Studies in computer aided verification of protocols by Griffioen, Willem Otto David
PDF hosted at the Radboud Repository of the Radboud University
Nijmegen
 
 
 
 
The following full text is a publisher's version.
 
 
For additional information about this publication click this link.
http://hdl.handle.net/2066/18849
 
 
 
Please be advised that this information was generated on 2017-12-05 and may be subject to
change.
Studies in Computer Aided Verification
of Protocols
by
Willem Otto David Griffioen
IN  S T í %
IPA Dissertation Series 2000-04 
Druk: Print Partners Ipskamp, Enschede.
The research reported in this dissertation has been supported by the Netherlands Computer 
Science Research foundation (SION) with financial support from the Netherlands Organization 
for Scientific Reasearch (NWO) within the scope of the project NWO/SION 612-316-125.
The work in this thesis has been carried out under the auspices of the research school IPA 
(Institute for Programming research and Algorithmics).
Studies in Computer Aided Verification 
of Protocols
een wetenschappelijke proeve op het gebied 
van de Natuurwetenschappen, Wiskunde en Informatica
Proefschrift
ter verkrijging van de graad van doctor 
aan de Katholieke Universiteit Nijmegen, 
volgens besluit van het College van Decanen 
in het openbaar te verdedigen op 
woensdag 10 mei 2000 
des namiddags om 3.30 uur precies 
door
Willem Otto David Griffioen
geboren op 26 mei 1971 te Amsterdam
Promotor:
prof. dr. F. W. Vaandrager
Manuscriptcommissie:
prof. dr. ir. J. F. Groote CWI, Amsterdam en TU Eindhoven 
dr. J. Hooman
prof. dr. K. G. Larsen Universiteit van Aalborg, Denemarken
It is fair to state, that in this digital era correct systems for information processing
are more valuable than gold.
-  Henk Barendregt, in [Bar96]
Manual verification is at least as likely to be wrong as the program itself.
-  Pierre Wolper, in [Wol]

Preface
On the cover of this book a single name is written, but many people have put effort in it.
First of all, I want to thank Frits Vaandrager for being my daily supervisor, for being co-author, 
and for being my promotor. Without him this book would not exist at all.
Also, I want to thank the members of the reading committee: Jan Friso Groote, Jozef Hooman 
and Kim. G. Larsen. All three gave valuable comments that definitely improved the quality of 
this thesis.
This thesis has not been written by me alone, for most chapters I teamed up with others. I want 
to thank all co-authors: Doeko Bosscher, Fredrik Larsson, Henri Korver, Judi Romijn, Johan 
Bengtsson, Kâre Kristoffersen, Kim Larsen, Marieke Huisman, Marco Devillers, Olaf Müller, 
Paul Pettersson, Stan Ivanov, and Wang Yi. The aspect I liked most of writing this thesis, was 
working together with you all, many thanks!
Also thanks to Joost-Pieter Katoen because he pointed out the quotes at the beginning of this 
thesis.
My education started at the Montessori elementary school “De Wielewaal” . My thanks go 
to Ronald Sanders who motivated me to take learning more seriously. Also I want to thank 
teachers at my high school (again Montessori) for creating a free and stimulating environment.
I also want to thank Baan Company. After four years of working on this thesis, the thesis was 
not finished, but I started working for Baan. Jan Weststrate was very cooperative in finding a 
way for me to finish this book. In his opinion, was my thesis a Baan project. This project is 
now finished! Also many thanks to André Bogert for arranging a two month leave. The BIS 
team is always interested in my progress and makes Baan a fun place to work.
Many thanks to my colleagues at the CWI and the KUN, for discussing research, having lunch 
together, and helping me with natural languages and LTeX. Special thanks for the discussions 
we had in the knuffelhoek.
Last nor least I want to thank Ida, Co and Matthijs for educating, loving and supporting me.
The last, very, very special thanks go to Marjolein, for helping me to finish this thesis, but above 
all for loving me.
David Griffioen, Nijmegen
Viii
Contents
1 Introduction 1
1.1 M otivation.....................................................................................................................  1
1.2 Protocols and I/O Automata ..................................................................................... 2
1.3 Computer Aided V erification..................................................................................... 3
1.4 O v e rv ie w .....................................................................................................................  4
1.5 Main co n trib u tio n s .....................................................................................................  5
2 Proof-checking an Audio Control Protocol with LP 7
2.1 Introduction..................................................................................................................  7
2.2 The EEL-protocol . ...................................................................................................... 8
2.3 Linear Hybrid S y s te m s ..............................................................................................  9
2.4 Protocol Specification.................................................................................................. 11
2.4.1 Data T y p e s .....................................................................................................  11
2.4.2 The S e n d e r .....................................................................................................  12
2.4.3 The R e c e iv e r .................................................................................................. 14
2.4.4 The Full P ro to co l...........................................................................................  14
2.4.5 The Correctness C r i te r io n ........................................................................... 15
2.5 Formal specification.....................................................................................................  15
2.5.1 Lists and Time in L S L .................................................................................  16
2.5.2 The LHS m odel..............................................................................................  17
2.5.3 The EEL protocol...........................................................................................  19
2.5.4 Correctness c r ite r io n ..................................................................................... 20
2.6 Introduction to L P ........................................................................................................  21
2.7 Formalization of the p r o o f ........................................................................................ 24
2.8 D iscussion.....................................................................................................................  27
2.8.1 Errors in handwritten p ro o f? ........................................................................ 27
2.8.2 About L P ........................................................................................................  28
2.8.3 Related W o rk .................................................................................................. 32
2.9 Example P r o o f ...........................................................................................................  32
2.10 The traits .....................................................................................................................  34
2.10.1 S .....................................................................................................................  34
2.10.2 P .....................................................................................................................  37
2.10.3 C om m onA ctions...........................................................................................  38
x Contents
2.10.4 B i t ..................................................................................................................... .... 38
2.10.5 N a t ...................................................................................................................... 39
2.10.6 Time ................................................................................................................... 39
3 The Bakery Protocol: A Comparative Case-Study in Formal Verification 41
3.1 In troduction...................................................................................................................... 41
3.2 Specification of the p ro to c o l ......................................................................................... 42
3.2.1 D a ta .................................................................................................................. .... 43
3.2.2 Protocol specification......................................................................................... 44
3.3 Correctness c r i te r io n ...................................................................................................... 46
3.4 The correctness p ro o f ...................................................................................................... 46
3.5 A more general bisimulation to prove the same .................................................... .... 49
3.6 Checking the proof in L P ........................................................................................... .... 50
3.7 D iscussion..................................................................................................................... .... 53
3.7.1 Remarks on the usage of L P ....................................................................... .... 53
3.7.2 Comparison with the ^CRL verification.................................................... .... 56
3.8 Verification m odel........................................................................................................ .... 57
3.8.1 Labelled transition systems and b is im u la tio n .......................................... .... 57
3.9 Listing of LSL tra its ......................................................................................................... 60
3.9.1 P ..................................................................................................................... ....60
3.9.2 A u to m a to n ......................................................................................................... 60
3.9.3 C om m onA ctions........................................................................................... .... 61
3.9.4 ExternalActions.............................................................................................. .... 61
3.9.5 F orw ard ........................................................................................................... ....62
3.9.6 BISIM ........................................................................................................... ....62
4 A Comparison of PVS and Isabelle/HOL 63
4.1 In troduction...................................................................................................................... 63
4.1.1 Short overview of PVS and I s a b e l le .......................................................... ....64
4.2 A comparison of PVS and Isabelle/H O L................................................................. ....65
4.2.1 The l o g i c ........................................................................................................ .... 65
4.2.2 The specification lan g u ag e ...............................................................................66
4.2.3 The p r o v e r .........................................................................................................69
4.2.4 System architecture and soundness.................................................................. 72
4.2.5 The proof m a n ag e r............................................................................................74
4.2.6 User in terface......................................................................................................74
4.2.7 Manuals and su p p o rt......................................................................................... 74
4.2.8 Runtime s p e e d .............................................................................................. .... 75
4.3 Our experiences........................................................................................................... ....75
4.4 The best of both w o rld s .............................................................................................. .... 76
4.5 Conclusions and future w o r k ......................................................................................... 77
4.6 Epilogue........................................................................................................................ .... 78
5 A Theory of Normed Simulations 79
5.1 In troduction.................................................................................................................. .... 79
5.2 P re lim in a rie s ................................................................................................................... 82
5.3 Step Refinements and Execution C orrespondence.....................................................83
Contents xi
5.3.1 Step R efinem ents...........................................................................................  83
5.3.2 Execution Correspondence........................................................................... 85
5.3.3 Soundness and Partial Completeness..........................................................  87
5.4 Normed Forward Simulations..................................................................................... 87
5.5 Normed Backward Sim ulations.................................................................................  92
5.6 Normed History Relations ........................................................................................  97
5.7 Normed Prophecy Relations ..................................................................................... 99
5.8 D ecidability ..................................................................................................................  99
5.9 Reachability..................................................................................................................103
6 PVS Verification of a Leader Election Protocol 105
6.1 Introduction..................................................................................................................105
6.2 Other verifications of the protocol ...........................................................................106
6.3 Description of the p ro to c o l........................................................................................106
6.4 Automata and Relations.............................................................................................. 108
6.4.1 I/O A utom ata..................................................................................................108
6.4.2 Step Refinement and Normed Sim ulations.................................................108
6.5 Specification and Verification of the Protocol ....................................................... 109
6.5.1 N etw ork........................................................................................................... 109
6.5.2 TIP 1 ...............................................................................................................112
6.5.3 Invariants on TIP 1 ........................................................................................112
6.5.4 TIP 2 ...............................................................................................................113
6.5.5 Invariants on TIP 2 ........................................................................................113
6.5.6 Relation between TIP 1 and TIP 2 ..............................................................114
6.5.7 TIP 3 ...............................................................................................................115
6.5.8 Simulation D iagram s.....................................................................................117
6.5.9 Relation between TIP 2 and TIP 3 ..............................................................118
6.5.10 Delayed normed forward sim ulation...........................................................120
6.6 Some remarks on the use of P V S .............................................................................. 121
6.6.1 IOA support in PVS .....................................................................................122
6.6.2 Enhancing robustness of PVS proofs.......................................................... 123
6.7 C onclusions..................................................................................................................123
6.8 Appendix: PVS Specifications................................................................................. 124
6.8.1 A u to m ato n .....................................................................................................124
6.8.2 Step R efin em en t........................................................................................... 125
6.8.3 Normed Simulation........................................................................................126
6.8.4 N etw ork........................................................................................................... 126
6.8.5 TIP 1 ...............................................................................................................127
6.8.6 TIP 2 ...............................................................................................................128
6.8.7 Relation between TIP 1 and TIP 2 ..............................................................129
6.8.8 TIP 3 ...............................................................................................................130
6.8.9 Invariants on TIP 3 ........................................................................................132
6.8.10 Relation between TIP 2 and TIP 3 ..............................................................133
xii Contents
7 Verification of an Audio Control Protocol with Bus Collision using Uppaal 135
7.1 Introduction..................................................................................................................135
7.2 Committed L ocations..................................................................................................137
7.2.1 An Example ..................................................................................................137
7.2.2 Syntax ........................................................................................................... 138
7.2.3 Sem antics........................................................................................................ 139
7.3 Committed Locations in Uppaal .............................................................................. 140
7.3.1 The Model-Checking A lgorithm ................................................................. 140
7.3.2 Space and Time Performance Improvements .......................................... 141
7.4 The Audio Control Protocol with Bus C o llis io n .................................................... 142
7.5 A Formal Model of the P r o to c o l .............................................................................. 144
7.6 Verification in U p p aal..................................................................................................146
7.7 C onclusions..................................................................................................................147
7.8 Epilogue........................................................................................................................ 148
7.9 A p p e n d ix ..................................................................................................................... 149
8 Conclusions 155 
Bibliography 159 
Samenvatting 171
Chapter 1
Introduction
1.1 Motivation
Computers are becoming more and more important in our lives. In many cases computers are 
granted critical tasks. Airplanes are controlled by automatic pilots, basically all our money 
is ‘kept’ in computers, the locks to keep The Netherlands dry are controlled by a computer, 
etc. It is important that these systems behave as intended: do not crash the plane, transfer the 
money to the right bank account, close the locks when the water is high, etc. These computer 
systems tend to be large, distributed and intricate. In many cases it is not possible to test these 
systems in the real environment because this would be dangerous (plane), expensive (banks) 
and time-consuming (locks)1.
Then how to make sure that these systems behave correctly? The development process 
should be of the highest standards (ISO9000, CMM level 5 [ISO, PCCW93], etc). As part of 
this, one can use Formal Methods to enhance confidence in these systems. Formal Methods use 
mathematical languages to specify the systems and the intended properties. Then it is possible 
to prove that the system has these properties. Because the systems are large, it takes a lot to 
prove that a certain property is obeyed. One therefore uses computers to mechanically check 
that the proofs are correct.
At first sight it might seem that the reasoning loops here: We do not trust computer systems, 
start to use Formal Methods to check these, and then use computers to check the proofs. This 
is not a loop because the computer systems to check the mathematics are much simpler (and 
easier to test!) than the systems we want to ensure correctness of (see also [Bar96]).
The field of Formal Methods is very broad. Out of the many different areas, this thesis 
focuses on the use of proof checkers for the verification of protocols.
The goal of the project is nicely formulated in the abstract of the research proposal:
During the last 15 years the state-of-the-art on the description and analysis of paral­
lel and distributed systems has advanced enormously. Still the field has not reached 
a state in which its results are applied frequently and routinely in industry. There 
is common agreement that any solution to this problem of scale will require com­
puter support. The main goal of the project is to provide a practical and scalable 
approach to computer assisted verification of distributed systems. To this end, the 
project will develop methods to formalize, using general purpose theorem checkers
xHigh waters occur only once in a 100 years...
2 Introduction
that are now generally founded on typed lambda calculi, state-of-the art correctness 
proofs of protocols in process algebra and the I/O Automata model, in such a way 
that form and size of the input of the tools are as close as possible to the hand-made 
proofs.
In the project two persons have been active: One PhD student (the author) for four years 
and a post-doc (Henri Korver) for two years. The post-doc focused on the process algebra part 
whereas the author mainly worked on the I/O Automata model [LT89].
1.2 Protocols and I/O Automata
In this thesis, protocols are the subject of study. A protocol is a set of rules that prescribes 
the behavior of components in a system. Protocols can do many things: transfer information, 
ensure that customers are served in a fair order, elect a leader amongst equals etc. A well known 
protocol is the bakery shop protocol.
Customer:
1. go to the shop
2. take a number from the ticket machine
3. wait for your number to appear on the counter at the wall
4. when your ticket number is on the wall counter, place your order
Baker:
1. look for people in your shop.
2 . if  there are any serve the one with the right ticket
3. increase the ticket counter at the wall
4. goto step 1
This is a description of a protocol, but... It is incomplete in many ways. What is the initial 
state exactly? What exactly is the workings of the ticket machine and the ticket counter at the 
bakery’s wall? And so on.
A perhaps even more important problem with this description is that it is in natural language, 
which tends to be ambiguous. For this reason often a mathematical language is used to describe 
protocols. In this thesis we use I/O Automata. In Section 3.8 an overview is given.
I/O Automata allow for precise mathematical description of protocols in a relatively easy 
way. An automaton has some state variables (ticketvalue, countervalue) and actions operating 
on these variables (enter shop, serve, leave shop). A predicate over the state variables describes 
the initial states. The reachable states of an automaton are all initial states and the states that 
can be reached from an initial state after an arbitrary number of actions. An I/O Automaton 
description of the Bakery protocol can be found in this thesis from page 44 onwards.
Given such a mathematical description we can actually prove things about these protocols. 
When a property is valid in all reachable states of an automaton, then this property is called 
invariant. Invariants are used to express properties of a single system.
It is common practice to give (at least) two descriptions of a given system: one at a high level 
of abstraction, called Specification, and one with more details, called Implementation. Then one
1.3 Computer Aided Verification 3
can prove that these two systems have the same behavior. It is not necessary to restrict oneself 
to two descriptions. In Chapter 6, three descriptions of a protocol are given, with increasing 
detail: TIP1, TIP2 and TIP3. We proved that TIP1 is equal to TIP2 and that TIP2 is equal to 
TIP3. This implies that the most detailed description TIP3 has the same behavior as the most 
high level description TIP1.
1.3 Computer Aided Verification
The proof that the Bakery protocol is correct is relatively short. For a larger protocol, like the 
Philips audio-control protocol with bus collision, the correctness proof is quite long. In my 
Master’s Thesis [Gri94] an I/O Automata style proof of this protocol is given, it consists of 30+ 
pages of mathematical reasoning.
We see two important reasons for using computer assistance with these proofs. One is that 
these proofs are long but not very deep. Thus it seems that a computer program should be able 
to take over some of the work. The other reason is that most humans tend to make mistakes in 
long proofs. A computer can help by going over every detail without loosing concentration.
Many systems are available to check theorems: in [Dat] more than 60 proof tools are listed. 
The research proposal states that we should use a prover based on typed lambda calculi, for 
example Coq [BBC+97], LEGO [Pol94] or Isabelle [Pau94]. These theorem checkers have 
a beautiful and solid mathematical basis. When this project started it became apperent to us 
though that using these tools is quite labor intensive. Bezem and Groote [BG93] have used the 
proof checker Coq to check the alternating bit protocol. They conclude that the approach is 
feasible but the major problem is the large number of proof steps that must be exhibited to the 
proof checker. LP [GG91] appeared to compare favorable to this. In [EGL92] it is reported 
that the proofs are only a factor two or three longer than a detailed manual proof. LP has its 
limitations: it supports only first order logic, it has no (arithmetic) decision procedures build in 
or a tactical language. PVS and Isabelle are more powerful provers, both support higer order 
logic, have decision procedures and a tactical language. In Chapter 4, PVS is compared to 
Isabelle/HOL.
Protocol verification using proof checkers is still very labor intensive. Typically, one first 
has to make a manual proof and then translate this to a format that the mechanical proof checker 
understands.
Some protocols can be modeled as a system with only finitely many states. For those sys­
tems a completely automatic approach is available. Suppose we have a system with finitely 
many states and we want to know whether a special bad state is reachable. A model checker 
can (in theory) answer this question by first generating the complete reachable state space and 
then searching in this long list for the bad state. The main problem for model checkers is that 
the state spaces of realistic systems tend to be very large. Creating all states and storing the 
states takes a lot of time and memory.
The paramount advantage of using a model checker instead of a proof checker for verifica­
tion is that a model checker does the actual verification completely automatic. An important 
disadvantage of model checkers is the limited expressiveness of the specification language. In 
the Chapter 7 the Philips audio-control protocol with bus collision is verified using a model 
checker for timed automata. Whereas the manual verification process, represented in my Mas­
ter’s Thesis, took several months, model checking the system using Uppaal takes just a few 
seconds.
4 Introduction
1.4 Overview
In Chapter 2, we report on the use of the Larch Prover to mechanize the correctness proof of 
the audio control protocol as presented in [BPV94]. LP is a first order logic prover, that makes 
heavy use of rewriting. Philips uses this protocol in high-end audio sets to implement commu­
nication between the components of an audio set (CD player, amplifier etc.). The messages are 
transmitted by putting high and low voltages on a wire. The timing of these high and low volt­
ages are crucial for the correct behavior of this protocol. The protocol is modeled as a Linear 
Hybrid System, which can be viewed as a subclass of timed I/O Automata.
In Chapter 3, the I/O Automata approach is compared with a process-algebraic approach. 
The basis for the comparison is the Bakery protocol. Groote and Korver [GK95c] verified 
(a version of) the Bakery protocol in ^CRL [GP95]. Their process-algebraic verification is 
rather complex compared to the ‘intuitive’ complexity of the protocol. This raises the question 
how other verification techniques perform on this protocol. As a first answer, we present a 
new correctness proof by using I/O Automata theory and discuss the relative merits of both 
approaches.
The prover LP used in Chapter 2 is easy to use but has some drawbacks. Only first order 
logic is supported, it lacks decision procedures for algebraic expressions and it is not easy to 
extend the prover with new proof strategies. When one considers using a general theorem 
prover it turns out that, there is an overwhelming number of different proof tools available and 
it is hard to find the right one for a particular application. Manuals usually concentrate on the 
strong points of a proof tool, but to make a good choice, one should also know ( 1) which are 
the weak points and (2) whether the proof tool is suited for the application at hand. Chapter 4 
gives an initial impetus to a consumers’ report on proof tools. The powerful higher-order logic 
proof tools PVS and Isabelle are compared with respect to several aspects: logic, specification 
language, prover, soundness, proof manager, user interface (and more). The chapter concludes 
with a list of criteria forjudging proof tools, which is applied to both PVS and Isabelle.
A well know approach to large problems is: break up the problem in many smaller problems 
and solve the smaller problems. In Chapter 5 this approach is taken, and the problem is to prove 
trace inclusion. In existing proof techniques, a step is simulated by an execution fragment. We 
break it up to even smaller problems: in this chapter each step is simulated by at most one step. 
To get this right a norm function is introduced. For this reason the new simulations are called 
normed simulations. In existing simulation proof techniques, a single step in a low-level system 
may be simulated by an extended execution fragment in a high-level system. As a result, it is 
undecidable whether a given relation is a simulation, even if tautology checking is decidable 
for the underlying specification logic. We show that it is decidable whether a given relation is a 
normed forward simulation relation, given that tautology checking is decidable. We also prove 
that, at the semantic level, normed simulations form a complete proof method for establishing 
behavior inclusion, provided that the high-level system has finite invisible nondeterminism.
Chapter 6 reports on the use of PVS [ORSvH95] for the formal verification of a leader elec­
tion protocol. The protocol is part of the IEEE 1394 [IEE96] standard. The protocol is described 
at different levels of detail, these specifications are proven equivalent using step refinements and 
normed simulations.
In Chapter 7, we present a case-study where the model checking tool Uppaal is extended 
and applied to the audio-control protocol (see also Chapter 2) with bus collision. The size of 
the protocol studied in this chapter is significantly larger than case studies, including various
1.5 Main contributions 5
abstract versions of the same protocol without bus collisions, reported previously in the com­
munity of real time verification. We have checked that the protocol will function correctly if the 
timing error of its components is bound to ±5%, and incorrectly if the error is ± 6%.
During the case-study, Uppaal was extended with the notion of committed locations. This 
allows for accurate modeling of atomic behaviors and as a result the state-space is pruned by 
avoiding exploring of unnecessary interleavings of independent transitions. Our experimental 
results demonstrate truly time and space-savings of the modified model checking algorithm. 
In fact, due to the huge time and memory-requirement, it was impossible to check a simple 
reachability property of the protocol before the introduction of committed locations, and now it 
takes only seconds.
Finally, in Chapter 8 we present a number of conlusions.
1.5 Main contributions
In this thesis, two relatively large protocols are studied. In Chapter 6, the leader election pro­
tocol from IEEE 1394 is studied. Within the I/O Automata community this belongs to the 
largest mechanically verified refinement proofs. In Chapter 7, the audio-control protocol with 
bus collision is studied. At the time this work was done, this was the largest case study in the 
community of real time verification.
In both cases existing theory has been extended to improve the scalability of the verifica­
tions. During the verification of the leader election protocol normed simulations were defined. 
Normed simulations are decidable when tautology checking is. In day-to-day proving they al­
low for a shorter and easier proof of the refinements. Furthermore they allow for a verification 
diagram like approach to simulation proofs.
The verification of the audio-control protocol was not possible without committed locations. 
Committed locations glue actions together to almost atomic actions, and thus allow to model 
atomic behaviors in a natural way. The state-space is pruned drastically by the committed 
locations, this reduction made it possible for Uppaal to verify the protocol. Committed locations 
thus fight the two main problems of model checking: limited expressiveness of the specification 
language and the time and memory hungriness of the algorithms.
History of the chapters
Chapter 2: Proof-checking an Audio Control Protocol with LP. Appeared as technical report 
[Gri95].
Chapter 3: The Bakery Protocol: A Comparative Case-Study in Formal Verification. With 
Henri Korver. Appeared both as technical report [GK95a] and in the proceedings of the 
Computer Science in the Netherlands conference [GK95b].
Chapter 4: A Comparison of PVS and Isabelle/HOL. With Marieke Huisman. Appeared in 
the proceedings of TPHOL’98 [GH98].
Chapter 5: Normed Simulations. With Frits Vaandrager. A preliminary version of this chapter 
appeared as Section 2 of our CAV’98 paper [GV98].
Chapter 6: PVS Verification of a Leader Election Protocol. A preliminary version of this 
chapter appeared as Section 3 of [GV98].
6 Introduction
Chapter 7: Verification of an Audio Protocol with Bus Collision Using Uppaal. With Johan 
Bengtsson, Kâre J. Kristoffersen, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and 
Wang Yi. This chapter is a revised version of our CAV’96 [BGK+96] paper.
Not in this thesis
• With Doeko Bosscher: Een Philips protocol correct bewezen. In Dutch. Appeared as 
[BG95].
• With Doeko Bosscher: Regularity o f a class o f Context-free Processes is decidable. Ap­
peared in the proceedings of ICALP’96 [BG96].
• With Marco Devillers: A Formalization o f Finite and Infinite Sequences in PVS. Appeared 
as technical report [DG97].
• With Marco Devillers and Olaf Müller: Possibly Infinite Sequences: A Comparative Case 
Study. Appeared in the proceedings of TPHOLs’97 [DGM97].
• With Stan Ivanov: Verification o f a Biphase Mark Protocol. Appeared as technical report 
[IG99].
• With Marco Devillers, Judi Romijn and Frits Vaandrager: Verification o f a Leader Elec­
tion Protocol -  Formal Methods Applied to IEEE 1394. Appeared in Formal Methods in 
System Design [DGRV00].
Chapter 2
Proof-checking an Audio Control
Protocol with LP
Abstract In this chapter we report on the use of the Larch Prover to mechanize the correctness 
proof of the audio control protocol as presented in [BPV94].
2.1 Introduction
The systems that are analyzed using formal methods increase in size and complexity and so 
do the proofs. Because it is not realistic to assume that a proof of 20 pages is flawless, the 
computer is asked for help to check those proofs. The protocol that is subject of investigation 
here is a fragment of the Enhanced Easy Link (EEL) protocol. This protocol is used by Philips to 
communicate control information between the components of an audio set (CD, DCC, amplifier, 
tuner etc). Though a simplified version of the protocol is verified (the same as in [BPV94]) it is 
still fairly complicated.
As a vehicle to mechanize the proof we used the Larch Prover (LP). LP is a proof-checker 
for first-order predicate logic and it is based on rewriting. It has been used for protocol ver­
ification in a comparable model MMT [LSGL94]. Here we use the Linear Hybrid Systems 
(LHS) model of [BPV94], the semantics of systems in this model is defined in terms of timed 
I/O-automata [VL92, LV96, GSSL93].
We think that both general proof checkers and model checkers are useful for protocol ver­
ification. Model checkers require the description to be finite in some sense and sometimes the 
type of questions the system can answer is restricted. On the other hand the advantage of model 
checking is of course that the questions are answered without any user interaction. When using 
general mathematical proof checkers almost no restrictions on the description of the system 
and/or the type of questions exist. But here much more user interaction is required to finish the 
proof.
As a correctness criterion we use trace-inclusion between the EEL protocol and a specifica­
tion. This tells us that the EEL protocol behaves like a message buffer with capacity one and 
that each message is delivered before a specified moment. To prove this we use invariants and 
a simulation relation.
We formalized the whole proof, including proofs of simple identities like x * 0 =  0. Other
8 Proof-checking an Audio Control Protocol with LP
1 -k
’ '
- k
1
1 0 0 1 0
2 halfs 3 halfs 4 halfs
Figure 2.1: Manchester encoding o f 1100101
users of LP [CL92] chose to concentrate on the crucial parts and assume simple properties like
((0 < X  < \Y | * 2 i)&(Y > 0)) ^ - \ Y \  *2i < X  -  (Y * 2i ) < 0.
We proved facts like these because if they are really simple, it should be easy to prove them, and 
when they are not simple it is possible that one makes a mistake. Also, we think it interesting 
to see what happens if one tries to prove everything from the basic axioms.
This chapter is organized as follows. In the next section the EEL protocol is introduced. 
In Section 2.3 the LHS model is informally introduced. In Section 2.4 the specification of the 
protocol is presented. In Section 2.5 the model and the protocol are formalized. In Section 2.6 
the Larch Prover is introduced. In Section 2.7 the correctness proof is formalized. In the last 
section we discuss the results of our work. In two appendices an example proof is presented 
and the formal specifications are listed.
2.2 The EEL-protocol
The Audio Control Protocol is a fragment of the Enhanced Easy Link protocol of Philips. The 
EEL protocol is used for communication of control information between the components of an 
audio set. When the red-eye receives commands of the remote control, the other components 
receive these commands via the EEL-protocol. EEL is also used to implement ‘added intelli­
gence’, one can copy a CD to a cassette by pressing a single key: the CD and the cassetedeck 
are started and when the CD has finished playing the deck stops recording. In fact the compo­
nents are connected by a small local area network (LAN). This network has one special quality: 
it is cheap. The low production costs are partly due to the small amount of copper needed: 
Many transmission protocols use a data wire and a clock wire, for EEL no clock wire is needed. 
Furthermore high tolerances on the timings are allowed, this makes it possible to implement the 
network via processors that are also used for other tasks.
The components are connected by a single wire, the bus. On this wire the voltage can be 
either high or low. When a component wants to send a message it changes the voltage several 
times, and all other components ‘hear’ these changes of voltage. Messages are sequences of 
one- and zero-bits. To encode the ones and zeros into changes of voltage, Manchester encoding 
is used. Manchester encoding divides time in chunks of equal length, so called ’bit-slots’. Bits 
are transmitted half-way the bit-slots, a bit 1 is transmitted by changing the voltage from low 
to high, a bit 0 is transmitted by changing the voltage in the other direction. If the same bit 
is transmitted twice in a row, the voltage changes exactly in between. See Figure 2.1 for an 
example.
The protocol is somewhat complicated by the fact that the hardware can not accurately 
detect the down-going edges. Therefore the receivers just ‘hears’ the up-going edges. The
2.3 Linear Hybrid Systems 9
messages are decoded by measuring the distances between the up-going edges. To start the 
decoding correctly the voltage must be low between messages, and all messages must start with 
a bit 1. The first bit synchronizes the sender and receivers, all know that the first up-going edge 
is half-way a bit-slot.
The distances between up-going edges are measured by the receiver. When the last decoded 
bit was a bit 1 and the next up-going edge is received
- after 2 half bit-slots then a bit 1 is decoded,
- after 3 half bit-slots then a bit 0 is decoded,
- after 4 half bit-slots then two bits are decoded: 01.
After decoding a bit 0 a similar approach is taken to decode the next bits.
In the Philips case a bit-slot is 888^ seconds. In our physical world it is impossible to 
measure time exactly. In the Philips documentation indeed a tolerance is allowed on all timings. 
Because the protocol is executed by a micro processor with many other tasks, the allowed 
tolerance on all timings is quite high: ±5%. When, for example, ideally two up-going edges 
have a distance of 888^ seconds, the distance must be between 844 and 932^ seconds.
Some additional issues:
1. The receiver does not know the length of the message it is receiving. To make correct 
reception of messages still possible, a restriction is needed: only messages of odd length 
or ending in 00 are valid.
2. To prevent the receiver from ‘glueing together’ messages, a silent period must be re­
spected between messages.
3. Arbitration is needed when two senders start transmitting at the same time.
The third issue is not dealt with here, but in Chapter 7.
2.3 Linear Hybrid Systems
In this section we give an informal introduction into the LHS model of [BPV94]. The semantics 
is defined using “old-fashioned recipes” [AL92], in a layered fashion. The I/O automata model 
is based on labeled transition systems. In the untimed case the transition labels can be input 
and output actions, which model the interactions of a system with its environment, and internal 
actions, which model internal computation steps. In [VL92, LV96] it is shown how real-time 
systems can be represented as labeled transition systems by adding, as additional labels, time­
passage actions. In the resulting model of timed I/O automata the continuous progress of 
real-time is represented by a continuum of discrete time-passage transitions. The LHS model 
can be viewed as a subclass of timed I/O automata. [BPV94]
The precondition-effect-style is used to define the LHS-systems. Each state of the labeled 
transition system is described by a valuation of the state variables. When the init predicate holds 
for a state, it is a start state. For every state variable v we have a primed variable v' to denote 
the new value of v after a transition. The labeled transitions are described by the precondition 
and effect functions. When the precondition holds in a state s and the effect on s is s ' then a 
transition from s to s ' exists.
In Figure 2.2 an example of a LHS in the style of [BPV94] is given. The system receives a 
message by an IN  action and after length(message) time units the message is transmitted by an
10 Proof-checking an Audio Control Protocol with LP
Discrete: list : List 
Continuous: x : Time
init: list =  e A x =  0
IN (m)
Effect
list : =  m ; x : =  0
OUT (list)
Precondition
x =  length(list) A list = e 
Effect 
list := e
TIME(d )
Action formula
A d > 0
A Unchanged (list)
A (0.5 * d) < x' — x < (1.5 * d)
A Stable (Below (x, prec( E , OUT (list))))
Figure 2.2: Example o f LHS-system (System E)
OUT action. Note that system E  forgets the former message when a new message is received 
before the current message is transmitted. The clock (x) is not very accurate: when time elapses 
by d  the clock is advanced by an amount between 0.5d and 1.5d. The discrete variables (list in 
the example) are not allowed to change during a time step, this is expressed by Unchanged(list) 
in the TIME(d) action predicate. Now we come to a somewhat subtle point. Suppose the length 
of the message is 5, then the OUT action must occur when x equals 5. What happens if x 
equals 4, the time action takes a ‘giant’ leap to a new state where x equals 6? That is: the 
TIME(d) action didn’t allow the OUT action to occur? This scenario is not possible because 
Stable (Below (x , prec(E, OUT (list)))) states that if the OUT(list) action is possible now or in 
the future this should still hold after the time step. The function prec( E , OUT (list)) returns the 
precondition of the action OUT (list) of the system E . The other functions used in the action 
formula of the TIME(d) action are defined as follows.
For W a finite set of unprimed variables, 0  an unprimed formula, and x an unprimed vari­
able:
Unchanged(W) =  / \ wGW w'=w 
Stable(0) =  0  ^  0'
Below(x, 0) =  3 x ' : x < x ' a  0[x '/x  ].
The predicate Unchanged(W) can be used on discrete variables, to express that discrete 
variables do not change during a time step. Stable(0) expresses that when 0  holds before a 
transition 0  should also hold after the transition. Below(x, 0) holds when 0  holds somewhere 
in the future (assuming x is a clock). In Figure 2.2 the last conjunct expresses that if  the
2.4 Protocol Specification 11
precondition of the OUT action holds somewhere in the future, the time step is not allowed to 
‘step over’ the last time the precondition holds: after the time step the preconditions should still 
hold somewhere in the future.
In LHS-systems a clock is just a continuous variable, updated by the time action. A clock 
can be inspected and reset by all actions, compared to other values or other clocks. Furthermore 
a clock can differ from the ideal clock (see example), so a lot of other things can be described 
using continuous variables (water-levels, leaked gas). Of course the behavior of the time action 
is restricted: for instance two steps of one time-unit should result in the same state as one step of 
two time-units. For a formal definition of the restriction on the time action we refer to [BPV94].
2.4 Protocol Specification
This section, which is taken from [BPV94], presents the formal specification of the protocol. 
Following a brief description of the many-sorted algebra that we use, we will first give linear 
hybrid systems for each of the components of the protocol, and then define the full protocol as 
the composition of the automata denoted by these systems. At the end of this section we will 
moreover present the definition of the system that specifies the allowed external behavior of the 
protocol.
2 . 4 . 1  D a t a  T y p e s
We start the specification of the protocol with a description of the various data types that we 
will need.
• a type Nat of natural numbers, with a constant symbol zero, a successor function symbol 
succ, and a predicate symbol odd, all with the usual interpretation. Also, there is an 
embedding i : Nat ^  Real of the natural numbers into the reals. We will suppress i’s in 
terms.
• a type Bit of bits that the protocol has to transmit, with constants symbols 0 and 1. Again 
there is an embedding i : Bit ^  Real, which we will suppress in terms.
• a type List, with as domain the collection of finite lists of bits. There is a constant symbol 
e for the empty list, an embedding (.} : Bit ^  List, and a binary function symbol ", 
denoting concatenation of lists. Besides these constructors, there are function symbols
head : List ^  Bit last : List ^  Bit length : List ^  Nat
tail : List ^  List last_two : List ^  List
head takes the first element of a list (defined arbitrarily as 0 in case of the empty list), tail 
returns the remainder of a list after removal of the first element, last gives the last element 
of a list, Iast_two gives the last two elements of a list, and length returns the length of a 
list. These operations are fully characterized by the axioms (here m i s a  variable of type
12 Proof-checking an Audio Control Protocol with LP
List, and d , e are variables of type Bit):
(e) = 0 last_two(e) = e
head((d }"m ) = d last_two((d}) =  (d}
(e) = e last_two(m"(de}) =  (de}
tail((d }"m ) = m length (e) =
last(e) = 0 length ((d }"m ) =
Iast(m"(d}) = d
Here (and elsewhere) we write (de} for (d}"(e}. Finally, we need an operation finalize 
List ^  List defined by:
if Iast(m)=1 a  odd(Iength(m)) then finalize(m)=m  else finaIize(m)=mA(0}.
a type Bool of booleans with constant symbols true and false. We view boolean valued 
terms as formulas and use b as an abbreviation of b=true.
a function symbol min : Real x Real ^  Real, with the obvious interpretation, and two 
constant symbols Q and T of type Real:
-  Q denotes one quarter of the length of a bit slot in the Manchester encoding. In the 
Philips specifications Q equals 222ßs .
-  T gives the tolerance on the timing of the sender and receiver in the protocol. Philips 
allows a maximum tolerance of ± ^ .
We will assume > 0 and 0 < < 1.
2 . 4 . 2  T h e  S e n d e r
We now define the system S, which models the sender of the protocol. The discrete variables 
of S  are a variable list, which records the bit string still to be transmitted, a boolean wire high 
to keep track of the voltage on the wire, and a boolean transmitting which records whether the 
sender is busy transmitting. There is also a continuous variable x which represents a drifting 
clock with tolerance T that is reset in the middle of each bit slot. The input action IN(m ) 
corresponds to a request by the environment to transmit a bit string m . Upon the occurrence 
of such an action in the initial state, S  immediately does an UP-action, which represents an 
upgoing edge on the bus. Depending on whether the second bit in the string is absent, 0 or 1, 
a DOWN-action occurs 2Q or 4Q time units after the first UP, according to the local clock of
S. An action DOWN of course represents a downgoing edge on the bus. Subsequent UP’s and 
DOWN ’s are generated as required by the Manchester encoding, and when the transmission is 
finished the protocol returns to its initial state. IN-actions that occur before the transmission 
finishes are ignored.
2.4 Protocol Specification 13
Inputs
Outputs
Internals
Discrete
Continuous
IN : List 
UP
DOWN
transmitting : Bool 
wire_high : Bool 
list : List 
x : Real
Init A —transmitting 
A —wire_high 
list e
IN (m)
Precondition
A head(m ) =  1
A (odd(length(m)) v last_two(m)=(00})
Effect
if —transmitting A —wire_high A list=e then [list := m
x := 0]
UP
Precondition
A —wire_high 
A list=e
A if transmitting the n (if head (list) =  1 the n x=4Q els e x=2Q ) else x =0 
Effect
transmitting : = 
wire_high : =
if head (list) =  1 then [list := ta W(list) 
x := 0]
DOWN
Precondition
A wire_high
A if list=e a  hea d (list) =0 the n x=4Q els e x=2Q 
Effect
¡f list=e v list=(0} then [transmitting := faise] 
wire_high := false
if list=e a  head(list)=0 then [list := taW(list)
x := 0]
TIME(t )
Action formula
A t > 0
A Unchanged( DS )
A 1 —T < < 1 + T  
A Stable (Below (x, prec(S, UP)))
A Stable (Below (x, prec(S, DOWN)))
14 Proof-checking an Audio Control Protocol with LP
2 . 4 . 3  T h e  R e c e i v e r
Next we define system R, which models the receiver of the protocol. System R  has only two 
state variables: a discrete variable list, which gives the bit string received thus far, and a con­
tinuous variable x , which represents a drifting clock with tolerance T that is reset whenever an 
upgoing edge is detected. There are two actions: an action UP that corresponds to the detection 
of an upgoing edge, and an action OUT by which the receiver passes a received string on to the 
environment. The action predicates for UP and OUT are straightforward formalizations of the 
informal specifications by Philips of the algorithm for the receiver.
Inputs UP
Outputs OUT : List
Discrete list : List Init list=e
Continuous x : Real
UP
Precondition
true
Effect
case
list=e 
last(list) =0
list := {1} 
case
x < 3Q
5Q < x
last(Zist) =  1 ^  case
x < 3
7Q < x
list =e
5 list = lisi (0}
list = list" (01}
list =e
5 list = lisf( 1}
7 list = lisi (0}
list = list" (01}
x : 0
OUT (finalize^ist))
Precondition
A list=e
A if la st(list)=0 the n x =7Q else x =9Q 
Effect
list : e
TIME(t )
Action formula
A t > 0
A Unchanged(DR)
A l — j  < < 1 + T  
A Stable (Below (x, prec(R, OUT)))
2 . 4 . 4  T h e  F u l l  P r o t o c o l
The full protocol can now be defined as the composition of automata S  and R, with communi­
cation between these components hidden:
Impl =  HIDE {UP} IN (S ||R)
2.5 Formal specification 15
2 . 4 . 5  T h e  C o r r e c t n e s s  C r i t e r i o n
System P  defines the collection of allowed behaviors of Impl. It has the same input and output 
actions as Impl, but no internal actions. In P  each action IN(m) is followed by an action 
OUT(m) within time
(4 length(m) +  5) Q
1 - T
However, if the environment offers another IN-action before the system has generated a corre­
sponding OUT-action, P  moves to a state of chaos in which anything is possible. This means 
that in such a situation any behavior of Impl is allowed. In the next section we will prove that 
the Impl is indeed a correct implementation of P  .
Inputs IN : List
Outputs OUT : List 
Discrete list : List Init A list=e
chaos : Bool A —chaos
Continuous x : Real
IN (m)
Precondition
A head(m ) =  1
A (odd(length(m)) v last_two(m)=(00})
Effect
¡f list=e then [list := m 
x := 0]
if list=e then [chaos := true]
TIME(t )
Action formula
A t > 0
A Unchanged( DP )
A x ' — x =  t 
A Stable(prec(P, OUT))
OUT (m)
Precondition
v (m =list=e A (1 — T)x < (4 length(list) +  5) Q) 
v chaos 
Effect 
list := e
2.5 Formal specification
To formalize part of the LHS-model and the protocol the Larch Shared Language (LSL) is used. 
LSL is a first-order algebraic specification language, also used to specify software. Besides LSL 
the Larch family consists of several other languages, the Larch interface languages. These make 
it for instance possible to specify a program partly in LSL and partly in programming language 
such as C and still do type checking.
In this chapter LSL is used as a front-end for the Larch Prover (LP). The LP input corre­
sponding to a specification in filename can be generated automatically by l s l  - lp  filename.
We will start with the LSL specification of the List and Time data-types. Then we will 
formalize part of the LHS model, followed by a formalization of the EEL protocol. Finally the 
correctness criterion will be given.
16 Proof-checking an Audio Control Protocol with LP
2 . 5 . 1  L i s t s  a n d  T i m e  i n  L S L
In this section we will give the List and Time traits that we will use in the specification of the 
EEL protocol. The List data type will be used in the protocol to store the messages. Here we 
will use the specification as a LSL example. We will present the LSL specification piece by 
piece.
L is t : t r a i t
includes B it, Nat
1
In the first line the name of the trait (module) is given. In the second line the traits B it and 
Nat are included. Including a trait is taking the union of the in tro d u c e s  and a s s e r t s  clauses 
of the current trait and the included traits.
in troduces 2
head L ist -> B it
t a i l L ist -> L ist
la s t L ist -> B it
last_tw o L ist -> L ist
length L ist -> Nat
empty -> L ist
_ _ L ist , L ist -> L ist
[__] Bit -> L ist
f in a l iz e L ist -> L ist
The in tro d u c e s  clause introduces new function symbols and their types.
a ss e r ts
L ist generated by em pty,[. 
\ f o r a l l  d ,e  : B it, m , l , l l  
head(empty) =
head([d]~m)
tail(empty) =
tail([d]~m) =
last(empty) 
last(m ~ [d] ) 
last_two(empty) 
last_two([d]) 
last_two(m ~ [d] 
length(empty) 
length([d] ~ m) 
finalize(m)
._] :B it-> L is t, ' 
: L ist 
0 ; 
d;
empty ; 
m;
0 ;
d;
empty;
Ce] ) = Cd] [e];
0 ;
s(length(m));
( i f  last(m ) = 1 /\ odd(length(m)) 
then m
else m ~ [0] );
A g en e ra ted  by clause asserts that a list of operators is a complete set of generators for 
a sort. That is, each value of the sort is equal to one that can be written as a finite number of 
applications of just those operators, and variables of other sorts [GH93].
Lists are generated by the empty list (empty), lists with one element ( [__] : B it -> L is t)
and the concatenation operator (~). The axioms for the functions head, t a i l ,  l a s t ,  la s t_ tw o ,
3
2.5 Formal specification 17
le n g th  and f i n a l i z e  are taken from [BPV94]. The f i n a l i z e  function is specific for the 
specification of the EEL protocol. It is used in the specification of the receiver. When necessary 
it adds a 0-bit to a message.
((1 - 11) - m) = (1 ~ (11 ~ m)); 4
m ~ empty = m ;
empty ~ m = m ;
[d] ~ 1 ~= empty ;
d = e / \  1 = 11 <=> [d] ~ 1 = [e] ~ 11
These axioms complete the specification of our List data-type. These were implicitly as­
sumed in the handwritten proof, but we had to make them explicit in the formalization.
Note that the booleans and the conjunction ( / \ )  are part of the LSL language. Also the i f  
th en  e ls e  construct is part of LSL.
Each well-formed trait defines a theory in a multisorted first-order logic with equality. Each 
theory contains the trait’s assertions, the conventional axioms of first-order logic, everything 
that follows from them, and nothing else. This loose semantic interpretation guarantees that 
formulas in the theory follow only from the presence of assertions in the trait - never from their 
absence. Using the loose interpretation ensures that all theorems proved about an incomplete 
specification remain valid when it is extended (page 37 [GH93]).
In Appendix 2.10.6 the Time trait is given. The continuous variables of LHS are of type 
Real. As mentioned in [BPV94], for the purpose of this verification any interpretation of Real 
as an ordered field will do: the only properties of reals that we use are the axioms for ordered 
fields. So the Time trait contains essentially the properties of an ordered field. For notational 
convenience some functions and constants are added, like the integer numbers 2 .. 20, the other 
inequalities (> , < , > ) and the min function. Specific for this verification a constant T, which 
denotes the drifting of the clocks, is added. Furthermore an ‘almost’ equal operator # is defined 
it expresses that two clocks are approximately the same, that is, equal modulo drifting. It is 
defined as follows (the ‘normal’ notation for # is ~):
a 1 — T 1 +  T
x ~ y  = --------x < v < -------- x
1 +  T _  1 — T
In LSL and LP there is no need for functions to be total so we did not add 0—1 =  1 as in 
[BPV94].
2 . 5 . 2  T h e  L H S  m o d e l
In this section the LSL-specification of the LHS-model is given. That is, a part of the model: 
traces, executions and simulations. Not defined in this chapter are: composition of systems, 
hiding and liveness. As starting point we used traits for MMT-automata that are presented in 
[LSGL94]. The main difference is the way time is handled, the adaption comes down to deleting 
some traits (the ones that handle time intervals) and slightly adapting the others.
In Figure 2.3 the trait System is depicted. This trait contains the basics for all systems, 
every trait that defines a LHS-system will include this one. In this trait are the declarations for 
the underlying labeled transition system: the sort S ta te s  [A] corresponding to the states of the 
system, the function s t o r t  denoting the set of start states, the function is S te p  denoting the
18 Proof-checking an Audio Control Protocol with LP
System(A): trait 
introduces
start States[A] -> Bool
pre States[A], Actions[A] -> Bool
eff States[A], Actions[A], States[A] -> Bool
isStep States[A], Actions[A], States[A] -> Bool
[__] States[A] -> StepSeq[A]
StepSeq[A], Actions[A], States[A] -> StepSeq[A]
execFrag StepSeq[A] -> Bool
first, last StepSeq[A] -> States[A]
isVisible Actions[A] -> Bool
common Actions[A] -> CommonActions
empty -> Traces
__ ~ __ Traces, CommonActions -> Traces
trace Actions[A] -> Traces
trace StepSeq[A] -> Traces
reachable States[A] -> Bool
asserts
StepSeq[A] generated by [_] , __[__,__]
Traces generated by empty, ~
\forali a,a’ : Actions[A], s,s’ : States[A], ss: StepSeq[A] 
isStep(s, a, s’) <=> pre(s,a) /\ eff(s, a, s’); 
execFragC[s]);
execFrag(ss[a,s]) <=> execFrag(ss) /\ isStep(last(ss),a,s); 
first([s]) = s; first(ss [a,s]) = first(ss); 
last([s]) = s; last(ss[a,s]) = s;
trace(a) = (if isVisible(a) then empty ~ common(a) else empty); 
trace([s]) = empty;
trace(ss[a,s]) = (if isVisible(a) then trace(ss) ~ common(a) else trace(ss)); 
reachable(s) <=> \E ss (execFrag(ss) /\ start(first(ss)) /\ last(ss) = s)
Figure 2.3: LSL trait System
2.5 Formal specification 19
Forward(A,B,f) : trait
assumes System(A), System(B)
introduces f : States[A], States[B] -> Bool
asserts \forali s, s’ : States[A], u : States[B], a : Actions [A], 
alpha : StepSeq[B] 
start(s) => \E u (start(u) /\ f(s,u));
f(s,u) /\ isStep(s,a,s’) /\ reachable(s) /\ reachable(u) =>
\E alpha (execFrag(alpha) /\ first(alpha) = u /\
f(s’, last(alpha)) /\ trace(alpha) = trace(a))
Figure 2.4: LSL traitForward.lsl
transition-relation. Using the brackets [] finite sequences are constructed, s 1a 1s2a2s3 is written 
as [s1][a1, s2][a2, s3]. The function execFrag tests if a sequence is an execution-fragment and 
the function t r a c e  returns the list of visible actions from a sequence. The common function 
is needed because in the formalization every system has its own sort for actions and sorts are 
disjunct in LSL. The common function maps the actions that systems have in common to a new 
sort CommonActions (see appendix 2.10.3). This makes it possible to compare the actions and 
traces of different systems.
We say that a system implements another system when the set of traces of A is a subset of 
the set of traces of B. To prove this we use a forward simulation relation between the imple­
mentation and the specification. In a forward simulation each start state of the implementation 
is related to at least one start state of the specification. When two states are related and the im­
plementation can do an action a, the specification can also do an action a  and the new states are 
also related. When it has been proved that a forward simulation exists, a meta-theorem (see for 
instance [LV95]) gives us the trace inclusion. In Figure 2.4 the notion of a forward simulation 
is defined. Because it is restricted to the reachable states this is essentially the ‘weak forward 
simulation’ of [LV95].
In this chapter we use the untimed interpretation of timed systems. In [BPV94] there are 
input-, output- and internal actions and a special time action. Here we have visible and invisible 
actions, where the input, output and time actions are visible and the internal actions are invisible. 
