Analysis and verification of the token-passing bus medium access control protocol via PAV / by Canbazoglu, Isil
Lehigh University
Lehigh Preserve
Theses and Dissertations
1988
Analysis and verification of the token-passing bus
medium access control protocol via PAV /
Isil Canbazoglu
Lehigh University
Follow this and additional works at: https://preserve.lehigh.edu/etd
Part of the Electrical and Computer Engineering Commons
This Thesis is brought to you for free and open access by Lehigh Preserve. It has been accepted for inclusion in Theses and Dissertations by an
authorized administrator of Lehigh Preserve. For more information, please contact preserve@lehigh.edu.
Recommended Citation
Canbazoglu, Isil, "Analysis and verification of the token-passing bus medium access control protocol via PAV /" (1988). Theses and
Dissertations. 4833.
https://preserve.lehigh.edu/etd/4833
ANALYSIS AND VERIFICATION OF 
THE TOKEN-PASSING BUS 
MEDIUM ACCESS CONTROL PROTOCOL VIA PAV 
\ 
by 
lsil Canbazoglu 
A Thesis 
Presented to the Graduate Committee 
of Lehigh University 
in candidacy for the degree of 
Master of Science in Electrical Engineering. 
Lehigh University 
1987 
' 
This thesis is accepted and approved in partial fulfillment of the require-
ments for the degree of Master of Science in Electrical Engineering. 
" 
Advisor in Charge 
Department Chairperson 
•• 
I) 
----- --·- - . -- -·-·· ···-- --------·· ---------·----------~--~··--------··-··· - -
I ··.'. 
Acknowledgments 
I would like to thank Krishan K. Sabnani, Aleta M. Lapone, and their 
department head N. F. Maxemchuk for providing the software package PAV 
and guiding us in its use. 
I ,vould also like to give my special thanks to Professor Richard Denton 
who always supported and directed me during my research. It has been a great 
pleasure to work with him as he was always available for help and exchanging 
ideas. 
I would also like to express my thanks to my colleagues Azhar lmtiyaz 
Khan and Chang Seop Park who helped me with the software and worked in 
harmony forming a good research team, and to Mona El Gayar and Cheryl 
Starratt who assisted me in writing my thesis and who were always there as 
friends. 
In addition, I would like to thank the most wonderful and closest people 
to me, my father, mother, brother and sister who were very supportive during 
my graduate study at Lehigh University. 
••• 
Ill 
\,~ 
• 
Abstract 
1. INTRODUCTION 
1.1 General 
Table of Contents 
1.2 Overview of the Thesis 
2. TOKEN-..PASSING BUS ACCESS SCHEME 
2.1 General 
2.2 Basic Operation 
2.3 Access Control Machine 
3. PROTOCOL ANALYZER AND VERIFIER 
1 
3 
3 
8 
10 
10 
13 
16 
26 
3.1 PAV and Its Usage 26 
3.2 Protocol Specification Language 30 
4. MODEL DESCRIPTION OF THE MEDIUM ACCESS CON- 33 
TROL PROTOCOL 
4.1 General Modeling Scheme 
4.2 Reductions Assumed 
4.3 Component FSMs 
4.3.1 Access Control Machine (ACM) 
4.3.2 Tirners 
4.3.3 Counters 
4.3.4 Comparison Machines, Claim Data Unit and NS 
4.3.5 Miscellaneous Variables 
4.3.6 Boolean Variables 
4.3.7 Other Machines 
5. ANALYSIS AND VERIFICATION VIA PAV 
5.1 Consequent Reduction 
6. CONCLUSIONS 
6.1 Results and ConclusionE 
References 
Appendix A. PSL Descriptions of the Component Processes 
Appendix B. Final Reduced Abstraction FSM 
Vita 
• 
IV 
.. 
33 
39 
44 
44 
45 
47 
48 
50 
51 
53 
57 
57 
70 
70 
74 
76 
97 
101 
List of Figures 
Figure 2-1: Data Link Layer and MAC Layer Functional Partition- 11 
• Ing 
Figure 2-2: Logical Ring on Physical Bus 14 
Figure 2-3: Access Control Machine FSM Diagram 17 
Figure 3-1: Formal J>rocess Description in PSL 32 
Figure 4-1: Two Interacting FSMs of the Protocol Model 36 
Figure 4-2: PSL Description of the Token Rot Timer in Figure 37 
4-1 
Figure 4-3: PSL Description of the Token Ho] Timer in Figure 38 
4-1 
Figure 5-1: Macl a Obtained by Cornbining the Machines in Figure 64 
4-1 
Figure 5-2: Method for Converting the Reduced Abstraction form to 67 
the Structural Abstraction form 
V 
List of Tables 
Table 4-1: Reductions in Constants 41 
Table 5-1: First Four Layer Reductions Applied on the First Half 62 
of the Component Processes 
Table 5-2: First Four Layer Reductions Applied on the Second Half 63 
of the Component Processes 
Table 5-3: Last Six Layer Reductions Applied to the Fourth Layer 65 
FSMs of the Analysis 
• 
VJ 
Abstract 
Analysis and verification of the IEEE Standard 802.4, token-passing bus 
medium access control protocol, by means of the Protocol Analyzer and Verifier 
(PAV) package, is presented in this thesis. The purpose is to show that it is 
possible to verify very large size protocols using a systematic approach along 
with PAV for machine verification. The token-passing bus protocol is chosen 
because it is a thoroughly tested and widely used protocol. The analysis shows 
that PAV is very useful for verification purposes, even for unusually large 
protocols. 
For analysis, the protocol is modeled initially as a set of interacting finite 
state machines (FSMs). The model contains forty_four component FSMs which 
include the Access Control, Receive, Transmit and Interface Machines. These 
machines are parts of the Medium Access Control sublayer defined in the stan-
, 
<lard. An additional thirty_ eight FSMs represent the various variables, counters, 
timers, and functions which Access Control Machine refers to during its opera-
tion. The component FSMs interact with each other using input/ output opera-
tions, in pairs. One being the sender of a message while the other is the 
. 
receiver. J 
After model for1nation is complete, the model is translated into the 
Protocol Specification Language which is used to code FSMs to be input to 
PAV. The model is then divided into groups. Each group contains a few com-
ponent FSMs with many common interactions, and is analyzed separately. The 
reason for splitting the protocol into groups is PA V's large memory requirement 
1 
-------------- - ----- ----~--
and the time required for analysis. The memory required increases with the 
nurnber and size of the input processes to be combined. In addition, PAV uses 
time consuming recursive algorithms during the entire composition process. 
The resultant machines obtained after the first layer reductions are 
grouped and analyzed again. The final output is reached by applying this sub-
sequent reduction procedure over and over to the resultant machines obtained at 
the end of each layer analysis. This final machine which is obtained after ten 
layer analysis reflects the behavior of the protocol with respect to the user 
processes, station management and physical layer, and verified by PAV to be 
free of deadlocks and livelocks. 
2 
-------------------
- -----------------·--·---~~----------------
1.1 General 
Chapter 1 
INTRODUCTION 
The computer industry is a rapidly growing technology in which the fields 
of data communications and data processing have merged, creating an overlap of 
the computer and communications industries. The result of this growth is an in-
creased capability for gathering, processing and distributing information with less 
cost and shorter processing time. As a consequence, the development and im-
plementation of computer networks with hundreds of users that transmit and 
process all types of data and information are ga1n1ng importance. Computer net-
works are replacing the centralized computer systems where all the work load is 
handled by a central processor that requires multiprogramming and time sharing 
by its users. 
With computer networks, it is possible to make all of the resource 
programs and data available for each user connected to a node on the network, 
without regard to the physical distances between them. Each user can exchange 
data with all the other stations of the network and inspect their status and 
operability, at any instant. Also, multiprogramming and time sharing, which 
are the most important and corr1plex issues for the centralized computer systems 
can be avoided in computer networks by involving some or all of the processors 
with specialized tasks, reducing the cost and software complexity associated with 
the large mainframes. In addition, the system performance can be gradually in-
creased by adding more processors as the work load increases. Computer net-
3 
--
works have more favorable price/performance ratios when compared with those 
of centralized systems, and are preferred for reliability reasons. Reliability is en-
hanced by the load sharing and distribution of tasks over many processors. If a 
link or a processor failure occurs somewhere in the network, it affects only a 
limited number of nodes, not the entire system. Therefore the network keeps 
operating in most cases while the problem is being solved. For all these reasons, 
local and wide area networks are very popular and organizations have been in-
vesting heavily in their development and implementation. 
The wide variety of applications of computer networks and the complexity 
of distributing the work load and controlling the operation of the entire system, 
lead to the formation of standard network protocols. These protocols provide 
procedures which guide implementors in handling network issues such as medium 
access control, routing of information and flow control, data compression and 
code conversion, etc.. It is important to note that each protocol may deal with 
one or a few of these tasks. As a consequence, each computer network may con-
tain several protocol implementations integrated together, but operated indepen-
dently of each other. This helps network designers, as the most complex design 
issues can be separated from each other. 
It is very important to integrate all forms of communications and make 
data and information easily and uniformly accessible worldwide. This introduces 
the necessity for standardization and requires standard protocols for network im-
plementations. Although the wide variety of applications of computer networks 
makes standardization a very difficult task, there are already many standard 
4 
------------------------------- --~·-·· ··-· - ··-· ··-
protocols that have been tested, verified and are being used in large nu1nbers in 
systems. 
Wide usage of computer networks and people's dependency on them, make 
it important to have robust and reliable protocol irr1plementations with precise 
definitions. Therefore, it is essential to have systematic protocol modeling and 
verification procedures since realistic protocols and the programs to implement 
them are generally very complicated. For this reason, many formal mathematical 
models of protocols have been formed, mostly in the past decade, so that they 
can be used in confirming the protocols to be true. Rusbridge and Langsford [ 1] 
used state transition matrices, whereas Bachmann and Sunshine [2, 3, 4] used 
finite state machines and Merlin [5, 6] and Danthine [7], Petri nets as their 
modeling tools. All of these mathematical models are different formulations of 
the same basic idea. Finite state machines (FSMs) seem to be a practical and 
popular tool in the modeling of large, complex protocols. This is because they 
are easy to form and code for computer applications, and it is possible to 
represent any " event and action " relationship simply by sequential state tran-
sitions. They also give the designer the flexibility of organizing his thinking in 
pictorial form while correcting and improving his design. 
The protocols being modeled have to be thoroughly tested and proven free 
from errors before they are implemented. That is, they have to be verified in 
order to provide reliability. A reliable protocol must be able to handle un-
specified message receptions without causing unpredictable behaviors and must 
be free of any deadlocks or livelocks. That means it must not get locked in a 
5 
( I 
single state or a set of states, within which it cannot make any progress to 
other states and therefore cannot perform any of the expected services. 
In the area of protocol verification, several techniques, programs, and 
methods have been used such as the duologue matrix approach, verification via 
projections or module integration, and verification using temporal logic. 
Zafiropulo [8] suggested the use of duologue matrix analysis for protocol valida-
tion and West [9, 10] extended the method and worked on its automation. 
Later Rudin, West and Zafiropulo [11] joined together to describe an automated 
protocol verification using a duologue matrix approach. Lam and Shankar [ 12] 
worked on protocol verification via projections, whereas II ail pern and Owicki [ 13] 
studied the modular verification of computer communication protocols. Lin [ 14] 
also studied the module integration method for protocol verification. Another ap-
proach was to use temporal logic in verification as done by Kurose and Yemini 
[15] for a connection establishment protocol. Sabnani and Schwartz [16] also 
used the same method for the validation of a multidestination protocol.Hajek 
[17, 18] worked on automatic verification of data transfer protocols and formed 
a program called Approver for syntactic validation purposes. Similarly Sabnani 
and Lapone [19] developed Protocol Analyzer and Verifier (PAV) which is the 
software package used in this thesis to illustrate the feasibility of machine 
verification even for very large size protocols using a systematic approach. For 
this purpose, PAV is used to analyze and verify a very large size and complex 
protocol in this thesis. This protocol is the token-passing bus rnedium access 
control protocol 802.4 [20] modeled as a collection of interacting finite state 
machines coded in the Protocol Specification Language (PSL) as required by 
PAV. 
6 
--·--- --------- ---·-------------
I 
I 
I 
\ 
\ 
There have been a few studies already completed on simulation or perfor-
mance analysis of the token bus protocol [20] by Chien [21], Pimentel [22], and 
Muralidhar and Pimentel [23]. Each of these three studies involves a simplified 
version of the token bus protocol defined in the IEEE Std. 802.4. Because a 
simplified version was analyzed in each case, all the functions of the protocol 
were not taken into account during those analyses. 
Work done in this thesis, is a syntactic verification of IEEE Std. 802.4 
token-passing bus medium access control protocol [21] by means of the Protocol 
Analyzer and Verifier (PAV) [ 19]. The reason for choosing token-passing bus 
protocol is that it is a widely used and tested protocol. The scope was to show 
that it is possible to verify very large size protocols using a systematic approach 
with machine verification. This was accomplished by proving via PAV that the 
protocol model is correct, free of any deadlocks or livelocks, and behaves consis-
tently. 
Unlike the other studies done on 802.4, the model formed in this study is 
not a smaller version of the medium access control protocol. In fact it includes 
all the states of access control machine described in the standard, and supports 
all the functions and the tasks required. The only reductions used during model-
ing are in the integer values of some protocol variables, in order to decrease the 
number and sizes of FSMs formed, for tirr1e efficiency and due to some restric-
tions in PAV which will be explained in Chapter 3. 
7 
[ 
'. 
1. 1. 2 Overview of the Thesis 
Work done in this thesis can be grouped into three basic parts : 
I. Modeling the 802.4 token bus medium access protocol as a group of 
interacting finite state machines, 
2. Translating the model into the Protocol Specification Language (PSL) 
as required by PAV, 
3. Analysis and verification of the model via PAV. 
The chapter ordering of the thesis, follows the order of the work done. 
The token-passing bus access method, PAV, and PSL are briefly introduced in 
Chapters 2 and 3, respectively. This helps in getting acquainted with the ter-
minology used in the later chapters and will clarify the flow of work. 
Chapter 4 gives the model description of the media access control protocol 
by describing each of the finite state machines formed and their relative inter-
actions. 
Chapter 5 describes the analysis and verification process of the protocol 
model using PAV. 
A discussion of the results and some conclusions are introduced in Chapter 
6. 
8 
,. 
t 
Appendix A contains the descriptions in the Protocol Specification Lan-
guage of the finite state machines introduced in Chapter 4. A formal description 
. 
of the Protocol Specification Language is given in the paper by Sabnani and 
Lapone [19]. 
The final reduced machine, obtained as a result of the verification process, 
is contained in Appendix B, in the output form given by PAV. 
9 
··- - . - . - -----·---··-- - -· - -- . -------- ----··---- - ------· ·
-·-···· 
) 
I 
/ 
I 
Chapter 2 
TOKEN-PASSING BUS ACCESS 
SCHEME 
2.1 General 
IEEE standard 802.4-1985 [20], is a member of a family of standards for 
Local Area Networks that refers to the physical and data ]ink layers as defined 
by the ISO Open System Interconnection Reference Model. The token-passing 
bus access protocol is part of this standard. 
The data link layer contains two sublayers, the Logical Link Control 
(LLC) and the Medium Access Control (MAC) layers as shown in Figure 2-1, 
on page 11. The token bus medium access control mechanism is provided by the 
MAC sublayer made up of Interface, Receive, Transmit, Regenerative Repeater, 
and Access Control Machines. 
Among these five machines which form the MAC sublayer, Access Control 
Machine (ACM) regulates the transmission access to the shared bus (the trans-
mission medium) by cooperating with the ACMs of all other stations on the bus 
in handling the token. It is the most important and complicated machine of all, 
being the main control mechanism for the token-bus access method. 
In the token-passing bus access method, token is a control frame which 
denotes the right of access to the physical medium. It is passed from station to 
station forming a logical ring and whichever station gets it has the temporary 
10 
---------------------- ----------
D 
A 
T 
A 
L 
I 
N 
K 
L 
A 
y 
E 
R 
I 
RECEIVE 
MACHINE 
(R*M) 
NETWORK LAYER 
LLC SUBLAYER 
MAC SUBLAYER 
INTERFACE MACHINE 
(IFM) 
ACCESS CONTROL 
MACHINE 
(ACM) 
TRANSMIT 
MACHINE 
(T*M) 
_! _______________ _ 
REGENERATIVE 
REPEATER MACHINE (RRM) 
(OPTIONAL) 
:.:.:i-.:-:1:-:.;· :.:::·:.:.:·:.:.:·:.:.:1:-:.:::.:.:::.:.:::.:.:·:.: .. ::.:.:::.: .. ·:.:.:1:.:.:1:.: .. r:.:1:=:.:1:.:::·:::.:=:::::·:.:::1:=:.:1:::::1:::::i-.::1··::::: 
.;·. , .. '' ..... : ..... : ... ·.i···=· .;.:,:··-·,-t,:,:-:-:•:•:,:,:,"t.;,:,:,·-:,:, •••. ,:.;, .·.··:·=·=· .......... : .......... ..= ..... •···· •.•.• •.•.• ., ····· 
•.•:• :-:• •.·.· -~·:·t·:-:-t•:•:· .. · •,· . ···•• ·.·%· ••••. ·.·%·.· ·•·.·.····· ·i·.·.· ·.•.· . •.• •.·.• ·.·.· •,•.·i·.·.·····-·t•.•,• •,•,• •.•.· •,•,• .• ·.·.· 
PHYSICAL LAYER 
I 
s 
T 
A 
T 
I 
0 
N 
M 
A 
N 
A 
G 
E 
M 
E 
N 
T 
Figure 2-1: Data Link Layer and MAC Layer Functional Partitioning 
11 
·---··· - .... - ..... ,., .. ....._ 
_______ _ 
... > 
right to transmit to the shared bus. This wa
y, the MAC sublayer provides con-
trolled sequential access of the stations to the
 medium by passing the control of 
the bus from one to another in a logically c
ircular fashion. The MAC sublayer 
determines that a station can transmit to t
he medium on recognizing and ac-
cepting the token from its predecessor station
, as wel1 as taking care of sending 
the token to its successor station after the al
1owed token-hold-time has elapsed. 
The token bus is a broadcast medium. Thus,
 when a station transmits, its 
signal is received by all the stations on the
 medium. Each transmission unit 
which is called a frame carries source, destin
ation addresses, frame control, and 
data units. Thus, each MAC layer is able to 
distinguish the frames addressed to 
its own station, and knows from which st
ation they are coming. When the 
MAC layer recognizes a token frame addresse
d to its station, it enters the data 
transfer phase to transmit to the other sta
tions for a certain amount of time 
and then sends the token to its successor. H
ence the steady state operation will 
alternate between the token and data transfer
 phases. 
MAC sublayer is also responsible for ring m
aintenance functions such as 
ring initialization, new station addition to 
the logical ring, and lost token 
recovery. All the token using stations on th
e network can perform these func-
tions. In addition, it is MAC layer's duty t
o recover from faults like multiple 
tokens, token __ pass failures, deaf station, and
 duplicate station addresses as will 
be explained in the following section. 
12 
----
----
----
----
----
----
·-----·-·.
 ---
---·--····-...
........ -----~"..,..,... _
____
____
 _ 
In addition, the IEEE standard 802.4 supports an optional priority 
mechanism. The MAC sublayer offers four access classes for the priority levels 
indicated by the LLC ]ayer and has a separate qu.eue for frames in each access 
class pending transmission. When the p_riority option is not implemented, only 
data frames with the highest priority will be transmitted. When it is imple-
mented, the data frames corresponding to each class will be sent in order, start-
ing with the highest priority class. Finally the lowest priority class frames will 
be transmitted before passing the token to the next station. 
2.2 Basic Operation 
Steady state operation, when a logical ring has been formed and no error 
conditions exist, requires the token to be sent to a specific successor station 
after finishing transmission. Each participating station in the logical ring knows 
the addresses of its successor and predecessor stations referred as Next Station 
(NS) and Previous Station (PS) respectively. It also knows its own address 
named as This Station (TS). These predecessor and successor addresses are kept 
track of dynamically during the operation of the network. Whenever there is a 
change in any of these addresses, it is noted. 
The logical ring or the token pass is in descending numerical order of the 
station addresses as shown in Figure 2-2. The token holder sends the token to 
the station with the highest address lower than its own address. Al] the stations 
connected to the physical bus do not need to be on the ring at all times and 
the sma11est logical ring consists of only two stations. The number of stations 
that form the ring is subject to change and steady state is reached when there 
is no activity for such a change. When the token holder is the lowest addressed 
13 
'.\, 
,, 
' ,\ 
station on the logical ring, the token is passed to the highest addressed station 
(See Figure 2-2 where the station with address 1 sends the token to the station 
whose address is 8). This is the exception to the descending numerical order of 
token passing and starts the next circulation of the token around the ring. It 
is the MAC sublayer's responsibility to keep track of the station's predecessor 
and successor, and therefore the logical ring, since all stations operate the same 
way. 
