Application of a mechanical verification system to a high-speed transport protocol by Pederson, Carl M.
Calhoun: The NPS Institutional Archive
Theses and Dissertations Thesis Collection
1995-09
Application of a mechanical verification system to a
high-speed transport protocol
Pederson, Carl M.
Monterey, California. Naval Postgraduate School
http://hdl.handle.net/10945/7580
NAVAL POSTGRADUATE SCHOOL 
Monterey, California 
THESIS 
APPLICATION OF A 
MECHANICAL VERIFICA TJON SYSTEM 
TOA 
HIG H-SPEED TRANSPORT PROTOCOL 
by 
Car! M. Pederson, Jr. 
September 1995 
T hesis Advisor: Dennis Volpano 
Approved for public n!lease; distribution i .~ unlimited. 
-' ' I">I EY KNOX LIBRARY 
_ '.~ pa~TQRADUATE SCHOOL 
"r>lTE.REY CA 93943-5101 
REPORT DocmmNTATJON PAm: 
2. REPORT DATE J.AEPORTTYPE .o.NIlOATESCOVERED 
Sc tember 1995 Master's Thesis 
4. TITLE AND susnnE 
APPLICATION OF A MECHANICAL VERIFIC<I.,T10N SYSTEM 
TO A HIGH-SPEED TRA:\'SPORT PROTOCOl. 
6. AUTHORIS) 
Pederson, Carl. M .. .IT 
1. PERFORMING MGANlZATION NAMEIS) AND AOOAESS{ES) 
Naval Postgraduate School 
Monterey, CA 93943-5000 
11. SUPPUOMENTARYNOTES 
I . PERFORMING ORGANIZATION 
AEPORTNU"'BER 
1C,SPONSORING/MONITORING 
AGENCYREf'ORTN UM SER 
r he views expressed in this thesis are those of the author and do not refl ect the official policy or position 
of the Dcpilrtment of Defense ur tile Unill:d Slate~ GUH~mment. 
12., D1STRIBlJTIONI AVAIL .r. SILITYSTATEMENT 
Approved for puhlic release; distrihution is unlimited 
L'L 





Approved for public release; distribution is unlimited 
APPLICATION OF A 
MECHANICAL VERIFICATION SYSTEM 
TOA 
HIGH-:SPEED TRANSPORT PROTOCOL 
Carl M. Pederson. l r 
Commander, fhni ted States Navy 
B_A. , Whitman College. 1977 
Submitted in partial ful fi ll ment of the 
requirements for the degree of 
MASTER OF SCIENCIi: IN COMPUTER SCIENCE 
from the 
NA VAL POSTGRADUATE SCHOOL 
September 1995 
Ted Lewis, Chairman, 
Depanment of Computer Science 

ABSTRACT 
OUOLEY KNOX LJBRA.RY 
NA.VAL POSTGRAOUATE SCHOOL 
MONTEREY CA ~101 
The high-specd transport protocol, SNR, has never been completely analyzed. 
SNR's design incorporatcs a novel feature, specifically, periodic and frcquent ex.change 
of state information to coordinate the actions of the transmitter and receiver. This 
innovation ex.ploits the higher bandwidth of modem fiber-optic networks to increase data 
transmission rates 
Traditional methods used to verify SNR have been largely unsuccessful because 
of the protocol's inherit complex.ity. The protocol fu nctions as an asynchronous 
concurrent system and for that reason we apply a mechanic al verification tool called 
Murphi. The Murphi Verification System is used to verify two phases of SNR, the 
connection es\.ablishment phase and data transfer phase operating under Mode 0 (no 
error or flow control) and Mode 1 (flow control onlYl. The connection establishment 
phase functions as intcnded. Murphi detected apparent design flaws in both Mode 0 and 
Mode 1 of the data transfer phase. Buffer overflow can occur in Mode 1. An unexpected 
termination of the cOllilectiotJ by the receiver is possible in both modes. The feasibili ty of 
applying Murphi to vcrify communication protocols in general is also addressed. 





