// Hello!

  bool flags[2];

  byte victim = 255;

  // ghosts
  bool incs[2];

  active [2] proctype a_process() {
    restart:
    do
         //-flags[1 - _pid]; ???

     :: goto restart;

      ::

      flags[_pid] = 1;
      victim = _pid;

      flags[1 - _pid] == 0 || victim != _pid;

      incs[_pid] = 1;
      // do something
      printf("in cs: %d", _pid);
      assert(incs[1 - _pid] == 0);
      incs[_pid] = 0;

      flags[_pid] = 0;
    od;
  }


  ltl no_starvation {
    always (flags[0] -> eventually !flags[0])
    //&&
    //always (flags[1] -> eventually incs[1])
  }


  ltl fcfs {
    // This fails because "strong until" requires incs[0]
    // eventually, just like the old version of no_starvation
    // We made the same mistake we made before!
    //always (flags[0] && !flags[1] -> !incs[1] until incs[0])

    // This fails because the algorithm doesn't guarantee FCFS
    // unless victim + flag are set atomically.
    always (flags[0] && !flags[1] -> !incs[1] until !flags[0])
  }