I 
-~ 
1 
L - _. 
r 
2 
8 -, 
Figure 2-2: 
-, 
L 
7 
3 
-t 
I 
_J 
4 
6 
Logical Ring on Physical Bus 
._ - -, 
5 J 
During transmission, the token owner keeps sending data frames. A data 
frame is either a request_with_no_response or a request_with_response or a 
response frame as specified in its frame control unit. Sending a 
request_with_response frame is a special condition where the token holder 
waits for its response for a certain time. If it does not receive a response, it 
~ends the request_with_response frame again. Finally when the token owner. 
gets the response frame addressed to itself, it starts sending other data frames. 
14 
After finishing transmission the token ho]der sends the token control frame 
to its next station, NS. If it does not hear evidence that the token reached its 
destination, it tries the token_pass a second time. In the case that both trials 
are unsuccessful, it assumes that its successor has failed. Therefore it attempts 
to find its successor's successor by sending a who follows control frame with its 
successor's address in the data field. Since it is a broadcast medium, all the sta-
tions will receive this frame. The station whose predecessor is the successor of 
the sending station, responds by sending its address in a set successor frame. 
The token holder therefore knows its new successor and sets its NS to this ad-
dress. This way the logical ring is preserved by leaving the failed station out 
of the ring. If the station still cannot manage to find a successor, it becomes 
silent and listens for activity in the medium. This situation can occur in cases 
where all the stations have failed or left the logical ring, or the medium has 
broken, or the station's own receiver has failed. In the deaf station case, some 
other station will reinitialize the ring. The deaf station will not be able to 
reenter the new established ring, since it cannot hear. 
New stations can enter the logical ring through a controlled contention 
process using response windows. Response windows are controlled intervals of 
time after the transmission of solicit successor control frames during which the 
sender listens for a response. Responding stations send the frame sender their 
wishes to become its successor and after a contention process, the station with 
the highest address less than the sender's address \\'ill have the right to join the 
logical ring. Only the stations whose addresses fall in the range between the 
token holder's and its successor's addresses can respond to the solicit successor 
15 
------------------------------------------------------------
frames from the token holder. In this way, the 
.../'" 
destroy t'~d..escending address order of the ring. 
winner will not 
A station can leave the logical ring anytime by not responding to a token 
frame sent to itself and a1lowing the fault recovery mechanisms in the protocol 
to recover the ring. Also, it can send a set_successor control frame containing 
its successor's address to its predecessor, when it has the token. The predecessor 
will set its NS to this address. The token holder can then pass the token to its 
successor knowing that the token holder will not receive it again. 
2.3 Access Control Macl1ine 
Token-passing bus medium access control can be said to be robust, since it 
can accommodate and survive multiple concurrent errors. Its behavior can be 
better understood by referring to the operation of the finite state machine model 
of the Access Control Machine (ACM) in Figure 2-3 on page 17 and the state 
transition table given in Ada Programming Language in the IEEE Std. 802.4 
[20]. As previously mentioned, ACM is the main control mechanism of the 
Medium Access Control (MAC) sublayer. Its finite state machine diagram 
describes the main functioning of the MAC sublayer. 
Figure 2-3 differs slightly from the original FSM in the standard [20] be-
cause it required two state transition corrections to be compatible with the state 
transition table in Ada Language introduced in the standard. There is a tran-
sition from the demand delay state to the offline state which is necessary for a 
possible faulty_ transmitter case and is missing on the original FSM diagram. 
Also, there is no transition from the use token state back to itself as in the 
16 
- --- -. -·· - -----------·- .. - . --- . - -- ----- -··- -·-··--------·----··· ·-··-·--- - -·-. ----· -··---------------
. -
0 - OFFLINE 
I - IDLE 
2 - DEMAND IN 
3 - DEMAND DELAY 
4 - CLAIM TOKEN 
5 - USE TOKEN 
Figure 2-3: 
6 - AWAIT IFM RESPONSE 
- -
7 - CHECK ACCESS CLASS 
8 - PASS TOKEN 
9 - CHECK TOKEN PASS 
- -
IO - AWAIT RESPONSE 
Access Control Machine FS:N1 Diagram 
17 
original diagram since either check access class or await ifm_response state 
must be entered before being able to retransmit in the use token state. 
As seen in Figure 2-3 ACM has eleven states. Its functioning can be better 
understood with a brief description of its states. 
Offiine: Offline is the initial state ACM enters after power up. It is 
also entered after the detection of certain faults, by the MAC sublayer, such as 
faulty __ transmitter and duplicate_address conditions. Following power up, the 
station waits in this state for all of its necessary internal parameters to be in-
itialized. Then, after being instructed to go online, it enters the idle state. 
Idle: Idle is the state where the station listens for an activity without 
transmitting to the medium. The time to wait in this state is determined by 
the bus idle timer. During this time if the station 
• 
receives a token control 
frame addressed to itself it enters the use token state. If it hears a 
solicit successor frame when desiring to enter the logical ring, or if it recog-
nizes a who_follows message from its predecessor's predecessor (in order to 
patch a failed station out of the ring), it enters the demand_in state. If the 
bus_ idle_timer expires without hearing any activity on the medium, it at-
tempts to recover the logical ring by claiming the token and enters the 
claim token state. On detection of a duplicate station address case, the station 
goes to the offlinc state, after reporting it to the station management. If it 
hears a noise burst or its own frame, it initializes the bus idle timer and con-
tinues to wait in the same state. 
18 
--------
--- ----------
- - ----- - - -----
- - ---------
----------------
• 
Demand In: Demand in is the state the station contends for the 
token in conjunction with the demand delay state in order to be a member of 
the logical entered from the idle • ring. It • IS state on receipt of a 
solicit successor or a who follows frame from the token holder. 
There are two types of solicit_ successor frames, solicit_successor_ l and 
solicit successor 2 which are always followed by one and two response win-
dows respectively. Three response windows foil ow who fallows frames. As men-
tioned earlier, response windows are controlled intervals of time during which 
the sender listens for a response. Only those stations whose addresses fall in the 
range between the frame sender's and its successor's addresses are entitled to 
respond to these frames. 
Solicit successor I frames are sent when the address of the station's sue-
cessor is less than the station's address. Only the lowest addressed station in 
the logical ring sends solicit successor 2 frames, because the successor's ad-
dress is higher than the station's address. Responding stations can both have a 
higher or a lower address value than this lowest addressed station, as the lowest 
addressed station in the logical ring is not necessarily the lowest addressed sta-
tion in the entire system. There might be stations in the network with lower 
address values and which are interested in entering the logical ring. In order to 
keep track of the descending address order in the logical ring, two response win-
dows are essential so that the lower addressed stations respond in the first win-
dow and will have the priority in contention. When there are no such stations, 
higher addressed stations responding in the second window will have a chance of 
winning the contention. 
19 
On receipt of any of these control frames, the station who is entitled to 
respond sends the token holder a set successor control frame and enters the 
demand delay state. If the station is responding to a solicit successor or a 
who follows frame in the first response window, it immediately sends the 
set successor frame. If it is responding in the second response window or is 
participating in the contention resolution process, it delays in the demand • 1n 
state before sending the set_successor frarne. While delaying, if it hears any 
transmissions, it returns to the idle state assuming that another station with a 
higher address is contending to enter the logical ring. 
De111and Delay: Demand delay is the state entered after the station 
sends the set successor frame in the demand in state. In this state, if the sta-
tion hears a token addressed to itself, it goes to the use token state since the 
resolution contention process is over. If the station hears a resolve contention 
frame from the token holder, another step of the contention resolution process 
must be performed since there are still multiple numbers of stations responding 
to the token holder. Resolve_contention frames are followed by four response 
windows. All the contending stations set their delays and return to the 
demand in state where they listen for the other contenders. 
The delay interval is determined by choosing two bits from the station's 
address consecutively in each contention step, starting with the most significant 
two bits. The stations with higher addresses delay shorter intervals and send 
their set successor messages in the demand in state sooner than the others. 
•"· Those stations which are listening, drop out of contention process when they 
" 
20 
- --
hear frames from higher addressed • Stations with the set successor stations. 
'r 
same value for the selected two address bits, delay the same amount of time 
and the token holder who hears multiple responses sends another 
resolve contention frame. 
This process and switching between the demand in and demand_delay 
states continue till the contention is resolved or the station drops out of conten-
tion on recognizing higher addressed contenders. Finally the highest addressed 
station among the contenders wins the contention process and the token, and 
n1oves to the use token state. 
During this entire contention process, the set _successor frames from the 
other stations heard in the demand_delay state are ignored. Because the sta-
tion has already sent its set_successor frame and these frames it receive belong 
to stations with lower address values, hence lower priorities than itself. Also, 
during contention, if the station hears anything other than a token, 
resolve_contention, or set successor frames, or if it hears nothing, it abandons 
soliciting the token and goes back to the idle state. 
Claim Token: Claim token is the state in which the station attempts 
to initialize or reinitialize the logical ring by sending claim token frames. It is 
entered from the idle state upon expiration of the bus idle timer. Since there 
may be multiple stations claiming the token, each station delays one slot time 
( maximum time any station need for an immediate response from any other sta-
tion on the physical bus) after sending its claim token frame and listens to the 
21 
medium. If the bus stays quiet after this de]ay, another c]aim token frame is 
sent. When the station sends max_ pass __ count (ha]f the nurnber of bits in the 
station's address plus one) claim_token frames without hearing any other trans-
missions, it has successf ul1y claimed the token, and goes to the use token state. 
Use Token: Use token is the state in which the station can send data 
frames for a certain amount of time determined by the token hold timer. 
When this timer expires or the station has no more to transmit, the station 
goes to the check access class state. If the station sends a data frame, it sets 
the response window timer to 3 s]ot times and then enters the 
await_ JFM_ response state. 
Await IFM Response: A wait IFM response state is entered from 
- -
the use token state, when a data frame has been sent. No response is expected, 
if the frame sent was a request_ with_ no_ response data frame. Hence the 
use token state is again entered. If a request with response frame has been 
sent, the station waits for a response frame addressed to itself so that it can go 
back to the use token state to check for another frame or holding_timer 
timeout. If a timeout occurs before a response is heard, the station sends the 
request_with_response data frame again. When the station sends the same 
data frame max_retry_limit (an integer constant that determines how many 
times a station resends a request_ with _response frame and it is usually 
selected as three) tirnes without get ting any response, it abandons requesting. 
IFM notifies the MAC user entity that no response has been received and the 
use token state is again entered. If the station hears any other valid frame 
22 
other than a response, an error has occurred. It returns to the idle state to 
process the received frame. 
Check Access Class: Check access class is the state in which the 
station controls the transmission of frames for lower access classes. As men-
tioned in Section 2.1, the standard supports an optional priority mechanism 
with three lower access classes in addition to the highest priority access class. 
When the option is implemented, data frames of the lower access classes can 
also be sent. Each access class other than the highest, has a corresponding 
target rotation timer. These timers are previously loaded on entrance to the 
use token state and they keep running till the check access class state is 
reached. When the station enters the check _access_class state, the residual 
time left in the target rotation timer for the highest lower access class is 
- -
loaded into the token hold timer. Then the station enters the use token 
state to transmit for that access class till the token_hold_timer expires. At 
this time the target rotation timer is also reloaded to its initial value. 
Similarly each of the lower access classes are checked and the station alternates 
between the use token and check access class states for each access class. 
After sending data frames in each access class, the station goes to the 
pass token state, either to pass the token to its successor, or to solicit succes-
sors so that new stations can enter the ring. 
Pass Token: Pass token is the state in which the station attempts to 
pass the token to its successor. If the successor responds and the station hears a 
valid frame, the token pass is completed. If the station does not know its 
23 
successor's address, NS, it sends a solicit successor 2 frame to itself and 
enters the await_response state. This forces all the stations on the network 
which desire to be in the ring to respond. Also, at certain times, the station 
allows new stations to enter the logical ring before passing the token, by send-
ing the appropriate solicit_successor frame and entering the await_response 
state. ]f it cannot find any successors it goes to the idle state. 
Check Token Pass: Check_token_pass is the state in which the 
station waits for the evidence that its successor received the token. It waits one 
slot time for the station receiving the token to transmit. If it hears a valid 
frame, the station assumes that the token successfully reached its destination 
and goes to the idle state to process the frame. If it hears noise or an invalid 
frame, it continues to listen to the medium for four more slot times. ]f the sta-
tion hears nothing in one slot time, it assumes that the token pass was unsuc-
cessful and returns to the pass token state to repeat the token pass. 
Await Response: Await_Response is the state in which the station 
tries to sequence the candidate successors through a distributed contention 
resolution algorithm until one of the successors' set successor frames is cor-
rectly received or until no successors are found. The station waits for a number 
of response window times. If it hears a set successor frame it goes to the 
pass token state to send token to its new successor. If it hears nothing it 
enters the pass token state again to send the token to its known successor or 
to try another token pass strategy. If it hears a valid frame other than a 
set successor frame, it assumes that another station is behaving as if it also 
24 
-- ----------·-------------·--- -------
' 
• 
has the token. Hence it drops the token and goes to the idle state. If it hears 
noise, it sends a resolve_contention frame to perform another step of the con-
tention resolution algorithm which repeats max_pass_count times. 
25 
---··-····- ·--····-------------------
----
t Chapter 3 
PROTOCOL ANALYZER AND 
VERIFIER 
3.1 PAV and Its Usage 
Protocol Analyzer and Verifier (PAV), which was developed by Sabnani 
and Lapone [ 19], is a software package, in C programming language which runs 
on the UNIX operating system. It is written for the purpose of analyzing and 
verifying communication protocols. It checks for syntactic errors, the presence of 
deadlocks, livelocks and functional errors in the formal protocol specification. 
PAV requires the protocol to be precisely defined as a collection of communicat-
ing finite state machines (FSMs) coded in Protocol Specification Language (PSL) 
before being input to PAV. 
Formal specification is very important in the sense that it gives a precise 
definition of the protocol which eliminates the ambiguity and incompleteness 
that may arise in English language specifications. By the verification process, er-
rors like deadlocks and livelocks can be avoided so that the protocol to be im-
plemented will be robust and reliable. 
The protocol modeling as a set of interacting FSMs, is done by using 
Comrnunicating Sequential Processes [24] type input/output operations. In the 
formal specification of the protocol, each FSM is described as a process. Con-
sidering the interprocess input/output operations, it is essential to have match-
"· 
ing sets of input and output statements in the two communicating. processes. 
26 
-------- - . --- - - - -
---------·--------------------------·---- - - --- --- - ----
This means that, if process! has an output to process2 specified as " 
processf!!message ", process2 has to have the matching input statement coming 
from process I denoted as " processl ?message ". These two matching operations 
will be executed simu]taneously, requiring both processes to be in the specific 
states that support the corresponding output transitions. Therefore, it is very 
important to be able to reach all the states of the processes. If there is a dead-
lock or livelock condition existing in one of the processes, and if it cannot reach 
the state for which the other process has been waiting, the protocol wiI1 never 
be able to progress. Hence, in the case when there are no dead]ocks or livelocks, 
the input/ output operations serve in synchronizing the execution of the processes 
as well as exchanging data. 
When a group of processes in PSL are input to PAV, the first thing PAV 
does is to check the syntactic correctness of the input text. Before proceeding 
further, PAV makes sure that the states and input/output operations given in 
the process declarations match those in the process body so that for every 
input/output operation in one process, there is a matching input/output opera-
tion in the corresponding process. 
Next, PAV forms a reachab]e g]oba] FSM, by combining aI1 the input 
processes. This is done step by step, first combining two FSMs, then the resul-
tant FSM with another and so on, till all of thern are reduced to one global 
FSM. This final machine reflects the joint behavior of a1l the component 
processes con1bined. 
27 
During the composition of the global FSM, PAV checks for deadlocks. 
That is, PAV checks for the global states from which there are no outgoing 
transitions to any other state, and provides the user a list of all the deadlocked 
global states. 
After constructing the global FSM, PAV computes a reduced FSM called 
the Application View FSM (A VF). This reduced machine represents the behavior 
of the protocol with respect to its user processes. In this procedure, the match-
ing input/output operations in the component processes, in other words internal 
transitions, are merged together in the absence of deadlocks. ()nly the external 
transitions, that is the input/output operations from or to the user processes, 
are shown in the resultant A VF. 
Furthermore, PAV can make a livelock check by locating any global states 
in which the protocol makes no progress towards its function. To detect the 
livelocks of the protocol, all the strongly connected components are determined 
in the reachable FSM. These strongly connected components do not have inter-
actions between the component processes and the user processes. They include 
interactions only among the component FSMs. Each of these strongly connected 
components is a potential livelock. The FSM may not be able to leave the 
strongly connected component and will be circulating in it, over the same path, 
indefinitely. In order to avoid livelocks, each component FSM must be properly 
formed and functioning. If any of the component FSMs has a path that keeps 
repeating indefinitely, the protocol will never be able to progress once it chooses 
that path. That is a livelock in the design. Hence the choice between the non-
28 
.. 
.. 
----------
--· ..... 
deterministic state transitions from any state in the component FSMs should 
not create such a condition. Then no livelocks will be present and it will be 
possible to progress among all the states of the reachable global FSM. 
PAV provides the user some options, each of which contains a few or all 
of the tasks PAV can do. The advantage of having these options is not having 
to do all of the tests when analyzing a group of FSMs. With options, tests can 
be run separately. The user can proceed to the next test after correcting all the 
errors that showed up in the first test. Therefore, step by step testing is pos-
si hie and it is easier for the user to identify and fix the problems for one test 
at a time. rfhe least work is done when PAV is run with no option. After car-
rying out the syntax checking of the input text, PAV forms the reachable 
global FSM that shows the joint behavior of all the component processes as ex-
plained above. No deadlock or livelock checking is done in this option and the 
output is the reachable global FSM, a very large machine that shows all the 
possibilities that can occur in combining the component machines. 
The next option is the " -s " option in which the transitions from or to 
the user processes, with respect to which PAV performs the reduction, are in-
put. In this case, besides carrying out all the tasks realized in the no option 
case, PAV comf>Oses the A VF which shows the behavior of the protocol with 
respect to the user processes. PAV also checks for the presence of deadlocks and 
warns the user if any are found by out,putting a list of the deadlocked states. 
The output file contains the reachable global FSM, the list of the deadlocks, if 
any exist, and the A VF. The output file also contains the Reduced Abstraction, 
29 
which is a reduced form of the A VF. 'fhe Reduced Abstraction is a finite state 
machine formed by merging the same behavior states. If two or more states 
have the same output transitions that go to the same states, they behave the 
same and can be merged into one state. This reduction changes nothing in the 
physical functioning of the initial FSM and the Reduced Abstraction machine is 
just a simplified form of the A VF. 
The last choice is the " -l " option which has to be executed along with 
the " -s " option. When this alternative is used, livelock checking is done in 
addition to every procedure followed in the " -s " option. The output file is the 
same as the output file in the " -s " option, except that the output file con-
tains a list of the livelocked states, if any exist. Running PAV with the " -s -l 
" option makes use of all of the tests for syntactic verification of the protocol. 
Livelock checking is much too time consuming. It is very efficient to analyze the 
component processes with the " -s " option initially, till all the syntax correc-
tions and deadlock fixes are completed. After solving all the " -s " problems, 
the " -s -l " option is not to hard to go through if the user formed the com-
ponent FSMs properly. 
3.2 Protocol Specification Language 
The finite state machines to be combined have to be coded in a machine-
readable description using the Protocol Specification Language (PSL) before be-
ing input to PAV. 
In the formal description using PSL, a protocol is defined as a set of in-
teracting processes each of which represents one of the component FSMs. Trans-
30 
' 
7 ( 
lating the protocol model made up of FSMs into the Protocol Specification Lan-
guage is a straightforw~rd task. Each FSM corresponds to a unique process 
which consists of two parts called the declarations and the body. The process 
declarations are introduced first when defining a process. The declarations in-
clude a list of states and IO operations used in the process and the name of 
the initial state. Next, the process body introduces all the state transitions, 
along with the input or output condition that causes the transition. The state 
transitions are always expressed in the following format: 
current state : next state WHEN boolean condition (an I/0 condition) 
Figure 3-1 shows the formal way of describing a process in the Protocol 
Specification Language (PSL). PSL and its formal description in Backus Naur 
form, are described in the paper by Sabnani and Lapone [ 19]. 
31 
PROCESS process name 
ST A TES list of states separated by ',' 
JO list of input/output operations separated by ',' 
JNJTJAL ST A TE initial state 
TRANSITIONS 
list of transitions each in one line separated by ',' . 
