Root contention in IEEE 1394 by Stoelinga, M.I.A. & Vaandrager, F.W.
PDF hosted at the Radboud Repository of the Radboud University Nijmegen
For additional information about this publication click this link.
http://hdl.handle.net/2066/18760
Root Contention in IEEE 1394
M.I.A. Stoelinga, F.W. Vaandrager
Computing Science Institute, CSI-R9905, March 1999
Computing Science Institute Nijmegen
Faculty of Mathematics and Informatics
Catholic University of Nijmegen
Toernooiveld 1
6525 ED Nijmegen
The Netherlands

Mariëlle Stoelinga and Frits Vaandrager
Computing Science Institute, University of Nijmegen
P.O. Box 9010, 6500 GL Nijmegen, The Netherlands
{marielle,fvaan}@cs.kun.nl
Abstract. The model of probabilistic I/O automata of Segala and Lynch is used for the formal specification and analysis of the root contention protocol from the physical layer of the IEEE 1394 ("FireWire") standard. In our model of the protocol both randomization and real-time play an essential role. In order to make our verification easier to understand we introduce several intermediate automata in between the implementation and the specification automaton. This allows us to use very simple notions of refinement rather than the more general but also very complex simulation relations which have been proposed by Segala and Lynch.
Key words and phrases: IEEE 1394, leader election algorithms, communication protocols, probabilistic and distributed algorithms, formal verification, probabilistic and timed automata, probabilistic real-time systems.
AMS Subject Classification: 68Q10, 68Q22, 68Q60, 68Q75.
CR Subject Classification: C.2.2, C.3, F.1.2, K.1.
1 Introduction
Recently, the analysis of probabilistic, distributed algorithms and protocols has gained new attention. Various methods and formalisms have been extended with probabilities, and several case studies have been carried out using these formalisms, cf. [14,17].
This report verifies a small sub-protocol of IEEE 1394, called root contention. The IEEE 1394 high performance serial bus has been developed for interconnecting computer and consumer equipment such as multimedia PCs, digital cameras, VCRs, and CD players. The bus is "hot-pluggable", i.e. equipment can be added and removed at any time, and allows quick, reliable and inexpensive high-bandwidth transfer of digitized video and audio. Although originally developed by Apple (FireWire), the version documented in [9] has been accepted as a standard by IEEE in 1996. More than seventy companies, including Sun, Microsoft, Lucent Technologies, Philips, IBM, and Adaptec, have joined in the development of the IEEE 1394 bus, and related consumer electronics and software. Hence there is a good chance that IEEE 1394 will become the future standard for connecting digital multimedia equipment. Various parts of IEEE 1394 have been specified and/or verified formally, see for instance [5,11,12]. However, as far as we know, root contention has not.
Root contention in IEEE 1394 is a simple but realistic protocol that involves both real-time and randomization. The verification in this report is carried out in the probabilistic automaton model of Segala and Lynch [18,20]. Following the tradition, the correctness of the protocol is proven by establishing a probabilistic simulation between the implementation and the specification, both probabilistic automata.
The probabilistic simulation relations from [18,20] are rather complex. In order to simplify the simulation proofs, this report introduces the notions of probabilistic step refinement and of probabilistic hyperstep refinement. These are special cases of the simulations in [18,20].
The strategy followed in the simulation proof is the following. Given the protocol automaton Impl and the abstract specification Spec, we define three intermediate automata I1, I2, and I3. First, I1 abstracts from the message passing in Impl but keeps the same probabilistic choices and most of the timing information. Next, I2 abstracts from all the timing information in Impl, and I3 abstracts from the probabilistic choice in I2. The introduction of the intermediate automata allows us to separate our concerns. The simulation between Impl and I1 is easy from a probabilistic point of view and its proof mainly involves traditional, non-probabilistic techniques like proving invariants. The remaining simulations between automata I2, I3 and Spec deal with probabilistic choice, but since these automata are small this is not so difficult anymore.
This paper is organized as follows. After some mathematical preliminaries in Section 2, Section 3 introduces the probabilistic automaton model. Section 4 describes the root contention protocol, both informally and formally. Then Section 5 defines the intermediate automata and establishes the simulation relations. Finally, Section 6 presents the conclusions and some topics for future research.
2 Probability Distributions
This section recalls a few basic notions from probability theory and introduces some notation.
Definition 1. Let $I$ be an index set and let $x_i \in [0, \infty]$ for all $i \in I$. Define $\sum_{i \in I} x_i$ by
1. $\sum_{i \in \emptyset} x_i = 0$;
2. $\sum_{i \in I} x_i = x_{i_1} + x_{i_2} + \cdots + x_{i_n}$, if $I = \{i_1, i_2, \ldots, i_n\}$ is a finite set with $n > 0$ elements;
3. $\sum_{i \in I} x_i = \sup\{\sum_{i \in J} x_i \mid J \subseteq I \text{ and } J \text{ is finite}\}$, if $I$ is infinite.
Here $\sup X$ denotes the supremum of $X$. Notice that $\sum_{i \in \mathbb{N}} x_i$ is well defined by the third clause because the summation order is irrelevant, due to the fact that $x_i \geq 0$.
Definition 2. A probability distribution over a set $X$ is a function $\mu : X \to [0, 1]$ such that $\sum_{x \in X} \mu(x) = 1$. We write $\mathit{support}(\mu) = \{x \in X \mid \mu(x) > 0\}$. It follows from the definitions that this is a countable set. We denote the set of all probability distributions over $X$ by $\Pi(X)$.
We denote a probability distribution $\mu$ on a countable domain by enumerating it as a set of pairs. So, if $\mathit{Dom}(\mu) = \{x_1, x_2, \ldots\}$ then we denote $\mu$ by $\{x_1 \mapsto \mu(x_1), x_2 \mapsto \mu(x_2), \ldots\}$. If the domain of $\mu$ is known, then we often leave out elements of probability zero. For instance, the probability distribution assigning probability one to an element $x \in X$ is denoted by $\{x \mapsto 1\}$, irrespective of $X$. Such a distribution is called the Dirac distribution over $x$. The uniform distribution over a finite set with $n > 0$ elements, say $\{x_1, \ldots, x_n\}$, is given by $\{x_1 \mapsto \frac{1}{n}, \ldots, x_n \mapsto \frac{1}{n}\}$.
Definition 3. Let $X$ and $Y$ be sets, $\mu \in \Pi(X)$ and $\nu \in \Pi(Y)$. The product of $\mu$ and $\nu$, notation $\mu \times \nu$, is the probability distribution $\kappa : X \times Y \to [0, 1]$ satisfying $\kappa(x, y) = \mu(x) \cdot \nu(y)$.
Definition 4. Let $X$ and $Y$ be sets, $\mu \in \Pi(X)$ and $f : X \to Y$. The image of $\mu$ under $f$, notation $f^*(\mu)$, is the probability distribution $\nu \in \Pi(Y)$ satisfying
$$\nu(y) = \sum_{x \in f^{-1}(y)} \mu(x).$$
3 Probabilistic Automata
This section presents the model of probabilistic automata and two extensions, probabilistic I/O automata and timed probabilistic I/O automata. We assume that the reader is familiar with non-probabilistic (timed) automata and their simulation relations, see e.g. [13,15] for an introduction and for the notations used in this paper.
3.1 The Basic Model
This section recalls the basic probabilistic automaton model from [18,20], and introduces the notions of probabilistic step refinement and probabilistic hyperstep refinement.
Definition 5. A probabilistic automaton $A$ consists of four components:
1. A set $\mathit{states}_A$ of states.
2. A nonempty set $\mathit{start}_A \subseteq \mathit{states}_A$ of start states.
3. An action signature $\mathit{sig}_A = (\mathit{ext}_A, \mathit{int}_A)$, consisting of external and internal actions respectively; we define the set of actions as $\mathit{act}_A = \mathit{ext}_A \cup \mathit{int}_A$.
4. A transition relation $\mathit{trans}_A \subseteq \mathit{states}_A \times \mathit{act}_A \times \Pi(\mathit{states}_A)$.
We write $s \xrightarrow{a} \mu$ for $(s, a, \mu) \in \mathit{trans}_A$, and $s \xrightarrow{a} s'$ for $s \xrightarrow{a} \{s' \mapsto 1\}$.
Sometimes, a more general definition of probabilistic automata is given where $\mathit{trans}_A \subseteq \mathit{states}_A \times \Pi(\mathit{act}_A \times \mathit{states}_A)$. In this context the probabilistic automata from the definition are called simple probabilistic automata.
Definition 6. Let $A$ be a probabilistic automaton. The automaton $A^-$, the non-probabilistic variant of $A$, which behaves like $A$ but discards all probabilistic information, is defined by:
1. $\mathit{states}_{A^-} = \mathit{states}_A$.
2. $\mathit{start}_{A^-} = \mathit{start}_A$.
3. $\mathit{sig}_{A^-} = \mathit{sig}_A$.
4. $\mathit{trans}_{A^-} = \{(s, a, s') \mid \exists \mu : s \xrightarrow{a} \mu \wedge \mu(s') > 0\}$.
Define $\mathit{reach}_A$, the set of reachable states of $A$, to be the set of reachable states of $A^-$.
An execution (execution fragment, trace) of a probabilistic automaton $A$ is an execution (execution fragment, trace) of $A^-$. The set of executions (execution fragments, traces) and finite executions (execution fragments, traces) of $A$ are respectively denoted by $\mathit{execs}(A)$ ($\mathit{frags}(A)$, $\mathit{traces}(A)$) and by $\mathit{execs}^*(A)$ ($\mathit{frags}^*(A)$, $\mathit{traces}^*(A)$).
Definition 7. If $A$ is a probabilistic automaton and $X \subseteq \mathit{ext}_A$, then $\mathit{hide}(A, X)$ is the probabilistic automaton $(\mathit{states}_A, \mathit{start}_A, (\mathit{ext}_A \setminus X, \mathit{int}_A \cup X), \mathit{trans}_A)$.
Definition 8. We say that two probabilistic automata $A_1$ and $A_2$ are compatible if $\mathit{int}_{A_1} \cap \mathit{act}_{A_2} = \mathit{act}_{A_1} \cap \mathit{int}_{A_2} = \emptyset$. If $A_1$ and $A_2$ are compatible then their parallel composition, notation $A_1 \parallel A_2$, is the probabilistic automaton $A$ defined by:
- $\mathit{states}_A = \mathit{states}_{A_1} \times \mathit{states}_{A_2}$.
- $\mathit{start}_A = \mathit{start}_{A_1} \times \mathit{start}_{A_2}$.
- $\mathit{sig}_A = (\mathit{ext}_{A_1} \cup \mathit{ext}_{A_2}, \mathit{int}_{A_1} \cup \mathit{int}_{A_2})$.
- $\mathit{trans}_A$ is the set of triples $((s_1, s_2), a, \mu_1 \times \mu_2)$ such that for $i = 1, 2$, if $a \in \mathit{act}_{A_i}$ then $(s_i, a, \mu_i) \in \mathit{trans}_{A_i}$, otherwise $\mu_i = \{s_i \mapsto 1\}$.
Informally, within a composition two probabilistic automata synchronize on their common actions and evolve independently on others. Whenever synchronization occurs, the state reached is obtained by choosing a state independently for both automata.
Probabilistic Step Refinements. The simplest form of simulations between probabilistic automata that we consider are the probabilistic step refinements. These are mappings from the states of one automaton to the states of another automaton that preserve initial states and probabilistic transitions.
Definition 9. Let $A$ and $B$ be two probabilistic automata with $\mathit{ext}_A = \mathit{ext}_B$. A probabilistic step refinement from $A$ to $B$ is a function $r : \mathit{states}_A \to \mathit{states}_B$ such that:
1. for all $s \in \mathit{start}_A$, $r(s) \in \mathit{start}_B$;
2. for all steps $s \xrightarrow{a} \mu$ with $s \in \mathit{reach}_A$, one of the following conditions holds:
(a) $r(s) \xrightarrow{a}_B r^*(\mu)$, or
(b) $a \in \mathit{int}_A \wedge r(s) \xrightarrow{b}_B r^*(\mu)$, for some $b \in \mathit{int}_B$, or
(c) $a \in \mathit{int}_A \wedge r^*(\mu) = \{r(s) \mapsto 1\}$.
We write $A \sqsubseteq_{PSR} B$ if there is a probabilistic step refinement from $A$ to $B$. Note that condition 2(c) is equivalent to $a \in \mathit{int}_A \wedge \forall s' [\mu(s') > 0 \Rightarrow r(s') = r(s)]$.
Probabilistic Hyperstep Refinements. Probabilistic hyperstep refinements generalize the probabilistic step refinements introduced above. They are a special case of the probabilistic forward simulations of Segala and Lynch [18,20].
Definition 10. Let $X, Y$ be sets and $R \subseteq X \times \Pi(Y)$. The lifting of $R$ is the relation $R^{**} \subseteq \Pi(X) \times \Pi(Y)$ given by: $(\mu, \nu) \in R^{**}$ if and only if there is a choice function $r : \mathit{support}(\mu) \to \Pi(Y)$ for $R$, i.e., a function such that $(x, r(x)) \in R$ for all $x \in \mathit{support}(\mu)$, satisfying
$$\nu(y) = \sum_{x \in \mathit{support}(\mu)} \mu(x) \cdot r(x)(y).$$
The idea is that we obtain $\nu$ by choosing the probability distribution $r(x)$ with probability $\mu(x)$.
Example 1. Given a probabilistic automaton $A$ and an action $a \in \mathit{act}_A$, we can lift the relation $\xrightarrow{a}$ over $\mathit{states}_A \times \Pi(\mathit{states}_A)$ to the relation $\xrightarrow{a}{}^{**}$ over $\Pi(\mathit{states}_A) \times \Pi(\mathit{states}_A)$. For instance, if $s_1 \xrightarrow{a} \mu_1$, $s_2 \xrightarrow{a} \mu_2$ and $s_1 \neq s_2$, then
$$\{s_1 \mapsto \tfrac{1}{3}, s_2 \mapsto \tfrac{2}{3}\} \xrightarrow{a}{}^{**} \tfrac{1}{3} \cdot \mu_1 + \tfrac{2}{3} \cdot \mu_2.$$
Intuitively, if $s_1 \xrightarrow{a} \mu_1$, $s_2 \xrightarrow{a} \mu_2$ and the probability to be in $s_1$ is $\frac{1}{3}$ and to be in $s_2$ is $\frac{2}{3}$, then we choose the next state according to $\mu_1$ with probability $\frac{1}{3}$ and according to $\mu_2$ with probability $\frac{2}{3}$. If there is another $a$-transition, say $s_2 \xrightarrow{a} \nu$, then we can also choose the next state according to $\mu_1$ with probability $\frac{1}{3}$ and according to $\nu$ with probability $\frac{2}{3}$. Hence
$$\{s_1 \mapsto \tfrac{1}{3}, s_2 \mapsto \tfrac{2}{3}\} \xrightarrow{a}{}^{**} \tfrac{1}{3} \cdot \mu_1 + \tfrac{2}{3} \cdot \nu.$$
We do not have
$$\{s_1 \mapsto \tfrac{1}{3}, s_2 \mapsto \tfrac{2}{3}\} \xrightarrow{a}{}^{**} \tfrac{1}{3} \cdot \mu_1 + \tfrac{1}{3} \cdot \mu_2 + \tfrac{1}{3} \cdot \nu.$$
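As an added illustration of Definition 10 and Example 1 (this code is not part of the paper), the following Python enumerates every choice function for the $a$-steps of a small constructed automaton and thereby decides which target distributions the lifted relation admits; the states s1, s2 and the targets t1 to t4 are constructed, and a single $a$-step per state is what rules out the third combination.

```python
from fractions import Fraction
from itertools import product

# A distribution is a dict state -> Fraction that stores only its support.
# The a-labelled steps of an automaton are a dict state -> list of target
# distributions, one list entry for every step  s --a--> mu  available in s.

def convex(weighted):
    """Combination sum_k p_k * mu_k for pairs (p_k, mu_k)."""
    out = {}
    for p, mu in weighted:
        for y, q in mu.items():
            out[y] = out.get(y, Fraction(0)) + p * q
    return {y: q for y, q in out.items() if q > 0}

def lift_with_choice(mu, choice):
    """nu(y) = sum over x in support(mu) of mu(x) * choice[x](y)  (Definition 10)."""
    return convex([(p, choice[x]) for x, p in mu.items() if p > 0])

def lifted_targets(steps, mu):
    """Every nu with mu --a-->** nu: exactly ONE a-step is picked per state of support(mu)."""
    support = [x for x, p in mu.items() if p > 0]
    targets = []
    for picks in product(*[steps.get(x, []) for x in support]):
        nu = lift_with_choice(mu, dict(zip(support, picks)))
        if nu not in targets:
            targets.append(nu)
    return targets

def can_lift(steps, mu, nu):
    """Decide (mu, nu) in -->a** by brute force over the choice functions."""
    return nu in lifted_targets(steps, mu)

# Example 1 with constructed target states: s1 --a--> mu1, s2 --a--> mu2, s2 --a--> nu.
MU1 = {"t1": Fraction(1)}
MU2 = {"t2": Fraction(1)}
NU = {"t3": Fraction(1, 2), "t4": Fraction(1, 2)}
STEPS_A = {"s1": [MU1], "s2": [MU2, NU]}
START = {"s1": Fraction(1, 3), "s2": Fraction(2, 3)}   # the distribution {s1 -> 1/3, s2 -> 2/3}
```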
Definition 11. Let $A$ and $B$ be probabilistic automata with $\mathit{ext}_A = \mathit{ext}_B$. A probabilistic hyperstep refinement from $A$ to $B$ is a function $h : \mathit{states}_A \to \Pi(\mathit{states}_B)$ such that:
1. for all $s \in \mathit{start}_A$, $h(s) = \{s' \mapsto 1\}$ for some $s' \in \mathit{start}_B$;
2. for all steps $s \xrightarrow{a} \mu$ with $s \in \mathit{reach}_A$, one of the following conditions holds:
(a) $h(s) \xrightarrow{a}_B{}^{**} h^{**}(\mu)$, or
(b) $a \in \mathit{int}_A \wedge h(s) \xrightarrow{b}_B{}^{**} h^{**}(\mu)$, for some $b \in \mathit{int}_B$, or
(c) $a \in \mathit{int}_A \wedge h(s) = h^{**}(\mu)$.
Write $A \sqsubseteq_{PHSR} B$ if there is a probabilistic hyperstep refinement from $A$ to $B$.
Segala [18] describes the behavior of probabilistic automata in terms of trace distributions, and proposes inclusion of trace distributions, notation $\sqsubseteq_{TD}$, as an implementation relation between probabilistic automata that preserves safety properties. The following theorem states that probabilistic (hyper-)step refinements are a sound proof method for establishing trace distribution inclusion.
Theorem 1. Let $A$ and $B$ be probabilistic automata with $\mathit{ext}_A = \mathit{ext}_B$.
1. If $A \sqsubseteq_{PSR} B$ then $A \sqsubseteq_{PHSR} B$.
2. If $A \sqsubseteq_{PHSR} B$ then $A \sqsubseteq_{TD} B$.
Proof. For (1), suppose that $A \sqsubseteq_{PSR} B$. Then there exists a probabilistic step refinement $r$ from $A$ to $B$. Let $R : \mathit{states}_A \to \Pi(\mathit{states}_B)$ be given by $R(s) = \{r(s) \mapsto 1\}$. It is routine to check that $R$ is a probabilistic hyperstep refinement from $A$ to $B$. Use that
$$s \xrightarrow{a}_B \nu \;\Rightarrow\; \{s \mapsto 1\} \xrightarrow{a}_B{}^{**} \nu.$$
Hence $A \sqsubseteq_{PHSR} B$.
For (2), suppose that $A \sqsubseteq_{PHSR} B$. Then there exists a probabilistic hyperstep refinement $R$ from $A$ to $B$. We claim that $R$ is a probabilistic forward simulation in the sense of [18,20]. Now $A \sqsubseteq_{TD} B$ follows from the soundness result for probabilistic forward simulations, see Proposition 8.7.1 in [18]. For a simple, direct proof of (2) we refer to [22].
3.2 Probabilistic I/O Automata
This section defines the probabilistic I/O automaton model, an extension of probabilistic automata with a distinction between input and output actions, and with a notion of fair behavior.
Definition 12. A probabilistic I/O automaton $A$ is a probabilistic automaton enriched with
1. a partition of $\mathit{ext}_A$ into input actions $\mathit{in}_A$ and output actions $\mathit{out}_A$, and
2. a task partition $\mathit{tasks}_A$, which is an equivalence relation over $\mathit{out}_A \cup \mathit{int}_A$ with countably many equivalence classes.
We require that $A$ is input enabled, which means that for all $s \in \mathit{states}_A$ and all $a \in \mathit{in}_A$, there is a $\mu$ such that $s \xrightarrow{a} \mu$.
As probabilistic I/O automata are enriched probabilistic automata, we can use the notions of nonprobabilistic variant, reachable state, execution (fragment) and trace also for probabilistic I/O automata.
Definition 13. Let $A$ be a probabilistic I/O automaton. An execution $\alpha$ of $A$ is fair if the following conditions hold for each class $C$ of $\mathit{tasks}_A$:
1. If $\alpha$ is finite then $C$ is not enabled in the final state of $\alpha$.
2. If $\alpha$ is infinite, then $\alpha$ contains either infinitely many actions from $C$ or infinitely many occurrences of states in which no action in $C$ is enabled.
Similarly, a trace of $A$ is fair in $A$ if it is the trace of a fair execution of $A$. The sets of fair executions and fair traces of $A$ are denoted by $\mathit{fexecs}(A)$ and $\mathit{ftraces}(A)$ respectively.
Definition 14. Let $A$ and $B$ be probabilistic automata with $\mathit{ext}_A = \mathit{ext}_B$. Let $r$ be a mapping from $\mathit{states}_A$ to $\mathit{states}_B$. Then $r$ induces a relation $r \subseteq \mathit{frags}(A) \times \mathit{frags}(B)$ as follows: if $\alpha = s_0 a_1 s_1 \cdots \in \mathit{frags}(A)$, $I$ is the index set of $\alpha$, $\beta = t_0 b_1 t_1 \cdots \in \mathit{frags}(B)$ and $J$ is the index set of $\beta$, then $\alpha \, r \, \beta$ if and only if there is a surjective, nondecreasing index mapping $m : I \to J$, such that for all $i \in I$, $j \in J$,
1. $m(0) = 0$
2. $r(s_i) = t_{m(i)}$
3. if $i > 0$ then either of the following conditions holds
(a) $a_i = b_{m(i)} \wedge m(i) = m(i-1) + 1$, or
(b) $a_i \in \mathit{int}_A \wedge b_{m(i)} \in \mathit{int}_B \wedge m(i) = m(i-1) + 1$, or
(c) $a_i \in \mathit{int}_A \wedge m(i) = m(i-1)$.
In [17], fair trace distribution inclusion, notation $\sqsubseteq_{FTD}$, is proposed as an implementation relation between probabilistic I/O automata that preserves both safety and liveness properties.
Claim ([22]). Let $A$ and $B$ be probabilistic I/O automata. Let $r$ be a probabilistic step refinement from $A$ to $B$ that relates each fair execution of $A$ only to fair executions of $B$. Then $A \sqsubseteq_{FTD} B$.
3.3 Timed Probabilistic I/O Automata
Definition 15. A timed probabilistic I/O automaton $A$ is a probabilistic automaton enriched with a partition of $\mathit{ext}_A$ into input actions $\mathit{in}_A$, output actions $\mathit{out}_A$, and the set $\mathbb{R}_{>0}$ of positive real numbers or time-passage actions. We require (footnote 1) that, for all $s, s', s'' \in \mathit{states}_A$ and $d, d' \in \mathbb{R}_{>0}$ with $d' < d$,
1. $A$ is input enabled,
2. each step labelled with a time-passage action leads to a Dirac distribution,
3. (Time determinism) if $s \xrightarrow{d} s'$ and $s \xrightarrow{d} s''$ then $s' = s''$,
4. (Wang's axiom) $s \xrightarrow{d} s'$ iff $\exists s'' : s \xrightarrow{d'} s''$ and $s'' \xrightarrow{d - d'} s'$.
Footnote 1: For simplicity the conditions here are slightly more restrictive than those in [15].
As timed probabilistic I/O automata are enriched probabilistic automata, we can use the notions of nonprobabilistic variant, reachable state, and execution (fragment), also for timed probabilistic I/O automata.
We say that an execution $\alpha$ of $A$ is diverging if the sum of the time-passage actions in $\alpha$ diverges to $\infty$.
Definition 16. Let $A, B$ be probabilistic or timed probabilistic I/O automata. A function $r$ is a probabilistic (hyper)step refinement from $A$ to $B$ if $r$ is a probabilistic (hyper)step refinement from the underlying probabilistic automaton of $A$ to the underlying probabilistic automaton of $B$.
In [22], it is argued that, under certain assumptions (met by the automata studied in this paper), $\sqsubseteq_{TD}$ can be used as a safety and liveness preserving implementation relation between timed I/O automata. In addition, the relation $\sqsubseteq_{DFTD}$ is proposed as a safety and liveness preserving implementation relation between timed probabilistic I/O automata and probabilistic I/O automata.
Claim ([22]). Let $A$ be a timed probabilistic I/O automaton and let $B$ be a probabilistic I/O automaton. Let $r$ be a probabilistic step refinement from $\mathit{hide}(A, \mathbb{R}_{>0})$ to $B$ that relates each divergent execution of $A$ only to fair executions of $B$. Then $A \sqsubseteq_{DFTD} B$.
4 Description of the Protocol
The IEEE 1394 serial bus protocol has been designed for communication between multimedia equipment. In the IEEE 1394 standard, components connected to the bus are referred to as nodes. Each node has a number of ports which are used for bidirectional connections to (other) nodes. Each port has at most one connection.
The protocol has several layers, of which the physical layer is the lowest. Within this layer a number of phases are identified. The protocol enters the so-called tree identify phase whenever a bus reset occurs, for instance when a connection is added or removed. The task of this phase is to check whether the network topology is a tree and, if so, to elect a leader among the nodes in this tree.
This is done by constructing a spanning tree in the network and electing the root of the tree as leader. Informally, the basic idea of the protocol is as follows: leaf nodes send a "parent request" message to their neighbor. When a node has received a parent request from all but one of its neighbors it sends a parent request to its remaining neighbor. In this way the tree grows from the leaves to a root. If a node has received parent requests from all its neighbors, it knows that it has been elected as the root of the tree. It is possible that at the end of the tree identify phase two nodes send parent request messages to each other; this situation is called root contention. In this paper we will be concerned with the formal verification and analysis of the root contention protocol which is run in this case. After completion of the root contention protocol, one of the two nodes has become root of the network.
Lynch [13, p501] describes an abstract version of the tree identify protocol and suggests to elect the node with the larger unique identifier (UID) as the root in case of root contention. Since during the tree identify phase no UIDs are available (these will be assigned during a later phase of the physical layer protocol), a probabilistic algorithm has been chosen that is fully symmetric and does not require the presence of UIDs.
Let us, for simplicity, refer to the two contending nodes as node 1 and node 2. The timed probabilistic I/O automata describing the behavior of these nodes are given in Figure 1, using the IOA syntax of [6] extended with a simple form of probabilistic choice. Roughly, the protocol works as follows. When a node $i$ has detected root contention it first flips a coin (i.e., performs the action Flip(i)). If head comes up then it waits a short time, somewhere in the interval $[\delta_{\mathit{fast}}, \Delta_{\mathit{fast}}]$. If tail comes up then it waits a long time, somewhere in the interval $[\delta_{\mathit{slow}}, \Delta_{\mathit{slow}}]$. So $0 < \delta_{\mathit{fast}} < \Delta_{\mathit{fast}} < \delta_{\mathit{slow}} < \Delta_{\mathit{slow}}$. After the waiting period has elapsed, either no message from the contender has been received, or a parent request message has arrived. In the first case the node sends a request message to its contender (i.e., performs the action Send(i, req)); in the second case it sends an acknowledgement message (i.e., performs the action Send(i, ack)). As soon as a node has sent an acknowledgement it declares itself to be the root (via the action Root(i)), and whenever a node has received an acknowledgement it assumes that its contender will become root and it declares itself child (via the action Child(i)). If a node that has sent a request subsequently receives a request, then it concludes that there is root contention again, and the protocol starts all over again. The basic idea behind the protocol is that if the outcomes of the coin flips are different, the node with outcome tail (i.e., the slow one) will become root. And since with probability one the outcomes of the two coin flips will eventually be different, the root contention protocol will terminate (with probability one).
The timed probabilistic I/O automaton for node $i$ ($i = 1, 2$), displayed in Figure 1, has five state variables: variable status tells whether the node has become root, child, or whether its status is still unknown; variable coin records the outcome of the coin flip; variable snt records the last value (if any) that has been sent to the contender and may take values req, ack or ⊥; similarly rec records the last value that has been received (if any); variable x, finally, models the arbitration timer that records the time that has elapsed since root contention has been detected. We use two auxiliary functions mindelay and maxdelay from Toss to Reals given by, for $c \in \mathit{Toss}$,
mindelay(c) = if c = head then $\delta_{\mathit{fast}}$ else $\delta_{\mathit{slow}}$
maxdelay(c) = if c = head then $\Delta_{\mathit{fast}}$ else $\Delta_{\mathit{slow}}$
Now it should not be difficult to understand the precondition/effect style definitions in Figure 1, except maybe for the definition of the Time(d) transitions. This part states that time will not progress if the status of the node is unknown
type P = enumeration of 1, 2
type M = enumeration of ⊥, req, ack
type Status = enumeration of unknown, root, child
type Toss = enumeration of head, tail

automaton Node(i: P)
  states
    status : Status := unknown,
    coin : Toss,
    snt : M := req,
    rec : M := req,
    x : Reals := 0
  signature
    input Receive(const i, m: M) where m ≠ ⊥
    output Send(const i, m: M) where m ≠ ⊥
           Root(const i)
    internal Flip(const i),
             Child(const i)
    delay Time(d: Reals) where d > 0
  transitions
    internal Flip(i)
      pre status = unknown ∧ snt = req ∧ rec = req
      eff x := 0;
          snt := ⊥;
          rec := ⊥
    output Send(i, m)
      pre status = unknown ∧ snt = ⊥
          ∧ x ≥ mindelay(coin)
          ∧ m = if rec = ⊥ then req else ack
      eff snt := m
    input Receive(i, m)
      eff rec := m
    output Root(i)
      pre status = unknown ∧ snt = ack
      eff status := root
    internal Child(i)
      pre status = unknown ∧ rec = ack
      eff status := child
    delay Time(d)
      pre status = unknown ⇒
          (snt ≠ ack ∧ rec ≠ ack ∧ ¬(snt = req ∧ rec = req)
           ∧ (snt = ⊥ ⇒ x + d ≤ maxdelay(coin)))
      eff x := x + d
Fig. 1. Node automaton.
and (1) an acknowledgement has been sent, or (2) an acknowledgement has been received, or (3) a parent request has both been sent and received. In the first case the automaton will instantaneously perform a Root(i) action, in the second case it will perform a Child(i) action, and in the third case there is contention and the automaton will flip a coin (footnote 2). The last clause in the precondition of Time(d) enforces that a Send(i, m) action is performed within either $\Delta_{\mathit{fast}}$ or $\Delta_{\mathit{slow}}$ time after the coin flip (depending on the outcome). Once the status of the automaton has become root or child there are no more restrictions on time passage.
The two automata for node 1 and node 2 communicate via wires, which are modeled as the timed probabilistic automata Wire(1, 2) and Wire(2, 1) specified in Figure 2. We assume an upper bound $\Gamma >0$ on the communication delay.
automaton Wire(i: P, j: P)
  states
    msg : M := ⊥,
    x : Reals := 0
  signature
    input Send(const i, m: M) where m ≠ ⊥
    output Receive(const j, m: M) where m ≠ ⊥
    delay Time(d: Reals) where d > 0
  transitions
    input Send(i, m)
      eff msg := m;
          x := 0
    output Receive(j, m)
      pre m = msg
      eff msg := ⊥
    delay Time(d)
      pre msg ≠ ⊥ ⇒ x + d ≤ Γ
      eff x := x + d
Fig. 2. Wire automaton.
The full system can now be described as the parallel composition of the two node automata and the two wire automata, with all synchronization actions hidden (see Figure 3).
Impl = hide Send(i, m), Receive(i, m) for i : P, m : M in
         compose Node(1); Wire(1, 2); Node(2); Wire(2, 1)
Fig. 3. The full system.
Footnote 2: Note that in each of these three cases we abstract in our model from the computation time required to perform these actions.
Remark 1. As Segala [18] points out in his thesis, it would be useful to study the theory of receptiveness [19] in the context of randomization. As far as we know, nobody has taken up this challenge yet. Intuitively, an automaton is receptive if it does not constrain its environment, for instance by not accepting certain inputs or by preventing time to pass beyond a certain point. Behavior inclusion is used as an implementation relation in the I/O automata framework and we exclude trivial implementations by requiring that an implementation is receptive.
If we replace all probabilistic choices by nondeterministic choices in the automata of this section, then the resulting timed I/O automata are receptive in the sense of [19]. Even with a more restrictive definition of receptivity, in which we allow the environment to resolve all probabilistic choices, the automata of this section remain receptive.
5 Verification and Analysis
Of course the key correctness property of the root contention protocol which we would like to prove is that eventually exactly one node is designated as root. This correctness property is described by the two state probabilistic I/O automaton Spec of Figure 4. We will establish that Impl implements Spec, provided the following two constraints on the parameters are met:
$$\Gamma < \delta_{\mathit{fast}} \tag{1}$$
$$\Delta_{\mathit{fast}} + 2 \cdot \Gamma < \delta_{\mathit{slow}} \tag{2}$$
automaton Spec
  states
    done : Bool := false
  signature
    output Root(i: P)
  transitions
    output Root(i)
      pre done = false
      eff done := true
  tasks
    One block
Fig. 4. Specification.
Within our proof, we introduce three intermediate automata I1, I2 and I3, and prove that
$$\mathit{Impl} \sqsubseteq_{TD} I1 \sqsubseteq_{TD} I2 \sqsubseteq_{TD} I3 \sqsubseteq_{TD} \mathit{Spec}.$$
These results (or more precisely the refinements that are established in their proofs) are then used to obtain that
$$\mathit{Impl} \sqsubseteq_{TD} I1 \sqsubseteq_{DFTD} I2 \sqsubseteq_{FTD} I3 \sqsubseteq_{FTD} \mathit{Spec}.$$
I1 is a timed probabilistic I/O automaton, which abstracts from all the message passing in Impl, while preserving the probabilistic choices as well as most information about the timing of the Root(i) events. I2 is a probabilistic I/O automaton which is identical to I1, except that all real-time information has been omitted. In I3 the two coin flips from each node of the protocol are combined into a single probabilistic transition.
5.1 Invariants
We will show that there exists a probabilistic step refinement from Impl to an intermediate automaton I1. In order to establish a refinement, we first need to introduce a number of invariants for automaton Impl.
We use subscripts 1 and 2 to refer to the state variables of Node(1) and Node(2), respectively, and subscripts 12 and 21 to refer to the state variables of Wire(1, 2) and Wire(2, 1), respectively. So, x_1 denotes the clock variable of Node(1), x_12 the clock variable of Wire(1, 2), etc. Within formulas we further use the following abbreviations, for i ∈ P,
Cont(i) = snt_i = req ∧ (rec_i = req ∨ msg_ji = req)
Wait(i) = snt_i = rec_i = ⊥
δ_i = mindelay(coin_i)
Δ_i = maxdelay(coin_i)
Predicate Cont(i) states that node i has either detected contention (a request has both been sent and received) or will do so in the near future (the node has sent a request and will receive one soon). Predicate Wait(i) states that node i has flipped the coin and is waiting for the delay time to expire; no message has been received yet. State function δ_i gives the minimum delay time for node i, and state function Δ_i the maximum delay time (both state functions depend on the outcome of the coin flip).
We claim that assertions (3)-(19) below are invariants of automaton Impl.
x_i ≥ 0 (3)
status_i = unknown ∧ snt_i ≠ req ⇒ x_i ≤ (4)
snt_i = ack ⇒ x_i ≥ δ_i (5)
status_i = root ⇒ snt_i = ack (6)
status_i = child ⇒ rec_i = ack (7)
x_ij ≥ 0 (8)
msg_ij ≠ ⊥ ⇒ x_ij ≤ Γ (9)
(Cont(i) ⇔ Cont(j)) ⇒ |x_i − x_j| ≤ Γ (10)
Cont(i) ∧ ¬Cont(j) ⇒ Wait(j) ∧ msg_ij = ⊥ ∧ x_j ≤ Γ (11)
msg_ij ≠ ⊥ ⇒ rec_j = ⊥ (12)
msg_ij = ⊥ ⇒ snt_i = ⊥ ∨ rec_j ≠ ⊥ ∨ Cont(i) (13)
msg_ij = req ∧ ¬Wait(i) ⇒ snt_i = req ∧ snt_j ≠ ack ∧ δ_i ≤ x_i − x_ij ≤ Δ_i (14)
msg_ij = req ∧ Wait(i) ⇒ snt_j = req ∧ x_i ≤ x_ij (15)
snt_i = ⊥ ∧ rec_i = req ⇒ snt_j = req ∧ rec_j = ⊥ ∧ x_j ≥ δ_j (16)
rec_i = ack ⇒ snt_j = ack (17)
msg_ij = ack ⇒ snt_i = ack (18)
snt_i = ack ⇒ rec_i = snt_j = req ∧ rec_j ≠ req ∧ x_j ≥ δ_j (19)
Assertions (3)-(9) are local invariants, which can be proven straightforwardly for automata Node(i) and Wire(i, j) in isolation. Most of the time nodes 1 and 2 are either both in contention or both not in contention. Assertion (10) states that in these cases the values of the clocks of the two nodes differ by at most Γ. Assertion (11) expresses that the only case where node i is in contention but the other node j is not occurs when j has just flipped a coin but the request message that j sent to i has not yet arrived or been processed. If a channel contains a message then nothing has been received at the end of this channel (12). If the channel from i to j is empty then either no message has been sent into the channel at i, or a message has been received at j, or we have a situation where i is in contention and j has just flipped a coin and moved to a new phase (13). If the channel from i to j contains a request message then there are two possible cases. Either i has sent the message and is waiting for a reply (14), or there is contention and i has just flipped a coin (15). If i has received a request message without having sent anything, then j has sent this message but has not received anything (16). The last three invariants deal with situations where there is an acknowledgement somewhere in the system (17)-(19). In these cases the global state is almost completely determined: if an acknowledgement is in a channel or has been received then it has been sent, and if a node has sent an acknowledgement then it has received a request, which in turn has been sent by the other node.
The proofs of the following two lemmas are tedious but completely standard since they only refer to the non-probabilistic automaton Impl⁻. Detailed proofs can be obtained via URL http://www.cs.kun.nl/~fvaan/PAPERS/SVproofs.
Lemma 1. Suppose state s satisfies assertions (3)-(19) and s —Send(i, m)→ s'. Then s ⊨ msg_ij = rec_j = ⊥ and s' ⊨ Cont(i) ⇔ Cont(j).
Lemma 2. Assertions (3)-(19) hold for all reachable states of Impl.
Remark 2. The first constraint on the timing parameters (Γ < δfast) is used in the proof of Lemma 1 and ensures that there can never be two messages travelling in a wire at the same time. This property allows for a very simple model of the wires, in which a new message overwrites an old message. The constraint is not needed to prove the correctness of the algorithm. Nevertheless, since the constraint is implied by the standard, we decided to include it as an assumption in our analysis.
5.2 The First Intermediate Automaton
Intermediate automaton I1 is displayed in Figure 5. This probabilistic timed I/O automaton records the status for each of the two nodes to be either init, head, tail, or done. In addition I1 maintains a clock x to impose timing constraints between events. Apart from the delay action there are three actions: Flip(i), which corresponds to node i flipping a coin, Root(i), which corresponds to node i declaring itself to be the root, and Retry(c), which models the restart of the protocol in the case where the outcome of both coin flips is c. Node i performs a (probabilistic) Flip(i) action in its initial state. A Root(i) transition may occur if both nodes have flipped a coin and it is not the case that the outcome for i is head and for j tail. A Retry(c) transition may occur if both nodes have flipped c. Clock x is used to express that both nodes flip their coin within time Γ after the (re-)start of the protocol. In addition it ensures that subsequently (depending on the outcome of the coin flips) at least δfast − Γ or δslow − Γ time and at most Δfast or Δslow time will elapse before either a Root(i) or a Retry(c) action occurs.
Proposition 1. Impl ⊑TD I1. More specifically the conjunction, for i ∈ P, of
phase[i] = if status_1 = root ∨ status_2 = root then done else
           if Cont(i) then init else coin_i fi fi
x = if Cont(1) ∨ Cont(2) then min(x_12, x_21) else min(x_1, x_2)
determines a probabilistic step refinement from Impl to I1.
Proof. Routine. See http://www.cs.kun.nl/~fvaan/PAPERS/SVproofs.
Remark 3. The second constraint on the timing parameters (Δfast + 2·Γ < δslow) is used in the proof of Proposition 1 and ensures that contention may only occur if the outcomes of both coin flips are the same. This property is needed to prove termination of the algorithm (with probability 1).
automaton I1
  type Phase = enumeration of init, head, tail, done
  states
    phase : Array[P, Phase] := constant(init),
    x : Reals := 0
  signature
    output Root(i: P)
    internal Flip(i: P),
             Retry(c: Toss)
    delay Time(d: Reals) where d > 0
  transitions
    internal Flip(i)
      pre phase[i] = init
          if phase[next(i)] ≠ init then x := 0
    output Root(i)
      pre {phase[1], phase[2]} ⊆ {head, tail}
          ∧ ¬(phase[i] = head ∧ phase[next(i)] = tail)
          ∧ x ≥ mindelay(phase[i]) − Γ
      eff phase := constant(done)
    internal Retry(c)
      pre phase = constant(c)
          ∧ x ≥ mindelay(c)
      eff phase := constant(init);
          x := 0
    delay Time(d)
      pre init ∈ {phase[1], phase[2]} ⇒ x + d ≤ Γ
          ∧ {phase[1], phase[2]} ⊆ {head, tail} ⇒
              x + d ≤ max(maxdelay(phase[1]), maxdelay(phase[2]))
      eff x := x + d
Fig. 5. Intermediate automaton I1.
Remark 4. Figure 6 gives the values for some of the relevant parameters of the protocol as listed in the standard IEEE 1394 [9] and in the more recent draft standard IEEE 1394a [10]. Interestingly, the values in the two documents are different. Given our timing constraints (1) and (2), this leads to a maximum value for Γ of (0.57 − 0.26)/2 μs = 0.155 μs for IEEE 1394, and (1.60 − 0.80)/2 μs = 0.4 μs for the draft IEEE 1394a. With the maximal signal velocity of 5.05 ns/meter that is specified in both documents, this gives a maximum cable length of approximately 31 meter for IEEE 1394 and 79 meter for IEEE 1394a. However, these values should be viewed as upper bounds since within our model we have not taken into account the processing times of signals. IEEE 1394 specifies a maximum cable length of 4.5 meter.

Timing constant     Min (1394)  Max (1394)  Min (1394a)  Max (1394a)
ROOT_CONTENT_FAST   0.24 μs     0.26 μs     0.76 μs      0.80 μs
ROOT_CONTENT_SLOW   0.57 μs     0.60 μs     1.60 μs      1.64 μs
Fig. 6. Timing parameters.
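The following Python model is an added example and not code from the paper: it transcribes the preconditions and effects of I1 (Figure 5) into executable guards, instantiates mindelay/maxdelay with the Figure 6 values (head taken as the fast timing and tail as the slow one, as in Remark 6), and derives the bound on Γ of Remark 4 from constraints (1) and (2). The fair coin used for Flip(i) (that part of the effect is illegible in the scan), the node indices 0 and 1, the scheduler that always lets the maximal admissible time pass, and all function and parameter names are assumptions of this example.

```python
import random

# Timing parameters in microseconds, copied from Figure 6: coin -> (mindelay, maxdelay).
# "head" selects the fast timing and "tail" the slow timing (see Remark 6).
PARAMS_1394 = {"head": (0.24, 0.26), "tail": (0.57, 0.60)}
PARAMS_1394A = {"head": (0.76, 0.80), "tail": (1.60, 1.64)}


def gamma_bound(params):
    """Supremum of the wire delays Γ admitted by constraints (1) Γ < δfast and
    (2) Δfast + 2·Γ < δslow; both constraints are strict, so this value itself is excluded."""
    delta_fast, Delta_fast = params["head"]
    delta_slow, _ = params["tail"]
    return min(delta_fast, (delta_slow - Delta_fast) / 2)


def cable_length_m(gamma_us, ns_per_m=5.05):
    """Cable length over which a one-way delay of gamma_us μs is reached at 5.05 ns/m."""
    return gamma_us * 1000.0 / ns_per_m


def enabled(phase, x, params, gamma):
    """Discrete actions of I1 (Figure 5) enabled in state (phase, x); nodes are indexed 0 and 1."""
    acts = [("Flip", i) for i in (0, 1) if phase[i] == "init"]
    both_flipped = set(phase) <= {"head", "tail"}
    for i in (0, 1):
        j = 1 - i
        if (both_flipped and not (phase[i] == "head" and phase[j] == "tail")
                and x >= params[phase[i]][0] - gamma):
            acts.append(("Root", i))
    if both_flipped and phase[0] == phase[1] and x >= params[phase[0]][0]:
        acts.append(("Retry", phase[0]))
    return acts


def max_time_step(phase, x, params, gamma):
    """Largest d for which Time(d) is enabled, from the two bounds in its precondition."""
    if "init" in phase:
        return gamma - x
    if set(phase) <= {"head", "tail"}:
        return max(params[phase[0]][1], params[phase[1]][1]) - x
    return float("inf")          # after Root(i) time may pass freely


def apply(phase, x, act, rng):
    """Effect clauses of Figure 5; returns the new clock value (phase is updated in place)."""
    kind, arg = act
    if kind == "Flip":
        phase[arg] = rng.choice(["head", "tail"])   # assumed: a fair coin flip
        if phase[1 - arg] != "init":
            x = 0.0
    elif kind == "Root":
        phase[:] = ["done", "done"]
    elif kind == "Retry":
        phase[:] = ["init", "init"]
        x = 0.0
    return x


def run(params, gamma, seed=1, max_rounds=100):
    """Explore I1 with a scheduler that lets the maximal admissible time pass and then
    picks an enabled action at random; report how the contention was resolved."""
    rng = random.Random(seed)
    phase, x, elapsed, retries = ["init", "init"], 0.0, 0.0, 0
    for _ in range(4 * max_rounds):          # a round needs at most four discrete steps
        d = max_time_step(phase, x, params, gamma)
        x, elapsed = x + d, elapsed + d
        act = rng.choice(enabled(phase, x, params, gamma))   # non-empty once time has passed
        coins = list(phase)
        x = apply(phase, x, act, rng)
        if act[0] == "Retry":
            retries += 1
        elif act[0] == "Root":
            return {"winner": act[1], "coins": coins, "retries": retries, "elapsed": elapsed}
    return None


def legal_winner(result):
    """Root(i) must never be taken when node i flipped head and the other node tail."""
    i, coins = result["winner"], result["coins"]
    return not (coins[i] == "head" and coins[1 - i] == "tail")


if __name__ == "__main__":
    for name, p in (("IEEE 1394", PARAMS_1394), ("IEEE 1394a", PARAMS_1394A)):
        g = gamma_bound(p)
        print(f"{name}: Γ < {g:.3f} μs, cable length < {cable_length_m(g):.0f} m")
    print(run(PARAMS_1394, 0.1, seed=7))
```

With the IEEE 1394 values gamma_bound yields 0.155 μs and with the 1394a values 0.4 μs, the figures of Remark 4; the constraint (2) term is the binding one in both cases. The run function only explores one scheduler, so it exercises the guards rather than proving anything about I1.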
Remark 5. In [16] it is claimed that if both nodes happen to select slow timing or if both nodes select fast timing, contention results again. This is incorrect. In automaton I1 each of the two nodes may become root if both nodes happen to select the same timing delay. This may also occur within a real-world implementation of the protocol: if in the implementation the timing parameters of one node are close to their minimum values, in the other node close to their maximum values, and if the communication delay is small, then it may occur that a message of node i arrives at node j before the timing delay of node j has expired. In fact, by instantiating the timing parameters differently in different devices (for instance via some random mechanism!) one may reduce the expected time to resolve contention. Unfortunately, a more detailed analysis of this phenomenon falls outside the scope of this paper.
Remark 6. Another way in which the performance of the protocol could be improved is by repeatedly polling the input during the timing delay, rather than checking it only at the end. We suggest that, if the process receives a request when the timing delay has not yet expired, then it immediately sends an acknowledgement (and declares itself root). If the process has not received a request during the timing delay, then it sends a request and proceeds as in the current implementation. In a situation where node i flips head and selects a timing delay of δfast and the other node j flips tail and selects a timing delay of Δslow, our version elects a leader within at most δfast + 3Γ, whereas in the current version this upper bound is Δslow + 3Γ.
5.3 The Second Intermediate Automaton
In Figure 7 the second intermediate automaton I2 is described. I2 is a probabilistic I/O automaton that is identical to I1 except that all real-time information has been abstracted away; instead a (trivial) task partition is included. The proof of the following Proposition 2 is easy: the projection function π from I1 to I2 trivially is a probabilistic step refinement (after hiding of the time delays).
Proposition 2. I1 ⊑TD I2.
Proposition 3. If α ∈ execs(I1) is diverging and π relates α and β, then β is fair.
The result formulated in Proposition 3 above follows from the fact that a diverging execution of I1 either contains infinitely many Retry actions, or contains an infinite suffix with a Root(i) transition followed by an infinite number of delay transitions. Now the claim at the end of Section 3.3 implies I1 ⊑DFTD I2.

automaton I2
  states
    phase : Array[P, Phase] := constant(init)
  signature
    output Root(i: P)
    internal Flip(i: P),
             Retry(c: Toss)
  transitions
    internal Flip(i)
      pre phase[i] = init
    output Root(i)
      pre {phase[1], phase[2]} ⊆ {head, tail}
          ∧ ¬(phase[i] = head ∧ phase[next(i)] = tail)
      eff phase := constant(done)
    internal Retry(c)
      pre phase = constant(c)
      eff phase := constant(init)
  tasks
    One block
Fig. 7. Intermediate automaton I2.

5.4 The Third Intermediate Automaton
Figure 8 gives the IOA code for the probabilistic I/O automaton I3. This automaton abstracts from I2 since it only has a single probabilistic transition. Within automaton I3, init is the initial state and done is the final state in which a root has been elected. The remaining states win1, win2, same correspond to situations in which both processes have flipped but no leader has been elected yet. The value win_i indicates that the results are different and the outcome of i equals tail. In state same both coin flips have yielded the same result.

automaton I3
  type Loc = enumeration of init, win1, win2, same, done
  states
    loc : Loc := init
  signature
    output Root(i: P)
    internal Flips,
             Retry
  transitions
    internal Flips
      pre loc = init
      eff loc := win1 with probability 1/4,
                 win2 with probability 1/4,
                 same with probability 1/2
    output Root(i)
      pre loc ∈ {win_i, same}
      eff loc := done
    internal Retry
      pre loc = same
      eff loc := init
  tasks
    One block
Fig. 8. Intermediate automaton I3.
Proposition 4. I2 ⊑TD I3. More specifically, the following function r from (reachable) states of I2 to discrete probability spaces over states of I3 is a probabilistic hyper step refinement from I2 to I3 (we represent a state with a list containing the values of its variables):
r(init, init) = {init ↦ 1}
r(head, init) = {win2 ↦ 1/2, same ↦ 1/2}
r(init, head) = {win1 ↦ 1/2, same ↦ 1/2}
r(tail, init) = {win1 ↦ 1/2, same ↦ 1/2}
r(init, tail) = {win2 ↦ 1/2, same ↦ 1/2}
r(head, head) = {same ↦ 1}
r(tail, tail) = {same ↦ 1}
r(head, tail) = {win2 ↦ 1}
r(tail, head) = {win1 ↦ 1}
r(done, done) = {done ↦ 1}
The proofs of the following Propositions 5 and 6 can be found in [21]. These proofs are the only places in our verification where nontrivial probabilistic reasoning takes place: establishing ⊑FTD basically amounts to proving that the probabilistic mechanism in the protocol ensures termination with probability 1. Note that the automata involved are all very simple: I2 has 10 states, I3 has 5 states, and Spec has 2 states.
Proposition 5. I2 ⊑FTD I3.
Proposition 6.
1. I3 ⊑TD Spec. More specifically, the function determined by the predicate done ⇔ loc = done is a probabilistic step refinement from I3 to Spec.
2. I3 ⊑FTD Spec.
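As an added example, not taken from the paper or from [21], the following Python code enumerates the 10 reachable states of I2 (Figure 7) and the transitions of I3 (Figure 8), checks that the function r of Proposition 4 relates their steps, and computes on I3 the probability that no root has been elected after a given number of rounds, which is the termination-with-probability-1 fact behind Propositions 5 and 6. The matching condition implemented here, namely that every I2 step lifted through r either leaves r(s) unchanged or, when r(s) is a point distribution on some loc, equals the result of one I3 step from loc with the corresponding label, is a simplified reading of hyper step refinement that suffices for these two automata; the fair coin for Flip(i) (which the probabilities 1/4, 1/4, 1/2 of Figure 8 presuppose), the worst-case scheduler that always retries from same, and all function names are this example's assumptions.

```python
from fractions import Fraction

HALF = Fraction(1, 2)

# The function r of Proposition 4 as a table: state of I2 -> distribution over Loc of I3.
R = {
    ("init", "init"): {"init": Fraction(1)},
    ("head", "init"): {"win2": HALF, "same": HALF},
    ("init", "head"): {"win1": HALF, "same": HALF},
    ("tail", "init"): {"win1": HALF, "same": HALF},
    ("init", "tail"): {"win2": HALF, "same": HALF},
    ("head", "head"): {"same": Fraction(1)},
    ("tail", "tail"): {"same": Fraction(1)},
    ("head", "tail"): {"win2": Fraction(1)},
    ("tail", "head"): {"win1": Fraction(1)},
    ("done", "done"): {"done": Fraction(1)},
}


def i2_steps(s):
    """Transitions of I2 (Figure 7) from state s as (action, distribution over successors).
    Nodes are indexed 0 and 1; Flip(i) is assumed to be a fair coin."""
    steps = []
    for i in (0, 1):
        if s[i] == "init":
            dist = {}
            for c in ("head", "tail"):
                t = list(s)
                t[i] = c
                dist[tuple(t)] = HALF
            steps.append((("Flip", i), dist))
    both = set(s) <= {"head", "tail"}
    for i in (0, 1):
        if both and not (s[i] == "head" and s[1 - i] == "tail"):
            steps.append((("Root", i), {("done", "done"): Fraction(1)}))
    if both and s[0] == s[1]:
        steps.append((("Retry", s[0]), {("init", "init"): Fraction(1)}))
    return steps


def i3_steps(loc):
    """Transitions of I3 (Figure 8) from location loc."""
    steps = []
    if loc == "init":
        steps.append(("Flips", {"win1": Fraction(1, 4), "win2": Fraction(1, 4), "same": HALF}))
    for i in (0, 1):
        if loc in ("win%d" % (i + 1), "same"):
            steps.append((("Root", i), {"done": Fraction(1)}))
    if loc == "same":
        steps.append(("Retry", {"init": Fraction(1)}))
    return steps


def lift(dist):
    """Push a distribution over I2 states through r: the sum over s' of dist(s') * r(s')."""
    out = {}
    for s, p in dist.items():
        for loc, q in R[s].items():
            out[loc] = out.get(loc, Fraction(0)) + p * q
    return out


def reachable_i2():
    seen, todo = set(), [("init", "init")]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            for _, dist in i2_steps(s):
                todo.extend(dist)
    return seen


def i3_label(action):
    """I2's internal Flip(i) and Retry(c) are matched by I3's internal Flips and Retry."""
    return {"Flip": "Flips", "Retry": "Retry"}.get(action[0], action)


def check_step_refinement():
    """True iff every I2 step, lifted through r, is invisible in I3 (equals r(s)) or,
    for r(s) a point distribution on loc, equals the result of one matching I3 step from loc."""
    for s in reachable_i2():
        for action, dist in i2_steps(s):
            target = lift(dist)
            if target == R[s]:
                continue
            if len(R[s]) != 1:
                return False
            (loc,) = R[s]
            if not any(lab == i3_label(action) and d == target for lab, d in i3_steps(loc)):
                return False
    return True


def prob_undecided_after(rounds):
    """Probability on I3, under the scheduler that always takes Retry from 'same'
    (worst case for termination), that no root is elected after the given number of rounds."""
    dist = {"init": Fraction(1)}
    for _ in range(rounds):
        nxt = {}
        for loc, p in dist.items():
            if loc == "same":                 # Retry brings I3 back to init, then Flips
                loc = "init"
            if loc == "init":
                for t, q in i3_steps("init")[0][1].items():
                    nxt[t] = nxt.get(t, Fraction(0)) + p * q
            else:                             # win1/win2: only Root(i) is enabled
                nxt[loc] = nxt.get(loc, Fraction(0)) + p
        dist = nxt
    return dist.get("init", Fraction(0)) + dist.get("same", Fraction(0))
```

The lifted Flip(1) step from (init, init) yields the distribution {win1 ↦ 1/4, win2 ↦ 1/4, same ↦ 1/2} of I3's Flips, while the second Flip from a half-flipped state lifts to r(s) itself, which is why I3 needs only one probabilistic transition. The undecided probability halves with every round, so the contention is resolved with probability 1 regardless of how the Root/Retry nondeterminism in same is resolved.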
6 Concluding Remarks
In order to make our verification easier to understand, we introduced three auxiliary automata in between the implementation and the specification automaton. We also used the simpler notion of probabilistic (hyper)step refinement rather than the more general but also complex simulation relations (especially in the timed case!) which have been proposed by Segala and Lynch [18,20]. The complexity of the definitions in [18,20] is mainly due to the fact that a single step in one machine can in general be simulated by a sequence of steps in the other machine with the same external behavior. In the probabilistic case this means that a probabilistic transition in one machine can be simulated by a tree-like structure in the other machine. In the simulations that we use in this paper, a single transition in one machine is simulated by at most one transition in the other machine. In our case study we were able to carry out the correctness proof by using only probabilistic (hyper)step refinements. However, it is easy to come up with counterexamples which show that this is not possible in general. Griffioen and Vaandrager [7] introduce various notions of normed simulations and prove that these notions together constitute a complete proof method for establishing trace inclusion between (nonprobabilistic, untimed) automata. In normed simulations a single step in one machine is always simulated by at most one step in the other machine. We think that it is possible to come up with a complete method for proving trace distribution inclusion between probabilistic automata by defining probabilistic versions of the normed simulations of [7].
For timed automata, trace inclusion is in general not an appropriate implementation relation. In [15] the coarser notion of timed trace inclusion is advocated instead. Similarly, [18] suggests the notion of timed trace distribution inclusion as an implementation relation between probabilistic timed automata. Since trace distribution inclusion implies timed trace distribution inclusion, and the two preorders coincide for most practical cases, we prefer to use the much simpler proof techniques for trace distribution inclusion.
The idea to introduce auxiliary automata in a simulation proof has been studied in many papers, see for instance [1]. The verification reported in this paper indicates that the introduction of auxiliary automata can be very useful in the probabilistic case: it allowed us to first deal with the nonprobabilistic and real-time behavior of the protocol, basically without being bothered by the complications of randomization; nontrivial probabilistic analysis was only required for automata with 10 states or less.
As a final remark we would like to point out that the root contention protocol which we discussed in this paper is essentially finite state. It is therefore an interesting challenge for tool builders to analyze this protocol fully automatically. Most of the verification effort in our case study was not concerned with randomization at all, but just consisted of standard invariant proofs. In fact, one could use existing tools for the analysis of timed automata such as Uppaal [3], Kronos [4] and HyTech [8] to check these invariants. It would be especially interesting to derive the constraints on the timing parameters fully automatically (at the moment only HyTech [8] can do parametric analysis). Tool support will be essential for the analysis of more detailed models of the protocol in which also computation delays have been taken into account.
Acknowledgement
We thank Judi Romijn for her explanation of some subtle points in IEEE 1394, and for her constructive criticism on early versions of our I/O automata model.
References
1. M. Abadi and L. Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2):253-284, 1991.
2. R. Alur, T.A. Henzinger, and E.D. Sontag, editors. Hybrid Systems III, volume 1066 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
3. J. Bengtsson, K.G. Larsen, F. Larsson, P. Pettersson, and Wang Yi. UPPAAL: a tool suite for the automatic verification of real-time systems. In Alur et al. [2], pages 232-243.
4. C. Daws, A. Olivero, S. Tripakis, and S. Yovine. The tool Kronos. In Alur et al. [2], pages 208-219.
5. M.C.A. Devillers, W.O.D. Griffioen, J.M.T. Romijn, and F.W. Vaandrager. Verification of a leader election protocol — formal methods applied to IEEE 1394. Technical Report CSI-R9728, Computing Science Institute, University of Nijmegen, December 1997. Submitted.
6. S.J. Garland, N.A. Lynch, and M. Vaziri. IOA: A language for specifying, programming, and validating distributed systems, September 1997. Available through URL http://larch.lcs.mit.edu:8001/~garland/ioaLanguage.html.
7. W.O.D. Griffioen and F.W. Vaandrager. Normed simulations. In A.J. Hu and M.Y. Vardi, editors, Proceedings of the 8th International Conference on Computer Aided Verification, Vancouver, BC, Canada, volume 1427 of Lecture Notes in Computer Science, pages 332-344. Springer-Verlag, June/July 1998.
8. T.A. Henzinger and P.-H. Ho. HyTech: The Cornell HYbrid TECHnology Tool. In U.H. Engberg, K.G. Larsen, and A. Skou, editors, Proceedings of the Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Aarhus, Denmark, volume NS-95-2 of BRICS Notes Series, pages 29-43. Department of Computer Science, University of Aarhus, May 1995.
9. IEEE Computer Society. IEEE Standard for a High Performance Serial Bus. Std 1394-1995, August 1996.
10. IEEE Computer Society. P1394a Draft Standard for a High Performance Serial Bus (Supplement). Draft 2.0, March 1998.
11. L. Kühne, J. Hooman, and W.P. de Roever. Towards mechanical verification of parts of the IEEE P1394 serial bus. In I. Lovrek, editor, Proceedings of the 2nd International Workshop on Applied Formal Methods in System Design, Zagreb, pages 73-85, 1997.
12. S.P. Luttik. Description and formal specification of the Link layer of P1394. In I. Lovrek, editor, Proceedings of the 2nd International Workshop on Applied Formal Methods in System Design, Zagreb, pages 43-56, 1997. Also available as Report SEN-R9706, CWI, Amsterdam. See URL http://www.cwi.nl/~luttik/.
13. N.A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, Inc., San Francisco, California, 1996.
14. N.A. Lynch, I. Saias, and R. Segala. Proving time bounds for randomized distributed algorithms. In Proceedings of the 13th Annual ACM Symposium on the Principles of Distributed Computing, pages 314-323, Los Angeles, CA, August 1994.
15. N.A. Lynch and F.W. Vaandrager. Forward and backward simulations, II: Timing-based systems. Information and Computation, 128(1):1-25, July 1996.
16. MindShare, Inc. and D. Anderson. FireWire System Architecture: IEEE 1394. Addison Wesley, 1998.
17. A. Pogosyants, R. Segala, and N.A. Lynch. Verification of the randomized consensus algorithm of Aspnes and Herlihy: a case study. In M. Mavronicolas and Ph. Tsigas, editors, Proceedings of 11th International Workshop on Distributed Algorithms (WDAG'97), Saarbrücken, Germany, September 1997, volume 1320 of Lecture Notes in Computer Science, pages 111-125. Springer-Verlag, 1997. Also, Technical Memo MIT/LCS/TM-555, Laboratory for Computer Science, Massachusetts Institute of Technology.
18. R. Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, June 1995. Available as Technical Report MIT/LCS/TR-676.
19. R. Segala, R. Gawlick, J.F. Sogaard-Andersen, and N.A. Lynch. Liveness in timed and untimed systems. Information and Computation, 141(2):119-171, March 1998.
20. R. Segala and N.A. Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, 2(2):250-273, 1995.
21. M.I.A. Stoelinga. Gambling for leadership: Root contention in IEEE 1394. Technical Report CSI-R9904, Computing Science Institute, University of Nijmegen, 1999.
22. M.I.A. Stoelinga and F.W. Vaandrager. Root contention in IEEE 1394. In J.-P. Katoen, editor, Proceedings of the 5th AMAST Workshop on Real-Time and Probabilistic Systems, Bamberg, Germany, volume 1601 of Lecture Notes in Computer Science. Springer-Verlag, 1999.