In timed traces each action has a time stamp and the time action itself does not occur as an 
action in the traces. An untimed trace of timed system is just a sequence of actions and the 
time action occurs in it like the other visible actions. The untimed interpretation is sound in 
the sense that trace inclusion in the untimed interpretation implies timed trace inclusion in the 
timed interpretation. We chose this untimed interpretation because it is slightly easier to work 
with. We refer to [LV96] for a formal description of the relation between the timed and the 
untimed interpretation.
2 . 5 . 3  T h e  E E L  p r o t o c o l
In appendix 2.10.1 the machine readable definition of the protocol is presented. In this section 
we will point out the differences between the original specification of [BPV94] and the Larch 
trait in the appendix.
The system defined in trait S corresponds to the composition of the sender S and the receiver 
R with the UP action hidden as internal action (HIDE UP IN (S y R)) of [BPV94]. In this
20 Proof-checking an Audio Control Protocol with LP
chapter the whole system is presented directly instead of presenting the subsystems S and R 
and the whole system as a composition of these, because the composition operator (||) is not 
defined in LP.
Some differences between the original-specification [BPV94] and the one given in this chap­
ter are caused by abbreviations in the original specification. For assignments the x :=  c no­
tation is used instead of x ’ = c. The phrase if b then x :=  c else x :=  x is abbreviated to 
if b then x := c. When a variable is not assigned a new value, it is assumed to have the same 
value in the new state, so x :=  x is added implicitly. These notations are not formalized in LP.
A more substantial difference between the original and the LSL version of the specification 
is caused by the fact that LP does not support higher-order logic. In the original specification 
the phrase Stable (Below (x , prec(S, UP))) expresses that: When the precondition of UP holds 
or can hold in the future the TIME(d) action is not allowed to bring the system in a state where 
this does not hold. The higher-order functions are replaced by first-order functions that exhibit 
exactly the same behavior. For this purpose the function aux is introduced, it is essentially 
the same as the precondition. The only difference is that the clock variable x is added as a 
parameter. Using this help-function the phrase can be translated to:
((\E y (y >= s .S .x  /\ aux(s,y,U P))) => (\E z (z >= s ’ .S .x /\ au x (s’ ,z,U P))))
This section is finished by a small piece of a specification in both styles to give an idea of 
the distance between the two. First the ‘normal’ notation is given followed by the Larch Shared 
Language version. Note that this is not part of the EEL specification as used in the verification 
because the error variable is not taken into account.
IN (m)
Precondition
A head (m) =  1
A (odd(length(m)) v last_two(m)=<00))
Effect
if —transmitting A —wire_high A list=e then [list := m
x := 0]
1
pre(s, IN(m)) =
(head(m) = 1 /\ (odd(length(m)) \/ last_two(m) = [0] ~ [0])); 
eff(s, IN(m), s’) = (
(if ~s.S.transmitting /\ ~s.S .wire_high /\ s.S.list = empty 
then s’.S.list = m /\ s’.S.x = 0 
else s’.S.list = s.S.list /\ s’.S.x = s.S.x)
/\ s’.S.transmitting = s .S.transmitting 
/\ s’.S.wire_high = s.S .wire_high 
/\ s’.R = s.R) ;
2 . 5 . 4  C o r r e c t n e s s  c r i t e r i o n
Beside a specification of the protocol a specification of the desired behavior is needed, the 
LSL-definition of this system is presented in appendix 2.10.2.
The specification of system P is slightly different from the original specification [BPV94] 
which contained a small mistake. The precondition of the OUT action was:
2.6 Introduction to LP 21
OUT (list)
Precondition
v(list = € A (1 — T)x < (4length(list) + 5 )Q) 
v  chaos
but it should have been:
OUT (m)
Precondition
v(list = m A list = € A (1 — T)x < (4length(list) + 5)Q) 
v  chaos
This makes a difference when chaos is true, in the former case only OUT (list) actions are 
allowed while in the new case OUT(m) actions for arbitrary messages m are allowed. Although 
the first version was on paper, the handwritten proof assumed the second specification.
2.6 Introduction to LP
The Larch Prover (LP) [GG, GH93] is an interactive proof support system. It does not use 
complicated heuristics to search for a proof. It supports first-order logic and is based on rewrit­
ing. When LP is asked to prove a conjecture, it typically normalizes the conjecture using the 
rewrite-rule versions of the axioms and the lemmas that have already been proved. When a 
normal-form is reached the proof is suspended and the user can invoke a command. We will 
mention a few typical options: The user can start a proof by cases, making LP to generate a sub­
goal for each case. A proof by induction is possible when a sort has a set of generators. This set 
of generators must be given by the user. LP will then generate a subgoal for each generator. An 
other possibility is to apply a rewrite rule in the reversed direction, this is allowed because the 
rewrite-rules are oriented axioms, not implications. When quantifiers are involved, variables or 
constants can be fixed, specialized or generalized. Furthermore LP can compute critical-pairs 
and complete a set of rewrite-rules. Besides these proof-commands LP has commands to di­
rect the orientation of axioms into rewrite-rules, to make rewrite-rules inactive, to make proof 
scripts, etc. Because a proof in LP is based on rewriting, the tool is good at it: it is fast and 
rewriting modulo associativity and commutativity is supported.
As mentioned before the l s l  tool compiles the LSL-traits into LP scripts. These scripts 
can be executed from LP to add the axioms of the traits to the current set of facts. The first 
step of constructing a proof in LP is to orient the axioms into rewrite rules. Several methods 
are provided to do this. The standard method is a registered ordering based on a LP-suggested 
partial ordering of operators. This usually works very well without any user interaction. This 
method is also used to orient the new facts, like assumptions and proved conjectures, that are 
generated during the proof. We sometimes guided it toward the intended result by providing 
a small part of the ordering on the function symbols. Another method is polynomial ordering, 
we did not use this for the proof of this chapter. The least elegant are the ‘brute-force’ ordering 
procedures, which give users complete control over whether equations are oriented from left to 
right or in the other direction. This method is used sometimes in a proof when we want to use 
a rewrite rule in the other direction, typically to expand a definition (2 -> 1 + 1).
If a set of rules is non-terminating and LP is (apparently) in a rewrite-loop LP will stop 
the normalization after a number of rewrite steps. This number can be chosen by the user. A
22 Proof-checking an Audio Control Protocol with LP
reasonable number is one thousand, which is the default value. In our experience this happens 
hardly ever. If it happens the user can do several things. One can increase the maximum 
number of rewrite steps and resume the normalization. An offending rule can be made inactive, 
thereafter LP will not use it in rewriting. Another option is to orient a rule in the other direction. 
A more elegant solution is to use polynomial ordering or a registered ordering to guarantee that 
the rewrite system is terminating.
Note that LP does not require the user to prove that the set of rules is consistent or terminat­
ing. The authors of LP expect that an inconsistency will reveal itself when one starts using the 
rules in a proof.
When the user is satisfied with the set of rewrite rules the proving can really start. When 
a proof is non-trivial (and sometimes even when it is trivial) it is necessary to have a fairly 
detailed handwritten proof before LP is started. It is possible to play around in LP and just try a 
proof by induction and see what happens. And when it does not work use the can ce l command 
to backtrack to the point just before the induction proof was started. In our experience this only 
worked in very rare cases.
We constructed most of our proofs in LP in several rounds. In the first round we constructed 
a rough proof. When a subgoal was not interesting but still complicated to prove we just added 
the goal as an axiom to the system thereby skipping that part of the proof. Although a proof with 
holes is not a proof at all, it still provides useful information. The user can go to the problematic 
parts of the proof very fast and begin proving those parts. Hereby he gets a higher confidence 
in the correctness of the conjecture before starting with the time consuming and boring parts of 
the proof. Furthermore it sometimes turned out that several ad-hoc axioms were (almost) the 
same so it was useful to construct a lemma and use it to prove these subgoals, instead of proving 
the same thing several times. In the next rounds we proved some skipped subgoals, sometimes 
these proofs also contained some skipped subgoals. We continued in this way till the proof was 
complete.
This method is possible and reasonable because LP can generate script-files of the com­
mands the user types. The script files are plain ASCII files with neatly indented commands 
with some extra annotation. When a subgoal is generated LP adds a diamond (<>) and when a 
(sub)goal is proved a box ( □ )  is added. This annotation is useful when the conjecture or the 
set of axioms is slightly changed and a proof is rerun. When LP runs a script and encounters 
a box but has not proved a (sub)goal it stops and notifies the user about the problem. Without 
this annotation LP would execute all following commands to that subgoal and it would be very 
hard to find the place were the problems started.
To finish the introduction in LP, in the diagrams below two (very) simple LP proofs are 
presented. The first lemma states that length(m  ~ [d] ) = s (length(m ) ), while the cor­
responding axiom is le n g th  ( [d] ~ m) = s ( le n g th  (m)). For this purpose a more general 
theorem is proved: le n g th ( l  ~ 11) = le n g th (1) + le n g th (11) by induction on l. For 
the 1 = empty case LP proves it without user interaction. Note that x + 0 -> x, + is com­
mutative and empty ~ m -> m. For the case 1 = [b4], where b4 is fresh variable of type Bit, 
some user interaction is necessary.
The subgoal now reads: s ( l e n g t h ( l l ) )  = le n g th ( [b4] ) + le n g th (11). So we have 
to convince LP that le n g th  ( [b4] ) = s (0 ) . We use the mempty fact: m ~ empty -> m and 
of the List trait le n g th (  [d] ~ m) = s ( le n g th  (m) ). A critical pair of these is 
le n g th  ( [d ] )  = s ( le n g th  (em pty)). After this fact has been added, the proof is completed 
by normalization.
2.6 Introduction to LP 23
se t name p
1
prove : l i s t9 :  len g th (m ~ [d]) = s ( le n g th (m))
prove le n g th d  ~ 11) = len g th (l)  + le n g th ( ll)
re s  by ind on 1
<> basis  subgoal
[] basis  subgoal
<> basis  subgoal
c r i -p a i r  L ist with mempty
[] basis  subgoal
<> induction subgoal
[] induction subgoal
[] conjecture
[] conjecture
For the second example we do not give any intuition but only the facts mentioned in the
proof.
X < = y => (x + z) <= (y + z) ; °/,0/, TimeFl
x <= y A  0 <= z => (x * z) <= (y * z) ; °/0°/o TimeF2
x <= y V  y <= x ; °/»0/. TimeL4
2
se t name p
prove :time4: (x * x) >= 0
prove x <= 0 => m(x) >= 0
ins y by 0, z by m(x) in  TimeFl
[] conjecture
re s  by case x >= 0, m(x) >= 0
<> case ju s t i f ic a t io n
res  by case 0 <= x
<> case 0 <= xc
[] case 0 <= xc
<> case ~(0 <= xc)
ins x by 0, y by xc in  TimeL4
ins x by xc in  p
[] case ~(0 <= xc)
[] case ju s t i f ic a t io n
<> case xc >= 0
ins x by 0, y by xc, z by xc in  TimeF2
[] case xc >= 0
<> case m(xc) >= 0
ins x by 0, y by m(xc), z by m(xc) in  TimeF2
[] case m(xc) >= 0
[] conjecture
qed
24 Proof-checking an Audio Control Protocol with LP
2.7 Formalization of the proof
In this section we will report on the proof that there exists a weak forward simulation from the 
implementation (S) to the specification (P).
Unlike the handwritten proof the formal proof starts with proving data-identities. Apart 
from three trivial lemmas over the Bit and Nat sorts we have a dozen identities over the sort 
List. For instance and
le n g th  (m ~ [d] ) = s (length(m ) ). These are fairly easy to prove with LP. The twelve 
also include some trivial ones like l a s t  ( [d] ) = d and t a i l  ( [d] ) = empty. These hardly 
deserve it to be a lemma, the proof consists of applying one rewrite rule in the reversed di­
rection: [d] = empty ~ [d] = [d] ~ empty. But once these identities have been proven, 
l a s t  ( [ 1] ) will be rewritten to 1 without further user interaction. Sometimes this is very use­
ful because a conjecture does not normalize as expected because we assume l a s t  ( [1] ) = 1 
while LP does not know this. And when the logical system contains about four hundred facts, 
some of them one screen full, it can be hard to find that the reasoning is stuck because LP does 
not know that .
We have about thirty lemmas concerning the data type Time. Again we have some trivial 
ones like: m(0) = 0 where m(x) is the negation of x 1. But we also have some lemmas that 
needed some thought how to prove them in LP. We started with basic properties like 0 < 1.
In the proof the relation between the clock of the sender and the receiver is very important. 
In [BPV94] an operator ^  is used to express that two clocks are approximately the same, that 
is, equal modulo drifting. It is defined as follows (our ASCII notation for ^  is #):
a 1 — T 1 +  T
X  ~  V =  --------- X <  V <  --------- X
1 +  T _  1 — T
About ten of the lemmas contain the ~  operator, these are relatively intricate to prove in LP. 
An example is: y <= 8 / \  x # y => x < (y + 1). For this one we used about forty proof 
commands in LP. It is listed in Appendix 2.9. First we constructed a very detailed handwritten 
proof of ten steps. The LP proof comes down to instantiating facts and explicitly applying 
rewrite rules in the reversed direction. To prevent that we lose track we constructed a sub proof 
for every step of the handwritten proof. Of course it is possible to do it without a division in sub 
proofs but then the proof would consist of a long list of instantiate and rewrite commands and it 
would not be clear how it corresponds to the handwritten proof. Furthermore the logical system 
(the set of facts) would get messy. It would contain a lot of instantiated rules and some other 
rules are made inactive to use them for reversed rewriting. Sometimes such a messy system has 
unexpected rewrite properties. By using a proof for each step, a proof context is created for 
each step. These are deleted when the step is proved and only the sub-conjecture is added to the 
top context.
After the data lemmas the ‘real’ proof starts. The rest of the proof presented here is the 
Larch formalization of the proof presented in [BPV94], so all definitions are taken from that 
paper. When there is a difference we will say so.
First we prove some invariants about the state space of the sender. We start with an easy 
one, it reflects the observation that the sender is always transmitting if the voltage on the bus is 
high. In LSL invariants are functions with this signature inv  : S ta te s  [A] -> Bool.
1 We do not use the more natural notation —x because in an old release LP could not parse its own output when 
the unary - was involved.
2.7 Formalization ofthe proof 25
inv(s) = (s.S,wire_high => s.S.transmitting)
For every invariant we prove (a) that it holds in the start states and (b) that if  a state is 
reachable and the invariant holds and the system can do an action to a new state the invariant 
holds also in this new state. In LP this is expressed as follows:
prove
a) (start(s:States[S]) => inv(s)) /\
b) (reachable(s:States[S]) /\ inv(s) /\ isStep(s:States[S],a,s’) => inv(s’))
Given a and b it follows that c holds.
c) reachable(s) => inv(s)
In higher order logic we can prove that the implication a A b ^  c holds where inv  is a variable 
of type . In LP we have a proof that is replicated for each invariant were
inv is substituted by the current concrete invariant. This is one of the few cases were the fact 
that LP is a first order tool is really a disadvantage.
The next invariant gives an upper bound of the clock in the various stages of progress of the 
sender:
invS(s) = (
(~s.S.transmitting /\ ~s.S .wire_high /\ s.S.list = empty)
\/ (~s.S.wire_high /\ s.S.list ~= empty /\ ~s.S.transmitting /\ s.S.x = 0)
\/ (~s.S.wire_high /\ s.S.list ~= empty /\ s .S.transmitting 
/\ head(s.S.list) = 1 /\ s.S.x <= 4)
\/ (~s.S.wire_high /\ s.S.list ~= empty /\ s .S.transmitting 
/\ head(s.S.list) = 0 /\ s.S.x <= 2)
\/ (s.S.wire_high /\ s.S.list ~= empty /\ head(s.S.list)=0 /\ s.S.x <= 4)
V  (s.S.wire_high /\ (s.S.list = empty \/ head(s.S .list) = 1) /\ s.S.x <= 2))
Now we give invariants for relations between the states of the sender and the receiver. The 
next invariant tells us that during normal operation ( s . e r r o r  is false) an input of a new mes­
sage can only happen when the receiver is at rest. This invariant is slightly different from the 
one given in [BPV94] where the disjunct has been omitted in the conclusion of the
implication. In Section 2.8.1 we discuss this mistake.
invFirstBit(s) = ((~s.S .wire_high /\ s.S.list ~= empty /\ ~s.S.transmitting)
=> s.R.list = empty \/ s.error)
For the correctness of the implementation it is very important how the clocks of the sender 
and the receiver are related. The first invariant gives the possible distances and the second gives 
a more detailed description. The second differs from the one presented in [BPV94] in the same 
way as in v F i r s tB i t  differs from the original.
invW(s) = (
((s.S.transmitting /\ ~s.S .wire_high =>
(s.R.x # (s.S.x + 4))
\/ (s.R.x # (s.S.x + 2))
\/ (s.R.x # s.S.x /\ head(s.S .list) = 1 ))
/\ (s.S.transmitting /\ s .S.wire_high =>
(s.R.x # s.S.x)
\/ (s.R.x # (s.S.x - 2) /\ s.S.list ~= empty /\ head(s.S.list) = 0))))
26 Proof-checking an Audio Control Protocol with LP
invX(s) = (
((~s.error /\ s .S.transmitting /\ s.R.list ~= empty ) =>
( (last(s.R.list) = 1 /\ s.R.x <= (pTmT * 4)
/\ s.R.x # s.S.x)
\/ (last(s.R.list) = 1 /\ (mTpT * 4) <= s.R.x /\ s.R.x <= (pTmT * 8)
/\ s.R.x # (s.S.x + 4))
\/ (last(s.R.list) = 0 /\ s.R.x <= (pTmT * 2)
/\ s.R.x # (s.S.x - 2))
\/ (last(s.R.list) = 0 /\ (mTpT * 2) <= s.R.x /\ s.R.x <= (pTmT * 6)
/\ s.R.x # (s.S.x + 2))))
/\ (( ~s.error /\ ~s.S.transmitting /\ ~s.S.wire_high
/\ s.S.list = empty /\ s.R.list ~= empty ) =>
( (last(s.R.list) = 1 /\ s.R.x <= 9 /\ s.R.x # s.S.x)
\/ (last(s.R.list) = 1 /\ (mTpT * 4) <= s.R.x /\ s.R.x <= 9 
/\ s.R.x # (s.S.x + 4))
\/ (last(s.R.list) = 0 /\ (mTpT * 2) <= s.R.x /\ s.R.x <= 7 
/\ s.R.x # (s.S.x +2)) ))
/\ ((~s.error /\ s.R.list = empty ) =>
(~s.S.transmitting /\ ~s.S.wire_high)))
The next invariant implies that during normal operation output of a message by the receiver 
cannot happen when the sender is still busy.
invLO(s) = (
s.S.list ~= empty 
/\ ((s.R.list ~= empty /\ last(s.R.list) = 0 /\ s.R.x = 7)
V  (last(s.R.list) = 1 /\ s.R.x = 9))
=> s.error )
The next invariant gives an obvious property of the specification P.
invp(u:States[P]) = ( 
u.list = empty \/
(head(u.list) = 1 /\
(odd(length(u.list)) \/ last_two(u.list) = ([0] ~ [0])) ) )
The two simple invariants below are not mentioned in [BPV94].
invRXO(s) = (s.R.list ~= empty => s.R.x >= 0)
invSXO(s) = ((s.S.transmitting \/ s.S.list ~= empty) => s.S.x >= 0)
Finally we define a simulation relation SIM, defined in LSL as follows:
1
includes S, P
introduces SIM : States[S], States[P] -> Bool 
asserts \forali s : States[S], p : States[P]
SIM(s,p) =
(if s.error 
then p.chaos
2.8 Discussion 27
else (if s.R.list = empty-
then p.list = s.S.list / \  (s.S.list = empty \ /  p.x = 0) 
else (if s.R.x # (s.S.x + (2 * (t(last(s.R.list)) - 1))) 
then (p.list = s.R.list ~ s.S.list)
/\ ((1-T)*p.x)
<=
(((4*t(length(s.R.list))) - (2*(l+t(last(s.R.list))))) 
+
min(s.R.x, s.S.x + (2 * (t(last(s.R.list)) - 1)))) 
else (p.list = s.R.list ~ [0] ~ s.S.list)
/\ ((1-T)*p.x)
<=
(((4*t(length(s.R.list))) - (2*(l+t(last(s.R.list))))) 
+
min(s.R.x, s.S.x + (2 * (t(last(s.R.list)) + 1)))))))
implies
Forward(S,P,SIM)
Note that a lot of brackets are needed because in Larch it is impossible to define a precedence 
for self defined operators.
By the im p lie s  clause at the end of this trait it is claimed that SIM is a forward simulation 
from S to P. If that can be proved (and we did) then a meta result (see for instance [LV95]) tells 
us that S is indeed an implementation of P.
How to read the simulation above? The basic idea behind this simulation is that the con­
catenation of the lists in the implementation (s . R. l i s t  and s .  S. l i s t )  is about the same as 
the message in transit (p . l i s t ) .  Formally, when the system is transmitting then the following 
holds:
( p . l i s t  = s . R . l i s t  ~ s . S . l i s t )  \ /
.
This is expressed in the third if-then-else, in the second if-then-else it is tested if  the system is 
(almost) transmitting and in the first it is tested if the system is in an error situation. The big in 
equations ( ( 1-T) *p . x <= . . . ) express that the system returns the messages in time.
2.8 Discussion
In this section we will give some conclusions about this case-study. As said in the introduction 
it is unlikely that a handwritten proof is flawless. In the first subsection we will report on the 
errors we encountered. In the second subsection we will draw some conclusions about LP and 
in the last subsection we will compare the approach of this chapter with other approaches.
2 . 8 . 1  E r r o r s  in  h a n d w r i t t e n  p r o o f ?
As mentioned at the end of Section 2.5.4 we found a small error in the specification of the 
OUT action of system P. In some of the invariants a similar error existed, namely that INV  was 
claimed while only —e r r o r  ^  INV  holds.
28 Proof-checking an Audio Control Protocol with LP
The source of these mistakes was that the model in which the protocol was described had 
been changed during the construction of the proof. In the former model states where e r r o r  held 
were not accepted and traces that ended in a not accepted state were left out of consideration. 
Parts of the proof in the former model were still valid in the model presented in [BPV94], but 
unfortunately the subtlety with the e r r o r  variable was overlooked.
From a practical point of view these bugs were not so important because it was very easy 
to fix them. It was far more time consuming to fix an illegal proof step in the TIME case 
of the simulation. There the following implication was assumed: s ,u  |= not(X  # Y) ^  
s ’ , u ’ 1= not(X  # Y). In general this does not hold. For example when T equals 0.05 and
and then the implication does
not hold. We had to make extra case distinctions and do some extra arithmetic.
Because of the distance between the LP-proof and the handwritten proof it is possible that 
there are other illegal proof steps in the handwritten proof that were not noticed. When a con­
jecture is successfully proved by LP along similar lines, we did not investigate the handwritten 
proof.
In the handwritten proof data identities like: last (/) =  1 ^  last_two(r[0]) =  [0f[0] 
are used without a proof. To our taste this is reasonable in a handwritten proof. But when a 
proof is mechanized in LP, it is necessary to prove such data identities.
For a lot of facts concerning the time domain the same can be said. Facts like 0 < 1 and 
x > 0 ^  (1 / x ) > 0 are fairly obvious for humans. In this chapter we even proved these simple 
ones. Less obvious is for instance: y  < 8 A x ^  y  ^  x < (y +  1) . This is not proved in 
the handwritten proof, to our taste this is an omission. It took some time to formulate them in a 
proper way and prove them in LP.
2 . 8 . 2  A b o u t  L P
In this section we will report on the use of LP.
Insta//ing and starting. To start at the beginning: it is easy to install LP. Release 3.1a comes 
with online documentation in HTML format. For release 2.4 a paper document [GG91] is 
available, to start with this is probably easier to read. In about ninety pages the ideas and 
commands of LP are explained and one can start using LP. The most important difference 
between the two versions are: Full first-order logic is supported, not just the universal-existential 
subset supported by Release 2.4. Furthermore a simple sort system for describing polymorphic 
abstractions is added.
Statistics. In Figure 2.5 the number of occurrences of LP commands is listed. In the LP proofs 
we also used a number of display commands but these are not included in the list because these 
commands do not influence the proof and could be deleted without harming the proof. Of course 
the commands often have arguments, but mostly the complete command fits on one line. The 
total proof script consists of about 4000 lines (150 Kb). Beside the commands it contains lines 
with annotations, the boxes ( ) and the diamonds ( ).
The proofs can be divided in different classes: the lemmas over the datatypes, the invariants 
and the simulation. To gain some insight in the relative complexity of each class, the number of 
proof commands used to proof all lemmas in a class are depicted in Figure 2.6.
The proofs concerning time take up more than one third of the total proof. This is caused 
by the intrinsic complexity of the timing in the protocol, and by the absence of arithmetic 
procedures in LP. Although the time lemmas contain only simple arithmetic, our experience is
2.8 Discussion 29
command # meaning
prove 298 ask LP to prove a conjecture
res by => 115 resume the prove by assuming the lhs
res by <=> 10 resume by two cases: => and <=
res by case 152 resume by a case distinction
res by spec 23 resume by specialization
res by contra 37 resume by assuming the contradiction of the current goal
res by ind 31 resume by a proof by induction
rew 92 rewrite (mostly in reversed direction)
ins 608 instantiate variables in a fact
cri-pair 4 compute critical pairs
fix 31 fix a variable
reg 3 give part of ordering on function symbols
set 164 set system variables ofLP
make 121 make facts immune, passive etc.
del 46 delete facts
dec 46 declare variables or functions.
Figure 2.5: Number o f uses ofLP commands
class # commands in %
bit 6 0
naturals 16 1
list 123 7
time 666 37
invariants 471 26
main theorem 499 28
TOTALS 1781
Figure 2.6: Number ofLP commands used in the proof.
30 Proof-checking an Audio Control Protocol with LP
that it is equally hard to find the right lemmas, and in LP the time lemmas are even harder to 
prove than the invariants.
LP is sufficiently fast to be used really interactively. Running the complete proof script, 
which contains the proofs for the data-identities, the invariants and the simulation takes about 
1:30 hours on a Sun Sparc 10. The total number of proof commands is 1800. So on the average 
the execution of one command takes 3 seconds.
Proving The LP proofs follow the lines of reasoning of the handwritten proofs, that is: the 
induction schemes and case distinctions are the same. When the handwritten proof refers to an 
invariant in the LP proof it is mostly sufficient to instantiate the invariant with the current state. 
The normalization does the rest of the reasoning. But especially when arithmetic is involved 
the LP proof contains much more details than the handwritten proof.
It is interesting to know how much effort it took to formalize the proof in LP. But in this 
case it is not possible to give an exact answer. First of all, this was our first project with LP so it 
took some time to get used to the system. Furthermore the handwritten proof was not error free 
so we also had to pay attention to the abstract content of the proof. Also in the formal proof 
we proved the data-identities not present in the handwritten proof. Finally we had to cope with 
some problems in LP. But we estimate that given a complete and correct handwritten proof it 
still would take weeks to formalize it in LP.
As said LP is really interactive, almost too interactive. Because no tactical language exists 
for LP, it is impossible to add your own decision procedures or proof heuristics. A list of 
commands can be saved in a script file and executed again but this is no substitute for a tactical 
language. In LP it is impossible to express things like: “Try different proofs till one succeeds” 
or to examine the structure of terms like “If the current goal contains an if-then-else with a 
single variable as boolean, then resume by a case distinction on that variable” .
Proof Management The Proof Management system ofL P  is very simple. When LP generates 
subgoals in response to a case distinction or induction proof the order in which these subgoals 
must be proved is decided on by LP. The only way to escape from this rigid system is by adding 
a subgoal as an axiom to the system, continue with the next subgoal and leave the first one for 
another day. Then rerun the generated script up to the point where the ‘axiom’ is added and 
then insert a prove for that subgoal. There is some danger in this method because LP lacks a 
special draft/proof mode switch. It is always allowed to add axioms, so it is up to the user to 
check that in the final version no ‘axioms’ remain that need a proof.
It is also always allowed to cancel a proof. Obviously this is the quickest way to get at the 
qed, which technically means in LP that there are no conjectures left to prove. We claim that 
our proof does not contain unintended added axioms or cancels. We used g rep 2 to search for 
these commands in our proof script files. Still we think that a special proof mode, that one can 
enter after loading the axioms, would give some extra confidence in LP proofs.
As mentioned before, the script file that contains our proof is about 150 Kb and takes 1:30 
hours to run. Imagine that one makes a change at the end and wants to check if LP accepts the 
new script. This will take 1:30 hours for each revision. So to keep the proof manageable it is 
split in 60 lemmas and each lemma is proved in a separate file. When we change the proof of 
one lemma we only have to check if LP accepts that one. All lemmas are listed in one file. By 
assigning a level to each lemma and requiring that only lower level lemmas are used we ensure 
that there is no cycle in the proof. To make life a little easier a small nawk3 program is used
2Unix command to search for a string in a set o f files
3 A C-like pattern matching language.
2.8 Discussion 31
to generate the standard begin of the LP scripts. That is: a command to load the axioms, some 
settings and adding the lower level lemmas as axioms.
LSL comes with a library of traits. Most of these traits contain an im p lie s  clause that 
contains some important lemmas for that trait. But it comes without a proof, so the complete 
sceptic is not satisfied. The script files can be used to distribute proofs for these lemmas. Some 
care must be taken because LP proofs tend to be context dependent. Operationally LP proofs 
depend heavily on the normalization, and so on the set of facts and the direction in which the 
rules are oriented. Logically one can extend the set of facts without harming the proof, opera­
tionally a new rule can disturb a proof. This problem can be solved by making all rules inactive 
except the rules that are used. And then force the orientation, for example by giving a partial 
ordering on the function symbols. The generation scheme of fresh constants and variables is 
also a source of context dependency. For instance in a proof by induction or when assuming 
the left hand side of an implication, fresh variables and/or constants are generated. Variable 
names are b, b1, b2 ...  for variables whose sort name begins with a B and the first free name is
chosen. For constants a c is added so the names are: bc, bc1, b c 2 __ Because these names are
generated in a proof context the next proof does not know about these names. But the constants 
and variables that we declare at top level are visible everywhere, and so they can influence 
the generation of names. To prevent problems with unexpected names of fresh constants and 
variables it is advisable to use names that are not in the generation scheme ofLP.
Software Management Besides that Larch is used to describe software, LP itself is a software 
product. As to be expected with an experimental tool as LP we encountered some bugs. A 
critical bug was an alpha conversion problem. When n,m and k are of type Nat and this is a 
rewrite rule: n <= m -> \E k (n + k = m). The normalform of n <= k was according to 
LP (3.1 94/12/30): \E  n (n + n = k). In the current version of LP (3.1a 95/04/27) this bug 
is fixed and the normalform is: .
It was far more time consuming to cope with a memory problem. Even when memory on 
the machine and heap space in LP are amply available LP still runs out of memory. During 
our proof the system contains up to about four hundred rules and the proof is up to ten levels 
deeply nested. Steve Garland advised (via mail) to issue the command to delete a data
structure used for completion of rewrite systems. This indeed frees memory, but not enough for 
our proof. Our ‘solution’ was to delete rules that are not needed any more in the current proof 
context. Finding the ‘deletable’ rules is a time consuming trial and error process. One deletes 
a lot of rules to find out later that a few of them are still needed, and then starts again this time 
without deleting those rules, this time LP runs out of memory, etc.
Just for the record: we eventually checked the entire proof with LP Release 3.1a (95/04/27).
Next we will give our wish list for LP and LSL. We think that the tactical language, for our 
purposes, is by far the most important wish.
1. Tactical language Without a good tactical language it is impossible to extend LP with 
heuristics or decision procedures. So proofchecking with LP remains at the level of nor­
malizing conjectures and proofs by induction, etc. While for really efficient use of proof- 
checkers it is necessary to have larger concepts. For instance a tactic like: try to proof 
this invariant by case distinction on all booleans and apply a decision procedure on the 
remaining expressions over the reals.
2. Arithmetic decision procedures With or without a tactical language, arithmetic decision 
procedures would be very useful. In [LSGL94] it is mentioned that a procedure for linear
32 Proof-checking an Audio Control Protocol with LP
inequalities is implemented. Unfortunately most of the expressions in our proof are not 
linear.
3. Larger proofs accepted without memory problems
4. Better proof management It should be possible to use unproved lemmas and return to 
them later or skip cases of an induction proof etc. Furthermore it would be nice if a proof 
can be saved in such way that the proved theorem can be loaded directly, also when the 
current set of facts is extended compared to the set from which the theorem is proved.
5. Explicit names in LSL specifications Standard facts in LP have the name of the corre­
sponding specification followed by a number, like in Nat .3. One can work around this 
because a conjecture can be named explicitly and a conjecture that is an axiom is easy to 
prove.
6. More control over rewriting Sometimes a term has different redexes, and it is useful 
to be able to select one by hand. For normalizing it would be nice if it is possible to 
influence the order in which the rewrite rules are applied.
2 . 8 . 3  R e l a t e d  W o r k
The EEL protocol has received some attention from other sites. In [HWT95] Ho and Wong- 
Toi analyzed the audio control protocol using the HyTech tool. HyTech is a symbolic model 
checker for linear hybrid systems. Larsen, Pettersson and Yi analyzed the protocol with the 
UPPAAL tool [LPY95]. They used a formalization of the protocol based on the one developed 
by Ho and Wong-Toi. Daws and Yovine analyzed the protocol using KRONOS in [DY95]. 
The formalization used in this paper is different from the one used by the two others. It is not 
completely clear what the formal relation is between the finite state description used by the 
model checkers and the version as presented in [BPV94]. It seems to be an interesting research 
problem how to integrate model-checking and proofchecking. In [MN95] Müller and Nipkow 
discuss this topic.
In [NS95] the I/O automata model is formalized in Isabelle/HOL. In that paper a much 
larger part of the I/O automata model is formalized, in contrast to the limited number of notions 
that are formalized in this chapter.
Related to wish 4 is the work discussed in [Voi92]. In this paper a new proof environment for 
LP is proposed which makes it possible to walk through the proof tree as suggested in point 4.
2.9 Example Proof
In this appendix a script file of a LP proof is given. It is hard to read the proof because it depends 
on the set of facts, which changes with every proof command. So this proof is presented here 
to give some idea of what a script file looks like more than to show the actual proof.
set name p
prove :timetwLT: y <= 8 /\ x # y => x < (y + 1)
res by =>
<> => subgoal
prove :step9: (2*yc) <= 16
2.9 Example Proof 33
ins x by yc, y by 8, z by 2 in timeF2 
[] conjecture 
prove :step8: ((2 * yc) + 1) <= 17
ins x by (2 * yc), y by 16, z by 1 in timeFl 
[] conjecture 
prove :step7: ((2 * yc) + 1) < d(T) 
prove : hulpje: 17 < d(T)
ins x by T, y by d(17), z by d(T) in TimeLTF2 
ins x by T in time5
ins x by 1, y by (d(17) * d(T)), z by 17 in timeLTF2 
[] conjecture
ins x by ((2 * yc) +1), y by 17, z by d(T) in timeLTranl 
[] conjecture 
prove :step6: ((2 * yc * T) + T) < 1
ins x by ((2 * yc) +1), y by d(T), z by T in timeLTF2 
make ina timeDis 
rew timeLTF2 with rev timeDis 
[] conjecture 
prove :step5: (2 * yc * T) < (1 - T)
ins x by ((2 * T * yc) + T), y by 1, z by m(T) in timeLTFl 
[] conjecture 
prove :step4: (yc * T) < (1 + m(yc * T) + m(T))
ins x by (2 * T * yc), y by (1 + m(T)), z by m(T * yc) in timeLTFl 
prove (2 * T * yc) + m(T * yc) = (T * yc) 
set im on
prove : hulpje: 2 = 1 + 1 
[] conjecture 
make ina hulpje 
rew con with rev hulpje 
make ina timeDis 
rew con with rev timeDis 
rew con with rev timeDis 
[] conjecture 
[] conjecture
prove :step3: (yc + (yc * T)) < (yc + (1 + m(T + (yc * T))))
ins x by (yc * T), y by (1 + m(T + (yc * T))), z by yc in timeLTFl 
[] conjecture 
prove :step2: ((1+T)*yc) < ((yc +1)* (1-T)) 
make ina timeDis 
rew con with rev timeDis 
rew con with rev timeDis 
rew con with rev timeDis 
[] conjecture 
prove :stepl: ((1+T) * d(l-T) * yc) < (yc + 1)
ins x by ( (1 +T ) * yc), y by ((yc + 1) * (1 - T)), z by d(l-T) in timeLTF2 
ins x by (1- T) in time5 
[] conjecture 
prove :stepO: xc < (yc + 1) 
set im anc
34 Proof-checking an Audio Control Protocol with LP
ins x by yc, y by xc in TimeDefTwiddle 
ins x by xc, y by yc in timecom
ins x by xc, y by ((1+T) * d(l + m(T)) * yc), z by (yc + 1) in timeLTranl 
[] conjecture 
[] => subgoal 
[] conjecture 
%% quit
2.10 The traits
2 . 1 0 . 1  S
In this section we will present the trait that defines System S piece by piece.
S : trait
includes System(S), List, CommonActions(S)
States[S] tuple of S: Send, R : Ree, error : Bool 
Send tuple of transmitting: Bool, 
wire_high : Bool, 
list : List,
x : Time
Ree tuple of list : List,
x : Time
1
Above the first lines of the trait are given. The name of the trait is S, given on the first line of 
the trait. Then the trait System(S) (see Section 2.5.2) and the traits List and Time are included, 
see Section 2.5.1. Next the sort S ta te s  [S] is defined, its domain consists of triples of (1) the 
state variables of the sender, (2) the state variables of the receiver and (3) a history variable 
e r ro r . A history variable does not influence the behavior of the system. The extra information 
it provides is only used in the proof. The sender has four state variables: is true
when the system is transmitting, that is from the first UP action till the last DOWN action. The 
variable w ire _high denotes the level of the voltage on the bus. The variable l i s t  contains the 
bits of the message that still must be transmitted. The clock variable is used to specify the 
distance between the UP and DOWN actions of the sender. The receiver has two state variables: 
l i s t  denotes the bits of the current message that are already received and the clock variable x 
denotes the time elapsed since the last UP action.
introduces 
UP :
DOWN :
aux : States[S],
->
->
Time, Actions[S] ->
Actions [S]
Actions[S]
Bool %%
2
auxiliary-function.
The UP and DOWN actions are constants of type A ctions [S ], the other actions IN, OUT 
and TIME are declared in CommonActions trait. Furthermore the auxiliary function aux is 
declared, which is used in the action-predicate of the TIME action.
asserts
Actions[S] generated by IN, UP, DOWN, OUT, TIME 
\forall s,s’: States [S], m : List, t,x,y,z: Time
3
2.10 The traits 35
After the a s s e r t s  key-word the properties of the functions (the axioms) are given. The 
g en e ra ted  by clause expresses that every action is an IN, UP, DOWN, OUT or TIME action.
~isVisible(UP); 4
~isVisible(DOWN);
The actions UP and DOWN are declared invisible, the actions IN, OUT, and TIME are 
declared visible in the CommonActions trait.
%% *** START STATES *** 5
start(s) = ( ~s.S.transmitting 
/\ ~s.S.wire_high 
/\ s.S.list = empty 
/\ ~s.error 
/\ s.R.list = empty);
Initial the system is not transmitting, the wire is low, there is no message in transit (the lists 
are empty) and no error has occurred yet. Note that the values of the clocks (S . x and R. x) are 
undefined and so we have an infinite number of start states.
%% *** IN(m) *** 6
pre(s, IN(m)) =
(head(m) = 1 /\ (odd(length(m)) \/ last_two(m) = [0] ~ [0])); 
eff(s, IN(m), s’) = (
(if ~s.S.transmitting /\ ~s.S .wire_high /\ s.S.list = empty 
then s’.S.list = m /\ s’.S.x = 0 
else s’.S.list = s.S.list /\ s’.S.x = s.S.x)
/\ s’.S.transmitting = s .S.transmitting 
/\ s’.S.wire_high = s.S .wire_high
/\ (if s.R.list ~= empty then s’.error else s’.error = s.error)
/\ s’.R = s.R) ;
The IN  action denotes the reception of a new message to be transmitted. The precondition 
expresses that each message must start with a bit 1 and that a message must be of odd length or 
end in (00) (see Section 2.2). The e r r o r  variable becomes true when an IN  action occurs too 
early, that is, when the receiver is not yet ready to receive a new message.
°/°/„ *** UP *** 7
pre(s,UP) = aux(s,s.S.x,UP); 
aux(s,x,UP) = (
~s.S.wire_high 
/\ s.S.list ~= empty 
/\ (if s.S.transmitting
then (if head(s.S,list)=l then x = 4 else x = 2) 
else x = 0)); 
eff(s,UP,s’) = (
s’.S.transmitting 
/\ s’.S.wire_high
36 Proof-checking an Audio Control Protocol with LP
/\ (if head(s.S.list) = 1
then s’.S.list = tail(s.S.list) /\ s’.S.x = 0 
else s’.S.list = s.S.list /\ s’.S.x = s.S.x)
/\ s’.error = s.error
/\ (s.R.list = empty => s’.R.list = [1])
/\ (last(s.R.list) = 0 /\ s.R.list ~= empty =>
(s.R.x < 3 => s’.R.list = empty)
/\ (3 <= s.R.x /\ s.R.x < 5 => s’.R.list = s.R.list ~ [0])
/\ (5 <= s.R.x => s’.R.list = s.R.list ~ [0] ~ [1]))
/\ (last(s.R.list) = 1 =>
(s.R.x < 3 => s’.R.list = empty)
/\ (3 <= s.R.x /\ s.R.x < 5 => s’.R.list = s.R.list ~ [1])
/\ (5 <= s.R.x /\ s.R.x < 7 => s’.R.list = s.R.list ~ [0])
/\ (7 <= s.R.x => s’.R.list = s.R.list ~ [0] ~ [1]))
/\ s’.R.x = 0);
The UP action corresponds to an up-going edge on the wire. The sender generates the UP’s 
and DOWN's as required by the Manchester encoding. The receiver’s algorithm to decode the 
message via the UP actions is a direct formalization of the algorithm in Philips’ documentation.
7,7, *** DOWN ***
pre(s,DOWN) = aux( s, s. S . x ,DOWN); 
aux(s,x,DOWN) = ( 
s.S.wire_high
/\ (if s.S.list ~= empty /\ head(s.S .list) = 0 then x = 4 else x = 2)); 
eff(s,DOWN,s’) = (
(if s.S.list = empty \/ s.S.list = [0] 
then ~s’.S.transmitting
else s’.S.transmitting = s.S.transmitting)
/\ ~s’.S.wire_high
/ \  (if s.S.list "= empty / \  head(s.S.list) = 0
then s’.S.list = tail(s.S.list) /\ s’.S.x = 0 
else s’.S.list = s.S.list /\ s’.S.x = s.S.x)
/\ s’.error = s.error 
/\ s’.R = s.R);
The DOWN action of course corresponds to a down-going edge on the bus. The receiver 
does not observe this action, and indeed the values of the state variables of the receiver do not 
change ( ).
7,7, *** out ***
pre(s,0UT(m)) =
(m = finalize(s.R.list) /\ aux(s,s.R.x,0UT(m))); 
aux(s,x,0UT(m)) = (
s.R.list "= empty 
/\ (if last(s.R.list) = 0 then x = 7 else x = 9)); 
eff(s,OUT(m),s’) = ( 
s’.R.list = empty 
/\ s’.R.x = s.R.x
2.10 The traits 37
/\ s’.S = s.S
/\ s’.error = s.error);
When the receiver received the complete message the OUT action happens. Hereafter the 
receiver is ready to receive a new message.
7,7, *** TIME *** 
isStep(s,TIME(t), s’) = ( 
t > 0
/\ s’.S.transmitting = s .S.transmitting 
/\ s’.S.wire_high = s .S.wire_high 
/\ s’.S.list = s.S.list 
/\ s’.error = s.error
/\ (1-T) <= ((s’.S.x - s.S.x) / t) /\ ((s’.S.x - s.S.x) / t) <= (1+T) 
/\ ((\E y (y >= s.S.x /\ aux(s,y,UP))) =>
(\E z (z >= s’.S.x /\ aux(s’,z,UP))))
/\ ((\E y (y >= s.S.x /\ aux(s,y,DOWN))) =>
(\E z (z >= s’.S.x /\ aux(s’,z,D0WN))))
/\ s’.R.list = s.R.list
/\ (1-T) <= ((s’.R.x - s.R.x) / t) /\ ((s’.R.x - s.R.x) / t) <= (1+T) 
/\ ((\E y (y >= s.R.x /\ aux(s,y,OUT(m)))) =>
(\E z( z >= s’.R.x /\ aux(s’,z,0UT(m))))))
In the TIME action the discrete variables ( tr a n s m itt in g , w ire_high, l i s t ,  e r ro r )  are 
not allowed to change. Only the clocks are advanced by ‘about’ t, formally: for both clocks 
(1 — T) < < (1 +  T) must hold.
2 . 1 0 . 2  P
In this appendix the correctness criterion is given. It is a LSL-version of system P  of [BPV94].
P : trait
includes System(P), Time, List, CommonActions(P)
States[P] tuple of list : List, 
chaos : Bool, 
x : T ime
introduces
aux : States[P], Time, Actions[P] -> Bool 7,7, auxiliary-function
asserts
Actions[P] generated by IN, OUT
\forall s,s’ : States[P], t : Time, m : List, x,y,z: Time
start(s) = (s.list = empty /\ not(s.chaos));
pre(s,IN(m)) = ( 
head(m) = 1
/\ (odd(length(m)) \/ last_two(m) = [0] ~ [0])); 
eff(s,IN(m),s’) =
38 Proof-checking an Audio Control Protocol with LP
(if s.list = empty-
then (s’.list = m /\ s’.x = 0 /\ s’.chaos = s.chaos) 
else (s’.chaos = true /\ s’.list = s.list /\ s’.x = s.x));
pre(s,0UT(m)) = aux(s,s.x,OUT(m)); 
aux(s,x,OUT(m)) = (
( s.list = m 
/\ s.list ~= empty
/\ ((1-T)*x) <= ((4 * tdength(s.list))) + 5))
\/ s.chaos); 
eff(s,OUT(m),s’) =
(s’.list = empty /\ s’.chaos = s.chaos /\ s’.x = s.x);
isStep(s,TIME(t),s’) = ( 
t > 0 
/\ s’.list = s.list 
/\ s’.chaos = s.chaos 
/\ s’.x - s.x = t
/\ \A m ((\E y (y >= s.x /\ aux(s,y,OUT(m)))) =>
(\E z( z >= s’.x /\ aux(s’,z,0UT(m))))))
2 . 1 0 . 3  C o m m o n A c t i o n s
The trait given in this appendix is needed for technical reasons. In LSL sorts are disjunct and 
here a CommonActions sort is introduced to make it possible to compare actions of different 
systems.
CommonActions(A) : trait 
assumes System(A) 
introduces
IN : List -> Actions[A]
OUT : List -> Actions[A]
TIME : Time -> Actions[A]
IN : List -> CommonActions
OUT : List -> CommonActions
TIME : Time -> CommonActions
asserts \forali m: List, t : Time 
common(IN(m)) = IN(m); 
common(OUT(m)) = OUT(m); 
common(TIME(t)) = TIME(t); 
isVisible(IN(m)); 
isVisible(OUT(m)); 
isVisible(TIME(t))
2 . 1 0 . 4  B i t
In this appendix a small trait for the sort Bit is given. Bits are the elements of the messages 
transmitted by the protocol.
Bit : trait
2.10 The traits 39
introduces 
0,1 : -> Bit 
asserts \forali bit: Bit 
(bit = 1) V  (bit = 0); 
1 ~= 0
2 . 1 0 . 5  N a t
The sort Nat is introduced because it is the result sort of the le n g th  function on lists.
Nat : trait 
introduces 
0 : -> Nat 
s : Nat -> Nat
_ + _ : Nat, Nat -> Nat
odd: Nat -> Bool 
asserts
Nat generated by 0,s 
\forali n,nl: Nat
0 ~= s(n);
s(n) = s(nl) <=> n = nl; 
n + 0 = n;
n + s(nl) = s(n + nl);
~odd(0);
odd(s(n)) = ~odd(n)
2 . 1 0 . 6  T i m e
Here the Time trait is given. It is discussed in section 2.5.1.
Time : trait
includes Bit, AC(+,Time), AC(*,Time), Nat 
introduces
<= , . >= : Time, Time ■-> Bool
< , . > : Time, Time ■-> Bool
+ > . - : Time, Time -> Time
* , . / : Time, Time -> Time
m : Time -> Time
d : Time -> Time
min : Time , Time -> Time
t : Bit -> Time
t : Nat -> Time
0,1,2,3,4,5,6,7,8,9 : -> Time
10,11,12,13,14,15,16,17,18,19,20 : -> Time
#   : Time,Time -> Bool
T,pTmT,mTpT : -> Time
asserts \forali x,y,z,t: Time, n : Nat
40 Proof-checking an Audio Control Protocol with LP
n
7.7.
7.7.
7.7.
7.7.
7.7.
Studies in Logic and the Foundations of Mathematics. 
(Chang, C. C. and Keisler, H. J.)
Volume 73 Model Theory (Page 37)
LINEAR ORDER Axioms, 
x <= y /\ y <= z => x <= z; 7.7. TimeLl 
x <= y /\ y <= x => (x = y) ; 7.7. TimeL2 
x <= x; 7.7. TimeL3
x c= y V  y <= x; 7.7. TimeL4
ABELIAN GROUPS.
7.7. x + (y + z) = (x + y) + z; 7.7. 
x + 0 = x; 7.7. Timeld
7.7. \E y (x + y = 0 / \ y  + x = 0);%% 
x + m(x) = 0; 7.7. TimeMx
7.7. x + y = y + x; 7.7.
FIELDS = These 6 axiomas + Abelian groups.
1 * x = x; 7.7. TimeUn
y) * z; 7.7.
7.7.
*
(associativity of +) 
(identity)
(existence of inverse) 
(commutativity of +)
(y 
y =
* z) = (x 
y * x;
z) =
(1 is unit)
(associativity of *)
(commutativity of *)
(y + z ) ;%% TimeDis (distributivity of * over +)
7.7. Time 10
x = 1) ; 7.7. (existence of multiplicative inv.)
1); 7.7. TimeDx
7.7.
7.7. x *
7.7. x *
(x * y) + (x *
0 ~= l:Time;
7.7. X ~= 0 => \E y (y 
x ~= 0 => (x * d(x) =
ORDERD FIELDS = These 2 + Field + Linear Order, 
x <= y => (x + z) <= (y + z) ; 7.7. TimeFl 
x <= y /\ 0 <= z => (x * z) <= (y * z) ; 7.7. TimeF2
t(0:Bit) = 0; 
t(l:Bit) = 1; 
t(0:Nat) = 0; 
t(s(n)) = t(n) + 1;
7.7. Notational convenience.
x >= y n «<! A = x ;
(x <= y /\ x y) = X < y; 7.7. TimeLT
x > y = y < x ;
x/y = X * d(y) ;
x - y = X + m(y) ;
min(x,y) = (if x <= y then x else y);%% TimeMin
1 + 1 = 2; 2 + 1 = 3 3 + 1 = 4; 4 + 1 = 5; 5 + 1 = 6
6 + 1 = 7; 7 + 1 = 8 8 + 1 = 9; 9 + 1 = 10; 10 + 1 = 11
11 + 1 = 12 ; 12 + 1 = 13 13 + 1 = 14; 14 + 1 = 15; 15 + 1 = 16
16 + 1 = 17; 17 + 1 = 18 18 + 1 = 19; 19 + 1 = 20;
7.7. Specific for this proof:
0 < T /\ T < (1/17) ;
pTmT = ((1+T)/(1-T)); mTpT = ((1-T)/(1+T));
((((1-T) / (1+T)) * x) <= y /\ y <= (((1+T) / (1-T)) * x)) = x # y
Chapter 3
The Bakery Protocol: 
A Comparative Case-Study 
in Formal Verification
With Henri Korver
Abstract Groote and Korver verified (a version of) the Bakery Protocol in ^CRL. Their 
process-algebraic verification is rather complex compared to the protocol. Now the question 
is: How do other verification techniques perform on this protocol? As a first answer, we present 
a new correctness proof by using I/O-automata theory and discuss the relative merits of both 
approaches.
