) ) & !( !( !( !( !( !( input = switch ) ) ) ) ) ) & !( !( !( ! ( !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) & !( !(

!( !( !( !( !( input = dec ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !(

!( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( ! ( !( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( input = brake ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( input =

gas ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( input =

switch ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( !( !(

!( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( ! ( !( !( !( !( input = dec ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !(

!( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != disengaged &

mode != cruise & mode != manual & speed != two & speed != one &

button != on & button != off)))

&((mode != manual & mode != cruise & speed != two & speed != one &

button != off & button != on)& input = acc & !((mode != manual & mode

!= cruise & speed != two & speed != zero & speed != one & button !=

off & button != on)) & !( input = gas ) & !( input = dec ) & !( input

= brake ) & !( input = switch ) & !( !( input = switch ) ) & ! ((mode != cruise & mode != manual & speed != one & speed != zero &

button != on & button != off)) & !( !( !( input = gas ) ) ) & !( ! ( input = acc ) ) & !( !( !( input = dec ) ) ) & !( !( !( input = brake ) ) ) & !( !( !( !( input = acc ) ) ) ) & !( !( !( !( !( input

= acc ) ) ) ) ) & !( !( !( !( !( !( input = acc ) ) ) ) ) ) & !((mode

!= disengaged & mode != cruise & mode != manual & speed != two &

speed != one & button != on & button != off)) & !( !( !( !( !( input

= gas ) ) ) ) ) & !( !( !( !( input = switch ) ) ) ) & !( !( !( !( !(

input = dec ) ) ) ) ) & !( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) & !( !( !( !( !( input = brake ) ) ) ) ) & !( !( !( !( !( !( !(

!( !( !( input = acc ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !(

!( !( input = acc ) ) ) ) ) ) ) ) ) ) ) & !((mode != disengaged &

mode != cruise & mode != manual & speed != two & speed != one & speed

!= zero & button != on & button != off)) & !( !( !( !( !( !( !( input

= gas ) ) ) ) ) ) ) & !( !( !( !( !( !( input = switch ) ) ) ) ) )

& !( !( !( !( !( !( !( input = dec ) ) ) ) ) ) ) & !( !( !( !( !( ! ( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) & !( ! ( !( !( !( !( !( input = brake ) ) ) ) ) ) ) & !( !( !( !( !( !( !( ! ( !( !( !( !( !( !( !( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !(

!( !( !( !( !( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( ! ( input = gas ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( input = switch ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( input = dec ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( !( ! ( input = acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !(

!( !( !( input = brake ) ) ) ) ) ) ) ) ) & !( !( !( !( !( !( !( !( !(

!( !( !( !( !( !( !( !( !( !( !( input =

acc ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) -> X( (mode != manual &

mode != cruise & speed != two & speed != one & button != off & button

!= on)))

&((mode != disengaged & mode != cruise & mode != manual & speed !=

two & speed != one & button != on & button != off)& input = gas & !