Figure 3-1: Formal Process Description in PSL 
32 
---------- . ·----- ···-----·- ·-·- ------- -------·----·-----·-·- ---·--·------·-··----
-Chapter 4 
MODEL DESCRIPTION OF THE 
MEDIUM ACCESS CONTROL 
PROTOCOL 
4.1 General Modeling Scheme 
As mentioned in Chapter 2, Access Control Machine (ACM) is the central 
unit of the MAC sublayer and functions as the brain of the MAC Protocol. 
The ACM finite state machine diagram, shown in Figure 2-3, is only a 
partial description of ACM since it does not specify the events and actions that 
take place during the state transitions. Actually, its operation is very detailed 
and can be better followed by referring to the ACM state transition table in 
Ada Programming Language introduced in the IEEE Std. 802.4. This detailed 
state transition table is the basis of the FSM formed in this thesis to model the 
ACM. The eleven states seen in Figure 2-3 are the basic states of the machine 
model. However, there have to be more states introduced in order to represent 
the events and actions that take place during progress of the protocol. The full 
ACM model, as given in Appendix A, contains two hundred and thirty eight 
states. The IEEE Std. 802.4, the state transition table introduced in the stan-
dard, and Chapter 2 are helpful for better understanding of the model. 
Referring to Figure 2-1 and Appendix A, one sees that the protocol model 
contains all the machines except the Regenerative Repeater Machine which is 
optional according to the standard and whose implementation is not recom-
33 
rnended in the NBS Workshop for Implementors of OSI [25]. The Receive 
Machine (RxM), Transmit Machine (TxM), and the Interface Machine (IFM) 
are modeled as side machines for ACM which is the main finite state machine 
and the rnost important element of the protocol model. However one will note 
that the model description in Appendix A includes forty more processes in ad-
dition to these machines given in the standard. The reason for having more 
machines will be explained in the following paragraphs. 
The MAC Protocol is a complex protocol that supports several timers, 
procedures, functions, address and boolean state variables, counters, and many 
other miscellaneous variables whose status or values continuously change during 
the operation of the protocol. While using a high level language like Ada it is 
possible to have all these separate variables, functions, procedures, etc. al-
together in a program, but when using finite state machines in modeling, we are 
restricted to using state transitions to perform all actions. In addition, the 
Protocol Specification Language described in the paper by Sabnani and Lapone 
[19], can only form the state transitions as IO (input/output) operations in the 
form: 
Process Name?lnteraction Name (input) 
or 
Process Name!lnteraction Name (output) 
1"herefore, in order to keep track of what is happening in the protocol 
using PSL, all of the variables, procedures, functions, counters and timers must 
be modeled as separate FSMs. Modeling in this way will allow ACM to send 
34 
------------ ·-- ·---· ···-----·-·----·------- . - .. -·-- -·· 
outputs to these various machines, receive inputs from them, and know their 
values or status at any time. Any action that takes place in the protocol will 
correspond to a state transition in two FSMs, one which is the sender of a mes-
sage and the other which is the receiver of that message. Hence, any change in 
the state of the entire protocol may be described by simultaneous state tran-
sitions in a number of interacting FSMs. 
The token-passing bus protocol model formed in this thesis contains forty-
four component processes. It is introduced in Appendix A in the Protocol 
Specification Language. All the component processes are briefly explained in Sec-
tion 4.3 . ACM, which is the largest and most complex machine of the model, 
has two hundred and thirty eight states. Eleven of these states, namely I, 1, 
2, 3, 4, 5, 6, 7, 8, 9 and F, can be considered as the main states of the 
machine, where I and F stand for the Initial and Final states. These states cor-
respond to those in Figure 2-3. All the intermediate states are due to ACM's 
communication with the other component processes supporting the high level 
language procedures like functions, variables, timers, counters, etc. 
Almost all of the machines directly interact with ACM and have state-
ments from and to ACM. Only three machines, NB_BQ_detector, silence, and 
valid frame do not have direct communication with ACM. However, they in-
teract with it via the noise burst and bus_quiet machines. 
The protocol model contains eight timers, five counters, fifteen boolean 
variables, three comparison machines and other miscellaneous machines besides 
35 
--·· -·-···------
·----- -----
-------
-
., 
3 
2 
1 
Token Rot Timer 
token rot timer?value O acm ?hi_ pri _token_ hold_ time 
1 
2 
acm!timeout acm!timeout 
Token Hol Timer 
Figure 4-1: Two Interacting FSMs of the Protocol Model 
36 
PROCESS token rot timer; 
ST A TES 0, 1, 2, 3; 
IO acm?load token hold timer, acm?expire, token_hol_timer!value_O, 
acm ?tar rot time O; 
INITIAL ST A TE O; 
TRANSITIONS 
0 • 1 WHEN acm?expire, • 
0 2 WHEN acm ?load_ token_ hold_ timer, 
1 • 2 WHEN acm ?load token hold timer, . 
- - -
2 • 3 WHEN token hol timer!value _o, • 
- -
3 • 0 WHEN acm?tar rot time 0. • 
Figure 4-2: PSL Description of the Token Rot Timer in Figure 4-1 
.~-
37 
PROCESS token hol timer; 
ST A TES 0, 1, 2; 
IO acm?hi _ pri _ token hold time, token rot timer?value 0, acm!tirneout; 
INITIAL ST A TE O; 
TRANSITIONS 
0 : 1 WHEN acm?hi_pri_token hold time, 
0 : 2 WHEN token rot timer?value 0, 
1 : 0 WHEN acm!timeout, 
2 : 0 WHEN acm!timeout. 
Figure 4-3: PSL Description of the Token Hol Timer in Figure 4-1 
38 
. - -···-· ··--·· - ·- ---·. - ·-· ------------··--··--··· ··-•···-·- --· ···-··· . 
. , 
... 
the Access Control Machine (ACM), transmit (tx), receive (rx) and the interface 
machines (ifrr1) introduced in the standard. Figure 4-1, on page 36, contains the 
FSM diagrams of two of the timers, token_rotation_timer (token_rot_timer) 
and token_hold_timer (token_hol_timer). These two machines have an inter-
action with each other which is controlled with the state transitions, " 
token hol timer !value 0 " at the FSM token rot timer and " 
token rot timer ?value O " at the token ho) timer. These machines start 
from the O initial state like all the other component processes and they both in-
t.er act with ACM. Figure 4-1 is a simple example to show how FSMs interact. 
Figure 4-2 and Figure 4-3, on pages 37 and 38 respectively, show the PSL 
descriptions of the machines in Figure 4-1. One can easily see that a PSL 
description is another representation of finite state machines, like FSM diagrams 
or state transition tables. It introduces the initial state, a list of the states, and 
the transitions in an FSM systematically. It is a very important representation 
method when the sizes and numbers of the FSMs increase and computer 
analysis is required. 
Because of the large number (forty-four) of FSMs, some of which are quite 
large, finite state machine diagrams will not be given in the text. However, Ap-
pendix A contains all the machines and is sufficient to introduce the whole 
protocol model in a compact form. 
4.2 Red11ctio11s Assumed 
1"he idea in verification of the protocol is to combine all these individual 
machines that interact with each other, and with ACM via PAV. This way 
their joint behavior can be determined. The purpose is to obtain a functionally 
39 
correct output, free of deadlocks and livelocks after combining all the FSMs 
using PAV. 1"'his can be achieved by correcting errors that arise during combin-
ing procedures. Then the protocol can be said to be reliable. 
As will be explained in the following paragraphs, some reductions are as-
sumed during modeling. These reductions are made in such a way that none of 
them will affect the behavior of the protocol or the main operational properties. 
They are basically done to simplify the combining procedures. The following 
paragraph will give an insight to why some reductions were assumed. 
Each group of machines to be combined has a different nature. Some of 
the groups may have many small size machines while other groups may have a 
few large size machines. In addition, some machines may have a very large 
number of states. Sometimes the number of states in an FSM may not be that 
large, but the number of transitions between states may be excessive. Hence, for 
each combination of machines, certain variables have more significance, like the 
number of FSMs to be combined, the number of states and transitions in each 
FSM, the number of 1/0 statements from and to the user processes, etc .. Each 
of these variables and many others refer to corresponding variables and arrays 
in PAV. However, when PAV is compiled, al1 the variables and arrays used in 
the program are assigned fixed values. Therefore with PAV compiled in one 
specific way, it is very likely to have overflows of some arrays for some groups 
of machines during analysis. Certainly PAV can be recompiled in such a case 
and limits can be adjusted as required. However, this is a very time consuming 
and complex job. Unfortunately, it is not possible to indefinitely increase the 
40 
sizes of all the arrays used because of the finite memory capacity of the com-
puters. Hence, it is beneficial to do as many reductions as possible, as long as 
they don't affect the behavior of the protocol. The smaller the number of 
FSMs, states and transitions in each FSM, the easier the combining procedure. 
name of the constant 
address length 
max_pass_count 
max inter solicit count 
max transmitter fault count 
max-~ retry_ limit 
max access class 
Table 4-1: 
standard value 
16 (or 48) 
9 (or 25) 
16 - 255 
7 
3 
6 
Reductions in Constants 
model value 
8 
5 
8 
3 
2 
2 
First, there are reductions done in some constant values which result in 
reductions in the dimensions of some FSMs as shown in Table 4-1. 
Address_length is reduced causing a reduction in the max_pass_count value 
and FSMs resolution_pass_count, result, the . In 
. 
sizes of the as a 
contend_ pass_ count, and claim pass count. The address_ length and the 
max_ pass_ count have the following relation: 
max pass count 
- -
( address_ length / 2 ) + 1 
41 
J 
t 
JI 
With this reduction, the counters resolution_ pass_ count, 
contend_pass~_count, and claim_.pass_count will count only up to five. This 
causes an immense decrease in the sizes of these counters as will be easily un-
derstood referring to their PSL descriptions in Appendix A. 
Further, max inter solicit count, max transmitter fault count and 
max_retry_limit are reduced when compared with the suggested values in the 
IEEE Std. 802.4. This resulted in a decrease in the sizes of the FSMs 
inter solicit count, transmitter fault count and remaining_retries. 
Finally, the constant max access class is reduced, which results in a 
series of other reductions. The standard supports four access classes, namely 0, 
2, 4 and 6 while the model supports only two of them, 0 and 2. In this way 
the size of the access class FSM is reduced. Since the model has only two ac-
cess classes, there only need to be two send pending frame queues imple-
- -
mented, resulting in a decrease in the size of the FSM any send pending. We 
- -
also save four machines since we do not need to model the finite state machines 
send_pending_6, token_ rotation_ timer_ 2, and send_pending_4, 
token rotation timer 4. Token_rotation_timer_O, token_hold_timer, and 
ring maintenance token rotation timer are FSMs sufficient for sending data 
- - - -· 
in the two access classes and for the ring maintenance timing. 
It is also assumed that the parameters slot time, TS, address_ length, 
target_rotation_ time_O (for access class 0), hi_pri_token_hold_time (for 
the highest access_class, namely 2), ring_maintenance_timer_initial_value, 
42 
max_inter_solicit_count, etc. are fixed values known by ACM before entering 
the ID LE( 1) state from the OFFLINE(I) state. 
Besides these reductions, the optional regenerative repeater machine has 
not been modeled at all, as already mentioned. 
In addition, some of the responsibilities of the receive (rx) and transmit 
( tx) machines are not considered during modeling. The following explains those 
responsibilities and the reason for neglecting them. It is rx and tx machines' 
responsibilities to remove and append preamble, Frame Check Sequence (FCS), 
and the frame delimiters SD and ED. All these units require bit by bit check-
ing. It is redundant to model such details when forming finite state machines as 
this will require an excessive number of states. Hence the rx machine is modeled 
only for warning the ACM about the identity of the incoming frames, assuming 
their Frame Check Sequences are correct. Similarly, the tx machine sends the 
frames to be transmitted to the physical layer without adding the above units 
since it does not affect the access control protocol. 
A reduction is also done within the Interface machine (ifm) which works 
like a bridge between the MAC layer and the LLC layer. As explained in the 
standard, ifm receives the incoming messages from the rx machine and passes 
them to the LLC layer. However, this does not affect the operation of ACM, 
that is the access control, at all. Therefore, when modeling ifm, this function 
was left out so as not to complicate and enlarge the machine unnecessarily. 
Another function of ifm is to pass the pending frames from LLC layer to ACM 
43 
---------------------------- -----------------·-·-··----------·- ....... ----------- .. ----·--·--------- . -
( for transmission to the medium by the tx machine, whenever ACM requests. 
Instead of receiving these pending frames from the LLC layer, the model as-
sumes that ifm receives them from station management (stmgm) which is a user 
process frequently consulted during the operation of ACM. This way a user 
process (LLC) is eliminated which simplifies the whole reduction process during 
verification. Therefore ifm transmits the messages from the user process stmgm 
to ACM. This simplification however, does not affect the operation of ACM or 
the access control as ACM receives the pending frames anyway whenever it 
needs them. 
4.3 Cornponent FSMs 
Forty-two finite state machines are formed in modeling the Medium Access 
Control Protocol. The following is a brief description of each of those machines. 
The IEEE Std. 802.4 [20] can be referred to for more information. (The names 
in parenthesis are the abbreviations used in the PSL description of the protocol 
model in Appendix A.) 
4.3.1 Access Control Machine (ACM) 
ACM is the control mechanism in the protocol. ACM is responsible for 
keeping track of what is happening in all the other finite state machines of the 
model. It makes all the decisions after checking the necessary component 
machines and the incoming inputs from the physical layer and the station 
management. Hence, ACM follows the protocol by working in cooperation with 
the other component processes. Its basic operation and responsibilities are 
described in Sections 2.2 and 2.3 in detail. 
44 
. ------ -----·---- -----------·-- ----- --·----- -----·-------- - -
• 
{ 4.3.2 Timers 
Token rotation ti1ner (token_ rot_ timer): This timer is for the 
lower access class and essential in implementing the priority option. Initially it 
is expired or set to zero by ACM. When the station starts sending data at 
access_class_O, token_rotation_timer is loaded with target __ rotation_time_O 
after loading the residual time left in the timer to token hold-timer. This 
residual time determines the time to send data frames of access class 0. 
Token (token • lS timer): hold timer hol Token hold timer 
loaded with hi __ pri _ token hold time by ACM to send data frames of highest 
priority, namely of access class 2. When sending frames of access_ class_O, it 
is loaded with the residual time in the token rotation timer. 
Ring maintenance token rotation timer (rmtr_timer ): This 
timer for ring_maintenance, is set to ring_maintenance_timer_initial_value 
on initial entry to the logical ring, or after checking and accessing both access 
class levels if the station wants to stay in ring or there are pending queues 
available. When it is expired, depending on the other finite state machines of 
the protocol, Access Class Machine may allow entry of new stations by sending 
solicit successor frames. 
Bus idle timer: It is a simple timer modeled such that it waits in 
the idle state for any activity on the medium and on timeout ACM attempts to 
reinitialize the ring by claiming the token. If an activity is heard before 
timeout, bus idle timer is reset again. 
45 
- --- ----------------- --- ·--- ·-----·
·-· ·------ ---- -·----·--·-- ----
--------------------- - --------
--- -· -- .. -- . " 
Claim timer: It is another simple timer that controls the time between 
sending claim token frames. 
Contention timer: It is set by ACM with one of the four values 0, 1, 
2 or 3 after hearing a solicit successor, who follows or resolve contention 
frame in the demand in state to contend for the token. 
Response_window_timer (res_window_timer): It is loaded with 
the number of response_window times, after the station sends a 
solicit_ successor, who follows or resolve contention frame, in order to solicit 
the response. The response_ window_ timer is set to 4 response window times 
for a resolve_ contention, 3 for a who follows and 1 or 2 for a 
solicit_ successor frame depending on the type of the solicit _successor frame. If 
timeout occurs and nothing is heard, the station passes the token to its succes-
sor. 
Response_window_timer is also used when a request_with_response 
data frame is sent. It is loaded with 3 response window times to wait for a 
response. If no the request_with_response frame • IS . response 1s received, 
retransmitted. 
Token pass timer: This timer controls the time to listen for any 
type of a frame, after passing the token, in order to make sure that the succes-
sor has the token and is transmitting to the medium. If no frame is heard, 
ACM tries another token pass procedure. It is usually loaded with I 
46 
--- ----- --------------------------------------------------------- ------------ - - -- -- ---- -
response_window time, but in the case the station hears a noise_burst, it lis-
tens to the medium longer by setting the timer to 4 response window times. If 
it still does not hear any frarnes, it performs the next token pass procedure. 
4.3.3 Counters 
Claim pass co·unt: It is a counter that counts from 1 to 
max_ pass_count which is equal to 5 in the model, and is used to limit the 
token claiming process. Every time after sending a claim token frame, it is in-
cremented by one and once max_pass_count claim __ token_frames are sent 
and no other station is heard, the station can claim the token. 
Conte11d pass count: It counts frorr1 0 to max_pass_count going 
through max_ pass_count cycles of contention processes to be able to enter the 
logical ring by getting the token. If no contending station gets the token due to 
an error, ACM informs station management about a probable 
faulty_ transmitter condition. 
Transmitter fault count (trans fault count): It is incremented 
every time the station runs to the end of the contention process without getting 
the token, or it fails to pass the token to any successor. In the model it counts 
from O to 3 and if reaches its maximum, it reports the probable faulty trans-
"' mitter case to the station management and removes itself from the ring. 
Resolution pass count (res pass count): This counter counts 
from of the number of order to keep track 0 max pass count 
- -
. 
In to 
resolve contention frames the station sends. If the contention is resolved, the 
47 
• 
--·----------------
,1. -
token is passed to the new successor, the winner of the contention process. If 
max pass count is reached, the resolution is abandoned and the token is 
- -
passed to the station's successor. 
Inter solicit count (inter sol count): It is a counter that counts 
from the max_inter_solicit_count (8 in the model) down to 0. Every time the 
station passes the token, it is decremented and when it reaches 0, the station 
allows new stations to enter the logical ring by sending solicit successor frames. 
If any response is heard, the counter is reset to O so that the process can be 
repeated till the ring gains a new merr1ber. 
4.3.4 Co1nparison Machines, Claim Data Unit and NS 
Compare (comp): It is a rnachine formed to check the address bits of 
the station in groups of two, which can result in either 0, 1, 2 or 3, to use in 
claim token and resolve_contention processes. During the claim token process, 
it determines the length of the data field of the claim token frame to be sent. 
During the resolution process, it identifies the length of time a station delays 
before sending a set_successor frame to the token holder on receipt of a 
resolve contention process. 
TS compare (TS comp): This machine compares the station address 
TS with the incoming frame's source address (SA) or destination address (DA) 
or data_ unit (du) fields at various tirr1es as the Access Control Machine en-
titles it to do and informs ACM if TS is equal to, less than or greater than 
the compared value. 
48 
PS compare (PS comp): This machine saves the source address 
knowledge whenever the station receives a token frame whose source address 
denotes the identity of the previous station. On receipt of a who_follows frame 
in the idle state, it compares the PS with the incoming frames data_unit field 
that carries the frame sender's NS. On recognition of a who follows frame from 
the predecessor's predecessor, ACM responds with a set successor to patch a 
failed station (station's predecessor) out of the ring. 
Claim data unit (cdu): Cdu, in conjunction with the FSM comp, 
determines the length of the data field of the claim token frames to be trans-
mitted. It infor1ns comp about the current claim pass count and comp sends 
- -
it the value of the two address bits for that count which helps to determine the 
length of the claim_data_unit, twice the number sent by comp. Hence the in-
formation is either O, 2, 4 or 6 slot times long. 
NS: NS is the finite state machine that keeps track of the Next Station's 
address. When the station receives a set successor frame addressed to itself, it 
loads NS with the data unit field of the set successor frame. Also NS is set 
to the destination address (DA) field of the incoming frame when it is a 
solicit successor frame and the station contends for the token. If the station 
succeeds in getting the token, it will know its successor by the time it is ready 
to pass the token. ACM sets NS false when next station's address is not known. 
49 
- - - --·-- -- ··---- -
- -------· -· -- - - - ---· - -·-
( 4.3.5 Miscellaneous Variables 
Remaining retries: It counts the number of retransmissions on timeout 
of a request_with _ response frame. The number of retransmissions allowed is 
determined by the max_. retry_ limit which is 2 in the model. 
Access class: It is a machine that sequences through the two access 
classes while transmitting data in the use token state. When it is equal to 
ring_ maintenance it means that all access class levels are checked and ac-
cessed. Therefore the token is passed to the next station. 