3.1 Introduction
In this chapter, we verify a particular version of the Bakery Protocol1 for an arbitrary large 
capacity max by means of I/O automata theory. The parameter max ranges over (positive) 
integers and denotes the number of standing places in the bakery shop where the protocol is 
running. The correctness proof is developed and checked with the aid of the Larch Prover 
[GH93] which is a theorem prover based on first-order logic. Our verification method is semi­
automatic in the sense that the intelligent proof steps are provided by the user. This is to be 
contrasted with fully-automatic (finite-state) tools like CWB [CPS93], Auto [SV89], Aldébaran 
[FKM93], SPIN [Hol91], COSPAN [KL93], etc, where the protocol can only be treated for a 
fixed capacity, e.g. for the instance max =  10.
The protocol derives its name from the well-known situation in a busy bakery shop where 
customers pick a number at the ticket machine in order to guarantee that they are served in a 
proper order. It is based on the old FIFO principal (first in, first out); the customer who’s ticket 
matches with the clock of the baker is served first. In fact, correctness is formulated by stating 
that, after abstraction from the ticket machine and the clock, the Bakery Protocol has the same 
external behaviour as a bounded FIFO queue.
1This name is used earlier by Lamport [Lam74] for another protocol.
42 The Bakery Protocol
Just recently this well-known protocol has been used as a bench-mark for testing the suit­
ability of ^CRL [GP95, GP94] as a verification method for distributed systems in [GK95c]. 
This example is considered as an interesting case-study because the protocol is concurrent and 
crucially depends on data parameters ranging over infinite domains. In this aspect the protocol 
is for instance more advanced than the Alternating Bit Protocol in which all data types are finite.
The protocol consists of four actions: ENTER (entering the bakery shop), TICKET (picking 
a number from the ticket machine), COUNTER (walking to the counter-desk) and OUT (leaving 
the bakery). The correctness criterion is that, after abstraction of the TICKET and COUNTER 
actions, the Bakery Protocol has the same external behaviour as a FIFO queue. For the first 
time a rigorous proof of this correctness criterion has been given in [GK95c] by using ^CRL 
[GP95, GP94] which is an extended version of ACP [BW90] with abstract data types. This 
approach is called process algebraic [Mil89, BW90] as it is primarily based on equational 
reasoning. The ^CRL proof is compact and precise, but rather advanced and technical for such 
relatively simple protocol.
In this chapter, we will verify the Bakery Protocol by using I/O automata theory [LT89]. In 
this approach, correctness is proven by establishing a simulation relation between two automata 
(transition graphs). More concretely, here we will establish a bisimulation relation between the 
automata representations of the Bakery Protocol and the FIFO queue.
One of the advantages of the approach followed here compared with [GK95c] is that the 
verification is rather intuitive and does not require advanced prescience. Another point is that 
our verification is easy to formalise and check by the Larch Prover [GH93]. To our knowledge, 
this is the first time that the Bakery Protocol has been proof-checked. We expect that, at the 
moment, computer checking the ^CRL proof would require significantly more effort. However, 
this has not yet been investigated. Of course the verification model used in this chapter also has 
several disadvantages. And we shall discuss the pros and cons of both the ^CRL approach and 
the one followed here.
As a final point we mention that we came up with two different proofs for the Bakery 
Protocol in the I/O-automata model. One of the two appears to be far more elegant and signifi­
cantly shorter (about half the size) than the other. There are no well-known heuristics indicating 
which proof strategies lead to the best proofs. The lesson we learned is that it is very important 
to choose the most appropriate simulation (bisimulation) relation before starting the whole ver­
ification. Otherwise, the verification may become unnecessary involved. In the sequel, some 
heuristics are given drawn from our experiences.
The chapter is organised as follows. In the next section, we give a formal specification of 
the protocol (Impl). Then, in Section 3.3, we define its intended behaviour (P ). Correctness is 
proved by establishing a bisimulation relation between Impl and P  in Section 3.4. In Section
3.5 we provide an alternative correctness proof and discuss the differences with the one given 
in Section 3.4. The checking of our proofs using the Larch Prover is discussed in Section 3.6. 
In Section 3.7, we draw the conclusions of our work; in particular we compare our verification 
with the one given in [GK95c]. The model in which our verification takes place is given in 
Appendix 3.8. Finally, in Appendix 3.9 the Larch formalization of the protocol is listed.
3.2 Specification of the protocol
Data types play an important role in the specification of the Bakery Protocol. Therefore, we 
start with a description of the various data types that are used.
3.2 Specification of the protocol 43
3 . 2 . 1  D a t a
We assume a typed signature £  and a E-algebra A  which consists of the following components:
• a type Bool of booleans with constant symbols true and false, and a standard repertoire 
of function symbols ( a , v , —, ^ ) ,  all with the standard interpretation over the booleans. 
Also, we require, for all types S in £ , an equality, inequality, and if-then-else function 
symbol, with the usual interpretation:
. =  . : S xS  ^  Bool 
. =  . : S xS  ^  Bool
if .then  . else . : B oolxSxS  ^  S
Note the (harmless) overloading of the constants and function symbols of type Bool with 
the propositional connectives used in formulas. We will frequently view boolean valued 
expressions as formulas, i.e., we use b as an abbreviation of b = true.
•  a type In t of integers, with a standard repertoire of function symbols + , —, < , __  We
also need the constant max which denotes the maximal number of standing places in the 
Bakery Protocol. We assume that max > 0. In the proof it is sometimes convenient to 
interpret booleans as integers. Therefore we will use the conversion function ¡ : Bool ^  
In t with ¡(true) =  1 and ¡(false) =  0. For readability we omit the symbol ¡ in expressions.
• a type D ata of customers who enter the bakery shop.
• a type Pair in order to attach a number to a customer, with a function symbol [., .] : 
Data x In t ^  Pair for constructing pairs of customers and natural numbers in the usual 
way. We write p. for the first component and p. for the second component of 
a pair p .
•  a type Bag of finite multisets over the domain of Pair, with a constant symbol 0 , denoting 
the empty multiset, a function symbol {.} : Pair ^  Bag for the operation which assigns 
to a pair the corresponding multiset and a function symbol U : Bag xB ag ^  Bag for 
the union of multisets. Beside these constructors we have the function symbols delete : 
P airxB ag  ^  Bag, e: P airxB ag  ^  Bool, and size : Bag ^  In t . tó e te  deletes an 
element from a bag. Note that in multisets just one copy of an element is removed in case 
there are duplicates. Furthermore, e tests whether or not an element occurs one or more 
times in a bag, and size returns the number of elements (including duplicates) that are in 
a bag.
•  a type Queue of finite queues over the domain of Data, with a constant symbol e, de­
noting the empty queue, and a function symbol append : D atax  Queue ^  Queue, 
denoting the operation of prefixing a queue with a data element. Besides these construc­
tors, there are function symbols head : Queue ^  Data, tail : Queue ^  Queue, and 
len : Queue ^  Int. The function head takes the element that was appended to the queue 
at first, returns the remainder of a queue after removal of the head element and 
returns the length of the queue.
44 The Bakery Protocol
ENTER TICKET B COUNTER O OUT
Figure 3.1: The Bakery Protocol.
3 . 2 . 2  P r o t o c o l  s p e c i f i c a t i o n
We specify the Bakery Protocol (see Figure 3.1) in terms of three components:
The ticket machine Automaton I  (in-sequencer) given in Figure 3.2 models the behavior of 
the ticket machine. A customer, given by the constant d, entering the bakery shop is 
modeled by the action ENTER(d). The state variable fu ll indicates whether (or not) the 
ticket machine is already occupied. If this is the case, the variable datum represents the 
customer who is standing at the ticket machine. By the action TICKET([d, i ]) customer 
d  actually picks a number i and the counter is incremented by one. Initially, the value of 
the counter is set to zero and nobody is standing at the ticket machine.
The shop The standing places of the bakery are modelled by automaton B  (bag) given in Figure 
3.3. The customers in the shop are modelled by the variable bag which denotes a multiset,
i.e. a set that may contain duplicates. In contrast with a Queue, the data type Bag does 
not impose an ordering on the elements. This is exactly the essence of the protocol: 
customers are not tight to a fixed position but are free to stand wherever they want. A 
customer with a ticket, represented by the pair p, walking into the shop is modelled 
by the action TICKET(p). By the action COUNTER(p) he arrives at the counter-desk. 
Note that the function delete  only removes one element from the bag in case there are 
duplicates.
External ENTER, TICKET
State Variables datum : Data, fu ll : Bool, count : In t
Initialization fu ll =  false A  count =  0
ENTER(d : Data) TICKET(p : Pair)
Precondition Precondition
full =  false p =  [datum, count] A  full =  true
Effect Effect
datum := d full := false
full := true count := count +  1
Figure 3.2: Automaton I.
3.2 Specification of the protocol 45
External TICKET.\ COUNTER 
State Variables bag : Bag 
Initialization bag =  0
TICKET(p : Pair) COUNTER(j> : Pair)
Precondition Precondition
size(bag) < max p e bag
Effect Effect
bag := {p} U bag bag := delete(p, bag)
Figure 3.3: Automaton B.
The clock Automaton O (out-sequencer) given in Figure 3.4 models the clock of the bakery. 
The working of the clock and the ticket machine are very similar. When the boolean 
variable fu ll is true then the variable datum gives the customer that is served. Otherwise, 
there is nobody at the counter-desk. The action COUNTER(p) expresses that the cus­
tomer given by p .datum is selected to be served next. This is the case when his number 
p.index is equal to the value of the clock, which is represented by variable count. After 
being served, he leaves the shop by the action OUT(p.datum ). In the mean time, the 
counter of the clock is incremented by one. Analogously to the ticket machine, the clock 
starts counting from zero.
The full protocol Bak is defined as the parallel composition of automata I , B , and O , with 
communication between these components hidden:
Bak =  HIDEH IN ( I ||B ||O)
where H  =  {TICKET(p), COUNTER(p) | p  in domain Pair}. The fact that a customer, after 
picking a number at the ticket machine, directly enters the shop (represented by the variable
External COUNTER, OUT
State Variables datum : Data, fu ll : Bool, count : In t
Initialization fu ll = false A count =  0
COUNTER(p : Pair) OUT(d : Data)
Precondition Precondition
full =  false a full =  true A datum =  d
count =  p. index Effect
Effect full := false
full := true count := count +  1
datum := p.datum
Figure 3.4: Automaton O.
46 The Bakery Protocol
External ENTER, OUT 
State Variables queue : Queue 
Initialization queue =  e
ENTER(d : Data) OUT(d : Data)
Precondition Precondition
\en(queue) < max +  2 d =  head(queue) A
Effect queue ^  e
queue := apperid (d, queue) Effect
queue := tail (queue)
Figure 3.5: Automaton P.
bag) is modeled by synchronizing on the TICKET actions of automata I  and B . And syn­
chronization on the COUNTER actions of automata B  and O expresses that a customer who’s 
number matches the value of the clock immediately reaches the counter-desk. Declaring these 
actions to be internal can be interpreted as standing outside the bakery such that one can only 
observe customers entering and leaving the shop.
3.3 Correctness criterion
The Bakery Protocol is supposed to work as a bounded queue with a maximal length of max +  
2; there can be max customers waiting for their turn, but there can also be a customer busy 
obtaining a number at the ticket machine and another customer can already have been selected 
to be served at the counter.
The behaviour of a queue of capacity max +  2 is specified by automaton P  in Figure 3.5. 
In the next section, we prove that Bak and P  are bisimilar, i.e. have the same behaviour. Two 
automata A and B  are bisimilar if, starting from the root, they can mimic their external actions 
in every following state as follows. When A can do an external action a, B can also perform an 
action a, possibly preceded and followed by internal actions, and vice versa. A formal definition 
can be found in Appendix 3.8.
3.4 The correctness proof
In order to establish a bisimulation between Impl and P  we must first gain insight into what are 
the reachable states of Impl. A well-known technique is to find a suitable number of invariants 
of the protocol, i.e. properties that are valid for all reachable states. It turned out that two simple 
invariants, which are given below, are sufficient.
Both invariants are proved in LP by induction on the length of the executions to the reachable 
states. Definitions of the notions execution and reachable can be found in Appendix 3.8. As 
an illustration we have included the full proof of the invariant INV2 (Lemma 2). In order to 
distinguish between the state variables of different components of Impl, we prefix each state 
variable by the name of the component it originates from. The following invariant states that 
the capacity of the bakery shop is never exceeded.
3.4 The correctness proof 47
Lemma 1. For all reachable states o f Impl the following property INV1 holds:
size(B.bag) < max
The invariant INV2 below says that the value of the ticket machine is equal to the value of the 
clock plus the number of customers that are in the shop (including the person that is served at 
the counter-desk).
Lemma 2. For all reachable states o f Impl the following property INV2 holds:
I  .count =  size( B .bag) +  O .count +  O .full
Proof. Let s ' be a reachable state of Impl. By induction on the length n of the shortest execution 
of Impl that ends in s ', we prove s ' =  INV2. If  n =  0 then s ' is a start state. Hence s ' =
I  .count =  0 a  size(B .bag) =  0 a  O .count =  0 a  — O . fu l l ,  which implies s ' |= INV2.
For the induction step, suppose that s ' is reachable via an execution with length n +  1. Then 
there exists a state s that is reachable via an execution of length n and s s ', for some action 
a. By the induction hypothesis we have s |= INV2. We prove s ' |= INV2 by case distinction on
a .
•  Assume a =  ENTER(d). Then s ' =  INV2 trivially follows from s =  INV2 and the 
observation that a does not change any of the state variables mentioned in INV2.
Assume a =  TICKET( p)
1) s |= I  .count =  size(B .bag) +  O .count +  O . f u l l
2) s |= suec(I.count) =  size(B .bag U p) +  O.count +  O .fu l l
3) s '
4) s '
Assume
1) s |-
2) s
3) s '
4) s '
Assume
1) s |-
2) s
3) s '
4) s '
=  I  .count =  B .bag +  O .count +  O . fu l l  
INV2
a =  COUNTER(p)
= I  .count =  siz e( B .bag) +  O .count 
= I  .count =  siz e(delete( p, B .bag)) +  O .count +  1 
=  I  .count =  size(B .bag) +  O .count +  O . fu l l  
INV2
a =  OUT (d)
= I  .count =  siz e( B .bag) +  O .count +  1 
= I  .count =  size(B .bag) +  succ( O .count )
=  I  .count =  size(B .bag) +  O .count +  O . fu l l  
INV2
(by i.h.)
(by 1)
(by 2 and effect) 
(by 3)
(by pre. and i.h.) 
(by 1 and p  e bag) 
(by 2 and effect) 
(by 3)
(by pre. and i.h.) 
(by 1)
(by 2 and effect) 
(by 3)
□
These two simple invariants are needed for establishing a bisimulation between Impl and P . 
Before embarking on the main theorem, we introduce the auxiliary function symbol number : 
Queue x In t ^  Bag. Given a queue q and a number i , number attaches consecutive numbers to 
elements of q counting from i downwards and puts them in a bag. This function is completely 
characterised by the following two axioms:
48 The Bakery Protocol
number(e, i ) =  0
number(append(d, q ), i ) =  {[d, i ]} U number(q, i — 1)
Theorem 1. The relation BISIM defined by the following formula is a (weak) bisimulation 
between Impl and P :
(if I  .full the n {[I .datum, I  .count]} else 0 )  U B .bag U 
(if O.full then {[O.datum, O.count]} else 0 )
number (queue, I  .count — 1 +  I  .full)
This theorem is proved by using the two invariants given above. At the end of this section 
(Lemma 3) we present a part of the hand-written proof as an illustration. There one can see why 
for instance invariantINV2 is actually needed. In Section 3.6 we report on the formalisation of 
the proof in the Larch Prover.
The intuition behind the relation BISIM  given above is simple. It directly expresses that the 
customers in the bakery shop act as if  they were placed in a FIFO queue on the basis of their 
number.
Corollary 1. Impl P.
Proof. Immediate by Theorem 1 and Definition 2 (see Appendix 3.8). □
Corollary 1 says that Impl and P  are bisimilar, i.e. ‘have the same behaviour’, see Definition
2 in Appendix 3.8. In other words, every external action -  possibly preceded or followed by 
internal actions -  performed by Impl can be mimicked by P  and vice versa.
Next we will give a fragment of the proof that BISIM  is indeed a bisimulation. Here the 
manual proof is presented and in Section 3.6 the LP version is presented. The proof fragment 
is the lemma stating that if  two states are bisimilar and both systems do an OUT action the new 
states are bisimilar again.
Lemma 3. For all reachable states s in Impl and u in P we have that:
OUT(d) OUT(d)
(s, u ) e BISIM  a  s — ► s ' a  u — ► u ' ^  (s ', u ') e BISIM.
Proof. Assume that the left-hand side of the implication holds. Then we prove that (s ', u') e 
BISIM  as follows.
1. s. O . f u l l  (by precondition of OUT)
2. (if s. I . f u l l  then [I .datum, I  .count] else 0 )  U s. B .bag U [s.O .datum, s. O .count]
=  numb er(u .queue, s. I  .count — (1 — s. I  .full)) (by BISIM  and 1)
3. s. I  .count =  size(s. B .bag) +  s.O .count +  1 (by INV2 and 1)
4. Assume —s. I  .full
4.1 s .B.bag U [s.O.datum, s.O.count] =  number(u.queue, s.I.count — 1)
4.2 s. I  .count — 1 =  size(s. B .bag) +  s. O .count (by 3)
4.3 numb er (tail(u. queue), s. I  .count — 1) =  s. B .bag (by 4.1, 4.2 and DnumU)
4.4 numb er(u ' .queue, s '. I  .count — 1) =  s '. B .bag (by effect and 4.3)
4.5 —s '. I  .full a  —s ' .O .full (by effect)
4.6 (s', u') e BISIM  (by 4.4 and 4.5)
3.5 A more general bisimulation to prove the same 49
5. Assume s. I  .full. Then we can also prove that (s ', u ') e BISIM  in a similar way as the 
—s. I  .full case.
6. Q.E.D. (by 4 and 5)
In Step 4.3 above, data identity DnumU is used: 
number(q, i +  size(b)) =  b U {[d, i ]} ^  head(q) =  d  a  number(tail(q), i +  size(b)) =  b. 
Of course this identity is checked in LP. □
3.5 A more general bisimulation to prove the same
In I/O-automata proofs finding the right (bi)simulation and invariants is of course very impor­
tant. The length and readability of different approaches can variate greatly. In this section we 
report on an “old” bisimulation relation BISIM' that needed a proof more than twice as long as 
BISIM. We tried to find out what caused the longer proof, to prevent us making such mistake an 
other time. After presenting the old relation BISIM' we will explain what is “wrong” with it.
BISIM  =  corr(
(if I  .full the n {[I .datum, I  .count]} else 0 )  U B .bag U 
(if O fu l l e e  n {[ O .datum, O .count]} else 0 )
, queue)
where the equation
corr(b, q) =  if isEmpty(q) then isEmpty(b)
else if [toe(q), rn a x j(b)] e b
then corr(delete([toe(q), rnaxj(b)], b), untoe(q)) 
else false
defines the function : Bag x Queue ^  Bool.
In the equation above, toe(q) denotes the last element that is appended to the queue q , and 
rnaxj (b) denotes the largest number that is attached to the customers in the bag b. Further­
more, isEmpty (q) and isEmpty (b) stand for q =  e and b =  0 , respectively. The function corr 
determines a crucial correspondence between being the customer with the highest number in 
the bag b and being the customer who stands at the back of the queue q . In both situations you 
are served last.
This BISIM' is larger than BISIM (BISIM d BISIM) which means that the proof has to 
be constructed by means of a weaker hypothesis. For instance BISIM' does not require that 
the numbers in the bag are successive. And this is a crucial property of the protocol: the 
out-sequencer takes the customers out in successive order, if  a number is missing the Bakery 
Protocol deadlocks.
Example 1. Let s be a state of Impl satisfying s. I  .count =  3, s. I  .full =  s. O .full =  false and 
s .B.bag =  {[d2, 2], [d1, 0]}. And let u be a state of P  satisfying
u.queue =  append(d2, a p p e n d ^ , e)).
Then (s, u) e  BISIM  and (s, u) e BISIM'. The states s and u are not bisimilar because P  can 
do OUT(d1), OUT(d2), and Impl can not do any OUT(d) action after OUT(d1). But BISIM' is 
still a valid bisimulation relation because s is not reachable.
50 The Bakery Protocol
We used Lemma 4 to prove that states like s are unreachable, it expresses that the ticket numbers 
are distributed in a successive order, starting from I  .count — 1 counting downwards.
Lemma 4. For all reachable states o f Impl the following property INV3 holds:
I  .count — size( B .bag) < i < I  .count 3 d. [d, i ] e B .bag
The proof of this invariant is far more involved than the proofs of the two invariants needed 
in the final proof. And note that this extra invariant is needed just because BISIM' relates more 
non-bisimilar states than BISIM  does.
An other difference is that the new definition does not use the toe, untoe and rnaxj func­
tions. Also the corr function is not used but that is no real gain because we use the number 
function instead. We think that in practice reducing the number of functions over data can 
reduce the number of data lemmas.
The last advantage of the new BISIM  is, that in our opinion, the number function is more 
intuitive than the corr function. The number function recursively builds a bag of pairs by as­
signing indexes to the data elements in the queue. The corr function does something similar the 
other way around: it destructs the bag and the queue as long as the corresponding data elements 
are the same. We think the recursion in the corr function over the bag and the queue is more 
complex than the recursion in the number function, and that this extra complexity contributes 
to the length of the proof.
We think that this example indicates that in certain cases the choice of a (bi)simulation 
can influence the length of the proof considerable. Though we think that it is impossible to 
give a cook book to construct the (bi)simulation with the shortest proof, the above mentioned 
differences probably deserve some attention when comparing (bi)simulations.
3.6 Checking the proof in LP
In this section we will report on the use of the Larch Prover (LP) [GG, GH93] by which the 
proofs of the invariants and the bisimulation have been checked. LP is a proof checker or 
as the authors put it a proof debugger, it does not use complicated heuristics to search for a 
proof. It supports first-order logic and is based on rewriting. When LP is asked to prove a 
conjecture, it typically normalizes the conjecture using the rewrite-rule versions of the axioms 
and the lemmas that have already been proved. When a normal-form is reached the proof 
is suspended and the user can invoke a command. We will mention a few typical options: 
The user can start a proof by cases, making LP to generate a subgoal for each case. A proof 
by induction is possible when a sort has a set of generators. This set of generators must be 
given by the specifier. LP will generate a subgoal for each generator. An other possibility is 
to apply a rewrite rule in the reversed direction, this is allowed because the rewrite-rules are 
oriented axioms, not implications. When quantifiers are involved variables or constants can be 
fixed, specialized or generalised. Furthermore LP can compute critical-pairs and complete a set 
of rewrite-rules. Besides these proof-commands LP has commands to direct the orienting of 
axioms into rewrite-rules, to make rewrite-rules inactive, to make proof scripts, etc. Because 
a proof in LP is based on rewriting, the tool is good at it: it is fast and rewriting modulo 
associativity and commutativity is supported.
Before we can prove anything we must formalize the problem (the bakery protocol and it’s 
correctness). In this case-study we used the Larch Shared Language (LSL) [GH93] for this
3.6 Checking the proof in LP 51
purpose. The specifications in LSL can be translated by the l s l  tool to LP input scripts. So 
from our point of view LSL is a front-end language for LP.
LSL is an algebraic specification language. It supports modules, called t r a i t s ,  that can 
include other traits. In a trait sort- and function-symbols are introduced, the signature of the 
functions is declared and properties of the functions can be defined by axioms expressed in 
first-order logic.
For the formalization of the I/O-automata notions we used the formalization of [LSGL94] as 
a starting point and adapted these for the model we use, see Section 3.9 for a listing of the traits 
involved. Because no timing is involved, we do not need the Bounds and TimedAutomaton 
traits of [LSGL94], in the trait Automaton we changed some names and the type of the effect 
function. Effect was a predicate
e f f e c t  : S ta te s [A ] ,A c tio n s[A ], S ta te s[A ] -> Bool
The effect predicate holds when a transition exists from the first argument state to the third 
argument state by the second argument action. Because the bakery protocol is deterministic, it 
is possible to use an effect function 
e f f :  S ta te s [A ] , A ctions[A ] -> S ta tes[A ]
that returns the target state given the current state and the action. This formalization is less 
general, because non-determinism is not expressible, but it has the advantage that LP computes 
the new state.
In Figure 3.6 the trait defining the full protocol Impl is depicted, see Section 3.3 for the 
definition of Impl. The line numbers are added for reference only.
Note that the composition operator (||) and the (HIDE IN) operator are not formalized in 
LP. We think it is hard to do so because these are higher-order notions and LP only supports 
first-order logic.2
Next we will give some elucidation to Figure 3.6.
line 2. The trait Automaton is included. Traits can have parameters, in this way the Automaton 
trait can be re-used (twice): once for the definition of trait Bak and once for the trait 
P. Furthermore the Bag and In te g e r  traits are included, these are taken from a Larch 
Library [GH93].
line 3-6. The sorts P a ir  and S ta te s  [Bak] are tuples. A tuple is comparable to a record in 
Pascal or C.
line 9-10. The constant max and actions TICKET, COUNTER are declared.
line 12. The g en e ra ted  by clause expresses that every action is a ENTER, TICKET, COUNTER 
or OUT action.
line 13. The \ f  o r a l i  construct declares the variables that are used in the axioms.
line 14-end. Here the definitions for the functions are given: The i n i t  function to denote the 
start states and the p re  and e f f  functions to specify the transition system representation 
of the Bakery Protocol.
2In contrast to the process-algebraic notion of parallel composition also notated as (||) the I/O-automata notion 
of composition is very easy to compute, it can be syntacticly defined for specifications in the precondition/effect 
style.
52 The Bakery Protocol
[ 1] Bak : trait
[ 2] includes Automaton(Bak), Bag(Pair,B), Integer(Int)
[ 3] Pair tuple of datum: D, index: Int
[ 4] States[Bak] tuple of I:Sq, B:Bg, 0:Sq
[ 5] Sq tuple of full : Bool, datum : D, count : Int
[ 6] Bg tuple of bag : B 
[ 7]
[ 8] introduces
[ 9] TICKET, COUNTER: Pair -> Actions[Bak]
[10] max : -> Int
[11] asserts
[12] Actions [Bak] generated by ENTER, TICKET, COUNTER, OUT
[13] \forali s, s’: States[Bak], d:D, i:Int, p:Pair
[14]
[15] ~isExternal(TICKET(p)) /\ ~isExternal(COUNTER(p));
[16]
[17] max > 0 ;
[18]
[19] init(s) == s.I.full = false /\ s.I.count = 0 /\ s.B.bag = {} /\
[20] s.O.full = false /\ s.O.count = 0;
[21]
[22] pre(s,ENTER(d)) == ~s.I.full;
[23] eff(s,ENTER(d)) == [[true,d,s.I .count],s.B,s.0];
[24]
[25] pre(s,TICKET(p)) == p.datum = s.I.datum
[26] /\ p .index = s .I .count
[27] /\ s.I.full = true
[28] /\ size(s.B.bag) < max;
[29] eff(s,TICKET(p)) == [[false,s.I .datum,succ(s.I.count)],[{p} \U s.B.bag],s.0];
[30]
[31] pre(s,C0UNTER(p)) == s.O.full = false
[32] /\ s.O.count = p.index
[33] /\ p \in s.B.bag ;
[34] eff(s,C0UNTER(p)) == [s.I,[delete(p,s.B.bag)],[true,p.datum,s.O.count]];
[35]
[36] pre(s,OUT(d)) == d = s.O.datum /\ s.O.full ;
[37] eff(s,0UT(d)) == [s.I,s.B,[false,s.O.datum,succ(s.O.count)]]
Figure 3.6: Larch version o f Bak.
3.7 Discussion 53
In Figure 3.7 the LP proof of INV2 (see Lemma 2) is depicted. The base-case of this induc­
tion proof is that the invariant holds in the initial states.
At line 4, LP is asked to prove this by assuming the left-hand side of the implication. LP 
implements this by introducing a new constant, say sc, and adding i n i t ( s c )  = t r u e  to the 
set of facts, the new goal is the right-hand side in v 2 (sc ). After normalization this seemed 
equal to tru e , so the implication holds. The diamonds (<>) and the boxes ( □ )  are generated 
by LP and denote that a (sub)-goal is introduced or proved, respectively.
The next prove command asks LP to prove the induction step. First the proof method is 
set to normalization and the =>-method. This setting causes LP to try normalization first and if 
the conjecture is in normal form and the top-function is an implication (=>) then the left-hand 
side is assumed. The first proof-step is a case distinction on the actions of Bak, coded in LP as 
a induction proof with only four base-cases and no induction step. The lines beginning with % 
contain comments, and are ignored by LP. For the COUNTER step LP needs a little help. Lemma 
:
p \ i n  b => s iz e ( d e le te ( p ,b ) )  = ( s iz e (b )  - 1)
is instantiated. With this help LP finishes the proof of inv2.
When using invariants in a proof of an other lemma we use the following: 
r e a c h a b le (s )  => in v 2 (s )
This is exactly: for all reachable states inv2 holds, and it follows directly from the definition of 
reachable and the induction proof. But we did not prove this within LP but added the following 
implication for every invariant instead.
( i n i t ( s )  => in v ( s ) )  / \
( re a c h a b le (s )  / \  in v (s )  / \  i s S t e p ( s , a , s ’ ) => in v ( s ’ ))
=> (re a c h a b le (s )  => in v (s ) )
In Figure 3.8 the LP version of the proof of Lemma 3 of BISIM  is depicted. In this proof the 
same commands as in the proof above are used. The resume by case  command instructs LP 
to make a case distinction on ~ sc . I . f u l l  (—sc. I  .full) and sc .1 . f u l l .
3.7 Discussion
We are content with the result of our work: the essence of the proof merely consists of an elegant 
bisimulation relation BISIM  together with two nice invariants (Lemma 1 and 2). Moreover, it 
turned out that our reasoning could rather easily be mechanised in LP. Below we report on our 
experiences with the Larch Prover and we compare our verification with the ^CRL verification.
3 . 7 . 1  R e m a r k s  o n  t h e  u s a g e  o f  L P 3
We think that LP is relatively easy to use, after reading the ninety pages of “A Guide to LP, 
The Larch Prover” [GG91] one can start using the tool. The tool is easy because: only first­
order logic is supported, no tactical language is supported and the rewrite paradigm is clean and 
simple. An other advantage is that the specifications in LSL are not only machine readable but 
also human readable, the LSL specifications are close to the natural mathematical notation.
3A more extensive discussion ofLP can be found in 2.8.2
54 The Bakery Protocol
declare operator inv2 : States[Bak] -> Bool 
assert inv2(s) = (s.I.count = size(s.B.bag) + s.O.count + 
(if s.O.full then 1 else 0))
prove :inv2: (init(s:States[Bak]) => inv2(s)) by =>
<> => subgoal 
[] => subgoal 
[] conjecture
prove :inv2: (reachable(s:States[Bak]) /\ inv2(s)
/\ isStep(s:States[Bak],a,s’) => inv2(s’)) 
set proof-method normalization, =>-method 
res by ind on a¡Actions[Bak]
<> basis subgoal % ENTER 
<> => subgoal 
[] => subgoal 
[] basis subgoal 
<> basis subgoal % TICKET 
<> => subgoal 
[] => subgoal 
[] basis subgoal 
<> basis subgoal % COUNTER 
<> => subgoal
ins b by sc.B.bag, p by pc in SIZE 
[] => subgoal 
[] basis subgoal 
<> basis subgoal % OUT 
<> => subgoal 
[] => subgoal 
[] basis subgoal 
[] conjecture 
qed
Figure 3.7: LP proof o f Lemma 2
3.7 Discussion 55
prove
:lemmaOUT:
BISIM(s,u) /\ pre(s:States[Bak] , OUT(d)) /\ pre(u:States[P],OUT(d)) 
/\ reachable(s:States[Bak] )
/\ s’: States[Bak] = eff(s,OUT(d)) /\ u ’: States[P] = eff(u,OUT(d))
=> BISIM(s’ ,u’ )
set order-method either-way 
res by =>
o  => subgoal
ins s¡States[Bak] by sc in Icount 
res by case "sc.I.full 
<> case "sc.I.full 
ins
b by sc.B.bag, d by sc.0.datum,
i by sc.0.count, q by uc.queue in DnumU
[] case "sc.I.full 
<> case "("sc.I.full) 
ins
b by {[sc.I.datum,sc.I.count]} \U sc.B.bag , d by sc.0.datum,
i by sc.0.count , q by uc.queue in DnumU
[] case "("sc.I.full)
[] => subgoal 
[] conjecture
Figure 3.8: LP proof o f Lemma 3
56 The Bakery Protocol
The LP proof of this chapter consists of about 430 commands, and it takes 15 minutes to 
run on a SUN SPARCstation 10. The proof is not optimized for length or execution time: 
sometimes a sequence of commands is repeated with only a small change and the first version 
could be deleted. But we did not because a proof with a few unnecessary commands is still a 
proof and computers do not bother about some useless repetition.
Within the current proof management system ofL P is it not possible to use a lemma before 
it is proved other than adding it as an axiom. So a proof must be constructed strictly bottom-up. 
To manage our proof of about 20 lemmas, we wrote a small program. It is a simple thirty line 
nawk4 program that makes it easy to chose the order in which the lemmas are proved. The 
input is a listing of all lemmas where for each lemma the sub-lemmas that the proof uses are 
mentioned. Given this information the program generates the administrative begin of a LP script 
to prove a lemma. That is: the axioms are loaded, the sub-lemmas are assumed and the proof 
obligation is stated. With this method a small script for each lemma is constructed instead of 
one big script for all lemmas. When finished, the scripts can be glued together to construct one 
script for the whole proof.
Our conclusion is that LP’s strong points are: easy to read specifications, easy to understand 
rewrite paradigm, fast rewriting, well documented. The weak points are: only first order and no 
tactical language. We think that the lack of a tactical language is a real disadvantage when the 
proof is big and a lot of “almost” repetition occurs is in it. The last problem we mention is that 
there is no public list of know problems/bugs. We think such list is useful for the users because 
they could check this list when they observe something strange and there is no need to further 
investigate it when it is already mentioned on the list.
3 . 7 . 2  C o m p a r i s o n  w i t h  t h e  f i C R L  v e r i f i c a t i o n
Below some differences between the ^CRL and the I/O automata verification are listed which 
we encountered during the case-study.
• In principle, the (hand-written) ^CRL verification of the Bakery Protocol fits completely 
within the proof theory defined in [GP94].
The proof of the Bakery Protocol given in this chapter relies on meta-theory. In fact, not 
everything has been mechanised in LP. For instance, Corollary 1 is a ‘meta-result’ and has 
not been proof-checked. Also I/O automata are treated here as a meta-linguistic notion 
and are not available as objects in LP. Instead they are formalised via I/O automata gener­
ators. Furthermore, the parallel composition and hiding operator used in the specification 
of the protocol (Impl) were not formalised due to the first-order nature ofLP. Recently, in 
[NS95] parts of the meta-theory of I/O automata are formalised in Isabelle/HOL which is 
a theorem prover based on higher-order logic.
• The ^CRL proof has not been proof-checked. The main reason for this is that verifica­
tions of a similar complexity as the verification of the Bakery Protocol have already been 
proof-checked in Coq (e.g. see [KS94, GvdP93, BBG95]). So in this setting not so much 
new can be learned.
• In ^CRL a more advanced version of the Bakery Protocol is verified. First, the ticket 
machine and the clock are counting modulo a fixed number (max). Second, the standing
4A pattern matching, C-like programming language that comes with most UNIX versions.
3.8 Verification model 57
places in the bakery shop are modelled by a sequence of one-place buffers that are put in 
parallel.
In this chapter we have simplified the specification of the Bakery Protocol by allowing the 
counters to have arbitrarily large values instead of working modulo a fixed number. The 
reason for this is that the verification becomes less involved without harming the essence 
of the protocol. For a similar reason we model the standing places of the bakery shop by 
a bounded bag instead of a parallel composition of one-place buffers.
•  ^CRL is a rather technical formalism and some effort is needed to get acquainted with it.
Many people are already familiar with invariant theory (reasoning with pre/post condi­
tions). Therefore, for the time being, we expect that the verification given in this chapter 
can be understood by a larger audience.
3.8 Verification model
Throughout the chapter we use a very simple version of the I/O automata model. In particular, 
we do not need to distinguish between input and output actions. Furthermore, in this chapter, we 
neither require fairness assumptions. So, this part of I/O automata theory is also left out. Most 
of the definitions given in this appendix are an adapted version of the ones given in [HSV94].
3 . 8 . 1  L a b e l l e d  t r a n s i t i o n  s y s t e m s  a n d  b i s i m u l a t i o n
Definition 1. A labelled transition system or automaton A consists of four components:
• a (finite or infinite) set states(A) of states,
• a nonempty set start(A) ç  states(A) of start states,
• a pair (ext(A), int (A)) of disjoint sets of external and internal actions, respectively. The 
derived set acts(A) of actions is defined as the union of ext(A) and int(A).
• a set steps (A) ç  states (A) x acts (A) x states (A) of steps.
We let s, s u , u ',.. range over states, and a,.. over actions. We write s —% A s ', or just s s ' 
if  A is clear from the context, as a shorthand for (s, a, s ') e steps(A).
Let A be an automaton. An execution fragment of A is a finite or infinite alternating se­
quence s0a 1s1a2s2 ••• of states and actions of A, beginning with a state, and if it is finite also 
ending with a state, such that for all i , si —+1 si+1. An execution of A is an execution fragment 
that begins with a start state. A state s of A is reachable if  it is the final state of some finite 
execution of A .
Suppose a =  s0a 1s 1a2s2 ••• is an execution fragment of A. Then trace(a) is the subse­
quence of a 1a2 ■ ■ ■ consisting of the external actions of A. For s, s ' states of A and ß a finite 
sequence of external actions of A, we define s = - As' iff A has a finite execution fragment with 
first state s , last state s ' and trace ß .
Definition 2. Let A and B  be two automata with the same external actions. A (weak) bisimula­
tion between A and B  is a  relation R  between the states of A and B  that satisfies the following 
four conditions:
58 The Bakery Protocol
1. If s is a  start state of A, then there is a start state u in B  such that (s, u) e R.
2. If u is a start state of B , then there is a start state s in A such that (s, u) e R.
3. If s ——a s ' , (s, u) e R  and both s and u reachable, then there exists a state u' of B  sucho
that u = - bu ' and (s', u') e R, where ß =  trace((s, a, s ')).
4. If u ——B u', (s, u) e R  and both s and u reachable, then there exists a state s ' of B  such 
that s = •  as  ' and (s ', u ') e R, where ß =  trace ((s, a, s ')).
Automata A and B  are called bisimilar, notated as A H, iff there exists a bisimulation 
between them.
Composition
Intuitively, the composition of a collection of automata is their Cartesian product, with the added 
requirement that automata synchronize the performance of shared actions. This synchronization 
models communication between system components: if  a is an external action of A and an 
external action of B , then the simultaneous performance of a models communication from A 
to B . Since we do not want synchronization involving internal actions, we require that the 
automata are compatible in the sense that they do not share these actions.
Formally, we say that action signatures S1, . . . ,  Sn are compatible if, for all i, j  e { 1 n} 
satisfying i =  j , int (Sì) H acts(Sj) =  0 . We say that a number of automata are compatible if 
their action signatures are compatible. The composition S  =  YY¡=1 Si of a finite collection of 
compatible action signatures S1, . . . ,  Sn is defined to be the action signature with
• ext(S) =  U ”=i ext (Si),
• int(S) =  U ni=i int (Si).
The composition A =  ||n= 1 Ai of a finite collection of compatible automata A 1, . . . ,  An is the 
automaton defined as follows:
• sig (A) =  n ^ g c ^
• states(A) =  states(Ai)x ■ ■ ■ xstates(An),
• start(A) =  start(Ai)x  ■ ■ ■ xstart(An),
• steps(A) is the set of triples (s, a, s') in states (A) x acts (A) x states (A) such that, for all 
1 < i < n, if  a e acts(Ai ) then ?[i ] —a A¡ sr[i ] else ?[i ] =  sr[i ].
We will sometimes write A 11| ••• ||An for ||"= 1 Ai .
Hiding
If S  is an action signature and I  ç  ext(S), then the action signature HID E I  IN S  is defined as 
the pair (ext(S) — I, int(S) U I). If A is an automaton and I  ç  ext(A), then HID E I  IN A is the 
automaton obtained from A by replacing sig(A) by HID E I  IN sig(A), and leaving all the other 
components unchanged.
3.8 Verification model 59
Automata generators
In the automata approach, the automata that model the basic building blocks of a system are usu­
ally specified in the so-called precondition/effect style. In this section we will briefly describe 
the syntax of this language.
We start from a typed signature £  together with a £ -algebra A  which gives meaning to the 
function and constant symbols in £ . To describe properties, we use a first-order language over 
signature £  and a set V of (typed) variables, with equality and inequality predicates, and the 
usual logical connectives. If % i s a  valuation of variables in their domains, and b is a  formula, 
then we write A , % |= b if  b holds in A  under valuation %. A formula b is satisfiable if  there 
exists a valuations % such that *4, % |= b.
An automaton generator G consists of five components:
• a finite action signature sig(G),
•  a finite set vars(G) of (typed) state variables,
•  a satisfiable formula init(G), in which variables from vars(G) may occur free,
•  for each action a e acts(G), a transition type, i.e., an expression of the form
a ( y \ , y n  )
Precondition
b
Effect
x1 := ex
xm : — em
where the y i are (typed) variables, b is a formula in which variables from vars(G) U 
{y 1, . . .  , yn} may occur free, vars(G) = {x1, . . . ,  xm}, and the ej are expressions with the 
same type as x j , in which the variables vars(G) U{y1, . . . , y n} may occur.
Each automaton generator G denotes an automaton A in the obvious way: states of A are 
interpretations of the variables of vars(G) in their domains; start states of A are those states that 
satisfy formula init(G); for each (input, output or internal) action a e acts(G) with a transition 
type as above, and for each choice of values v1, . . . , v n taken from the domains of y 1, . . . ,  yn, 
respectively, A contains an (input, output or internal) action a(v 1, . . . , v n ); A has a transition
a(vi,...,v„ )
s --- - s
iff there exists a valuation % such that
• for all x e vars(G), %(x) =  s (x ),
• for 1 < i < n, %(yi) =  vi,
•  A ,% |= b, and
• for 1 < j  < m , ej evaluates to s '(xj ) under % ;
60 The Bakery Protocol
The reader will observe that the translation from automata generators to automata is quite 
straightforward. In fact, Lynch and Tuttle [LT87, LT89] do not even bother to distinguish be­
tween these two levels of description. For the formalization of automata theory in Larch the 
distinction between the semantic and syntactic levels is of course important, which is why we 
have discussed it here. The definition of automata generators has been inspired by similar def­
initions in the work of Jonsson (see, for instance, [Jon87]). In this chapter we will, like Lynch 
and Tuttle, often refer to automata when we actually mean automata generators.
3.9 Listing of LSL traits
Below we the list all the traits used in the formalization. The trait Bak has already been given 
in Figure 3.6. The data types Int, Bag and Queue are part of the library that comes with the 
Larch tools. They are not given here but can be found in An LSL Handbook [GH93]. The data 
types Bool and Pair are part of the LSL language.
3 . 9 . 1  P
P:trait
includes Automaton(P), Queue(D,Q), CommonActions(P)
States[P] tuple of queue : Q 
introduces 
P_max: -> Int 
asserts
Actions[P] generated by ENTER, OUT 
\forall u, u ’: States[P], m:D
init(u) == isEmpty(u.queue);
pre(u, ENTER(m)) == len(u.queue) < P_max; 
eff(u, ENTER(m)) == [append(m,u.queue)];
pre(u, OUT(m)) == ~isEmpty(u.queue) /\ head(u.queue) = m; 
eff(u, OUT(m)) == [tail(u.queue)]
3 . 9 . 2  A u t o m a t o n
Automaton(A): trait
includes CommonActions(A) 
introduces
init States[A] -> Bool
pre States[A], Actions[A] -> Bool
eff States[A], Actions[A] -> States[A]
isStep States [A], Actions [A], States [A] -> Bool
null States[A] -> StepSeq[A]
StepSeq[A] , Actions[A], States[A] -> StepSeq[A]
Seq StepSeq[A] , Actions[A] -> StepSeq[A]
execFrag StepSeq[A] -> Bool
3.9 Listing of LSL traits 61
first,last : StepSeq[A] 
empty :
-> States[A]
-> Trace 
-> Trace 
-> Trace 
-> Trace 
-> Bool
Trace, ExternalActions
trace
trace
reachable
Actions[A] 
StepSeq[A] 
States[A]
asserts \forall s, s’: States[A] , a, a’: Actions[A], ss:StepSeq[A] 
(pre(s,a) /\ s’ = eff(s,a)) == isStep(s,a,s’);
Seq(ss,a) = ss{a,eff(last(ss),a)}; 
execFrag(nulKs));
execFrag(null(s’){a,s}) == isStepis’,a,s);
execFragC(ss{a’,s’}){a,s}) == execFrag(ss{a’,s’}) /\ isStepis’,a,s);
first(null(s)) == s;
last(null(s)) == s;
first(ss{a,s}) == first(ss);
last(ss{a,s}) == s;
trace(a) == if isExternal(a) then empty ~ external(a) else empty; 
trace(null(s)) == empty; 
trace(ss{a,s}) ==
if isExternal(a) then trace(ss) ~ external(a) else trace(ss); 
init(s) \/ \E s’ \E a (reachable(s’) /\ isStep(s’,a,s)) <=> reachable(s)
3 . 9 . 3  C o m m o n A c t i o n s
CommonActions(A) : trait 
includes ExternalActions 
introduces
ENTER : D -> Actions[A]
OUT : D -> Actions[A]
external : Actions [A] -> ExternalActions 
isExternal : Actions [A] -> Bool 
asserts \forall m: D
external(ENTER(m)) == ENTER(m); 
external(OUT(m)) == OUT(m); 
isExternal(ENTER(m)); 
isExternal(OUT(m))
ExternalActions: trait 
introduces
ENTER : D -> ExternalActions 
OUT : D -> ExternalActions 
asserts
ExternalActions generated by ENTER, OUT
3 . 9 . 4  E x t e r n a l A c t i o n s
62 The Bakery Protocol
3 . 9 . 5  F o r w a r d
Forward(A,B,f) : trait
assumes Automaton(A), Automaton(B) 
introduces f : States[A], States[B] -> Bool
asserts \forali s, s’ : States[A], u : States [B], a : Actions [A], 
alpha : StepSeq[B] 
init(s) => \E u (init(u) /\ f(s,u));
f(s,u) /\ isStep(s,a,s’) /\ reachable(s) /\ reachable(u) =>
\E alpha (execFrag(alpha) /\ first(alpha) = u /\
f(s’, last(alpha)) /\ trace(alpha) = trace(a))
3 . 9 . 6  B I S I M
BISIM : trait 
includes Bak,P 
introduces
BISIM : States[Bak], States[P] -> Bool 
BISIM : States[P], States[Bak] -> Bool 
number : Q ,Int -> B
asserts \forali s : States [Bak], u : States[P], b: B, q : Q, 
d,e : D, i:Int
BISIM(s,u) == (if s.I.full then { [s.I .datum,s.I .count]} else {}) \U s.B.bag \U 
(if s.O.full then {[s.O.datum,s.O.count]} else {})
number(u.queue, (if s.I.full then s.I.count else s.I.count-1));
BISIM(u,s) = BISIM(s,u);
number(empty,i) = {};
number(append(e,q),i) = {[e,i]} \U number(q,i-1) 
implies
Forward(Bak,P,BISIM), Forward(P,Bak,BISIM)
Chapter 4
A Comparison of PVS and
Isabelle/HOL
With Marieke Huisman
Abstract There is an overwhelming number of different proof tools available and it is hard to 
find the right one for a particular application. Manuals usually concentrate on the strong points 
of a proof tool, but to make a good choice, one should also know (1) which are the weak points 
and (2) whether the proof tool is suited for the application in hand. This chapter gives an initial 
impetus to a consumers’ report on proof tools.
The powerful higher-order logic proof tools PVS and Isabelle are compared with respect to 
several aspects: logic, specification language, prover, soundness, proof manager, user interface 
(and more). The chapter concludes with a list of criteria forjudging proof tools, it is applied to 
both PVS and Isabelle.
4.1 Introduction
There is an overwhelming number of different proof tools available (e.g. in the Database o f 
Existing Mechanised Reasoning Systems one can find references to over 60 proof tools [Dat]). 
All have particular applications that they are especially suited for. Introductionary papers on 
proof tools usually emphasize their strong points by impressive examples. But, if  one really 
wishes to start using one particular proof tool, this information is usually not enough. To make 
the right choice, one should also know (1) which are the weak points of the proof tool and 
(2) whether the proof tool is suited for the application in hand. The choice of a proof tool is 
very important: it can easily take half a year before one fully masters a tool and is able to work 
on significant applications.
It would be desirable to have some assistance in choosing the appropriate proof tool. When 
one wishes to buy a toaster, there is also a wide choice, but one is assisted by the reports from 
consumers’ organizations. It is desirable to have similar consumers’ reports for proof tools. 
Such a report should not summarize the manuals, but they should be based on practical expe­
rience with these tools. It should discuss several important aspects from a users’ perspective. 
These aspects should be both theoretical (e.g. the logic used) and practical (e.g. the user in­
terface). It also should contain a list of criteria on which all proof tools are judged. This
64 A Comparison of PVS and Isabelle/HOL
consumers’ report can be interesting for both new and experienced users. It can assist in select­
ing an appropriate proof tool, but it also can help to gain more insight in various existing proof 
tools, including the proof tool one is usually working with.
We are aware that proof tools change in time and that such a consumers’ report only can 
have temporary validity. However, it would be nice if it could have some influence on the 
direction in which proof tools are developing.
This chapter gives the initial impetus to such a report. It describes two proof tools, PVS 
[Sha96] and Isabelle [Pau94]. We have chosen PVS and Isabelle as the basis for our comparison, 
because both are known as powerful proof tools for higher-order logic, which have shown their 
capabilities in non-trivial applications. Both PVS and Isabelle are very complex tools and it is 
impossible to take all features into account. Therefore, our opinion on the important advantages 
and disadvantages of working with PVS or Isabelle, is to some extend subjective and influenced 
by our own histories and fields of research.
