A Model Checking Approach to Protocol Conversion
Roopak Sinha a,1, Partha S Roop a,2, Samik Basu b,3
a Electrical and Computer Engineering
University of Auckland
Auckland, New Zealand
b Department of Computer Science
Iowa State University
Ames, USA
Abstract
System-on-chip veriﬁcation is an active research area. Of particular interest is protocol conversion, where
two components with diﬀerent protocols are controlled to communicate accurately. We present an approach
to protocol conversion using model checking. The temporal logic ACTL is used to describe desired behaviour
and ﬁnite state machines are used for protocol description. We use tableau-based converter construction and
prove that a converter exists only when a successful tableau can be constructed. Liveness is incorporated so
that converters satisfy additional constraints on protocol communication. A NuSMV-based implementation
has been created and we present results on various problems including a large NuSMV example.
Keywords: model checking, protocol conversion, protocol mismatches
1 Introduction
A System-on-a-chip (SoC) integrates components of a computer system into a single
chip with various hardware and software components connected using a central bus
such as AMBA [8]. SoC veriﬁcation is an active area of interest and veriﬁcation
strategies are based on data-ﬂow and/or control-ﬂow analysis of the system. The
focus of this paper is protocol conversion for mismatched protocols [13]. Although
physical connectivity (interconnection using physical channels) between components
can generally be achieved, logical connectivity, where processes communicate in the
desired fashion, cannot always be guaranteed [13]. A mismatch occurs when processes
fail to be logically connected. The aim of protocol conversion is to synthesize
extra glue-logic, called a converter, to control mismatched protocols to reconcile
mismatches. A converter can control the communication between protocols by employing
strategies such as event hiding [13], event translation [5] and inhibition [16].
The automatic generation of a converter is known as converter synthesis whereas
convertibility verification focuses on establishing whether protocols are mismatched
and whether a converter exists. Fig. 1 gives an overview of protocol conversion
where a converter controls two protocols P1 and P2 to satisfy given specifications.
1 Email: rsin077@ec.auckland.ac.nz
2 Email: p.roop@auckland.ac.nz
3 Email: sbasu@cs.iastate.edu
Electronic Notes in Theoretical Computer Science 203 (2008) 81–94
1571-0661 © 2008 Elsevier B.V.
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2008.05.012
Open access under CC BY-NC-ND license.
[Figure omitted: a converter placed between protocols P1 and P2 and driven by the specifications.]
Fig. 1. Protocol conversion
We present a technique using model checking for automatically synthesizing a
converter. Protocols, in our setting, are represented using Kripke Structures (KS) [7]
and the desired properties of the combined protocols are represented using temporal
logic ACTL, a branching time temporal logic with universal path quantiﬁers. The
logic is particularly interesting and relevant for protocol conversion as mismatches
in protocols must be addressed for every path of their KS descriptions. Given two
KSs P1 and P2 and a set of desired properties in ACTL, Ψ, the protocol conversion
via converter synthesis problem (illustrated in Fig. 1) is equivalent to checking for
the existence of a converter under which the protocols satisfy all formulas in Ψ.
Central to our technique is the construction of a tableau where satisfaction
of Ψ by the protocols and the converter is deﬁned in terms of the satisfaction
of its subformulas (similar to [2]). The tableau construction also results in the
synthesis of a converter as the protocol-composition states are explored along with
the subformulas of the desired property. The technique leads to local and on-the-ﬂy
construction of the converter, one where the state-space of the protocols and the
subformulas of the property are explored and expanded as and when needed. In fact,
in the event there exists no converter, i.e., the protocols cannot be matched (hard
mismatch [10]), our tableau-based technique can potentially identify the failure
without exploring the state-space that is irrelevant for failure inference.
The main contributions of this paper are summarized as follows:
• We present a temporal logic based formulation for protocol conversion where
temporal logic formulas in ACTL are used to specify the desired communication
between participating protocols.
• A tableau-based technique for identifying a converter, if one exists, as a glue-logic
between composed protocols to reconcile the protocol mismatches and ensure that
the desired speciﬁcations are satisﬁed. The tableau is sound and complete and
the converter, thus synthesized, is correct by construction.
• The tableau-based technique describes a local and on-the-ﬂy algorithm for con-
verter synthesis—one where the state-space of the protocols being composed are
explored only as and when needed to prove or disprove the existence of a converter.
The algorithm is polynomial in the size of the participating protocols and
the given speciﬁcations.
The rest of this paper is organized as follows. We summarize works related to our
approach in section 2 and provide a motivating example in section 3. The problem
of protocol conversion is described in section 4 and we provide our proposed tableau-
based protocol-conversion approach in section 5. Section 7 presents implementation
results with concluding remarks in section 8.
2 Related Work
A number of techniques have been developed to address the problem of protocol
conversion using a wide range of formal and informal settings with varying degrees
of automation—projection approach [13], quotienting [5], conversion seeds [15], syn-
chronization [17], supervisory control theory [11], to name a few. Some techniques,
like converters for protocol gateways [3] and interworking networks [4], rely on ad
hoc solutions. Some approaches, like protocol conversion based on conversion seeds
[15] and protocol projections [13], require signiﬁcant user expertise and guidance
during converter construction. While this problem has been studied in a number
of formal settings [10,13,15,17], only recently have some formal veriﬁcation based
solutions been proposed [16,8,11,9].
The closest to our approach are [16,8]. In [16], the authors present an approach
towards protocol conversion using ﬁnite state machines to represent participating
protocols as well as speciﬁcations employing a game-theoretic framework to generate
a converter. This solution is restricted only to protocols with half-duplex commu-
nication between them. D’Silva et al [8] present synchronous protocol automata
to allow formal protocol speciﬁcation and matching, as well as converter synthesis.
The matching criteria between protocols are based on whether events are blocking
or non-blocking and no additional speciﬁcations can be used. The approach allows
model checking only as an auxiliary veriﬁcation step to ensure that conversion is
correct.
In contrast to the above techniques, we use temporal logic to represent desired
functionality of the combined protocols. Being based on temporal logic, our tech-
nique can deﬁne desired properties succinctly and with a higher-level of granularity.
For example: a desired behavior of the combination may be sequencing of events
such that event a in protocol P1 always happens before event b in P2. Also, as our
technique is based on the (tableau-based) model checking algorithm, the converter
synthesized is correct by construction.
The presented approach is similar to the synthesis of discrete controllers with
temporal logic and Control-D system [1]. However, the approach in [1] generates
controllers that can only perform disabling, i.e., transitions in the underlying system
can be disabled that lead to the eventual failure of given CTL formulas. Additionally,
the approach does not handle liveness properties. On the other hand, converters
generated using our approach not only perform disabling, but they can also buﬀer
events for later use in the communication of the protocols. Additionally, the synthesized
converters can generate extra control signals expected as input by one
protocol but not emitted by the other, in order to lead the communication between
the protocols to states that conform to given specifications.
[Figure omitted. (a) Producer P1: states s0 (Idle), s1 (R_Out), s2 (Error), s3 (D_Out); events req, ack, T. (b) Consumer P2: states t0 (Idle), t1 (Req_In), t2 (D_In); events req, ack, T′.]
Fig. 2. The producer-consumer protocol pair. (a) Producer P1, (b) Consumer P2.
3 Illustrative Example
We motivate our approach using the following example. Fig. 2 shows the com-
munication protocols of two devices, a producer and a consumer, which need to
communicate with each other. In its initial state s0, the producer protocol P1 emits
a request (req) and makes a transition to state s1. In s1, an acknowledge input
(ack) is expected immediately. In case ack is not available, a transition to the error
state s2 is made. In case ack is available, a transition to state s3 is made where one
packet of data is produced (denoted by the D_Out label). From s3, the producer
resets back to its initial state s0.
The consumer protocol P2 operates as follows. In its initial state t0, the consumer
awaits a request from the producer protocol. Once a request is received, a transition
to state t1 is made. In state t1, an acknowledge signal ack is emitted and a transition
to state t2 is made. In t2, a packet of data is read (denoted by the label D_In) and
a transition back to the initial state is made. Note that an event a represents an
input whereas ā represents an output. We specify their desired behaviour using the
following ACTL formulas:
(i) AG ¬Error: The communication never enters a state labelled by Error.
(ii) AG [D_Out ⇒ (D_In ∨ AX A(¬D_Out U D_In))]: Each data packet emitted
by the producer is read by the consumer before another data packet is emitted
(no loss).
Given the producer-consumer protocol pair in Fig. 2, it is possible that the
unrestricted behavior of the protocols may lead to states that fail to satisfy the
above properties. We formalize our solution to resolve these issues in the following
sections.
4 Preliminaries
Model of Protocols: Kripke Structures.
Protocols are described using Kripke structures as follows:
Definition 4.1 [Kripke Structure] A Kripke structure (KS) is a finite state machine
represented by a tuple 〈AP, S, s0, Σ, R, L〉 where AP is a set of atomic
propositions; S is a finite set of states; s0 ∈ S is the initial state; Σ is a finite set
of events; R ⊆ S × Σ × S is the transition relation; and L : S → 2^AP is the state
labelling function.
We consider that the transitions in a Kripke structure trigger with respect to a
clock. At each clock cycle, the KS checks for the presence of input/output events
that can trigger a transition from the current state. If no input/output triggers are
present, the transition using the event T (or T ′) is made. In case there is no T or
T′-transition, the protocol remains in the current state. The relations (s, a, s′) ∈ R
will be represented by $s \xrightarrow{a} s'$. Given two KSs P1 and P2 using a shared clock, their
combined behavior is given by their parallel composition as follows:
Definition 4.2 [Parallel Composition] Given two Kripke structures P1 = 〈AP1, S1,
s01, Σ1, R1, L1〉 and P2 = 〈AP2, S2, s02, Σ2, R2, L2〉, their parallel composition,
denoted by P1||P2, is 〈AP1||2, S1||2, s01||2, Σ1||2, R1||2, L1||2〉 where AP1||2 = AP1 ∪ AP2;
S1||2 = S1 × S2; s01||2 = (s01, s02); and Σ1||2 ⊆ Σ1 × Σ2. R1||2 ⊆ S1||2 × Σ1||2 × S1||2
such that
$$(s_1 \xrightarrow{\sigma_1} s_1') \wedge (s_2 \xrightarrow{\sigma_2} s_2') \Rightarrow \big((s_1, s_2) \xrightarrow{(\sigma_1,\sigma_2)} (s_1', s_2')\big)$$
Finally, L1||2((s1, s2)) = L1(s1) ∪ L2(s2).
We restrict the scope of this paper to protocols that can be represented as
deterministic Kripke structures only. A Kripke structure is deterministic if and
only if for all states s, the number of outgoing transitions on any event a is at
most one. The parallel composition of P1 and P2 in Fig. 2 (assuming a shared
clock) is P1||P2 and is shown in Fig. 3.
Model of Speciﬁcations.
ACTL is a branching time temporal logic with universal path quantiﬁers. It is
deﬁned over a set of propositions using temporal and boolean operators as follows:
Ψ → P | ¬P | tt | ff | Ψ ∧ Ψ | Ψ ∨ Ψ | AXΨ | A(Ψ U Ψ) | AGΨ
The semantics of an ACTL formula ϕ, denoted by [[ϕ]]_M, is given in terms of the set of
states of a Kripke structure (or a KS) M which satisfy the formula (see Fig. 4).
A state s ∈ S is said to satisfy an ACTL formula ϕ, denoted by M, s ⊨ ϕ, if s ∈ [[ϕ]]_M.
Typically, the context of the semantics, i.e., M in [[ ]]_M, is implicit and omitted. We
also say that M ⊨ ϕ to indicate M, s0 ⊨ ϕ. In this paper, we restrict ourselves to
formulas where negations are applied to propositions only.
[Figure omitted: the twelve states (i, j) of P1||P2, i a producer state and j a consumer state, each labelled by the union of the two component labels (e.g. (0,0): Idle, Idle; (1,1): R_Out, Req_In; (2,2): Error, D_In; (3,2): D_Out, D_In), with transitions on event pairs such as (req,req), (req,T′), (T,req), (T,ack), (ack,ack), (ack,T′) and (T,T′).]
Fig. 3. Unrestricted composition of producer-consumer protocol pair: P1||P2.
1: $[[p]] = \{s \mid p \in L(s)\}$
2: $[[\neg p]] = \{s \mid p \notin L(s)\}$
3: $[[tt]] = S$
4: $[[ff]] = \emptyset$
5: $[[\varphi \wedge \psi]] = [[\varphi]] \cap [[\psi]]$
6: $[[\varphi \vee \psi]] = [[\varphi]] \cup [[\psi]]$
7: $[[AX\varphi]] = \{s \mid \forall s \rightarrow s' \wedge s' \in [[\varphi]]\}$
8: $[[A(\varphi\,U\,\psi)]] = \{s \mid \forall s = s_1 \rightarrow s_2 \rightarrow \ldots \wedge \exists j.\ s_j \in [[\psi]] \wedge \forall i < j.\ s_i \in [[\varphi]]\}$
9: $[[AG\varphi]] = \{s \mid \forall s = s_1 \rightarrow s_2 \rightarrow \ldots \wedge \forall i.\ s_i \in [[\varphi]]\}$
Fig. 4. Semantics of ACTL
4.1 Protocol Converters
The composition P1||P2 (Fig. 3) represents the unconstrained behaviour of the
protocols including undesirable paths introduced due to mismatches. A converter
is needed to bridge the mismatches appropriately. In this section, we introduce
converters and also the control actions of a converter (such as event blocking, event
buﬀering and generation of extra signals) by introducing a new composition of the
participating protocols with the converter.
Deﬁnition 4.3 [Converter] A converter C for two protocols P1 and P2 is a Kripke
structure 〈APC , SC , sC0, ΣC , RC , LC〉 such that APC = ∅ and ΣC = (Σ1×Σ2)∪{(∗, ∗)}.
In the above, the event-element (∗, ∗) is a wild-card event tuple, short-hand
form of denoting any event-pairs from Σ1 ∪ Σ2. The composition of a converter
with the protocols is performed using the following rule: inputs to (outputs from) a
protocol are outputs from (inputs to) the converter, i.e., the participating protocols
communicate via the converter which acts as an intermediary. Input and output on
the same event are duals and we will say that D(a, b) evaluates to true if a = σ (resp. σ̄)
and b = σ̄ (resp. σ) or if either a and/or b is the wildcard event ∗. We extend D to
operate on pairs of signals, where D((a, b), (c, d)) evaluates to true iﬀ both D(a, c)
and D(b, d) evaluate to true.
After establishing the i/o relationship between a converter and the participating
protocols, we now deﬁne the control of a converter over the protocols using the //
operator as follows.
Definition 4.4 [Lock-Step Converter Composition] Given the KS P1||P2 = 〈AP1||2,
S1||2, s01||2, Σ1||2, R1||2, L1||2〉 and a converter C = 〈APC, SC, sC0, ΣC, RC, LC〉,
the lock-step composition C//(P1||P2) = 〈AP1||2, SC//(1||2), s0C//1||2, Σ1||2, RC//(1||2),
LC//(1||2)〉 such that:
(i) SC//(1||2) ⊆ SC × S1||2;
(ii) s0C//1||2 = (s0C, s0(1||2));
(iii) RC//(1||2) ⊆ SC//(1||2) × Σ1||2 × SC//(1||2), where $s_{C//(1||2)} \xrightarrow{(\sigma_1,\sigma_2)} s'_{C//(1||2)} \in R_{C//(1||2)}$ when
$$\left[\; s_C \xrightarrow{(\sigma^c_1,\sigma^c_2)} s'_C \;\wedge\; s_{1||2} \xrightarrow{(\sigma_1,\sigma_2)} s'_{1||2} \;\wedge\; D(\sigma^c_1, \sigma_1) \wedge D(\sigma^c_2, \sigma_2) \;\right] \Rightarrow s_{C//(1||2)} \xrightarrow{(\sigma_1,\sigma_2)} s'_{C//(1||2)}$$
(iv) LC//(1||2)(sC, s1||2) = L1||2(s1||2)
The transition relation of the protocols composed with a converter ensures that
protocols move only when the converter allows that move. As such the lock-step
composition // is diﬀerent from unrestricted composition (Deﬁnition 4.2).
5 Tableau-Based Protocol Conversion
Protocol conversion, in addition to reconciling the mismatches, also requires that
certain desired behavior is exhibited by the composition of the participating proto-
cols. These desired functionalities are described by a set of ACTL formulas. We will
denote this set as Ψ. The converter synthesis problem for protocol conversion is,
therefore,
$$\exists C : \forall \varphi \in \Psi : C//(P_1||P_2) \overset{?}{\models} \varphi$$
I.e. is there a converter C for P1 and P2 such that the given protocols in the presence
of C conform to all the properties defined by formulas in Ψ?
We present a tableau-based technique for performing protocol conversion using
ACTL speciﬁcations. This technique has the following advantages:
(i) Local exploration of state-space of the protocols: the protocol transition sys-
tems are explored as and when needed to prove or disprove the existence of a
converter.
(ii) On-the-ﬂy synthesis of converter: generation of the tableau results in the gen-
eration of a converter if such a converter exists.
(iii) Sound and complete: a converter generated using the tableau is correct by
construction.
The tableau rules are of the following form:
$$\frac{c//s \models \Psi}{c_1//s_1 \models \Psi_1 \quad \ldots \quad c_n//s_n \models \Psi_n}$$
where s is a state in P1||P2 and s1, s2, . . . , sn are a function of s, while c1, c2, . . . , cn
are the states of the converter to be generated. Similarly, Ψ is the set of formulas to
be satisﬁed by s whereas Ψ1,Ψ2, . . . ,Ψn are some derivatives of Ψ. The numerator
represents the obligation to be satisﬁed, i.e., s in the presence of a converter state
c must satisfy the set of formulas in Ψ and in order to realize that, each obligation
in the denominator must be fulﬁlled.
The tableau is initiated by a tableau-node resulting from the composition of
the start state of the unrestricted composition of P1 and P2 and a generated start
state c0 of a possible converter. The construction proceeds by matching the current
tableau-node with the numerator of a tableau rule and obtaining the denominator
which constitutes the next set of tableau-nodes. Fig. 5 presents our tableau-rules
for converter synthesis and protocol conversion.
The rule emp corresponds to the case when there is no obligation to be satisﬁed
by the composition; any converter is possible in this case, i.e., the converter allows
all possible behavior of the protocol composition at state s.
The prop rule states that a converter is synthesizable only when the obligation of
satisfying the proposition is released by the protocol composition state s; otherwise
there exists no converter. Once the propositional obligation is met, the subsequent
obligation is to satisfy the rest of the formulas in the set Ψ.
The ∧-rule states that the satisfaction of the conjunctive formula depends on
the satisfaction of each of the conjuncts. The ∨-rules are the duals of ∧-rule. The
Rule unrau depends on the semantics of the temporal operator AU. A state is said to
satisfy A(ϕ U ψ) if and only if it either satisﬁes ψ or satisﬁes ϕ and evolves to new
states each of which satisﬁes A(ϕ U ψ). These equivalences can be directly derived
from the semantics of AU formulas. Similarly, AGϕ is satisﬁed by states which satisfy
ϕ and whose all next states satisfy AGϕ (Rule unrag).
Finally, unrs is applied when the formula set in the numerator Ψ consists of formulas
of the form AXϕ. Satisfaction of these formulas demands that all next states
of c//s must satisfy every ϕ where AXϕ ∈ Ψ, i.e., c//s satisfies all elements of
Ψ_AX.
$$\textsf{emp}\quad \frac{c//s \models \{\}}{\bullet}$$
$$\textsf{prop}\quad \frac{c//s \models [\{p\} \cup \Psi]}{c//s \models \Psi}\quad p \in L(s) \;\vee\; {\models} p$$
$$\wedge\quad \frac{c//s \models [\{\varphi_1 \wedge \varphi_2\} \cup \Psi]}{c//s \models [\{\varphi_1, \varphi_2\} \cup \Psi]}$$
$$\vee_1\quad \frac{c//s \models [\{\varphi_1 \vee \varphi_2\} \cup \Psi]}{c//s \models [\{\varphi_1\} \cup \Psi]}\qquad \vee_2\quad \frac{c//s \models [\{\varphi_1 \vee \varphi_2\} \cup \Psi]}{c//s \models [\{\varphi_2\} \cup \Psi]}$$
$$\textsf{unrau}\quad \frac{c//s \models [\{A(\varphi\,U\,\psi)\} \cup \Psi]}{c//s \models [\{\psi \vee (\varphi \wedge AX\,A(\varphi\,U\,\psi))\} \cup \Psi]}$$
$$\textsf{unrag}\quad \frac{c//s \models [\{AG\varphi\} \cup \Psi]}{c//s \models [\{\varphi \wedge AX\,AG\varphi\} \cup \Psi]}$$
$$\textsf{unrs}\quad \frac{c//s \models \Psi}{\exists \pi \subseteq \Pi.\ (\forall \sigma \in \pi.\ c_\sigma//s_\sigma \models \Psi_{AX})}\qquad \text{where } \Psi_{AX} = \{\varphi_k \mid AX\varphi_k \in \Psi\},\ \Pi = \{\sigma \mid s \xrightarrow{\sigma} s_\sigma\},\ c_\sigma = c' : c \xrightarrow{\sigma'} c' \wedge D(\sigma, \sigma')$$
Fig. 5. Tableau Rules for converter generation
Note that unrestricted behavior of the protocol (where c allows all the transitions
from s) may not be able to satisfy this obligation; however, a converter can be
generated such that c allows a subset (π) of all possible transitions (Π) from s and
these transitions lead to states which satisfy the formulas in ΨAX (as stated by the
unrs rule). If there are k outgoing transitions from s, there are 2^k choices; however,
the tableau considers k choices (one for each successor) and unrs leads to k possible
denominators, one denominator per transition from s. These choices can then be
aggregated to represent all enabled transitions of s. Any denominators that return
failure result in the corresponding successors of s being disabled by the converter.4
4 However, instead of examining all possible subsets, it is sufficient for the converter state c to allow just
one transition from s such that c′//s′ satisfies all formulas in Ψ_AX, although such a converter may be too
restrictive.
Finitizing the tableau.
It is important to note that the resulting tableau can be of infinite depth as each
recursive formula expression AU or AG can be unfolded infinitely many times.
This problem arising due to unbounded unfolding of the formula expressions can
be addressed using the fixed point semantics of the formulas AGϕ and A(ϕ U ψ). The
former is a greatest fixed point formula while the latter is a least fixed point formula.
$$AG\varphi \equiv Z_{AG} =_\nu \varphi \wedge AX\,Z_{AG}, \qquad A(\varphi\,U\,\psi) \equiv Z_{AU} =_\mu \psi \vee (\varphi \wedge AX\,Z_{AU})$$
The greatest (least) solution for Z_AG (Z_AU) is the semantics of AGϕ (A(ϕ U ψ)). It can be shown
(details are omitted) that satisfaction of the greatest ﬁxed point formula is realized
via loops in the model; while satisfaction of the least ﬁxed point formula demands
the existence of a loop-free tableau. As such, if a tableau-node c′//s |= Ψ is visited
and there exists a prior node c//s |= Ψ i.e. the same tuple s paired with the same Ψ
is seen in a tableau path, we verify whether there exists a least ﬁxed point formula
AU in Ψ; if such a formula is present, we say that the tableau path resulted in an
unsuccessful path; otherwise, we terminate the tableau path successfully and equate
c′ with c (a loop in the converter is generated).
Complexity.
The tableau considers all possible subformulas of the given set of desired prop-
erties. Each such subformula is paired with all possible states in the protocol-pair.
The complexity of the tableau construction is O(|S| × 2^{|ϕ|}) where S is the number of
states in the protocol pairs and |ϕ| is the size of the formula expressing the desired
properties (the conjunction of all properties).
The following theorem follows from the above discussion.
Theorem 5.1 (Sound and Complete) Two protocols P1 and P2 are compatible
with respect to a set Ψ of ACTL formulas (∀ϕ ∈ Ψ : C//(P1||P2) ⊨ ϕ) if and only if there
exists a successful tableau for the tableau node c0//s0 ⊨ Ψ, where s0 is the start
state of P1||P2 and c0 is the start state of C.
6 Live Converters
For two protocols P1 and P2 and a set of ACTL speciﬁcations Ψ, the tableau-based
approach formulated above can generate multiple converters. This is because the
rules ∨ and unrs may lead to several choices for constructing the tableau-node
denominator. Some of the generated converters, therefore, may disable protocol-
behavior and lead to conformance of the desired property vacuously. For example,
properties of the form φ ⇒ ψ will be satisﬁed by the converted protocol pairs if φ
is not satisﬁed.
To counter this situation, we can impose further restrictions on converter gen-
eration by including liveness conditions that need to be satisﬁed by the resulting
system C//(P1||P2). Such liveness conditions can be defined using ACTL and used as
input to the tableau along with the desired properties. The goal is to avoid the construction
of converters that lead to violation of liveness properties by the converted
protocols.
[Figure omitted: the seven states of C//(P1||P2), annotated i(j,k): 0(0,0), 1(1,1), 2(3,2), 3(3,1), 4(0,1), 5(1,2) and 6(3,0), with transitions on event pairs such as (req,req), (T,req), (req,ack), (ack,ack), (ack,T′) and (T,T′).]
Fig. 6. The combined system C//(P1||P2) (Figures 2 and 3).
For the producer-consumer example, we use the following liveness conditions:
• AGA(true U D_In), AGA(true U D_Out): C must allow the producer to always
eventually write data and the consumer to always eventually consume some
data.
• AG[D_Out ⇒ (D_In ∨ AXA(¬R_Out U D_In))]: Once data is written, no further
requests are allowed before a read operation is performed.
The combined system C//(P1||P2) is shown in Fig. 6. The converter C obtained for
the producer-consumer example is a maximally permissive converter that ensures
that C//(P1||P2) satisﬁes the above liveness constraints. For better readability in
Fig. 6, we have annotated each state with i(j, k) where i denotes the state of the
generated converter while j and k are states of P1 (producer) and P2 (consumer)
respectively.
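The tableau of Fig. 5 with the finitization test of Section 5, run on the producer-consumer pair, as an added example written here in Python (it is not the paper's NuSMV-based tool). It covers the parallel composition of Definition 4.2, the tableau rules, and the vacuity point of this section: property (ii) alone admits a converter that steers the pair into Error states, while adding (i) and a liveness condition removes them, and (i) together with AG ¬D_Out has no converter at all. It assumes that the producer's Error state stays put on T and that the idle consumer loops on T′ (the text does not give these transitions), and records the converter as the event pairs it allows at each tableau node.

```python
"""Tableau-based converter synthesis for the producer-consumer pair of Fig. 2.
Added example, not the paper's NuSMV tool.  P1 and P2 are deterministic Kripke
structures (Def. 4.1) composed as in Def. 4.2; the converter is returned as the
P1||P2 transitions it allows at each tableau node c//s |= Psi (Def. 4.4)."""
from itertools import product

# Kripke structure = (labelling, {state: {event: next state}}, initial state).
# Producer P1 (Fig. 2a).  ASSUMPTION: the Error state s2 stays in s2 on T; the
# paper's text does not say how s2 is left.
P1 = ({0: {"Idle"}, 1: {"R_Out"}, 2: {"Error"}, 3: {"D_Out"}},
      {0: {"req": 1}, 1: {"ack": 3, "T": 2}, 2: {"T": 2}, 3: {"T": 0}}, 0)
# Consumer P2 (Fig. 2b).  ASSUMPTION: t0 idles on T' until a req arrives.
P2 = ({0: {"Idle"}, 1: {"Req_In"}, 2: {"D_In"}},
      {0: {"req": 1, "T'": 0}, 1: {"ack": 2}, 2: {"T'": 0}}, 0)

# ACTL formulas as tuples; negation is applied to propositions only (Sec. 4).
def P(p):      return ("p", p)
def N(p):      return ("not", p)
def AND(f, g): return ("and", f, g)
def OR(f, g):  return ("or", f, g)
def AX(f):     return ("AX", f)
def AG(f):     return ("AG", f)
def AU(f, g):  return ("AU", f, g)
TT = ("tt",)

def compose(ks1, ks2):
    """Unrestricted composition P1||P2 (Def. 4.2, shared clock): states are
    pairs, labels are unions, and every event pair (sigma1, sigma2) is taken."""
    (l1, r1, i1), (l2, r2, i2) = ks1, ks2
    label, trans = {}, {}
    for s1, s2 in product(r1, r2):
        label[(s1, s2)] = l1[s1] | l2[s2]
        trans[(s1, s2)] = {(e1, e2): (t1, t2) for e1, t1 in r1[s1].items()
                           for e2, t2 in r2[s2].items()}
    return label, trans, (i1, i2)

def tableau(ks, s, goals, path=frozenset()):
    """Tableau node c//s |= goals (the root or a successor chosen by unrs)."""
    node = (s, goals)
    if node in path:       # same s with the same Psi already on this path
        return None if any(f[0] == "AU" for f in goals) else {}
    return expand(ks, node, goals, path | {node})

def expand(ks, node, goals, path):
    """Apply the rules of Fig. 5 until only AX formulas remain, then unrs.
    Returns {node: allowed event pairs} for C, or None if the tableau fails."""
    (label, trans, _), s = ks, node[0]
    if not goals:                                   # rule emp
        return {}
    for f in sorted(goals, key=repr):               # fixed order: deterministic
        if f[0] == "AX":
            continue                                # left for unrs below
        rest = goals - {f}
        if f[0] in ("tt", "p", "not"):              # rule prop (tt always holds)
            holds = f[0] == "tt" or (f[1] in label[s]) == (f[0] == "p")
            return expand(ks, node, rest, path) if holds else None
        if f[0] == "and":                           # rule ^
            return expand(ks, node, rest | {f[1], f[2]}, path)
        if f[0] == "or":                            # rule v1, then v2
            left = expand(ks, node, rest | {f[1]}, path)
            return left if left is not None else expand(ks, node, rest | {f[2]}, path)
        if f[0] == "AU":   # unrau: A(phi U psi) = psi v (phi ^ AX A(phi U psi))
            return expand(ks, node, rest | {OR(f[2], AND(f[1], AX(f)))}, path)
        if f[0] == "AG":   # unrag: AG phi = phi ^ AX AG phi
            return expand(ks, node, rest | {AND(f[1], AX(f))}, path)
        return None                                 # ff
    # rule unrs: keep successors whose subtableau for Psi_AX succeeds; C disables the rest.
    psi_ax = frozenset(f[1] for f in goals)
    conv, allowed = {}, set()
    for sigma, succ in trans[s].items():
        sub = tableau(ks, succ, psi_ax, path)
        if sub is not None:
            allowed.add(sigma)
            for n, evs in sub.items():
                conv[n] = conv.get(n, set()) | evs
    if not allowed:        # ASSUMPTION: a converter that deadlocks is rejected
        return None
    conv[node] = allowed
    return conv

def synthesize(ks1, ks2, props):
    """Converter for Psi = props as {state of P1||P2: allowed event pairs}
    (absent states are unconstrained), or None if none exists (Theorem 5.1)."""
    ks = compose(ks1, ks2)
    conv = tableau(ks, ks[2], frozenset(props))
    if conv is None:
        return None
    out = {}
    for (s, _), evs in conv.items():
        out[s] = out.get(s, set()) | evs
    return out

NO_ERROR = AG(N("Error"))                                          # property (i)
NO_LOSS = AG(OR(N("D_Out"), OR(P("D_In"), AX(AU(N("D_Out"), P("D_In"))))))  # (ii)
LIVE = AG(AU(TT, P("D_In")))                    # one liveness condition of Sec. 6

if __name__ == "__main__":
    for props in ([NO_ERROR], [NO_LOSS], [NO_ERROR, NO_LOSS, LIVE]):
        print(synthesize(P1, P2, props))
```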
7 Results
A protocol conversion tool employing the tableau construction approach has been
implemented by extending the NuSMV model checker [6]. The implementation takes
as input the Kripke structure representation of two protocols P1 and P2 (obtained
from NuSMV models) and a set Ψ of ACTL properties from the user. It proceeds
by computing the parallel composition P1||P2 and then uses the tableau rules to
realize the converter, if it exists. The results table (Table 1) contains four columns.
The first two columns contain the description and size (number of states) of the
participating protocols. The ACTL properties used are shown in the third column
with the size of the converter shown in column 4. The first five problems are
well-known protocol conversion problems [16,13]. The next problem is a producer-consumer
example where the producer can produce multiple 8-bit data after each
handshake whereas the slave can only read one 8-bit data after each handshake.
The generated converter controls the communication between the two components
such that paths where data is lost are never reached. The final three results are
well-known NuSMV examples modified to create a mismatch. Note that the size entry
in the second column for the final two results refers to the combined size of the
system (size of P1||P2) for these examples.

Table 1. Implementation Results

| P1 (number of states) | P2 (number of states) | ACTL Properties | C (number of states) |
| --- | --- | --- | --- |
| Master (3) | Slave (3) | AG(¬Req_In U R_Out), AG[R_Out ⇒ (Req_In ∨ AXA(¬R_Out U Req_In))], A(¬G_Out U R_Out), A(¬Gnt_In U G_Out) | 6 |
| ABP sender (6) | NP receiver (4) | AGA(¬A_Out U ACC), AG[A_Out ⇒ (ACC ∨ AXA(¬A_Out U ACC))] | 8 |
| ABP receiver (8) | NP sender (3) | AGA(¬A_Out U ACC), AG[A+ ⇒ (ACC ∨ AXA(¬A_Out U ACC))] | 8 |
| Poll-End Receiver (2) | Ack-Nack Sender (3) | AG[Data_Out ⇒ (Data_In ∨ AXA(Data_In U Data_Out))] | 6 |
| Handshake (2) | Serial (2) | AGA(¬A U A′), AGA(¬B U B′), AG(A′ ⇒ AXA(¬A′ U A)) | 3 |
| Multi-write master protocol, 8-bit Write (3) | Single-read slave protocol, 8-bit Read (4) | AG(¬Error), A(¬D_Out U Req_In), A(¬Req_In U R_Out) | 8 |
| Mutex Process 1 (3) | Mutex Process 2 (3) | AG(¬critical1 ∨ ¬critical2) | 7 |
| MCP missionaries | MCP cannibals (30) | AGAF((MCP.missionaries = 0) ∧ (MCP.cannibals = 0)) | 22 |
| 4-bit ABP Sender | Modified Receiver (166432) | AGAF sender.state = get | 14312 |
8 Conclusions and Future Directions
Protocol conversion to resolve protocol mismatches is an active research area. A
number of solutions have been proposed. Some approaches require signiﬁcant user
input and guidance, while some only partly address the protocol conversion problem.
Most formal approaches work on protocols that have unidirectional communication
and use ﬁnite state machines to describe speciﬁcations. In this paper we propose a
formal approach to protocol conversion which alleviates the above problems. Speciﬁ-
cations are described in temporal logic and protocols are allowed to be bidirectional.
A tableau-based approach using the model checking framework is used to generate
converters in polynomial time. We prove that the approach is sound and complete
and provide implementation results.
The presented approach uses ACTL to describe desired speciﬁcations. The ex-
tension to the more expressive logic CTL requires minimal eﬀort but the presence
of existential formulas in CTL will increase the complexity to EXPTIME-complete
as protocol conversion under CTL is equivalent to module checking [12,1] problem.
Similarly, tableau rules for LTL will result in PSPACE complexity of protocol con-
version. Future work includes the uniﬁcation of various protocol conversion issues
under the presented framework. The technique can be extended to resolve data-
width mismatches [8], clock-mismatches [14] and interface-mismatches between pro-
tocols. Data-width mismatches occur when protocols have varying word-sizes. A
converter must therefore ensure that no data is lost during inter-protocol commu-
nication. Clock-mismatches occur when protocols operate using clocks that may
be running at diﬀerent frequencies. Interface mismatches occur when protocols use
inconsistent naming conventions for control signals, thus requiring the converter
to perform event translation [5]. Another issue is the handling of uncontrollable
actions [11,1]. Some transitions in P1||P2 may be uncontrollable and therefore can-
not be disabled. An extension to the presented tableau-based converter generation
approach to generate a converter, if possible, under these additional restrictions is
endeavored.
References
[1] M. Antoniotti. Synthesis and verification of discrete controllers for robotics and manufacturing devices with temporal logic and the Control-D system. PhD thesis, New York University, New York, 1995.
[2] Girish Bhat, Rance Cleaveland, and Orna Grumberg. Efficient on-the-fly model checking for CTL*. In Proceedings of the Tenth Annual Symposium on Logic in Computer Science, pages 388–397, June 1995.
[3] G. V. Bochmann. Deriving protocol converters for communication gateways. IEEE Transactions on Communications, 38(9):1298–1300, September 1990.
[4] F. M. Burg and N. D. Iorio. Networking of networks: Interworking according to OSI. IEEE Journal on Selected Areas in Communications, 7(7):1131–1142, September 1989.
[5] Kenneth L. Calvert and Simon S. Lam. Formal methods for protocol conversion. IEEE Journal on Selected Areas in Communication, 8(1):127–142, 1990.
[6] R. Cavada, Alessandro Cimatti, E. Olivetti, M. Pistore, and M. Roveri. NuSMV 2.1 User Manual, June 2003.
[7] E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 2000.
[8] Vijay D'Silva, S. Ramesh, and Arcot Sowmya. Synchronous protocol automata: A framework for modelling and verification of SoC communication architectures. In DATE, pages 390–395, 2004.
[9] Saurav Gorai, Saptarshi Biswas, Lovleen Bhatia, Praveen Tiwari, and Raj S. Mitra. Session 42: simulation assisted formal verification: Directed-simulation assisted formal verification of serial protocol and bridge. In Proceedings of the 43rd annual conference on Design automation DAC '06, pages 731–736, 2006.
[10] P. Green. Protocol conversion. IEEE Transactions on Communications, 34(3):257–268, March 1986.
[11] R. Kumar and S. S. Nelvagal. Protocol conversion using supervisory control techniques. In IEEE International Symposium on Computer-Aided Control System Design, pages 32–37, 1996.
[12] O. Kupferman, M. Y. Vardi, and P. Wolper. Module checking. Information and Computation, 164:322–344, 2001.
[13] S. Lam. Protocol conversion. IEEE Transactions on Software Engineering, 14(3):353–362, 1988.
[14] J. Lefebvre. Esterel v7 Reference Manual - Initial Standardization Proposal, 2005.
[15] K. Okumura. A formal protocol conversion method. In ACM SIGCOMM 86 Symposium, pages 30–37, 1986.
[16] R. Passerone, L. de Alfaro, T. A. Henzinger, and A. L. Sangiovanni-Vincentelli. Convertibility verification and converter synthesis: Two faces of the same coin. In International Conference on Computer Aided Design ICCAD, 2002.
[17] J. C. Shu and Ming T. Liu. A synchronization model for protocol conversion. Proceedings of the Eighth Annual Joint Conference of the IEEE Computer and Communications Societies. Technology: Emerging or Converging? INFOCOM '89, pages 276–284, 1989.