Pass state: This finite state machine controls the operation of the pass 
token processes. It is a multistate machine which is in one of the pass_ token, 
repeat pass token, 
-
-
solicit successor, who follows, repeat_ who _follows, 
solicit_any or total_failure states. Depending on in which state it is, ACM 
takes different actions. 
Heard: This FSM circulates between three states depending on • main 
what the station hears while awaiting a response for the resolve contention 
frame it sent. It can hear nothing or a collision which means a few 
set successor frames have been sent causing a noise burst altogether, or a 
set successor frame meaning that contention is resolved and the token needs to 
be sent to this new successor. 
50 
--------------------------·-··· 
4.3.6 Boolean Variables 
Any send pending: ACM checks for the status of this FSM which 
turns true when any of the pending frame queues nonempty. 
Send pending 0: This FSM informs any_send_pending when station 
management notes the existence or nonexistence of a pending frame queue of the 
access class 0. ACM also can check the status of this machine from time to 
time. 
Send pending 2: It is an exact copy of the FSM send_pending_O, 
however it is modeled for the access class 2. 
Power OK: This machine is either true or false as informed by station 
management. ACM can check its status anytime. ACM cannot proceed its func-
tions unless power_OK is true. 
In • ring desired: It is similar to power_OK and used to indicate if 
the station wants to get into the logical ring or stay in it when it is already in 
the ring. This decision is made by station management. 
First time: First time denotes a boolean variable that controls the 
processing of the noise bursts in the await response state. It is set true on 
entering this state and set false when a is heard, by the finite 
. 
noise burst 
state machine ACM. The station goes to the idle state if a second noise burst 
is heard. 
51 
• 
In It is set true by ACM when the station enters the ring and • ring: 
false when it leaves the ring. Its status can be checked by ACM anytime. 
Just had token: It operates exactly like first time and in_ ring be-
cause it is set true by ACM whenever the station passes the token and set false 
when it hears a valid frame from another station and its status can be checked 
by ACM anytime. This machine is used to detect the duplicate address case 
which is probable to occur during the operation of the network. 
Lowest address: This FSM is set true if the station's address is less 
than its successor's address and false if not, by ACM just like the previous 
three machines. Its status can always be checked by ACM as well. There is 
only one station at a time in the network whose lowest address machine is set 
true that serves to support the descending address ordering of the network. 
NS known: It is set true when the station knows its successor and 
false when it leaves the logical ring. ACM is the mechanism that performs this 
task and questions the status of the machine at anytime. 
Sole active station (sole act st): This FSM is used to inactivate 
the stations with defective receivers. It is set false whenever the station hears a 
valid frame from another station, and true after going through a token passing 
recovery procedure without hearing any response. It is controlled and questioned 
by ACM like the previous five rnachines. 
52 
·-·----~-- ---~------- - - --- - -·--------- ---- -- ~ ---- -
Noise~ burst: This FSM is set true by the NB_BQ_dctector 
(NB_BQ_det) and false by ACM. Its status can always be asked by ACM. 
Bus quiet: lt is set and reset by the NB_ BQ_detector depending on 
the existence of silence or nonsilence on the medium. ]ts status can always be 
checked by A CM. 
Valid frame: lt is set and reset by the receive machine ( rx) whenever 
there is a valid or invalid frame reception and its status is reported to the 
NB BQ detector when it asks for it. 
Silence ( sil): It operates exactly like valid_ frame, with dependency on 
the silence and nonsilence conditions. Its status is checked by the NB_ BQ_det 
likewise. 
NB BQ detector(NB BQ det): This machine makes decisions like 
setting and resetting th~\ FSM bus_quiet, or setting the FSM noise_burst by 
checking the statuses of the machines valid frame and silence and analyzing 
their different combinations. 
4.3. 7 Other Machines 
Receive machine (rx): This machine is modeled as an intermediate 
machine between the physical layer and the ACM. Upon receipt of data or 
protocol frames it informs ACM about the type of the frame, sends the source 
and destination addresses and the data unit to the machine called TSPSNS so 
that they will be stored for later use, sets and resets the machines, valid frame 
53 
and silence, respectively. It also sends the protocol frames received to the FSM 
Frame_Control (FC) for storage. Further, it makes the necessary changes on 
the status of the machines silence and valid frame on receipt of invalid frames 
or silence indication from the physical layer. 
Transmit machine ( tx): Transmit machine serves for sending the data 
and protocol frames from the Access Control Machine (ACM) to the physical 
layer. It can send all of the seven control (protocol) frames whose destination 
addresses (DA) and data_units (du) are determined when required. It also 
sends the service data unit ( sdu), received from the interface machine (ifm) via 
ACM. Actually, it transmits whichever frame it receives from the Access Con-
trol Machine to the physical layer with no change. 
Interface machine (ifm): Interface machine is modeled as an inter-
mediate machine between the Access Control Machine (ACM) and the station 
management (stmgm) which is a user process. Whenever ACM is ready to 
transmit pending frames for different access classes, it requests ifm to send the 
data frames available in the queues for the corresponding access classes. Ifm also 
warns ACM on receipt of a response frame to a request_with_response frame 
sent by ACM. Besides, it notifies the station management whenever there is a 
distributed ACM error on the bus, detected by ACM. This is the situation 
when there is another station that behaves as if it also has the token and ACM 
drops its token after notifying the interface machine to prevent a multiple token 
case. It is ifm's responsibility to inform the station management about the exist-
ence of this erroneous condition. 
54 
- -------. - - ------ --- --- ------------
( 
,-
~, 
Frame Control (FC): This machine stores the protocol_frame sent by 
the receive machine and informs ACM whenever it asks the type of the frame. 
In order to prepare it for the reception of a new control frame, ACM sets it to 
false so that it will be in a state enabled to accept any of the protocol frames. 
TSPSNS: This is a machine formed to keep track of the incoming 
frames' address fields and data units. On receipt of a valid_frame, receive 
machine sends the destination address (DA), source address (SA) and data_ unit 
(du) knowledge of the frame to TSPSNS. Whenever ACM needs to set NS with 
one of the new address fields, for example on receipt of a set successor frame 
or a solicit_successor frame during its contention for the token, it communi-
cates with this machine. Likewise if ACM wants to compare one of these values 
with its o~n address (TS) or with its predecessor's address (PS), it again refers 
to this machine. 
Many of these machines defined above refer to the variables and functions 
defined in the IEEE Std. 802.4 and same names are used as in the standard. 
However, there are some additional machines formed to simplify the reduction 
process like compare, TS compare, PS compare, and TSPSNS. These machines 
- -
take care of the address comparison tasks which are actually the responsibilities 
of the rx machine. They do not perform anything that is not included in the 
standard. However, their formation was unavoidable because the rx machine be-
comes a very large machine otherwise. As rx machine needs to be combined 
with ACM which is the largest size machine in the Protocol model, very large 
limits were needed during compilation of PAV and the analysis procedure would 
55 
---- ----------------- ---- ---------- .
... --- ------------------- ------
----------------- . 
become very difficult and time consuming. Therefore, address comparison respon-
sibilities of the rx machine were handled by these machines to save time and 
reduce complications. These machines can be thought as modules of the rx 
machine. Hence, during modeling the main idea was to design the machines in 
the best way to be analyzed by PAV, as well as remaining., compatible with the 
token passing bus protocol. 
56 
··- -· ·-------· 
' 
' ' 
I 
Chapter 5 
ANALYSIS AND VERIFICATION VIA 
PAV 
5 .1 Consequent Reduction 
For small size protocols, it is possible to input all the processes to PAV 
at the same time and obtain the resultant reduced machine with respect to the 
user processes in one run if the protocol is robust and properly modeled. 
11owever, this approach is unlikely to succeed as the number of finite state 
machines and the number of states of each individual machine increase. The 
reason for this is PA V's large memory requirement during execution. PAV uses 
many recursive procedures in the formation of the reachable global FSM, reduc-
tion of the global FSM, and checking for deadlocks and livelocks. This requires 
a large memory allocation and higher limits for the structures, arrays, etc. 
PAV during the execution process. 
. 
In 
For example, if a protocol consists of n processes with n 1, n 2, n3 , ..... , n 0 
states respectively, the upper bound for the number of states of the global 
machine is n 1 x n 2 x n3 x ..... x n0 • Calling this number N, the upper bound 
for the nurnber of state transitions is N2, considering even the transitions that 
might go back to the same state. Therefore, PAV has to be compiled with cer-
tain parameters defined large enough so that these limits will not be exceeded 
during its run. It is usually not possible to compile PAV with all the array 
sizes indefinitely increased because of the memory size constraints of the com-
puter. Compilation can be done only when the rr1emory allocation is within the 
57 
------------ - ----- ·-·-·--- --- - -
computer limits. This is a reason why PAV fails to compile all the FSMs in 
one run. In addition, increasing the number of FSMs to be composed increases 
the analysis time directly with N. 
However, this problem can be solved in a straightforward way by splitting 
the protocol into smaller groups and analyzing them separately as suggested by 
Krishan Sabnani [26]. For large size protocols, it is convenient to group the 
finite state machines and apply a reduction process to each of the groups 
separately. Then all the resultant reduced machines can be combined to obtain 
the final Reduced Abstraction. The result will be the same as a one step reduc-
tion, but the combining process will be easier and less time consuming. Depend-
ing on the size of the protocol model, the number of machine groups may in-
crease. The larger the size of the protocol, the larger the number of groups to 
be formed. This may increase the number of steps in combining. At the end of 
the first step reductions, there may still be a large number of machines to be 
combined. Therefore they have to be regrouped and additional reduction steps 
required. No matter how many steps are used to reach the final output, the 
result will not be any different than combining all the component processes at 
one time. That is, the output is unique and is independent of the number of 
reduction steps used. 
For the PSL model of the IEEE Std. 802.4 token bus medium access 
protocol [ 20] this step by step reduction was necessary even though the verifica-
tion is done on a CDC CYBER 850 mainframe, in the UNIX (NOS/VE) 
emulator environment. This is because the protocol model contains forty-four 
58 
.... 
----------------------------------------------------------------,----·=· -------------
processes with a very large number of states. If all the machines were input to 
PAV together, the number N obtained by multiplying the number of states of 
all the component FSMs in Appendix A, would be 8.2865 x 1032 and accord-
ingly N2 would be 6.8666 x 1065 . It is clearly not possible to both stay within 
the main frame's allowable memory limit and compile PAV with large enough 
limits so that the entire protocol can be combined in one run. Therefore, a 
gradual composition approach has been used in order to realize the verification 
of the protocol using PAV. There are many groupings, compositions, and check-
ing procedures done to rnake the analysis easier and less time consuming. In ad-
dition, a logical approach is followed while grouping the machines in order to 
simplify the succeeding composition steps. 
<, 
' 
' 
First of all, the finite state machines that interact extensively with each 
other are grouped. This way the resultant reduced machine, namely the Reduced 
Abstraction machine, will be smaller than the initial machines since it shows 
their joint behavior. The group of three finite state machines, 
any_send_pending, send_pending_O, and send_pending_2 given in Appendix 
A, is a good example. Any_send_pending is a machine that changes its be-
havior or state according to an input from either of the other two machines. Its 
main operation consists of interactions with them. In addition, these two 
machines are exact copies of each other and behave the same way using the 
same state transitions. This is an advantage in the composition process as will 
be explained in the next paragraph. 
59 
( The second idea used in . grouping is to gather the equivalent or alike 
machines that have many common state transitions. The group of FSMs 
first time, in_ring, just_had_ token, lowest address, NS known, and 
sole active station whose PSL descriptions are introduced in Appendix A, is a 
good example. These six machines are modeled to represent different variables in 
the protocol, but they are all equivalent and interact with ACM in the same 
manner. Since they all support the same transitions and nothing different, the 
output machine will obviously not support more transitions than those. Actually 
the outputs never include any which are not in the input. Hence the resultant 
machine will be one small machine reduced from six. However, these six 
machines are split into two groups, each of which contains three FSMs. These 
two groups are analyzed separately to save time and memory space, and the 
resultant two machines are then combined again. The user has to determine 
the grouping and combining strategies for the analysis process and make use of 
the above two ideas to simplify verification. In fact, verification of even very 
large size protocols is possible using such strategies. 
The successive composition and reduction of the component processes in 
the protocol model are explained by means of the following tables: 
Table 5-1 on page 62 contains a list of twenty_two component finite 
state machines. Table 5-2 on the following page lists the rest of the FSMs of 
the rnodel. Both tables show the first, second, third, and forth layer reductions 
applied to these machines successively. For example, the machine mac la is a 
result of combining the timers, token rot timer and token ho] timer which 
60 
. . ···-··-- ------------·-·· .......... ---- . ·-·--···· ...... . 
are introduced in Chapter 4. It is also the finite state machine to be combined 
with macl b and maclc to get a second layer FSM mac2a in the subsequent 
combining process. 
Macia is introduced in Figure 5-1 on page 64, in the form given in the 
output file by PAV. This figure shows the format of output obtained when 
combining component processes. It includes the A VF under the name Structural 
Abstraction and also the Reduced Abstraction which is formed by merging the 
same behavior states. Both abstractions show only the state transitions and the 
output is not in PSL form. In order to use this output file for the next layer 
reductions, it must be rewritten in PSL. That is, the list of states and IO 
operations, the process name and the initial state must be added. The process 
must then be rearranged in the syntax described in Figure 3-1, on page 32. In 
this translation process, Structural Abstraction is used for reasons that will be 
explained later. 
By the end of the fourth layer reductions, the machines on hand to be 
combined are tx, ifm, ACM, maclg, mac2a, mac3b, mac4a and mac4b. The 
) 
' 
successive composition steps applied to these eight machines are finally intro-
duced in Table 5-3 on page 65. The tenth layer machine is the final Reduced 
Abstraction machine that reflects the behavior of the complete protocol with 
respect to the user processes station management ( stmgm) and the physical 
layer (phy ). This reduced machine is formed by PAV, by merging the like be-
havior states in the Application View FSM (A VF) obtained at the end of the 
analysis. It is listed in Appendix B in the Reduced Abstraction form as given in 
the output file obtained by running PAV. 
61 
... ···- -· - --- -----··- . --- ---- -· --- -
tx 
ifm 
ACM 
token rot timer 
- -
macla 
token hol timer 
- -
rmtr timer . 
-
bus idle timer maclb mac2a 
- -
claim timer 
-
contention timer 
-
res window timer maclc 
- -
token_pass timer 
-
comp 
cdu macld 
mac2b 
claim _pass_ count 
mac3a 
contend _pass count 
-
trans fault count mac4a 
- -
macle 
res _pass_ count 
inter sol count 
- -
remaining_retries maclf 
access class 
-
pass_ state 
maclg 
heard 
Table 5-1: First Four Layer Reductions Applied on the First Half of the 
Component Processes 
62 
--- ·- -· ·-· ----- ----- ··-----· - ----------- ------- ---- ----- ----- ------ -- ------ ~-
,j 
'. 
any_send_pending 
send_pending_O maclh 
send_pending_2 mac2c 
power_ OK 
• macli 
in_ring_desired 
. 
first time mac3b 
-
• • maclj -, in _ring D 
·-
just had token 
- -
mac2d 
lowest address 
-
NS known maclk 
-
sole act st 
- -
• burst noise 
-
bus 
-
quiet macll 
,. 
NB BQ det mac2e 
- -
valid frame mac3c 
-
sil 
rx mac4b 
maclm 
FC 
TS_comp 
PS_comp 
macln 
NS 
TSPSNS 
Table 5-2: First Four Layer Reductions Applied on the Second Half of the 
Component Processes 
63 
-Structural Abstraction 
(0) : (I) 
(0) : (2) 
(I) : (2) 
(I) : (3) 
(I) : (4) 
(2) : (I) 
(2) : (3) 
(2) : (4) 
(2) : (5) 
(3) : (I) 
(3) : (2) 
(3) : (3) 
(3) (4) 
(3) (5) 
(4) : (2) 
(4) : (3) 
(4) : (5) 
(5) (1) 
(5) (2) 
(5) : (3) 
(5) : (4) 
WHEN acm?expire 
WHEN acm?hi_pri_token_hold_ time 
WHEN acm?hi_pri_token_hold_time 
WHEN acm!timeout 
WHEN acm?load token hold timer 
WHEN acm?expire 
WHEN acm!timeout 
WHEN acm?load token hold tirr1er 
WHEN acm?tar rot time 0 
WHEN acm?expire 
WHEN acm?hi_pri_token_ hold_time 
WHEN acm!timeout 
WHEN acm?load token hold timer 
WHEN acm?tar rot time 0 
- - -
WHEN acm?hi_pri_token_hold_ time 
WJIEN acm!timeout 
WHEN acm?tar rot time 0 
WHEN acm?expire 
WHEN acm?hi_pri_token_hold_time 
WHEN acm!timeout 
WHEN acm?load token hold timer 
Reduced Abstraction 
(0) (1) WHEN acm?expire 
(0) (2) WHEN acm?hi . token hold time . _pr1_ . 
- -(I) . (I) WHEN acm?expire • 
(I) • (2) WHEN acm!timeout • 
(I) (2) WHEN acm?hi • token hold time • pr1 • 
- - - -(I) • (4) WHEN acm?load token hold timer . 
(2) • (I) WHEN acm?expire • 
(2) (I) WHEN acm?tar rot time 0 
(2) (2) WHEN acm!timeout 
(2) (4) WHEN acm?load token hold timer 
(4) . (1) WHEN acm?tar rot time 0 • 
( 4) (2) WHEN acm!timeout 
( 4) (2) WJIEN acm?hi . token hold time _pr1 __ 
- -
Figure 5-1: Macla Obtained by Combining the Machines in Figure 4-1 
64 
-- ····--···-------------- ·----------···- .. - ----·· ·------·------- ·- .. .. --·· -
-··· -= 
tx 
ifm 
ACM 
mac2a 
mac4a 
maclg 
mac3b 
mac4b 
Table 5-3: 
. ' 
F 
I 
N 
A 
L 
mac5a M 
mac6 mac7 A 
C 
mac9 H 
macs I 
N 
mac5b E 
Last Six Layer Reductions ,.\.pplied to the Fourth Layer FSMs of 
the Analysis 
Referring back to Figure 5-1 on page 64, note that the Structural Abstrac-
tion machine supports one distinct state for each of the distinct state tran-
sitions. For example state " 1 " is reached only with the transition " 
acm ?expire " and no other states. This is valid for all the states so that every 
state is entered with one and only one distinct state transition. Hence, Struc-
tural Abstraction machine is always larger in size than the Reduced Abstraction 
machine. The Reduced Abstraction machine is the FSM that would normally be 
obtained according to conventional finite state machine theory. PAV outputs 
this machine every time it runs, in addition to the Structural Abstraction 
machine. However, PAV operates correctly only \V hen Structural, but not 
Reduced Abstraction machines are input to it. Of course, this is a deficiency of 
PAV since the input files are bigger than they would need to be if the Reduced 
65 
-------------------------------------- - -------
Abstraction machines were used as inputs. This can be observed in Figure 5-1 
where it is seen that the Reduced Abstraction machine has one less state and a 
smaller number of transitions when compared to the Structural Abstraction 
machine. It is a deficiency because even though both the Reduced and Struc-
tural Abstraction machines carry the same information, PAV is using the larger 
version as its input. PAV always introduces this simpler version, i.e. the 
Reduced Abstraction, in the output file. However, when Reduced Abstraction 
machines are input to PAV, it does not give a completely correct output. In 
such cases it tends to forget some of the state transitions and forms some dead-
lock states in the output file which will create problems in the next step reduc-
tion. Because of this limitation, Structural Abstraction machines are used 
throughout the successive reduction analysis. 
For this same reason, all of the initial forty_four input processes are en-
larged in order to convert them to Structural Abstraction form. This is ach-
ieved by splitting all states which are reached with more than one state tran-
sition as shown in Figure 5-2 on page 67. The method used is the opposite 
process of merging equivalent states in the finite state machine theory. As 
demonstrated in Figure 5-2, the number of states formed to represent one such 
state is equal t.o the number of input transitions to that state - two in the ex-
ample. Each of these newly formed states is equivalent to the originating state 
and they all support the same output transitions. Figure 5-2 demonstrates a 
very simple exarr1ple of this method. State " a " in case (a) is split into two 
equivalent states " a1 " and " a2 " in (b) in order to avoid having the two in-
put transitions " x1 " and " x2 " enter the same state. If this is not done, 
66 
·- ------· -•·-- -- -··--- ------- - --· ------
PAV defines only the output transitions from the state it enters with " X " 1 
and forgets to specify the transitions from the one it enters with " x2 ". The 
reason for this is that it forms a unique state for every distinct IO operation, 
but does not reconsider the states it has analyzed once even though that state 
is reached more than once, over different paths, with different state transitions. 