Section 4.1.1 briefly gives some background information on PVS and Isabelle. Next, Sec­
tion 4.2 compares PVS and Isabelle/HOL. Section 4.3 discusses our experiences with PVS and 
Isabelle. Section 4.4 sketches what we think is the best of both tools. Finally, in Section 4.5 we 
apply a list of criteria to both PVS and Isabelle.
We based our experiences on PVS version 2.417 and on Isabelle versions 94-8 and 98.
Related Work
We are not the first to compare different proof tools. A comparison of ACL2, a first-order logic 
prover based on Lisp, and PVS -  based on the verification of the Oral Message algorithm -  
is described in [You97]. HOL is compared to PVS in the context of a floating-point standard 
[CM95]. In the first comparison, the specification language of PVS is described as too complex 
and sometimes confusing, while the second comparison is more enthusiastic about it. Gordon 
describes PVS from a HOL perspective [Gor95]. Other comparisons have been made between 
HOL and Isabelle/ZF (in the field of set theory) [AG95], HOL and Coq [Zam97] and Nuprl and 
NQTHM [BK91]. Three proof tool interfaces (including PVS) are compared from a human­
computer interaction perspective in [MH96].
To the best of our knowledge, we are the first to compare PVS and Isabelle/HOL. Our 
comparison is not based on a particular example, but treats systematically several aspects of 
both tools.
4 . 1 . 1  S h o r t  o v e r v i e w  o f  P V S  a n d  I s a b e l l e
The PVS Verification System is being developed at SRI International Computer Science Labo­
ratory. Work on PVS started in 1990 and the first version was made available in 1993. A short 
overview of the history of the system can be found in [Rus]. PVS is written in Lisp and it is 
strongly integrated with (Gnu and X) Emacs. The source code is not freely available.
PVS has been applied to several serious problems. For example to specify and design fault- 
tolerant flight control systems, including a requirements specification for the Space Shuttle 
[CD96]. References to more applications of PVS can be found in [Rus].
Isabelle is being developed in Cambridge, UK, and in Munich. The first version of the 
system was made available in 1986. Isabelle uses several ideas of the LCF prover [GMW79]: 
formulae are ML values, theorems are part of an abstract data type and backward proving is 
supported by tactics and tacticals. The aim of the designers of Isabelle was to develop a generic
4.2 A comparison of PVS and Isabelle/HOL 65
proof checker, supporting a variety of logics, with a high level of automation. Isabelle has been 
called the next 700 provers [Pau90]. Isabelle is written in ML, and the source code is freely 
available.
Isabelle is used in a broad range of applications: formalizing mathematics (including seman­
tics), logical investigations, program development, specification languages, and verification of 
programs or systems. References to applications of Isabelle can be found in [Pfe].
4.2 A comparison of PVS and Isabelle/HOL
This section first describes several important aspects of a proof tool in general. Subsequently, 
the comparison of PVS and Isabelle will be structured along these lines. The division is some­
what artificial, because strong dependencies exist between the various parts, but is helpful in 
the comparison. The emphasis will be on aspects that are important from a users’ perspective
The first aspect that we distinguish is the logic that is used by the tool. In this chapter we 
will restrict ourselves to (extensions of) typed higher-order logic.
Strongly related with the logic is the specification language. It is very important to have 
a good specification language, because a significant part of a verification effort comes down 
to specifying what one actually wishes to verify. It is not very useful to have a fully verified 
statement, if  it is not clear what the statement means.
The next aspect that we distinguish is the prover. An important issue for the prover is which 
proof commands (tactics) are available (i.e. which steps can be taken in a proof). Strongly 
related with this is the choice of a tactical language. Tacticals or proof strategies are functions 
which build new proof commands, using more basic ones. A sophisticated tactical language 
significantly improves the power of a prover. Another important aspect is whether decision 
procedures (such as for linear arithmetic and for abstract data types) are available.
Another aspect is the architecture of the tool, i.e. whether there is a small kernel which 
does all logical inferences. When the code of the kernel is available (and small) it is possible to 
convince oneself of the soundness of the tool.
Another component is the proof m anager, which determines e.g. how the current subgoals 
are displayed, whether the proof trace is recorded and how proof commands can be undone.
Theoretically non-existent, but very important for the actual use of a tool, is the user in­
terface. Of course this does not influence the “computing power” of the tool, but a good user 
interface can significantly increase the effectiveness and usability of a proof tool.
4 . 2 . 1  T h e  l o g i c  
PVS
PVS implements classical typed higher-order logic, extended with predicate subtypes and de­
pendent types. PVS has many built-in types, such as booleans, lists, reals and integers; standard 
operations on these types are also hard-coded in the tool. Type constructors are available to build 
complex types e.g. function types, product types, records (labeled products) and recursively- 
defined abstract data types.
Predicate subtypes are useful for writing readable, and correct specifications. Predicate sub­
types construct a new type from an existing type, by collecting the elements in the existing type 
that satisfy a predicate. This makes type checking undecidable, therefore the type checker can
66 A Comparison of PVS and Isabelle/HOL
generate so-called Type Correctness Conditions. A theory is not completely verified unless the 
TCCs have been proven. A typical example o f a predicate subtype is the type o f non-zero-real- 
numbers (w here/=  is inequality): n o n z e ro _ re a l : NONEMPTY_TYPE = { r :  r e a l  I r  /=  0}
Isabelle
Isabelle has a meta-logic, which is a fragment o f higher-order logic. Formulae in the meta-logic 
are built using implication ^ ,  universal quantification / \  and equality = . All other logics (the 
object logics) are represented in this meta-logic. Examples o f object logics are first-order logic, 
the Barendregt cube, Zermelo-Fraenkel set theory and (typed) higher-order logic.
In this chapter we will restrict attention to typed higher-order logic (HOL) as object logic. 
The formalization o f HOL in Isabelle relies heavily on the meta-logic. HOL uses the polymor­
phic type system o f the meta-logic. In its turn, the type system o f the meta-logic is similar to 
the type system o f Haskell. Implication, quantification and equality are immediately defined in 
terms o f the meta-logic. Together with some appropriate axioms, these form the basis for the 
higher-order logic theory. All other definitions, theorems and axioms are formulated in terms 
o f these basic constructs.
Isabelle/HOL does support predicate subtypes or dependent types directly. Data types can 
be coded in the Isabelle specification language, in this manner one can base a new type on an 
existing type.
4 . 2 . 2  T h e  s p e c i f i c a t i o n  l a n g u a g e  
PVS
The specification language of PVS is rich, containing many different type constructors, predi­
cate subtypes and dependent types. We will discuss some specific points.
•  PVS has a parameterized module system. A specification is usually divided in several 
theories and each theory can be parameterized with both types and values. At every point 
in a theory (multiple) other theories can be imported, so that a value or type that has just 
been declared or defined can immediately be used as an actual parameter.
Polymorphism is not available in PVS, but it is approximated by theories with type param­
eters. To define a polymorphic function, one can put it in a theory which is parameterized 
with the type variables of the function. However, this approach is not always convenient, 
because when a theory is imported all parameters should have a value. Thus when a func­
tion does not use all type parameters o f a theory, the unused types should still get some 
instantiation.
•  PVS allows non-uniform overloading. By this we mean that different functions can have 
the same name as long as they have different types. For instance, it is allowed to have three 
functions f  in one theory: f :  n a t ,  f :  n a t  -> b o o l and f :  b o o l -> b oo l. Different 
functions in different theories can have the same name too, even when they have the same 
types. The theory names can be used as a prefix to distinguish between them. Names 
for theorems and axioms can be reused as well, as long as they are in different theories. 
Again, the theory names can be used to disambiguate this.
•  A theory can start with a so-called assum ing clause, where one states assumptions, usu­
ally about the parameters o f the theory. These assumptions are used as a fact in the rest
4.2 A comparison of PVS and Isabelle/HOL 67
sort [T: TYPE,<=: [T,T->bool]]: THEORY % parameterized theory 
BEGIN
ASSUMING % assuming clause
total: ASSUMPTION total_order?(<=) % infix operator 
ENDASSUMING
1 : VAR list [T] 
e : VAR T
sorted(l): RECURSIVE bool = % recursive definitions
IF null?(l) OR null?(cdr(l)) % with measure 
THEN true
ELSE car(l) <= car(cdr(l)) AND sorted(cdr(l))
ENDIF 
MEASURE length(1)
qsort(l): RECURSIVE list[T] =
IF null?(l) THEN null 
ELSE LET piv = car(l)
IN append(qsort(filter(cdr(l),(LAMBDA e: e <= piv))), 
cons(piv,
qsort(filter(cdr(l),(LAMBDA e: NOT e <= piv)))))
ENDIF 
MEASURE length(1)
qsort_sorted: LEMMA sorted(qsort(1))
END sort
Figure 4.1: A specification o f the quicksort algorithm in PVS
of the theory. W hen the theory is imported, TCCs are generated, which force the user to 
prove that the assumptions hold for the actual parameters.
•  Recursive data types and functions can be defined in PVS. An induction principle and 
several standard functions, such as map and reduce, are automatically generated from 
an abstract data type definition. PVS allows general recursive function definitions. All 
functions in PVS have to be total, therefore termination o f the recursive function has to 
be shown, by giving a measure function which maps the arguments o f the function to a 
type with a well-founded ordering. The tool generates TCCs that force the user to prove 
that this measure decreases with every recursive call.
•  PVS has much fixed syntax. Many language constructs, such as IF . . . and CASES. . . 
are built-in to the language and the prover. There is a fixed set o f symbols which can be 
used as infix operators; most common infix operators, such as and are included in 
this set. Sometimes PVS uses syntax which is not the most common, e.g. [A,B] for a 
Cartesian product o f types A and B and ( : x , y , z : ) for a list o f values x, y, and z.
As an example, a PVS specification o f the quicksort algorithm can be found in Fig. 4.1. The 
name o f the theory ( s o r t )  is followed by the parameters o f the theory, in this case a type T and
68 A Comparison of PVS and Isabelle/HOL
QSort = HOL + List + WF_Rel + (* theory importings *)
consts (* infix operators *)
"«=" :: "[’a, ’a] => bool" (infixl 65)
axclass (* axiomatic type class *)
ordclass < term 
total_ord "total (op «=)"
consts (* primitive recursion *)
sorted:: "[(’a :: ordclass) list] => bool" 
primrec sorted list
sorted_nil "sorted [] = True"
sorted_cons "sorted (x#xs) = ((case xs of [] => True I y#ys => x « =  y) k
sorted xs)"
consts (* well-founded recursion *)
qsort :: "[(’a :: ordclass) list] => (’a :: ordclass) list" 
recdef
qsort "measure size"
"qsort [] = [] "
"qsort (x # xs) = qsort [y : xs. y « =  x] @
(x # qsort [y : xs. y « =  x] ) "
end
Figure 4.2: A specification o f the quicksort algorithm in Isabelle
a relation <= on T. In the ASSUMING clause it is stated that the relation <= is a total order; 
the predicate is already defined in the prelude. The keyword is used to
‘declare’ the variables 1 and e to have the types l i s t  [T] and T, respectively, unless specified 
otherwise.
The s o r te d  predicate expresses that a list is sorted, with respect to the order <=. It is 
defined recursively, and after the RASURE clause an expression is given which decreases for 
each recursive call. The function q s o r t  sorts a list (using the quicksort algorithm). Here the 
pivot p iv  is simply the first element o f the list c a r  (1 ). The tail o f the list is returned by c d r  (1 ), 
while n u l l ?  (1) denotes whether the list is empty. The function f i l t e r (1 ,p ) removes all 
elements from the list 1 which do not fulfill the predicate p. Finally, the lemma q s o r t_ s o r te d  
expresses that the quicksort algorithm indeed sorts a list.
Isabelle
The specification language o f Isabelle is inspired by functional programming languages (espe­
cially ML). We discuss some specific aspects.
•  The m odule system allows importing multiple other theories, but it does not permit para- 
metrisation. The type parameters o f PVS are not necessary in Isabelle, because functions 
can be declared polymorphically. The value parameters of PVS can be thought o f as an 
implicit argument for all functions in the theory. Making this argument explicit could be 
the way to ‘mim ic’ the value parameters in Isabelle.
4.2 A comparison of PVS and Isabelle/HOL 69
•  Axiomatic type classes [Wen95, Wen97] are comparable to the assuming clause in PVS, 
and type classes in functional programming [WB89]. In a type class polymorphic decla­
rations for functions are given. Additionally, in axiomatic type classes required properties 
about these functions can also be stated. These properties can be used as axioms in the 
rest o f the theory. The user can make different instantiations o f these axiomatic type 
classes, by giving appropriate bodies for the functions and proving that the properties 
hold. Notice that a limited form o f overloading can be realized using Isabelle’s axiomatic 
type classes, only for functions with a single polymorphic type.
•  Isabelle automatically generates induction principles for each recursive d a ta  type. The 
user can give inductive and coinductive function definitions. There is a special construct 
to define primitive recursive functions. Well-founded recursive functions can be defined 
as well, together with a measure function to show their termination.
•  Isabelle’s syntax can easily be extended. In particular, Isabelle allows the user to define 
arbitrary infix and mixfix operators. There is a powerful facility to give priorities and to 
describe a preferred syntax. This allows the user to define that lists should be represented 
for input and output as e.g. [ 1 ,2 ,3 ]  while internally this is represented as (cons 1 
(cons 2 (cons 3 n i l ) ) ) .  Language constructs like i f .  . . th e n .  . . e l s e  are defined 
explicitly in terms o f the basic operators.
In Fig. 4.2 the quicksort example is shown in Isabelle syntax. The theory Q so rt is the union 
o f the theories HOL, L i s t ,  WF_Rel and the constants and definitions in this file. Type variables 
start with a quote, in this specification this is ’a. The constant <<= is declared to be an infix 
operation with priority 65. It is a relation on ’a. The axiomatic type class o r d c la s s  is declared 
as a subclass o f the general type class term . It has an axiom to ta l_ o r d ,  which states that that 
« =  is a total order. In this axiom the infix symbol <<= is prefixed by op to make it behave like 
an ordinary function symbol.
The constant is a polymorphic function, where the type parameter must be in
o rd c la s s .  It is defined as a primitive recursive function, using the special p r im re c  declara­
tion. Pattern matching is used to give rules for the definition o f s o r te d  on the emptylist [] 
and on the nonempty list x#xs. Within the rule s o r te d _ c o n s  an extra case distinction on xs is 
made. The constant q s o r t  also is a polymorphic function where the type parameter ’ a  must be 
in , but it is defined using well-founded recursion. The declaration requires
the user to give a measure and rules to define q s o r t . Again pattern matching is used in the defi­
nition. The ® symbol denotes list concatenation. The list comprehension [y : x s . y « =  x] 
should be read as: the list containing all elements y o f the list xs, satisfying y <<= x.
4 . 2 . 3  T h e  p r o v e r  
PVS
PVS represents theorems using the sequent calculus. Every subgoal consists o f a list o f assump­
tions A 1 ;. . .  An and a list o f conclusions B 1, , Bm. One should read this as: the conjunction 
o fthe  assumptions implies the disjunction ofthe conclusions i.e. A 1A . . .A  An ^  B 1 v  . . . v  Bm.
The proof commands o f PVS can be divided into three different categories1.
1This division is made by the authors, not by the developers of PVS. Nevertheless it resembles the division 
made in [COR+95].
70 A Comparison of PVS and Isabelle/HOL
•  Creative proof commands. These are the proof steps one also writes down explicitly 
when writing a proof by hand. Examples o f such commands are (start to prove 
by induction), i n s t  (instantiate a universally quantified assumption, or existentially quan­
tified conclusion), lemma (use a theorem, axiom or definition) and c a se  (make a case 
distinction). For most commands, there are variants which increase the degree o f au­
tomation, e.g. the command i n s t ?  tries to find an appropriate instantiation itself.
•  Bureaucratic proof commands. W hen writing a proof by hand, these steps usually are 
done implicitly. Examples are f l a t t e n  (disjunctive simplification) expand (expanding a 
definition), r e p la c e  (replace a term by an equivalent term) and h id e  (hide assumptions 
or conclusions which have become irrelevant).
•  Powerful proof commands. These are the commands that are intended to handle all 
“trivial” goals. The basic commands in this category are s im p l i fy  and p ro p  (simplifi­
cation and propositional reasoning). A more powerful example is a s s e r t .  This uses the 
simplification command and the built-in decision procedures and does automatic (con­
ditional) rewriting. PVS has some powerful decision procedures, dealing, among other 
things, with linear arithmetic. The most powerful command is g r in d , which unfolds def­
initions, skolemizes quantifications, lifts if-then-elses and tries to instantiate and simplify 
the goal.
Isabelle
In Isabelle, every goal consists of a list of assumptions and one conclusion. One should read the 
goal [A 1; A2; . . .  ; An]] ^  B as A 1 ^  (A2 . . .  (An ^  B )). Notice that ^  is the implication 
o f the meta-logic.
The basic proof method o f Isabelle is resolution. The operation RS, which is used by many 
tactics, implements resolution with higher-order unification. It unifies the conclusion of its 
first argument with the first assumption o f the second argument. As an example, when doing 
resolution with ([?  P ]] ^  ? P v  ? Q ) and ([?  R; ? S]] ^  ? R A ? S), this results in the theorem 
[[?P ; ?S]] ^  (?P v  ? Q) A ?S.
Isabelle supports both forward and backward proving, although its emphasis lies on back­
ward proving by supplying many useful tactics for it. A tactic transforms the proof goal into 
several subgoals and gives a justification for this transformation.
Many tactics try to find themselves a useful instantiation for unknowns in the current goal, 
and variables in the applied theorems. In general there are many possible instantiations, there­
fore tactics return a lazy list containing (almost) all possible next states o f the proof (in a suitable 
order). W hen the first instantiation is not satisfactory the next instantiation can be tried with 
back. This possibility is mainly used by powerful tactics.
•  Creative proof commands. These are the proof steps one also writes down explicitly 
when writing a proof by hand. Induction is done by in d u c t_ ta c ,  which does resolution 
with an appropriate induction rule. Using an axiom or theorem is done by adding it to the 
assumption list. There are several variants: with and without instantiation, in combination 
with resolution etc.
•  Bureaucratic proof commands. When writing a proof by hand, these steps usually are 
done implicitly. An example is r o ta t e _ ta c ,  which changes the order o f the assumptions.
4.2 A comparison of PVS and Isabelle/HOL 71
This can be necessary for rewriting with the assumptions, because this is done from top 
to bottom.
•  Powerful proof commands. These are the commands that are intended to handle all 
“trivial” goals.
-  Simplification tactics for (conditional) rewriting. For every theory a so-called sim­
plification set can be built. This set contains theorems, axioms and definitions, 
which can be used to rewrite a goal. It is possible to extend the simplification set 
(temporarily or permanently).
Isabelle’s simplifier uses a special strategy to handle permutative rewrite rules, rules 
where the left and right hand side are the same, up to renaming o f variables. A stan­
dard lexical order on terms is defined and a permutative rewrite rule only is applied 
if  this decreases the term, according to this order. The most common example of a 
permutative rewrite rule is commutativity (x ® y  =  y  ® x ). With normal rewriting 
(as in PVS) this rule will loop, but ordered rewriting avoids this.
-  Classical reasoning is another powerful proof facility o f Isabelle. There are various 
tactics for classical reasoning. One o f them, b la s t _ ta c ,  uses a tableau prover, 
coded directly in ML. The proof that is generated is then reconstructed in Isabelle.
Tactical language
A tactical (or proof strategy) is a function to build complex tactics (or proof commands) using 
more basic ones.
PVS has a limited proof strategy language, containing constructs for sequencing, backtrack­
ing, branching, let-binding, and recursion. W hen one wishes to go beyond this, for example to 
write a strategy which inspects the goal, this should be done in Lisp. The Lisp data structure that 
contains the proof goal is not officially documented; some accessor functions are known to work 
but the developers explicitly allow themselves to change PVS at this level of implementation. 
Probably it is possible to change the goal in Lisp without a logical justification.
In Isabelle the tactical language is ML, so a complete functional language is available. All 
logical inferences on terms o f type thm (the theorems) are performed by a limited set o f func­
tions. In M L a type can be ‘closed’, which means that a programmer can express that no other 
functions than a number o f ‘trusted’ functions are allowed to manipulate values of this type (in 
this case: theorems). In this way the full power o f ML can be used to program proof strategies, 
and soundness is guaranteed via the interface.
Proving with powerful proof commands
Both PVS and Isabelle can do simple calculations quite fast. For instance the theorem below is 
proven in (almost) zero time in PVS by , using built-in integer arithmetic.
calc: LEMMA 700 * 400 * 11 = 2 * 7 * 22 * 10000
In Isabelle/HOL we have a similar result. After loading the theories defining the integers we 
can prove the following goal in (almost) zero time using simplification. Note that, for technical 
reasons, integers have a sharp-sign as prefix. Operations on integers are defined using their 
binary representation, so in contrast to PVS, arithmetic is not part of the kernel, but defined in 
the logic.
72 A Comparison of PVS and Isabelle/HOL
goal Bin.thy "#700 * #400 * #11 = #2 * #7 * #22 * #10000";
Linear (and some non-linear) arithmetic has standard support in PVS and the next theorem is 
also proven with a single command.
arith: LEMMA 7 + x < 8 + x AND 2 * x * x < = 3 * x * x
In Isabelle a package to cancel out common summands (and factors) is available. It is loaded 
standardly for the naturals, but not for the integers. The following goal is proven in one step, 
using simplification.
goal Arith.thy "1 + x < 2 + x";
A well-known [COR+ 95] example o f the simplification procedures of PVS is the proof o f the 
characterization o f the summation function. The theorem below is proven by a single command 
( in d u c t - a n d - s im p l i f y  "k")
sum(k:nat): RECURSIVE nat =
IF k = 0 THEN 0 ELSE k + sum(k-l) ENDIF 
MEASURE k
sum_char: LEMMA sum(k) = k*(k+l)/2
An impressive example o f the classical reasoner o f Isabelle is the following theorem, prob­
lem 41 of Pelletier [Pel86]. Isabelle proves this automatically using the classical reasoner 
( ).
(ALL z. EX y. ALL x. J x y = ( J x z & ( ~ J x x ) ) )  --> ~(EX z. ALL x. J x z)
Also in PVS Pelletier 41 can be proved in a single command: GRIND : IF-MATCH ALL, in PVS 
the lemma reads:
pelletier41 : LEMMA
(F0RALL z : EXISTS y : F0RALL x : J(x,y) = (J(x,z) AND NOT J(x,x))) IMPLIES 
NOT (EXISTS z : F0RALL x : J(x, z))
4 . 2 . 4  S y s t e m  a r c h i t e c t u r e  a n d  s o u n d n e s s  
PVS
The developers o f PVS designed their prover to be useful for real world problems. Therefore 
the specification language should be rich and the prover fast with a high degree o f automation. 
To achieve this, powerful decision procedures were added to PVS. However, these decision 
procedures sometimes cause soundness problems, thus the procedures can be considered to be 
part o f the kernel, which makes the kernel large and complex. Further, PVS once was considered 
to be a prototype for a new SRI prover. Perhaps for these reasons PVS still seems to contain a 
lot o f bugs and frequently new bugs show up. An overview of the known bugs at the moment 
can be seen on the PVS bug list [Owr]. It would be desirable that the bugs in PVS would only 
influence completeness and not soundness. Unfortunately, this is not the case, as some recent 
proofs o f t r u e = f  a l s e  have shown [Owr, bug numbers 71, 82, 113 and 160]. M ost bugs do not 
influence soundness, but they can be very annoying.
4.2 A comparison of PVS and Isabelle/HOL 73
F igure 4.3: Example o f a Tcl/Tk proof tree
Because o f the soundness bugs in the past, it is reasonable to assume that PVS will continue 
to contain soundness bugs. The obvious question thus arises, why use a proof tool that probably 
contains soundness bugs? Our answer is threefold:
PVS is still a very critical reader o f proofs. PVS lets fewer mistakes slip through than many 
o f our human colleagues (and PVS is much more patient), thus in comparing PVS to an average 
logician/mathematician PVS is much more precise and sceptic.
Furthermore, history tells us that the fixed soundness bugs are hardly ever unintentionally 
explored, we know of only a single case.
Thirdly, most mistakes in a system that is to be verified are detected in the process o f making 
a formal specification. Thus economically spoken, the specification is very important, and PVS 
has an expressive and human friendly specification language. Therefore when we specify a 
system in the language o f PVS this gives extra confidence that the specification expresses what 
is ‘m eant’.
A lot o f effort has been put into the development o f PVS. For this reason SRI does not make 
the code o f PVS freely available. As a consequence, to most users the structure o f the tool is 
unknown and making extensions or bug fixes is impossible, although sometimes users go to 
SRI to implement a feature.
Isabelle
Isabelle was developed from quite a different perspective. The main objective was to develop a 
flexible and sound prover, and next to develop powerful tactics, so that large proof steps could be 
taken at once. Isabelle seems to be much more stable than PVS. It does not show unpredictable 
behavior. Isabelle is an open system, which means that everybody can easily add extensions 
to it. Recently a new Isabelle version was released2. To our surprise some tactics (especially 
A u to_ tac) were changed, so that our old proofs really had to be adapted, and not all of these 
changes were clearly documented.
74 A Comparison of PVS and Isabelle/HOL
4 . 2 . 5  T h e  p r o o f  m a n a g e r  
PVS
All proofs in PVS are done in a special proof mode. The tool manages which subgoals still have 
to be proven and which steps are taken to construct a proof, so it is not the users responsibility 
to maintain the proof trace. Proofs are represented as trees. There is an Tcl/Tk interface which 
gives a picture o f the proof tree (see Fig. 4.3). It helps the user to see which branches o f the 
proof are not proven yet. One can click on a turnstile to see a particular subgoal, also the proof 
commands can be displayed in full detail.
W hen using a proof tool most o f the time the theorems and specification are under con­
struction, as the processes o f specifying and proving are usually intermingled. The notion of 
“unproved theorem” allows to concentrate on the crucial theorems first and prove the auxiliary 
theorems later. PVS keeps track o f the status o f proofs, e.g. whether it uses unproved theorems.
Line numbers can be used in PVS to specify that a command should work only on some 
o f the assumptions/conclusions, e.g. (expand " f 11 2) expands f  in the second conclusion. 
W hen a specification or theorem is slightly changed (e.g. a conjunct is added), the line numbers 
in the goal often change. It would be more robust, if  one could use commands expressing 
things like: expand all f  s with zero as first argument, and only expand f  in the assumptions 
where function g occurs. This has an additional advantage, namely that the intentions o f the 
proof steps become more clear. The authors have made their own Lisp functions to calculate a 
list o f line numbers that satisfy a simple regular expression. This is already helpful (especially 
in strategies), but many extensions are possible. For example, in the presence o f overloading it 
would be useful to expand f s  o f a specific type.
Isabelle
Isabelle does not give elaborate proof support. The user has to keep track o f everything him/herself 
(including the undos). The proofs are structured linearly, there is ju st a list o f all subgoals. This 
stimulates the use o f tacticals such as ALLGOALS, but it is not so easy to see how “deep” or in 
which branch one is in a proof. On the other hand, in Isabelle it is possible to undo an undo 
(or actually: a choplev, which steps back an arbitrary number o f levels, or to a particular level). 
And even more, it is also possible to look at the subgoals at an earlier level, without undoing 
the proof.
4 . 2 . 6  U s e r  i n t e r f a c e
PV S’s standard user interface is better developed than Isabelle’s. It is strongly integrated with 
Emacs. Recently, a batch mode was added to PVS. The de facto interface for Isabelle is Isamode 
(also based on Emacs). There are some more advanced user interfaces based on Tcl/Tk, but they 
only work for particular versions o f Isabelle.
4 . 2 . 7  M a n u a l s  a n d  s u p p o r t
PVS has a number o f different manuals, but none o f these is completely up-to-date. There is 
an introductionary manual with a fully elaborated (non-trivial) example to get started. On the 
mailing list one can ask starters questions.
2Isabelle98
4.3 Our experiences 75
Isabelle also comes equipped with several manuals. These are more up-to-date and concise, 
but often they explain things very briefly (and sometimes cryptically). The introductionary 
manual does not really give an interesting example, and it is hard to start using Isabelle, only 
on the basis o f the manuals. The best way to start is to take the (annual) Isabelle course. There 
is good (personal) support from the developers. They usually reply very quickly (same day) on 
emails with questions and problems. We found that this was really helpful.
4 . 2 . 8  R u n t i m e  s p e e d
We did not compare the speed o f the tools because we think the game is not to “run” a proof, but 
to construct it. This construction consists o f building a specification o f a problem and proving 
appropriate theorems. This is hard and depends heavily on the user, his/her experience with 
the proof tool etc. We do mention though that the “experienced speed” o f the two tools is 
comparable. By this we mean the time it takes to type check a specification or to execute a 
smart tactic. Both for PVS and Isabelle, the execution o f a single command -  on a Pentium II 
300Mhz -  often takes less then a second and hardly ever more than ten seconds.
4.3 Our experiences
In this section we wish to discuss in some detail our own, more personal, experiences. After 
using PVS for several years we became increasingly unhappy with it, because so many bugs ap­
peared. Sometimes we felt that we would spend more time on working around small bugs, than 
on proving serious properties. In this period Griffioen visited Munich and became enthusiastic 
about Isabelle. However, reading the Isabelle manuals did not provide enough background to 
get really started with it. Therefore, in September 1997 Huisman visited the Isabelle course in 
Cambridge. After this course, it seemed relatively easy to start working seriously with Isabelle.
To start with a well-understood, but non-trivial example, the Tree Identification Phase (TIP) 
[DGRV00] o f the 1394 protocol was selected, as Griffioen had already worked extensively on 
it using PVS. The first challenge was to transform the PVS specification into Isabelle, because 
Isabelle’s specification language lacks e.g. records and function updates.
After transforming the specification, the next step was to start proving. We are used to 
PV S’s proof manager, which records all the steps we take in a proof. Isabelle only provides a 
so-called listener, which records everything the user types in (including the typos and steps that 
were undone later), so the proof has to be filtered out. We experienced that it works faster to 
copy the steps immediately than to use the listener.
W hen we then really started proving, we noticed a big difference in the handling o f condi­
tional expressions (i.e. i  f .. . t h e n . . . e l s e . . .) .  In PVS, conditionals are built-in and the prover 
knows how to deal with them. In Isabelle conditional expressions are explicitly defined and 
the prover does not have special facilities for them. We discussed this with Larry Paulson and 
Tobias Nipkow, which resulted in a solution for Isabelle94-8. In Isabelle98 more tactics to deal 
with conditional expressions are available by default.
Despite these differences, we managed to prove the “same” invariants as in PVS. The lengths 
o f the proofs (in number o f commands/tactics) were comparable to the lengths o f the proofs in 
PVS.
We also studied whether a translation o f object-oriented specifications into higher-order 
logic (part o f a different project [HHJT98]) could be adapted to Isabelle. In the translation
76 A Comparison of PVS and Isabelle/HOL
to PVS we made extensive use o f overloading and this caused serious difficulties in Isabelle. 
In discussions with the Isabelle developers we tried several solutions, but none o f these were 
satisfactory. Isabelle98 has the possibility to define different name spaces and this might help. 
Due to time constraints and lack of documentation we did not investigate this option.
4.4 The best of both worlds
W hen comparing PVS and Isabelle we realised that both tools had their advantages and disad­
vantages. Our ideal proof tool would combine the best o f both worlds.
The logic
Predicate subtyping and dependent typing give so much extra expressiveness and protection 
against semantical errors, that this should be supported. The loss o f decidability o f type check­
ing is easily (and elegantly) overcome by the generation o f TCCs and the availability o f a proof 
checker.
The meta-logic o f Isabelle gives the flexibility to use different logics, even in a single proof. 
However, in our applications, we did not feel the need to use a logic other than HOL and the 
interference with the meta-logic sometimes complicated matters.
The specification language
The specification language should be readable, expressive and easily extendible. For function 
application, we have a slight preference for the bracketless syntax o f Isabelle.
It should be possible to parameterize theories with values. We have a preference for type 
parameterized theories, because polymorphism is hard to combine with non-uniform overload­
ing. A disadvantage o f type inference, in combination with implicitly (universally) quantified 
variables, is that typos introduce new variables, and do not produce an error. As an example, 
suppose that one has declared a function m yFunction : : n a t  => n a t ,  but that by accident 
the following goal is typed in: m yFunction x < m yFuntion (x+1) . This is internally equiv­
alent to: ALL m yF un tion . m yFunction x < m yFuntion (x+1). This error can be detected 
by asking explicitly for the list o f variables (and their types) in the goal.
The prover
The ideal prover has powerful proof commands for classical reasoning and rewriting, including 
ordered rewriting. A tactic should return a lazy list o f possible next states, as this is useful 
to try (almost) all possible instantiations. Also, decision procedures (for example for linear 
arithmetic) should be available. Preferably, these decision procedures are not built-in to the 
kernel, but written in the tactical language, so that they can not cause soundness problems. The 
style o f the interactive proof commands o f PVS is preferred over that o f Isabelle, because this 
is more intuitive. It is important to have a structured tactical language, which allows the user to 
access the goal. For this purpose, the structure o f the goal should be well-documented.
System architecture
To ensure soundness o f the proof tool, the system should have a small kernel. The tool should 
be an open system, o f which the code is freely available, so that users can easily extend it for 
their own purposes and (if necessary) implement bug fixes.
4.5 Conclusions and future work 77
PVS 2.417 Isabelle98/HOL
logic typed HOL typed HOL
predicate subtypes ++ not available
dependent predicate subtypes ++ not available
standard syntax ++/+ +
flexible syntax - ++
module system ++/+ +
polymorphism - ++
overloading ++ -
abstract data types ++/+ ++/+
recursive functions ++/+ ++/+
proof command language + +/-
tactical language - ++
automation + +
arithmetic decision procedures ++ +/-
libraries + ++/+
proof manager ++ +/-
interface ++ +
soundness - ++
upwards compatible +/- +/-
easy to start using + -
manuals +/- +/-
support + ++
time it takes to fix a bug - ?
ease o f installation ++ ++
Figure 4.4: A consumer report o f PVS and Isabelle 
The proof manager and user interface
The tool should keep track o f the proof trace. Proofs are best represented as trees, because 
this is more natural, compared to a linear structure. The tree representation also allows easy 
navigation through the proof, supported by a visual representation of the tree. W hen replaying 
the proof, after changing the specification, the tool can detect for which branches the proof fails, 
thanks to the tree representation.
4.5 Conclusions and future work
We tried to describe some important aspects o f PVS and Isabelle which are not in the ‘advertis­
ing o f the tool’, but are important in making a decision about which tool to use. To conclude, 
Fig. 4.4 gives a list o f criteria forjudging a proof tool, filled in for PVS and Isabelle. This list is 
not complete and based on the available features o f PVS and Isabelle and our work done with 
these proof tools. We hope that in the future users o f other proof tools will produce a similar 
consumers’ test on “their” proof tool too, so that a broad overview o f users’ experiences with 
different proof tools will be available.
Maybe such comparisons will lead to a proof tool which combines the best o f all available 
proof tools. Looking only at PVS and Isabelle, it would be desirable to have a proof tool with the
78 A Comparison of PVS and Isabelle/HOL
specification language, proof manager and user interface o f PVS, but the soundness, flexibility 
and well-structuredness o f Isabelle.
4.6 Epilogue
In the introduction o f this paper it is mentioned that: We are aware that proof tools change in 
time an that a consumers’ report only can have temporary validity.
And indeed things improved since 1998. For both tools we (Marieke Huisman and David 
Griffioen) will list some changes, upto February 2000.
PVS
- Current version is pvs-2.3
- The manuals are now up-to-date
- Improvements in the tool in the areas of: performance, rewriting, decision procedure and 
instantiation
- It is possible to label sequents
Isabelle/HOL
- Current version is Isabelle’99
- A tutorial is added to the documentation
- The specification language is improved, and still upwards compatible with earlier versions
- Many new libraries
- The need for ad-hoc overloading is reduced by the introduction o f namespaces
Chapter 5
A Theory of Normed Simulations
With Frits Vaandrager
Abstract In existing simulation proof techniques, a single step in a lower-level specification 
may be simulated by an extended execution fragment in a higher-level one. As a result, it is 
undecidable whether a given relation is a simulation, even if  tautology checking is decidable for 
the underlying specification logic. This paper introduces various types o f normed simulations. 
In a normed simulation, each step in a lower-level specification can be simulated by at most one 
step in the higher-level one, for any related pair o f states. We show that, under some reasonable 
assumptions, it is decidable whether a given relation is a normed forward simulation, provided 
tautology checking is decidable for the underlying logic. We also prove that, at the semantic 
level, normed forward and backward simulations together form a complete proof method for 
establishing behavior inclusion, provided that the higher-level specification has finite invisible 
nondeterminism. Apart from their pleasant theoretical properties, normed simulations also have 
turned out to be quite useful as a vehicle for the formalization o f refinement proofs via theorem 
provers.
5.1 Introduction
Simulation relations and refinement functions are widely used to prove that a lower-level spec­
ification o f a reactive system correctly implements a higher-level one [AL91, LV95, RE98]. 
Technically, a simulation (or refinement) is a relation (or function) R between the states o f a 
lower-level specification A and a higher-level specification B , that satisfies a condition like (see 
also Figure 5.1)
(s, u) e R A s —a A t ^  3v : u —%b v A (t, v) e R (5.1)
(If a lower-level state s and a higher-level state u are related, and in A there is a transition from 
s to t , then there exists a matching transition in B from u to a state v that is related to t .) The 
existence o f a simulation implies that any behavior o f A can also be exhibited by B .
The main reason why simulations are useful is that they reduce global reasoning about 
behaviors and executions to local reasoning about states and transitions. However, to the best 
o f our knowledge, all complete simulation proof methods that appear in the literature fall back 
on some form o f global reasoning in the case o f specifications containing internal (or stuttering)
80 A Theory of Normed Simulations
Figure 5.1: Transfer condition (5.1).
steps. The usual transfer condition for forward simulations [LV95], for instance, says (see also 
Figure 5.2)
(s, u) e R A s —->a t 3 execution fragment a : first (a) = u (5.2)
A trace(a) = trace(a) A (t, last (a)) e R
(Each lower-level transition can be simulated by a sequence of higher-level transitions which, 
apart from the action that has to be matched, may also contain an arbitrary number of internal 
“t” steps.) Thus the research program to reduce global reasoning to local reasoning has not 
been carried out to its completion.
F igure 5.2: Transfer condition (5.2).
u
In manual proofs o f simulation relations, the occurrence o f executions in transfer condition
(5.2) usually does not pose a real problem: often the matching execution fragments that have 
to be constructed are short since internal steps are rare in higher-level specifications; moreover 
humans tend to be quite good in reasoning about sequences, and move effortlessly from tran­
sitions to executions and back. In contrast, it turns out to be rather cumbersome to formalize 
arguments involving sequences using existing theorem provers (see [DGM97] for a comparative 
study). In fact, in several papers in which formalizations o f simulation proofs are described, the 
authors only define a restricted type o f simulation or refinement in which each transition o f the 
lower-level specification is matched by one or zero transitions o f the higher-level specification 
[HSV94, NS95, DGRV97]. In approaches, such as [SAGG+93], where the full transfer condi­
tion (5.2) is formalized, the user has to supply the simulating execution fragment a to the prover 
explicitly in each case o f the proof, which makes the verification process highly interactive.
In this paper, we introduce a simulation proof method which remedies the above problems. 
The idea is to define a function n that assigns a norm n(s —^  t , u), in some well-founded
5.1 Introduction 81
domain, to each pair o f a transition in A and a state o f B . I f  u has to simulate step s —^  t then it 
may either do nothing (if a is internal and t is related to u), or it may do a corresponding a-step, 
or it may perform an internal step u —^  v such that the norm decreases, i.e.,
n(s —^  t , v) < n(s —^  t , u).
We establish that normedforward simulations and normed backward simulations together con­
stitute a complete proof method for establishing trace inclusion. In addition we show how 
history and prophecy relations (which are closely related to the history and prophecy variables 
o f [AL91]) can be enriched with a norm function, to obtain another complete proof method in 
combination with a simple notion o f refinement mapping.
The preorders generated by normed forward simulations are strictly finer than the preorders 
induced by the forward simulations o f [LV95]. In fact, we will characterize normed forward 
simulations in terms o f branching forward simulations [GW96], and also present a similar char­
acterization for the backward case. It is possible to come up with a variant of normed forward 
simulation that induces the same preorder as forward simulations, but technically this is some­
what more involved.
W hen proving invariance properties o f programs, one is faced with two problems. The first 
problem is related to the necessity of proving tautologies o f the assertion logic, whereas the 
second manifests in the need o f finding sufficiently strong invariants. In order to address the 
first problem, powerful decision procedures have been incorporated in theorem provers such 
as PVS [ORSvH95]. I f  tautology checking is decidable then it is decidable whether a given 
state predicate is valid for the initial states and preserved by all transitions. The task of finding 
such a predicate, i.e. solving the second problem, is the responsibility o f the user, even though 
some very powerful heuristics have been devised to automate this search [BLS96, MBSU98]. 
Analogously, if  specifications A and B , a conjectured forward simulation relation R and norm 
function n can all be expressed within a decidable assertion logic, and if  the transition relations 
o f B can be specified using a finite number o f deterministic transition predicates, then it is 
decidable whether the pair (R , n) is a normed forward simulation. This result, which does not 
hold for earlier methods such as [LV95], is a distinct advantage o f normed forward simulations.
The idea o f using norm functions to prove simulation relations also occurs in [GS95], where 
it is used to prove branching bisimilarity in the context o f the process algebra ^CRL. However, 
in [GS95] the norm function is defined on the states o f B only and does not involve the tran­
sitions o f A. As a consequence, the method o f [GS95] does not always apply to diverging 
processes. Norm functions very similar to ours were also studied by Namjoshi [Nam97]. He 
uses them to obtain a characterization o f the stuttering bisimulation o f [BCG88], which is the 
equivalent of branching bisimulation in a setting where states rather than actions are labeled 
(see [DNV95]). Both [GS95] and [Nam97] do not address effectiveness issues. Although we 
present normed simulations in a setting of labeled transition systems, it should not be difficult 
to transfer our results to a process algebraic setting such as [GS95] or a state based setting such 
as [Nam97].
In Chapter 6, normed simulations will be applied to a nontrivial case study, namely the ver­
ification o f the leader election protocol that is used in the IEEE 1394 standard. This verification 
has been formally checked using the theorem prover PVS [ORSvH95].
In the presentation o f our results, we will closely follow [LV95] and also stick to the nota­
tions introduced in that paper. In fact, our aim will be to derive analogous results as in [LV95], 
only for different types o f simulations. However, we decided not to present normed versions
82 A Theory of Normed Simulations
of the forward-backward and backward-forward simulations o f [LV95], since these simulations 
have thus far not been used in practice and technically this would bring nothing new. Apart 
from the notion o f a norm function, a major technical innovation in the present paper is a new, 
simple definition o f execution correspondence [GSSL93, SALL93], and the systematic use of 
this definition in the technical development.
5.2 Preliminaries
In this section, we briefly recall some definitions from [LV95]. An automaton (or labeled 
transition system) A consists of
•  a (possibly infinite) set states(A) o f states,
•  a nonempty set start(A) ç  states(A) o f start states,
•  a set acts(A) o f actions that includes the internal (or stuttering) action t , and
•  a set steps (A) ç  states (A) x acts (A) x  states (A) o f steps.
W rite s —a A t as a shorthand for (s, a, t) e steps(A). We let ext(A), the external actions, 
denote acts(A) — {t }. An execution fragment of A is a finite or infinite alternating sequence, 
soa1s 1a 2s2 •••, o f states and actions o f A, beginning with a state, and if  it is finite also ending 
with a state, such that for all i > 0, s i—1 —^  si . An execution o f A is an execution fragment 
that begins with a start state. We denote by execs* (A) and execs(A) the sets o f finite and all 
executions o f A , respectively. A state s o f A is reachable if  s occurs as the last state in some 
finite execution a o f A. In this case we write reachable(A, s). Also, we write reachable(A) for 
the set o f reachable states o f A .
The trace o f an execution fragment a , notation trace(a), is the subsequence o f non-T actions 
occurring in a . A finite or infinite sequence ß o f external actions is a trace of A if  A has an 
execution a with ß = trace(a). Write traces* (A) and traces(A) for the sets o f finite and 
all traces o f A, respectively. W rite A < * t B if  traces*(A) ç  traces*(B ), and A < t  B if  
traces(A) ç  traces(B).
Suppose A is an automaton, s and t are states o f A, and ß is a finite sequence over ext(A). 
We say that (s, ß, t ) is a move o f A, and write s = -  At , or just s = -  t when A is clear, if  A has a 
finite execution fragment a that starts in s , has trace ß and ends in t .
Three restricted kinds o f automata play an important role in this paper:
1. A is deterministic if  \start(A)\ = 1, and for any state s and any finite sequence ß over 
ext(A), there is at most one state t such that s = -  t .A  deterministic automaton is charac­
terized uniquely by the properties that \start(A)\ = 1, every t -step is o f the form (s, t , s ) 
for some s , and for each state s and each action a there is at most one state t such that
a
s --- ► A t .
2. A has finite invisible nondeterminism (fin) if  start(A) is finite, and for any state s and any 
finite sequence ß over ext(A), there are only finitely many states t such that s = - At .
3. A is a forest if, for each state s of A, there is exactly one execution that leads to s . A 
forest is characterized uniquely by the property that all states o f A are reachable, start 
states have no incoming steps, and each of the other states has exactly one incoming step.
5.3 Step Refinements and Execution Correspondence 83
The relation after(A) consists o f the pairs (ß, s) for which there is a finite execution o f A with 
trace ß and last state s :
after (A) =  {(ß, s ) \3a e execs* ( A) : trace(a) = ß and last(a) = s}.
(So here last denotes the function that returns the last element o f a finite, nonempty sequence.) 
We also define past(A) to be the inverse o f after (A), past(A) = after (A)-1 ; this relates a state s 
o f A to the traces o f finite executions o f A that lead to s .
The following elementary lemma from [LV95] states that for the restricted kinds o f automata 
defined above, the relations after and past satisfy certain nice properties.
Lemma 5.2.1
1. I f  A is deterministic then after (A) is a function from traces *( A) to states(A).
2. I f  A has fin then after (A) is image-finite, i.e., each trace in the domain o f after (A) is only 
related to finitely many states in the range o f this relation.
3. I f  A is a forest then past(A) is a function from states(A) to traces *( A).
5.3 Step Refinements and Execution Correspondence
In this section, we present the notion o f a step refinement, the simplest type o f simulation 
that we consider in this paper. In order to prove soundness o f step refinements we introduce 
the auxiliary notion o f execution correspondence. This notion plays a key role in this paper; 
the technical lemmas that we prove in this section will also be used repeatedly in subsequent 
sections.
5 . 3 . 1  S t e p  R e f i n e m e n t s
Let A and B be automata. A step refinement from A to B i s a  partial function r from states(A) 
to states(B) that satisfies the following two conditions:
1. If  s e start (A) then s e domain (r ) and r (s ) e start (B).
2. If  s —%a t A s e domain (r) then t e domain (r) and
(a) r (s ) = r (t ) A a = t , or
(b) r (s) a B r (t ).
Note that, by a trivial inductive argument, r is defined for all reachable states o f A. We write 
A < r  B if  there exists a step refinement from A to B .
As far as we know, the notion o f step refinements was first proposed in [NS95]. However, if  
we insist on the presence o f stuttering steps s —^  s for each state s (a common assumption in 
many models o f reactive systems) then clause (2a) in the above definition becomes superfluous 
and the notion o f a step refinement reduces to that o f a homomorphism between reachable sub­
automata [Gin68]. Step refinements are slightly more restrictive than the possibility mappings 
from [LT87] (called weak refinements in [LV95]). In the case of a possibility mapping each 
(reachable) step o f A may be matched by a sequence o f steps in B with the same trace. This 
means that in the above definition condition (2) is replaced by:
84 A Theory of Normed Simulations
2. If  5 —% a t A 5 e domain (r) then t e domain (r) and B has an execution fragment a with 
first (a) = r (s ), trace (a) = trace (a) and last (a) = r (t ).
Observe that, unlike step refinements, possibility mappings do not reduce global reasoning to 
local reasoning.
Exam ple 5.3.1 Figure 5.3 illustrates the notion of a step refinement. Note that the t-steps in
s5
s6
Figure 5.3: A step refinement.
B
A are not matched by any step in B . Also the c-step in A is not matched by any step in B : 
both source and target states o f this step are outside the domain o f the step refinement. This is 
allowed since both states are unreachable. Observe that there is no step refinement from B to
A, but that there exists a possibility mapping from B to A.
Figure 5.4 gives another example o f a step refinement. In this case there is a step refinement 
from A' to B ' but not from B ' to A'. There is not even a possibility mapping from B ' to A'.
s0
si
a
A ’ B ’
Figure 5.4: Another step refinement.
The following proposition gives a basic sanity property o f step refinements. 
P roposition 5.3.2 < r  is a preorder (i.e., is transitive and reflexive).
a
5.3 Step Refinements and Execution Correspondence 85
Proof: The identity function from states(A) to itself trivially is a step refinement from A to 
itself. This implies that < r  is reflexive. Transitivity follows from the observation that if  r is a 
step refinement from A to B and r ' is a step refinement from B to C , then the composition r ' o r 
is a step refinement from A to C . □
5 . 3 . 2  E x e c u t i o n  C o r r e s p o n d e n c e
If  there exists a step refinement from A to B then we can construct, for each execution fragment 
o f A, a corresponding execution fragment o f B with the same trace. This idea is formalized 
below.
Suppose A and B are automata, R ç  states(A) x states(B), and a = s0 a 1s 1a2 s2  ■ ■ ■ and a' = 
u0 b1u 1 b2 u2  ■■■ are execution fragments o f A and B , respectively. Let index(a) and index(a') 
denote the index sets of a and a '. Then a and a' correspond via R and are R-related, notation 
(a, a ') e R, if  there exists an index relation over R, i.e., a relation I  ç  index(a) x index(a') 
that relates lower-level states to higher-level states such that (1) if  two indices are related by 
I  then the corresponding states are related by R; (2) I  is monotone; (3) each lower-level state 
is related to a higher-level state and vice versa; (4) sides o f “squares” always have the same 
label and sides o f “triangles” are labeled with t  . Formally we require, for i, i ' e index(a) and 
j ,  j ' e index(a'),
1. (i, j ) e I  ^  (si, u j) e R
2. (i, j ) e I  a  (i', j ') e I  a  i < i ' j  < j  '
3. I  and I -1 are total
4. (i, j  ) e I  a  (i +  1, j  +  1 ) e I ai+1 = bj
(i, j ) e I  a  (i +  1, j ) e I ai+1 =  t
(i, j ) e I  a  (i, j  +  1) e I bj +1 =  t
W rite ( A, B ) e R if  for every execution a o f A there is an execution a ' o f B such that (a, a ') e 
R, and [A , B ] e R if  for every finite execution a o f A there is a finite execution a ' o f B with 
(a, a ') e R. Figure 5.5 illustrates the correspondence between two executions o f automata A 
and B from Figure 5.3.
s0 s3 s4
T b 
• -----------------
u0  b u2  T u2  T u2  T u2
Figure 5.5: Execution correspondence.
Another notion of correspondence has been presented in [GSSL93, SALL93] and formal­
ized in [Mue98]. Within the theory of I/O automata, execution correspondence plays a crucial
86 A Theory of Normed Simulations
role in proofs o f preservation o f both safety and liveness properties. Our notion is more restric­
tive than the one o f [GSSL93, SALL93], but technically much simpler. Moreover it has the 
advantage that it preserves until properties. In this paper, we only study safety properties and it 
suffices to know that corresponding executions have the same trace. This fact is established in 
the next lemma.
