On Combining Functional Verification and Performance Evaluation using CADP by Garavel, Hubert & Hermanns, Holger
HAL Id: inria-00072096
https://hal.inria.fr/inria-00072096
Submitted on 23 May 2006
On Combining Functional Verification and Performance
Evaluation using CADP
Hubert Garavel, Holger Hermanns
To cite this version:
Hubert Garavel, Holger Hermanns. On Combining Functional Verification and Performance Evaluation
using CADP. [Research Report] RR-4492, INRIA. 2002. ⟨inria-00072096⟩
ISSN 0249-6399   ISRN INRIA/RR--4492--FR+ENG
Research report
THEME 1
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
N° 4492
July 2002
INRIA Rhône-Alpes research unit
655, avenue de l’Europe, 38330 Montbonnot-St-Martin (France)
Telephone: +33 4 76 61 52 00, Fax: +33 4 76 61 52 52
Hubert Garavel∗ , Holger Hermanns†
Theme 1: Networks and systems
Project VASY
Research report no. 4492, July 2002, 24 pages
Abstract: Considering functional correctness and performance evaluation in a common
framework is desirable, both for scientific and economic reasons. In this report, we describe
how the Cadp toolbox, originally designed for verifying the functional correctness of Lotos
specifications, can also be used for performance evaluation. We illustrate the proposed
approach by the performance study of the Scsi-2 bus arbitration protocol.
Key-words: bisimulation – bus arbitration – compositional verification – formal specification
– labeled transition system – Lotos – Markov chain – minimisation – model checking
– performance evaluation – process algebra – Scsi-2
A short version of this research report is also available as “On Combining Functional Verification and
Performance Evaluation using CADP”, in Lars-Henrik Eriksson and Peter A. Lindsay, editors, Proceedings
of the 11th International Symposium of Formal Methods Europe FME’2002 (Copenhagen, Denmark), July
22–24, 2002.
∗ INRIA Rhône-Alpes, E-mail: Hubert.Garavel@inria.fr
† Formal Methods and Tools Group, University of Twente, P.O. Box 217, NL-7500 AE Enschede, The
Netherlands, E-mail: hermanns@cs.utwente.nl
Combining functional verification and performance evaluation with CADP
Abstract: It is desirable, both for scientific and economic reasons, to consider functional
correctness and performance evaluation within a single conceptual framework. In this report,
we describe how the Cadp toolbox, initially designed to verify the functional correctness of
Lotos specifications, can also be used for performance evaluation. We illustrate the proposed
approach with a performance study of the Scsi-2 bus arbitration protocol.
Key-words: process algebra – bus arbiter – bisimulation – Markov chain – performance
evaluation – Lotos – minimisation – model checking – Scsi-2 – formal specification –
labelled transition system – compositional verification
1 Introduction
The design of models suited for performance and reliability analysis of systems is difficult
because of their increase in size and complexity, in particular for systems with a high degree
of irregularity. Traditional performance models like Markov chains and queueing networks
are not easy to apply in these areas, mainly because they lack hierarchical composition
and abstraction means. Therefore, if attempts are nowadays made to assess performance of
complex designs, they are most often isolated from the system design cycle. This insularity
problem of performance evaluation [Fer86] is undesirable.
On the other hand, to describe and analyse the functional properties of designs, various
specification formalisms exist, which enable systems to be modelled in a compositional,
hierarchical manner. A prominent example of such specification formalisms is the class of
process algebras, which provide abstraction mechanisms to treat system components as black
boxes, making their internal implementation details invisible.
Among the many process algebras proposed in the literature, Lotos [ISO88, BB88,
Tur93] has received much attention, due to its technical merits and its status of Iso/Iec
International Standard. Cadp (Caesar/Aldebaran Development Package) [GLM01] is a
widespread tool set for the design and verification of complex systems. Cadp supports the
process algebra Lotos for specification, and offers various tools for simulation and formal
verification, including equivalence checkers (bisimulations) and model checkers (temporal
logics and modal µ-calculus).
Facing these advanced means to construct correct models of complex systems, it appears
most interesting to investigate how performance evaluation can be carried out on the basis
of such models, and this is what the present report is about. Functional correctness and
performance evaluation being two facets of the same problem, which is the proper functioning
of a system, it is desirable to address them together, both for scientific and economic reasons.
This requires (i) a common theoretical framework, (ii) a common language for modelling
both functional and performance aspects, (iii) a common methodology for combining both
aspects, and (iv) software tools implementing the appropriate algorithms.
To arrive at this joint consideration of functionality and performance, we follow the
approach advocated in [HK00]. We start from a functionally verified Lotos specification,
in which we introduce timing related information, which expresses that certain events are
delayed by a random time (governed by an exponential distribution or, more generally, a
phase-type distribution).
To support this methodology, we use the existing software components of Cadp, as well
as a novel tool named Bcg Min, which we developed for minimising stochastic models. We
illustrate the approach with an industrial case study: the bus arbitration protocol used in
the Scsi-2 [ANS94] standard.
We are not the first to advocate a joint consideration of functional verification and
performance evaluation. This idea has driven the development of stochastic Petri nets
[ABC84], stochastic process algebras [HBV93, MBC+94, Hil96, BG98, HHK02], as well as
other approaches, e.g., [BBA98]. Our proposal can be considered as a pragmatic outcome
of research on stochastic algebras, other tools in this context being the Pepa-workbench
[GH94], TwoTowers [BCSS98], and the TippTool [HHK+00]. Although on a superficial
level all these tools implement an approach similar to ours, only TwoTowers provides
support for both functional verification and performance evaluation. Moreover, we
are not aware of any publication considering both functional correctness and performance
properties for industrial scale applications, with the exception of [HK00], where a verified
Lotos specification of a telephone system is studied with respect to performance properties.
One conclusion of [HK00] was a lack of tool support for industrial-strength case studies,
a problem that we address here explicitly.
This report is organised as follows. Section 2 explains how the process algebra Lotos
can be used for modelling Markovian aspects, and describes extensions of Cadp to support
performance evaluation. The functional part of the Scsi-2 case study is introduced in
Section 3, while Section 4 covers the performance-related modelling and analysis aspects for
the Scsi protocol. Finally, Section 5 concludes the report.
2 The proposed approach
Our approach to combining functional verification and performance evaluation is pragmatic
in the sense that, instead of developing new models, new languages and new tools, it is,
to a large extent, based on prior work for ‘classical’ (i.e., non-stochastic) process algebras,
and especially the Cadp tools. However, to address performance aspects, the Cadp tools
(originally designed for functional verification only) must be extended and combined with
performance tools. To do so, several challenging issues must be addressed. In this section,
we present the principles of our approach and their practical implementation.
2.1 Interactive Markov Chains
To define the operational semantics of process algebras, the usual model is that of labelled
transition systems [Par81] (Lts for short). An Lts is a directed graph whose vertices denote
the global states of the system and whose edges correspond to the transitions permitted by
the system. Each transition is labelled by an action, and there is one distinguished state
considered as the initial state.
As regards functional verification, many verification techniques (such as those implemented
in Cadp) are based on the Lts model.
As regards performance evaluation, many stochastic models derived from state-transition
diagrams have been proposed. Our approach is based on the Interactive Markov Chains
model [Her98] (Imc for short), which is well-adapted to process algebras. An Imc is simply
an Lts whose transitions can be either labelled with an action (as in an ‘ordinary’ Lts) or
with special labels of the form “rate λ”, where λ belongs to the set of positive reals. A
transition “rate λ” going out of some state S is called a delay transition and expresses an
internal delay in state S. More precisely, it indicates that the time t spent in S follows a
so-called negative exponential distribution function $\mathrm{Prob}\{t \leq x\} = 1 - e^{-\lambda x}$, to be read as:
the probability that state S is exited at time x the latest equals $1 - e^{-\lambda x}$. The parameter λ of
the distribution is called a Markov delay; it is also referred to as the rate of the distribution
(the rate being the reciprocal value of the mean duration of an exponentially distributed
delay). The Imc model is very general in several respects:
• It contains, as two particular cases, the Lts model (which is obtained when there is no
delay transition) and the well-known Continuous Time Markov Chain model (which
is obtained when there are only delay transitions). The latter model (Ctmc for short)
has been extensively studied in the literature and is equipped with various efficient
evaluation strategies (see, e.g. [Ste94]).
• The Imc model allows nondeterminism in states, i.e., two identical action transitions
leaving the same state. Nondeterminism is an important feature if the Imc model is
to be generated automatically from higher-level languages such as process algebra.
• Unlike some stochastic models (e.g. [Hil96, BG98]), the Imc model does not require a
strict alternation between actions and delays. It is therefore permitted to have several
successive actions not separated by a delay in between. It is also permitted to have
several delays interspersed between actions. This is practically useful: by combining
several exponential distributions one can define a more general class of distributions,
so-called phase-type distributions. Concretely, each Ctmc fragment with an absorbing
state (i.e., a state without rate-successors) can be used to represent a phase-type
distribution, which describes the time needed to reach the absorbing state from the
initial state. For instance, the following example:
   … ◦ --A--> ◦ --rate 10--> ◦ --rate 10--> ◦ --rate 10--> ◦ --B--> ◦ …
expresses that the occurrence of action B after witnessing action A is delayed by an
Erlang-3 distribution. This is an important feature, as phase-type distributions can
approximate arbitrary distributions arbitrarily close [Neu81].
There is a subtle, but important difference between the Lts and Imc models. In the Lts
model, given an action A and two states S1 and S2, there is at most one transition labelled
by A going from S1 to S2. It is not possible to have several identical transitions between the
same states, because transitions are usually defined by a relation over States × Actions ×
States. Technically, it would be easy to allow identical transitions by using a multirelation
over States ×Actions × States instead. But this is not the standard approach, as the usual
means of observing Ltss (bisimulations, µ-calculus, Sos rules that define the semantics of
process algebraic operators used to compose Ltss) only check for the existence of transitions
and, thus, would not make any difference between one and several identical transitions.
The situation is different in the stochastic setting. Multiplicity of identical transitions
makes a difference in the case of delay transitions. Given a rate λ and two states S1
and S2, the co-existence of two transitions labelled “rate λ” expresses that there are two
competing ways to reach S2. According to this so-called race interpretation, which is widely
used to explain the behaviour of Markov chains over time, these two delay transitions could
be merged into a unique transition “rate 2λ” that cumulates their rates.
Concretely, in our approach, Ltss and Imcs are encoded in the Bcg (Binary Coded
Graphs) file format. Bcg is a compact format for storing very large Ltss. It plays a pivotal
role in the Cadp tool set, which provides programming interfaces and a comprehensive
collection of software tools to handle Bcg files. The Bcg format can handle identical
transitions according to the multirelation semantics because, for time efficiency reasons,
transitions are stored inside the Bcg format as a list-like data structure, without checking
for duplicates.
2.2 Using LOTOS to express Interactive Markov Chains
Although it is possible to specify performance aspects directly at the Imc level, this is not
always suitable for complex systems, which are more easily described using higher level
languages. Our approach is based on the Lotos process algebra, which we briefly present
hereafter.
Lotos is a formal description technique for specifying communication protocols and
distributed systems at a high abstraction level and with a strong mathematical basis. Its
definition [ISO88] features two parts.
The data part is based on the theory of algebraic data types, namely on the Act-One
specification language [EM85, dMRV92]. It allows the definition of data structures described
by sorts, which represent value domains, and operations, which are mathematical functions
defined on these domains using algebraic equations. Sorts, operations, and equations are
grouped in modules called types, which can be combined together using importation, renaming,
parameterisation, and actualisation. The underlying semantics is that of initial
algebras [EM85].
The behaviour part combines the best features of the pioneering process algebras, notably
Milner’s Ccs [Mil80, Mil89] and Hoare’s Csp [Hoa85]. It is used to describe concurrent
processes that synchronise and communicate by rendezvous message-passing. Lotos has a
small set of basic operators (sequential composition, non-deterministic choice, guard, parallel
composition, etc.), which can be combined together to express complex behaviours. The
semantics of Lotos is defined operationally in terms of (finite or infinite) Ltss. We refer to
[BB88, Tur93] for further reading.
As Lotos is mainly intended for functional aspects (data and behaviours), it provides
no built-in support for quantitative time or performance modelling. It is worth noticing
that the recent E-Lotos standard [ISO01], which introduces quantitative time, still lacks
support for performance aspects. In particular, a concept like randomness or probability has
not been included.
At this point, we are confronted with a crucial choice: either designing a new process
algebra containing stochastic extensions (as done with Tipp [GHR93], Pepa [Hil96], or
Empa [BG98]), or taking Lotos as is and extending it orthogonally with stochastic features.
The former approach requires developing a whole set of new tools, which we want to avoid
for time/cost reasons. We therefore chose the latter approach, so as to reuse existing tools
already available for Lotos, in particular the Cæsar.adt [Gar89] and Cæsar [GS90] tools
of Cadp.
Cæsar.adt and Cæsar are two complementary Lotos to C compilers, the former
for the data part, the latter for the behaviour part of Lotos. The C code generated by
these compilers is then used by other Cadp tools for various purposes: simulation, random
execution, on the fly verification, test generation, etc. Additionally, Cæsar can generate
the Lts corresponding to a Lotos specification, if of finite size. This Lts is encoded in the
Bcg format and can be verified using bisimulations and/or model checking of µ-calculus or
temporal logic formulas.
Extending Lotos with stochastic constructs would imply deep changes in the existing
compilers in order to cope with delay transitions. Still guided by pragmatism, we found
a lighter approach, which does not modify the syntax of Lotos and requires no change
in the Cæsar.adt and Cæsar compilers. The principle is the following. Starting from a
Lotos specification whose functional correctness has been already verified, the user should,
at every place in the Lotos specification where a Markov delay λi should occur, insert an
action Λi, where Λi is a new Lotos gate (i.e., action name) expressing a communication
with the external environment. The user should declare as many new gates Λi as there
are different rates λi. It is also possible to declare a single new gate Λ to which different
parameter values will be associated (e.g., “Λ !i”).
To ensure that introducing Markov delays does not corrupt the functional behaviour of
the original specification, one can check that the Lotos specification obtained after hiding
the Λi gates (i.e., renaming these gates to τ) is equivalent to the original Lotos specification
modulo a weak equivalence (e.g., branching equivalence), or that both satisfy the same set
of properties expressed in temporal logic or µ-calculus.
After the special gates Λi have been inserted in the Lotos specification, Cæsar and
Cæsar.adt are invoked as usual to generate the corresponding Lts. This Lts is then
turned into an Imc (still encoded in the Bcg format) by replacing all its action transitions
Λi with delay transitions “rate λi”. This is done using the Bcg Labels tool of Cadp,
which performs hiding and/or renaming on the labels attached to the transitions of a Bcg
file, according to a set of regular expression and substitution patterns specified by the user.
Our approach operates in two successive steps, first generating an Lts parameterised
with action names Λi, then instantiating the Λi parameter with actual Markov delays. This
is practically useful, as one often needs to try several values for each rate parameter when
evaluating the performance of a system. With our approach, the highest cost (generating
the parameterised Lts) occurs only once, while the instantiation costs are negligible in
comparison.
One might wonder whether this two step approach is theoretically sound. For most
Lotos operators (sequential composition, non-deterministic choice, process instantiation,
etc.), there is no problem because the Imc model has been designed as an orthogonal extension
of standard process algebra [Her98, HK00, HHK02]. Yet, two points must be clarified:
• As regards parallel composition, there are various possible semantics for the synchronisation
on a common action [Hil94, HHK02]. To avoid any ambiguity, we do not allow
synchronisation on the special gates Λi. It is the user’s responsibility not to synchronise
these gates. For the same reason, the Lotos parallel operator “||”, which forces
synchronisation for all visible gates, should be avoided as well.
• With respect to the above discussion on multirelation semantics for transitions, it is
true that the standard semantics of Lotos [ISO88] is defined in terms of Ltss, contrary
to stochastic process algebras, which rely (explicitly or implicitly) on multirelation
semantics. However, Lotos could equally well be equipped with a multirelation
semantics without disturbing its sound algebraic theory, given that both standard and
multirelation semantics cannot be distinguished by strong bisimulation.
Concretely, if a Lotos specification contains identical transitions (e.g.,
“Λ; stop [] Λ; stop”), a Lotos compiler such as Cæsar can generate an Lts
with one or two Λ-transitions, both solutions being equivalent modulo strong bisimulation;
the number of Λ-transitions will mainly depend on the degree of optimisations
done by the compiler internally. The user can safely avoid this issue by using, instead
of Λ, two different gate names Λ1 and Λ2, which will be later instantiated with the
same Markov delay.
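As an added example (not code from the report or from Cadp), the following Python program performs the instantiation step described above on a small Lts and serves as a simplified stand-in for the regular-expression renaming done by Bcg Labels: parameter-gate transitions “LAMBDA !i” become delay transitions “rate λi”, identical transitions are kept as a multiset, and a parameter gate left without a rate is rejected. The sample Lts, its textual .aut layout (a `des (initial, transitions, states)` header followed by `(from, "label", to)` lines) and the gate naming `LAMBDA !i` are assumptions constructed for this example.

```python
import re

# Constructed sample Lts in the textual .aut format (assumed layout: a
# "des (initial, #transitions, #states)" header, then one (from, "label", to)
# line per transition). The behaviour is made up for this example: after action
# A, parameter gates LAMBDA !1 and LAMBDA !2 compete, then B leads back to the
# start. LAMBDA !1 occurs twice between the same states, as a compiler may
# produce for "LAMBDA !1; B; stop [] LAMBDA !1; B; stop".
SAMPLE_AUT = """\
des (0, 6, 4)
(0, "A", 1)
(1, "LAMBDA !1", 2)
(1, "LAMBDA !1", 2)
(1, "LAMBDA !2", 3)
(2, "B", 0)
(3, "B", 0)
"""

HEADER_RE = re.compile(r'^des\s*\((\d+),\s*(\d+),\s*(\d+)\)$')
TRANSITION_RE = re.compile(r'^\((\d+),\s*"([^"]*)",\s*(\d+)\)$')
# Labels of the special gate Lambda carrying a parameter: "LAMBDA !i".
PARAM_GATE_RE = re.compile(r'^LAMBDA !(\d+)$')


def parse_aut(text):
    """Return (initial_state, transitions); transitions is a list of
    (source, label, target) triples in which identical triples are kept,
    i.e. the multirelation view taken by the Bcg format."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("missing 'des' header")
    initial, announced = int(header.group(1)), int(header.group(2))
    transitions = []
    for ln in lines[1:]:
        m = TRANSITION_RE.match(ln)
        if not m:
            raise ValueError("malformed transition: " + ln)
        transitions.append((int(m.group(1)), m.group(2), int(m.group(3))))
    if len(transitions) != announced:
        raise ValueError("header announces %d transitions, file has %d"
                         % (announced, len(transitions)))
    return initial, transitions


def instantiate_rates(transitions, rates):
    """Second step of the method: replace every parameter-gate transition
    "LAMBDA !i" by the delay transition "rate <rates[i]>", leaving all other
    labels untouched. A parameter gate without an assigned rate would survive
    as an ordinary action transition, so that case is rejected instead."""
    imc = []
    for src, label, dst in transitions:
        m = PARAM_GATE_RE.match(label)
        if m:
            i = int(m.group(1))
            if i not in rates:
                raise ValueError("no Markov delay assigned to gate " + label)
            label = "rate %g" % rates[i]
        imc.append((src, label, dst))
    return imc


def hide_gates(transitions):
    """Rename the parameter gates to the internal action (written "i" in .aut
    files), giving the Lts to compare with the original specification modulo
    a weak equivalence, as the functional check above requires."""
    return [(s, "i" if PARAM_GATE_RE.match(l) else l, d) for s, l, d in transitions]


def label_multiset(transitions):
    """Number of transitions carrying each label; duplicates show as counts > 1."""
    counts = {}
    for _, label, _ in transitions:
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Because the parsed Lts is reused, `instantiate_rates` can be called once per rate assignment at negligible cost, which is the point of the two-step approach.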
There is another approach to extend a Lotos specification with stochastic timing information,
besides the direct insertion of Markov delays in the specification text. This
alternative approach is based on the use of specification styles [VSSB91] for Lotos, and
especially the constraint-oriented style, which makes it possible to refine the behaviour of an existing
Lotos process by synchronising it with one (or several) concurrent process(es) expressing
a set of temporal constraints on the ordering of actions. It has been suggested in [HK00]
that the constraint-oriented style can be used to incorporate Markov delays (or even more
complex phase-type distributions) between the actions of a Lotos specification, without
modifying the specification text itself; see also [BBA98] for a similar suggestion. Following
this idea, a general operator for expressing time constraints compositionally has been proposed
in [Her98, Section 5.5]. In this report, we will illustrate both approaches, i.e., both the
direct insertion of Markov delays in the Lotos text (see Section 3) and the superposition
of time constraints specified externally (see Section 4).
2.3 Minimisation of Interactive Markov Chains
After generating an Lts from a Lotos specification and converting this Lts to an Imc
by instantiating Markov delays with their actual values, the next step of our methodology
consists in minimising this Imc, i.e., aggregating its state space. This minimisation is based
on the (closely related) notions of bisimulation (on Lts) and lumpability (on Ctmcs), and
is of interest for at least three reasons:
• It brings the Imc to a minimal number of states, still retaining its essential properties;
this improves the efficiency of performance evaluation tools applied later to the
minimised Imc;
• It replaces all delay transitions between a given pair of states by a single transition that
cumulates the rates of these transitions; in particular, it removes identical transitions,
so that multirelation semantics is no longer needed after minimisation.
• It may reduce (or even eliminate) nondeterminism, a concept not supported by performance
evaluation algorithms; however, nondeterminism is not guaranteed to vanish
after minimisation.
Although minimisation is practically useful, a lack of tool support to minimise large Imcs
or Ctmcs has been identified (e.g., in [HK00] where the minimisation tool used could not
handle more than 4,000 states). To account for this, we developed a software tool called
Bcg Min (3,000 lines of C code) for minimising Ltss and Imcs encoded in the Bcg format:
• As regards Ltss, Bcg Min performs efficient minimisation with respect to either
strong or branching bisimulation. According to independent experts, Bcg Min is
“the best implementation of the standard [i.e., Groote & Vaandrager] algorithm for
branching bisimulation” [GvdP00]. Using Bcg Min we have been able to minimise an
Lts with 8 million states and 43 million transitions on a standard Pc.
• As regards Imcs, Bcg Min implements both stochastic strong bisimulation and
stochastic branching bisimulation. In a nutshell, stochastic strong (resp. branching)
bisimulation combines lumpability on the delay transitions with strong (resp. branching)
bisimulation on the action transitions. Consequently, Bcg Min can be used to
minimise Ctmcs modulo lumpability. A formal definition of stochastic strong bisimulation
and stochastic weak bisimulation (a variant of stochastic branching bisimulation)
can be found in [Her98].
Apart from Ltss, Ctmcs, and Imcs, Bcg Min can handle a wide range of other models,
including (i) stochastic models containing transitions labelled by (action, rate) pairs, which
makes it possible to minimise Tipp [GHR93], Pepa [Hil96], and Empa [BG98] models modulo strong
equivalence and Markovian bisimulation, (ii) probabilistic systems containing transitions
labelled by actions, probabilities, and/or (action, probability) pairs, which makes it possible to minimise
discrete time Markov chains (and various probabilistic transition systems) modulo lumpability
(respectively probabilistic bisimulation), and (iii) Markov decision processes [Put94],
which can be minimised modulo lumpability. We refer to the Bcg Min manual page¹ for a
detailed description of the features of Bcg Min.
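As an added example (not Bcg Min's own code), here is a small Python implementation of stochastic strong bisimulation minimisation by partition refinement: states are split until any two states sharing a block have the same set of (action, target block) pairs and the same cumulated rate into every block, and the quotient then carries one cumulated delay transition per pair of blocks. The sample Imc is constructed for this example so that identical delay transitions merge, two paths collapse into one, and one nondeterministic choice survives minimisation; the rate condition is imposed on every state, with no special treatment of states that can perform τ.

```python
from collections import defaultdict

RATE_PREFIX = "rate "

# Constructed sample Imc (made up for this example) as (source, label, target)
# triples. From state 0, action A leads nondeterministically to 1, 2 or 5.
# States 1 and 2 both reach the pair {3, 4} with total rate 20: state 1 by two
# identical "rate 10" transitions, state 2 by one "rate 20" transition. State 5
# reaches it with rate 5 only. States 3 and 4 both return to 0 with action B.
SAMPLE_IMC = [
    (0, "A", 1), (0, "A", 2), (0, "A", 5),
    (1, "rate 10", 3), (1, "rate 10", 3),
    (2, "rate 20", 4),
    (5, "rate 5", 3),
    (3, "B", 0), (4, "B", 0),
]


def is_delay(label):
    return label.startswith(RATE_PREFIX)


def rate_of(label):
    return float(label[len(RATE_PREFIX):])


def signature(state, transitions, block):
    """What a state can do relative to the current partition: the set of
    (action, target block) pairs (strong bisimulation on action transitions)
    and the cumulated rate into each block (lumpability on delay transitions;
    identical delay transitions simply add up here)."""
    actions = set()
    rates = defaultdict(float)
    for src, label, dst in transitions:
        if src != state:
            continue
        if is_delay(label):
            rates[block[dst]] += rate_of(label)
        else:
            actions.add((label, block[dst]))
    return (frozenset(actions), tuple(sorted(rates.items())))


def minimise(transitions, initial=0):
    """Partition refinement for stochastic strong bisimulation.
    Returns (initial_block, quotient_transitions, block_of_state); the
    quotient has one state per block, action transitions deduplicated and a
    single cumulated delay transition per (block, block) pair."""
    states = sorted({s for s, _, _ in transitions}
                    | {d for _, _, d in transitions} | {initial})
    block = {s: 0 for s in states}                   # start from one block
    while True:
        sigs = {s: signature(s, transitions, block) for s in states}
        numbering, refined = {}, {}
        for s in states:
            # keying on the old block too guarantees blocks are only ever split
            refined[s] = numbering.setdefault((block[s], sigs[s]), len(numbering))
        if len(numbering) == len(set(block.values())):
            break                                    # nothing split: stable
        block = refined
    # One representative per block suffices for the rates: by lumpability all
    # states of a block have the same cumulated rate into every block.
    representative = {}
    for s in states:
        representative.setdefault(block[s], s)
    quotient_actions, quotient_rates = set(), defaultdict(float)
    for src, label, dst in transitions:
        if is_delay(label):
            if representative[block[src]] == src:
                quotient_rates[(block[src], block[dst])] += rate_of(label)
        else:
            quotient_actions.add((block[src], label, block[dst]))
    quotient = sorted(quotient_actions) + sorted(
        (b1, "rate %g" % r, b2) for (b1, b2), r in quotient_rates.items())
    return block[initial], quotient, block
```

On the sample, the nine transitions over six states reduce to five transitions over four blocks: the two “rate 10” transitions become one “rate 20”, states 1 and 2 (and 3 and 4) merge, and the two A-transitions out of the initial block remain, showing that nondeterminism need not vanish.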
2.4 Compositional generation of Interactive Markov Chains
Both functional verification and performance evaluation are confronted with the well-known
state explosion problem, which occurs when state spaces or Markov chains become too large
for being generated exhaustively. As regards functional verification, the Cadp tool set
¹ http://www.inrialpes.fr/vasy/cadp/man/bcg_min.html
provides various strategies to address the state explosion problem, one of these being compositional
generation (also known as compositional minimisation), see e.g. [GSL96]. This
approach consists in dividing the system into a set of concurrent processes, then generating
the Ltss corresponding to these processes, minimising these Ltss using an equivalence relation
(such as strong or branching bisimulation), and finally combining the minimised Ltss
in parallel so as to generate the Lts of the whole system.
Compositional generation has been adapted to performance evaluation, both in the context
of Ctmcs, where bisimulation is known to agree with the notion of lumpability [Hil96],
and in the context of Lotos and Imcs [HK00]. Compared to [HK00], our approach is novel
in several respects:
• Using the Bcg Min tool, which did not exist at the time of [HK00], we are now able
to minimise Imcs effectively.
• To compute the Imc corresponding to a set of Imcs combined together using Lotos
parallel composition operators (without synchronisation on delay transitions as mentioned
above), we resort to the Exp.Open tool² developed by Laurent Mounier. The
Exp.Open tool is also used to combine a Lotos specification with a set of Imcs
expressing delays to be incorporated in a constraint-oriented style.
• Finally, we take advantage of Svl [GL01, Lan02], a new scripting language for compositional
and on-the-fly verification. Svl provides a high-level interface to all Cadp
tools (including Cæsar, Cæsar.adt, Bcg Labels, Bcg Min, Exp.Open, etc.), thus
enabling an easy description and execution of complex performance studies.
2.5 Numerical analysis of Interactive Markov Chains
After constructing a minimised Imc, the last step of our methodology consists in applying
performance evaluation analysis algorithms, so as to compute interesting performance
metrics out of the model. To analyse the Imc models, one can use either model checking
algorithms, such as those implemented in Etmcc [HKMKS00] or Prism [KNS01], or more
standard analysis algorithms for Ctmcs, such as those available in the TippTool [HHK+00]
developed at the University of Erlangen-Nuremberg. To handle Imc models containing
nondeterminism, one needs rather involved algorithms as described in [Put94, dA98].
In this report, we stick to standard Ctmc analysis algorithms. A connection of the
TippTool analysis engine to the Bcg format was developed, which enables the use of
the TippTool to carry out analysis of (moderate size) Imcs generated using Cadp. This
connection makes it possible to study the time-dependent (transient) behaviour, as well as the long-run
average (steady-state) behaviour of a model. Transient analysis uses a numerical algorithm
known as uniformisation, while steady-state analysis is carried out using either the power,
Gauss-Seidel or SOR method; see [Ste94] for a thorough introduction to these algorithms.
² http://www.inrialpes.fr/vasy/cadp/man/exp.open.html
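The two analyses described above, as an added Python example rather than the TippTool's engine: uniformisation for the transient distribution and Gauss-Seidel iteration for the steady-state distribution, both computed from the generator matrix built out of a model's “rate λ” transitions, with action transitions rejected because the report restricts itself to Ctmc algorithms. The Erlang-3 fragment of Section 2.1 and the three-state cycle are constructed inputs, and the probability of having reached the absorbing state is checked against the closed-form Erlang-3 distribution.

```python
import math

RATE_PREFIX = "rate "

# Constructed Ctmc fragments, made up for this example.
# Erlang-3 phase-type distribution of Section 2.1: three successive "rate 10"
# delays, state 3 absorbing (the time to reach 3 from 0 is Erlang-3 distributed).
ERLANG3 = [(0, "rate 10", 1), (1, "rate 10", 2), (2, "rate 10", 3)]
# Irreducible three-state cycle; its steady-state distribution is (2/7, 4/7, 1/7).
CYCLE = [(0, "rate 2", 1), (1, "rate 1", 2), (2, "rate 4", 0)]


def generator(transitions):
    """Build the generator matrix Q of a Ctmc from its delay transitions.
    Identical transitions cumulate (race interpretation); a delay self-loop
    leaves the state unchanged and drops out of Q. Any remaining action
    transition means the model is not a Ctmc and is rejected."""
    states = sorted({s for s, _, _ in transitions} | {d for _, _, d in transitions})
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    Q = [[0.0] * n for _ in range(n)]
    for src, label, dst in transitions:
        if not label.startswith(RATE_PREFIX):
            raise ValueError("action transition %r left in the model" % label)
        rate = float(label[len(RATE_PREFIX):])
        if src != dst:
            Q[idx[src]][idx[dst]] += rate
            Q[idx[src]][idx[src]] -= rate
    return Q, states


def transient(transitions, initial, t, eps=1e-12):
    """Probability of being in each state at time t when starting in `initial`,
    by uniformisation: pi(t) = sum_k Poisson(k; q*t) * pi(0) * P^k, where
    P = I + Q/q is the uniformised Dtmc and q the largest exit rate. The
    Poisson series is truncated once 1 - eps of its mass is accumulated.
    (exp(-q*t) underflows for very large q*t; this demonstration does not
    implement the numerically stable Fox-Glynn weights.)"""
    Q, states = generator(transitions)
    n = len(states)
    q = max(-Q[i][i] for i in range(n))
    dist = [1.0 if s == initial else 0.0 for s in states]
    if q == 0.0:                          # every state absorbing: nothing moves
        return dict(zip(states, dist))
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / q for j in range(n)] for i in range(n)]
    result = [0.0] * n
    weight, mass, k = math.exp(-q * t), 0.0, 0
    while mass < 1.0 - eps and k < 100000:
        result = [r + weight * d for r, d in zip(result, dist)]
        mass += weight
        dist = [sum(dist[i] * P[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= q * t / k               # Poisson(k) from Poisson(k-1)
    return dict(zip(states, result))


def steady_state(transitions, tol=1e-12, max_iter=100000):
    """Long-run distribution pi solving pi*Q = 0 with sum(pi) = 1, by
    Gauss-Seidel: pi_j is set to (inflow into j) / (exit rate of j) using
    the newest values, then the vector is normalised. Needs an irreducible
    chain; an absorbing state is rejected rather than dividing by zero."""
    Q, states = generator(transitions)
    n = len(states)
    if any(Q[j][j] == 0.0 for j in range(n)):
        raise ValueError("absorbing state present: steady state is degenerate")
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        previous = pi[:]
        for j in range(n):
            inflow = sum(pi[i] * Q[i][j] for i in range(n) if i != j)
            pi[j] = inflow / -Q[j][j]
        total = sum(pi)
        pi = [p / total for p in pi]
        if max(abs(a - b) for a, b in zip(pi, previous)) < tol:
            break
    return dict(zip(states, pi))
```

For the Erlang-3 fragment at t = 0.3 (so q·t = 3), `transient` puts probability 1 − e⁻³(1 + 3 + 3²/2) ≈ 0.5768 on the absorbing state, the closed-form Erlang-3 value; on the cycle, `steady_state` returns (2/7, 4/7, 1/7).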
[Figure 1 (diagram not reproduced): the disks and the disk controller connected through the gates CMD, ARB and REC.]
Figure 1: Architecture of the Scsi-2 system.
3 The SCSI-2 bus arbitration protocol
To illustrate our approach, we consider an industrial case-study brought to our attention by
Massimo Zendri while he was working in the Vasy team. This case-study is about a storage
system developed by Bull in the early 1990s. This system consists of at most 8 devices (7 hard
disks and one disk controller) connected by a bus implementing the Scsi-2 (Small Computer
System Interface) standard [ANS94]. Each device is assigned a unique Scsi number between
0 and 7.
During the testing phase, Bull engineers discovered potential starvation problems for
disks having Scsi numbers smaller than the Scsi number of the disk controller. Practically,
this problem was solved by instructing system manufacturers to install the controller with
the Scsi number 0 systematically. In parallel, research was initiated to understand the issue.
This problem was first modelled by Massimo Zendri, who developed a Markovian queueing
model to study performance issues [Zen92]. Later, the functional aspects of the Scsi-2 bus
arbitration protocol were formalised in Lotos by Hubert Garavel, with an emphasis on
modelling arbitration concisely using Lotos multiway rendezvous. This Lotos specification³
served as a basis for model checking verification by Radu Mateescu (thus making it possible
to discover the starvation problem mechanically) and automated test generation by Solofo
Ramangalahy. See also [Ber01] for a discussion of fairness issues in the Scsi-3 bus arbitration
protocol. In the present report, we complement these functional verification efforts by
enhancing the Lotos model so as to study performance issues.
³ See http://www.inrialpes.fr/vasy/verdon for details.
In the Scsi-2 system, the controller can, at random times, send to disk n a message “CMD !n”
(command) indicating a transfer request (read/write a block of data from/to the disk).
After processing this command, the disk sends back to the controller a message “REC !n”
(reconnect). We do not model the detailed contents (e.g., type or data) of these messages.
The CMD and REC messages are stored in eight-place Fifo queues (see Figure 1). Since we
abstract from the message contents, it is sufficient to model these queues as simple counters.
3.1 Arbitration mechanism
The CMD and REC messages circulate on the Scsi bus, which is shared by all devices. To avoid access conflicts, the Scsi-2 standard defines a bus arbitration policy ensuring that at any time at most one device is allowed to access the bus. Before sending a message over the bus, each device must first request and obtain exclusive bus access. Notice that the receiving device need not reserve the bus first, as bus access has already been obtained by the sending device. Arbitration is based on fixed priorities: if several devices want to access the bus simultaneously, the device with the highest Scsi number is granted access. Arbitration is also decentralised: contrary to other bus protocols (e.g., Pci) there is no centralised arbiter responsible for granting bus access. Instead, each device must itself check that no other device of higher priority is trying to access the bus. To ensure exclusive access in a distributed way, the arbitration mechanism is physically implemented by eight electrical wires, the voltage level of which (high or low) can be read by all devices. Each wire is owned by a particular device, and is set to high voltage when this device requests bus access. Before using the bus, each device examines the voltage level of the eight wires during a certain amount of time (the arbitration period) to ensure that no other device with a higher Scsi number has its wire set to high voltage.
Modelling the Scsi-2 arbitration policy in a precise, concise, yet understandable way is a challenge, especially for languages providing only binary communication paradigms (such as Fifo queues, remote procedure calls, or binary synchronisations). With such languages, each device must express its decision to access or not to access the bus separately; therefore, at least eight binary communications are required. Because arbitration is decentralised, all possible orderings of these communications must be considered, which increases complexity.
Yet, this problem can be solved elegantly using the advanced features of Lotos (namely, multiway rendezvous with value negotiation based on pattern-matching). Assuming that the arbitration period is short enough, arbitration can be modelled by a single, eight-party rendezvous between all devices on a gate named ARB. During every arbitration period, all devices must synchronise to indicate whether they request bus access or not. Syntactically, each device must propose an action of the form “ARB ?W:WIRE [Cn(W, n)]”, where n is the Scsi number of the device, where variable W of type WIRE is an eight-tuple $(w_0, w_1, \ldots, w_7)$ of booleans corresponding to the voltage levels on the wires (the boolean values false and true correspond to low and high voltage, respectively), and where predicate $C_n(W, n)$ belongs to a set of three possible constraints relating W and n. These three constraints are:
(i) the constraint $C\_PASS(W, n) := \neg w_n$ is true iff device n does not request the bus (i.e., $w_n$ is set to low voltage);
(ii) the constraint $C\_WIN(W, n) := w_n \wedge \neg \bigvee_{i=n+1}^{7} w_i$ is true iff device n requests the bus and succeeds in being the highest priority competitor;
(iii) the constraint $C\_LOSS(W, n) := w_n \wedge \bigvee_{i=n+1}^{7} w_i$ is true iff device n requests the bus but fails to gain access.
When the eight devices synchronise together on gate ARB, their individual, distributed constraints are combined into a logical conjunction $\bigwedge_{i=0}^{7} C_i(W, i)$, which determines a unique solution W agreed by all the devices unanimously.
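As an added illustration of the value negotiation just described (example code written for this page, not part of the report or of the Lotos specification it describes), the following Python script encodes the three constraints C_PASS, C_WIN and C_LOSS over an eight-tuple of booleans and solves the conjunction by brute force over all 256 possible values of W. A device that does not want the bus is taken to offer C_PASS, and one that does to offer C_WIN or C_LOSS, mirroring the two ARB branches of a ready device in the DISK process of Section 3.2; the function names and the `requesting` set are this example's own choices.

```python
"""Scsi-2 arbitration as value negotiation: the three constraints of the report and a
brute-force solver showing that their conjunction pins down a unique WIRE tuple.
Added example for this page; not code from the report or from the Lotos specification."""
from itertools import product

N_WIRES = 8   # one wire per Scsi number 0..7; True models high voltage (bus requested)

def c_pass(w, n):
    """C_PASS(W, n) := not w_n : device n does not request the bus."""
    return not w[n]

def c_win(w, n):
    """C_WIN(W, n) := w_n and no wire of a higher Scsi number is high."""
    return w[n] and not any(w[n + 1:])

def c_loss(w, n):
    """C_LOSS(W, n) := w_n and some wire of a higher Scsi number is high."""
    return w[n] and any(w[n + 1:])

def solve_arbitration(requesting, n_wires=N_WIRES):
    """Enumerate every WIRE tuple and keep those satisfying the conjunction of the constraints
    the devices offer on gate ARB: C_PASS for a device that does not want the bus, and
    (C_WIN or C_LOSS) for one that does (the two ARB branches of a ready device).
    Returns (admissible tuples, Scsi numbers for which C_WIN holds in some admissible tuple)."""
    requesting = set(requesting)

    def offered(w, n):
        return (c_win(w, n) or c_loss(w, n)) if n in requesting else c_pass(w, n)

    solutions = [w for w in product((False, True), repeat=n_wires)
                 if all(offered(w, n) for n in range(n_wires))]
    winners = sorted({n for w in solutions for n in range(n_wires) if c_win(w, n)})
    return solutions, winners

def check_unique_outcome(n_wires=N_WIRES):
    """Over every subset of requesting devices: exactly one admissible W, and either no winner
    (nobody requested) or exactly one winner, namely the highest requesting Scsi number."""
    for mask in range(2 ** n_wires):
        requesting = {n for n in range(n_wires) if mask >> n & 1}
        solutions, winners = solve_arbitration(requesting, n_wires)
        expected = [max(requesting)] if requesting else []
        if len(solutions) != 1 or winners != expected:
            return False
    return True

if __name__ == "__main__":
    sols, wins = solve_arbitration({0, 3, 5})
    print("W =", "".join("1" if b else "0" for b in sols[0]), "winner:", wins)
    print("unique outcome for all 256 request patterns:", check_unique_outcome())
```

The enumeration is only there to make the uniqueness argument visible: with devices 0, 3 and 5 requesting, the single admissible W is 10010100 (wires 0, 3 and 5 high) and C_WIN holds for device 5 alone. Lotos does not enumerate anything at run time; the negotiation is resolved by pattern-matching on the rendezvous, which is exactly why the model stays compact.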
3.2 Disk devices
Each disk is described as an instance of a generic Lotos process (noted DISK) parameterised
by the Scsi number N, the number L of CMD messages waiting to be processed in the disk’s
input Fifo queue (initially, L = 0), and by a boolean variable READY which is true iff the
device has processed a CMD message and is ready to send the result back to the controller
(initially, READY = false). The behaviour of the DISK process is a nondeterministic selection
between five branches: (i) the disk may receive a CMD message and increment L (a flow control
mechanism implemented in the controller avoids overflows in the disks’ input queues); (ii)
if the disk is not ready, it may take part in the arbitration mechanism without requesting
the bus, which enables lower priority devices to access the bus; (iii) if the disk is not ready
and if its input queue is not empty, it may process a command stored in the queue (which
takes a Markov delay noted “MU !N”), then decrement L and become ready; (iv) and (v) if
the disk is ready, it requests the bus repeatedly until it is granted; once successful, it sends
a corresponding REC message and returns to its non-ready state.
process DISK [ARB, CMD, REC, MU] (N:NUM, L:NAT, READY:BOOL) : noexit :=
      CMD !N;
      DISK [ARB, CMD, REC, MU] (N, L+1, READY)
   []
      ARB ?W:WIRE [not (READY) and C_PASS (W, N)];
      DISK [ARB, CMD, REC, MU] (N, L, READY)
   []
      [not (READY) and (L > 0)] ->
         MU !N; (* Markov delay inserted here *)
         DISK [ARB, CMD, REC, MU] (N, L-1, true)
   []
      ARB ?W:WIRE [READY and C_LOSS (W, N)];
      DISK [ARB, CMD, REC, MU] (N, L, READY)
   []
      ARB ?W:WIRE [READY and C_WIN (W, N)];
      REC !N;
      DISK [ARB, CMD, REC, MU] (N, L, false)
endproc
3.3 Controller device
The controller is described by a Lotos process (noted CONTROLLER) parameterised by the Scsi number NC of the controller and by two variables PENDING and T. PENDING contains the Scsi number of the disk to which the controller has to send a CMD message (initially, PENDING = NC, which means that the controller is idle). T is a table (i.e., an array) used for flow control, so as to avoid overflow of the disks’ input queues. The n-th element of T (noted “VAL (T, n)”, where n is a Scsi number different from NC) stores the number of commands waiting to be processed by disk n, i.e., the difference between the number of “CMD !n” messages sent and the number of “REC !n” messages received by the controller. ZERO denotes the initial value of the table, with all elements equal to 0. INCR (T, n) and DECR (T, n) denote the table T in which the n-th element is incremented or decremented, respectively.
As with the disk, the behaviour of the CONTROLLER process is a selection between five
branches: (i) if the controller is idle, it may take part in the arbitration mechanism without
requesting the bus; (ii) if the controller is idle, it may also select (nondeterministically) some
disk N with less than eight unprocessed commands and assign N to PENDING; in practice, this
selection is triggered by a transfer request sent to the controller by its external environment;
we introduce a Markov delay noted “LAMBDA !N” in order to model the load stress imposed
on the controller; (iii) and (iv) if the controller is not idle, it requests the bus repeatedly
until it is granted; once successful, it sends a CMD message to the disk indicated by PENDING,
then increments T accordingly and returns to its idle state; (v) the controller may receive
REC messages and decrement T accordingly.
process CONTROLLER [ARB, CMD, REC, LAMBDA] (NC:NUM, PENDING:NUM, T:TABLE) : noexit :=
      ARB ?W:WIRE [(PENDING == NC) and C_PASS (W, NC)];
      CONTROLLER [ARB, CMD, REC, LAMBDA] (NC, PENDING, T)
   []
      (
         choice N:NUM []
            [(PENDING == NC) and (N <> NC)] ->
               [VAL (T, N) < 8] ->
                  LAMBDA !N; (* Markov delay inserted here *)
                  CONTROLLER [ARB, CMD, REC, LAMBDA] (NC, N, T)
      )
   []
      ARB ?W:WIRE [(PENDING <> NC) and C_LOSS (W, NC)];
      CONTROLLER [ARB, CMD, REC, LAMBDA] (NC, PENDING, T)
   []
      ARB ?W:WIRE [(PENDING <> NC) and C_WIN (W, NC)];
      CMD !PENDING;
      CONTROLLER [ARB, CMD, REC, LAMBDA] (NC, NC, INCR (T, PENDING))
   []
      REC ?N:NUM [N <> NC];
      CONTROLLER [ARB, CMD, REC, LAMBDA] (NC, PENDING, DECR (T, N))
endproc
3.4 System architecture
The architecture of the Scsi-2 system is described by composing in parallel the seven disk processes and the controller process. All these processes synchronise together using an eight-way rendezvous on the ARB gate. The disks communicate with the controller using binary rendezvous on gates CMD and REC. Although the seven disks compete with each other to achieve a rendezvous on gates CMD and REC with the controller, the “!n” parameters associated with these gates make it possible to identify the corresponding disk. Finally, as explained in Section 2.2, the MU and LAMBDA gates must not be synchronised.
   (
      DISK [ARB, CMD, REC, MU] (0, 0, false)
      |[ARB]|
      DISK [ARB, CMD, REC, MU] (1, 0, false)
      |[ARB]|
      ...
      |[ARB]|
      DISK [ARB, CMD, REC, MU] (6, 0, false)
   )
   |[ARB, CMD, REC]|
   CONTROLLER [ARB, CMD, REC, LAMBDA] (7, 7, ZERO)
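To make the composed behaviour concrete, here is an added example (written for this page; it is neither the report's Lotos specification nor any Cadp tool) that re-implements DISK and CONTROLLER as a Python state-space generator for three disks and the controller, composed on ARB, CMD and REC as above. The BUS process and the Markov delays are left out (MU and LAMBDA appear only as unsynchronised labels), the eight-place queue bound is a parameter `cap`, and the helper names (`explore`, `exclusive_access`, `starvation_cycle`) and the phase encoding are assumptions of this example. Beyond generating the Lts, it checks two properties tied to the starvation issue of this section: that at most one device holds the bus in every reachable state, and whether a cycle exists along which a given disk stays ready and loses every arbitration, which is how starvation of a disk numbered below the controller shows up in the nondeterministic model.

```python
"""Explicit-state exploration of the Scsi-2 model (three DISK processes and a CONTROLLER
composed on ARB, CMD and REC), checking exclusive bus access and starvation cycles.  Added
example for this page, re-implementing the report's LOTOS processes in Python (no BUS, no delays)."""
from collections import deque
IDLE, READY, WON = 0, 1, 2   # disk phase: not ready / ready and requesting / won ARB, REC pending
TOP, CWON = 0, 1             # controller phase: top-level choice / won ARB, CMD pending
def successors(state, disks, nc, cap):
    """Enabled actions as (label, next_state) pairs.  A state is (tuple of (L, phase)
    per disk in `disks` order, PENDING, controller phase, flow-control table T)."""
    dstate, pending, cphase, table = state
    out = []
    # ARB: every party must be at its top level (no REC or CMD pending) to synchronise.
    if cphase == TOP and all(ph != WON for _, ph in dstate):
        requesting = {n for n, (_, ph) in zip(disks, dstate) if ph == READY}
        if pending != nc:
            requesting.add(nc)
        wires = tuple(k in requesting for k in range(8))      # the unique W: w_k high iff k requests
        winner = max(requesting) if requesting else None      # highest Scsi number wins (C_WIN)
        new_d, new_c = list(dstate), cphase
        if winner == nc:
            new_c = CWON
        elif winner is not None:
            i = disks.index(winner)
            new_d[i] = (new_d[i][0], WON)
        out.append((("ARB", wires), (tuple(new_d), pending, new_c, table)))
    for i, n in enumerate(disks):
        L, ph = dstate[i]
        if cphase == TOP and pending == nc and table[i] < cap:     # LAMBDA !n (flow control: VAL(T, n) < cap)
            out.append((("LAMBDA", n), (dstate, n, cphase, table)))
        if cphase == CWON and pending == n and ph != WON:          # CMD !n, binary rendezvous
            new_d, new_t = list(dstate), list(table)
            new_d[i], new_t[i] = (L + 1, ph), table[i] + 1
            out.append((("CMD", n), (tuple(new_d), nc, TOP, tuple(new_t))))
        if ph == IDLE and L > 0:                                   # MU !n, disk services a command
            new_d = list(dstate)
            new_d[i] = (L - 1, READY)
            out.append((("MU", n), (tuple(new_d), pending, cphase, table)))
        if ph == WON and cphase == TOP:                            # REC !n, binary rendezvous
            new_d, new_t = list(dstate), list(table)
            new_d[i], new_t[i] = (L, IDLE), table[i] - 1
            out.append((("REC", n), (tuple(new_d), pending, cphase, tuple(new_t))))
    return out

def explore(disks, nc, cap=8):
    """Breadth-first generation of the reachable Lts: {state: [(label, next_state), ...]}."""
    init = (tuple((0, IDLE) for _ in disks), nc, TOP, tuple(0 for _ in disks))
    graph, todo = {}, deque([init])
    while todo:
        s = todo.popleft()
        if s not in graph:
            graph[s] = successors(s, disks, nc, cap)
            todo.extend(t for _, t in graph[s])
    return graph

def exclusive_access(graph):
    """Safety: in no reachable state do two devices hold the bus at once."""
    return all(sum(ph == WON for _, ph in d) + (c == CWON) <= 1 for d, _, c, _ in graph)

def scc_ids(nodes, adj):
    """Iterative Kosaraju: node -> representative of its strongly connected component."""
    order, seen = [], set()
    for root in (r for r in nodes if r not in seen):      # lazily skips nodes seen meanwhile
        seen.add(root)
        stack = [(root, iter(adj[root]))]
        while stack:
            nxt = next((x for x in stack[-1][1] if x not in seen), None)
            if nxt is None:
                order.append(stack.pop()[0])              # post-order
            else:
                seen.add(nxt)
                stack.append((nxt, iter(adj[nxt])))
    radj = {u: [] for u in nodes}
    for u in nodes:
        for v in adj[u]:
            radj[v].append(u)
    comp = {}
    for root in reversed(order):
        if root not in comp:
            comp[root], stack = root, [root]
            while stack:
                for v in radj[stack.pop()]:
                    if v not in comp:
                        comp[v] = root
                        stack.append(v)
    return comp

def starvation_cycle(graph, disks, d):
    """True iff some cycle keeps disk d READY (requesting at every ARB) and contains an ARB step."""
    i = disks.index(d)
    inside = {s for s in graph if s[0][i][1] == READY}
    adj = {s: [t for _, t in graph[s] if t in inside] for s in inside}
    comp = scc_ids(list(inside), adj)
    return any(lbl[0] == "ARB" and t in inside and comp[s] == comp[t]
               for s in inside for lbl, t in graph[s])
if __name__ == "__main__":
    print({nc: starvation_cycle(explore(d, nc), d, d[0]) for d, nc in (((0, 1, 2), 7), ((1, 2, 3), 0))})
```

With the controller at number 7 and disks 0, 1 and 2, `starvation_cycle(g, (0, 1, 2), 0)` finds such a cycle: the controller and disk 2 alternately win while disk 0 requests at every arbitration. With the controller at number 0 and disks 1, 2 and 3, no such cycle exists for disk 1, because the controller can only win arbitration when no disk requests, so the higher disks' queues drain and disk 1 eventually wins. That is the nondeterministic counterpart of the report's conclusion that assigning Scsi number 0 to the controller removes the starvation. The queue bound is a parameter so that the check runs in well under a second with `cap=2`; the full eight-place queues explore a state space several orders larger.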
4 Performance model aspects
The Scsi-2 specification as introduced above already incorporates some timing parameters, namely the Markov delays LAMBDA and MU. This section motivates the timing characteristics of the model. It further discusses the approach followed to generate and analyse the model numerically, together with some interesting performance figures we obtained.
4.1 SCSI-2 timing parameters
Based on the timing parameters given in the definition of the Scsi-2 architecture, we identified three parameters as most relevant for a performance study.
- The Markov delay LAMBDA put in the controller models the load (transfer requests issued by the controller) that stimulates the whole Scsi-2 system. It is the main parameter we vary in our experiments.
- The Markov delay MU put in the disk corresponds to the disk servicing time, i.e., the time needed by an individual disk to fetch or store the requested data. The mean servicing time depends on the size of the data blocks to be transferred, and also varies from one disk manufacturer to another. Its value ranges from 1500 µs to about 4500 µs [Zen92].
- Finally, the bus inter-arbitration time (or bus delay, for short) determines the delay between two consecutive bus arbitration periods. This delay is minimally 2.5 µs and depends on the amount of data transmitted on the bus after an arbitration.
To incorporate the bus delay into the Scsi specification, we use the constraint-oriented
style mentioned earlier. As the bus delay elapses between any two consecutive ARB actions, it
will be incorporated by running the Scsi system in parallel with an additional, very simple
process BUS, which forces any two consecutive ARB actions to be separated by a Markov
delay NU:
process BUS [ARB, NU]:noexit :=
ARB; NU; BUS [ARB, NU]
endproc
Both the Scsi system and the BUS process are synchronised on gate ARB. Note that this approach allows one to experiment with different phase-type distributed delays in a flexible way, such as an Erlang-5 distributed delay:
process BUS_5 [ARB, NU] : noexit :=
   ARB; NU; NU; NU; NU; NU; BUS_5 [ARB, NU]
endproc
We carried out several experiments with such delays, and found that as long as the mean value of the distributions used stays unchanged, the influence of the distributions on the numerical results is marginal. As regards the LAMBDA and MU delays, experimenting with other distributions is not so straightforward, because any change in the distribution implies a change in the Lotos specification, and hence a proof obligation that the functional behaviour is still as intended. The constraint-oriented style relieves this burden, since it preserves the functional behaviour: the resulting Lts obtained after parallel composition is branching bisimilar to the original one provided that the Markov delays are hidden (i.e., renamed to τ) [Her98].
4.2 Performance results
Among the studies we performed, we here focus on the behaviour of a Scsi-2 system under heavy load, since the system exhibits some interesting aspects of unfairness in extreme situations. Note that, due to the distributed priority mechanism governing the bus arbitration protocol, the system cannot be expected to behave perfectly fairly under all circumstances.
We study a system with 3 disks. The load imposed on the system varies between 10 and 800 requests per second and per disk. Unless otherwise stated, we assume the average servicing time of the disks to be 2,500 µs, and the bus delay to range between 2.5 µs and 2,500 µs.
[Figure 2: two plots of throughput (y axis, 0 to 400) against lambda (x axis, 0 to 700). Left panel: high priority disk; right panel: low priority disk. Each panel has one curve per bus delay, with legend values 2,500, 250, 25 and 2.5.]
Figure 2: Throughput of disk 2 (left) and disk 0 (right) under increasing load with bus delay ranging from 2.5 µs (dashed) to 2.5 ms (solid), and controller having number 7.
First, we study a system in which the controller is assigned the Scsi number 7, and
observe the throughput of each disk under increasing load. The resulting throughputs are
plotted in Figure 2, for four different bus delay parameters. The left plot shows the high
priority disk 2, and the right one shows the low priority disk 0. We observe that the bus
bandwidth is shared in a load dependent way, and we further observe that the higher the
bus delay, the lower the throughputs of the disks. Interestingly, the lower disks’ throughputs
may collapse if the bus delay is very long and load is heavy. The high priority disk does not
exhibit such a phenomenon. This reveals the unfairness of the arbitration mechanism.
To study this phenomenon further, we analyse the effect of the controller Scsi number on the throughputs of the high and low priority disks. Figure 3 plots the throughputs of the low and high priority disks under extreme bus delays. If the controller is in the highest position (Scsi number 7), we recover one of the scenarios studied in Figure 2: the high priority disk dominates the low priority disk, and makes the throughput of the latter collapse. If, on the other hand, the controller is in the lowest position (Scsi number 0), the achieved throughputs of the high and low priority disks are rather balanced, and in particular the low priority throughput neither degrades nor collapses.
This study allows us to draw the conclusion that assigning Scsi number 0 to the controller
makes the system balanced. Otherwise, disks in a position lower than the controller are
disfavoured. This conclusion is in line with the experimental observations made by the Bull
engineers; our studies allow a quantification of the influence of the disk position on the
throughput.
[Figure 3: two plots of throughput (y axis, 0 to 150) against lambda (x axis, 0 to 700). Left panel: high priority disk; right panel: low priority disk. Each panel has one curve per controller number, with legend entries num. 0, num. 1 and num. 7.]
Figure 3: Throughput of high priority disk (left) and low priority disk (right) under increasing load with bus delay 2.5 ms, and controller having lowest (solid), middle, and highest (dashed) number.
4.3 An SVL session with CADP
This section discusses how the Markov chains under study are generated from the Lotos
specification using the Cadp toolbox. To explain how we proceed, we list below the main
fragment of the Svl-script used to distill the lumped Markov chain used for the plots in
Figure 2.
"scsi.bcg" = branching reduction of                                        (1)
             total rename "ARB !.*" -> ARB in
             hide CMD, REC in
             "scsi.lotos";

"model.bcg" = hide all but LAMBDA, MU, NU in                               (2)
              ("scsi.bcg" |[ARB]| "erlang.lotos":BUS [ARB, NU]);

% for SPEED in .4 2 4 40 400                                               (3)
% do
%    for LOAD in .01 .03 .06 .1 .15 .2 .25 .3 .35 \
%                .4 .45 .5 .55 .6 .65 .7 .75 .8
%    do
%       BCG_MIN_OPTIONS="-rate"
        "res-$SPEED.bcg" = branching reduction with bcg_min of             (4)
                           total rename "NU" -> "rate $SPEED",
                                        "MU !0" -> "DISK_L; rate .4",
                                        "MU !1" -> "DISK_M; rate .4",
                                        "MU !2" -> "DISK_H; rate .4",
                                        "LAMBDA !.*" -> "rate $LOAD" in
                           "model.bcg";
%       seidel -v $LOAD "res-$SPEED.bcg"                                   (5)
%    done
% done
During step (1) the transition system of the Scsi specification is generated, the CMD and
REC gates are hidden as they are not needed in subsequent processing, and the arbitration
events are uniformly renamed into a new action named ARB. Then, the resulting state space
is minimised according to branching bisimulation, and stored in a file named “scsi.bcg”.
Step (2) incorporates the bus delay via the process BUS [ARB, NU] taken from file
“erlang.lotos”. Afterwards, all gates are hidden, except those corresponding to Markov
delays (i.e., LAMBDA, MU, and NU). The result is stored in file “model.bcg”.
Step (3) initiates two nested loops that compute a two-dimensional matrix of performance
results. The outer loop varies the SPEED parameter, which is the inverse of the bus delay
expressed in milliseconds, ranging from 1/2.5 µs to 1/2.5 ms. The inner loop varies the LOAD
parameter, imposing between 0.01 and 0.8 requests per millisecond on each disk.
Step (4) instantiates, for each pair (SPEED, LOAD), the Markov delays LAMBDA, MU, and NU
present in file “model.bcg” with concrete values. The resulting Imc is then minimised using
Bcg Min according to stochastic branching bisimulation, which eliminates nondeterminism.
This results in a Markov chain stored in file “res-$SPEED.bcg”.
Step (5) calls the TippTool solver seidel, a numerical solution engine implementing the Gauss-Seidel linear equation solver for Markov chains. It computes the equilibrium (steady-state) probabilities for the states of the Markov chain. From these probabilities, seidel calculates the transition throughputs for each Markov delay marked with a distinguished label. These labels have been incorporated into the transition system in step (4); they indicate a high (DISK_H), medium (DISK_M), or low (DISK_L) priority disk being active.
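The solution step can be reproduced on a small scale with an added example (written for this page; it is not the seidel tool nor any TippTool or Cadp code): a Gauss-Seidel solver for the equilibrium distribution of a labelled continuous-time Markov chain, plus the throughput of a labelled delay, computed as the sum over the transitions carrying that label of the source state's probability times the rate. The chain it solves is a constructed single-disk queue with a bounded number of places (an M/M/1/k birth-death chain), chosen because its closed form lets the solver's result be checked; the function names, the transition encoding and the rates are assumptions of the example.

```python
"""Gauss-Seidel steady-state solution of a labelled CTMC and throughput of a labelled delay.
Added example for this page (not the seidel solver); the chain below is constructed."""


def steady_state(n_states, transitions, tol=1e-10, max_sweeps=100_000):
    """Solve pi * Q = 0 with sum(pi) = 1 for a CTMC given as (source, target, rate, label)
    transitions.  One Gauss-Seidel sweep updates, for each state j,
        pi_j = sum_{i != j} pi_i * rate(i -> j) / (total rate leaving j)
    and uses every freshly updated pi_i as soon as it is available."""
    out_rate = [0.0] * n_states
    incoming = [[] for _ in range(n_states)]      # incoming[j] = [(i, rate of i -> j), ...]
    for src, dst, rate, _ in transitions:
        if src != dst:                            # self-loops do not affect the equilibrium
            out_rate[src] += rate
            incoming[dst].append((src, rate))
    if any(r == 0.0 for r in out_rate):
        raise ValueError("absorbing state: no unique equilibrium distribution")
    pi = [1.0 / n_states] * n_states
    for _ in range(max_sweeps):
        delta = 0.0
        for j in range(n_states):
            new = sum(pi[i] * rate for i, rate in incoming[j]) / out_rate[j]
            delta = max(delta, abs(new - pi[j]))
            pi[j] = new
        total = sum(pi)
        pi = [p / total for p in pi]              # renormalise after every sweep
        if delta < tol:
            return pi
    raise RuntimeError("Gauss-Seidel did not converge")


def throughput(pi, transitions, label):
    """Rate at which transitions carrying `label` fire in equilibrium."""
    return sum(pi[src] * rate for src, _, rate, lbl in transitions if lbl == label)


def disk_queue_chain(places, lam, mu):
    """Constructed chain: one disk whose input queue holds at most `places` commands, fed
    at rate lam (label LAMBDA) and serviced at rate mu (label DISK), i.e. an M/M/1/k
    birth-death chain.  State i = number of outstanding commands."""
    trans = []
    for i in range(places):
        trans.append((i, i + 1, lam, "LAMBDA"))
        trans.append((i + 1, i, mu, "DISK"))
    return places + 1, trans


def disk_queue_closed_form(places, lam, mu):
    """Textbook equilibrium of the same chain, pi_i proportional to (lam/mu)**i."""
    weights = [(lam / mu) ** i for i in range(places + 1)]
    total = sum(weights)
    return [w / total for w in weights]


if __name__ == "__main__":
    # rates per millisecond, in the range the SVL script sweeps (MU rate .4, LOAD up to .8)
    n, trans = disk_queue_chain(8, lam=0.4, mu=0.4)
    pi = steady_state(n, trans)
    print("disk throughput per ms:", throughput(pi, trans, "DISK"))
    print("queue full with probability", pi[-1])
```

Two consistency checks are worth keeping in mind when using any such solver: the solution must match a closed form where one exists, and in equilibrium the throughput of the arrivals that were accepted (LAMBDA transitions) must equal the throughput of the services (DISK transitions), since every accepted command is eventually serviced. The `ValueError` for an absorbing state is the practical counterpart of step (4) above: the stochastic branching bisimulation there removes nondeterminism precisely so that what reaches the solver is a Markov chain with a well-defined equilibrium.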
The largest state space produced during the execution of the Svl script is the Lts
generated from “scsi.lotos”, which has 56,169 states and 154,752 transitions. The size of
the Markov chains solved (i.e., files “res-*.bcg”) ranges from 10,666 to 17,852 states.
5 Concluding remarks
This report has presented a practical methodology for studying the performance of a con-
current system, starting from an already verified functional specification of this system.
Compared to prior works on stochastic Petri nets and stochastic process algebras, our ap-
proach is original in several respects:
- We have chosen not to design a new formalism to model stochastic systems, because the effort required to develop appropriate software tools would have been very high. Instead, we reuse a non-stochastic process algebra (Lotos), which we adapt to the stochastic framework by introducing a few additional operators (such as relabelling, restriction, time constraints, and minimisation). This approach provides the user with a high-level language (Lotos) to describe both control and data aspects (contrary to, e.g., the TippTool, which only supports a subset of Lotos without data structures). Furthermore, existing Lotos tools can be used to perform functional verification before undertaking performance analysis.
- To translate Lotos specifications into labelled transition systems, we use the Cæsar.adt and Cæsar compilers of the Cadp tool set. To perform relabelling, we also reuse an existing Cadp tool, Bcg Labels. Our major development effort is Bcg Min, an efficient tool implementing several minimisation algorithms for ordinary, stochastic, and probabilistic transition systems. Bcg Min plays a central role in connecting the Cadp tools to the stochastic setting, and supports the compositional approach proposed in [HK00], in which concurrent processes are generated, then minimised separately so as to handle large state spaces.
- In order to automate the performance studies, in which stochastic parameters are varied in multiple dimensions, we take advantage of the scripting language Svl. Originally developed for compositional verification of non-stochastic systems, Svl is also useful in the stochastic setting, and provides convenient means to integrate the various tools transparently.
We have presented an application of these principles to an industrial problem: the Scsi-2 bus arbitration protocol, which we managed to model elegantly using the expressiveness of Lotos multiway negotiated rendezvous. After verifying the functional correctness of the Lotos specification using the Cadp tools, we turned this specification into a performance model, which we analysed automatically by combining the Cadp tools and the solution engine of the TippTool. This performance study allowed us to quantify the unfairness of the Scsi-2 bus arbitration protocol, and to show how the respective disk throughputs depend on the Scsi number assigned to the controller. These results are in line with the experimental observations on the real Scsi-2 disk system.
As regards future work, more effort is foreseen on the model solution side. So far, we have resorted to the TippTool, but in the near future we shall investigate model checking approaches to Markov models, notably by linking the Etmcc Markov chain model checker [HKMKS00] to Cadp. Also, Mtbdd- or Kronecker-based Markov chain representations [KNS01, BCDK00] are promising directions to enable the analysis of even larger models, in combination with our compositional approach.
Acknowledgements
We are grateful to Massimo Zendri for bringing the Scsi-2 example to our attention, and
to Moëz Cherif (formerly at Inria/Vasy) for helping us to develop the Bcg Min tool. We
are also grateful to Frédéric Lang (Inria/Vasy) for his remarks about this report.
References
[ABC84] M. Ajmone Marsan, G. Balbo, and G. Conte. A Class of Generalized Stochastic Petri Nets for the Performance Evaluation of Multiprocessor Systems. ACM Transactions on Computer Systems, 2(2), May 1984.
[ANS94] ANSI. Small Computer System Interface-2. Standard X3.131-1994, American National Standards Institute, January 1994.
[BB88] Tommaso Bolognesi and Ed Brinksma. Introduction to the ISO Specification Language LOTOS. Computer Networks and ISDN Systems, 14(1):25–59, January 1988.
[BBA98] Lynne Blair, Gordon Blair, and Anders Andersen. Separating Functional Behaviour and Performance Constraints: Aspect-Oriented Specification. Distributed Multimedia Research Group Report MPG-98-07, Computing Department, Lancaster University, May 1998.
[BCDK00] P. Buchholz, G. Ciardo, S. Donatelli, and P. Kemper. Complexity of Memory-Efficient Kronecker Operations with Applications to the Solution of Markov Models. INFORMS Journal on Computing, 12(3):203–222, 2000.
[BCSS98] M. Bernardo, W.R. Cleaveland, S.T. Sims, and W.J. Stewart. TwoTowers: A Tool Integrating Functional and Performance Analysis of Concurrent Systems. In Proceedings of the 18th IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems FORTE’1998, 1998.
[Ber01] Didier Bert. Preuve de propriétés d’équité en B : Preuve de l’algorithme d’arbitrage du bus SCSI-3. In Rafael Marcano and Nicole Lévy, editors, Approches Formelles dans l’Assistance au Développement de Logiciels AFADL’2001 (Nancy, France), pages 221–241, Nancy, June 2001. ADER/LORIA.
[BG98] M. Bernardo and R. Gorrieri. A Tutorial on EMPA: A Theory of Concurrent Processes with Nondeterminism, Priorities, Probabilities and Time. Theoretical Computer Science, 202:1–54, 1998.
[dA98] L. de Alfaro. How to Specify and Verify the Long-Run Average Behavior of Probabilistic Systems. In Proceedings of the 13th Annual IEEE Symposium on Logic in Computer Science (LICS’98), pages 454–465, 1998.
[dMRV92] Jan de Meer, Rudolf Roth, and Son Vuong. Introduction to Algebraic Specifications Based on the Language ACT ONE. Computer Networks and ISDN Systems, 23(5):363–392, 1992.
[EM85] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification 1 — Equations and Initial Semantics, volume 6 of EATCS Monographs on Theoretical Computer Science. Springer Verlag, 1985.
[Fer86] D. Ferrari. Considerations on the Insularity of Performance Evaluation. IEEE Transactions on Software Engineering, SE–12(6):678–683, June 1986.
[Gar89] Hubert Garavel. Compilation of LOTOS Abstract Data Types. In Son T. Vuong, editor, Proceedings of the 2nd International Conference on Formal Description Techniques FORTE’89 (Vancouver B.C., Canada), pages 147–162. North-Holland, December 1989.
[GH94] S. Gilmore and J. Hillston. The PEPA Workbench: A Tool to Support a Process Algebra-Based Approach to Performance Modelling. In G. Haring and G. Kotsis, editors, 7th Int. Conf. on Modelling Techniques and Tools for Computer Performance Evaluation, Wien, May 1994.
[GHR93] N. Götz, U. Herzog, and M. Rettelbach. Multiprocessor and Distributed System Design: The Integration of Functional Specification and Performance Analysis Using Stochastic Process Algebras. In Tutorial Proc. of the 16th Int. Symposium on Computer Performance Modelling, Measurement and Evaluation, PERFORMANCE ’93. Springer, LNCS 729, 1993.
[GL01] Hubert Garavel and Frédéric Lang. SVL: a Scripting Language for Compositional Verification. In Myungchul Kim, Byoungmoon Chin, Sungwon Kang, and Danhyung Lee, editors, Proceedings of the 21st IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems FORTE’2001 (Cheju Island, Korea), pages 377–392. IFIP, Kluwer Academic Publishers, August 2001. Full version available as INRIA Research Report RR-4223.
[GLM01] Hubert Garavel, Frédéric Lang, and Radu Mateescu. An Overview of CADP 2001. Technical Report RT 254, INRIA, December 2001.
[GS90] Hubert Garavel and Joseph Sifakis. Compilation and Verification of LOTOS Specifications. In L. Logrippo, R. L. Probert, and H. Ural, editors, Proceedings of the 10th International Symposium on Protocol Specification, Testing and Verification (Ottawa, Canada), pages 379–394. IFIP, North-Holland, June 1990.
[GSL96] S. Graf, B. Steffen, and G. Lüttgen. Compositional Minimization of Finite State Systems using Interface Specifications. Formal Aspects of Computation, 8(5):607–616, September 1996.
[GvdP00] J.F. Groote and J. van de Pol. State Space Reduction using Partial τ-Confluence. In Mogens Nielsen and Branislav Rovan, editors, Proceedings of the 25th International Symposium on Mathematical Foundations of Computer Science MFCS’2000 (Bratislava, Slovakia), volume 1893 of Lecture Notes in Computer Science, pages 383–393, Berlin, August 2000. Springer Verlag. Also available as CWI Technical Report SEN-R0008, Amsterdam, March 2000.
[HBV93] O. Hjiej, A. Benzekri, and A. Valderruten. From Annotated LOTOS Specifications to Queueing Networks: Automating Performance Models Derivation. Decentralized and Distributed Systems, 1993.
[Her98] H. Hermanns. Interactive Markov Chains. PhD thesis, Universität Erlangen-Nürnberg, September 1998. Arbeitsberichte des IMMD 32/7, revision to appear in Springer LNCS.
[HHK+00] H. Hermanns, U. Herzog, U. Klehmet, V. Mertsiotakis, and M. Siegle. Compositional performance modelling with the TIPPtool. Performance Evaluation, 39(1–4):5–35, January 2000.
[HHK02] H. Hermanns, U. Herzog, and J.-P. Katoen. Process Algebra for Performance Evaluation. Theoretical Computer Science, 2002. To appear.
[Hil94] J. Hillston. The Nature of Synchronisation. In U. Herzog and M. Rettelbach, editors, Proc. of the 2nd Workshop on Process Algebras and Performance Modelling, pages 51–70, Regensberg/Erlangen, July 1994. Arbeitsberichte des IMMD, Universität Erlangen-Nürnberg.
[Hil96] J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996.
[HK00] H. Hermanns and J.P. Katoen. Automated Compositional Markov Chain Generation for a Plain-Old Telephony System. Science of Computer Programming, 36(1):97–127, January 2000.
[HKMKS00] H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, and M. Siegle. A Markov Chain Model Checker. In S. Graf and M. Schwartzbach, editors, TACAS’2000, pages 347–362, Berlin, 2000. Springer, LNCS 1785.
[Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.
[ISO88] ISO/IEC. LOTOS — A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour. International Standard 8807, International Organization for Standardization — Information Processing Systems — Open Systems Interconnection, Genève, September 1988.
[ISO01] ISO/IEC. Enhancements to LOTOS (E-LOTOS). International Standard 15437:2001, International Organization for Standardization — Information Technology, Genève, September 2001.
[KNS01] M. Kwiatkowska, G. Norman, and R. Segala. Automated Verification of a Randomised Distributed Consensus Protocol Using Cadence SMV and PRISM. In Proc. CAV’01. Springer, LNCS 2102, January 2001.
[Lan02] Frédéric Lang. Compositional Verification using SVL Scripts. In Joost-Pieter Katoen and Perdita Stevens, editors, Proceedings of the 8th International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS’2002 (Grenoble, France), volume 2280 of Lecture Notes in Computer Science, pages 465–469. Springer Verlag, April 2002.
[MBC+94] A. Marsan, A. Bianco, L. Ciminiera, R. Sisto, and A. Valenzano. A LOTOS Extension for the Performance Analysis of Distributed Systems. IEEE/ACM Transactions on Networking, 2(2):151–164, 1994.
[Mil80] Robin Milner. A Calculus of Communicating Systems, volume 92 of Lecture Notes in Computer Science. Springer Verlag, 1980.
[Mil89] Robin Milner. Communication and Concurrency. Prentice-Hall, 1989.
[Neu81] M.F. Neuts. Matrix-geometric Solutions in Stochastic Models – An Algorithmic Approach. The Johns Hopkins University Press, 1981.
[Par81] David Park. Concurrency and Automata on Infinite Sequences. In Peter Deussen, editor, Theoretical Computer Science, volume 104 of Lecture Notes in Computer Science, pages 167–183. Springer Verlag, March 1981.
[Put94] M.L. Puterman. Markov Decision Processes. Wiley, 1994.
[Ste94] W.J. Stewart. Introduction to the Numerical Solution of Markov Chains. Princeton University Press, 1994.
[Tur93] Kenneth J. Turner, editor. Using Formal Description Techniques – An Introduction to ESTELLE, LOTOS, and SDL. John Wiley, 1993.
[VSSB91] C. Vissers, G. Scollo, M. van Sinderen, and E. Brinksma. Specification Styles in Distributed Systems Design and Verification. Theoretical Computer Science, 89(1):179–206, 1991.
[Zen92] Massimo Zendri. Studio ed implementazione di un modello del bus SCSI. Laurea thesis, Politecnico di Milano, Facoltà di Ingegneria, Dipartimento di Elettronica, June 1992.