If there is more than one input transition to a specific state, PAV only takes 
care of one of them and forms deadlocked states for all the other state tran-
sitions. However, this problem can be avoided by using case (b) where more 
states are used to represent a state with more than one input transition. Of 
course this causes a major increase in the sizes of the input processes. 
Figure 5-2: 
------------ - -------- -------
a 
(a) (b) 
Method for Converting the Reduced Abstraction form to the 
Structural Abstraction form 
67 
------ ---- -
This limitation results from PA V's marking the states it enters once and 
not analyzing them again if it reenters those states. Therefore, the user has to 
avoid going to any state with more than one input state transition. This is a 
limitation which will require some algorithmic changes in PAV for correction. 
Appendix A contains the reduced forms of all the component processes to 
make it easy for the reader to understand their main operation. During the real 
analysis, all the machines had to be enlarged to accommodate the limitation ex-
plained above. 
During the analysis the successive steps in composing and grouping are 
determined according to the reasoning explained in the previous pages. That is, 
like machines or interacting machines are gathered and combined. As higher 
steps are reached, the number of machines to be combined is reduced and they 
get simpler. For example, mac6 in Table 5-3 on page 65 is actually the resul-
tant machine obtained by composing nineteen machines. When mac6 is to be 
combined with ACM to form the next layer FSM, ACM interchanges messages 
with only one machine instead of nineteen. For example, instead of asking the 
status of many of these machines separately using different transitions, ACM 
now needs to use only one state transition " mac6!status " for the same pur-
pose. Hence the number of machines ACM communicates with, and the number 
of distinct transitions to and from A CM ( that is the IO list in the PSL descrip-
tion of ACM) decrease considerably. As a consequence, ACM which is a very 
large FSM in the initial model, becomes simpler. This causes the next step com-
position process to be a lot easier than it would be in a one-step reduction. 
68 
·--·-· -• ·-~-------· ·--
, 
During this ten step reduction, PAV had to be compiled many times be-
cause certain machines in the input file for each combining process needed larger 
limits for certain variables and arrays and this required reducing some others in 
order to succeed in compilation. Using the gradual reduction method it was 
possible to obtain the final reduced machine. This would have been impossible 
to get in a one step composition using the CDC CYBER 850 because of the 
complexity of the protocol. 
69 
- ----- ·---
------··--···· -
t 
-------
-------
-------
-----
-- -·----
- --- . 
Chapter 6 
CONCLUSIONS 
6.1 Results and Concl11sions 
The research described in this thesis was con
cerned with analysis and 
verification of the IEEE Std. 802.4 token-passing
 bus access protocol [20] using 
the Protocol Analyzer and Verifier (PAV) package creat
ed by Sabnani and 
Lapone [19]. The complexity of the protocol and the inpu
t requirements of PAV 
resulted in a large model with several finite s
tate machines, rnany having a 
large nurnber of states. The large number of s
tates required the model to be 
separated into groups and the analysis procedure 
done in steps. 
After modeling the protocol and translating 
the model into Protocol 
Specification Language (PSL) [19], like machines and machines with ma
ny inter-
actions were grouped. The analysis procedure w
as then applied to each group 
separately and a second analysis carried out o
n groups of machines obtained 
from the first level analysis. These machines wer
e regrouped and analyzed in the 
same manner as in the first analysis. This p
rocess was repeated till all the 
machines had been combined and a single out
put obtained. The final output 
reflects the behavior of the protocol with respect
 to the user processes. It shows 
all the possible orders of the input/output ope
rations to and from users that 
can occur within the operation of the protocol. 
As a result of this verification process the 
token bus medium access 
protocol was verified to be syntactically and func
tionally correct and free of any 
70 
---
---
---
---
---
---
---
-~---·
------
' I 
' 
--
dead]ock or ]ive]ock situations. This study showed one more time the robustness 
and reliability of the protocol which is being widely used in computer networks. 
This study is not a performance analysis. It does not study delay and 
throughput conditions. It is a study done to precise]y define a large protocol 
like 802.4 and, using PAV, to check for the correctness and reliability of that 
specific protocol. The software tool, PAV which was used for the analysis, is a 
package specifically designed for this kind of syntactic verification purposes. 
The main objective of this study was to show that it is possible to verify 
very ]arge size protocol models using the right tool and a carefully planned ap-
proach. As a result of this study, we conclude that PAV can be used in the 
verification of realistic protocols, even those which are unusually complEx and 
large. No matter how big the protocol is a systematic approach such as 
described in this thesis can be utilized for its verification. 
Another conclusion reached is that a step by step analysis considerably 
reduces the analysis time required for each group when compared to a one step 
reduction process. The analysis time in each combining procedure directly in-
creases with the number of machines to be combined and the number of state 
transitions that take place within the component processes. This is one of the 
important factors that make the subsequent reduction approach very practical 
and attractive. 
71 
It should be noted that for every analysis procedure the number of states 
of the output Structural Abstraction machine is dependent on the number of 
specific input/ output operations by the user processes. This helps the analyst in 
understanding the output machine and checking its functional logic. 
PAV is very useful for the analysis and verification of protocols. However, 
some modifications are needed to make PAV more efficient and user friendly. 
First, since merging equivalent states is a major concern in finite state machine 
theory, it wou Id be beneficial for PAV to the follow the same principle. This 
way the machines input to PAV can be much simpler and smaller in size. Un-
fortunately PAV uses an opposite approach. In its input file, instead of one 
merged equivalent state PAV needs forrnation of separate equivalent states for 
each distinct input transition to that merged state. This procedure is the op-
posite of merging and a limitation because it causes a considerable enlargement 
in the number of states of the FSMs in the model, as explained in Chapter 5. 
It also causes an increase in the analysis time and the number of groups 
formed. In order to avoid this deficiency and make PAV more efficient, some al-
gorithmic changes might be required. 
To be more user friendly PAV should have more "' warn and exit " state-
rr1ents. With these statements PAV would inform the user whenever one of the 
limits in the program is exceeded due to excessive input values, and stop the 
execution at that point. Because of some C language characteristics, there are 
cases where PAV refers to unrelated addresses in the memory when there is a 
limit exceeded due to such excessive inputs. In those cases, PAV keeps running 
72 
------· -·----- --
until it arrives at an address value outside the main frame's memory limit and 
the execution is terminated by the computer. At that point it is very hard to 
trace back to the origin of the problem and understand which variable is over-
flowing. The number, size and character of each group of machines to be 
analyzed are variable for each group. For that reason, it is not possible to use 
one specific PAV compiled with certain limits, for all combination of machines 
to be analyzed. PAV may need to be recompiled before analyzing a group of 
machines as some variables may become more important due to the character of 
the machines combined. It is difficult to estimate in advance which variables are 
dominant and have to be increased. This is specific to each machine group be-
ing reduced. While increasing the limits on some variables other limits may 
have to be decreased in order not to exceed any limits again. Unfortunately, it 
is not possible to compile PAV with every critical value increased sufficiently, 
because of excessive memory allocation required during compilation. 
The analysis done in this thesis, for the verification of the IEEE Std. 
802.4 [20], which is a very large and complex protocol, was a helpful exercise in 
using PAV. This was actually one of the main goals of the thesis. Further use 
of PAV in other applications will be useful in further understanding and might 
provide ideas for improvement of the package. 
In summary, PAV provides a very useful systematic tool for the verifica-
tion of large protocols. No matter how large the protocol is, verification is pos-
sible by performing a step by step analysis as described in this thesis. Verifica-
tion of the IEEE Std. 802.4 token-passing bus medium access control protocol 
via PAV, as studied in this thesis, is one example of this. 
73 
---·--····-----
-------··· ·- ·-
- -------·----·· - --------------··· - -
' l 
. ,
--
References 
[ 1] R. E. Rusbridge and A. Langsford, " Formal representation of protocols for 
computer networks, " Report AFRE-R-7826, UKAEA, Harwell, England, 20p, 
December 197 4. 
[2] C. V. Bachmann, " Finite state description of communication protocols, " 
Proc. Comput. Network Protocols Symp., Univ. of Liege, pp. F3-1 to F3-11, 
February 1978, and Comput Networks, 2, 4/5, pp. 361-372, October 1978. 
[3] C. A. Sunshine, " Formal techniques for protocol specification and verifica-
' tion, " Computer, vol.12, no.9, pp. 20-27, September 1979. 
[4] C. V. Bachmann and C. A. Sunshine, " Formal methods in communication 
protocol design, " IEEE Trans. Commun., vol. COM-28, no.4, pp.624-631, 
April 1980. 
[5] P. M. Merlin, " A methodology for the design and implementation of 
protocols, " IEEE Trans. Commun., vol. COM-24, no. 5, pp. 614-621, June 
1976. 
[6] P. M. Merlin, " Specification and validation of protocols, " IEEE Trans. 
Commun., Vf>l. COM-27, no. 11, pp. 1671-1680, November 1979. 
[7] A. A. S. Danthine, " Petri nets for protocol modeling and verification, " 
Proc. Comput. Networks and Teleprocessing Symp., Budapest, Hungary, 
vol.2, pp. 663-685, October 1977. 
[8] P. Zafiropulo, " Protocol validation by duologue-matrix analysis, " Proc. In-
tern. Commun. Conf., Chicago, pp. 259-263, June 1977, and IEEE Trans. 
Commun., vol. COM-26, August 1978. 
[9] C. H. West, " General technique for communication protocol validation, " 
IBM J. Res. Dev., vol. 22, no. 4, pp. 393-404, July 1978. 
[10] C. H. West, " An automated technique of communications protocols valida-
tion, " IEEE Trans. Commun., vol. COM-26, no. 8, pp. 1271-1275, August 
1978. 
[ 11] H. Rudin, C. H. West, and P. Zafiropulo, " Automated protocol validation: 
One chain development, " Proc. Comput. Network Protocols Symp., Univ. of 
Liege, pp. F4-l to F4-6, February 1978, and Comput Networks, 2, 4/5, pp. 
373-380, October 1978. 
[12JS. S. Lam and A. U. Shankar, " Protocol verification via projections, " 
IEEE Trans. Software Eng., vol. SE-10, no.4, pp. 325-342, July 1984. 
[13] B. T. Hailpern and S. Owicki, " Modular verification of computer com-
munication protocols, " IEEE Trans. Commun., vol. COM-31, no. 1, pp. 
56-68, January 1983. 
[14] H. P. Lin, " Protocol verification via module integration, " IEEE INFOCOM 
'87, conference on Comp. Commun., San Francisco, session no. W 4B, pp. 
701-710, April 1978 . 
74 
------··- - .... ··--·-· 
• 
( [15JJ. F. Kurose and Y. Yemini, " The specification and verification of a con-
nection establishment protocol using temporal logic, " Protocol Specification, 
Testing and Verification, 2 (ed. C. A. Sunshine), North-Holland Publishing 
Company, pp. 43-62, 1982. 
[16] K. Sabnani and M. Schwartz, " Verification of a multidestination protocol 
using temporal logic, " Protocol Specification, Testing and Verification, 2 
(ed. C. A. Sunshine), North-Holland Publishing Company, pp. 21-42, 1982. 
[ 17] J. Hajek, " Automatically verified data transfer protocols, " Proc. Fourth 
ICCC, pp. 749-756, September 1978. 
[18]J. Hajek, " Protocols verified by Approver, " Computer Communication 
Review, vol. 9, pp. 32-34, January 1979. 
[19] K. Sabnani and A. Lapone, " PAV-Protocol Analyzer and Verifier, " 
Protocol Specification, Testing and Verification, 6 ( eds. B. Sarikay a and 
G. Bachmann), North-Holland Publishing Company, pp. 29-34, 1986. 
[20] ANSI/IEEE Standard, Token-Passing Bus Access Method, Institute of 
Electrical and Electronics Engineers, Inc., vol. Std. 802.4-1985, 1985. 
[21] J. Y. Chien, " Performance analysis of the 802.4 token bus media access 
control protocol, " Proc. Workshop on Analytic and Simulation Modeling of 
IEEE 802.4 Token Bus LANs, NBS, April 1985. 
[22] J. R. Pimentel, " Performance simulation of the IEEE token passing bus 
protocol using SIMAN, " Proc. Workshop on Analytic and Simulation 
Modeling of IEEE 802.4 Token Bus LANs, NBS, April 1985. 
[23] K. H. Muralidhar and J. R. Pimentel, " Performability analysis of the token 
bus protocol, " IEEE INFOCOM '87, conference on Comp. Commun., San 
Francisco, session no. Tl B, pp. 55-63, April 1987. 
[24] C. A. R. Hoare, " Communicating sequential processes, " Communication of 
the ACM, vol. 21, no.8, pp.666-667, August 1978. 
[25] U.S. Department of Commerce, National Bureau of Standards, " Implemen-
tation Agreements for Open Systems Interconnection Protocols, " NBS 
Workshop for Implementors of Open Systems Interconnection, 14lp, July 
1986. 
[26] K. Sabnani, Private Communication. 
75 
-· --- -- ···- - - ·- -- ---··--- - -·--·· ~- -----·------------------ --------------------------··- -------- --·--- -- ----···-- --- - ------. - . . . -
Appendix A 
PSL Descriptions of the Component 
Processes 
76 
,. 
j 
' 
"• - Logical AND, + - Logical OR" 
PROCESS tx; 
STATES 0, 1, 2, 3, 4, 6, 6, 7, 8, 9, 10, 11, 12, 13; 
IO ACM?token_DA_NS, ACM?res_con, ACM?set_succ_DA_PS_du_NS, phy!res_con, 
ACM?sdu suppFCS, ACM?set succ DA TH du TS, ACM?sol succ 1 DA NS, 
ACM?sol-succ 2 DA NS, ACM?sol-succ 2 DA TS, ACM?who follows du NS, 
ACM?claTm token w-du 0 slottl: ACM?cTaim token w du-2 slottT, -
ACM?claim-token-w-du-4-slottl, ACM?claim-token-w-du-6-slottl, 
phy!token=DA_NS~ phy!set_succ_DA_PS_du_NS, phy!set_succ_DA_TH_du_TS, 
phy!sdu suppFCS, phy!sol succ 1 DA NS, phy!sol succ 2 DA NS, 
phy!sol-succ 2 DA TS, phy!who-fol lows du NS, - - - -
phy!claTm token w-du 0 slott1: phy!claim-token w du 2 slottl, 
phy!claim-token-w-du-4-slottl, phy!claim-token-w-du-6-slottl; 
INITIAL STATE 0; - - - - - - - - -
TRANSITIONS 
0:1 WHEN ACM?token DA NS, 
0:2 WHEN ACM?res con,-
0:3 WHEN ACM?set-succ DA PS du NS, 
0:4 WHEN ACM?set-succ-DA-TH-du-TS, 
0:5 WHEN ACM?sdu=suppFcs: - -
0:6 WHEN ACM?sol succ 1 DA NS, 
0:7 WHEN ACM?sol-succ-2-DA-NS, 
0:8 WHEN ACM?sol-succ-2-DA-TS, 
0:9 WHEN ACM?who-fol lows du NS, 
0:10 WHEN ACM?claim token w-du 0 slottl, 
0:11 WHEN ACM?claim-token-w-du-2-slottl, 
0:12 WHEN ACM?claim-token-w-du-4-slottl, 
0:13 WHEN ACM?claim token=w=du=6=slottl, 
1:0 WHEN phy token DA NS, 
2:0 WHEN phy res_con,-
3:0 WHEN phy set_succ_DA_PS_du_NS, 
4:0 WHEN phy set succ DA TH du TS, 
5:0 WHEN phy sdu=suppFcs: - -
6:0 WHEN phy sol succ 1 DA NS, 
7:0 WHEN phy.sol-succ-2-DA-NS, 
8:0 WHEN phy!sol-succ-2-DA-TS, 
9:0 WHEN phy!who-fol lows du NS, 
10:0 WHEN phy!claim token w-du 0 slottl, 
11:0 WHEN phy!claim-token-w-du-2-slottl, 
12:0 WHEN phy!claim-token-w-du-4-slottl, 
13:0 WHEN phy!claim_token=w=du=6=slottl. 
PROCESS ifm; 
STATES 0, 1, 2; 
IO ACM!sig received, ACM?dist ACM error, stmgm!dist ACM error, 
ACM?send pending frame, ACij!queue0_sdu_suppFCS, - -
ACM!queue2_sdu_suppFCS; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM!sig received, 
0:1 WHEN ACM?dist ACM error, 
0:2 WHEN ACM?send-pending frame, 
1:0 WHEN stmgm!dist ACM error, 
2:0 WHEN ACM!queue0=sdu=suppFCS + ACM!queue2_sdu_suppFCS. 