Lemma 5.3.3 (Corresponding execution fragments have the same trace)
1. Suppose I  is an index relation as above and (i, j ) e I. Then trace(sQaisi ■ ■ ■ aisi) = 
trace(u0 bju1 ■ ■ ■ bjuj).
2. I f  (a, a') e R then trace(a) = trace(a').
Proof: For (1), suppose (i, j ) e I . By induction on i + j  we prove
trace (sgajsj ■■■aisi) = trace (ugbjuj ■■■bjuj).
If  i + j  = 0 then both i and j  are 0. Clearly, trace(sß) = trace(uß) = A.
For the induction step, suppose i + j  > 0. For reasons of symmetry we may assume w.l.o.g. 
that i > 0. Let j ' be the largest index with j ' < j  and (i — 1, j ') e I . (By condition (2), i — 1 
can only be related to indices less than or equal to j , and by condition (3) there is at least one 
such an index.)
We distinguish between three cases:
1. j ' = j . Then by condition (4b), ai = t . By induction hypothesis,
trace(s0 a¡s1 ■ ■ ■ai-1 si-1 ) = trace(u0 b¡u¡ ■ ■ ■ bjuj).
Hence trace(s0 a¡s¡ ■ ■ ■ aisi) = trace (u0 b¡u¡ ■ ■ ■ bjuj).
2. j ' = j  — 1. Then by condition (4a), ai = b j. By induction hypothesis,
trace(s0 aisi ■ ■ ■ai-isi-i) = trace(u0 bjuj ■ ■ ■ bj-juj-j).
Hence trace(s0 a¡s¡ ■ ■ ■ aisi) = trace(u0 b¡u¡ ■ ■ ■ bjuj).
3. j ' < j  — 1. Then by conditions (2) and (3), (i, j  — 1) e I . By condition (4c), this implies 
bj = t . By induction hypothesis,
trace(s0 a¡s¡ ■ ■ ■aisi) = trace(u0 b¡u¡ ■ ■ ■ bj-¡uj-¡).
Hence trace(s0 aisi ■ ■ ■ aisi) = trace(u0 bjuj ■ ■ ■ bjuj).
This completes the proof o f the induction step.
For (2), suppose that (a, a ') e R. Then there exists an index relation I  that relates a and a '. 
Using (1) and the fact that both I  and I —1 are total, it follows that each finite prefix o f trace(a) 
is also a finite prefix o f trace(a'), and vice versa. This implies trace(a) = trace(a'). □
Corollary 5.3.4 (Execution correspondence implies trace inclusion)
1. (A, B ) e R implies [A, B ] e R.
2. I f  [A, B ] e R then A < * t B.
3. I f  (A, B ) e R then A < t  B.
Proof: Statement (1) follows from the definitions. Statements (2) and (3) follow immediately 
from Lemma 5.3.3 and the definitions. □
5.4 Normed Forward Simulations 87
5 . 3 . 3  S o u n d n e s s  a n d  P a r t i a l  C o m p l e t e n e s s
The next theorem states that if  there is a step refinement from A to B , it is possible to construct, 
for each execution of A, a corresponding execution o f B . Since corresponding executions 
have the same trace, this implies that step refinements constitute a sound technique for proving 
trace inclusion. In addition, the next theorem also allows one to use step refinements as a 
sound technique for proving implementation relations between live automata, as in [GSSL93, 
SALL93, Mue98].
Theorem 5.3.5 (Soundness o f step refinements)
I f  r is a step refinement from A to B then ( A , B ) e r.
Proof: Suppose r is a step refinement from A to B . Let a = s0a 1s 1 ■■■ be an execution o f A. 
Inductively, we define an execution a ' = u0 b1u 1 ■■■ o f B and an index relation I  such that a 
and a' are r -related via I .
To start with, define u0 =  r (s0) and declare (0, 0) to be an element of I .
Now suppose (i, j  ) e I  and i is a nonfinal index o f a . We distinguish between two cases:
1. If  r (si) -a +1B r (si+1) then define bj+1 =  ai+1, u j+1 =  r (si+1), and declare (i + 1, j  + 1) 
to be an element o f I ;
2. otherwise, declare (i + 1 , j ) to be an element o f I .
By construction, using the defining properties o f a step refinement, it follows that I  is an index 
relation. This implies (A , B ) e r . □
Step refinements alone do not provide a complete method for proving trace inclusion. There 
is a partial completeness result, however.
Theorem 5.3.6 (Partial completeness o f step refinements)
Suppose A is a forest, B is deterministic and A < *t B. Then A < r  B.
Proof: The relation r = after(B) opast(A) is a step refinement from A to B . □
Actually, we can even slightly strengthen the above theorem. It suffices to assume that A 
restricted to its reachable states is a forest, and that B restricted to its reachable states is deter­
ministic. In Figure 5.3, automaton A restricted to its reachable states is a forest and automaton 
B is deterministic. As we observed already, there is a step refinement from A to B . Even if  we 
restrict to reachable states, automaton B is not a forest and automaton A is not deterministic. 
As we observed, there is no step refinement from B to A .
In practice, Theorem 5.3.6 is not so useful. The higher-level specification often is determin­
istic, but it rarely occurs that the lower-level specification is a forest.
5.4 Normed Forward Simulations
Even though there exists no step refinement from automaton B ' to automaton A' in Figure 5.4, 
these automata do have the same traces. By moving from functions to relations it becomes 
possible to prove that each trace o f B ' is also a trace o f A'. This idea is formalized in the 
following definition.
88 A Theory of Normed Simulations
A normedforward simulation from A to B consists o f a relation f  ç  states(A) x states(B) 
and a function n : steps(A) x states(B) 4  S, for some well-founded set S, such that (here f  [s] 
denotes the set {u | (s, u) e f }):
1. If  s e start (A) then f  [s ] n  start (B) = 0 .
2. If  s —%a t a  u e f  [s] then
(a) u e f  [t ] a  a = t  , or
(b) 3v e f  [t] : u —4 B v, or
(c) 3v e f  [s] : u - 4 b v a  n(s —4  t , v) < n(s —4  t , u).
W rite A < F B if  there exists a normed forward simulation from A to B .
The intuition behind this definition is that if  s —4 A t and (s, u) e f , then either (a) the 
transition in A is a stuttering step that does not have to be matched, or (b) there is a matching 
step in B , or (c) B can do a stuttering step which decreases the norm. Since the norm decreases 
at each application o f clause (c), this clause can only be applied a finite number o f times. 
In general, the norm function may depend both on the transitions in A and on the states of 
B . However, if  B is convergent, i.e., there are no infinite t -paths, then one can simplify the 
type o f the norm function (though not necessarily the definition o f the norm function itself) to 
n : states(B) 4  S. In fact, in the approach o f [GS95], which not always applies to divergent 
processes, the norm function is required to be o f this restricted type.
Example 5.4.1 In Figure 5.4, the relation indicated by the dashed lines, together with an arbi­
trary norm function, is a normed forward simulation from B ' to A'.
Consider automata A and B in Figure 5.3. Let n be the function that assigns norm 1 to state 
s 0 and norm 0 to all other states o f A. Then n together with the relation indicated by the dashed 
lines constitutes a normed forward simulation from B  to A .
u1
u3
C D
b
Figure 5.6: Norm function must take steps o f C into account.
Now consider the automata C and D in Figure 5.6. Let m be a norm function satisfying
m (s0 —4  s 1 , u0 ) = 0 m (s0 —4  s 1 , u1) =  1 
m (s0 —4  s3, u0 ) = 1 m(s0 —4  s3, u1) =  0
5.4 Normed Forward Simulations 89
Then m together with the relation indicated by the dashed lines constitutes a normed forward 
simulation from C to D. It is not hard to see that in this example, where D is not convergent, 
the norm necessarily depends on the selected step in C .
The next proposition asserts that normed forward simulations indeed generalize step refine­
ments.
Proposition 5.4.2 A < R B ^  A < F B.
Proof: Together with an arbitrary norm function, any step refinement (viewed as a relation) is 
a normed forward simulation. □
The soundness o f normed forward simulations is trivially implied by the following lemma.
Lemma 5.4.3 Suppose ( f ,  n) is a normedforward simulation from A to B, A has an execution 
fragment a with first state s, and u is a state o f B with u e f  [s ]. Then B has an execution 
fragment a ' that starts in u such that (a, a ') e f .
Proof: Let c : steps(A) x states(B) 4  {L , C, R} x states(B) be a function such that 
c(s —4  t , u) = (x, v) and u e f  [s] implies
1. If  x =  L then u e f  [t ] a  a = t .
2. If  x = C then v e f  [t ] a  u —%b v.
3. If  x =  R then v e f  [s ] a  u —4  b v a  n(s —4  t , v) < n(s —4  t , u).
The existence o f c, which chooses between a left move (L) o f A, a common move (C) of A and
B , or a right move (R) o f B , is guaranteed by the fact that ( f ,  n) is a normed forward simulation.
Let a = s0 a1s 1a2 s2  ■ ■ ■. Then s =  s0. Inductively, we define a sequence a = z0 z 1 z2 ••• of 
4-tuples inN  x N x acts(B) x states(B). The first element in the sequence is z 0 =  (0, 0, t, u). 
I f  zk = (i, j ,  b, u) is an element o f the sequence, and i is a nonfinal index o f a , then we define 
zk+1 as follows
1. If  c(si —4  si+1, u) = (L , v) then zk+1 =  (i + 1, j ,  b, u).
2. If  c(si —4  si+1, u) = (C, v) then zk+1 =  (i + 1, j  + 1, ai+1, v).
3. If  c(si —4  si+1, u) = (R , v) then zk+1 =  (i, j  + 1 , t ,v ) .
Suppose that both (i, j ,  b, u) and (i', j , b', u') occur in sequence a . We claim that b = b' and 
u = u'. To see why this is true assume w.l.o.g. that (i, j ,  b, u) occurs before (i', j , b', u'). Now 
observe that the values o f both the first and second component o f elements in a increase mono- 
tonically. This means that each successor o f (i, j ,  b, u) up to and including (i ', j ,  b', ur) has 
been obtained from its predecessor by applying rule (1). This implies that the the second resp. 
third components o f all elements in the sequence from (i, j ,  b, u) until (i ', j , b', ur) coincide. 
Hence b = b' and u = u'.
Using this property, we can define for each element (i, j , b, u) in a , bj = b and uj = u. 
Let a' = u0 b1u 1 b2 u2  ■ ■ ■ and let I  = {(i, j ) 13b, u : (i, j ,  b, u) occurs in a }. By construction 
o f a , using the properties o f c, it follows that a ' is an execution fragment o f B that starts in u , 
and that I  is an index relation over f . This implies (a, a ') e f . □
90 A Theory of Normed Simulations
Theorem  5.4.4 (Soundness o f normedforward simulations)
I f  f  is a normedforward simulation from A to B then ( A, B ) e f .
Proof: Immediate from the definitions and Lemma 5.4.3. □
E xam ple 5.4.5 Consider automata C and E  in Figure 5.7. There does not exist a normed
u2
u3
C
b
Figure 5.7: Difference between forward simulations and normedforward simulations.
forward simulation from C to E . Such a simulation would have to relate states s 0 and u0. But 
in order for E  to simulate the step s 0 —4  s3, it would also have to relates states s 0 and u2. But 
this is impossible since from state u2 there is no way to simulate the step s 0 —4  s 1.
It turns out that there does exist a forward simulation in the sense o f [LV95] from C to E . 
In the case of a forward simulation, a step o f A may be matched by a sequence of steps in B 
with the same trace. This means that in the definition o f a normed forward simulation condition 
(2) is replaced by:
2. If  s —4  a  t A u e f  [s] then B has an execution fragment a with first(a) = u , trace (a) = 
trace(a) and last (a) e f  [t ].
The dashed lines in Figure 5.7 indicate a forward simulation from C to E .
The automata A and B in Figure 5.3 provide us with a similar example: there exists a 
forward simulation from B to A, but no normed forward simulation.
The difference between forward simulations and normed forward simulations is very similar 
to the difference between M ilner’s observation equivalence [Mil89] and the branching bisimu­
lation o f Van Glabbeek and Weijland [GW96]. In fact, we can characterize normed forward sim­
ulations in terms o f “branching forward simulations” , a notion that is inspired by the branching 
bisimulations o f [GW96]. A similar characterization has been obtained by Namjoshi [Nam97] 
in the setting o f stuttering bisimulations.
Formally, a branching forward simulation from A to B is a relation f  ç  states (A) x 
states (B) such that
1. If  s e start (A) then f  [s ] n  start (B) = 0 .
2. If  s —4 A t and u e f  [s] then B has an execution fragment that starts in u and that is 
f  -related to s —4  t .
5.4 Normed Forward Simulations 91
The following theorem implies that there exists a normed forward simulation between two 
automata if  and only if  there is a branching forward simulation between them.
Theorem 5.4.6
1. Suppose ( f ,  n) is a normed forward simulation from A to B. Then f  is a branching 
forward simulation from A to B.
2. Suppose f  is a branching forward simulation from A to B. Let n(s - 4  t , u ) be 0 if  
u e  f  [s ] and otherwise be equal to the length o f the shortest execution fragment that 
starts in u and that is f  -related to s —4  t. Then ( f ,  n) is a normed forward simulation 
from A to B.
Proof: Part (1) follows by Lemma 5.4.3. The proof o f part (2) is routine. □
An interesting corollary of Theorem 5.4.6 is that if  there exists a normed forward simulation 
between two automata, there is in fact a normed forward simulation with a norm that has the 
natural numbers as its range.
The proof that branching bisimilarity is an equivalence is known to be tricky [Bas96]. Like­
wise, the proof that branching forward simulations induce a preorder is nontrivial. We first need 
to define the auxiliary concept o f a reduced index relation and to prove a lemma about it.
Suppose that a and a ' are R -related via index relation I . We say that I  is reduced if  the 
following two conditions are satisfied:
1. If  a is finite then I  relates the final index o f a only to the final index o f a '.
2. I  is N-free: (i, j ) e I  A (i + 1, j  + 1) e I  ^  (i + 1, j ) e  I  a  (i, j  + 1) e  I .
Observe that if  a is finite and I  is reduced, then a ' is also finite. The following technical lemma 
states that index relations can always be reduced.
Lemma 5.4.7 Suppose that a and a ' are R-related via index relation I. Then a ' has a prefix 
a" that is R-related to a via a reduced index relation J  ç  I.
Proof: If  a is infinite then let a" = a'. I f  a is finite then let a" be the finite prefix o f a' up to 
and including the first state whose index is related by I  to the final index o f a .
Inductively we define a sequence a = z 0 z 1z2 ••• o f pairs in N x N. The first element o f the 
sequence is z0 =  (0, 0). I f  zk = (i, j  ) is an element o f the sequence and i is a nonfinal index 
then we define zk+1 as follows:
L (i + 1  j  + 1) e I  ^  zk+1 =  (i + 1  j  + 1)
2 . (i + 1> j )  e I  A (i + 1> j  + 1) ¥ I  ^  zk+1 =  (i + 1  j )
3 . (i, j  + 1) e I  A (i + 1  j  + 1) ¥ I  ^  zk+1 =  (i, j  + 1)
Note that since I  is an index relation, zk+ 1 is properly defined. Let J  = {(i, j ) | (i, j ) occurs in a }. 
It is routine to check that J  ç  I , that a and a" are R-related via J , and that J  is reduced. A 
tricky point is the totality o f J  and J - 1 . We prove that J  is total by contradiction. Suppose 
that J  is not total. Let i be the smallest index o f a with J[i] =  0 .  Let j  be the smallest index
92 A Theory of Normed Simulations
of a' with (i, j ) e I  (j exists since index relation I  is total). Let l be the maximal index of 
a' with (i — 1, l) e J  (there is a maximal index since (i — 1, l ) e J  implies (i — 1, l) e I , 
which implies l < j  by monotonicity o f index relation I ). Let zk = (i — 1, l ). Since J[i ] = 0 , 
zk+1 =  (i — 1, l + 1). Hence (i — 1, l + 1) e J . But this contradicts the fact that l be the 
maximal index o f a ' with (i — 1 , l ) e J .
In a similar way also the totality o f J —1 and N-freeness can be proved by contradiction. □
We are now prepared to prove that branching forward simulations (and hence also normed 
forward simulations) induce a preorder.
Proposition 5.4.8 < f  is a preorder.
Proof: For reflexivity, observe that the identity function from states(A) to itself is a branching 
forward simulation from A to itself.
For transitivity, suppose f  and g  are branching forward simulations from A to B and from 
B to C , respectively. We claim that g o f  is a branching forward simulation from A to C . 
It is trivial to check that g o f  satisfies condition (1) in the definition o f a branching forward 
simulation. For condition (2), suppose that s —4 A t A u e (g o f  )[s]. Then there exists a state 
w of B such that w e f  [s] and u e g[w]. Hence there is an execution fragment a starting in 
w such that s —4  t and a are f  -related via some index relation I . By Lemma 5.4.7, we may 
assume that I  is reduced. Also, there is an execution fragment a ' starting in u such that a and 
a' are g-related via some index relation J . Again by Lemma 5.4.7, we may assume that J  is 
reduced. Using the fact that both I  and J  are reduced, it is routine to check that s —4  t and a' 
are g o f  -related via index relation J  o I . Thus g o f  satisfies condition (2) in the definition of 
a branching forward simulation. □
Variants o f the partial completeness result below appear in several papers, see for instance 
[Jon87, LV95]. Since higher-level specifications are often deterministic, this result explains 
why in practice (normed) forward simulations can so often be used to prove behavior inclusion.
Theorem  5.4.9 (Partial completeness o f normed/branchingforward simulations)
I f  B is deterministic and A < * t B then A < f  B.
Proof: The relation f  = after (B) opast(A) is a branching forward simulation from A to B . □
It is interesting to note that there is one result from [LV95] concerning forward simulations 
that does not carry over to the normed/branching simulations o f this paper. This result, Propo­
sition 3.12, states that if  A is a forest and A < F B then A < R B . The automata C and D of 
Figure 5.6 constitute a counterexample. Actually, the same Proposition 3.12 also does not carry 
over to the setting o f timed automata studied in [LV96].
5.5 Normed Backward Simulations
As we observed, there exists no normed forward simulation from automaton B to automaton 
A in Figure 5.3, even though both automata have the same traces. Also, there does not exist 
a normed forward simulation from automaton C to the trace equivalent automaton E  in Fig­
ure 5.7. In both cases a forward simulation in the sense o f [LV95] exists. However, the example 
in Figure 5.8 below shows that also forward simulations do not yet provide us with a complete
5.5 Normed Backward Simulations 93
method for proving trace inclusion. It is well-known from the literature that completeness can 
be obtained by adding some form o f backward simulation.
Exam ple 5.5.1 There exists no (normed/branching) forward simulation from automaton C to 
automaton F  in Figure 5.8. The relation indicated by the dashed lines fails since from state 
u0 the b-step from s 0 can not be simulated, whereas from u2 the a-step from s 0 can not be 
simulated.
u0
ul
u2
u3
C F
Figure 5.8: The needfor backward simulations.
In many respects, backward simulations are the dual o f forward simulations. Whereas a 
forward simulation requires that some state in the image o f each start state should be a start 
state, a backward simulation essentially requires that all states in the image of a start state be 
start states. Also, a forward simulation requires that forward steps in the source automaton can 
be simulated from related states in the target automaton, whereas the corresponding condition 
for a backward simulations requires that backward steps can be simulated. However, the two 
notions are not completely dual: the definition o f a backward simulation contains a nonempti­
ness condition, and also, in order to obtain soundness for general trace inclusion, backward 
simulations also require a finite image condition. The mismatch is due to the asymmetry in our 
automata between the future and the past: from any given state, all the possible histories are 
finite executions, whereas the possible futures can be infinite.
Formally, we define a normed backward simulation from A to B to be a pair o f a total 
relation b ç  states(A) x states(B) and a function n : (steps(A) U start (A)) x states(B) 4  S, 
for some well-founded set S, satisfying
1. If  s e start(A) A u e b[s] then
(a) u e start (B), or
(b) 3v e b[s] : v —4 b u A n(s, v) < n(s, u).
2. If  t —%a s a  u e b[s] then
(a) u e b[t] A a = t , or
(b) 3v e b [t] : v —4 B u, or
(c) 3v e b[s] : v —4 b u A n(t —4  s, v) < n(t —4  s, u).
94 A Theory of Normed Simulations
W rite A < b B if  there is a normed backward simulation from A to B , and A < iB B if  there is 
a normed backward simulation from A to B that is image-finite.
Exam ple 5.5.2 In Figure 5.8, the relation indicated by the dashed lines is a normed backward 
simulation from C to E , for arbitrary norm functions. It is not difficult to construct normed 
backward simulations from automaton B to automaton A in Figure 5.3, and from automaton C 
to automaton E  in Figure 5.7.
s0 sl s2 s3
a a a
— ..............►
G
u0
•**
ul u2 u3 u4rH a
Figure 5.9: No image-finite normed backward simulation.
Figure 5.9 illustrates the difference between < b  and <íb. Relation states(G) x states(H) 
together with an arbitrary norm function constitutes a normed backward simulation from G to 
H . We claim that no image-finite normed backward simulation exist. Because suppose that b 
is such a relation. Then, for all i, j  e N with i > 0,
(si, uj) e b ^  (si — 1, uj + 1) e b
This implies that
(si, uj) e b ^  (s0, ui + j ) e b
Since each state si is related to at least one state s j , it follows that state s 0 is related to infinitely 
many states, which is a contradiction.
The following proposition states some trivial connections between the preorders induced by 
normed backward simulations and step refinements.
Proposition 5.5.3
1. I f  all states o f A are reachable and A < r  B then A <íb B.
2. I f  A <íb B then A <b  B.
Proof: Trivial. □
The next lemma is required to prove soundness o f normed backward simulations.
Lem m a 5.5.4 Suppose (b, n) is a normed backward simulation from A to B, A has a finite 
execution fragment a with last state s, and u is a state o f B with u e b[s ]. Then B has a finite 
execution fragment a ' that ends in u such that (a, a ') e b. Moreover, i f  a is an execution then 
a' can be chosen to be an execution as well.
5.5 Normed Backward Simulations 95
Proof: Similar to the proof o f Lemma 5.4.3. □
By Lemma 5.5.4, the existence o f a normed backward simulation implies inclusion o f finite 
traces. Normed backward simulations, however, are in general not a sound method for proving 
inclusion o f infinite traces. As a counterexample, consider automata G and H  from Figure 5.9. 
There exists a normed backward simulation from G to H , but the infinite trace am o f G is not 
a trace o f H . As is well-known the literature, a sound method for proving inclusion o f infinite 
traces can be obtained by requiring image finiteness.
Theorem  5.5.5 (Soundness o f normed backward simulations)
1. I f  b is a normed backward simulation from A to B then [ A, B ] e b.
2. Ifmoreover b is image-finite then ( A, B) e b.
Proof: Statement (1) follows immediately by Lemma 5.5.4 and the totality o f b. In order to 
prove (2), suppose that b is image-finite. Let a be an execution o f A. We have to establish 
the existence o f an execution a ' o f B with (a, a r) e b. I f  a is finite then this follows by 
Lemma 5.5.4 and the totality o f b. So assume that a is infinite. We use a minor variation of 
K onig’s Lemma [Knu97] that occurs in [LV95]:
Let G be an infinite digraph such that (1) G has finitely many roots, i.e., nodes 
without incoming edges, (2 ) each node o f G has finite outdegree, and (3) each node 
o f G is reachable from some root. Then there is an infinite path in G starting from 
some root.
The nodes o f the graph G that we consider are pairs (I, y ) where y  is a finite execution o f B 
and I  is an index relation that relates y  to some finite prefix o f a . There is an edge from a node 
(I, y ) to a node (I', y ') iff y  is a prefix o f y ' and I ' extends I  with precisely one element. It 
is straightforward to check that G satisfies the conditions o f K onig’s Lemma. Hence G has an 
infinite path. Let J  be the union o f all the index relations occurring on nodes in this path, and let 
a ' be the limit o f the finite executions o f the nodes in this path. Observe that, by image-finiteness 
o f b, each index o f a occurs in the domain o f J . Hence (a, a ') e b. □
The following Proposition 5.5.6 is in a sense the converse o f Proposition 5.5.3. The proof is 
similar to that o f the corresponding result in [LV95].
Proposition 5.5.6
1. I f  B is deterministic and A < b  B then A < r  B.
2. I f  all states o f A are reachable, B has fin and A < b  B, then A <ìb B.
Proof: For (1), suppose that B is deterministic and that b is a normed backward simulation 
from A to B . Suppose that s is a reachable state o f A. We will prove that b[s] contains exactly 
one element. Since any normed backward simulation that is functional on the reachable states 
trivially induces a step refinement, this gives us A <R B .
Because b is a normed backward simulation it is a total relation, so we know b[s] contains 
at least one element. Suppose that both u 1 e b[s] and u2 e b[s]; we prove u 1 =  u2. Since s is 
reachable, A has an execution a that ends in s . By Lemma 5.5.4, B has executions a 1 and a2
96 A Theory of Normed Simulations
which end in u 1 and u2, respectively, such that (a, a 1) e b and (a, a2) e b. By Lemma 5.3.3, 
trace(a) = trace(a1) = trace(a2). Now u 1 =  u2 follows by Lemma 5.2.1(1), using the fact 
the B is deterministic.
For (2), suppose that all states o f A are reachable, B has fin, and b is a normed backward 
simulation from A to B . Suppose that s is a state o f A. Since s is reachable, there is an 
execution a that ends in s . Let ß be trace o f a . By Lemma 5.5.4 there exists, for each u e b[s ], 
an execution au o f B that ends in u such that (a, au) e b. By Lemma 5.3.3, trace(au) = ß . 
Hence b[s] ç  after(B)[ß]. But since B has fin, after(B)[ß] is finite by Lemma 5.2.1(2). Hence 
b is image-finite.
As in the forward case, we will now characterize normed backward simulations in terms of 
“branching backward simulations”, and use this characterization to establish that < b and < iB 
are preorders.
A branching backward simulation from A to B is a total relation b ç  states(A) x states(B) 
such that
1. If  s e start(A) and u e b[s] then B has an execution that ends in u and is b-related to s .
2. If  t —4 a s and u e f  [s] then B has an execution fragment that ends in u and is b-related
ato t — > s .
Theorem  5.5.7
1. Suppose (b, n) is a normed backward simulation from A to B. Then b is a branching 
backward simulation from A to B.
2. Suppose b is a branching backward simulation from A to B. Let n(s, u) be 0 i f  s is not 
a start state or u e  b[s] and otherwise be equal to the length o f the shortest execution 
that ends in u and is b-related to s. Furthermore, let n(t —% s, u) be 0 i f  u e  f  [s] 
and otherwise equal to the length o f the shortest execution fragment ending in u that is 
b-related to t —% a s. Then (b, n) is a normedforward simulation from A to B.
Proof: Statement (1) follows by Lemma 5.5.4. The proof o f statement (2) is routine. □
As in the forward case, we see that if  there exists a normed backward simulation between 
two automata, there is in fact a normed backward simulation with a norm that has the natural 
numbers as its range.
Proposition 5.5.8 < b  and <ìb are preorders.
Proof: Similar to the proof o f Proposition 5.4.8. □
The following partial completeness result is a variation o f results of [Jon90, LV95].
Theorem  5.5.9 (Partial completeness o f normed backward simulations)
I f  A is a forest and A < * t B then A < b  B.
Proof: The relation b = after(B) ◦ past(A) is a branching backward simulation from A to B .
□
Note that by Proposition 5.5.6 we can strengthen the conclusion o f Theorem 5.5.9 to A < iB 
B in case B has finite invisible nondeterminism.
5.6 Normed History Relations 97
Example 5.5.10 Consider the automata A' and B' in Figure 5.4. There exists no normed back­
ward simulation from B ' to A'. The relation indicated by the dashed lines fails since the back­
ward transition from state u0 cannot be simulated from the related state s0. By consequence, 
also normed backward simulations do not provide a complete proof method for establishing 
trace inclusion. In the next section, we will see that completeness can be obtained by combin­
ing normed forward and backward simulations.
5.6 Normed History Relations
In this section we introduce normed history relations. These provide an abstract view o f the 
history variables o f Abadi and Lamport [AL91], which in turn are abstractions o f the auxiliary 
variables o f Owicki and Gries [OG76].
A pair (r, n) is a normed history relation from A to B if  r is a step refinement from B to 
A, and (r— 1, n) is a normed forward simulation from A to B . W rite A < h  B if  there exists a 
normed history relation from A to B .
Thus A < h  B implies A < f  B and B < r  A. Through these implications, the preorder and 
soundness results for normed forward simulations and step refinements carry over to history 
relations. In fact, if  (r, n) is a normed history relation from A to B then r is just a func­
tional branching bisimulation from B to A in the sense o f Van Glabbeek and Weijland [GW96]. 
Hence, history relations preserve behavior o f automata in a very strong sense. Intuitively, there 
is a history relation from A to B if  B can be obtained from A by adding an extra state variable 
that records information about the history o f an execution.
Example 5.6.1 Consider again the automata A' and B' in Figure 5.4. Together with an arbitrary 
norm function, the dashed lines constitute a normed history relation from B ' to A'. Because, as 
we observed, there is no step refinement from B ' to A', there exists no normed history relation 
from A' to B '.
An important example o f a history relation is given by the “unfolding” construction. The 
unfolding o f an automaton A, notation unfold(A), is the automaton obtained from A by record­
ing the complete history o f each execution. Formally, unfold(A) is the automaton B defined 
by
• states(B) = execs* ( A),
• start(B) = the set o f executions of A that consist of a single state,
• acts(B) = acts (A), and
• for a', a e states(B) and a e acts(B), a ' —%b a a = a ' a last(a).
The next proposition relates an automaton to its unfolding.
Proposition 5.6.2 unfold(A) is a forestand A < h  unfold(A).
Proof: Clearly, unfold(A) is a forest. The function last which maps each finite execution o f A 
to its last state is a step refinement from unfold(A) to A, and the relation last—1, together with 
an arbitrary norm function, is a normed forward simulation from A to unfold(A). □
98 A Theory of Normed Simulations
The following completeness theorem, a variation o f a result due to Sistla [Sis91], asserts 
that normed history relations together with normed backward simulations constitute a complete 
proof method for establishing trace inclusion. By consequence, also normed forward simula­
tions together with normed backward simulations constitute a complete proof method.
Theorem  5.6.3 (Completeness o f normed history relations and normed backward simulations) 
I f  A < * t B then there exists an automaton C such that A < h  C < b  B.
Proof: Take C = unfold(A). By Proposition 5.6.2, C is a forest and A < h  C . Since A <*t B , 
also C <*t  B by soundness of history relations. Next apply the partial completeness result for 
backward simulations (Theorem 5.5.9) to conclude C < b B . □
Observe that if  we can assume in addition that B has fin, we may replace < b by < iB in the 
conclusion using Proposition 5.5.6.
Normed forward simulations are equivalent to normed history variables combined with step 
refinements. In order to prove this result, we need to define a notion o f “superposition” of 
automata and to prove a technical lemma.
Let R ç  states(A) x states(B) be a relation with R n  (start(A) x start(B)) = 0 .  The 
superposition sup(A, B, R) o f A and B via R is the automaton C defined by
• states(C) = R,
• start(C) = R n  (start(A) x start(B)),
• acts(C) = acts(A ) n acts(B) , and
• for (s, u), (t, v) e states(C) and a e acts(C), (s, u) —4 C (t, v)
a = T A s = t A u —4  B v
V a = T A u = V A s —4  A t
a aV s --- >At A u --- > b V.
Lem m a 5.6.4 Suppose ( f ,  n) is a normedforward simulationfrom A to B. Let C = sup(A, B, f )  
and let m  and n  be the projection functions that map states ofCto their first and second com­
ponents, respectively. Letnr be the norm function given by nr (8 , u) = n(S, n 2 (u)). Then (m, n') 
is a normed history relation from A to C, and n 2  is a step refinement from C to B.
Proof: Straightforward from the definitions.
Theorem  5.6.5 A < f  B (3C : A < h  C < r  B ).
Proof: Implication “^ ” follows by Lemma 5.6.4. For implication “^ ”, suppose A < H C <R 
B . Then A < f  C by the definition o f history relations, and C <f B because any step refinement 
is a normed forward simulation. Now A < f  B follows by the fact that < f  is a preorder. □
5.7 Normed Prophecy Relations 99
5.7 Normed Prophecy Relations
In this section, we will define normed prophecy relations and show that they correspond to 
normed backward simulations, very similarly to the way in which normed history relations 
correspond to normed forward simulations.
A pair (r, n) is a normed prophecy relation from A to B if  r is a step refinement from B to 
A and (r—1, n) is a normed backward simulation from A to B . We write A < p B if  there is 
a normed prophecy relation from A to B , and A < iP B if  there is a normed prophecy relation 
(r, n) with r —1 image-finite. Thus A < iP B implies A < iB B and A < p B , and A < p B 
implies A < b B and B <r A. Moreover, if  all states o f A are reachable, B has finite invisible 
nondeterminism and A < p B , then A < iP B . It is easy to check that the preorder and soundness 
results for backward simulations and refinements carry over to prophecy relations.
Lem m a 5.7.1 Suppose (b, n) is a normed backward simulation from A to B. Let C = sup(A, B, b) 
and let n  and n  be the projection functions that map states ofCto their first and second com­
ponents, respectively. Letnr be the norm function given by nr (8 , u) = n(8 , n 2 (u)). Then (n1 , n') 
is a normed prophecy relation from A to C, and n 2 is a step refinement from C to B. I f  b is 
image-finite then so is n —1.
Theorem  5.7.2
1. A <b  B &  (3C : A <p C < r  B ).
2. A <ìb B &  (3C : A <ip C < r  B ).
Proof: The proofs o f (1) and (2) are analogous to that o f Theorem 5.6.5, using Lemma 5.7.1.
□
We can now prove variants o f the well-known completeness result o f Abadi and Lamport 
[AL91].
Theorem  5.7.3 (Completeness o f normed history+prophecy relations and step refinements) 
Suppose A < * t B. Then
1. 3C, D : A < h  C <p D < r  B.
2. I f  B has fin then 3C, D : A < h  C <ip D < r  B.
Proof: By Theorem 5.6.3, there exists an automaton C with A < h  C < b B . Next, Theo­
rem 5.7.2 yields the required automaton D with C < p D < r  B , which proves (1). The proof 
o f (2) is similar, but uses Proposition 5.5.6. □
5.8 Decidability
Thus far, our exposition has been purely semantic. We have considered automata and simulation 
relations, but not the languages in which they are expressed. In this section, we move to the 
syntactic world and discuss some decidability issues.
We assume an underlying assertion language £  which is a first-order language over inter­
preted symbols for expressing functions and predicates over some concrete domains such as
100 A Theory of Normed Simulations
integers, arrays, and lists o f integers. I f  X  i s a  set o f (typed) variables then we write F ( X) and 
E (X)  for the collection o f formulas and expressions, respectively, in which variables from X  
may occur free. An automaton can be described syntactically by first specifying a finite set X  
of variables, referred to as the state variables. For each state variable x we assume the presence 
o f a copy x ', called the primed version o f x . We write X ' for the set {x' | x e X} and, if  0 is 
a formula then we write 0 ' for the formula obtained from 0  by replacing each occurrence o f a 
state variable by its primed version. The set o f states o f the automaton is defined as the set of 
all valuations o f the state variables in X . The set o f initial states is specified by a predicate in 
F (X) , called the initial condition. The action are specified via a finite number of action names 
with, for each action name a, a finite list V o f variables called the parameters o f a. We assume 
{V} n  X  = 0 .  The set o f actions o f the automaton is defined as the union, for each action name 
a, o f all tuples a(d), where d  is a valuation o f the parameters V in their respective domains. 
The transition relation is specified by providing, for each action name a with parameters V, a 
transition predicate in F ( X  U {V} U X'),  i.e., a predicate that may contain action parameters as 
well as primed and unprimed state variables.
Example 5.8.1 Below we specify aFIFO  channel in a self-explanatory IO A like syntax [GLV97].
au tom aton  Channel 
s t a t e s
b u f f e r :  SeqENat] 
i n i t i a l  c o n d i t io n  
b u f f e r  = -Q 
a c t io n s
se n d (v : N a t) ,  
r e c e iv e ( v :  N a t) ,  
ta u  
t r a n s i t i o n s  
a c t io n  sen d (v )
p r e d ic a te  b u f f e r ’ = b u f f e r  I-  v 
a c t io n  r e c e iv e ( v )
p r e d ic a te  b u f f e r  ~= O  / \  v = h e a d (b u f fe r )
/ \  b u f f e r ’ = t a i l ( b u f f e r )
a c t io n  ta u
p r e d ic a te  f a l s e
This piece o f syntax defines an automaton A with
• states(A) = N*,
• start(A) = {A},
• acts(A) = { se n d (d ) , r e c e i v e ( d )  | d e N}U {t},
• steps(A) is the least set that contains the following elements, for all o e N* and d e N,
send(d )
o — > o dreceive(d )
d o o.
5.8 Decidability 101
Now assume that we have specified two automata A and B , using state variables x and y, 
respectively. Let X  = { x }  and Y =  {y}. Assume X  n  Y = 0 .  A step refinement from A to B 
can be specified by a formula o f the form d A y  = e, with d e E (X) and e a list o f expressions 
in E (X) that matches y  in terms o f length and types.
A normed forward simulation can be described by a predicate in F (X  U Y ) together with, 
for each action type a with parameters V, an expression in E (X  U{ V}U X'U Y ) that specifies the 
norm function. In practice, norm functions often only depend on the states o f B , which means 
that they can be specified by means o f a single expression in E (Y).
Example 5.8.2 Consider the following specification, essentially just the chaining o f two FIFO 
channels.
au tom aton  TwoChannels 
s t a t e s  
b u f f e r i :  SeqE N at], 
b u f f e r 2 : SeqENat] 
i n i t i a l  c o n d i t io n
b u f f e r l  = O  / \  b u f f e r2  = O  
a c t io n s
se n d (v : N a t) ,  
r e c e iv e ( v :  N a t) ,  
ta u  
t r a n s i t i o n s  
a c t io n  sen d (v )
p r e d ic a te  b u f f e r l ’ = b u f f e r l  I - v / \  b u f f e r 2 ’ = b u f f e r2  
a c t io n  r e c e iv e ( v )
p r e d ic a te  b u f f e r2  ~= O  / \  v = h e a d (b u f fe r2 )
/ \  b u f f e r 2 ’ = t a i l ( b u f f e r 2 )  / \  b u f f e r l ’ = b u f f e r l
a c t io n  ta u
p r e d ic a te  b u f f e r l  ~= O  / \  b u f f e r l ’ = t a i l ( b u f f e r l )  / \
/ \  b u f f e r 2 ’ = b u f f e r2  I- h e a d ( b u f f e r l )
Let B be the automaton denoted by this specification. It is easy to prove that the formula below 
defines a step refinement from B to the automaton A o f Example 5.8.1.
b u f f e r  = b u f f e r2  I I b u f f e r l
It is also routine to check that this formula together with the norm on states o f B defined by
i f  b u f f e r l  ~= O  / \  b u f f e r2  = O  th e n  1 e l s e  0
defines a normed forward simulation from A to B .
We will now show that, under some reasonable assumptions, it is in fact decidable whether a 
given predicate/expression indeed corresponds to a step refinement or normed forward simula­
tion. Assume that automaton A is described using state variables V, initial condition y 0  and, for 
each action name a, a transition predicate ya. Likewise, assume that automaton B is described 
using state variables y , initial condition ÿ 0  and, for each action name a, a transition predicate 
ÿ a. Assume further that each action name a o f A is also an action name of B , and that a has
102 A Theory of Normed Simulations
exactly the same parameters in both A and B . W rite Pa for the list o f parameters o f a. We 
require that Px = 0 .
Suppose that we want to check whether a formula p = 9 A y  = e denotes a step refinement. 
This is equivalent to proving validity o f the following formula:
<
V0 9
V0  a  p f '0
a Va A9 9 '
i\a=x
<
Va A p A p ' fa
Vx A p A p' fx
In this formula, the first conjunct asserts that the function is defined for start states o f A; the 
second conjunct asserts that start states o f A are mapped onto start states o f B ; the third conjunct 
asserts that if  the function is defined for the source o f a transition then it is also defined for the 
target state o f a transition; and the two final conjuncts encode the transfer condition. Thus 
checking whether a partial function is a step refinement from A to B is decidable if  the partial 
function as well as A and B can all be expressed within a fragment o f £  for which tautology 
checking is decidable.
Next suppose that we want to check whether a formula p together with norm expressions 
na, for each action name a, denotes a normed forward simulation from A to B . In order to 
turn this into a decidable question, we have to make some additional assumptions about the 
specification o f B . We assume that B has finitely many start states, which are listed explicitly,
i.e., we require that the initial condition f  0 is o f the form
f 0 =  V  y  = eo (5 3 )
i €lo
where I0  is a finite index set and, for each i , el0  is a list o f closed terms. In addition we assume 
that in any state and for any given value o f the action parameters, only finitely many transitions 
are possible in B , which are listed explicitly. Formally we require that, for each action type a, 
transition predicate f a is o f the form
f a = V  (Xa A Î '  = eÌa) (5.4)
i e I a
where Ia is a finite index set and, for each i , x la is a formula in F (Y U {Pa}) and e0 is a list 
o f expressions in E (Y U {Pa}). Basically, x la gives the precondition o f the i -th instance of 
transition a and y ' = e'a specifies the effect o f taking it. Both assumption (5.3) and (5.4) are 
satisfied by most automaton specifications that one encounters in practice. In particular, the 
assumptions hold for the channels specified in Examples 5.8.1 and 5.8.1. Only specifications 
that involve a nondeterministic choice that is not a priori bounded fall outside o f our format. An 
example o f this, described in [SAGG+93], is a FIFO channel in which a crash action may result 
in the loss o f an arbitrary subset o f the messages contained in a buffer. Under assumptions
(5.3) and (5.4), we can eliminate the existential quantifiers that occur in the definition o f a 
normed forward simulation, and checking the conditions in this definition becomes equivalent
5.9 Reachability 103
to proving validity o f the following formula:
V0 ^  V  p [e0/y ]  
i € I 0
Va A p ^  V  (X'a A p '[eia -^>'/]) V V  (X'x A pK /y] A na [eX/y] < na)
i € la i € Ix
Vx A p ^  p /[y / y /] V V  (xX A p '[eix/ y /]) V V  (xX A p[eX/y] A nx[eX/y] < nx)
i € Ix i € Ix
If  this formula can be expressed within a fragment o f £  for which tautology checking is decid­
able then it is decidable whether p together with expressions na constitutes a normed forward 
simulation. It is easy to see that a similar result can also be obtained for normed history vari­
ables. Thus far, however, we have not been able to come up with plausible syntactic restrictions 
that ensure decidability o f normed backward simulations and/or normed prophecy relations.
Our decidability results for step refinements and normed forward simulations do not carry 
over to the weak refinements and forward simulations o f [LV95]. In order to see this, let A be 
a system with two states, an initial and a final one, and a single transition labeled halt from the 
initial to the final state. Let B be a system that simulates the n-th Turing machine such that 
each computation step of the Turing machine corresponds with a x-move, and which moves via 
a halt-action to a designated final state if  and only if  the computation of the Turing machine 
terminates. The function that maps the initial state o f A to the initial state o f B and the final 
state o f A to the final state o f B is a weak refinement iff the n-th Turing machine halts. It is 
straightforward to specify A, B and the function from states o f A to states o f B in a decidable 
logic. Hence it is undecidable whether a given function is a weak refinement, even in a setting 
where the underlying logic is decidable.
5.9 Reachability
For the sake o f simplicity, all the definitions o f simulations and refinements so far have been 
carried out without any mention o f reachability or invariants. However, in actual verification 
examples it is almost always the case that first a preliminary collection o f invariants is proved 
(i.e., properties that hold for all reachable states), which is then used in proving the step corre­
spondence. In this section we show how to integrate reachability concerns into the simulation 
definitions. More specifically, we present adapted versions o f step refinements, normed forward 
simulations and normed backward simulations which include reachability concerns, and show 
how they can be seen as special cases o f the original definitions.
The adapted step refinement from A to B consists o f a function r : states(A) 4  states(B) 
and a predicate Q ç  states(A) satisfying the following two conditions:
1. If  s € start (A) then Q(s ) and r (s ) € start (B).
2. If  s —%a t A Q(s) A reachable(A, s) A reachable(B , r (s)) then Q(t) and
(a) r (s ) = r (t ) A a = x , or
(b) r (s ) -4 >b r (t ).
a=x
A
104 A Theory of Normed Simulations
The adapted definition can easily be seen as a special case o f the original definition: if  r is an 
‘adapted’ step refinement then the restriction r / o f r , which is defined for a state s iff Q(s) A 
reachable(A, s) A reachable(B , r /(s)), is a regular step refinement.
The adapted normedforward simulation from A to B consists o f a relation f  ç  states(A) x 
states(B) and a function n : steps (A) x states(B) 4  S, for some well-founded set S, such that:
1. If  s € start (A ) then f  [s ] n  start (B) = 0 .
2. If  s —%a t A u € f  [s ] A reachable( A, s ) A reachable( B , u) then
(a) u € f  [t] A a = x, or
(b) 3v € f  [t] : u —4 B v, or
(c) 3v € f  [s] : u - 4 B v A n(s —4  t , v) < n(s —4  t , u).
Again the adapted normed forward simulation can easily been seen as a special case o f the 
original definition: if  (f, n) is an ‘adapted’ normed forward simulation then the pair (g, n), 
where g = f  n  (reachable(A) x reachable(B)), is a regular normed forward simulation.
The adapted normed backward simulation from A to B consists o f a relation b ç  states(A) x 
states(B), a predicate Q ç  states(A), and a function n : (steps(A) U start(A)) x states(B) 4  S, 
for some well-founded set S , such that:
1. If  s € start(A) A u € b[s ] A Q(u ) then
(a) u € start (B), or
(b) 3v € b[s] : v - 4 B u A n(s, v) < n(s, u) A Q(v).
2. If  t —%a s A u € b[s ] A reachable(A, t) A Q(u) then
(a) u € b[t] A a = x, or
(b) 3v € b[t] : v —4 B u A Q(v), or
(c) 3v € b[s] : v —4 b u A n(t —4  s, v) < n(t —4  s, u) A Q(v).
3. If  reachable(A, s ) then 3u € b[s] : Q(u).
Again, the adapted normed backward simulation is a special case of the original definition: if  
(b, n) is an ‘adapted’ normed backward simulation then in fact (b, n) is a regular normed back­
ward simulation from the automaton A/ that restricts A to its reachable states, to the automaton 
B/ that restricts B to the set o f states satisfying Q.
A c k n o w l e d g e m e n t
We thank M ariëlle Stoelinga for spotting a mistake in an earlier version o f this paper.
Chapter 6
PVS Verification of a 
Leader Election Protocol
Abstract This chapter applies the normed simulations o f Chapter 5. A leader election protocol 
is specified at three levels of detail and these specifications are proven equivalent using step 
refinements and normed simulations. The protocol is part o f the IEEE 1394 [IEE96] standard 
and it is an abstract version o f the tree identify phase. By identifying a tree in the network, 
a leader is elected, because the root o f the tree is considered to be the leader. We used PVS 
[ORSvH95] to formalize the specifications and proofs.
6.1 Introduction
Chapter 5 introduced normed simulations. This chapter illustrates these notions through the 
verification o f a fragment o f IEEE 1394 [IEE96], a high performance serial multimedia bus 
protocol. The specific algorithm that we analyze is an abstract version o f the tree identify phase 
(TIP) o f the IEEE 1394. We present the TIP protocol at three levels o f abstraction, and prove, via 
refinements and simulations, that these three specifications are trace equivalent. The relations 
that will be established between them are depicted below. T IP I is the most abstract version, 
TIP2 contains more detail, and TIP3 contains most detail. A normed forward simulation from 
TIP2 to TIP3 is proved (TIP2 <F TIP3), so a simulation from a high level specification to a 
low level specification is proved. The standard terminology used in Chapter 5 is intuitive, when 
one proves that the set traces o f low level specification, is included in the set o f traces of a high 
level specification. In this chapter we prove trace equivalence and thus also that, the set o f traces 
o f the high level specification, is included in the set o f traces o f the low level specification. In 
this (inversed) direction the high and low o f Chapter 5 can be exchanged to fit better on the 
simulations TIP2 <F TIP3, and TIP 1 <B TIP2.
— R —R
T IPI TIP2 TIP3
< B < F
We used PVS [ORSvH95, COR+ 95] to computer check that these relations hold. With 
this aim we present the PVS theories for I/O Automata, step refinements, forward-, backward-, 
prophecy- and history-simulations. The automata are presented both in IOA [GLV97] and in 
the PVS language.
106 PVS Verification of a Leader Election Protocol
The organization o f this chapter is as follows. In Section 6.2 the verification done in this 
chapter is compared to other verifications o f the protocol. In Section 6.3 the protocol is de­
scribed. In Section 6.4 our PVS formalization o f I/O Automata and the normed simulations is 
presented. In Section 6.5 the PVS specification and verification o f the protocol are described in 
a bottom-up manner: first the network than the automata and the relations between the automata. 
In Section 6.6 some remarks on the use o f PVS are made. In Section 6.7 some conclusions are 
drawn. In Appendix 6.8 the important parts o f the PVS sources are listed.
6.2 Other verifications of the protocol
Devillers, Griffioen, Romijn and Vaandrager [DGRV00] present two automata SPEC (compa­
rable to T IP I in this chapter) and TIP (comparable to TIP3 in this chapter), in TIP cycles are 
not taken into account. The PVS verification behind [DGRV00] does prove trace inclusion but 
not trace equivalence.
In Chapter 7 o f [Rom99] a timed specification TIP4 is presented, which adds real cycle 
detection to TIP3. It is manually proved that TIP4 is trace included in TIP3. In TIP3 a loop is 
‘detected’ by a predicate o n cy c le  which takes the whole network into account. In TIP4 devices 
detect a loop when a clock reaches a specified value.
Shankland and van der Zwaag [SZ98] present a specification in ^C R L  [GP95] similar to 
the specification in [DGRV00]. Manually the correctness is verified.
Stoelinga and Vaandrager [SV99] focus on root contention. A probabilistic specification is 
given and it is proved that, with probability one, the root contention terminates. In Stoelinga 
and Simons [SS00] the communication model o f [SV99] is improved.
6.3 Description of the protocol
In this section we describe the tree identify phase o f the IEEE 1394 protocol informally. Later 
on, in Section 6.5 we specify abstract versions as I/O Automata.
The Leader Election Protocol is a fragment o f the IEEE 1394 [IEE96] standard. The IEEE 
1394 architecture is used to connect video-cameras with TV ’s and so on, and takes care o f both 
the video signals and the control messages.
Every component (video-camera, TV, video-recorder etc) has a number o f ports. The user 
can connect two components anytime and in this manner define a new network topology. When 
a new component is added (or one is deleted from the network) the protocol starts a reset phase. 
After the reset phase, the tree identify phase starts. Then the self identify phase starts, followed 
by the normal operation phase. In this chapter the tree identify phase is studied. In this phase a 
leader is elected and cycles in the network are detected.
Leader election protocols tend to be intricate, both in the ‘real’ world and in the world of 
bits and bytes. This protocol is no exception. Still the basic idea behind it is quite simple. Every 
device is connected to a number o f devices. Each connection connects two devices, one o f these 
will become the parent device, the other will become the child device. The protocol decides per 
connection what the ‘direction’ is: which device becomes parent o f the other device. The leaf 
devices start the protocol. Note that by definition leaf devices have only a single connection. 
