MODULE sender(ack)
	VAR
		st       : {sending, sent};
		message1 : boolean;
		message2 : boolean;
	ASSIGN
		init(st) := sending;
		next(st) := 
			case
				ack = message2 & !(st = sent) : sent;
				1                              : sending;
			esac;
		next(message1) :=
			case
				st = sent : {0, 1};
				1         : message1;
			esac;
		next(message2) :=
			case
				st = sent : !message2;
				1         : message2;
			esac;
	FAIRNESS running
	SPEC AG AF st = sent   

MODULE receiver(message1, message2)
	VAR
		st       : {receiving, received};
		ack      : boolean;
		expected : boolean;
	ASSIGN
		init(st) := receiving;
		next(st) :=
			case
				message2 = expected & !(st = received) : received;
				1                                      : receiving;
			esac;
		next(ack) :=
			case
				st = received : message2;
				1             : ack;
			esac;
		next(expected) :=
			case
				st = received : !expected;
				1             : expected;
			esac;
	FAIRNESS running
	SPEC AG AF st = received
		
MODULE one-bit-chan(input)
	VAR
		output : boolean;
	ASSIGN
		next(output) := {input, output};
	FAIRNESS running
	FAIRNESS (input = 0 -> AF output = 0) & (input = 1 -> AF output = 1)

MODULE two-bit-chan(input1, input2)
	VAR
		output1 : boolean;
		output2 : boolean;
	ASSIGN
		next(output2) : = {input2, output2};
		next(output1) :=
			case
				input2 = next(output2) : input1;
				1                      : {input1, output1};
			esac;
	FAIRNESS running;
	FAIRNESS (input1 = 0 -> AF output1 = 0) & (input1 = 1 -> AF output1 = 1) & (input2 = 0 -> AF output2 = 0) & (input2 = 1 -> AF output2 = 1)
	

MODULE main
	VAR
		S : process sender(ack_chan.output);
		R : process receiver(msg_chan.output1, msg_chan.output2);
		msg_chan : process two-bit-chan(S.message1, S.message2);
		ack_chan : process one-bit-chan(R.ack);
	ASSIGN
		init(S.message2)        := 0;
		init(R.expected)        := 0;
		init(R.ack)             := 1;
		init(msg_chan.output2)  := 1;
		init(ack_chan.output)   := 1;
	
SPEC AG(S.st = sent & S.message1 = 1 -> msg_chan.output1 = 1)