PROCESS ACM; 
STATES I, 11, 12, I3, 14, I5, 16, I7, 1, 11, 111, 112, 113, 114, 116, 
116, 117, 118, 119, 12, 121, 122, 123, 124, 125, 126, 127, 128, 
129, 13, 131, 132, 133, 134, 14, 141, 142, 143, 144, 145, 146, 
147, 148, 149, 15, 151, 152, 153, 164, 165, 166, 157, 168, 169, 
16, 161, 162, 163, 17, 171, 172, 173, 174, 176, 18, 181, 182, 183, 
184, 186, 186, 187, 188, 19, 191, 192, 193, 194, 196, 196, 197, 
198, 199, 2, 21, 22, 23, 24, 26, 3, 31, 32, 321, 33, 34, 36, 361, 
36, 361, 362, 363, 364, 37, 38, 381, 39, 391, 392, 393, 394, 396, 
4, 41, 42, 43, 44, 46, 46, 6, 61, 611, 612, 613, 614, 62, 63, 64, 
77 
. -·----------·····--
-- ---··-------- ------------ ------- -- --·- -- .. ------- ---------·----·- -·-·--· - .. ·-
66, 66, 67, 68, 6, 61, 62, 63, 631, 64, 641, 642, 643, 644, 66, 
66, 67, 671, 672, 68, 681, 69, 7, 71, 711, 712, 72, 73, 731, 74, 
741, 742, 743, 744, 76, 761, 762, 763, 76, 761, 77, 771, 78, 79, 
8, 81, 82, 83, 84, 86, 861, 862, 863, 86, 87, 871, 872, 88, 881, 
882, 89, 891, 892, 893, 9, 91, 92, 93, 94, 96, 96, 97, 971, 98, 
981, 982, 99, F, Fl, Fll, Fl2, F13, Fl4, F16, Fl6, F2, F21, F3, 
F31, F32, F33, F4, F6, F61, F6, F61, F62, F63, F64, F65, F66, F7, 
F71, F72, F8, F81, F82, F9, F91, F92, F93; 
IO stmgm?MA !NI PRO req, power OK!status, power OK?true, power OK?false, 
cdu?0, stmgm!turn power on,-stmgm!MA !NI PRO-conf, in ring!status, 
NS!false, in ringTfalse: in ring!true, in ring?true, in ring?false, 
stmgm!res overdue, pass state?sol any, trans fault count!status, 
trans fault count?LTmtfc, trans fault count?mtfc, trans fault count!0, 
trans:fault=count!inc, stmgm!new_succ: stmgm!dup_add, stmgm!faulty_tr, 
I owest address! status, I owest address! true, I owe st address! fa I se, 
lowest-address?true, lowest address?false, stmgm!no succ, cdu?2, 
NS known!status, NS known!false, NS known!true, NS known?true, cdu?4, 
NS-known?false, just had token!status, comp?0, just had token!true, 
just had token!false: just had token?true, just had-token?false, 
sole-act-st!status, sole act st!false, sole act-st!true, FC!status, 
sole-act-st?true, sole act st?false, FC?token, FC?claim token, cdu?6, 
FC?set succ, FC?sol succ 1~ FC?sol succ 2, FC?res con, FC?who fol lows, 
bus idle timer!start, bus idle timer?timeout, noise burst!status, 
noise burst!false, noise burst?true, noise burst?faTse, comp?l, 
rx?rx-data frame, rx?rx pro frame, TSPSNS!send SA, TSPSNS!send DA, 
TSPSNS!send du, TS comp?TSLT, TS comp?TSGT, TS-comp?TSEQ, comp?2, 
bus quiet!status, bus quiet?true: bus quiet?faTse, comp?3, FC!false, 
in ring desired!status, in ring desired?true, in ring desired?false, 
TSPSNS!·send NS du, inter sol count!status, TSPSNS!send PS comp du, 
inter sol count!dec, inter sol count!0, inter sol count!max isc, 
stmgm!sdu: inter sol count?0, inter sol count?GT0: heard!noth, 
any send pendingTstatus, any send pending?true, heard!succ, 
any-send-pending?false, TSPSNS!send NS DA, PS comp?PSEQ, PS comp?PSLT, 
PS comp?PSGT, TSPSNS!send NS DA, heardTstatus: token rot timer!expire, 
token rot timer! load token hold timer, heard!col I, rmtr timer!start, 
token-rot-timer!tar rot time 0,-token rot timer?timeout: heard?succ, 
rmtr timer!status, rmtr-timer?timeout: rmtr timer?not expired, 
rmtr-timer?expired, contend pass count!status, contention timer!0, 
contend pass count?LTmpc, contend pass count!0, contention timer!l, 
contend-pass-count!inc, contend pass count?mpc, contention-timer!2, 
contention tTmer?timeout, contention-timer!3, TSPSNS!send PS comp SA, 
access class?0, access class?2, access class!status, heard?noth, -
access-class?ring main: access class!dec, access class!2, heard?col I, 
token hol timer!hT pri token hold time, token hoT timer?timeout, 
claim-pass count!status, claim pass count!inc: claim pass count!l, 
claim-pass-count?LTmpc, claim pass count?mpc, rx?no res req, 
tx!claim token w du 6 slottl,-tx!cTaim token w du 4-slottl, 
tx!claim-token-w-du-2-slottl, tx!claim-token-w-du-0-slottl, 
tx!token-DA Ns: claim-timer!start, send pending 2Tstatus, tx!res con, 
send pending 0!status: send pending 2?false, send pending 0?false, 
send-pending-2?true, ifm?sig rec, send pending 0?true, -
ifm!send pending frame, ifm?queue2 sdu-suppFcs: claim timer?timeout, 
ifm?queue0 sdu suppFCS, remaining retries?GT0, remaining retries!dec, 
remaining retries!2, remaining retries!status, remaining-retries?0, 
tx!sdu suppFCS, tx!set succ DA-TH du TS, tx!set succ DA PS du NS, 
tx!sol-succ 1 DA NS, tx!sol-succ 2 DA NS, tx!soT succ 2-DA-rs: 
tx!who-fol 1;ws du NS, pass stateTsucc: first time!false: -
res window timer!l, res window timer!2, res window timer!3, 
first time?false, res window timer!4, res window timer?timeout, 
pass state?rep pass token, ifm!dist ACM error, pass state!sol succ, 
first time!status, first time!true,-pass state!sol any, -
pass state!pass token, pass state?total failure, pass state!status, 
pass-state?pass-token, pass-state?send who fol lows, res pass count!0, 
pass-state?sol succ, pass state?rep who follows, res pass count!inc, 
token pass timer?timeout,-token pass timer!l, token pass timer!4, 
res pass count!status, res pass-count?LTmpc, res pass count?mpc, 
- - -
- -
-
78 
.. ··.,--. ----------------
; 
,, 
a 
res pass count?0, first time?true; 
INITIAL STATE I; -
TRANSITIONS 
I:Il WHEN stmgm?MA INI PRO req, 
Il:I2 WHEN power OK!status: 
I2:I3 WHEN power-OK?false, 
I2:I4 WHEN power-OK?true, 
I3:Il WHEN stmgmTturn power on, 
I4:I6 WHEN stmgm!MA INI PRO-conf • in_ring!false • trans_fault_count!0 • 
lowest address!false, 
16:16 WHEN stmgm!no succ • NS known!false • NS!false, 
I6:I7 WHEN just had-token!false • sole act st!false, 
I7:1 WHEN bus idle timer!start, - -
1:11 WHEN rx?rx data frame, 
1:12 WHEN rx?rx-pro frame, 
1:116 WHEN noise burst!status, 
1:182 WHEN bus idle timer?timeout, 
11:111 WHEN TSPSNS!send SA, 
111:1 WHEN TS_comp?TSLT-+ TS_comp?TSGT, 
111:112 WHEN TS comp?TSEQ, 
112:113 WHEN just had token!status, 
113:114 WHEN just-had-token?true, 
113:117 WHEN just-had-token?false, 
114:!7 WHEN FC!false,-
116:1 WHEN noise burst?false, 
116:116 WHEN noise burst?true, 
116:!7 WHEN noise burst!false, 
117:I WHEN stmgm!dup add, 
118:119 WHEN FC!status, 
119:145 WHEN FC?who fol lows, 
119:149 WHEN FC?token + FC?claim token+ FC?set succ + FC?sol succ 1 + 
FC?sol succ 2 + FC?res_con, 
12:121 WHEN TSPSNS!send_SA, 
121:112 WHEN TS comp?TSEQ, 
121:122 WHEN TS comp?TSLT, 
121:124 WHEN TS-comp?TSGT, 
122:123 WHEN TSPSNS!send DA, 
123:126 WHEN TS_comp?TSEQ, 
123:14 WHEN TS comp?TSLT, 
123:141 WHEN TS_comp?TSGT, 
124:125 WHEN TSPSNS!send_DA, 
126:118 WHEN TS comp?TSLT, 
126:126 WHEN TS=comp?TSEQ, 
126:14 WHEN TS comp?TSGT, 
126:127 WHEN FC!status, 
127:128 WHEN FC?set succ, 
127:146 WHEN FC?who-fol lows, 
127:172 WHEN FC?token, 
127:149 WHEN FC?claim token+ FC?sol succ 1 + FC?sol succ 2 + 
FC?res con, 
128:129 WHEN TSPSNS!send NS du, 
129:13 WHEN TSPSNS!send_du,-
13:131 WHEN TS comp?TSGT, 
13:132 WHEN TS=comp?TSLT, 
13:134 WHEN TS comp?TSEQ, 
131:133 WHEN lowest address!false, 
132:133 WHEN lowest-address!true, 
133:!6 WHEN inter sol count!0 • FC!false • NS known!true • 
stmgmTnew-succ, 
134:16 WHEN inter sol-count!0 • FC!false, 
14:143 WHEN FC!status: 
141:142 WHEN FC!status, 
142:144 WHEN FC?sol succ 1 + FC?sol succ 2, 
142:146 WHEN FC?who-fol lows, - -
142:149 WHEN FC?set-succ + FC?token + FC?claim token+ FC?res_con, 
143:144 WHEN FC?sol-succ 2, 
- -
79 
------------------------·----· 
I 
143:146 WHEN FC?who fol lows, 
143:149 WHEN FC?set-succ + FC?sol succ 1 + FC?token + FC?claim token+ 
FC?res-con, 
144:16 WHEN in ring-desired!status, 
145:146 WHEN TSPSNS!send PS comp du, 
146:147 WHEN PS_comp?PSEQ, - -
146:149 WHEN PS comp?PSGT + PS comp?PSLT, 
147:148 WHEN in=ring!status, -
148:149 WHEN in ring?false, 
148:17 WHEN in_ring?true, 
149:!6 WHEN FC!false, 
15:161 WHEN in_ring_desired?false, 
15:153 WHEN in ring desired?true, 
151:152 WHEN any send pending!status, 
152:149 WHEN any-send-pending?false, 
152:153 WHEN any=send=pending?true, 
153:154 WHEN in_ring!status, 
154:155 WHEN in_ring?false, 
154:161 WHEN in_ring?true, 
155:156 WHEN TSPSNS!send_NS_DA, 
156:157 WHEN TSPSNS!send DA, 
157:158 WHEN TS_comp?TSEQ + TS_comp?TSGT, 
157:159 WHEN TS_comp?TSLT, 
158:16 WHEN lowest_address!false, 
159:16 WHEN lowest address!true, 
16:161 WHEN token rot timer!expire • rmtr timer!start, 
161:162 WHEN just-had-token!false • FC!false • sole act st!false • 
inter soT count!0 • contend pass countT0 .-
TSPSNS!send SA, - -
162:163 WHEN TS comp?TSEQ + TS comp?TSGT, 
162:171 WHEN TS-comp?TSLT, -
163:2 WHEN contention timer!l, 
17:171 WHEN FC!false; sole act st!false • just had token!false • 
inter sol countT0 .-contend pass count!0, 
171:2 WHEN contention-timer!0, - -
172:173 WHEN in ring!status, 
173:149 WHEN in-ring?false, 
1 7 3 : 1 7 4 WHEN ·, n - r i n g? true , 
174:175 WHEN sole act st!false, 
175:18 WHEN FC!false,-
18:181 WHEN TSPSNS!send PS comp SA, 
181:5 WHEN access class!2; token hol timer!hi pri token hold time, 
182:183 WHEN bus quiet!status, - - - - - -
183:1 WHEN bus q~iet?false, 
183:184 WHEN bus quiet?true, 
184:185 WHEN sole act st!status, 
186:186 WHEN sole-act-st?true, 
186:191 WHEN sole-act-st?false, 
186:187 WHEN any send-pending!status, 
187:188 WHEN any-send-pending?false, 
187:193 WHEN any=send=pending?true, 
188:19 WHEN stmgm!no succ, 
19:17 WHEN in ring!false • lowest address!false • NS known!false • 
NSTfalse, -
191:192 WHEN in ring desired!status, 
192:187 WHEN in-ring-desired?false, 
192:193 WHEN in=ring=desired?true, 
193:194 WHEN claim pass count!l, 
194:195 WHEN cdu?6~ -
194:196 WHEN cdu?4, 
194:197 WHEN cdu?2, 
194:198 WHEN cdu?0, 
195:199 WHEN tx!claim token w du 6 slottl, 
196:199 WHEN tx!claim-token-w-du-4-slottl, 
197:199 WHEN tx!claim-token-w-du-2-slottl, 
198:199 WHEN tx!claim-token=w=du=0=slottl, 
80 
I 
! 
'• 
•' 
I 
199:4 WHEN claim timer!start, 
2:1 WHEN rx?rx pro frame+ rx?rx data frame, 
2:21 WHEN noise burst!status, - -
21:1 WHEN noise-burst?true, 
21:22 WHEN noise burst?false, 
22:23 WHEN bus quiet!status, 
23:2 WHEN bus quiet?false, 
23:24 WHEN bus quiet?true, 
24:26 WHEN contention timer?timeout, 
26:3 WHEN tx!set succ-DA TH du TS• bus idle_timer!start, 
3:1 WHEN rx?rx data frame, 
3:31 WHEN rx?rx pro-frame, 
3:36 WHEN noise=burst!status, 
31:32 WHEN FC!status, 
32:1 WHEN FC?claim token+ FC?who fol lows+ FC?sol succ 1 + 
FC?sol_succ_2, 
32:321 WHEN FC?set succ, 
32:33 WHEN FC?res con, 
32:37 WHEN FC?token, 
321:3 WHEN FC!false, 
33:34 WHEN FC!false • contend_pass_count!inc, 
34:163 WHEN comp?2, 
34:171 WHEN comp?3, 
34:36 WHEN comp?0, 
35:351 WHEN comp?l, 
36:2 WHEN contention timer!3, 
351:2 WHEN contention_timer!2, 
36:361 WHEN noise burst?false, 
36:364 WHEN noise-burst?true, 
361:362 WHEN bus quiet!status, 
362:3 WHEN bus_quiet?false, 
362:363 WHEN bus quiet?true, 
363:1 WHEN bus idle timer?timeout, 
364:3 WHEN noise burst!false, 
37:38 WHEN TSPSNS!send_DA, 
38:381 WHEN TS comp?TSEQ, 
38:39 WHEN TS comp?TSLT + TS comp?TSGT, 
381:176 WHEN trans fault count!0 • stmgm!new succ, 
39:391 WHEN contend pass-count!status, -
391:1 WHEN contend pass count?LTmpc, 
391:392 WHEN contend pass count?mpc, 
392:393 WHEN trans fault count!status, 
393:394 WHEN trans-fault-count?LTmtfc, 
393:396 WHEN trans-fault-count?mtfc, 
394:17 WHEN trans fault count! inc, 
396:l WHEN stmgm!faulty-tr, 
4:41 WHEN claim timer?tTmeout, 
41:42 WHEN bus quiet!status, 
42:I7 WHEN bus-quiet?false, 
42:43 WHEN bus-quiet?true, 
T 43:44 WHEN claim pass count!status, 
44:45 WHEN claim-pass-count?mpc, 
44:46 WHEN claim-pass-count?LTmpc, 
45:181 WHEN in ring!true • inter sol count!0 • 
token rot timer!expire .-rmtr timer!start, 
46:194 WHEN claim-pass count! inc, -
5:51 WHEN access classTstatus, 
5:58 WHEN token hol timer?timeout, 
51:511 WHEN access class?2, 
51:52 WHEN access class?0, 
51:7 WHEN access class?ring main, 
611:512 WHEN send pending 2!status, 
512:613 WHEN send-pending-2?true, 
612:68 WHEN send pending 2?false, 
513:514 WHEN ifmTsend pending frame, 
613:68 WHEN token_hol=timer?tTmeout, 
81 
---~------··-------------. - -· .- - - - - . -----·---------·----·-------------·--··· --------·---·--------------,-, 
614:66 WHEN ifm?queue2 sdu suppFCS, 
62:63 WHEN send pending 0!status, 
63:64 WHEN send-pending-0?true, 
63:68 WHEN send-pending-0?false, 
64:66 WHEN ifm!send pending frame, 
64:68 WHEN token hoT timer?timeout, 
66:66 WHEN ifm?queue0 sdu suppFCS, 
56:67 WHEN remaining_retrTes!2 • tx!sdu_suppFCS, 
57:6 WHEN res window timer!3, 
58:7 WHEN access class!dec, 
6:61 WHEN noise burst!status, 
6:63 WHEN rx?rx-pro frame, 
6:64 WHEN rx?rx-data frame, 
6:6 WHEN rx?no res req + ifm?sig rec, 
6:67 WHEN bus quiet!status, -
61:6 WHEN noise burst?false, 
61:62 WHEN noise burst?true, 
62:6 WHEN noise burst!false, 
63:631 WHEN TSPSNS!send SA, 
631:644 WHEN TS comp?TSLT + TS_comp?TSGT, 
631:65 WHEN TS comp?TSEQ, 
64:641 WHEN TSPSNS!send SA, 
641:642 WHEN TS_comp?TSLT + TS_comp?TSGT, 
641:65 WHEN TS comp?TSEQ, 
642:643 WHEN TSPSNS!send DA, 
643:644 WHEN TS comp?TSLT + TS comp?TSGT, 
643:66 WHEN TS comp?TSEQ, -
644:1 WHEN ifm!dist ACM error, 
65:6 WHEN FC!false,- -
66:6 WHEN stmgm?sig rec, 
67:6 WHEN bus quiet?false, 
67:671 WHEN bus quiet?true, 
671:672 WHEN res window timer?timeout, 
672:68 WHEN remaTning retries!status, 
68:681 WHEN remaining-retries?GT0, 
68:69 WHEN remaining retries?0, 
681:57 WHEN remaining retries!dec • tx!sdu_suppFCS, 
69:5 WHEN stmgm!res o;erdue, 
7:71 WHEN access_class!status, 
71:711 WHEN access class?0, 
71:72 WHEN access class?ring main, 
711:712 WHEN token rot timerTload token hold timer, 
712:5 WHEN token_rot_tTmer!tar_rot_time=0, 
72:73 WHEN NS known!status, 
73:731 WHEN NS known?false, 
73:74 WHEN NS known?true, 
731:79 WHEN pass state!sol any, 
74:741 WHEN inter sol count!status, 
741:742 WHEN inter sol count?0, 
741:76 WHEN inter sol count?GT0, 
742:743 WHEN rmtr-timer!status, 
743:744 WHEN rmtr-timer?not expired, 
743:76 WHEN rmtr_timer?expired, 
744:79 WHEN pass state!sol succ, 
75:751 WHEN in rTng desired!status, 
761:752 WHEN in ring desired?false, 
761:76 WHEN in ring desired?true, 
762:753 WHEN any send pending!status, 
753:76 WHEN any send pending?true, 
763:77 WHEN any-send-pending?false, 
76:761 WHEN pass state!pass token• inter_sol_count!status, 
761:78 WHEN inter sol count?GT0, 
761:79 WHEN inter-sol-count?0, 
77:771 WHEN tx!set succ DA PS du NS• in ring!false • 
NS known!faTse-. NS!false. stmgm!no_succ, 
771:8 WHEN pass_state!pass_token, 
82 
·------·- - -··--·---· --------------------------------······--··..,,....,.------------
( 78:79 WHEN inter sol count!dec, 
79:8 WHEN rmtr tTmerTstart, 
8:81 WHEN pass-state!status, 
81:82 WHEN pass state?pass token+ pass state?rep-pass-token, 
81:83 WHEN pass-state?send-who fol lows; pass_state?rep_who_fol lows, 
81:84 WHEN pass-state?sol any,-
81:86 WHEN pass-state?sol-succ, 
81:88 WHEN pass-state?total failure, 
82:9 WHEN tx!token DA NS• just had token!true • first time!tru8 • 
noise burstTfalse. FC!faTse. token pass timer!l, 
83:87 WHEN tx!who_fol lows_du_NS • res_window_tTmer!3, 
84:863 WHEN tx!sol_succ_2_DA_TS, 
86:861 WHEN lowest address!status, 
861:862 WHEN lowest address?true, 
861:86 WHEN lowest_address?false, 
852:853 WHEN tx!sol succ 2 DA NS, 
853:87 WHEN res window tTmer!2, 
86:87 WHEN tx!sol succ-1 DA NS• res window timer!l, 
87:871 WHEN res pass count!0 • noise-burst!false, 
871:872 WHEN heard!noth, -
872:F WHEN FC!false, 
88:881 WHEN any send pending!status, 
881:181 WHEN any send pending?true, 
881:882 WHEN any-send-pending?false, 
882:89 WHEN sole-act st!status, 
89:19 WHEN sole act st?true, 
89:891 WHEN sole act st?false, 
891:892 WHEN trans fault count!status, 
892:396 WHEN trans-fault-count?mtfc, 
892:893 WHEN trans-fault-count?LTmtfc, 
893:188 WHEN trans-fault-count! inc• sole act st!true, 
9:91 WHEN rx?rx data frame+ rx?rx_pro_frame,-
9:94 WHEN bus quiet!status, 
91:92 WHEN TSPSNS!send SA, 
92:1 WHEN TS comp?TSLT-+ TS comp?TSGT, 
92:93 WHEN TS comp?TSEQ, -
93:9 WHEN first time!true • FC!false, 
94:9 WHEN bus quiet?false, 
94:96 WHEN bus quiet?true, 
95:96 WHEN noise_burst!status, 
96:97 WHEN noise burst?false, 
96:98 WHEN noise-burst?true, 
97:971 WHEN token pass timer?timeout, 
971:8 WHEN pass state!succ, 
98:981 WHEN first time!status, 
981:982 WHEN first time?false, 
981:99 WHEN first time?true, 
982:1 WHEN token pass timer?timeout, 
99:9 WHEN first time!false • noise burst!false • token_pass_timer!4, 
F:Fl WHEN rx?rx-pro frame, 
F:F2 WHEN rx?rx-data frame, 
F:F6 WHEN res wTndow-timer?timeout, 
Fl:Fll WHEN TSPSNS!send SA, 
Fll:871 WHEN TS comp?TSEQ, 
Fll:F12 WHEN TS-comp?TSLT + TS_comp?TSGT, 
F12:F13 WHEN FCTstatus, 
F13:1 WHEN FC?res con+ FC?token + FC?claim token+ FC?who fol lows+ 
FC?sol=succ_l + FC?sol_succ_2, 
F13:F14 WHEN FC?set succ, 
Fl4:F16 WHEN TSPSNS!send DA, 
F16:1 WHEN TS comp?TSLT; TS comp?TSGT, 
F16:F16 WHEN TS comp?TSEQ, -
Fl6:F3 WHEN TSPSNS!send NS du, 
F2:F21 WHEN TSPSNS!send-SA~ 
F21:871 WHEN TS comp?TSEQ, 
F21:l WHEN TS_comp?TSLT + TS_comp?TSGT, 
83 
-----·-----,·--- - - - --- ---··-·--
.· 
F3:F31 WHEN TSPSNS!send du, 
F31:F32 WHEN TS comp?TSGT, 
F31:F33 WHEN TS-comp?TSLT, 
F31:F6 WHEN TS comp?TSEQ, 
F32:F4 WHEN lowest address!false, 
F33:F4 WHEN lowest-address!true, 
F4:F61 WHEN NS known!true, 
F6:F61 WHEN lowest address!false • NS known!false, 
F61:872 WHEN sole act st!false • heard!succ • inter_sol_count!0, 
trans fault count!0, 
F6:F61 WHEN bus quiet!status, 
F61:F WHEN bus quiet?false, 
F61:F62 WHEN bus quiet?true, 
F62:F63 WHEN noise burst!status, 
F63:F64 WHEN noise-burst?true, 
F63:F7 WHEN noise_burst?false, 
F64:F65 WHEN heard!status, 
F65:F66 WHEN heard?noth + heard?col I, 
F65:F72 WHEN heard?succ, 
F66:F WHEN heard!col I • noise_burst!false, 
F7:F71 WHEN heard!status, 
F71:F72 WHEN heard?succ, 
F71:F8 WHEN heard?col I, 
F71:F9 WHEN heard?noth, 
F72:771 WHEN noise burst!false • stmgm!new succ, 
F8:F81 WHEN res pass count!status, -
F81:F82 WHEN res pass count?0 + res pass count?LTmpc, 
F81:F93 WHEN res-pass-count?mpc, - -
F82:F WHEN res pass count! inc• tx!res con• heard!noth • 
res-window timer!4, -
F9:F91 WHEN res pass count!status, 
F91:F92 WHEN res pass count?0, 
F91:F93 WHEN res-pass-count?LTmpc + res pass count?mpc, 
F92:971 WHEN inter soT count!max isc, 
F93:971 WHEN inter-sol-count!0. -
PROCESS token rot timer; 
STATES 0, 1, 2, 3; 
IO ACM?load_token_hold_timer, ACM?expire, ACM?tar_rot_time_0, 
token_hol_timer!value_0; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?expire, 
0:2 WHEN ACM?load token hold timer, 
1:2 WHEN ACM?load-token-hold-timer, 
2:3 WHEN token hoT timer!value 0, 
3:0 WHEN ACM?tar rot time 0. -
PROCESS token_hold_timer; 
STATES 0, 1, 2; 
IO ACM?hi_pri_token_hold_time, ACM!timeout, token rot_timer?value_0; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?hi pri token hold time, 
0:2 WHEN token rot timer?value-0, 
1:0 WHEN ACM!tTmeout, -
2:0 WHEN ACM!timeout. 