The leafs try to become the child of their neighbor. W hen this succeeds the connection is di­
rected. Then the network minus the directed connections and leaf devices is a smaller network,
6.3 Description of the protocol 107
on which the same procedure starts. The protocol is finished when the ‘undirected’ network 
consists o f a single node. This node is the leader!
Let us consider the protocol in some more detail. The components in the network are re­
ferred to as devices. Each device has a number o f ports which are used for bidirectional con­
nections to (other) devices. Each port has at most one connection. A typical network topology 
is presented in Figure 6.1.
The devices send and receive messages. In this manner the devices ‘negotiate’ on every 
parent-child relationship. Leaf devices start by sending a parent request message to their neigh­
bor. W hen an acknowledge message is received the connection is directed. W hen all but one of 
the connections o f a device are directed it is a (pseudo) leaf, this means that it can send its parent 
request message. I f  in this manner all connections are directed, a spanning tree is completed. 
W hen the tree is complete the root is known and hereby a leader is elected.
Let us consider the operation o f the protocol in more detail. During the tree identify phase 
every device goes through three stages: wait for parent requests, send messages, and decide 
if  it is the root. In special circumstances a device may get in an optional fourth stage: root 
contention.
First a device waits until it has received a parent request on all ports or on every port except 
one. Since leaf devices have at most one connection, they can skip the first stage, and are thus 
responsible for starting up the algorithm. In Figure 6.2, two parent requests have been received 
and one parent request is pending. The devices that receive a parent request, mark the port via 
which the parent request was received as childport. In Figure 6.2 the ports are depicted as small 
circles, and child ports are depicted as filled small circles.
A device can send messages to all its neighbors when it has received a parent request on all 
ports except at most one. The device acknowledges all the parent requests that it has received 
and sends a parent request on the remaining port (if any).
I f  a device has received parent requests on all ports but has not sent a parent request itself, 
it decides to be the root and terminates. I f  a device, that has sent a parent request, receives an 
acknowledgement then it also terminates but decides that it has not been elected as the root.
Note that a device that is allowed to send acknowledgement, but has one port on which no 
parent request was received, can decide to wait for that parent request message. A device that 
received parent requests from all its neighbors and did not send any parent request will become 
the leader. Thus waiting (for an other parent request) increases the change o f becoming the 
leader. In the protocol this is used because some devices (say the TV) are better equipped then 
others to be the leader. In the full protocol the leader becomes the bus master. A bus master 
decides on bandwidth and so on, and some devices have more advanced algorithms to do this. 
In the full protocol the devices that are more fit to be the leader are programmed to wait longer 
for parent requests.
It is possible that two devices send parent requests to each other; this situation is called 
root contention and is illustrated in Figure 6.3. W henever root contention occurs, the devices 
involved make a random choice, to wait either a fixed long, or fixed short time. After this time 
they retransmit their parent request and wait for a reply. W hen the reply is an acknowledgement 
then the device is the child device. W hen the reply is an parent request the root contention 
continues and the devices again make a random choice and retransmit the parent request.
After completion o f the protocol, the resulting spanning tree in our example network may 
look as in Figure 6.4.
I f  the network contains a cycle, then a device that is part o f this cycle, will always have (at
108 PVS Verification of a Leader Election Protocol
Figure 6.1: Initial network topology F igure 6.2: Intermediate configuration
F igure 6.3: Two contending devices F igure 6.4: Final spanning tree
least) two neighbors from whom it has not received a parent request. In 1394, this deadlock 
situation is recognized with the help o f timers. In principle, 1394 allows every device in the 
network to become the root o f the tree, so even leaves in the network can be elected as leader. 
However, a device can increase its chances o f becoming root by waiting longer for one more 
parent request.
6.4 Automata and Relations
In this section our PVS formalization o f I/O Automata and the normed simulations is presented.
6 . 4 . 1  I /O  A u t o m a t a
The PVS specification o f I/O Automata is listed in Appendix 6.8.1. The theory has two pa­
rameters: A c tio n  and S ta te .  An Automaton consists o f a signature (input-, internal-, output- 
and time-actions) s ig ,  start states s t o r t s  and a step relation s to p s . The predicate re a c h a b le  
holds for all reachable states. An Automaton is an IOA when it is input enabled ( in p u te n a b le d ? )  
and the signature is disjoint and contains all actions o f the type A ction .
Note that the specification mentions a time action. This is not used in this chapter, but it 
could used be for formalizing TIP4 in [Rom99]. Also note that our formalization does not 
incorporate the action partition. The protocol is modeled without using a notion o f fairness.
6 . 4 . 2  S t e p  R e f i n e m e n t  a n d  N o r m e d  S i m u l a t i o n s
The PVS files defining step refinements, normed forward simulations, normed backward simu­
lations, and history- and prophecy relations can be found in [Gri00]. For step refinements, and 
forward- and backward simulations the differences between the PVS version and the ‘theoreti­
cal’ version o f Chapter 5 are discussed below.
6.5 Specification and Verification of the Protocol 109
Step Refinement
Appendix 6.8.2 shows the PVS definition o f the step refinement. The step refinement has five 
parameters, the implementation automaton A, the specification automaton B, a predicate Q on 
the states o f A, the refinement function r  and a predicate on actions eq ual_a .
The definition in Section 5.9 only mentions A, B , r and Q. The predicate e q u a l_ a  is ne­
cessary in PVS because, generally speaking, the two automata have different action alphabets. 
Each action alphabet is formalized as a PVS type, a step refinement thus compares elements 
(actions) from different types (automata). Standard equality (=) does not allow this, therefore 
we introduce a e q u a l_ a  predicate which returns true when two actions are ‘equal’ and false 
otherwise. Despite its name, it is not a necessity that e q u a l_ a  is an equality relation. It can 
even be useful to relate one action in the specification with many in the implementation. When 
two actions are related by e q u a l_ a  these are ‘equal’ in the sense that one simulates the other.
The reachability assumptions and the predicate are useful to escape from a reasoning loop, 
let us first look into the loop. Suppose we proved an interesting invariant I  on an automaton 
Spec. Then after proving a step refinement r from Impl to Spec we can ‘transfer’ the invariant 
from Spec to Impl. I f  I  is an invariant on Spec then I  o r i s a  invariant in Impl. Often invariants 
on Impl are needed to prove a refinement. Here the story loops: we use the invariant on Impl 
to prove the step-refinement and we use the step-refinement to transfer the invariant to Impl. A 
solution is to transfer the invariant and prove the refinement in a single shot. The predicate Q 
can be used to do exactly this, by instantiating it by the invariant I  o r . The step refinement 
from TIP2 to TIP3 gives a practical example o f this use of Q. Others remedy the same problem 
in other ways, see for instance [Rom99] Lemma A.2.
Normed Forward Simulation
The definition o f the adapted normed forward simulation in Section 5.9 differs in notation from 
the PVS definition in Appendix 6.8.3, in Section 5.9 u e f  [s] is used where in PVS we write 
.
Normed Backward Simulation
In PVS the adapted normed backward simulation o f Section 5.9 is formalized at can be found 
in [Gri00]. The differences are only in syntax, the norm function n : (steps(A) U start (A)) x 
states(B) 4  S, is split in two functions, norm: steps(A) x states(B) 4  S and s ta r tn o rm : 
start(A) x states(B) 4  S.
6.5 Specification and Verification of the Protocol
6 . 5 . 1  N e t w o r k
All three automata assume a network, the important definitions o f the PVS theory netw ork  
are listed in Appendix 6.8.4. In [Rom99], Section 7.4.1, the same notion o f network is pre­
sented, but we encountered some typos/omissions during the PVS formalization. These will be 
discussed at the end o f this section.
The devices are modeled by the non-empty type , the set o f ports by the type . Each port 
belongs to a device (dev : [P -> D] ) and each port has a peer (p e e r : [P -> P] ). The peer’s
110 PVS Verification of a Leader Election Protocol
peer o f p is p, and p is not its own peer ( ). We assume that the set o f ports is finite
( ).
A path and cycle are defined as follows:
path(lp:list[P]):bool = length(lp) > 0 AND even?(length(lp)) AND 1
NOT nth(lp,0) = nth(lp,length(lp) - 1) AND 
FORALL i: i > 0 AND i < length(lp) IMPLIES 
IF odd?(i)
THEN nth(lp,i-l) = peer(nth(lp,i))
ELSE dev(nth(lp,i-1)) = dev(nth(lp,i)) AND NOT nth(lp,i-l) = nth(lp,i) 
ENDIF
cycle(lp): bool = path(lp) AND dev(nth(lp,0)) = dev(nth(lp,length(lp) - 1))
A path is a list o f ports like [p , p e e r ( p ) ,  q , p e e r ( q ) ]  where p e e r (p )  and q are on the 
same device but different. Furthermore p and p e e r  (q) should be different. A cycle is simply a 
path that starts and ends in the same device.
Two devices d l  and d2, are connected when there is a path that starts in d l  and ends in d2. 
A network is connected when every pair o f devices d l  and d2, where d l  is not equal to d2, is 
connected. We assume the network to be connected, see c o n n e c te d .a x  in Appendix 6.8.4.
We present our proof bottom-up, meaning that first the preliminaries are presented and 
then the automata modeling the protocol. This has the advantage that, when we present the 
protocol the reader knows about the underlying data types (the network in this case). The 
disadvantage is that, when reading the definitions/lemmas on networks, the reader does not yet 
know the details o f the protocol, therefore, the definitions and lemmas may seem to come ‘out 
o f the blue’. To remedy this disadvantage some explanation o f the protocol is given to explain 
each definition/lemma. For a complete description o f the protocol including the parent-child 
relations, we refer to TIP2 in Section 6.5.4.
In the PVS theory ne tw ork  many (67) lemmas are proved. The remainder o f this section 
will discuss four o f the more interesting lemmas. The lemmas discussed here are used in the 
proofs o f the step refinement and the backward simulation between T IP I and TIP2.
The protocol adds ports to a child-set in a specific order. Crucial is that each device has at 
most one parent, and when a device has a parent all other neighbors are its children. Exactly 
this is expressed by the predicate in _ t r e e in v ,  see sniplet 2 (a sniplet is small piece o f PVS 
code). In the protocol ports on a cycle will not be added to the child set, this is expressed by 
cycle_no_C  see sniplet 3. Both in _ t r e e in v  and cycle_no_C  are predicates on port sets. It is 
proved that these predicates are invariant on the child set o f TIP2 and TIP3.
Lemma s in g le r o o t  expresses that when a set C is a valid child set it is impossible to have 
two different devices who are root. P roof sketch: First notice that when in _ in tr e e in v (C )  
holds, a path that starts with a port in C has all even ports in C and all odd ports not in C (see 
[Gri00] d ir_ p a th ) .  Then consider a path lp  from d l  to d2. Because d l  is root the first port of 
this path is in the set C, and because d2 the last port in this path is in set C. The last port is has 
an odd index and thus can not be in the C set according to d ir_ p a th .
C: VAR setof[P]
in_treeinv(C):bool = FORALL pi: C(pl) IMPLIES
2
6.5 Specification and Verification of the Protocol 111
d if fe re n c e (p o r ts (d e v (p e e r (p l) ) ) ,C )  = s in g le to n (p e e r (p i) ) 
ro o t(d ,C ) : bool = su b se t? (p o rts (d ) ,C )
s in g le ro o t:  LEMMA in _ tree in v (C ) AND ro o t(d l,C )  AND roo t(d2 ,C ) IMPLIES d l = d2
Predicate cycle_no_C  (sniplet 3) expresses that ports on a cycle are not in the child set (C). 
Lemma states that, when we have a non empty child set, it is possible to delete
one o f the ports from the child set, and on this new set in _ t r e e in v  still holds. This lemma is 
used in for the backward simulation from T IP I to TIP2. P roof sketch: W hen we find a device 
that has no parent but does have a child we are finished, because we remove one o f its ports from 
the child set and the resulting child set will also satisfy in _ in t r e e in v .  We start in a device 
with a child and ‘w alk’ to its parent, and then to its parent etc. This walk should end because 
we have a finite number o f nodes and no cycles can be used. The last device in this walk does 
not have a parent but does have a child.
cycle_no_C(C): bool = (FORALL p: oncycle(p) IMPLIES NOT C(p)) 3~
backstep2_c: LEMMA in _ tree in v (C ) AND cycle_no_C(C) AND
(EXISTS p: C(p)) IMPLIES (EXISTS p: C(p) AND in _ tree inv (rem ove(p ,C )))
The function c h i ld  (d) (sniplet 4) defines a set o f ports that is the child set where device d 
is the root device. In the set are all ports on an even position on a path that starts in device d. 
Lemma lem3 states that in the absence o f cycles indeed c h i ld  (d) is a valid child set. Lemma 
p a th _ e q u a l is used in the proof of lem3 and expresses that, in the absence o f cycles, when two 
paths have the same start device and the same last device, these two paths are equal.
c h i ld ( d ) : f in i te _ s e t  [P] = {p I EXISTS lp ,  i  : i  < le n g th ( lp )  AND 4
p a th (lp )  AND d e v (n th ( lp ,0 ) ) = d AND n th ( lp , i )  = p AND ev en ?(i)}
path_equal: LEMMA p a th (lp )  AND path(m) AND d e v (n th ( lp ,0 ))  = dev(n th (m ,0 )) AND 
d e v ( n th ( lp , le n g th ( lp ) - l ) )  = d ev (n th (m ,len g th (m )-l)) AND 
(NOT EXISTS p: oncycle(p )) IMPLIES lp  = m
lem3: LEMMA (NOT EXISTS d: oncycle(d )) IMPLIES in _ tre e in v (c h ild (d ) )
We proved (see [Gri00]) lemmas very close to Lemmas 7.3, 7.4 and 7.5 o f [Rom99] in PVS. 
During the formalization we found three minor omissions in [Rom99] Section 7.4
• In the else branch o f the definition o f path a condition is missing: p i - 1  = p i . Clearly 
the rest o f the text assumes that this condition is in the definition. In the PVS code this 
condition is included in the else branch, see p a th  above.
• It should be assumed that the set o f devices and ports are finite. This assumption is 
not mentioned in [Rom99]. In the PVS code we do make this assumption explicit, see 
f i n i t e _ a x  in Appendix 6.8.4 .
• The definition o f a connected network reads: a network is “connected if  for each two 
devices d, d' e D there is a path form d  to d' ” W hen we take d  and d' to be the 
same device only a cycle can connect these. Therefore d  and d' should be different. See 
co n n ec ted _ ax  in Appendix 6.8.4 for the proper definition.
112 PVS Verification of a Leader Election Protocol
6 . 5 . 2  T I P  1
au tom aton  TIPI
signature
ou tp u t r o o t(d :D e v ) ,
l o o p d e te c t ( d : Dev)
states
r o o t ,  lp d :  A rray [D ev ,B oo l] : =  c o n s t ( f a l s e )
transitions
o u tp u t r o o t ( d )
p re  — 3e:  Dev (o n c y c le ? (e )
1—
1 
0) 
i___________________________________________________i
-Poou>
eff r o o t[ d ]  : =  t r u e
o u tp u t lo o p d e te c t ( d )
p re  o n c y c le ? (d )  A  — lp d [d ]
eff lp d  [d ]  : =  t r u e
F igure 6.5: Automaton!IP 1 .
In Figure 6.5 automaton T IP I is presented, the PVS version is in Appendix 6.8.5. The 
state consists o f two arrays (one element for each device) o f booleans. One array to denote 
per device whether it has detected a cycle (loop) lp d  (d :D ev). The second array to denote per 
device whether it considers itself the root of the network r o o t  (d : Dev) .T I P I  has two action 
schemas, one to announce that is the root and one to announce that has detected
a cycle (loop) in the network lo o p d e te c t ( d ) . Specification T IP I says that if  the network is 
cycle free at most one device will perform a r o o t  action. Otherwise, no r o o t  action will occur, 
but instead each device that lies on a cycle can perform a lo o p d e te c t  (d) action.
6 . 5 . 3  I n v a r i a n t s  o n  T I P  1
In sniplet 5 a predicate on states is listed ( lp d _ o n cy c le )  and a lemma (lp d _ o n cy c le_ in v ). 
The lemma states that the predicate holds in all reachable states, in other words: is an invariant 
for automaton . In the PVS code we have a state predicate and a lemma for every invariant, 
in the sequel we will omit the lemmas and only list the predicates. Note that in the PVS code 
all variable and action names o f automaton TIPn have a postfix _n, where n is 1, 2 or 3.
The invariants on T IP I are trivial, they hold by the preconditions o f the actions. The first 
( ) states that when a loop is detected by a device it is on a loop indeed. The
second ( ) states that only a single device can be root, and
states that when a device is root, the network is cycle free.
lp d _ o n cy c le (s ):b o o l = FORALL d: ( lp d _ l(s ) (d )  IMPLIES oncycle(d )) 5
lpd_oncycle_inv: LEMMA reac h ab le (T IP _ l,s )  IMPLIES lpd_oncycle(s)
ro o t_ s in g le _ l(s ) :b o o l =
FORALL d ,e  : r o o t_ l( s ) (d )  AND r o o t_ l ( s ) ( e )  IMPLIES d = e
6.5 Specification and Verification of the Protocol 113
root_l_no_cycle(s):bool =
FORALL d: root_l(s)(d) IMPLIES (NOT EXISTS e: oncycle(e))
6 . 5 . 4  T I P  2
autom aton
signature
in terna l
ou tpu t
lo o p d e te c t ( d : Dev)
states
:=
:=
transitions
in ternal a d d c h i ld (d ,p )  w here d = dev (p ) 
p re  p $  c h i ld  A
p o r t s ( d e v ( p e e r ( p ) ) )  - c h i ld  = { p e e r (p )}  
eff c h i1d :=  i n s e r t ( p , c h i l d )  
ou tpu t
p re  — r o o t[ d ]  A p o r t s (d) ç  c h i ld  
eff r o o t[ d ]  :=  t r u e  
ou tpu t
p re  o n c y c le ? (d )  A —lp d [d ]  
eff lp d  [d] :=  t r u e
F igure 6.6: Automaton .
In Figure 6.6 automaton is presented, the PVS version is in Appendix 6.8.6. is 
an implementation o f T IPI. In TIP2 the parent-child relations are added to the specification, 
the relations are encoded by the extra variable c h i ld :  S e t [ P o r t ] . I f  port p is in c h i ld  then 
we say that its device dev (p) has a child, namely dev (p e e r  (p) ).
TIP2 has three actions. The action r o o t  has o f course a counter part in T IPI. The definition 
thought is different. The r o o t  (d) action can occur when all its neighbors are its children.
The action lo o p d e te c t  (d) has the same definition as in TIPI.
The action a d d c h i ld (d ,  p) does not have a counterpart in T IPI. This action adds port p 
to the child set when all ports o f its neighbor (dev (p e e r  (p) ))  except p e e r  (p) are in the child 
set. In other words: W hen a device has only a single non-child neighbor, the device can become 
a child itself. The single neighbor that is not its child, will be the parent.
6 . 5 . 5  I n v a r i a n t s  o n  T I P  2
The PVS code contains seven invariants on TIP2 o f which the interesting invariants are listed 
in sniplet 6.
114 PVS Verification of a Leader Election Protocol
Iroot(s):bool = FORALL d:root_2(s)(d) IMPLIES subset?(ports(d),child_2(s)) 
Iintree(s):bool = in_treeinv(child_2(s))
Ioncycle_p(s): bool = FORALL pi: oncycle(pl) IMPLIES NOT child_2(s)(pi)
Isingleroot(s):bool = FORALL dl,d2: NOT dl = d2 IMPLIES 
NOT (root_2(s)(dl) AND root_2(s)(d2))
6 . 5 . 6  R e l a t i o n  b e t w e e n  T I P  1 a n d  T I P  2
Step Refinement from TIP 2 to TIP 1
The theory r e l _  12 is listed in Appendix 6.8.7. We prove that the set o f traces o f TIP2 is 
included in the set of traces o f by proving a step refinement (lemma ).
We prove the other inclusion by a backward simulation (lemma norm ed_back_sim _l_2). This 
trivially implies a normed prophecy relation (lemma no rm ed_prop_re l) (see Section 5.7).
r(s: State_TIP_2): State_TIP_l = (# lpd_l := lpd_2(s), root_l := root_2(s) #) 7 
step_ref_l_2: LEMMA step_ref(TIP_2, TIP_l,Q,r,equal_a)
back(s:State_TIP_2):bool = Iroot(s) AND Ilpd(s) AND Iintree(s) AND Ioncycle_p(s)
startnorm(sl: State_TIP_l, s2: State_TIP_2): nat = card(child_2(s2))
normed_back_sim_l_2: LEMMA normed_back_sim(
TIP_1,TIP_2,converse(graph(r) ),back,startnorm,norm, less, converse(equal_a))
The step refinement from TIP2 to T IP I is quite easy to prove. In sniplet 7 the relation r  
is defined, two states o f T IP I and TIP2 are related when the lp d  and r o o t  arrays are equal. 
It is trivial to see that r  maps start states o f TIP2 on start states o f T IPI. Next we do a case 
distinction on the action o f TIP2. For transaction (s,ADDC_2(d,p) , t )  it is trivial because it 
only changes c h ild _ 2 , thus r ( s )  = r ( t ) .  For the transaction (s,L PD (d) , t )  the proof is 
trivial because schemas in T IP I and TIP2 are exactly the same. W hen (s ,R 00T (d) , t )  is a 
transaction ofT IP2 then ( r ( s )  ,R00T(d) , r ( t ) )  is a transaction o fT IP l. To prove this we use 
, , and (these are listed in sniplet 6).
Normed Backward Simulation from TIP 1 to TIP 2
The simulation from T IP I to TIP2 illustrates the usefulness o f backward simulations. A (tradi­
tional) forward simulation exists, but no normed forward simulation. Assume a simple network 
with only two devices (d and e) and a single link connecting these, see Figure 6.7. The solid 
vectors in Figure 6.8 depict the transition systems o fT IP l and TIP2 for this network. In this 
case T IP I only can do a R00T_l(d) or a R 00T _l(e) action. Before a R00T_2 action can be 
done in TIP2 an ADDC_2 action has to be done.
6.5 Specification and Verification of the Protocol 115
TIPI TIP2
dev d: 
port p: ADDC_2(d, ADDC_2(e,q)
R00T_l(d, R00T_l(e) R00T_2(d) R00T_2(e)port q : f  Ô 
dev e: [
Figure 6.7: A network Figure 6.8: Transition systems
A possible simulation relation is depicted by the dotted lines. This is not a normed forward 
simulation, because the start state o fT IP l is related to a state where only a R00T_2(d) action 
can happen and not a R00T_2 (e ) action.
However the dotted lines depict a normed backward simulation from T IP I to TIP2. The 
norm is defined on the states o f TIP2 as the number o f ports in the child set. Note that the 
only internal action o f TIP2 is ADDC_2, so the norm only needs to decrease when an ADDC_2 is 
simulated backwards (is ‘undone’).
In general, backward simulations can be useful when the implementation ‘makes a decision’ 
with internal steps. In TIP2 the decision who becomes root device is made by the internal action 
.
It is proved in PVS that a normed backwards simulation exits, sniplet 7 lists the lemma 
.
In Figure 6.9 automaton TIP3 is presented, the PVS version is in Appendix 6.8.8. Automation 
TIP3 is an implementation o f TIP2. Automaton TIP3 takes the communication between devices 
into consideration.
To model this communication a message queue per port (mq : A rray  [P o r t ,  Seq [M es]]) is 
used. A message can be either or . Initially the message queues are empty. W hen a
device transmits a message via port p, the message is appended at the end the list mq [p ] . When 
a device receives a message via port p, it reads the message on the head o f the list mq [p e e r  (p) ] .
The set o f ports c h i ld  is initially empty. I f  port p is in c h i ld  then we say that its device 
has a child, namely .
The current stage o f the protocol for each device is indicated by arrays o f booleans i n i t ,  
r c ,  lp d  and ro o t .  Initially all booleans are false except for i n i t  which is true for each device. 
I f  i n i t  [d] is true then d is still waiting for parent requests, otherwise d has received requests 
from all its neighbors except at most one. I f  r c  [d] is true then d is in root contention with one 
o f its neighbors. I f  r o o t  [d] is true then d has found out that all its neighbors are children and 
has declared itself to be the root o f the tree. If  lp d  [d] is true then d has detected a cycle.
The actions in TIP3 reflect the tree identify phase behavior as follows. Consider device d. 
Initially i n i t  [d] is true, so d is waiting for parent request messages from neighboring devices 
through the action ad d c h iId . W hen a d d c h i ld (d ,p )  is performed, p is added to the child set.
I f  all incoming ports o f device d or all ports except one are in the child set, d may per­
form the ch ild renknow n  action. Note that leaf devices can perform ch ild renknow n  imme-
6 . 5 . 7  T I P  3
116 PVS Verification of a Leader Election Protocol
au tom aton  TIP3
signature
in ternal ch ild ren k n o w n (d : D ev),
a d d c h ild (d :D e v , p : P o r t ) ,
re c e iv e m e s(d :D e v , p :P o r t ,  m:M es),
s o lv e ro o tc o n te n t(d :D e v , p :P o r t )
ou tp u t r o o t(d :D e v ) ,
l o o p d e te c t ( d : Dev)
states
c h i ld :  S e t[ P o r t ]  :=  O
mq: A rray  [ P o r t ,  Se q [Mes]] :=  c o n s t ( O )
i n i t :  A rray [D ev ,B oo l] :=  c o n s t ( t r u e )
r c ,  r o o t ,  lp d : A rray [D ev ,B oo l] :=  c o n s t ( f a l s e )
transitions
in ternal ch ild renknow n  (d)
p re  i n i t  [d] A s i z e ( p o r t s ( d )  - c h i ld )  <  1
eff i n i t [ d ]  :=  f a l s e ;
for p in p o r t s  [d] do if p e c h i ld
then  mq[p] :=  mq[p] h ack
else mq[p] :=  mq[p] h p a re n t  fi od
in ternal a d d c h i ld (d ,p )  w here d = d ev (p )
p re  i n i t [ d ] A h e a d (m q [p e e r(p )] )  = p a r e n t
eff c h i 1 d :=  i n s e r t ( p ,  c h i ld )  ; m q [p ee r(p )]  : = t a i l ( m q [ p e e r ( p ) ] )
in ternal r e c e iv e m e s (d ,p ,mes) w here d = dev (p )
p re  - ■ in i t [ d ]  A p o r t s ( d )  - c h i ld  = {p> A head (m q [p eer (p )]  ) = mes
eff if mes = p a r e n t  then  r c  [d] :=  t r u e  fi;
m q [p ee r(p )]  :=  t a i l ( m q [ p e e r ( p ) ] )
in ternal s o lv e r o o tc o n te n t ( d ,p )  w here d = d ev (p )
p re  r c [ d ] A r c  [dev (p e e r  (p) )]
eff c h i ld  :=  i n s e r t ( p , c h i l d ) ;
r c [d ]  :=  f a l s e ;  r c [ d e v ( p e e r ( p ) ) ]  :=  f a l s e
ou tp u t r o o t ( d )
p re  — i n i t [ d ]  A — r o o t[ d ]  A p o r t s (d) ç  c h i ld
eff r o o t [ d ] :=  t r u e
o u tp u t lo o p d e te c t (d )
p re  o n c y c le (d )  A —lp d [d ]
eff lp d [d ] :=  t r u e
F igure 6.9: Automaton HP3.
diately after start o f the protocol, because these devices have exactly one port. As a result of 
ch ild renknow n  ( d ) , i n i t  [d] is set to false, and an acknowledgment message is sent to its 
children. Moreover, if  there is an neighbor that is not its child, then a parent request message is 
sent to this neighbor.
6.5 Specification and Verification of the Protocol 117
mit¡(d )
CKNsid )
— i initß(d )
ROOT3 (d)
O
Figure 6.10: Simulation diagram for ROOT2 (d)
If  a device has sent a parent request message to a neighbor, then it can receive a message 
from this neighbor with the action receivemes (d ,p  ,m ). If  the message is an acknowledgment, 
then the neighbor has become the parent o f in the tree, hence is not the root and its activity 
is finished. I f  the message is a parent request then we have a situation o f root contention.
This root contention can be resolved by the action s o lv e ro o tc o n te n t .  This action non- 
deterministically designates one o f the contending devices as the parent and the other as the
If  all ports o f device d are in the child-set, it can perform the r o o t  (d) action, hereby it has 
become the the root (or leader). I f  d is on a cycle it can perform a lo o p d e te c t  (d) action.
6 . 5 . 8  S i m u l a t i o n  D i a g r a m s
In this section we discuss the proof method that will be used in Section 6.5.9. The proof method 
is inspired by the verification diagrams o f M anna and Pnueli [MP94].
We make so called ‘simulation diagrams’, these depict how a transition is simulated. The 
diagram specifies a number of lemmas these lemmas together prove the normed simulation.
The running example o f this section is the proof o f a normed forward simulation from TIP2 
to . Two states o f and are related when the , and variables are
equal (see sniplet 9).
In this section it is proved that ROOT2 (d) can be simulated by TIP3. The diagram (in 
Figure 6.10) should be interpreted as follows.
• A location is a set o f states that satisfies a state predicate. Each location is depicted as 
a circle, the state predicate is displayed to the left o f the circle. In the example A is a 
location, its predicate is init3 (d).
• All states in a location (except finish-location) are related to the start state o f the transac­
tion to be simulated. In the example all states u in the locations are related to 5, g(s, u).
• An arrow labeled with an action between two locations denotes that from all states in 
the source location the action is enabled and ends in a state in the target location. In the 
example the arrow from A to B expresses that we can do a CKN3 (d) from every state in 
A to a state in B .
• A finish-location contains the target states for an action that simulates the transaction. 
All states in a finish-location should relate to the target state o f the transaction to be 
simulated. In the example all states v in the finish-location should relate to t , g(t , v). 
Finish-locations are depicted by small circles.
child.
118 PVS Verification of a Leader Election Protocol
• W hen the diagram has no cycles (as in this example) then a norm function is implicitly 
defined by the diagram. The location above a finish-locations has norm 0 the one above 
this 1 etc. In the example B has norm 0 and A norm 1.
• The union o f the non-finish locations should contain all states related to the start state. In 
the example this holds trivially because the union o f A and B contains all states.
Note that we did not formalize simulation diagrams in PVS but used these diagrams as a 
guideline to setup the proof in PVS. Each location has a corresponding predicate in PVS, in the 
example locROOTA and locROOTB. Each arrow in the diagram corresponds to a lemma in PVS.
locR00TA(u,d): bool = init_3(u)(d) 8
locROOTB(u,d): bool = NOT init_3(u)(d)
trROOTA: lemma FORALL s, t, u, d:
steps(TIP_2)(s,R00T_2(d),t) AND g(s,u) AND reachable(TIP_3,u) AND locR00TA(u,d) 
IMPLIES EXISTS v: steps(TIP_3)(u,CKN_3(d),v) AND g(s,v) AND locR00TB(v,d)
trROOTB: lemma FORALL s, t, u, d:
steps(TIP_2)(s,R00T_2(d),t) AND g(s,u) AND reachable(TIP_3,u) AND locR00TB(u,d) 
IMPLIES EXISTS v: steps(TIP_3)(u,R00T_3(d),v) AND g(t,v)
6 . 5 . 9  R e l a t i o n  b e t w e e n  T I P  2  a n d  T I P  3
Step Refinement from TIP 3 to TIP 2
This step refinement is relatively straightforward to prove. The proof contains a number of 
invariants on TIP3, which are listed in Appendix 6.8.9.
Normed Forward Simulation from TIP 2 to TIP 3
Normed forward simulations are defined in Section 5.9, the parts are numbered 1 to 2c, in this 
section we will use that numbering. The state relation is depicted in sniplet 9.
g(s,u):bool = 9
(child_2(s) = child_3(u) AND lpd_2(s) = lpd_3(u) AND root_2(s) = root_3(u))
It is trivial to prove that start states o f TIP2 are related to start states o f TIP3(1). We will 
look into each action schema (ROOT, LPD, ADDC) o f TIP2 at a time to see if  2 is satisfied. See 
Section 6.5.8 for the proof that the ROOT action is correctly simulated by TIP3. Simulating 
LPD is trivial because the schemas are the same, see Figure 6.11.
The simulation diagram for ADDC2  is depicted in Figure 6.12. In this diagram some short­
hand notation is used. W hen a device is expected and a port is found dev should be inserted, 
we write for example CKN3 (p) for CKN3 (dev(p)). W hen a port is compared to a (empty) 
list mq should be inserted, we write p  = e for mq(p) = e . W hen a port is compared to a 
message hd(mq()) should be inserted, we write p  = parent for hd(mq(p)) = parent. For
6.5 Specification and Verification of the Protocol 119
0 true 
LPD3 (d )
o
Figure 6.11: Simulation diagram for LPD 2 (d)
0 init¡(d) Apeer(p) = e 
CKN-¡(peer {p))0 init¡(d) A peer(p) = parent 
ADDC3 (p)
o
0 — init¡(d) A p  = parent Apeer(p) = e A init¡(peer(p))
CKN-¡(peer {p))
^init¡(d) A p  = parent Apeer(p) = parent 
RMES3 (peer ( p), parent)
^inits(d) A p  = e Apeer(p) = parent 
RMES3 ( p , parent) 
f F  ) —init¡(d) A p  = parent A peer(p) = e A —init ¡(peer (p)) 
/  RMES3 (peer (p), parent)
( C ) —init¡(d) A p  = e A peer(p) = e
SLRC3(P)
0
0
Ò
Figure 6.12: Simulation diagram for ADDC 2 ( p)
actions with a device and a port as parameters only the port is given, we write ADDC3(p) for 
ADDC3 (dev(p), p).
Note that c o n v e rse  (g rap h  ( r )  ) equals g a n ^ r m  is the norm function implied by the
120 PVS Verification of a Leader Election Protocol
diagrams.
The lemmas corresponding to the diagrams in Figures 6.10, 6.11 and 6.12 together prove 
the existence o f a normed forward simulation from TIP3 to TIP2.
10
normed_sim(TIP_2,TIP_3,converse(graph(r)),norm,less,converse(equal_a))
6 . 5 . 1 0  D e l a y e d  n o r m e d  f o r w a r d  s i m u l a t i o n
In Chapter 5 it is mentioned that many more simulations have a normed version. In this section 
we present a definition o f the delayed normed forward simulation and report on an alternative 
proof o f trace inclusion from to .
Recall that a normedforward simulation from A to B consists o f a relation r over states(A) x 
states(B) and a function n : steps (A) x states(B) 4  S, for some well-founded set S, such that
1. If  s e start (A) and r (s, u) then u e start (B).
2. If  s —%a t A r (s, u) then
• r (t, u) A a = t ,  or
• 3v : r (t, v) A u —4 B v, or
• 3v : r (s, v) A u —4 b v A n(s —4 a t , v) < n(s —4 a t , u).
A delayed normedforward simulation from A to B consists o f a relation r over states(A) x 
states(B), a relation ra over steps(A) x states(B) and a function n : steps (A) x states(B) 4  S, 
for some well-founded set S , such that
1. If  r (s, u) A s —a A t  then ra(s, a, t , u)
2. If  s e start (A) and r (s, u) then u e start (B).
3. If  s —4  A t A ra(s —4 a t , u) then
• r (t, u) A a = t , or
• 3v : r (t, v) A u —4 B v, or
•  3d : ra(s—4 A t, v) A u —4 B v A n (s—4 A t, v) <  n (s—4 A t, u).
Write A < DF if  there exists a delayed normed forward simulation from A to B . It is easy to 
see that, if  r is delayed normed forward simulation, r is also forward simulation as in [LV95].
Figures 6.13 and 6.14 depict the difference between a normed forward simulation and a 
delayed normed forward simulation. In both figures an transition (s, a, t ) is simulated by an 
execution fragment (u, t , u t, u", a, v). In the normed forward simulation every state on the 
execution fragment in B is related to a state in A (the dashed line). In the delayed case the 
requirement is relieved to the first and the last state o f the execution fragment. The intermediate 
states (u ' and u") should satisfy a predicate that relates them to the transition (s, a, t) (the dotted 
line).
6.6 Some remarks on the use of PVS 121
In our case a delayed normed forward simulation is easier to prove than a normed forward 
simulation. The intuition behind this is that less states are related and less transitions have to 
respect the relation. W hat we basically do is to prevent TIP3 to get into a root contention situa­
tion. Thus relating less states we can ignore everything in TIP3 that deals with root contention.
The state relation is r_2_3  and the relation for the intermediate states is ra_2_3  (see sni­
plet 11). Note that r  requires TIP3 not to be in root contention and that there are no parent 
requests in transit. This greatly reduces the number of cases the proof has to take into account.
b(s,u):bool = (child_2(s) = child_3(u) AND lpd_2(s) = lpd_3(u) AND 
root_2(s) = root_3(u) AND FORALL d: NOT rc_3(u)(d) )
r_2_3(s,u):bool = b(s,u) AND FORALL p: NOT hdeq(mq_3(u)(p),parent)
ra_2_3(s,a,t,u):bool = b(s,u) AND 
cases a of
ADDC_2(d,p) : init_3(u)(d) AND FORALL q: q = peer(p) OR 
NOT hdeq(mq_3(u)(q),parent),
R00T_2(d): FORALL p: NOT hdeq(mq_3(u)(p),parent) ,
LPD_2(d): FORALL p: NOT hdeq(mq_3(u)(p),parent) 
endcases
A B
S *  -  -  -  -? u
a  '  '  x
t i  \  '  u^
B
s •- -  -  -  - 
i h - - .
u
T
U ' 
T
u
a
1 V
//
Figure 6.13: normedforward simulation Figure 6.14: delayed normed forward 
simulation
T
6.6 Some remarks on the use of PVS
In Figure 6.15 the PVS theories are listed. For each theory it lists:
- The name o f the PVS file, this is the same as the name o f the theory it contains. PVS 
allows to have many theories in a single file, here each file contains exactly one theory.
- The number o f lines in the file. Note that this contains the definitions, the lemmas and 
whitespace.
- The number o f lines in the proof. This is computed the output o f show -proof s - p v s - f  i l e ,  
here a line usually contains a single proof command.
- The number o f lemmas.
122 PVS Verification of a Leader Election Protocol
PVS Theory .PVS length proof lines # lemmas of which TCCs avg. proof lines
ListExtra 130 609 81 45 7.5
FiniteSetsExtra 38 91 8 0 11.3
SetsExtra 38 91 12 0 7.5
evenodd 36 73 18 0 4
automaton 64 26 4 2 6.5
s te p re f 26 0 0 0 0
normed sim 45 0 0 0 0
normed hist sim 23 0 0 0 0
normed_prop_sim 27 0 0 0 0
network 233 2448 86 28 28.4
IOA TIPI 48 93 4 1 23.2
IOA TIP2 77 240 8 1 30
IOA TIP3 95 9 3 3 3
IN V T IP 3 125 878 26 1 33.7
rei 12 47 360 9 1 40
sim 32 109 337 11 0 30.6
sima 32 57 192 6 0 32
rel_23 52 481 14 1 30.2
F igure 6.15: PVS theories with sizes
- The number o f Type Correctness Conditions, many of these are proved automatically.
- The number o f proof lines per lemma. This is (proof lines) / # lemmas. It is meant to give 
some indication on how difficult it is to prove the lemmas.
ListExtra, FiniteSetsExtra, SetsExtra and evenodd contain general lemmas on lists, finite- 
sets, sets and even/odd numbers. Section 6.4 discusses the following theories: automaton, 
step_ref, normed_sim, normed_hist_sim and normed_prop_sim. The theories IOA_TIPX con­
tain the automata for T IPI, TIP2, and TIP3. The invariants on TIP3 are in INV_TIP3. The 
normed prophecy simulation from T IP I to TIP2 is proved in rel_12. In sim_32 the simulation 
diagrams o f Section 6.5.9 are proved correct. In rel_23 the normed history relation from TIP2 
to TIP3 is proved. In sima_32 the delayed normed simulation o f Section 6.5.10 is proved.
Note that the network theory is the largest theory, in every aspect except complexity (avg. 
proof lines). This illustrates that reasoning on protocols consists for an important part o f rea­
soning about data types.
PVS release 2.3 was used to finally check the proofs. This takes 10 minutes on a 500 Mhz 
Pentium III with 128 MB internal memory running Red Hat Linux. The notation used for tuples 
and records is still the ‘old’ PVS 2.2 notation, also the ‘old’ decision procedures are used.
6 . 6 . 1  I O A  s u p p o r t  i n  P V S
Relatively many lemmas state that some predicate is an invariant. Therefore we created some 
special strategies in PVS for invariant proofs. The strategy s t a r t - i n v - p r o o f ,  reduces an 
invariant proof to a subgoal for the start states and a subgoal for each action. It unpacks standard 
definitions and skolemises variables etc. Thus one can start with the ‘real’ proof directly. The 
simple subgoals are proved automatically by this strategy. A simple case is for instance an
6.7 Conclusions 123
action schema that does not change the variables that are used in the invariant.
In invariant proofs very often other invariants are used, therefore we created a special strat­
egy to use invariants in PVS proofs. To make this possible we introduced a naming convention 
for state properties and the lemma that proves this property to be an invariant. For a state 
property x the lemma is called x_inv, see for example:
lpd_oncycle(s):bool = FORALL d: (lpd_l(s)(d) IMPLIES oncycle(d)) 
lpd_oncycle_inv: LEMMA reachable(TIP_1,s) IMPLIES lpd_oncycle(s)
This naming convention allows to make a strategy called u s e - in v  that takes the name of 
state predicate and adds the invariant assumption to the proof goal. It instantiates the invariant 
for a default state (s), but this can be overridden by an optional second argument. The strategies 
are available via [Gri00].
6 . 6 . 2  E n h a n c i n g  r o b u s t n e s s  o f  P V S  p r o o f s
In PVS goals are o f the form B A C A D ^  E v  F  v  G . Each conjunct/disjunct has a number, in 
this example: -1, -2, -3, 1, 2, 3. In proof commands one can use these numbers. The command 
(HIDE -1  -2  3) hides assumption -2 (C ) -1 (D ) and conclusion 3 (G). We do not like line 
numbers like this in a proof. Imagine that the proof o f this lemma fails and to fix this we include 
an assumption A, then the goal can becomeA A B A C A D ^  E v  F  v  G . Then B is no 
longer -1 but -2 and thus in rerunning the proof this hide command will hide A and B instead of 
B and C . It is also not clear from the command what we are actually hiding. For these reasons 
we created strategies to circumvent the use o f line numbers in a proof. We implemented a 
simple matching language. A constant string is translated to the list o f line numbers where it 
occurs. The operator contains-and CAND takes the intersection o f its arguments, any number 
o f arguments larger then zero. The operator contains-or COR takes the union o f its arguments. 
The operator CNOT returns the line numbers that are not in the argument list. We also made a -C 
version o f every proof command in PVS that takes line numbers as an argument. Thus (HIDE-C 
(CNOT (CAND "p a th "  1 c o n s1 ) ) ) hides all lines that do not contains both the function p a th  
and the function cons. In our experience this is more robust to small changes in the proof or 
specification and it is more clear what the intention o f a command is.
6.7 Conclusions
In this chapter we proved trace equivalence o f three automata, using step refinements and 
normed simulations. The complete proof has been checked using PVS. We think that normed 
simulations have some advantages over other simulations, especially when one uses a mechan­
ical proof check system.
Advantages o f normed simulations:
•  No need to formalize or reason about traces or execution fragments.
•  It is decidable wheter a given realation is a normed forward simulation when the data 
types involved are (see Section 5.8).
•  All reasoning is very local.
124 PVS Verification of a Leader Election Protocol
•  The norm functions tend to be easy to formulate and to reason about.
Disadvantages of normed simulations
•  One has to find a suitable norm function. In our experience the norm functions were 
obvious. We expect this to be the case in general, because the norm function is local, only 
for a specific transition in one automaton the internal step in the other should decrease 
this measure.
•  More often one needs a backward simulations where a ‘traditional’ forward simulation 
would also work.
Normed simulations have nice theoretical properties, see Chapter 5, but perhaps even more 
important is that they are very ‘friendly’ in day-to-day proving. In fact the need for a notion 
like normed simulation popped up during this day-to-day proving. An early proof o f the simu­
lation from TIP3 to TIP2 used some ad-hoc normed simulation and this is later formalized and 
polished to what is presented in Chapter 5.
6.8 Appendix: PVS Specifications
In this section PVS theories are listed containing all important definitions. These are valid PVS 
theories although not complete, because o f space considerations lemmas and less important 
definitions are left out. The complete files can be found at [Gri00].
6 . 8 . 1  A u t o m a t o n
automaton[Action: TYPE, State: TYPE]: THEORY 
BEGIN
IMPORTING setsExtra
Signature : TYPE =
[# inputs 
internals 
outputs 
time
setof[Action], 
setof[Action], 
setof[Action], 
setof [Action] #]
Automaton : TYPE =
[# sig : Signature,
starts : setof[State],
steps: [State,Action,State->bool] #]
A: VAR Automaton 
s,t: VAR State 
a: VAR Action
reachable_n(A,s,(n:nat)) : RECURSIVE bool = 
IF n = 0 THEN starts(A)(s) ELSE 
(EXISTS (t:State),(a:Action) :
6.8 Appendix: PVS Specifications 125
reachable_n(A,t,n-l) AND steps(A)(t,a,s))
ENDIF 
MEASURE n
reachable(A,s): bool = EXISTS (n:nat ) : reachable_n(A,s,n)
inputenabled?(A):bool = FORALL (s:State,a: Action):
inputs(sig(A))(a) IMPLIES EXISTS (t:State): steps(A)(s,a,t)
externals(A):setof[Action] =
union(union(inputs(sig(A)),outputs(sig(A))), time(sig(A)))
sig_oke(A):bool = (union(internals(sig(A)),externals(A)) = {ac¡Action I True})
AND disjoint?(inputs(sig(A)),internals(sig(A)),outputs(sig(A)), time(sig(A)))
IOA: TYPE = {A|inputenabled?(A) AND sig_oke(A) AND NOT empty?(starts(A))}
END automaton
6 . 8 . 2  S t e p  R e f i n e m e n t
step_ref [A_Action, A_State, B_Action, B_State: TYPE] : THEORY 
BEGIN 
ASSUMING
IMPORTING automaton[A_Action, A_State]
IMPORTING automaton[B_Action, B_State]
ENDASSUMING
A: VAR Automaton[A_Action, A_State]
B: VAR Automaton[B_Action, B_State]
Q: VAR pred[A_State] 
s,t: VAR A_State 
a: VAR A_Action 
b: VAR B_Action 
r: VAR [A_State->B_State]
step_ref(A,B,Q,r,(equal_a:pred[[(externals(A)),(externals(B))]])):bool =
(FORALL s: starts(A)(s) => Q(s) AND starts(B)(r(s)))
AND FORALL a,s,t:
steps(A)(s,a,t) AND Q(s) AND reachable(A,s) AND reachable(B,r(s)) IMPLIES 
Q(t) AND
IF externals(A)(a)
THEN EXISTS (b:(externals(B))): equal_a(a,b) AND steps(B)(r(s),b,r(t))
ELSE r(s) = r(t) OR EXISTS b: internals(sig(B))(b) AND steps(B)(r(s),b,r(t)) 
ENDIF
END step_ref
126 PVS Verification of a Leader Election Protocol
6 . 8 . 3  N o r m e d  S i m u l a t i o n
normed_sim[A_Action, A_State, B_Action, B_State,T: TYPE] : THEORY 
BEGIN
ASSUMING
IMPORTING automaton[A_Action, A_State]
IMPORTING automaton[B_Action, B_State]
ENDASSUMING
A: VAR Automaton[A_Action, A_State]
B: VAR Automaton[B_Action, B_State]
s,t: VAR A_State 
a: VAR A_Action
u, v: VAR B_State 
b: VAR B_Action
norm: VAR [A_State, A_Action, A_State, B_State -> T] 
r: VAR pred[[A_State, B_State]] 
less: VAR pred[[T, T]]
normed_sim(A,B,r,norm,less,(equal_a:pred[[(externals(A)),(externals(B))]] )):bool = 
well_founded?(less)
AND
(FORALL s: starts(A)(s) IMPLIES EXISTS u: starts(B)(u) AND r(s,u))
AND
(FORALL a,s,t,u:
steps(A)(s,a,t) AND reachable(A,s) AND reachable(B,u) AND r(s,u)
IMPLIES
(internals(sig(A))(a) AND r(t,u))
OR (EXISTS b,v: steps(B)(u,b,v) AND r(t,v) AND 
(IF externals(A)(a)
THEN externals(B)(b) AND equal_a(a,b)
ELSE internals(sig(B))(b) ENDIF))
OR (EXISTS b,v: steps(B)(u,b,v) AND r(s,v) AND internals(sig(B))(b)
AND less(norm(s,a,t,v),norm(s,a,t,u))))
END normed_sim
6 . 8 . 4  N e t w o r k
network : THEORY 
BEGIN
D: TYPE+ % The non empty set of devices.
P: TYPE % The set of ports.
p: VAR P 
d,dl,d2: VAR D 
i: VAR nat
6.8 Appendix: PVS Specifications 127
lp: VAR list[P]
fset: LIBRARY = "/usr/local/pvs-2.3/lib/finite_sets"
IMPORTING fset@finite_sets
dev: [P -> D] % Each port belongs to a device, 
peer: [P -> P] % Each port has a peer.
finite_ax: AXIOM is_finite({pI TRUE})
peer_ax: AXIOM peer(peer(p)) = p AND NOT p = peer(p)
ports(d): finite_set[P]= {p|dev(p)=d}
path(lp): bool = length(lp) > 0 AND even?(length(lp)) AND 
NOT nth(lp,0) = nth(lp,length(lp) - 1) AND 
FORALL i: i > 0 AND i < length(lp) IMPLIES 
IF odd?(i)
THEN nth(lp,i-l) = peer(nth(lp,i))
ELSE dev(nth(lp,i-1)) = dev(nth(lp,i)) AND NOT nth(lp,i-l) = nth(lp,i) 
ENDIF
cycle(lp):bool = path(lp) AND dev(nth(lp,0)) = dev(nth(lp,length(lp) - 1)) 
oncycle(p):bool = EXISTS lp,i: cycle(lp) AND i < length(lp) AND nth(lp,i) = p 
oncycle(d):bool = EXISTS p: oncycle(p) AND dev(p) = d
connected(dl,d2): bool = EXISTS lp: path(lp) AND dev(nth(lp,0)) = dl
AND dev(nth(lp,length(lp)-l)) = d2
% Only connected networks are considered.
connected_ax: AXIOM FORALL dl,d2: NOT dl = d2 IMPLIES connected(dl,d2)
6 . 8 . 5  T I P  1
Action_TIPl: DATATYPE 
BEGIN 
IMPORTING network 
LPD_l(d:D): LPD_1?
R00T_l(d:D): R00T_1?