PROCESS rmtr_timer; 
STATES 0, 1, 2, 3; 
IO ACM?start, ACM?status, ACM!timeout, ACM!expired, ACM!not_expired; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?start, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM!timeout, 
84 
1:1 WHEN ACM?start, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!not expired, 
3:0 WHEN ACM!expired. 
PROCESS bus_idle_timer; 
STATES 0, 1; 
IO ACM?start, ACM!timeout; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?start, 
1:0 WHEN ACM!timeout, 
1:1 WHEN ACM?start. 
PROCESS claim_timer; 
STATES 0, 1; 
IO ACM?start, ACM!timeout; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?start, 
1:0 WHEN ACM!timeout, 
1:1 WHEN ACM?start. 
PROCESS contention timer; 
STATES 0, 1; 
IO ACM?0, ACM?l, ACM?2, ACM?3, ACM!timeout; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?0 + ACM?l + ACM?2 + ACM?3, 
1:0 WHEN ACM!timeout. 
PROCESS res_window_timer; 
STATES 0, 1; 
IO ACM?l, ACM?2, ACM?3, ACM?4, ACM!timeout; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?l + ACM?2 + ACM?3 + ACM?4, 
1:0 WHEN ACM!timeout. 
PROCESS token_pass_timer; 
STATES 0, 1; 
IO ACM?l, ACM?4, ACM!timeout; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN ACM?l + ACM?4, 
1:0 WHEN ACM!timeout. 
PROCESS comp; 
STA TES 0, 1, 2; 
IO cdu?sortl, cdu?sort3, cdu?sort6, cdu?sort7, cdu?random, cdu!0, cdu!l, 
cdu!2, cdu!3, conpc?sortl, conpc?sort3, conpc?sort6, conpc?sort7, 
conpc?random, ACM!0, ACM!l, ACM!2, ACM!3; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN cdu?sortl + cdu?sort3 + cdu?sort5 + cdu?sort7 + cdu?random, 
0:2 WHEN conpc?sortl + conpc?sort3 + conpc?sort5 + conpc?sort7 + 
conpc?random, 
1:0 WHEN cdu!0 + cdu!l + cdu!2 + cdu!3, 
2:0 WHEN ACM!0 + ACM!l + ACM!2 + ACM!3. 
PROCESS cdu; 
STATES 0, 1, 2, 3, 4, 5, 6, 7, a, 9, 10; 
IO cpc?2, cpc?4, cpc?6, cpc?S, cpc?random, comp!sortl, comp!sort3, 
comp!sort6, comp!sort7, comp!random, comp?0, comp?l, comp?2, comp?3, 
ACM!0, ACM!2, ACM!4, ACM!6; 
INITIAL STATE 0; 
85 
----·--- - -·----,.--~------~ -- - ---- - - ---··-- ·-· -·- -
• 
TRANSITIONS 
0: 1 WHEN cpc?2, 
0: 2 WHEN cpc?4, 
0: 3 WHEN cpc?6, 
0: 4 WHEN cpc?8, 
0:6 WHEN cpc?random, 
1:6 WHEN comp!sortl, 
2:6 WHEN comp!sort3, 
3:6 WHEN comp!sort6, 
4:6 WHEN comp!sort7, 
6:6 WHEN comp!random, 
6:7 WHEN comp?0, 
6:8 WHEN comp?l, 
6:9 WHEN comp?2, 
6:10 WHEN comp?3, 
7 : 0 WHEN ACM ! 0 , 
8:0 WHEN ACM!2, 
9 : 0 WHEN ACM ! 4 , 
10:0 WHEN ACM!6. 
PROCESS claim_pass_count; 
STATES 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14; 
IO ACM?l, cdu!2, cdu!4, cdu!6, cdu!8, cdu!random, ACM?inc, ACM?status, 
ACM!mpc, ACM!LTmpc; 
INITIAL STATE 0; 
TRANSITIONS 
0: 0 WHEN ACM?l, 
0: 1 WHEN cd u ! 2, 
1: 0 WHEN ACM?l, 
1:2 WHEN ACM?inc, 
1:14 WHEN ACM?status, 
2 : 3 WHEN c d u ! 4 , 
3: 0 WHEl\1 ACM? 1, 
3:4 WHEN ACM?inc, 
3:13 WHEN ACM?status, 
4:6 WHEN cdu!6, 
6: 0 WHEN ACM?l, 
6:6 WHEN ACM?inc, 
6:12 WHEN ACM?status, 
6 : 7 WHEN c d u ! 8 , 
7:0 WHEN ACM?l, 
7:8 WHEN ACM?inc, 
7:11 WHEN ACM?status, 
8:9 WHEN cdu!random, 
9: 0 WHEN ACM?l, 
9:10 WHEN ACM?status, 
10:9 WHEN ACM!mpc, 
11:7 WHEN ACM!LTmpc, 
12:6 WHEN ACM!LTmpc, 
13:3 WHEN ACM!LTmpc, 
14:1 WHEN ACM!LTmpc. 
PROCESS contend_pass_count; 
STATES 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16; 
IO ACM?0, ACM?inc, ACM?status, ACM!LTmpc, ACM!mpc, comp!sortl, 
comp!sort3, comp!sort5, comp!sort7, comp!random; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?0, 
0:1 WHEN ACM?inc, 
0:16 WHEN ACM?status, 
1:2 WHEN comp!sortl, 
2:0 WHEN ACM?0, 
2:3 WHEN ACM?inc, 
2:16 WHEN ACM?status, 
3:4 WHEN comp!sort3, 
------------------- ------~- -- - . -- -- --·-------·- --·- ---- -- --·- .. - -·. ------- -- - - -- -- ·-- -
86 
I 
--
' 
4:0 WHEN ACM?0, 
4:6 WHEN ACM?inc, 
4:14 WHEN ACM?status, 
6:6 WHEN comp!sort6, 
6:0 WHEN ACM?0, 
6:7 WHEN ACM?inc, 
6:13 WHEN ACM?status, 
7:8 WHEN comp!sort7, 
8:0 WHEN ACM?0, 
8:9 WHEN ACM?inc, 
8:12 WHEN ACM?status, 
9:10 WHEN comp!random, 
10:0 WHEN ACM?0, 
10:11 WHEN ACM?status, 
11:10 WHEN ACM!mpc, 
12:8 WHEN ACM!LTmpc, 
13:6 WHEN ACM!LTmpc, 
14:4 WHEN ACM!LTmpc, 
15:2 WHEN ACM!LTmpc, 
16:0 WHEN ACM!LTmpc. 
PROCESS trans_fault_count; 
STATES 0, 1, 2, 3, 4, 5, 6, 7; 
IO ACM?status, ACM?0, ACM?inc, ACM!mtfc, ACM!LTmtfc; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?0, 
0:1 WHEN ACM?inc, 
0:7 WHEN ACM?status, 
1:0 WHEN ACM?0, 
1:2 WHEN ACM?inc, 
1:6 WHEN ACM?status, 
2:0 WHEN ACM?0, 
2:3 WHEN ACM?inc, 
2:6 WHEN ACM?status, 
3:0 WHEN ACM?0, 
3:4 WHEN ACM?status, 
4:3 WHEN ACM!mtfc, 
6:2 WHEN ACM!LTmtfc, 
6:1 WHEN ACM!LTmtfc, 
7:0 WHEN ACM!LTmtfc. 
PROCESS res_pass_count; 
ST A TES 0, 1 , 2 , 3, 4 , 6, 6, 7 , 8 , 9, 10, 11 ; 
IO ACM?status, ACM?inc, ACM?0, ACM!0, ACM!LTmpc, ACM!mpc; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?0, 
0:1 WHEN ACM?inc, 
0:11 WHEN ACM?status, 
1:0 WHEN ACM?0, 
1:2 WHEN ACM?inc, 
1:10 WHEN ACM?status, 
2:0 WHEN ACM?0, 
2:3 WHEN ACM?inc, 
2:9 WHEN ACM?status, 
3:0 WHEN ACM?0, 
3:4 WHEN ACM?inc, 
3:8 WHEN ACM?status, 
4:0 WHEN ACM?0, 
4:5 WHEN ACM?inc, 
4:7 WHEN ACM?status, 
6:0 WHEN ACM?0, 
6:6 WHEN ACM?status, 
6:5 WHEN ACM!mpc, 
7:4 WHEN ACM!LTmpc, 
87 
----------------------------- ------------· 
... 
-------------- -~---- -
8:3 WHEN ACM!LTmpc, 
9:2 WHEN ACM!LTmpc, 
10:1 WHEN ACM!LTmpc, 
11:0 WHEN ACM!0. 
PROCESS inter_sol_count; 
STATES 0, 1, 2, 3, 4, 6, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 16, 17; 
IO ACM?status, ACM?max_isc, ACM?dec, ACM?0, ACM!0, ACM!GT0; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?0, 
0:1 WHEN ACM?max isc, 
0:9 WHEN ACM?status, 
1:0 WHEN ACM?0, 
1:1 WHEN ACM?max isc, 
1:2 WHEN ACM?dec~ 
1:10 WHEN ACM?status, 
2:0 WHEN ACM?0, 
2:1 WHEN ACM?max isc, 
2:3 WHEN ACM?dec~ 
2:11 WHEN ACM?status, 
3:0 WHEN ACM?0, 
3:1 WHEN ACM?max_isc, 
3:4 WHEN ACM?dec, 
3:12 WHEN ACM?status, 
4:0 WHEN ACM?0, 
4:1 WHEN ACM?max isc, 
4:5 WHEN ACM?dec~ 
4:13 WHEN ACM?status, 
6:0 WHEN ACM?0, 
6:1 WHEN ACM?max isc, 
5:6 WHEN ACM?dec~ 
6:14 WHEN ACM?status, 
6:0 WHEN ACM?0, 
6:1 WHEN ACM?max isc, 
6:7 WHEN ACM?dec~ 
6:16 WHEN ACM?status, 
7:0 WHEN ACM?0, 
7:1 WHEN ACM?max isc, 
7:8 WHEN ACM?dec~ 
7:16 WHEN ACM?status, 
8:0 WHEN ACM?0 + ACM?dec, 
8:1 WHEN ACM?max isc, 
8:17 WHEN ACM?status, 
9:0 WHEN ACM!0, 
10:1 WHEN ACM GT0, 
11:2 WHEN ACM GT0, 
12:3 WHEN ACM GT0, 
13:4 WHEN ACM GT0, 
14:6 WHEN ACM GT0, 
16:6 WHEN ACM GT0, 
16:7 WHEN ACM GT0, 
17:8 WHEN ACM GT0. 
PROCESS remaining_retries; 
STATES 0, 1, 2, 3, 4, 5; 
IO ACM?status, ACM?2, ACM?dec, ACM!0, ACM!GT0; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?2, 
0:1 WHEN ACM?dec, 
0:3 WHEN ACM?status, 
1:2 WHEN ACM?dec, 
1:4 WHEN ACM?status, 
2:0 WHEN ACM?2, 
2:6 WHEN ACM?status, 
88 
-- ---- ···- -· - ---;---
3:0 WHEN ACM!GT0, 
4:1 WHEN ACM!GT0, 
6:2 WHEN ACM!0. 
PROCESS access_class; 
ST A TES 0, 1 , 2, 3 , 4 , 6; 
IO ACM?2, ACM?dec, ACM?status, ACM!2, ACM!0, ACM!ring_main; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?2, 
0:1 WHEN ACM?dec, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?2, 
1:2 WHEN ACM?dec, 
1:4 WHEN ACM?status, 
2:0 WHEN ACM?2, 
2:3 WHEN ACM?status, 
3:0 WHEN ACM!2, 
4:1 WHEN ACM!0, 
5:2 WHEN ACM!ring_main. 
PROCESS pass_state; 
ST AT ES 0 , 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 , 13 ; 
IO ACM?status, ACM!sol succ, ACM!sol any, ACM!pass token, ACM?sol succ, 
ACM!rep pass token,-ACM!send who fol lows, ACM!rep who fol lows, 
ACM!total failure, ACM?succ,-ACM?sol any, ACM?pass token; 
- -
-INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?sol succ, 
0:1 WHEN ACM?succ + ACM?pass_token, 
0:5 WHEN ACM?sol_any, 
0:7 WHEN ACM?status, 
1:0 WHEN ACM?sol succ, 
1:1 WHEN ACM?pass token, 
1:2 WHEN ACM?succ: 
1:5 WHEN ACM?sol any, 
1:8 WHEN ACM?status, 
2:0 WHEN ACM?sol succ, 
2:1 WHEN ACM?pass_token, 
2:3 WHEN ACM?succ, 
2:5 WHEN ACM?sol_any, 
2:9 WHEN ACM?status, 
3:0 WHEN ACM?sol succ, 
3:1 WHEN ACM?pass token, 
3:4 WHEN ACM?succ: 
3:5 WHEN ACM?sol any, 
3:10 WHEN ACM?status, 
4:0 WHEN ACM?sol succ, 
4:1 WHEN ACM?pass token, 
4:5 WHEN ACM?succ-+ ACM?sol_any, 
4:11 WHEN ACM?status, 
5:0 WHEN ACM?sol succ, 
5:1 WHEN ACM?pass_token, 
5:5 WHEN ACM?sol any, 
5:6 WHEN ACM?succ, 
5:12 WHEN ACM?status, 
6:0 WHEN ACM?sol succ + ACM?succ, 
6:1 WHEN ACM?pass_token, 
6:5 WHEN ACM?sol_any, 
6:13 WHEN ACM?status, 
7:0 WHEN ACM!sol succ, 
8:1 WHEN ACM!pass token, 
9:2 WHEN ACM?rep pass token, 
10:3 WHEN ACM!send who fol lows, 
11:4 WHEN ACM!rep who fol lows, 
12:6 WHEN ACM!sol:any: 
89 
\. 
.. 
13:6 WHEN ACM!total failure. 
PROCESS heard; 
STA TES 0, 1, 2, 3, 4, 5; 
IO ACM?status, ACM?noth, ACM?col I, ACM?succ, ACM!noth, ACM!col I, ACM!succ; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?noth, 
0:1 WHEN ACM?col I, 
0:2 WHEN ACM?succ, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?noth, 
1:1 WHEN ACM?col I, 
1:2 WHEN ACM?succ, 
1:4 WHEN ACM?status, 
2:0 WHEN ACM!noth, 
2:1 WHEN ACM?col I, 
2:2 WHEN ACM?succ, 
2:5 WHEN ACM?status, 
3:0 WHEN ACM!noth, 
4:1 WHEN ACM!col I, 
5:2 WHEN ACM!succ. 
PROCESS any_send_pending; 
STA TES 0, 1, 2, 3, 4, 5, 6, 7, 8; 
IO ACM?status, ACM!false, ACM!true, send pending 0?true, 
send_pending_0?false, send_pending_2?true, send_pending_2?false; INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN send pending 0?true, 
0:2 WHEN send-pending-2?true, 
0:3 WHEN send-pending-0?false, 
0:4 WHEN send-pending-2?false, 
0:6 WHEN ACM?status, -
1:3 WHEN send pending 0?false, 
1:7 WHEN ACM?status, -
2:4 WHEN send pending 2?false, 
2:7 WHEN ACM?status, -
3:1 WHEN send pending 0?true, 
3:2 WHEN send-pending-2?true, 
3:4 WHEN send-pending-2?false, 
3:6 WHEN ACM?status, -
4:1 WHEN send pending 0?true, 
4:2 WHEN send-pending-2?true, 
4:3 WHEN send-pending-0?false, 
4:5 WHEN ACM?status, -
6:6 WHEN ACM!false, 
6:1 WHEN send pending 0?true, 6:2 WHEN send-pending-2?true, 
6:6 WHEN ACM?status, -
7:8 WHEN ACM!true, 
8:3 WHEN send pending 0?false, 8:4 WHEN send-pending-2?false, 
8:7 WHEN ACM?status. -
PROCESS send_pending_0; 
ST A TES 0, 1 , 2, 3, 4 , 5, 6; 
IO stmgm?pending frame, stmgm?no pending frame, any send pending!false, any_send_pendTng!true, ACM?status, ACM!false, ACM!true; INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN stmgm?pending frame, 
0:3 WHEN stmgm?no pending frame, 
0:6 WHEN ACM?status, -
1:2 WHEN any_send_pending!true, 
90 
' 
-2:2 WHEN any_send_pending!true, 
2:3 WHEN stmgm?no pending frame, 
2:6 WHEN ACM?status, -
3:4 WHEN any_send_pending!false, 
4:1 WHEN stmgm?pending frame, 
4:4 WHEN any_send_pending!false, 
4:6 WHEN ACM?status, 
6:2 WHEN ACM!true, 
6:4 WHEN ACM!false. 
PROCESS send_pending_2; 
STATES 0, 1, 2, 3, 4, 5, 6; 
IO stmgm?pending_frame, stmgm?no_pending_frame, any_send_pending!false, 
any send pending!true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN stmgm?pending frame, 
0:3 WHEN stmgm?no pending frame, 
0:6 WHEN ACM?status, -
1:2 WHEN any send pending!true, 
2:2 WHEN any-send-pending!true, 
2:3 WHEN stmgm?no-pending frame, 
2:6 WHEN ACM?status, -
3:4 WHEN any_send_pending!false, 
4:1 WHEN stmgm?pending frame, 
4:4 WHEN any send pendTng!false, 
4:6 WHEN ACM?status, 
6:2 WHEN ACM!true, 
6:4 WHEN ACM!false. 
PROCESS power_OK; 
STATES 0, 1, 2, 3; 
IO stmgm?true, stmgm?false, ACM?status, ACM!true, ACM!false; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN stmgm?false, 
0:1 WHEN stmgm?true, 
0:3 WHEN ACM?status, 
1:0 WHEN stmgm?false, 
1:1 WHEN stmgm?true, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!true, 
3:0 WHEN ACM!false. 
PROCESS in ring desired; 
STATES 0, 1, 2,-3; 
IO stmgm?true, stmgm?false, ACM?status, ACM!true, ACM!false; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN stmgm?false, 
0:1 WHEN stmgm?true, 
0:3 WHEN ACM?status, 
1:0 WHEN stmgm?false, 
1:1 WHEN stmgm?true, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!true, 
3:0 WHEN ACM!false. 
PROCESS first_time; 
STATES 0, 1, 2, 3; 
IO ACM?false, ACM?true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
91 
1:0 WHEN ACM?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS i n_r i ng; 
STATES 0, 1, 2, 3; 
IO ACM?false, ACM?true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS just_had_token; 
STATES 0, 1, 2, 3; 
IO ACM?false, ACM?true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS lowest_address; 
STATES 0, 1, 2, 3; 
IO ACM?false, ACM?true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS NS_known; 
STATES 0, 1, 2, 3; 
IO ACM?false, ACM?true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS sole act st; 
STATES 0, 1,-2, 3; 
IO ACM?false, ACM?true, ACM?status, ACM!false, ACM!true; 
INITIAL STATE 0; 
92 
TRANSITIONS 
0:0 WHEN ACM?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
1:0 WHEN ACM?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS noise_burst; 
STATES 0, 1, 2, 3; 
IO ACM?status, ACM?false, ACM!false, ACM!true, NB_BQ_det?true; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN NB_BQ_det?true, 
0:1 WHEN ACM?false, 
0:3 WHEN ACM?status, 
1:0 WHEN NB BQ det?true, 
1:1 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS bus_quiet; 
STATES 0, 1, 2, 3; 
IO ACM?status, ACM!false, ACM!true, NB_BQ_det?true, NB_BQ_det?false; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN NB_BQ_det?true, 
0:1 WHEN NB BQ det?false, 
0:3 WHEN ACM?status, 
1:0 WHEN NB_BQ_det?true, 
1:1 WHEN NB_BQ_det?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!false, 
3:0 WHEN ACM!true. 