END Action_TIPl
IOA.TIPl: THEORY 
BEGIN
IMPORTING Action_TIPl, automaton
State_TIP_l: TYPE = [# lpd_l: [D->bool], root.l: [D->bool] #] 
d,e: VAR D
starts_l(s:State_TIP_l):bool =
128 PVS Verification of a Leader Election Protocol
FORALL d: NOT lpd_l(s)(d) AND NOT root_l(s)(d)
trans_l(s:State_TIP_l, a:Action_TIPl, t:State_TIP_l):bool =
CASES a OF
ROOT_l(d): (FORALL e: NOT oncycle(e) AND NOT root_l(s)(e)) AND 
t = s WITH [root_l := root_l(s) WITH [d := true]],
LPD_1(d): oncycle(d) AND NOT lpd_l(s)(d) AND
t = s WITH [lpd_l := lpd_l(s) WITH [d := true]]
ENDCASES
TIP_1: Automaton[Action_TIPl, State_TIP_l] =
(# sig := (# inputs := emptyset[Action_TIPl],
internals := emptyset[Action_TIPl], 
outputs := {a:Action_TIPl| LPD_l?(a) OR R00T_l?(a)>, 
time := emptyset[Action_TIPl] #), 
starts := starts_l, 
steps := trans_l
#)
END I0A_TIP1
6 . 8 . 6  T I P  2
Action_TIP2 : DATATYPE 
BEGIN
IMPORTING network 
ADDC_2(d:D, p:P): ADDC_2?
R00T_2(d:D): R00T_2?
LPD_2(d:D): LPD_2?
END Action_TIP2
I0A_TIP2: THEORY 
BEGIN
IMPORTING Action_TIP2, automaton
State_TIP_2: TYPE = [# child_2: finite_set[P],
lpd_2, root_2: [D->bool]
#]
s,t: VAR State_TIP_2 
d,e,di,dl,d2: VAR D 
p,pl,p2: VAR P
start_2(s:State_TIP_2): bool = empty?(child_2(s)) AND
(FORALL d: NOT root_2(s)(d) AND NOT lpd_2(s)(d))
trans_2(s:State_TIP_2, a:Action_TIP2, t :State_TIP_2):bool = 
CASES a OF
6.8 Appendix: PVS Specifications 129
ADDC_2(d,p): (d = dev(p)) AND
difference(ports(dev(peer(p))),child_2(s))= singleton(peer(p))
AND NOT child_2(s)(p) AND 
t = s WITH [child_2 := add(p,child_2(s))],
R00T_2(d):
subset?(ports(d),child_2(s)) AND NOT root_2(s)(d) AND 
t = s WITH [root_2 := root_2(s) WITH [d := TRUE]],
LPD_2(d):
oncycle(d) AND NOT lpd_2(s)(d) AND 
t = s WITH [lpd_2 := lpd_2(s) WITH [d := TRUE]]
ENDCASES
TIP_2: Automaton[Action_TIP2,State_TIP_2] =
(# sig := (# inputs := emptyset[Action_TIP2],
internals := { a:Action_TIP2 I ADDC_2?(a)}, 
outputs := { a:Action_TIP2 I R00T_2?(a) OR LPD_2?(a) > , 
time := emptyset[Action_TIP2] #),
starts := start_2, 
steps := trans_2 #)
END I0A_TIP2
6 . 8 . 7  R e l a t i o n  b e t w e e n  T I P  1 a n d  T I P  2
rel_12: THEORY 
BEGIN
IMPORTING I0A_TIP1, I0A_TIP2,
normed_prop_rel[Action_TIPl, State_TIP_l, Action_TIP2, State_TIP_2, nat]
fset: LIBRARY = "/usr/local/pvs-2,3/lib/finite_sets"
IMPORTING fset@finite_sets, finite_setsExtra
startnorm(sl: State_TIP_l, s2: State_TIP_2): nat = card(child_2(s2))
norm(s:State_TIP_l, a:Action_TIPl, t:State_TIP_l, u:State_TIP_2): nat = 0 
less(i,j:nat):bool = i < j
r(s: State_TIP_2): State_TIP_l = (# lpd_l := lpd_2(s), root_l := root_2(s) #)
R :pred[ [State_TIP_l,State_TIP_2]] = {((s: State_TIP_l),(u:State_TIP_2)) I 
lpd_l(s) = lpd_2(u) AND root_l(s) = root_2(u)}
back(s: State_TIP_2):bool =
Iroot(s) AND Ilpd(s) AND Iintree(s) AND Ioncycle_p(s)
Q(s:State_TIP_2): bool = TRUE
130 PVS Verification of a Leader Election Protocol
equal_a(a:(externals(TIP_2)),b:(externals(TIP_l))):bool =
CASES a OF
R00T_2(d): b = ROOT_l(d),
LPD_2(d): b = LPD_l(d)
ENDCASES
step_ref_l_2: LEMMA step_ref(TIP_2, TIP_l,Q,r,equal_a)
normed_back_sim_l_2: LEMMA normed_back_sim(
TIP_1,TIP_2,converse(graph(r)) ,back,startnorm,norm,less,converse(equal_a))
normed_prop_rel: LEMMA normed_prop_rel(
TIP_1,TIP_2, r, Q, back, startnorm, norm, less, converse(equal_a))
END rel_12
6 . 8 . 8  T I P  3
Action_TIP3: DATATYPE 
BEGIN
IMPORTING network
ADDC_3(d:D, p:P): ADDC_3?
RMES_3(d:D, p:P, mes: nat): RMES_3?
CKN_3(d:D): CKN_3?
SLRC_3(d:D ,p :P): SLRC_3?
R00T_3(d:D): R00T_3?
LPD_3(d:D): LPD_3?
END Action_TIP3
I0A_TIP3 : THEORY 
BEGIN
IMPORTING Action_TIP3, automaton, listExtra, finite_setsExtra
Mes: TYPE = nat 
parent: Mes = 0 
ack: Mes = 1
State_TIP_3: TYPE = [# mq_3: [P -> list[Mes]],
child_3: finite_set [P],
init_3, rc_3, root_3, lpd_3: [D -> bool]
#]
s,t: VAR State_TIP_3 
p,q, pp: VAR P 
d,e: VAR D 
mes: VAR Mes
start_3(s:State_TIP_3) : bool =
6.8 Appendix: PVS Specifications 131
(empty?(child_3(s))) AND 
(FORALL q: null?(mq_3(s)(q))) AND 
(FORALL e: init_3(s)(e) AND
NOT rc_3(s)(e) AND 
NOT root_3(s)(e) AND 
NOT lpd_3(s)(e))
trans_3(s:State_TIP_3,a :Action_TIP3,t :State_TIP_3): bool =
CASES a OF 
ADDC_3(d,p): (d = dev(p)) AND
init_3(s)(d) AND hdeq(mq_3(s)(peer(p)),parent) AND 
t = s WITH [
child_3 := add(p,child_3(s)),
mq_3 := mq_3(s) WITH [ (peer(p)) := cdr(mq_3(s)(peer(p))) ] ],
RMES_3(d,p,mes):
NOT init_3(s)(d) AND
difference(ports(d), child_3(s)) = singleton(p) AND 
hdeq(mq_3(s)(peer(p)),mes) AND 
t = s WITH [
rc_3 := rc_3(s) WITH [ d := IF (mes = parent)
THEN true
ELSE rc_3(s)(d) ENDIF ], 
mq_3 := mq_3(s) WITH [(peer(p)) :=cdr(mq_3(s)(peer(p)))] ],
CKN_3(d):
init_3(s)(d) AND card(difference(ports(d),child_3(s))) <= 1 AND 
t = s WITH [
init_3 := init_3(s) WITH [ d := false ], 
mq_3 := (LAMBDA (u:P):
IF dev(u)=d 
THEN IF child_3(s)(u)
THEN append(mq_3(s)(u),(: ack :))
ELSE append(mq_3(s)(u),(: parent :))
ENDIF 
ELSE mq_3(s)(u)
ENDIF ) ],
SLRC_3(d,p): (d = dev(p)) AND
rc_3(s)(d) AND rc_3(s)(dev(peer(p))) AND 
t = s WITH [
child_3 := add(p,child_3(s)),
rc_3 := rc_3(s) WITH [ (dev(peer(p))) := false , d := false] ],
R00T_3(d):
NOT init_3(s)(d) AND NOT root_3(s)(d) AND subset?(ports(d),child_3(s)) AND 
t = s WITH [ root_3 := root_3(s) WITH [ d := true ]] ,
LPD_3(d):
132 PVS Verification of a Leader Election Protocol
oncycle(d) AND NOT lpd_3(s)(d) AND 
t = s WITH [lpd_3 := lpd_3(s) WITH [ d := true ]]
ENDCASES
TIP_3: Automaton[Action_TIP3, State_TIP_3] =
(# sig := (# inputs := emptyset[Action_TIP3],
internals := {a:Action_TIP3 I ADDC_3?(a) OR CKN_3?(a) OR
RMES_3?(a) OR SLRC_3?(a)>, 
outputs := {a:Action_TIP3 I R00T_3?(a) OR LPD_3?(a)>, 
time := emptyset[Action_TIP3] #), 
starts := start_3, 
steps := trans_3 #)
END I0A_TIP3
6 . 8 . 9  I n v a r i a n t s  o n  T I P  3
INV_TIP3: THEORY 
BEGIN
IMPORTING I0A_TIP3
s,t: VAR State_TIP_3 
ppi,p,pi: VAR P 
d,di: VAR D 
mes: VAR Mes
Il(s): bool = FORALL di:
init_3(s)(di) IMPLIES NOT rc_3(s)(di)
12(s): bool = FORALL pi:
init_3(s)(dev(pi)) IMPLIES null?(mq_3(s)(pi))
13(s): bool = FORALL pi:
init_3(s)(dev(peer(pi))) IMPLIES NOT child_3(s)(pi)
14(s):bool = FORALL di: 
init_3(s)(di) OR card(difference(ports(di),child_3(s))) <= 1
I5a(s):bool = FORALL pi: 
null?(mq_3(s)(pi))
OR (null?(cdr(mq_3(s)(pi)))
AND (hdeq(mq_3(s)(pi),ack) OR hdeq(mq_3(s)(pi),parent)))
I5(s):bool = FORALL pi: length(mq_3(s)(pi)) <= 1
I6(s):bool = FORALL pi: init_3(s)(dev(pi))
IMPLIES NOT rc_3(s)(dev(peer(pi)))
I7(s):bool = FORALL pi: child_3(s)(pi) IMPLIES null?(mq_3(s)(peer(pi)))
6.8 Appendix: PVS Specifications 133
I8(s):bool = FORALL pi: rc_3(s)(dev(pi)) IMPLIES null?(mq_3(s)(peer(pi)))
I9(s):bool = FORALL pi: hdeq(mq_3(s)(pi),ack) IMPLIES child_3(s)(pi)
I10(s):bool = FORALL pi: hdeq(mq_3(s)(pi),parent) IMPLIES NOT child_3(s)(pi)
IlOm(s):bool = FORALL pi:
(NOT init_3(s)(dev(pi))) OR (NOT null?(mq_3(s)(pi))) OR child_3(s)(pi)
OR rc_3(s)(dev(pi)) IMPLIES NOT dev(pi) = dev(peer(pi))
IlOf(s):bool = FORALL pi:
card(difference(ports(dev(pi)), child_3(s))) <= 1 
IMPLIES NOT dev(pi) = dev(peer(pi))
Ill(s):bool =
FORALL pi,ppi: child_3(s)(pi)
AND dev(peer(ppi)) = dev(pi)
AND dev(peer(pi)) = dev(ppi)
IMPLIES NOT child_3(s)(ppi)
I12(s):bool = FORALL pi: rc_3(s)(dev(pi)) IMPLIES NOT child_3(s)(peer(pi))
IDI(s):bool = FORALL di: lpd_3(s)(di) IMPLIES oncycle(di)
ID2(s):bool = FORALL di:
rc_3(s)(di) IMPLIES card(difference(ports(di),child_3(s))) = 1
ID3(s):bool = FORALL di: root_3(s)(di) IMPLIES subset?(ports(di),child_3(s))
ID4(s):bool = FORALL pi:
LET di:D = dev(pi),
ei:D = dev(peer(pi)), 
qi:P = peer(pi)
IN init_3(s)(di) OR
hdeq(mq_3(s)(pi),parent) OR 
child_3(s)(qi) OR 
rc_3(s)(ei) OR 
child_3(s)(pi)
END INV_TIP3
6 . 8 . 1 0  R e l a t i o n  b e t w e e n  T I P  2  a n d  T I P  3
rel_23: THEORY 
BEGIN
IMPORTING I0A_TIP2, I0A_TIP3, INV_TIP3, sim_32,
134 PVS Verification of a Leader Election Protocol
normed_hist_rel[Action_TIP2, State_TIP_2, Action_TIP3, State_TIP_3, nat]
equal_a(a:(externals(TIP_3)), b:(externals(TIP_2))):bool =
CASES a OF
R00T_3(d) : b = R00T_2(d),
LPD_3(d) : b = LPD_2(d)
ENDCASES
Q(s:State_TIP_3): bool = FORALL (di:D): oncycle(di) IMPLIES init_3(s)(di)
r(s:State_TIP_3):State_TIP_2 =
(# child_2 := child_3(s), lpd_2 := lpd_3(s), root_2 := root_3(s) #)
d: VAR D
p: VAR P
mes: VAR Mes
s,t: VAR State_TIP_2
a: VAR Action_TIP2
u: VAR State_TIP_3
step_ref_2_3: LEMMA
step_ref(TIP_3,TIP_2, Q ,r,equal_a)
less(i,j:nat): bool = i < j
normed_sim_3_2: LEMMA
normed_sim(TIP_2,TIP_3,converse(graph(r) ),norm,less,converse(equal_a))
normed_hist_rel_3_2: LEMMA
normed_hist_rel(TIP_2,TIP_3,Q,r,norm,less,converse(equal_a))
IMPORTING sima_32,
extended_normed_sim[Action_TIP2, State_TIP_2, Action_TIP3, State_TIP_3, nat]
extended_sim_3_2: LEMMA
extended_normed_sim(TIP_2,TIP_3,r_2_3,ra_2_3,norma,less,converse(equal_a))
END rel_23
Chapter 7
Verification of an Audio Control 
Protocol with Bus Collision 
using Uppaal
With Johan Bengtsson, Kâre J. Kristoffersen, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, 
and Wang Yi
Abstract In this chapter we present a case-study where the tool Uppaal is extended and applied 
to verify an Audio-Control Protocol developed by Philips. The size of the protocol studied in 
this chapter is significantly larger than case studies, including various abstract versions verified 
of the same protocol without bus collision handling, reported previously in the community of 
real time verification. We have checked that the protocol will function correctly if the timing 
error of its components is bound to ±5% , and incorrectly if the error is ±6%. In addition, using 
Uppaal’s ability of generating diagnostic traces, we have studied an erroneous version of the 
protocol actually implemented by Philips in their audio products, and constructed a possible 
execution sequence explaining a known error.
During the case-study, Uppaal was extended with the notion of committed locations. It 
allows for accurate modeling of atomic behaviors, and it is utilized to prune the state-space 
and to avoid exploring unnecessary interleavings of independent transitions. Our experimental 
results demonstrate truly time and space-savings of the modified model checking algorithm. 
In fact, due to the huge time and memory-requirement, it was impossible to check a simple 
reachability property of the protocol before the introduction of committed locations, and now it 
takes only seconds.
7.1 Introduction
During the last few years a number of tools for automatic verification of hybrid and real-time 
systems have emerged, e.g. HyTech [HHWT95], Kronos [DY95], Polka [HRP94], RT-Cospan 
[AK95] and Uppaal [BLL+95]. These tools have by now reached a state, where they are 
mature enough for industrial applications. We hope to substantiate the claim by reporting on an 
industry-size case study where the tool Uppaal is applied.
136 Verification of an Audio Control Protocol with Bus Collision using Uppaal
We analyze an audio control protocol developed by Philips for the physical layer of an inter­
face bus connecting the various devices e.g. CD-players, amplifier etc.in audio equipments. It 
uses Manchester encoding to transmit bit sequences of arbitrary length between the components, 
whose timing errors are bound. A simplified version of the protocol is studied by Bosscher et 
al.[BPV94]. It is showed that the protocol is incorrect if  the timing error of the components is 
±Y7 or greater. The proof is carried out without tool support. The first automatic analysis of 
the protocol is reported in [HWT95] where H y T e c h  is applied to check an abstract version of 
the protocol and automatically synthesize the upper bound on the timing error. Similar versions 
of the protocol have been analyzed by other tools, e.g. U p p a a l  [LPY95] and Kronos [DY95]. 
However, all the proofs are based on a simplification on the protocol, introduced by Bosscher 
et.al. in 1994, that only one sender is transmitting on the bus so that no bus collisions can 
occur. In many applications the bus will have more than one sender, and the full version of the 
protocol by Philips therefore handles bus collisions. The protocol with bus collision handling 
was manually verified in [Gri94] without tool support. Since 1994, it had been a challenge for 
the verification tool developers to automate the analysis on the full version of the protocol.
The first automated proof of the protocol with bus collision handling was presented in 1996 
in the conference version of this chapter [BGK+96]. It was the largest case study, reported in 
the literature on verification of timed systems, which has been considered as a primary example 
in the area (see [CW96, LSW97]). The size of the protocol studied is significantly larger than 
various simplified versions of the same protocol studied previously in the community, e.g. the 
node-space is 103 times larger than the case without bus collision handling and the number of 
clocks, variables and channels is also increased considerably.
The major problem in applying automatic verification tools to industrial-size systems is 
the huge time and memory-usage needed to explore the state-space of a network (or product) 
of timed automata, since the verification tools must keep information not only on the control 
structure of the automata but also on the clock values specified by clock constraints. It is 
known as the state-space explosion problem. We experienced the problem right on the first 
attempt in checking a simple reachability property of the protocol using U p p a a l , which did 
not terminate in hours though it was installed on a super computer with giga bytes of main 
memory. We observed that in addition to the size and complexity of the problem itself, one of 
the main causes to the explosion was the inaccurate modeling of atomic behaviors and inefficient 
search of the unnecessary interleavings of atomic behaviors by the tool. As a simple solution, 
during the case-study, U p p a a l  was extended with the notion of committed locations. It allows 
for accurate modeling of atomic behaviors, and it is utilized to prune the state-space and to 
avoid exploring unnecessary interleavings of independent transitions. Our experimental results 
demonstrate truly time and space-savings of the modified model checking algorithm. In fact, 
due to the huge time and memory-requirement, it was impossible to check certain properties of 
the protocol before the introduction of committed locations, and now it takes only seconds.
The automated analysis was originally carried out using an U p p a a l  version extended with 
the notion of committed location installed on a super computer, a SGI ONYX machine [BGK+96] 
To make a comparison, we in this chapter present an application of the current version of 
U p p a a l , also supporting committed location, installed on an ordinary Pentium 150 MHz PC 
machine, to the protocol. We have checked that the protocol will function correctly if  the timing 
error of its components is bound to ±5% , and incorrectly if the error is ±6%. In addition, using 
U p p a a l ’s ability of generating diagnostic traces, we have studied an erroneous version of the 
protocol actually implemented by philips in their audio products, and constructed a possible
7.2 Committed Locations 137
S1
ml!
;:S2 0  
m2 !
V
S3 0
R1
R1 1 (£
ml?
><
R12 O
R2
R21
m2?
>f
R22
Figure 7.1: Broadcasting Communication and Committed Locations.
execution sequence explaining a known error.
The chapter is organized as follows: In the next two sections we present the U p p a a l  model 
with committed location and describe its implementation in the tool. In section 7.4 and 7.5 the 
Philip Audio-Control Protocol with Bus Collision is informally and formally described. The 
analysis of the protocol is presented in section 7.6 where we also compare the performance of 
the current U p p a a l  version with the one used in [BGK+96]. Section 7.7 concludes the chapter. 
Finally, formal descriptions of the protocol components are enclosed in the appendix.
7.2 Committed Locations
The basis of the U p p a a l  model for real-time systems is networks of timed automata extended 
with data variables [AD90, HNSY94, YPD94]. However, to meet requirements arising from 
various case-studies, the U p p a a l  model has been extended with various new features such as 
urgent transitions [BLL+95] etc.The present case-study indicates that we need to further extend 
the U p p a a l  model with committed locations to model behaviors such as atomic broadcasting in 
real-time systems. Our experiences with U p p a a l  show that the notion of committed locations 
introduced in U p p a a l  is not only useful in modeling but also yields significant improvements 
in performance.
We assume that a real-time system consists of a fixed number of sequential processes com­
municating with each other via channels. We further assume that each communication synchro­
nizes two processes as in CCS [Mil89]. Broadcasting communication can be implemented in 
such systems by repeatedly sending the same message to all the receivers. To ensure atomicity 
of such “broadcast” sequences we mark the intermediate locations of the sender, which are to 
be executed immediately, as so-called committed locations.
7 . 2 . 1  A n  E x a m p l e
To introduce the notion of committed locations in timed automata, consider the scenario shown 
in Figure 7.1. A sender S is to broadcast a message m to two receivers Ri and R2. As this 
requires synchronization between three processes this can not directly be expressed in the 
U p p a a l  model, where synchronization is between two processes with complementary actions.
138 Verification of an Audio Control Protocol with Bus Collision using Uppaal
As an initial attempt we may model the broadcast as a sequence of two two-process synchro­
nizations, where first S synchronizes with Ri on mi and then with R2 on m2. However, this 
is not an accurate model as the intended atomicity of the broadcast is not preserved (i.e. other 
processes may interfere during the broadcast sequence). To ensure atomicity, we mark the in­
termediate location S2 of the sender S as a committed location (indicated by the c :-prefix). The 
atomicity of the action sequence mi ! m2 ! is now achieved by insisting that a committed sequence 
must be left immediately! This behavior is similar to what has been called “urgent transitions” 
[HHWT95, DY95, BLL+95], which insists that the next transition taken must be an action (and 
not a delay), but the essential difference is that no other actions should be performed in between 
such an atomic sequence. The precise semantics of committed locations will be formalized in 
the transition rules for networks of timed automata with data variables in Section 7.2.3.
7 . 2 . 2  S y n t a x
We assume a finite set of clock variables C ranged over by x , y , z and a finite set of data 
variables V  ranged over by i, j . We use B (C) to stand for the set of clock constraints that 
are the conjunctive formulas of simple constraints in the form of x -< n or x — y  < n, 
where ^  e {<, <, =, >, >} and n is a natural number. Similarly, we use B (V) to stand 
for the set of non-clock constraints that are conjunctive formulas of i ~  j  or i ~  k, where 
~ e  {<, <, =, =, > , >} and k is an integer number. We use B(C,V) ranged over by g  to de­
note the set of formulas that are conjunctions of clock constraints and a non-clock constraints. 
The elements of B(C,V) are called constraints or guards.
To manipulate clock and data variables, we use reset-sets which are finite sets of reset- 
operations. A reset-operation on a clock variable should be in the form x :=  n where n is a 
natural number and a reset-operation on an data variable should be in the form: i :=  k * j  +  k ' 
where k , k' are integers. A reset-set is a proper reset-set when the variables are assigned a value 
at most once, we use TZ to denote the set of all proper reset-sets.
We assume that processes synchronize with each other via complementary actions. Let ^4 be 
a set of action names with a subset W of urgent actions on which processes should synchronize 
whenever possible. We use Act = { a ? | a e *4 }U { a  ! | a e *4 }U { t  } to denote the 
set of actions that processes can perform to synchronize with each other, where t is a distinct 
symbol representing internal actions. We use name (a) to denote the action name of a, defined 
by name(a?) = name(a!) = a.
An automaton A over actions Act, clock variables C and data variables X> is a tuple 
(N , l0, E , I , NC) where N  is a finite set of locations (control-locations) with a subset NC ç  N  
being the set of committed locations, 10 is the initial location, E  ç  N  x B  (C,V) x  Act x I Z x N  
corresponds to the set of edges, and I  : N  4  B(C) is the invariant assignment function. 
To model urgency, we require that the guard of an edge with an urgent action is a non-clock 
constraint, i.e. if  name(a) e U  and (l, g, a, r, l ') e E  then g e B (V).
gar
In the case, (l, g, a, r, l') e E  we shall write l — 4 l' which represents a transition from 
the location l to the location l ' with guard g, action a to be performed, and a sequence of 
reset-operations r to update the variables. Furthermore, we shall write C(l) whenever l e NC.
To model networks of processes, we introduce a CCS-like parallel composition operator for 
automata. Assume that A\, ..., A„ are automata. We use A to denote their parallel composition. 
The intuitive meaning of A is similar to the CCS parallel composition of A \, A„ with all 
actions being restricted, that is, A =  (A\\...\An)\Act. Thus only synchronization between the
7.2 Committed Locations 139
components A¡ is possible. We call A a network o f automata. We simply view A as a vector 
and use Ai to denote its ith component.
7 . 2 . 3  S e m a n t i c s
Informally, a process modeled by an automaton starts at location 10 with all its variables ini­
tialized to 0. The values of the clocks may increase synchronously with time at location l as 
long as the invariant condition I  (l) is satisfied. At any time, the process can change location
gar
by following an edge l — 4 l ' provided the current values of the variables satisfy the enabling 
condition g. With this transition, the variables are updated by r .
To formalize the semantics we shall use variable assignments. A variable assignment is 
a mapping which maps clock variables C to the non-negative reals and data variables V  to 
integers. For a variable assignment v and a delay d, v ®  d  denotes the variable assignment such 
that (v ®  d)(x) = v(x) +  d  for a clock variable x and (v ®  d)(i) = v(i) for any data variable 
i . This definition of ®  reflects that all clocks proceed at the same speed and that data variables 
are time-insensitive.
For a reset-set r (a proper set of reset-operations), we use r [v] to denote the variable assign­
ment v' with v'(w) = Value(e)v whenever (w :=  e) e r and v'(w') = v(w') otherwise, where 
Value(e)v denotes the value of e in v. Given a constraint g e B(C,V) and a variable assignment 
v, g(v) is a boolean value describing whether g  is satisfied by v or not.
A control vector I of a network A is a vector of locations where /, is a location of A¡. We 
write l [l-/ li] to denote the vector where the ith element li of l is replaced by l . . Furthermore, 
we shall write C(l) whenever C(¡¡ ) for some i.
A state of a network A is a configuration (I, v) where / is a control vector of A and v is a 
variable assignment. The initial state of A is (Io, v°) where Io is the initial control vector whose 
elements are the initial locations l0 of Ai ’s and v0 is the initial variable assignment that maps 
all variables to 0.
The semantics o f a network of automata A is given in terms of a transition system with the 
set of states being the configurations. The transition relation is defined by the following three 
rules, which are standard except that each rule has been augmented with conditions handling 
control-vectors with committed locations:
•  (l, v)^+ (l[l¡/ 1i], ri [v]) if  li —- -  l'f and gi (v) for some li, gi, ri , and for all k if  C(lk) then 
k = i ,
g a ! ri gi a? r,
• (l, v ) ^  (l [l' /  li, lj /  lj ], (rj U ri )[v]) if  li — -  l[, lj — 4 l j , gi (v), gj (v), and i = j , 
for some li , l j , gi, g j , a , ri , r j , and for all k if  C (lk) then k = i or k = j ,
a? gj a!rj
• (l, v) (l,v  ®  d) if I(l)(v), I(l)(v  ®  d), —C (l) and no l f — - ^ 1, lj — 4 such that gi (v), 
gj (v), a e U , i = j , li, l j , ri and r j .
where I  (l) = f \ i I  (li ).
Intuitively, the first rule describes a local internal action transition in a component, and 
possibly the resetting of variables. An internal transition can occur if the current variable as­
signment satisfies the transition guard, and the control-locations of all other components in 
the network are not committed. Thus, internal transitions can not interrupt other components 
operating in committed locations.
140 Verification of an Audio Control Protocol with Bus Collision using Uppaal
The second rule describes synchronization transitions that synchronize two components. It 
is required that the control-locations of all other components are not committed to prevent the 
transition from interfering with ongoing atomic (i.e. committed) transition sequences in other 
components.
The third rule describes delay transitions, i.e. when all clocks increase synchronously with 
time. Delay transitions are permitted only while the location invariants of all components are 
satisfied. Delays are not permitted if the control-location of a component in the network is 
committed, or if  an urgent transition (i.e. a synchronization transition with urgent action) is 
possible. Note that the guards on urgent transitions are non-clock constraints whose truth-values 
are not affected by delays.
Finally, we note that the three rules give a semantics where components operating in com­
mitted location are required to participate in the next transition, which must be an action transi­
tion. Furthermore, transition sequences marked as committed are instantaneous in the sense that 
they happen without duration, and non-interleaved (or indivisible) as they are never interfered 
by other components.
7.3 Committed Locations in Uppaal
In this section we present a modified version of the model-checking algorithm of U p p a a l  for 
networks of automata with committed locations.
7 . 3 . 1  T h e  M o d e l - C h e c k i n g  A l g o r i t h m
The model-checking algorithm performs reachability analysis to check for invariance proper­
ties VDß , and reachability properties 3 0 ß , with respect to a local property ß of the control 
locations and the values of the clock and data variables. It combines constraint-solving tech­
niques with on-the-fly generation of the state-space in order to avoid explicit construction of 
the product automaton and the immediately caused memory problems. The algorithm is based 
on a partitioning of the (otherwise infinite) state-space into finitely many symbolic states of the 
form (l, D), where D is a constraint system (i.e. a conjunction of clock constraints and non­
clock constraints). It checks if  a symbolic state (lf , Df  ) is reachable from the initial symbolic 
state (l0, D 0), where D 0 expresses that all clock and data variables are initialized to 0 [YPD94]. 
Throughout the rest of this chapter we shall simply call (l, D)  a state instead of symbolic state.
The algorithm essentially performs a forwards search of the state-space. The search is 
guided and pruned by two buffers: , holding states waiting to be explored and hold­
ing states already explored. Initially, Passed is empty and Wait holds the single state (l0, D0). 
The algorithm then repeats the following steps:
51. Pick a state (l, D)  from the Wait buffer.
52. If l = lf  and D A Df  = 0  return the answer yes.
53. a. If l = l' and D ç  D', for some (l', D') in the Passed buffer, drop (l, D) and go to
step .
b. Otherwise, save (l, D) in the buffer.
7.3 Committed Locations in Uppaal 141
54. Find all successor states (ls, Ds) reachable from (l, D) in one step and store them in the
buffer.
55. If the Wait buffer is not empty then go to step S1, otherwise return the answer no.
We will not treat the algorithm in detail here, but refer the reader to [YpD94, BL96].
Note that in step S3.b all explored states are stored in the Passed buffer to ensure termination 
of the algorithm. In many cases, it will store the whole state-space of the analyzed system which 
grows exponentially both in the number clocks and components [YPD94]. The algorithm is 
therefore bound to run into space problems for large systems. The key question is how to 
reduce the growth of the buffer.
The use of committed location to model atomic behaviors render possible two potential 
reductions of the Passed buffer size. First, as atomic sequences in general restrict the amount of 
interleaving that is allowed in a system [Hol91], the state-space of the system is reduced, and 
consequently also the number of states stored in the Passed buffer. Secondly, as a sequence of 
committed locations semantically is instantaneous and non-interleaved with other components, 
it suffices to save only the control-location at the beginning of the sequence in the Passed buffer 
to ensure termination. Hence, our proposed solution is simply not to save states in the 
buffer which involve committed locations. We modify step S3 of the algorithm in the following 
way:
S3'. a. If C(l) go directly to step S4.
b. If l = l' and D ç  D', for some (l', D') in the Passed buffer, drop (l, D) and go to 
step .
c. If neither of the above steps are applicable, save (l, D) in the Passed buffer.
So, for a given state (l, D), if  l is committed the algorithm proceeds directly from step S3'.a to 
step S4, thereby omitting the time-consuming step S3'.b and the space-consuming step S3'.c. 
Clearly, this will reduce the growth of the Passed buffer and the total amount of time spent on 
step S3'. In the following step S4 more reductions are made as interleavings are not allowed 
when l is committed. In fact, the next transition must be an action transition and it must involve 
all U which are committed in l (according to the transition rules in the previous section). This 
reduces the time spent on generating successor states of (l, D) in S4 as well as the total number 
of states in the system. Finally, we note that reducing the Passed buffer size also yields potential 
time-savings in step S3'.b when l is not committed as it involves a search through the Passed 
buffer.
7 . 3 . 2  S p a c e  a n d  T i m e  P e r f o r m a n c e  I m p r o v e m e n t s
To investigate the practical benefits from the usage of committed locations and its implemen­
tation in U p p a a l  we perform an experiment with a parameterizable scenario, where a sender 
S wants to broadcast a message to n receivers Ri , . . . ,  Rn. The sender S simply performs n 
a!-transitions and then terminates, whereas the receivers are all willing to perform a single a?- 
transition hereby synchronizing with the sender. The data variable k ensures that the i th receiver 
participates in the i th handshake. Additionally, there are m auxiliary automata D \ , . . . ,  Dm sim­
ply oscillating between two states. Consider Figure 7.2, where the control node S2 is committed 
(indicated by the c :-prefix).
142 Verification of an Audio Control Protocol with Bus Collision using Uppaal
Figure 7.2: Broadcasting Using Committed Locations.
70 - 
60 - 
50 - 
40 -
s
H  30 -
20 - 
10 -
2 3
Receivers Receivers
Figure 7.3: Time and Space Consumption.
We may now use U p p a a l  to verify that the sender succeeds in broadcasting the message, i.e. 
it forces all the receivers to terminate. We verify thatSYS n , m  =  (S n | Ri | . . .  | Rn | Di | . . .  | D m) 
satisfies the formula 3 0 (at(S, S3) a "=1 at(R¡, R¡2)), where we assume that the proposition 
at(A,l) is implicitly assigned to each location l of the automaton A, meaning that the component 
A is operating in location l . We perform two test sequences, with S2 declared as respectively 
not committed and committed. The result is shown in Figure 7.3. In both test sequences the 
number of disturbing automata was fixed to eight. Time is measured in seconds and space is 
measured in pages (4KB). The general observation is that use of committed locations in broad­
casting saves time as well as space. The most important observation is that in the committed 
scenario the space consumption behaves as a constant function in the number of receivers.
7.4 The Audio Control Protocol with Bus Collision
In this section an informal introduction to the audio protocol with bus collision is given. The 
audio control protocol is a bus protocol, all messages are received by all components on the 
bus. If a component receives a message not addressed to it, the message is just ignored. Philips
7.4 The Audio Control Protocol with Bus Collision 143
Figure 7.4: An Example.
allows up to 10 components.
Messages are transmitted using Manchester encoding. Time is divided into bit-slots of equal 
length, a bit “ 1” is transmitted by an up-going edge halfway a bit-slot, a bit “0” by a down-going 
edge halfway a bit-slot. If the same bit is transmitted twice in a row the voltage changes at the 
end of the first bit-slot. Note that only a single wire is used to connect the components, no extra 
clock wire is needed. This is one of the properties that makes it a nice protocol.
The protocol has to cope with some problems: (a) The sender and the receiver must agree 
on the beginning of the first bit-slot, (b) the length of the message is not known in advance 
by the receiver, (c) the down-going edges are not detected by the receiver. To resolve these 
problems the following is required: Messages must start with a bit “ 1” and messages must end 
with a down-going edge. This ensures that the voltage on the wire is low between messages. 
Furthermore the senders must respect a so-called “radio silence” between the end of a message 
and the beginning of the next one. The radio silence marks the end of a message and the receiver 
knows that the next up-going edge is the first edge of a new message. It is almost possible to 
decode a Manchester encoded message by only looking to the up-going messages (problem c) 
only the last zero bit of a message can not be detected (consider messages “ 10” and “ 1”). To 
resolve this, it is required that all messages are of odd length.
It is possible that two or more components start transmitting at the same time. The behavior 
of the electric circuit is such that the voltage on the wire will be high as long as one of the 
senders pulls it high. In other words: The wire implements the or-function. This makes it 
possible for a sender to notice that someone else is also transmitting. If the wire is high while 
it is transmitting a low, a sender can detect a bus collision. This collision detection happens 
at certain points in time. Just before each up-going transition, and at one and three quarters of 
a bit-slot after a down going edge (if it is still transmitting a low). When a sender detects a 
collision it will stop transmitting and will try to retransmit its message later.
If two messages are transmitted at the same time and one is a prefix of the other, the receiver 
will not notice the prefix message. To ensure collision detection it is not allowed that a message 
is a prefix of an other message in transit. In the Philips environment this restriction is met by 
embedding the source address in each message (and assigning each component a unique source 
address).
In Figure 7.4 an example is depicted. Assume two senders, named A and B, that start trans­
mitting at exactly the same time. Because two lines on top of each other is hard to distinguish 
from one line, they are shifted slightly. The sender A (depicted with thick lines) starts trans­
mitting “ 11...” and sender B (depicted with thin lines) “ 101...” . At the end of the first bit-slot 
sender A does a down, to prepare for the next up-going edge. But one quarter after this down it 
detects a collision and stops transmitting. Sender B did not notice the other sender and continues 
transmitting. Note that the receiver will decode the message of the sender B correctly.
The protocol has to cope with one more thing: timing uncertainty. Because the protocol is 
implemented on a processor that also has to execute a number of other time critical tasks, a quite
144 Verification of an Audio Control Protocol with Bus Collision using Uppaal
B head0
B head1
Figure 7.5: Philips Audio-Control Protocol with Bus Collision.
large timing uncertainty is allowed. A bit-slot is 888 microseconds, so the ideal time between 
two edges is 888 or 444 microseconds. On the generation of edges a timing uncertainty of ±5%  
is allowed. That is, between 844 and 932 for one bit-slot and between 422 and 466 for half a bit­
slot. The collision detection just before an up-going edge and the actual generation of this up- 
going edge must be at most 20 microseconds. The timing uncertainty on the collision detection 
on one and three quarters after the generation of a down-going edge is ±22 microseconds. Also 
the receiver has a timing uncertainty of ±5%. And, to complete the timing information, the 
distance between the end of one message and the beginning of the next must be at least 8000 
microseconds (8 milliseconds).
7.5 A Formal Model of the Protocol
To analyze the behavior of the protocol we model the system as a network of seven timed 
automata. The network consists of two parts: a core part and a testing environment. The core 
part models the components of the protocol to be implemented: two senders, a wire and a 
receiver. The testing environment, consisting of two message generators and an output checker, 
is used to model assumptions about the environment of the protocol and for testing the behavior 
of the core part. Figure 7.5 shows a flow-graph of the network where nodes represent timed 
automata and edges represent synchronization channels or shared variables (enclosed within 
parenthesis).
The general idea of the model is as follows. The two automata MessageA and MessageB 
generate messages for the both senders, in addition MessageA informs the Check-automaton on 
the bits it generated for . The senders transmit the messages via the wire to the receiver.
The receiver communicates the bits it decoded to the checker. Thus the Check automaton is able 
to compare the bits generated by MessageA and the bits received by Receiver. If this matches 
the protocol is correct.
The senders A and B are, modulo renaming (all A’s in identifiers to B ’s), exactly the same. 
Because of this symmetry, it is enough to check that the messages transmitted by sender A are 
received correctly. We will proceed with a short description of each automaton. The definition 
of these uses a number of constants that are declared in Table 7.1 in Appendix 7.9.
7.5 A Formal Model of the Protocol 145
The Senders SenderA is depicted in Figure 7.10. It takes input actions AheadO?, Aheadl? and 
Aempty?. The output actions U P! and DOWN ! will be the Manchester encoding of the message. 
The clock Ax is used to measure the time between UP! and DOWN! actions. The idea behind 
the model (taken from [DY95]) is that the sender changes location each half of a bit-slot. The 
locations HS (wire is High in Second half of the bit-slot) and HF (High in First half of the 
bit-slot) refer to this idea. Extra locations are needed because of the collision detection.
The clock Ad is used to measure the time elapsed between the detection just before UP! 
action and the corresponding UP! action. The system is in the locations ar_Qfirst and ar_Q!ast 
when the next thing to do is the collision test at one or three quarters of a bit-slot. When Volt is 
greater than zero, at that moment, the sender detects a collision, stops transmitting and returns 
to the Wie location. The clock w is used to ensure the radio silence between messages. This 
variable is checked on the transition from to _ _ .
The Wire This small automaton keeps track of the voltage on the wire and generates VUP! 
actions when appropriate, that is when a UP? action is received when the voltage is low. The 
automaton is shown in Figure 7.9.
The Receiver Receiver, shown in Figure 7.8, decodes the bit sequence using the up-going 
(modeled as ?) changes of the wire. Decoded bits are signaled to the environment using 
output actions AddO!, Addi! and OUT! (where OUT! is used for signaling the end of a decoded 
message). The decoding algorithm of the receiver is a direct translation of the algorithm in the 
Philips documentation of the protocol. In the automaton each VUP? transition is followed by 
a transition modeling the decoding. This decoding happens at once, therefore the intermediate 
locations are modeled as committed locations. The automaton has two important locations, LI 
and LO. When the last received bit is a bit “ 1” the receiver is in location LI, after receiving a 
bit “0” it will be in location LO. The error location is entered when a VUP? is received much to 
early. In the complete model the error location is not reachable, see Section 7.6. The receiver 
keeps track of the parity of the received message using the integer variable odd. When the 
last received bit is a bit “ 1” and the message is even, a bit “0” is added to make the complete 
message of odd length.
The Message Generators The message generators and , shown in Fig­
ure 7.11, generate messages of odd length for sender A and B respectively. Furthermore, the 
messages generated for sender A are communicated to the checker. The start of a message 
is signaled to the checker by !, bits by ! and !. When a collision is de­
tected by sender A this is communicated to MessageA via Acoll?. The message generator will 
communicate this on his turn to the check automaton via CAcoll !.
Generating messages of odd length is quite simple. The only problem is that it is not allowed 
that a message for one sender is a prefix of the message for the other sender. To be more precise: 
If only one sender is transmitting there is no prefix restriction. Only when the two senders start 
transmitting at the same time, it is not allowed that one sender transmits a prefix of the message 
transmitted by the other. As mentioned before the reason for this restriction is that the prefix 
message is not received by the receiver and it is possible that the senders do not notice the 
collision. In other words: the prefix message can be lost.
The Checker This automaton is shown in Figure 7.7. It keeps track of the bits “in transit”,
i.e. the bits that are generated by the message generators but not yet decoded by the receiver. 
Whenever a bit is decoded or the end of the message is detected not conform the generated 
message the checker enters location . Furthermore, when sender A detects a collision the
146 Verification of an Audio Control Protocol with Bus Collision using Uppaal
checker returns to its initial location.
7.6 Verification in Uppaal
In this section we present the results of analyzing the protocol formally described in the pre­
vious section. We will use A .l to denote the (implicit) proposition at(A , l ) introduced in Sec­
tion 7.3.2. Also, note that invariance properties in UPPAAL are on the form VDß , where ß is a 
local property.
Correctness Criteria The main correctness criterion of the protocol is to ensure that the bit 
sequence received by the matches the bit sequence sent by . Moreover, the
entire bit sequence should be received by (and communicated to ). From the
description of the Check-automaton (see the previous section) it follows that this behavior is 
ensured if is always operating in location or :
VD (Check.start v  Check.a) (7.1)
When the Receiver-automaton observes changes of the wire too early it changes control to 
location error. If the rest of the components behave normally this should not happen. Therefore, 
the -automaton is required to never reach the location :
VD (^Receiv er.error) (7.2)
Incorrectness Unfortunately the protocol described in this chapter is not the protocol that 
Philips has implemented. The original sender checked less often for a bus collision. The “just 
before the up going edge” collision detection was only performed before the first up. In the 
U p p a a l  model this comes down to deleting outgoing transitions of ar_QIast_ok and using the 
outgoing transitions of ar_up_ok instead. This incorrect version is shown in Figure 7.12. In 
general the problem is that if  both senders are transmitting and one is slow and the other fast, 
the distance can cumulate to a high value that can confuse the receiver. U p p a a l  generated a 
counterexample trace to Property 7.1. The trace is depicted in Figure 7.6. The scenario is as 
follows: Sender A (depicted with thick lines) tries to transmit “ 111...” and sender B (depicted 
with thin lines) “ 1100...” . The sender A is fast and the other slow. This makes that the distance 
between the second UP’s is quite big (77 microseconds). In the third bit-slot the sender A de­
tects the collision. The result of all this is that the time elapsed between the VUP actions is 
6.65Q instead of the ideal 6Q. And because of the timing uncertainty in the receiver this can 
be interpreted as 7Q (7 * 0.95 =  6.65). And 7Q is just enough to decode “01” instead of the 
transmitted “0”. In the correct version this scenario is impossible, because if collision detection 
happens before every UP action, the distance between the UP’s in the second bit-slot can not be 
that high (at most 20 microseconds).
It is not likely that these kind of errors happen in the actual implementation. This is pre­
vented by, among others, the following: It is not likely that two senders do start at (roughly) 
the same time. The timing uncertainty is at most 2% instead of 5%. And the “average” timing 
uncertainty is even less. And finally, the source address is in the beginning of the messages, this 
makes the senders detect the collision. See [Gri94] for more details.
Although this problem was know by Philips it is interesting to see how powerful the diag­
nostic traces can be. It enables us not only to find mistakes in the model of a protocol, but also 
to find design mistakes in real life protocols.
7.7 Conclusions 147
I first
actual distance = 6.65Q|
Figure 7.6: Error execution of the incorrect protocol.
Verification Results U p p a a l  successfully verifies the correctness properties 7.1 and 7.2 for an 
error tolerance of 5% on the timing. Recall that SenderA and SenderB are, modulo renaming, 
exactly the same, implying that the verified properties for SenderA also applies to the symmetric 
case for SenderB. The verification of Property 7.1 and 7.2 was performed in 12.75 sec using 
2.1 MB of memory.
The analysis of the incorrect version of the protocol with less collision detection (discussed 
above) uses U p p a a l ’s ability to generate diagnostic traces whenever an invariant property is 
not satisfied by the system. The trace, consisting of 46 transitions, was generated in 4.5 sec 
using 1.8 MB of memory. Also, attempts to verify Property 7.1 for the full protocol with an 
error tolerance of 6% on the timing failed. The scenario is similar to the one found by Bosscher 
et al.in [BPV94] for the one sender protocol.
The properties were verified using U p p a a l  version 2.17 [LPY97a, BLL+98] that imple­
ments the verification algorithm for handling committed locations described in Section 7.3. It 
was installed on a Pentium 150 MHz MMX running Red Hat Linux 5.0. In the conference ver­
sion of this chapter [BGK+96] we reported that the same protocol was verified using U p p a a l  
version 0.961 installed on a SGI ONYX machine. The verification of the two correctness proper­
ties then consumed 7.5 hrs using 527.4 MB and 1.32 hrs using 227.9 MB, whereas a diagnostic 
trace for the incorrect version was generated in 13.0 min using 290.4 MB of memory. Hence, 
both the time- and space-consumption of the verifier have been reduced with over 99%. These 
improvements of the U p p a a l  verifier are due to a number of developments in the last two years 
that will not be discussed further here, but we refer the reader to [LPY97b, BLL+98].
7.7 Conclusions
In this chapter we have presented a case-study where the verification tool U p p a a l  is applied to 
analyze a realistic audio-control protocol by Philips with bus collision handling. The protocol 
has received a lot of attention in the formal methods research community (see e.g. [LSW97, 
CW96]) and simplified versions of the protocol without the handling of bus collisions have 
previously been analyzed by several research teams, with and without support from automatic 
tools. To our knowledge, the full protocol considered in this chapter has never before been 
automatically analyzed.
As verification results we have shown that the protocol behaves correctly if the error on all 
timing is bound to ±5% , and incorrectly if the error is ±6%. Furthermore, using UPPAAL’s 
ability to generate diagnostic traces we have been able to study error scenarios in an incorrect
bitslot i ideal distance = 6Q ,
1rThe two U p p a a l  versions 0.96 and 2.17 are dated Nov 1995 and March 1997 respectively.
148 Verification of an Audio Control Protocol with Bus Collision using Uppaal
version of the protocol actually implemented by Philips.
In this chapter we have also introduced the notion of so-called committed locations which 
allows for accurate modeling of atomic behaviors. More importantly, it is also utilized to prune 
the state-space and to avoid exploring unnecessary interleavings of independent transitions. Our 
experimental results demonstrate truly time and space-savings of the modified model checking 
algorithm. In fact, due to the huge time and memory-requirement, it was impossible to check 
certain properties of the protocol before the introduction of committed locations, and now it 
takes only seconds.
7.8 Epilogue
This chapter started as a paper on CAV’96. Paul Pettersson revised it in 1998. He updated the 
timings for the newer version of Uppaal 2.17 of March 1997. In the CAV’96 version a large 
automaton generates the messages. In this version two smaller automata generate the messages.
At the time of this writing (February 2000) committed locations are still used. And the 
Uppaal community is very alive, some topics: parallel verification, graphical simulations of 
systems, and parametric verification.
7.9 Appendix 149
7.9 Appendix
The constants used in the formulas
q 2220 One quarter of a bit-slot: 222 micro sec
d 200 Detection ’just before’ the UP: 
20 micro sec
g 220 ’Around’ 25% and 75% of the bit-slot: 
22 micro sec
w 80000 The radio silence: 8 milli sec
t 0.05 The timing uncertainty: 5%
The constants in the automata
W w 80000
D d 200
A lm in q-g 2000
A l max q+g 2440
A2min 3* q-g 6440
A2max 3* q+g 6880
Q2 2*q 4440
Q2minD 2*q*(l-t)-d 4018
Q2min 2*q*(l-t) 4218
Q2max 2*q*(l+t) 4662
Q3min 3*q*(l-t) 6327
Q3max 3*q*(l+t) 6993
Q5min 5*q*(l-t) 10545
Q5max 5*q*(l+t) 11655
Q7min 7*q*(l-t) 14763
Q7max 7*q*(l+t) 16317
Q9min 9*q*(l-t) 18981
Q9max 9*q*(l+t) 20979
Table 7.1: Declaration of Constants.
150 Verification of an Audio Control Protocol with Bus Collision using Uppaal
Figure 7.7: The Check Automaton.
Figure 7.8: The Receiver Automaton.
Figure 7.9: The Wire Automaton.
7.9 Appendix 151
senderA
ñüeauu?Aempty? HS Ax>=Q2min HF
creadv Ax>=Q2min (Ax<=Q2max) Ax<=Q2max (Ax<=Q2max)Ax<=Q2max ^  ^ Ax:=0
Figure 7.10: The SenderA Automaton.
152 Verification of an Audio Control Protocol with Bus Collision using Uppaal
messageA
messageB
Figure 7.11: The Message Automata.
7.9 Appendix 153
senderA
Aneauo?Aempty? HS Ax>=Q2min HF
c-readv Ax>=Q2min (Ax<=Q2max) Ax<=Q2max (Ax<=Q2max)Ax<=Q2max Ax:=0
Figure 7.12: The Incorrect SenderA Automaton.
154 Verification of an Audio Control Protocol with Bus Collision using Uppaal
Chapter 8
Conclusions
We (the reader and the author) have come to the end of this thesis. Here I try to summarize the 
essential lessons learned. The conclusions are put into a number of more or less independent 
remarks, because (using words of Wittengstein [Wit60]):
Wesentlich aber schien es mir, daß darin die Gedanken von einem Gegenstand 
zum andern in einer natürlichen und lückenlosen Folge fortschreiten sollten. Nach 
manchen mißglückten Versuchen, meine Ergebnisse zu einem solchen Ganzen 
zusammenzuschweißen, sah ich ein, daß mir dies nie gelingen würde.
Tools In this thesis a number of tools are used. We list them here and mention some character­
istics, with a focus on the differences.
• Doing proofs using LP is hard work. It has no decision procedures or tactical language. 
For larger cases this can be blocking. Since all facts are all in a single environment and 
influence each other, constructing large proofs is a intricate exercise (see Chapter 2).
•  Isabelle supports many logics, among them Higher Order Logic. The complete functional 
programming language (ML) is available to the user. Many theories are available for 
Isabelle. Better knowledge transfer (documentation) would be very beneficial. Even the 
latest tutorial is quite focused on the tool itself. For instance, in the PVS tutorial, an 
airplane reservation system is described and some properties are proved. This gives more 
insight in how the tool can be used.
• PVS has nice a user interface but hardly a programming interface, because the tactical 
language is quite poor. Documentation is quite good, therefore it is easy to start using 
PVS. The tool comes with many powerful decision procedures. The source code of PVS 
is not freely available. This makes it harder for other scientists to incorporate PVS as a 
(hidden) proof engine for a specialized tool.
•  Uppaal is a model checker. The ‘turnaround’ time (from start of specification to result) 
is much lower then when using proof checkers. Also the option to trace the behavior 
is very powerful. A disadvantage is that sometimes, one has to ‘encode’ datatypes in 
automata, and these parts of the specification are hard to read. An example of this is the 
generation of messages for the audio control protocol. On these messages, a restriction 
is that messages in transit should not be a prefix of one another. Encoding this in Uppaal 
automata is more difficult than expressing it in regular mathematics.
156 Conclusions
Approaches In this thesis, both a model checker (Uppaal) and proof checkers are used.
• Model checking. Fast and easy. Sometimes it is less clear what exactly is checked and 
why it works or not. In Uppaal this is remedied by the diagnostic traces and simulations.
• Proof checking. Lengthy process of hard work. PVS and Isabelle have the full expres­
siveness of Higer Order Logic. After going through the process one has deeper insight in 
reasons for the behavior because everything has been proved.
Formalisms In this thesis, Automata and related formalisms, ^CRL and ‘Uppaal’ automata 
are used. Most chapters use a flavor of Automata model.
•  I/O Automata Different flavors of Automata models are used in Chapters 2, 3, 5, 6 and 
in my Master’s Thesis [Gri94]. Therefore I am somewhat biased to this formalism.
• ixCRL Specifications in ^CRLcan be very concise. The algebra part can be of help but is 
also complicating matters. The notation used for Automata generators, the precondition 
effect style, is quite close to programming languages and therefore easier to understand 
for ‘outsiders’. When comparing the ^CRL community and the Automata community, 
it seems that the ^CRL community is more focusing on the algebra and process descrip­
tion in general, and the Automata community more on doing ‘practical’ verifications of 
protocols.
•  Timed Automata The model checker Uppaal uses timed automata. It has real- and 
natural-numbers as datatypes. Other datatypes are lacking. This makes the language 
semi decidable and simplifies the language to ‘outsiders’. A drawback is that everything 
else has to be encoded in naturals and locations.
Theory and Tools This thesis uses tools in a theoretical environment.
• Comparing proof tools (Chapter 4) is a strange exercise. In theory only the ‘deep’ and 
‘essential’ aspects matter. These are for instance- the logic used, the expressiveness of the 
tactical language, the existence of proof objects. On the other hand, a less ‘deep’ aspect 
can be blocking as well. For instance documentation that is not up-to date or too cryptic 
can basically make it impossible to use that tool. Also, a relatively simple aspect such 
as rewriting can be blocking when not implemented right. So, when comparing proof 
tools one always feels this tension- only ‘deep’ aspects matter, but also ‘trivial’ aspects 
are important for using it. While for instance, documentation can be improved (or at least 
changed) quite easily, in my experience the quality is quite constant over time. In my 
opinion the cause of this is that the development teams remain more-or-less unchanged. 
For these reasons I think the ‘trivial’ aspects should be part of a comparison of tools for a 
scientific community.
• Some problems do not exist when a theory is applied manually, but pop up when using the 
theory in a tool. An example are the execution fragments, used in classical simulations. 
For manual verifications, this is no problem at all, in mechanical verification, the execu­
tion fragments are more cumbersome. In fact the normed simulations (see Chapter 5) are 
‘born’ from a tool user (me), who wanted to get around the execution fragments.
157
Tips for an industrial researcher who wants to prove the correctness of a protocol After 
four years of working on protocol verification, I allow myself to list some tips for others who 
want to verify a protocol.
• If possible, use a model checker.
• If you have a lot of timing in the protocol and limited data then you can try Uppaal.
• If the data part is complicated, and you see no easy way to model that in locations and 
integers then a proof checker should be used.
• When the verification is a once (or twice) in your lifetime experience you can best go for 
PVS.
• If you expect many similar protocols, and these can all be attacked with a single custom 
made algorithm, then Isabelle should definitely be considered.
• Keep your formalization as simple as possible. Rethinking the formalization twice and 
stripping as much as possible, definitely pays off later.
• When you use an IOA like method do not try to make the formalization of the meta theory 
‘too nice’. In PVS, I tried to make the actions more like in theoretical papers- we have 
a single type of actions and every automaton works on a subset of actions. This can be 
formalized in PVS. But this complicates the specification and verification too much. In 
Chapter 6, we simply use PVS types for the action alphabet and constants for actions. 
To enable the comparison of actions from different action alphabets, an extra predicate is 
added. This is much simpler and results in shorter specifications and proofs. Be aware 
that every ‘layer’ in your specification has to be dealt with in the prover. Especially 
the automatic decision procedures are less effective when you use notions that are more 
complicated than the ones directly available in the prover.
• Be aware of ‘obvious’ lemmas on data types. Many data types are very easy to reason 
about for humans but much harder for tools. So, try to find libraries with data types, 
and use these. More and more libraries with data types and properties become available. 
Especially the Isabelle community is working on this. The Internet can very well be used 
to distribute the specifications and proofs.
Project setup Working on a thesis is not just about theory and tools, also organizational aspects 
are important.
• For the verification of complex protocols using state-of-the-art tools, a multi skill team is 
needed. Most of the work I did was not in a team like that.
• The Uppaal team works very well. All members add a different skill to the team. I very 
much liked working in that team.
158 Conclusions
Future Work In the field of formal methods a huge amount of work still needs to be done. 
Here I mention two more or less concrete subjects that, in my opinion, deserve attention from 
researchers.
•  Parameters in model checking. The audio control protocol has the timing uncertainty 
as a parameter. In Chapter 7 it is proved that the protocol fails with timing uncertainty 
of ±6%  and works correctly for a timing uncertainty of ±5%. Theoretically (without 
looking in the workings of the protocol) this tells us only very little. We do not know 
what happens for a timing uncertainty of ±5.1%  or for ±5.2%. When we look into the 
protocol, though, it seems very likely that somewhere in between 5 and 6 a breakpoint 
point lies- for all values below this point the protocol works correctly and for all higher 
values it doesn’t work anymore. And in fact, this is the case, see my Master’s Thesis 
[Gri94]. The idea behind the breakpoint is that the more the clocks drift, the worse things 
get. It seems that the correctness is monotone in the amount of drift. I think it would 
be interesting to formalize this idea and get from ‘it seems’ to ‘it is’. I can imagine that 
when a parameter is only used in a specific way in the automaton then we know that the 
correctness is monotone in this parameter. In the case of the audio control protocol, the 
ranges in the guards get larger when the clock drift increases.
• Tool support for simulations diagrams. The simulation diagrams helped me in struc­
turing the simulation proof, see Section 6.5.8. The diagrams can be used to automatically 
generate lemmas, that together prove the simulation. This is very much like what happens 
in the Step tool [BBC+00]. In the Step tool, the focus is on invariants and temporal logic 
reasoning. I can imagine a Step-like tool that uses simulation diagrams as suggested in 
Chapter 6, where Step uses the verification diagrams of Manna and Pnueli. The normed 
simulations help in making a tool like that, because then every generated lemma deals 
with at most two actions and not with execution fragments. For forward simulations, 
these lemmas are decidable when tautology checking is (see Chapter 5). Even when the 
data types are more complicated, focusing on at most two transitions in a single lemma, 
is easier for man and tool than having an execution fragment involved. Also, drawing a 
simulation diagram for a normed simulation seems easier than for a classical simulation, 
because there arbitrarily long execution fragments can be involved. I would prefer to use 
an existing tool as engine and write a program on top of that.
Bibliography
[AD90] Rajeev Alur and David Dill. Automata for Modelling Real-Time Systems. In 
Proc. o f Int. Colloquium on Algorithms, Languages and Programming, number 
443 in Lecture Notes in Computer Science, pages 322-335, July 1990.
[AG95] Sten Agerholm and Mike Gordon. Experiments with ZF set theory in HOL and 
Isabelle. In E. Thomas Schubert, Philip J. Windley, and James Alves-Foss, editors, 
Proceedings o f the 8 th International Workshop on Higher Order Logic Theorem 
Proving and Its Applications, Aspen Grove, UT, USA, volume 971 of Lecture 
Notes in Computer Science. Springer-Verlag, September 1995.
[AK95] Rajeev Alur and Robert P. Kurshan. Timing Analysis in COSPAN. In Rajeev 
Alur, Thomas A. Henzinger, and Eduardo D. Sontag, editors, Proc. o f Workshop 
on Verification and Control o f Hybrid Systems III, number 1066 in Lecture Notes 
in Computer Science, pages 220-231. Springer-Verlag, October 1995.
[AL91] M. Abadi and L. Lamport. The existence of refinement mappings. Theoretical 
Computer Science, 82(2)-253-284, 1991.
[AL92] M. Abadi and L. Lamport. An old-fashioned recipe for real time. In J.W.
de Bakker, C. Huizing, W.P. de Roever, and G. Rozenberg, editors, Proceedings 
REX Workshop on Real-Time: Theory in Practice, Mook, The Netherlands, June
1991, volume 600 of Lecture Notes in Computer Science, pages 1-27. Springer­
Verlag, 1992.
[Bar96] H.P. Barendregt. The quest for correctness. In Images o f SMC Research 1996, 
pages 39-59. Stichting Mathematisch Centrum, 1996.
[Bas96] T. Basten. Branching bisimilarity is an equivalence indeed! Information Process­
ing Letters, 58(3)-141-147, 1996.
[BBC+97] B. Barras, S. Boutin, C. Cornes, J. Courant, J.C. Filliatre, E. Giménez, H. Herbe­
lin, G. Huet, C. Muñoz, C. Murthy, C. Parent, C. Paulin, A. Saïbi, and B. Werner. 
The Coq Proof Assistant Reference Manual -  Version V6.1. Technical Report 
0203, INRIA, August 1997.
160 Bibliography
[BBC+00]
[BBG95]
[BCG88]
[BG93]
[BG95]
[BG96]
[BGK+96]
[BK91]
[BL96]
[BLL+95]
[B L L +98]
Nikolaj Bjorner, Anca Browne, Michael Colon, Bernd Finkbeiner, Zohar Manna, 
Henny Sipma, and Tomas Uribe. Verifying temporal properties of reactive sys­
tems- A STeP tutorial. 2000. To appear in Formal Methods in System Design. 
Available via h t tp  : / / r o d i n . s ta n f o r d . edu/.
M.A. Bezem, R. Bol, and J.F. Groote. Formalizing process algebraic verifications 
in the calculus of constructions. Computing Science Report 95-02, Eindhoven 
University of Technology, 1995.
M.C. Browne, E.M. Clarke, and O. Grümberg. Characterizing finite Kripke struc­
tures in propositional temporal logic. Theoretical Computer Science, 59(1,2)-115- 
131, 1988.
M.A. Bezem and J.F. Groote. A formal verification of the alternating bit proto­
col in the calculus of constructions. Logic Group Preprint Series 88, Dept. of 
Philosophy, Utrecht University, March 1993.
D.J.B. Bosscher and W.O.D. Griffioen. Een Philips-protocol correct bewezen. 
Informatie, 37(6)-14-18, 1995.
D.J.B. Bosscher and W.O.D. Griffioen. Regularity of a class of context-free pro­
cesses is decidable. In Proceedings 23nd ICALP, volume 1099 of Lecture Notes 
in Computer Science, pages 182-193. Springer-Verlag, 1996.
Johan Bengtsson, W.O. David Griffioen, Kâre J. Kristoffersen, Kim G. Larsen, 
Fredrik Larsson, Paul Pettersson, and Wang Yi. Verification of an Audio Protocol 
with Bus Collision Using UPPAAL. In Rajeev Alur and Thomas A. Henzinger, 
editors, Proc. o f the 8th Int. Conf. on Computer Aided Verification, number 1102 
in Lecture Notes in Computer Science, pages 244-256. Springer-Verlag, July 
1996.
David Basin and Matt Kaufmann. The Boyer-Moore prover and Nuprl- An ex­
perimental comparison. In Gérard Huet and Gordon Plotkin, editors, Logical 
Frameworks, pages 90 -  119. Cambridge University Press, 1991.
Johan Bengtsson and Fredrik Larsson. U p p a a l  a Tool for Automatic Verification 
of Real-time Systems. Master’s thesis, Uppsala University, 1996. Available via
.
Johan Bengtsson, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and Wang 
Yi. U p p a a l  — a Tool Suite for Automatic Verification of Real-Time Systems. 
In Proc. o f Workshop on Verification and Control o f Hybrid Systems III, number 
1066 in Lecture Notes in Computer Science, pages 232-243. Springer-Verlag, 
October 1995.
Johan Bengtsson, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, Wang Yi, and 
Carsten Weise. New Generation of U p p a a l . In Int. Workshop on Software Tools 
for Technology Transfer, June 1998.
Bibliography 161
[BLS96]
[BPV94]
[BW90]
[CD96]
[CL92]
[CM95]
[COR+95]
[CPS93]
[CW96]
[Dat]
[D G 97]
S. Bensalem, Y Lakhnech, and H. Saidi. Powerful techniques for the auto­
matic generation of invariants. In R. Alur and T.A. Henzinger, editors, Proceed­
ings of the 8 th International Conference on Computer Aided Verification, New 
Brunswick, NJ, USA, volume 1102 of Lecture Notes in Computer Science, pages 
323-335. Springer-Verlag, July/August 1996.
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control 
protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Proceed­
ings of the Third International School and Symposium on Formal Techniques in 
Real Time and Fault Tolerant Systems (FTRTFT’94), Lübeck, Germany, Septem­
ber 1994, volume 863 of Lecture Notes in Computer Science, pages 170-192. 
Springer-Verlag, 1994.
J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Theo­
retical Computer Science 18. Cambridge University Press, 1990.
Judith Crow and Ben L. Di Vito. Formalizing Space Shuttle software require­
ments. In First Workshop on Formal Methods in Software Practice (FMSP ’96), 
pages 40-48, San Diego, CA, January 1996. Association for Computing Machin­
ery.
B. Chetali and P. Lescanne. An exercise in LP- The proof of the non restoring 
division circuit. In First International Workshop on Larch, Dedham, pages 55­
68. Workshops in Computing, Springer-Verlag, July 1992.
Victor A. Carreño and Paul S. Miner. Specification of the IEEE-854 floating­
point standard in HOL and PVS. In HOL95: Eighth International Work­
shop on Higher-Order Logic Theorem Proving and Its Applications, As­
pen Grove, UT, September 1995. Category B proceedings, available at
.
Judy Crow, Sam Owre, John Rushby, Natarajan Shankar, and Man- 
dayam Srivas. A tutorial introduction to PVS. Presented at WIFT 
’95- Workshop on Industrial-Strength Formal Specification Techniques, 
Boca Raton, Florida, April 1995. Available, with specification files, at
.
R. Cleaveland, J. Parrow, and B. Steffen. The concurrency workbench- A seman­
tics based tool for the verification of concurrent systems. ACM Transactions on 
Programming Languages and Systems, 1(15)-36-72, 1993.
Edmund M. Clarke and Jeanette M. Wing. Formal Methods- State of the Art and 
Future Directions. ACM Computing Surveys, 28(4)-626-643, December 1996.
Database of existing mechanized reasoning systems.
.
M.C.A. Devillers and W.O.D. Griffioen. A formalization of finite and infinite 
sequences in PVS. Technical Report CSI-R9702, Computing Science Institute, 
University of Nijmegen, 1997.
162 Bibliography
[DGM97]
[DGRV97]
[DGRV00]
[DNV95]
[DY95]
[EGL92]
[FKM93]
[GG]
[GG91]
[GH93]
[GH98]
M.C.A. Devillers, W.O.D. Griffioen, and O. Müller. Possibly infinite sequences- 
A comparative case study. In E.L. Gunter and A. Felty, editors, 10th Interna­
tional Conference on Theorem Proving in Higher Order Logics (TPHOLs’97), 
volume 1275 of Lecture Notes in Computer Science, pages 89-104. Springer­
Verlag, 1997.
M.C.A. Devillers, W.O.D. Griffioen, J.M.T Romijn, and F.W. Vaandrager. Veri­
fication of a leader election protocol — formal methods applied to IEEE 1394. 
Technical Report CSI-R9728, Computing Science Institute, University of Ni­
jmegen, December 1997.
M.C.A. Devillers, W.O.D. Griffioen, J.M.T Romijn, and F.W. Vaandrager. Ver­
ification of a leader election protocol- Formal methods applied to IEEE 1394. 
Formal Methods in System Design, 16(3)-307-320, June 2000.
R. De Nicola and F.W. Vaandrager. Three logics for branching bisimulation. Jour­
nal ofthe ACM, 42(2)-458-487, March 1995.
C. Daws and S. Yovine. Two examples of verification of multirate timed automata 
with KRONOS. In Proc. o f the 16th IEEE Real-Time Systems Symposium, pages 
66-75. IEEE Computer Society Press, December 1995. Also appeared as techni­
cal report Spectre-95-06, VERIMAG, Grenoble, France.
U. Engberg, P. Granning, and L. Lamport. Mechanical verification of concur­
rent systems with TLA. In G. v. Bochmann and D.K. Probst, editors, Proceed­
ings o f the 4th International Workshop on Computer Aided Verification, Mon­
treal, Canada, volume 663 of Lecture Notes in Computer Science, pages 44-55. 
Springer-Verlag, 1992.
J.-C. Fernandez, A. Kerbrat, and L. Mounier. Symbolic equivalence checking. 
In C. Courcoubetis, editor, Proceedings o f the 5th International Conference, CAV 
’93, Elounda, Greece, volume 697 of Lecture Notes in Computer Science, pages 
85-97. Springer-Verlag, 1993.
S.J. Garland and J.V. Guttag. LP- Introduction.
.
Stephen J. Garland and John V. Guttag. A guide to LP, the Larch Prover. Re­
port 82, DEC Systems Research Center, Palo Alto, CA, December 1991.
J.V. Guttag and J.J. Horning. Larch: Languages and Tools for Formal Specifica­
tion. Springer-Verlag, 1993.
W.O.D. Griffioen and M. Huisman. A comparison of PVS and Isabelle/HOL. In 
J. Grundy and M. Newey, editors, Proceedings o f the 11th International Confer­
ence on Theorem Proving in Higher Order Logics, Canberra, Australia, volume 
1479 of Lecture Notes in Computer Science, pages 123-142. Springer-Verlag, 
September/October 1998.
Bibliography 163
[Gin68]
[GK95a]
[GK95b]
[GK95c]
[GLV97]
[GMW79]
[Gor95]
[GP94]
[GP95]
[Gri94]
[Gri95]
[Gri00]
[G S95]
A. Ginzburg. Algebraic Theory o f Automata. Academic Press, New York -  Lon­
don, 1968.
W.O.D. Griffioen and H.P. Korver. The bakery protocol- A comparative case­
study in formal verification. Report CS-R9569, CWI, Amsterdam, November 
1995.
W.O.D. Griffioen and H.P. Korver. The bakery protocol- A comparative case­
study in formal verification. In J.C. van Vliet, editor, CSN’95 (Computer Science 
in the Netherlands), pages 109-121. Stichting Mathematisch Centrum, 1995.
J.F. Groote and H.P. Korver. A correctness proof of the bakery protocol in ^CRL. 
In A. Ponse, C. Verhoef, and S.F.M. van Vlijmen, editors, Algebra o f Com­
municating Processes, Utrecht, 1994, Workshops in Computing, pages 63-86. 
Springer-Verlag, 1995.
S.J. Garland, N.A. Lynch, and M. Vaziri. IOA- A language for speci- 
fiying, programming, and validating distributed systems, September 1997.
.
Michael J.C. Gordon, Robin Milner, and Cristopher P. Wadsworth. Edinburgh 
LCF: A Mechanised Logic o f Computation, volume 78 of Lecture Notes in Com­
puter Science. Springer-Verlag, 1979.
Mike Gordon. Notes on PVS from a HOL perspective. Available at 
h t tp  : / / www. c l . cam. ac .u k /u se rs /m j cg/PVS.htm l, August 1995.
J.F. Groote and A. Ponse. Proof theory for /xCRL- a language for processes with 
data. In D.J. Andrews, J.F. Groote, and C.A. Middelburg, editors, Proceedings 
o f the International Workshop on Semantics o f Specification Languages, pages 
232-251. Workshops in Computer Science, Springer Verlag, 1994.
J.F. Groote and A. Ponse. The syntax and semantics of ^CRL. In A. Ponse,
C. Verhoef, and S.F.M. van Vlijmen, editors, Algebra o f Communicating Pro­
cesses ’94, Workshops in Computing Series, pages 26-62. Springer-Verlag, 1995.
W.O.D. Griffioen. Analysis of an audio control protocol with bus collision. Mas­
ter’s thesis, Programming Research Group, University of Amsterdam, 1994.
W.O.D. Griffioen. Proof-checking an audio control protocol with LP. Report 
CS-R9570, CWI, 1995.
W.O.D. Griffioen. Source files for studies in computer aided verification of pro­
tocols, 2000. .
J.F. Groote and J.S. Springintveld. Focus points and convergent process operators 
— a proof strategy for protocol verification. Report CS-R9566, Department of 
Software Technology, CWI, Amsterdam, November 1995.
164 Bibliography
[GSSL93]
[GV98]
[GvdP93]
[GW96]
[HHJT98]
[HHWT95]
[HNSY94]
[Hol91]
[HRP94]
[HSV94]
[HWT95]
[IEE96]
R. Gawlick, R. Segala, J.F. S0gaard-Andersen, and N. Lynch. Liveness in timed 
and untimed systems. Technical Report MIT/LCS/TR-587, Laboratory for Com­
puter Science, MIT, Cambridge, MA, December 1993.
W.O.D. Griffioen and F.W. Vaandrager. Normed simulations. In A.J. Hu andM.Y. 
Vardi, editors, Proceedings o f the 10th International Conference on Computer 
Aided Verification, Vancouver, BC, Canada, volume 1427 of Lecture Notes in 
Computer Science, pages 332-344. Springer-Verlag, June/July 1998.
J.F. Groote and J. van de Pol. A bounded retransmission protocol for large data 
packets. Logic Group Preprint Series 100, Dept. of Philosophy, Utrecht Univer­
sity, October 1993.
R.J. van Glabbeek and W.P. Weijland. Branching time and abstraction in bisimu­
lation semantics. Journal o f the ACM, 43(3)-555-600, 1996.
Ulrich Hensel, Marieke Huisman, Bart Jacobs, and Hendrik Tews. Reasoning 
about classes in object-oriented languages- Logical models and tools. In Pro­
ceedings o f ESOP at ETAPS ’98, volume 1381 of Lecture Notes in Computer 
Science, pages 105-121. Springer-Verlag, 1998.
Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. H y Te c h - The Next 
Generation. In Proc. ofthe 16th IEEE Real-Time Systems Symposium, pages 56­
65. IEEE Computer Society Press, December 1995.
Thomas. A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Sym­
bolic Model Checking for Real-Time Systems. Information and Computation, 
111(2)-193-244, 1994.
G.J. Holzmann. Design and Validation o f Computer Protocols. Prentice-Hall 
International, 1991.
N. Halbwachs, P. Raymond, and Y.-E. Proy. Verification of linear hybrid systems 
by means of convex approximations. In Static Analysis Symposium, number 864 
in Lecture Notes in Computer Science, pages 223-237, 1994.
L. Helmink, M.P.A. Sellink, and F.W. Vaandrager. Proof-checking a data link pro­
tocol. In H. Barendregt and T. Nipkow, editors, Proceedings International Work­
shop TYPES’93, Nijmegen, The Netherlands, May 1993, volume 806 of Lecture 
Notes in Computer Science, pages 127-165. Springer-Verlag, 1994. Full version 
available as Report CS-R9420, CWI, Amsterdam, March 1994.
P.-H. Ho and H. Wong-Toi. Automated analysis of an audio control protocol. In 
P. Wolper, editor, Proceedings o f the 7th International Conference on Computer 
Aided Verification, Liège, Belgium, volume 939 of Lecture Notes in Computer 
Science. Springer-Verlag, June 1995.
IEEE Computer Society. IEEE Standard for a High Performance Serial Bus. Std 
1394-1995, August 1996.
Bibliography 165
[IG99]
[ISO]
[Jon87]
[Jon90]
[KL93]
[Knu97]
[KS94]
[Lam74]
[LPY95]
[LPY97a]
[LPY97b]
[LSGL94]
S. Ivanov and W.O.D. Griffioen. Verification of a biphase mark protocol. Report 
CSI-R9915, Computing Science Institute, University of Nijmegen, August 1999.
ISO. Iso 9000. Technical report, ISO. h t tp :  //www. i s o . ch/.
B. Jonsson. Compositional Verification o f Distributed Systems. PhD thesis, De­
partment of Computer Systems, Uppsala University, 1987. DoCS 87/09.
B. Jonsson. On decomposing and refining specifications of distributed systems. 
In J.W. de Bakker, W.P. de Roever, and G. Rozenberg, editors, Proceedings REX 
Workshop on Stepwise Refinement o f Distributed Systems: Models, Formalism, 
Correctness, Mook, The Netherlands, May/June 1989, volume 430 of Lecture 
Notes in Computer Science, pages 361-387. Springer-Verlag, 1990.
R.P. Kurshan and L. Lamport. Verification of a multiplier- 64 bits and beyond. 
In C. Courcoubetis, editor, Proceedings o f the 5th International Conference on 
Computer Aided Verification, Elounda, Greece, volume 697 of Lecture Notes in 
Computer Science, pages 166-179. Springer-Verlag, 1993.
D.E. Knuth. Fundamental Algorithms, volume 1 of The Art o f Computer Pro­
gramming. Addison-Wesley, Reading, Massachusetts, 1997. Third edition.
H.P. Korver and J. Springintveld. A computer-checked verification of Milner’s 
scheduler. In M. Hagiya and J.C. Mitchell, editors, Proceedings o f the Inter­
national Symposium on Theoretical Aspects o f Computer Software (TACS’94), 
Sendai, Japan, volume 789 of Lecture Notes in Computer Science, pages 161­
178. Springer-Verlag, 1994.
L. Lamport. A new solution of Dijkstra’s concurrent programming problem. Com­
munications o f the ACM, 17(8)-453-455, 1974.
Kim G. Larsen, Paul Pettersson, and Wang Yi. Diagnostic model-checking for 
real-time systems. In 4th DIMACS Workshop on Verification and Control o f Hy­
brid Systems, number 1066 in Lecture Notes in Computer Science, pages 575­
586, New Brunswick, New Jersey, October 1995. Springer-Verlag.
Kim G. Larsen, Paul Pettersson, and Wang Yi. U p p a a l  in a Nutshell. Int. Journal 
on Software Tools for Technology Transfer, 1(1-2)-134-152, October 1997.
Kim G. Larsen, Paul Pettersson, and Wang Yi. U p p a a l - Status and Develop­
ments. In Orna Grumberg, editor, Proc. o f the 9th Int. Conf. on Computer Aided 
Verification, number 1254 in Lecture Notes in Computer Science, pages 456-459. 
Springer-Verlag, June 1997.
V. Luchangco, E. Söylemez, S. Garland, andN. Lynch. Verifying timing proper­
ties of concurrent algorithms. In Proceedings o f the Seventh International Con­
ference on Formal Description Techniques for Distributed Systems and Commu­
nications Protocols, pages 259-273. IFIP WG6.1, Chapman and Hall, October 
1994.
166 Bibliography
[LSW97]
[LT87]
[LT89]
[LV95]
[LV96]
[MBSU98]
[MH96]
[Mil89]
[MN95]
[MP94]
[Mue98]
[Nam 97]
Kim G. Larsen, Bernard Steffen, and Carsten Weise. Continuous modeling of 
real-time and hybrid systems- from concepts to tools. Int. Journal on Software 
Tools for Technology Transfer, 1(1-2)-64-85, December 1997.
N.A. Lynch and M.R. Tuttle. Hierarchical correctness proofs for distributed al­
gorithms. In Proceedings o f the 6th Annual ACM Symposium on Principles o f 
Distributed Computing, pages 137-151, August 1987. A full version is available 
as MIT Technical Report MIT/LCS/TR-387.
N.A. Lynch and M.R. Tuttle. An introduction to input/output automata. CWI 
Quarterly, 2(3)-219-246, September 1989.
N.A. Lynch and F.W. Vaandrager. Forward and backward simulations, I- Untimed 
systems. Information and Computation, 121(2)-214-233, September 1995.
N.A. Lynch and F.W. Vaandrager. Forward and backward simulations, II- Timing- 
based systems. Information and Computation, 128(1)-1-25, July 1996.
Z. Manna, A. Browne, H.B. Sipma, and T.E. Uribe. Visual abstraction for tempo­
ral verification. In Proceedings AMAST’98, Lecture Notes in Computer Science, 
pages 28-41. Springer-Verlag, 1998.
Nicholas A. Merriam and Michael D. Harrison. Evaluating the interfaces of three 
theorem proving assistants. In F. Bodart and J. Vanderdonckt, editors, Proceed­
ings of the 3rd International Eurographics Workshop on Design, Specification, 
and Verification o f Interactive Systems, Eurographics Series, Namur, Belgium, 
June 1996. Springer-Verlag.
R. Milner. Communication and Concurrency. Prentice-Hall International, Engle­
wood Cliffs, 1989.
Olaf Müller and Tobias Nipkow. Combining model checking and deduction for 
I/O-automata. In U.H. Engberg, K.G. Larsen, and A. Skou, editors, Proceedings 
o f the Workshop on Tools and Algorithms for the Construction and Analysis of 
Systems, Aarhus, Denmark, volume NS-95-2 of BRICSNotes Series, pages 1-12. 
Department of Computer Science, University of Aarhus, May 1995.
Z. Manna and A. Pnueli. Temporal verification diagrams. In M. Hagiya and 
J.C. Mitchell, editors, Proceedings o f the International Symposium on Theoretical 
Aspects o f Computer Software (TACS’94), Sendai, Japan, volume 789 of Lecture 
Notes in Computer Science, pages 726-765. Springer-Verlag, 1994.
O. Mueller. A Verification Environment for I/O Automata Based on Formalized 
Meta-Theory. PhD thesis, Technical University of Munich, 1998.
K.S. Namjoshi. A simple characterization of stuttering bisimulation. In S. Ramesh 
and G. Sivakumar, editors, Proceedings 17 th Conference on Foundations o f Soft­
ware Technology and Theoretical Computer Science, Kharagpur, India, volume 
1346 of Lecture Notes in Computer Science, pages 284-296. Springer-Verlag, 
December 1997.
Bibliography 167
[NS95]
[OG76]
[ORSvH95]
[Owr]
[Pau90]
[Pau94]
[PCCW93]
[Pel86]
[Pfe]
[Pol94]
[RE98]
[Rom99]
[Rus]
[SAGG+93]
[SA LL93]
T. Nipkow and K. Slind. I/O automata in Isabelle/HOL. In P. Dybjer, B. Nord­
ström, and J. Smith, editors, Types for Proofs and Programs, volume 996 of Lec­
ture Notes in Computer Science, pages 101-119. Springer-Verlag, 1995.
S. Owicki and D. Gries. An axiomatic proof technique for parallel programs. Acta 
Informatica, 6(4)-319-340, 1976.
Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal 
verification for fault-tolerant architectures- Prolegomena to the design of PVS. 
IEEE Transactions on Software Engineering, 21(2)-107-125, February 1995.
Sam Owre. h t t p : //www.c s l . s r i . c o m /h tb in /p v s /p v s -b u g - l is t .
Lawrence C. Paulson. Isabelle- The next 700 theorem provers. In P. Odifreddi, 
editor, Logic and Computer Science, pages 361-386. Academic Press, 1990.
Lawrence C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of Lec­
ture Notes in Computer Science. Springer-Verlag, 1994.
Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and Charles V. Weber. Capability 
maturity model for software, version 1.1. Technical Report CMU/SEI-93-TR- 
24, DTIC Number ADA263403, Software Engineering Institute, February 1993.
.
F.J. Pelletier. Seventy-five graduated problems for testing automatic theorem 
provers. Journal o f Automated Reasoning, pages 191-216, 1986.
Frank Pfenning. Isabelle bibliography.
.
Robert Pollack. The Theory o f LEGO: A Proof Checker for the Extended Calculus 
o f Constructions. PhD thesis, University of Edinburgh, 1994.
W.P. de Roever and K. Engelhardt. Data Refinement: Model-Oriented Proof 
Methods and their Comparison. Cambridge Tracts in Theoretical Computer Sci­
ence 47. Cambridge University Press, 1998.
J.M.T. Romijn. Analysing Industrial Protocols with formal Methods. PhD thesis, 
Department of Computer Science, University of Twente, October 1999.
John Rushby. PVS bibliography. .
J. S0gaard-Andersen, S. Garland, J. Guttag, N.A. Lynch, and A. Pogosyants. 
Computer-assisted simulation proofs. In C. Courcoubetis, editor, Proceedings 
o f the 5th International Conference on Computer Aided Verification, Elounda, 
Greece, volume 697 of Lecture Notes in Computer Science, pages 305-319. 
Springer-Verlag, 1993.
J.F. S0gaard-Andersen, N.A. Lynch, and B.W. Lampson. Correctness of commu­
nication protocols -  a case study. Technical Report MIT/LCS/TR-589, Laboratory 
for Computer Science, MIT, Cambridge, MA, November 1993.
168 Bibliography
[Sha96]
[Sis91]
[SS00]
[SV89]
[SV99]
[SZ98]
[VL92]
[Voi92]
[WB89]
[Wen95]
[Wen97]
[Wit60]
[Wol]
N. Shankar. PVS- Combining specification, proof checking, and model checking. 
In Mandayam Srivas and Albert Camilleri, editors, Formal Methods in Computer- 
Aided Design (FMCAD ’96), volume 1166 of Lecture Notes in Computer Science, 
pages 257-264, Palo Alto, CA, November 1996. Springer-Verlag.
A.P. Sistla. Proving correctness with respect to nondeterministic safety specifica­
tions. Information Processing Letters, 39(1)-45-49, July 1991.
D.P.L. Simons and M.I.A. Stoelinga. Mechanical verification of the IEEE 1394a 
root contention protocol using Uppaal2k. 2000. to appear.
R. de Simone and D. Vergamini. Aboard AUTO. Technical Report 111, INRIA, 
Centre Sophia-Antipolis, Valbonne Cedex, 1989.
M.I.A. Stoelinga and F.W. Vaandrager. Root contention in IEEE 1394. In J.-P. Ka­
toen, editor, Proceedings o f 5th AMAST Workshop on Real-Time and Probabilis­
tic Systems (ARTS’99) Bamberg, Germany, May 1999, volume 1601 of Lecture 
Notes in Computer Science, pages 53-75. Springer-Verlag, 1999. Also, Technical 
Rapport CSI-R9905, Computing Science Institute, University of Nijmegen, May 
1999.
C. Shankland and M.B. van der Zwaag. The tree identify protocol of IEEE 1394 
in ^CRL. Formal Aspects o f Computing, 10(5/6)-509-531, 1998.
F.W. Vaandrager and N.A. Lynch. Action transducers and timed automata. In 
W.R. Cleaveland, editor, Proceedings CONCUR 92, Stony Brook, NY, USA, vol­
ume 630 of Lecture Notes in Computer Science, pages 436-455. Springer-Verlag,
1992.
Frédéric Voisin. A new front-end for the larch prover. In Ursula Martin and Jean­
nette M. Wing, editors, First International Workshop on Larch, Dedham 1992, 
pages 282-296. Workshops in Computing, Springer-Verlag, 1992.
Philip Wadler and Stephen Blott. How to make ad-hoc polymorphism less ad 
hoc. In 16’thACM Symposium on Principles o f Programming Languages, Austin, 
Texas, January 1989.
Markus Wenzel. Using axiomatic type classes in Isabelle, a tutorial, 1995.
.
Markus Wenzel. Type classes and overloading in higher-order logic. In Elsa L. 
Gunter and Amy Felty, editors, Proceedings o f the 10th International Workshop 
on Theorem Proving in Higher Order Logics, Murray Hill, NJ, USA, volume 1275 
of Lecture Notes in Computer Science. Springer-Verlag, August 1997.
Ludwig Wittgenstein. Philosophische Untersuchungen. Frankfurt am M ain­
Suhrkamp, 1960.
P. Wolper. Verification- dreams and reality. Inaugural lecture of the course "The 
algorithmic verification o f reactive systems".
Bibliography 169
[You97]
[YPD94]
[Zam97]
William D. Young. Comparing verification systems- Interactive Consistency in 
ACL2. IEEE Transactions on Software Engineering, 23(4)-214-223, April 1997.
Wang Yi, Paul Pettersson, and Mats Daniels. Automatic Verification of Real-Time 
Communicating Systems By Constraint-Solving. In Dieter Hogrefe and Stefan 
Leue, editors, Proc. o f the 7th Int. Conf. on Formal Description Techniques, pages 
223-238. North-Holland, 1994.
Vincent Zammit. A comparative study of Coq and HOL. In Elsa L. Gunter and 
Amy Felty, editors, Proceedings o f the 10th International Workshop on Theorem 
Proving in Higher Order Logics, Murray Hill, NJ, USA, volume 1275 of Lecture 
Notes in Computer Science. Springer-Verlag, August 1997.
170 Bibliography
Samenvatting
De invloed van computers op ons leven neemt toe, deels doordat het aantal computers toe­
neemt, maar vooral doordat ze steeds vaker belangrijke taken krijgen toebedeeld. Vliegtuigen 
worden bestuurd door automatische piloten, vrijwel al ons geld zit ‘in’ de computer, sluizen 
worden bestuurd door computers, enzovoort. Het is belangrijk dat deze systemen zich gedragen 
zoals bedoeld- het vliegtuig veilig laten landen, het geld overmaken naar de juiste rekening 
en de sluizen sluiten bij hoog water. Het probleem is dat deze systemen groot, gedistribueerd 
en moeilijk zijn. In veel gevallen is het niet mogelijk de systemen te testen in hun normale 
omgeving, omdat dat gevaarlijk (vliegtuigen), duur (banken) of tijdrovend (sluizen) is.
Hoe kunnen we er dan voor zorgen dat deze systemen zich correct gedragen? Ze moeten 
zeer zorgvuldig worden ontwikkeld, het ontwikkelingsproces moet voldoen aan de hoogste stan­
daarden (ISO9000, CMM level 5, etc). Een onderdeel daarvan kan het gebruik van Formele 
Methoden zijn. Formele Methoden gebruiken wiskundige talen om de systemen en hun gewen­
ste eigenschappen te beschrijven. Dit maakt het mogelijk om te bewijzen dat het systeem de 
gewenste eigenschappen heeft. Omdat de systemen groot zijn en de bewijzen lang, gebruiken 
we computers om te controleren of de bewijzen in orde zijn.
Het lijkt dat er hier sprake is van een cirkelredenering- we vertrouwen een computersysteem 
niet zomaar, gebruiken Formele Methoden om dit system te controleren, en gebruiken dan weer 
compters om de bewijzen te controleren! Toch is dit geen echte cirkel; de computersystemen die 
we gebruiken om de bewijzen te controleren zijn veel eenvoudiger (en eenvoudiger te testen!) 
dan de systemen waar het ons allemaal om begonnen is (dit wordt nader toegelicht in [Bar96]).
Laten we iets dieper ingaan op de titel van deze dissertatie. “Studies in” geeft aan dat dit 
proefschrift een aantal min of meer los staande hoofdstukken bevat. “Computer Aided” staat 
simpelweg voor- met behulp van een computer. “Verification” staat voor verifiëren, controleren. 
Hier kom ik nog op terug. Een “Protocol” tenslotte, is een verzameling regels waaraan de 
deelnemers zich moeten houden om tot het gewenste resultaat te komen. Een voorbeeld van 
een protocol is het bonnetjes-systeem bij de bakker. Iedere klant trekt een bonnetje, wacht tot 
het juiste nummer op de klok van de bakker verschijnt en wordt dan geholpen. De bakker doet 
het volgende. Hij kijkt op de klok, roept dat nummer en als er een klant reageert wordt deze 
geholpen. Als die klant geholpen is verhoogt hij het nummer op de klok enz. Dit is een heel 
eenvoudig protocol met een eenvoudig doel- het in eerlijke volgorde helpen van klanten.
Als men een protocol wilt verifiëren, moeten er veel keuzes die gemaakt worden. Wil 
men een zogenaamde model checker of een proof checker gebruiken? Bij model checken be­
schrijft (modelleert) men het protocol als een eindige automaat. De model checker kan nu alle
172 Samenvatting
mogelijke toestanden waarin het systeem zich kan bevinden, controleren op bepaalde eigen­
schappen. Omdat realistische systemen veel toestanden hebben, kost model checken vaak bij­
zonder veel geheugen en tijd. In hoofdstuk 7 wordt de model checker Uppaal gebruikt om een 
protocol te analyseren. Toen dit hoofdstuk als artikel verscheen [BGK+96], was het de grootste 
analyse in zijn soort. Dit is mede mogelijk gemaakt door de introductie van zogenaamde ‘com­
mitted locations’. Een ‘commited location’ beschrijft dat een deel-systeem in een toestand is 
die onmiddellijk weer verlaten moet worden. Voordeel van het gebruik van committed locations 
is dat men soms preciezer kan modelleren wat wordt bedoeld. Bovendien heeft het beschreven 
systeem minder toestanden waardoor de verificatie sneller gaat. Model checken heeft bepaalde 
nadelen- niet alles kan beschreven of geverifiëerd worden.
De meeste hoofdstukken houden zich bezig met proof checken. Dit is het door de computer 
laten controleren van een bewijs. Als men kiest voor proof checken is een andere belang­
rijke keuze welke wiskundige taal men gebruikt om het systeem te beschrijven. In hoofstuk 3 
worden aan de hand van het eenvoudige bakkerij-voorbeeld twee talen vergeleken- ^CRL en 
I/O Automata. In dit geval geeft de I/O Automata aanpak aanleiding tot een iets eenvoudiger 
bewijs.
Als men kiest voor een I/O Autmata aanpak dan kan men zogenaamde ‘invarianten’ be­
wijzen. Een eigenschap is invariant als deze voor alle toestanden van de automaat geldt. Men 
kan ook bewijzen dat twee sytemenen, van buitenaf gezien, het zelfde gedrag vertonen. Men 
modelleert dan een specificatie en een implementatie. De specificatie beschrijft op hoog niveau 
wat het systeem moet doen, de implementatie beschrijft in meer detail hoe het systeem werkt. 
Als dan bewezen kan worden dat de implementatie, van buitenaf gezien, gelijk is aan de speci­
ficatie, is de implementatie correct.
In hoofdstuk 5 wordt een bestaande bewijstechniek verfijnd. Het idee van de bestaande tech­
niek (simulations) is om iedere actie van een systeem met een reeks acties in het andere systeem 
te relateren. Op deze manier kan bewezen worden dat de implementatie ‘gelijk’ is aan de speci­
ficatie. Het feit dat en enkele actie met een reeks acties wordt gerelateerd, is niet altijd handig. 
We introduceren normed simulations, waarin een actie altijd met maximaal één actie uit de an­
dere automaat gerelateerd wordt. Dit heeft als voordeel dat de bewijzen eenvoudiger worden. 
Onder bepaalde voorwaarden zijn normed simulations zelfs beslisbaar. Beslisbaar betekent in 
praktische zin dat een computerprogramma, gegeven een implementatie, een specificatie en een 
normed simulation, kan uitrekenen of de implementatie correct is.
De laatste keuze die men moet maken is de keuze voor een stuk gereedschap (tool). In dit 
proefschrift worden vier tools gebruikt. In hoofdstukken 2 en 3 wordt LP gebruikt, dit is een 
relatief eenvoudige tool voor eenvoudige (eerste orde) wiskunde. In de hoofdstuk 6 wordt PVS 
gebruikt. Dit is een krachtiger tool voor ‘alle’ (hogere orde) wiskunde. In hoofdstuk 4 worden 
twee bewijstools vergeleken- PVS en Isabelle/HOL. In hoofdstuk 7 wordt de model checker 
Uppaal gebruikt.
In dit proefschrift wordt dus een aantal technieken en tools gebruikt om protocollen te ana­
lyseren. In hoofdstuk 7 gaf het protocol aanleiding tot een uitbreiding van het tool met comitted 
locations. Dit maakt sommige specificaties eenvoudiger en de verificatie sneller. De verificatie 
in hoofstuk 6 gaf aanleiding tot het introduceren van normed simulations in hoofdstuk 5. Verder 
worden tools (in hoofdstuk 4) en methodes (in hoofdstuk 3) vergeleken. Dit allemaal om te 
komen tot- Een praktische en schaalbare aanpak voor de verificatie van protocollen, gebruik 
makend van bestaande systemen. Ik hoop dat dit proefschrift inderdaad heeft bijgedragen aan 
het vinden van zo’n aanpak.
T i t l e s  in  t h e  IP A  D i s s e r t a t i o n  S e r i e s
J.O. Blanco. The State Operator in Process Algebra. 
Faculty of Mathematics and Computing Science, TUE. 
1996-1
A.M. Geerling. Transformational Development o f  
Data-Parallel Algorithms. Faculty ofMathematics and 
Computer Science, KUN. 1996-2
P.M. Achten. Interactive Functional Programs: Mod­
els, Methods, and Implementation. Faculty of Mathe­
matics and Computer Science, KUN. 1996-3
M.G.A. Verhoeven. Parallel Local Search. Faculty of 
Mathematics and Computing Science, TUE. 1996-4
M.H.G.K. Kesseler. The Implementation o f  Func­
tional Languages on Parallel Machines with Distrib. 
Memory. Faculty of Mathematics and Computer Sci­
ence, KUN. 1996-5
D. Alstein. Distributed Algorithms for Hard Real­
Time Systems. Faculty of Mathematics and Computing 
Science, TUE. 1996-6
J.H. Hoepman. Communication, Synchronization, 
and Fault-Tolerance. Faculty of Mathematics and 
Computer Science, UvA. 1996-7
H. Doornbos. Reductivity Arguments and Program 
Construction. Faculty of Mathematics and Computing 
Science, TUE. 1996-8
D. Turi. Functorial Operational Semantics and its De- 
notational Dual. Faculty of Mathematics and Com­
puter Science, VUA. 1996-9
A.M.G. Peeters. Single-Rail Handshake Circuits. 
Faculty of Mathematics and Computing Science, TUE.
1996-10
N.W.A. Arends. A Systems Engineering Specification 
Formalism. Faculty of Mechanical Engineering, TUE.
1996-11
P. Severi de Santiago. Normalisation in Lambda Cal­
culus and its Relation to Type Inference. Faculty of 
Mathematics and Computing Science, TUE. 1996-12
D.R. Dams. Abstract Interpretation and Partition Re­
finement for Model Checking. Faculty of Mathematics 
and Computing Science, TUE. 1996-13
M.M. Bonsangue. Topological Dualities in Seman­
tics. Faculty of Mathematics and Computer Science, 
VUA. 1996-14
B.L.E. de Fluiter. Algorithms for Graphs o f  Small 
Treewidth. Faculty of Mathematics and Computer Sci­
ence, UU. 1997-01
W.T.M. Kars. Process-algebraic Transformations in 
Context. Faculty of Computer Science, UT. 1997-02
P.F. Hoogendijk. A Generic Theory o f Data Types. 
Faculty of Mathematics and Computing Science, TUE.
1997-03
T.D.L. Laan. The Evolution o f  Type Theory in Logic 
and Mathematics. Faculty of Mathematics and Com­
puting Science, TUE. 1997-04
C.J. Bloo. Preservation o f Termination for Explicit 
Substitution. Faculty of Mathematics and Computing 
Science, TUE. 1997-05
J.J. Vereijken. Discrete-Time Process Algebra. Fac­
ulty of Mathematics and Computing Science, TUE.
1997-06
F.A.M. van den Beuken. A Functional Approach to 
Syntax and Typing. Faculty of Mathematics and Infor­
matics, KUN. 1997-07
A.W. Heerink. Ins and Outs in Refusal Testing. Fac­
ulty of Computer Science, UT. 1998-01
G. Naumoski and W. Alberts. A Discrete-Event Sim­
ulator for Systems Engineering. Faculty ofMechanical 
Engineering, TUE. 1998-02
J. Verriet. Scheduling with Communication for Mul­
tiprocessor Computation. Faculty of Mathematics and 
Computer Science, UU. 1998-03
J.S.H. van Gageldonk. An Asynchronous Low-Power 
80C51 Microcontroller. Faculty of Mathematics and 
Computing Science, TUE. 1998-04
A.A. Basten. In Terms o f  Nets: System Design with 
Petri Nets and Process Algebra. Faculty of Mathemat­
ics and Computing Science, TUE. 1998-05
E. Voermans. Inductive Datatypes with Laws and 
Subtyping -  A Relational Model. Faculty of Mathe­
matics and Computing Science, TUE. 1999-01
H. terDoest. Towards Probabilistic Unification-based 
Parsing. Faculty of Computer Science, UT. 1999-02
J.P.L. Segers. Algorithms for the Simulation o f Sur­
face Processes. Faculty of Mathematics and Comput­
ing Science, TUE. 1999-03
C.H.M. van Kemenade. Recombinative Evolutionary 
Search. Faculty of Mathematics and Natural Sciences, 
Univ. Leiden. 1999-04
E.I. Barakova. Learning Reliability: a Study on Inde­
cisiveness in Sample Selection. Faculty of Mathemat­
ics and Natural Sciences, RUG. 1999-05
M.P. Bodlaender. Schedulere Optimization in Real­
Time Distributed Databases. Faculty of Mathematics 
and Computing Science, TUE. 1999-06
M.A. Reniers. Message Sequence Chart: Syntax and 
Semantics. Faculty of Mathematics and Computing 
Science, TUE. 1999-07
J.P. Warners. Nonlinear approaches to satisfiability 
problems. Faculty of Mathematics and Computing Sci­
ence, TUE. 1999-08
J.M.T. Romijn. Analysing Industrial Protocols with 
Formal Methods. Faculty of Computer Science, UT. 
1999-09
P.R. D’Argenio. Algebras and Automata for Timed 
and Stochastic Systems. Faculty of Computer Science, 
UT. 1999-10
G. Fábián. A Language and Simulator for Hybrid Sys­
tems. Faculty of Mechanical Engineering, TUE. 1999­
11
J. Zwanenburg. Object-Oriented Concepts and Proof 
Rules. Faculty of Mathematics and Computer Science, 
TUE. 1999-12
R.S. Venema. Aspects o f an Integrated Neural Pre­
diction System. Faculty of Mathematics and Natural 
Sciences, RUG. 1999-13
J. Saraiva. A Purely Functional Implementation o f  A t­
tribute Grammars. Faculty of Mathematics and Com­
puter Science, UU. 1999-14
R. Schiefer. Viper, A Visualisation Tool for Paral­
lel Progam Construction. Faculty of Mathematics and 
Computer Science, TUE. 1999-15
K.M.M. de Leeuw. Cryptology and Statecraft in the 
Dutch Republic. Faculty of Mathematics and Com­
puter Science, UvA. 2000-01
T.E.J. Vos. UNITY in Diversity. A stratified approach 
to the verification ofdistributed algorithms. Faculty of 
Mathematics and Computer Science, UU. 2000-02
W. Mallon. Theories and Tools for the Design o f  
Delay-Insensitive Communicating Processes. Faculty 
of Mathematics and Natural Sciences, RUG. 2000-03