PROCESS NB_BQ_det; 
STATES 0, 1, 2, 3, 4, 6, 6, 7, 8, 9, 10, 11; 
IO si I !status, si l?true, si l?false, noise_burst!true, 
valid frame!status, valid frame?true, valid_frame?false, 
bus_quiet!false, bus_quiet!true; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN si I !status, 
1:0 WHEN si l?true, 
1:2 WHEN si l?false, 
2:3 WHEN bus quiet!false, 
3:4 WHEN valid frame!status, 
4:5 WHEN val id-frame?false, 
4:9 WHEN val id-frame?true, 
5:6 WHEN si I !status, 
6:3 WHEN si l?false, 
6:7 WHEN si l?true, 
7:8 WHEN bus quiet!true, 
8:0 WHEN noise burst!true, 
9:10 WHEN si I !status, 
10:9 WHEN si l?false, 
10:11 WHEN si l?true, 
11:0 WHEN bus_quiet!true. 
PROCESS valid_frame; 
STATES 0, 1, 2, 3; 
IO NB_BQ_det?status, NB_BQ_det!true, NB_BQ_det!false, rx?true, rx?false; 
INITIAL STATE 0; 
93 
. -· -- - -- ---·--· -- --·- --·---- --------------------- -----------------
, 
' 
TRANSITIONS 
0:0 WHEN rx?true, 
0:1 WHEN rx?false, 
0:3 WHEN NB_BQ_det?status, 
1:0 WHEN rx?true, 
1:1 WHEN rx?false, 
1:2 WHEN NB_BQ_det?status, 
2:1 WHEN NB BQ det!false, 
3:0 WHEN NB=BQ=det!true. 
PROCESS si I; 
STATES 0, 1, 2, 3; 
IO NB BQ det?status, NB_BQ_det!true, NB_BQ_det!false, rx?true, rx?false; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN rx?true, 
0:1 WHEN rx?false, 
0:3 WHEN NB BQ det?status, 
1:0 WHEN rx?true, 
1:1 WHEN rx?false, 
1:2 WHEN NB BQ det?status, 
2:1 WHEN NB-BQ-det!false, 
3:0 WHEN NB=BQ=det!true. 
PROCESS rx; 
STATES 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17; 
IO phy?inval id frame, phy?si I, val id frame!true, val id frame!false, 
si l!true, sTI !false, si I !true, phy?data RNR, phy?data RR, 
phy?data RS, phy?token, phy?claim token~ phy?set succ~ 
phy?sol succ 1, phy?sol succ 2, phy?who fol lows,-phy?res con, 
FC!token, FC!claim token, FC!set succ, FC!sol succ 1, -
FC!sol succ 2, FC!who fol lows, FC!res con, ACM!rx data frame, 
ACM!rx-pro frame, ACM!no res req, TSPSNS!SA DA du; -
INITIAL STATE-0; - - - -
TRANSITIONS 
0:1 WHEN phy?data RNR, 
0:2 WHEN phy?data=RR + phy?data_RS, 
0:4 WHEN phy?token, 
0:5 WHEN phy?claim token, 
0:6 WHEN phy?sol_succ_l, 
0:7 WHEN phy?sol_succ_2, 
0:8 WHEN phy?set succ, 
0:9 WHEN phy?who-fol lows, 
0:10 WHEN phy?res con, 
0:11 WHEN phy?invalid frame, 
0:12 WHEN phy?si I, -
1:3 WHEN ACM!no res req, 
2:3 WHEN ACM!rx-data frame, 
3:14 WHEN valid-frame!true • si l!false • TSPSNS!SA_DA_du, 
4:13 WHEN FC!token, 
5:13 WHEN FC!claim_token, 
6:13 WHEN FC!sol_succ_l, 
7:13 WHEN FC!sol_succ_2, 
8:13 WHEN FC!set_succ, 
9:13 WHEN FC!who_fol lows, 
10:13 WHEN FC!res con, 
11:0 WHEN valid frame!false • si I !false, 
12:0 WHEN si I !true, 
13:3 WHEN ACM!rx pro frame, 
14:1 WHEN phy?data RNR, 
14:2 WHEN phy?data-RR + phy?data RS, 
14:4 WHEN phy?token, -
14:5 WHEN phy?claim token, 
14:6 WHEN phy?sol succ 1, 
14:7 WHEN phy?sol-succ-2, 
14:8 WHEN phy?set=succ~ 
\ 
I 
\ 
~ 
' 
94 
h 
14:9 WHEN phy?who fol lows, 
14:10 WHEN phy?res con, 
14:11 WHEN phy?invalid fram
e, 
14:12 WHEN phy?si I. -
PROCESS FC; 
STATES 0, 1, 2, 3, 4, 5, 6, 
7, 8, 9, 10, 11, 12, 13, 14,
 16; 
IO ACM?status, ACM!token, A
CM!claim token, ACM!sol succ
 1, 
ACM!sol succ 2, ACM!set suc
c, ACM!who fol lows, ACM!res 
con, 
ACM?false, rx?who fol lows, 
rx?token, rx?claim token, r
x?sol succ 1, 
rx?sol succ 2, rx?set succ,
 rx?res con; -
-
-
INITIAL STATE 0; -
-
TRANSITIONS 
0:0 WHEN ACM?false, 
0:1 WHEN rx?token, 
0:3 WHEN rx?claim token, 
0:5 WHEN rx?sol succ 1, 
0:7 WHEN rx?sol-succ-2, 
0:9 WHEN rx?set-succ: 
0:11 WHEN rx?who fol lows, 
0:13 WHEN rx?res-con, 
1:0 WHEN ACM?false, 
1:2 WHEN ACM?status, 
2:1 WHEN ACM!token, 
3:0 WHEN ACM?false, 
3:4 WHEN ACM?status, 
4:3 WHEN ACM!claim token, 
6:0 WHEN ACM?false; 
6:6 WHEN ACM?status, 
6:5 WHEN ACM!sol succ 1, 
7:0 WHEN ACM?false, 
7:8 WHEN ACM?status, 
8:7 WHEN ACM!sol succ 2, 
9:0 WHEN ACM?false, -
9:10 WHEN ACM?status, 
10:9 WHEN ACM!set succ, 
11:0 WHEN ACM?false, 
11:12 WHEN ACM?status, 
12:11 WHEN ACM!who fol lows, 
13:0 WHEN ACM?false, 
13:14 WHEN ACM?status, 
14:13 WHEN ACM!res con. 
PROCESS TS comp; 
STATES 0, 1; 
IO TSPSNS?SA, TSPSNS?DA, TS
PSNS?du, ACM!TSEQ, ACM!TSLT, ACM!T
SGT; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN TSPSNS?SA + TSPSNS
?DA + TSPSNS?du, 
1:0 WHEN ACM!TSEQ + ACM!TSLT + AC
M!TSGT. 
PROCESS PS comp; 
STATES 0, I, 2, 3; 
IO TSPSNS?SA, TSPSNS?du, AC
M!PSEQ, ACM!PSLT, ACM!PSGT; 
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN TSPSNS?SA, 
0:2 WHEN TSPSNS?du, 
1:1 WHEN TSPSNS?SA, 
1:2 WHEN TSPSNS?du, 
2:3 WHEN ACM!PSEQ + ACM!PSLT + AC
M!PSGT, 
3:1 WHEN TSPSNS?SA, 
3:2 WHEN TSPSNS?du. 
PROCESS NS; 
STATES 0, 1; 
95 
--
--
--
-.• -...
__ 
__
__
_ _
 
I 
' 
IO TSPSNS?DA, TSPSNS?du, ACM?false; 
INITIAL STATE 0; 
TRANSITIONS 
0:0 WHEN ACM?false, 
0:1 WHEN TSPSNS?DA + TSPSNS?du, 
1:0 WHEN ACM?false, 
1:1 WHEN TSPSNS?DA + TSPSNS?du. 
PROCESS TSPSNS; 
STATES 0, 1, 2, 3, 4, 6, 6, 7, 8; 
IO ACM?send SA, ACM?send DA, ACM?send du, ACM?send NS du, 
ACM?send-NS DA, ACM?send PS comp du, ACM?send PS comp SA, 
TS comp!SA,-TS comp!DA, TS comp!du, NS!du, NS!DA: PS comp!du, 
PS=comp!SA, rx?SA_DA_du; - -
INITIAL STATE 0; 
TRANSITIONS 
0:1 WHEN rx?SA DA du, 
1:1 WHEN rx?SA-DA-du, 
1:2 WHEN ACM?send-SA, 
1:3 WHEN ACM?send-DA, 
1:4 WHEN ACM?send-du, 
1:5 WHEN ACM?send-NS du, 
1:6 WHEN ACM?send-NS-DA, 
1:7 WHEN ACM?send-PS-comp du, 
1:8 WHEN ACM?send=PS=comp=SA, 
2:1 WHEN TS_comp!SA, 
3:1 WHEN TS_comp!DA, 
4:1 WHEN TS_comp!du, 
5:1 WHEN NS!du, 
6: 1 WHEN NS !DA, 
7:1 WHEN PS_comp!du, 
8:1 WHEN PS_comp!SA. 
96 
,, 
- ---------- ---------------
------------------
-------····-,---~---------------
l Appendix B 
Final Reduced Abstraction FSM 
97 
- ----------- --------- -- - - - - --·· . ·---~ ---- .. ----· - -
Reduced Abstraction 
(0) • (1) WHEN phy?invalid_frame • 
(0) • (1) WHEN phy?s i I . 
(0) . (1) WHEN stmgm?MA_INI_PRO_req • 
(0) • (1) WHEN stmgm?false • 
(0) • (1) WHEN stmgm?no_pending_frame . 
(0) . (1) WHEN stmgm?pending frame . 
(0) • (1) WHEN stmgm?true . 
(0) • (3) WHEN phy?data_RNR . 
(0) • (3) WHEN phy?data_RR . 
(0) . (3) WHEN phy?data_RS . 
(0) . (3) WHEN phy?claim_token • 
(0) . (3) WHEN phy?res_con • 
(0) . (3) WHEN phy?set_succ . 
(0) • (3) WHEN phy?sol_succ_l . 
(0) . (3) WHEN phy?sol_succ_2 . 
(0) . (3) WHEN phy?token . 
(0) • (3) WHEN phy?who_fol lows . 
(1) • (1) WHEN phy?invalid_frame • 
(1) . (1) WHEN phy?s i I . 
(1) . (1) WHEN stmgm?MA_INI_PRO_req . 
(1) • (1) WHEN stmgm?f a I se . 
(1) . (1) WHEN stmgm?no_pending_frame . 
(1) • (1) WHEN stmgm?pending_frame . 
(1) • (1) WHEN stmgm?true . 
(1) . (2) WHEN stmgm!MA_INI_PRO_conf . 
(1) • (2) WHEN stmgm!turn_power_on . 
(1) . (2) WHEN stmgm!res_overdue . 
(1) . (3) WHEN phy?data_RNR . 
(1) . (3) WHEN phy?data_RR . 
(1) • (3) WHEN phy?data_RS • 
(1) . (3) WHEN phy?claim_token • 
,~ (1) • (3) WHEN phy?res_con • 
(1) • (3) WHEN phy?set_succ 
' 
• 
• (1) (3) WHEN phy?sol_succ_l • • 
(1) • (3) WHEN phy?sol_succ_2 • 
(1) . (3) WHEN phy?token • 
(1) • (3) WHEN phy?who_f o I I ows . 
(1) . ( 4) WHEN phy claim_token_w_du_0_slottl . 
(1) . (4) WHEN phy claim token w du 2 slottl . 
(1) . ( 4) WHEN phy claim-token-w-du-4-slottl . 
(1) . (4) WHEN phy claim token-w:du:s:slottl • 
(1) . ( 4) WHEN phy set succ DA TH du TS • 
- -
- - -
(1) • (4) WHEN phy sdu_suppFCS • 
(1) . (4) WHEN phy sol_ succ 2 DA NS • -
(1) . (4) WHEN phy sol_succ:2:DA_TS • 
(1) . ( 4) WHEN phy token_OA_NS • 
(1) . (4) WHEN phy who_fol lows_du_NS . 
(1) • (5) WHEN stmgm!dist_ACM_error . 
(1) . (5) WHEN stmgm!dup add . 
(1) . (5) WHEN stmgm!fau lty_tr • 
(1) . (5) WHEN stmgm!new_succ . 
(1) • (5) WHEN stmgm ! no succ • 
(1) . (6) WHEN phy!res_con . 
(1) . (6) WHEN phy!set_succ_DA_PS_du_NS . 
(1) . (6) WHEN phy!sol_succ_l_DA_NS . 
(2) . (1) WHEN phy?inval id_frame . 
(2) . (1) WHEN phy?s i I . 
(2) . (1) WHEN stmgm?false . 
(2) • (1) WHEN stmgm?no_pending_frame . 
(2) . (1) WHEN stmgm?pending_frame • 
(2) • (1) WHEN stmgm?true • 
(2) • (3) WHEN phy?data RNR • 
(2) . (3) WHEN phy?data RR • 
(2) . (3) WHEN phy?data RS • 
98 
-~-- ---
·--····-- -
. 
---
---
---
---
---
---
.. ·---,·-·~--------
(2) (3) WHEN phy?claim_token 
(2) (3) WHEN phy?res_con 
(2) (3) WHEN phy?set_succ 
(2) (3) WHEN phy?sol_succ_l 
(2) (3) WHEN phy?sol_succ_2 
(2) • (3) WHEN phy?token • (2) • (3) WHEN phy?who_fol lows • 
(2) . (4) WHEN phy claim_token_w_du_0_slottl • 
(2) (4) WHEN phy claim_token_w_du_2_slottl 
(2) (4) WHEN phy claim_token_w_du_4_slottl 
(2) (4) WHEN phy claim_token_w_du_6_slottl 
(2) (4) WHEN phy set_succ_DA_TH_du TS 
(2) (4) WHEN phy sdu_suppFCS 
(2) (4) WHEN phy sol_succ_2_DA_NS 
(2) (4) WHEN phy sol_succ_2_DA_TS 
(2) (4) WHEN phy.token_DA_NS 
(2) (4) WHEN phy!who_fol lows_du_NS 
(2) (5) WHEN stmgm!dist_ACM_error 
(2) (6) WHEN phy!res_con 
(2) (6) WHEN phy!set_succ_DA_PS_du_ NS 
(2) (6) WHEN phy!sol_succ_l_DA_NS 
(3) (1) WHEN stmgm?MA_INI_PRO_req 
(3) (1) WHEN stmgm?false 
(3) (1) WHEN stmgm?no_pending_frame 
(3) (1) WHEN stmgm?pending_frame 
(3) (1) WHEN stmgm?true 
(3) (2) WHEN stmgm!MA_INI_PRO_conf 
(3) (2) WHEN stmgm!turn_power_on 
(3) (2) WHEN stmgm!res_overdue 
(3) (4) WHEN phy claim_token_w_du_0_slottl 
(3) (4) WHEN phy claim_token_w_du_2_slottl 
(3) (4) WHEN phy claim_token_w_du_4_slottl 
(3) (4) WHEN phy claim_token_w_du_6_slottl 
(3) • (4) WHEN phy set_succ_DA_TH_du TS • (3) (4) WHEN phy sdu_suppFCS 
(3) • (4) WHEN phy sol_succ_2_DA_NS • 
(3) (4) WHEN phy sol_succ_2_DA_TS 
(3) (4) WHEN phy.token_DA_NS 
(3) (4) WHEN phy!who_fol lows_du_NS 
(3) (5) WHEN stmgm!dist_ACM_error 
(3) (5) WHEN stmgm!dup_add 
(3) (5) WHEN stmgm!faulty_tr 
(3) (5) WHEN stmgm!new_succ 
(3) • (6) WHEN stmgm!no_succ . 
(3) • (6) WHEN phy!res_con • (3) • (6) WHEN phy!set succ DA PS du NS • 
- - - - -(3) (6) WHEN phy!sol_succ_l_DA_NS 
(4) (1) WHEN phy?invalid_frame 
(4) (1) WHEN phy?si I 
(4) (1) WHEN stmgm?MA_INI_PRO_req 
(4) (1) WHEN stmgm?false 
(4) (1) WHEN stmgm?no_pending_frame 
(4) (1) WHEN stmgm?pending_frame 
(4) (1) WHEN stmgm?true 
(4) (3) WHEN phy?data_RNR 
(4) (3) WHEN phy?data_RR 
(4) (3) WHEN phy?data_RS 
(4) (3) WHEN phy?claim_token 
(4) (3) WHEN phy?res_con 
(4) (3) WHEN phy?set_succ 
(4) (3) WHEN phy?sol_succ_ 1 
(4) (3) WHEN phy?sol_succ_2 
(4) (3) WHEN phy?token 
(4) (3) WHEN phy?who_fol lows 
(4) (5) WHEN stmgm!dist_ACM_error 
(5) (1) WHEN phy?invalid_frame 
., 
99 
--· ... -------· .. 
(6) (1) WHEN phy?sil 
(5) (1) WHEN stmgm?MA INI PRO req 
- - -(6) (1) WHEN stmgm?false 
(6) (1) WHEN stmgm?no_pending_frame 
(5) (1) WHEN stmgm?pending_frame 
(5) (1) WHEN stmgm?true 
(5) • (3) WHEN phy?data_RNR • 
(5) (3) WHEN phy?data_RR 
(5) (3) WHEN phy?data_RS 
(5) (3) WHEN phy?claim_token 
(6) (3) WHEN phy?res_con 
(6) (3) WHEN phy?set_succ 
(5) (3) WHEN phy?sol_succ_l 
(6) (3) WHEN phy?sol_succ_2 
(5) (3) WHEN phy?token 
(5) (3) WHEN phy?who_fol lows 
(5) ( 4) WHEN phy claim token w du 0 slottl 
(5) ( 4) WHEN phy claim-token-w-du-2-slottl 
(5) ( 4) WHEN phy claim token:w:du=4=slottl 
(5) ( 4) WHEN phy claim_token_w_du_6_slottl 
(5) ( 4) WHEN phy set_succ_OA_TH_du TS 
(5) ( 4) WHEN phy sdu_suppFCS 
(5) ( 4) WHEN phy sol_ succ 2 DA NS 
(5) ( 4) WHEN phy sol_ succ-2-DA-TS 
-
(5) (4) WHEN phy token_DA=NS 
(6) (4) WHEN phy who_fol lows_du_NS 
(5) (6) WHEN stmgm!dist_ACM_error 
(5) (6) WHEN phy!res_con 
(5) (6) WHEN phy!set_succ_DA_PS_du_NS 
(5) (6) WHEN phy!sol_succ_l_DA_NS 
(6) (1) WHEN phy?invalid_frame 
(6) (1) WHEN phy?sil 
(6) (1) WHEN stmgm?false 
(6) (1) WHEN stmgm?no_pending_frame 
(6) . (1) WHEN stmgm?pending_frame • 
(6) (1) WHEN stmgm?true 
(6) . (3) WHEN phy?data_RNR • 
(6) • (3) WHEN phy?data_RR . 
(6) (3) WHEN phy?data_RS 
(6) (3) WHEN phy?claim_token 
(6) (3) WHEN phy?res_con 
(6) (3) WHEN phy?set_succ 
(6) • (3) WHEN phy?sol_succ_l . 
(6) (3) WHEN phy?sol_succ_2 
(6) • (3) WHEN phy?token • 
(6) • (3) WHEN phy?who_fol lows . 
(6) • (6) WHEN stmgm!dist_ACM_error • 
100 
- -·---·------~-·-~
----- ------- . - -
·- -
Vita 
The author, Isil Can bazoglu, was born on October 03, 1962 to Mr. Omer 
and Mrs. Nevin Canbazoglu. Her undergraduate work was done at Middle East 
Technical University in Ankara, Turkey where she received a B.S. in Electrical 
Engineering in 1985. She was awarded a fellowship from the Scientific and Tech-
nical Research Council of Turkey beginning in 1978 and ending in 1985. She 
also worked in the Research and l)evelopment Department of the Military 
Electronics Incorporation, on her senior year. Her gradate work was cornpleted 
at Lehigh University where she was involved in research to analyze and verify 
the IEEE Standard 802.4 token-passing bus rnediu1n access control protocol. She 
will receive a M.S. from Lehigh University in Electrical Engineering in January 
1988. 
101 