C THE RESEARCH QUESTION 
D. SCOPE, METiiODOLOGY, AND LLT\llT ATiONS 
E. RELATED WORK 
F.ORGANIZATIO:'-J 
II. COKCURRENCY CONCEPTS" . 
A. FUNDAMENTALS 
I. General 
2. States and Transilions 
III. VERIFICATION OF CONCURRENT SYSTEMS 
IV. THE MURPH! VERIFJCATION SYSTEM 
A OVERVIEW 
B. MURPH! DESCRlPTION LANGUAGE CONSTRUCTS 




C. SPECIAL PURPOSE VERIFIER 
I . State Generation and Property Cbecking 
1. Execution Report 
D. APPLICATION Of:-.1URPHI TO MlJIlJAL EXCLUSION 
V. TIfE SNR TRANSPORT PROTOCOL .. 
A. INTRODUCTION 













I. Periodic Slale Exchange._ .. 
VI, VERlFlCATION - CONNECTION ESTABLISHMENT PHASE OF SNR 
3,S\artslale. 
-'I . Invariants .. . 
F, REStn.TS ... 
VII. VERIFICA nON -- FLOW CON"ffiOL MODE OF SNR 
VIII. CONCLUSIONS AND RECOMMENDATION .. 
A Eci~~~~~~r:rLs 
APPENDIX A. DEADLOCKEXECUTJONTRACE . 
APPENDIXB , BUFFEROVERFLOWEXEClJnONlRACE ., . 
LIST OF REFERENCES. 






LIST OF FIGURES 
I State Transitions Leading to MlJEX Violation 
Block Diagram of SNR 
Machine TI State Diagram 
Machine 12 Slate Diagram 
Machine T3 State Diagram 
Machine R I State Diagram 
Machine R2 State Diagram 
Machine R3 State Diagram 
9 Machine T4·· Host interface 
10 Machine T2 -- Transmitter COlUlection Management 
II . Machine R2 -- Receiver Connection Management .. 
12. Machine T1 State Diagram , .. 
13 , Machine T2 State Diagram 
14. Machine R 1 Stale Diagram 











LIST OF TABLES 
I Desired Properties for Mutual Exclusion Algorithms 
2 Explanation of Rules for Mutual Exdusion Description 
Variables and Data Structures 
6 Transitions for :Machine Tl 
7 Transitions for Machine T2 
8 Transitions for Machine T3 
9. Transitions for Machine Rl 
10. Transitions for Machine R2 
II. Transitions for Machine R3 
12. Data Transfer Example . . 
13 . Connection Establishment Messages 
14. Connection Establishment Phase Variables. 
15. Connection Establishment Phase Procedures 
16, Machine T4 Connection Establishment PAT 
17 , Machine T2 -- Connection Establishment PAT 
18, Machine R2 Connection Establishment PAT 
19. Connection Establishment Phase Properties 
20. Events Leading to Unexpected Condition 
21 . Transitions for Machine 11 
22. Transitions fOf Machine T2 . . 
23 . Transitions for Machine Rl 























When building a program or system, proper operation of the entity is desired 
However, often it does not behave as expected. The improper behavior may be the result 
of a flawed conceptual design used as the basis fOf the implementation. Detecting and 
eliminating errors in the design and implementation of a program or system greatly 
enhances the likeUhood it will function correctly_ It is very difficult to assure a non-trivial 
program is free of logical errors Concurrent systems -- such as a conununicalion 
protocol-- tum oul to be some oflhe most complex programs 
Checking the correctness of a concurrent program is usually extremely challenging 
Manual analysis methods are often inadequate because orlhe inherent complex.ity_ Testing 
techniques, such as simulation, fall short because of the difficulty of exercising aU possible 
interactions in the context of nondeterministic execution. Computer aided verification 
techniques and tools have been developed to address the problem One such automatic 
tool is the Murphi Verification System developed by 0, Dill et al, [DDHY92] 
The Murphi Verification System allows the user to specifY properties for a finite 
state asynchronous concurrent system and then check whether they are violated by the 
system. The properties to be checked, the initial conditions, and allowable state 
transitions of the system being verified are wrinen in the Murphi Description Language 
The Murphi Compiler is then used to produce an executable program that will: I) 
generate all system states, 2) check the invariance of the designated properties in each of 
these states, and 3) report violations of correctness properties. Verifiable properties 
include the absence of deadlock, mutual exclusion, and others specified by the tool user 
which are considered important to the desired behavior ofthe concurrent system being 
examined 
This thesis verifies the design of a non-trivial concurrent system, specifically, the 
high speed transport protocol SNR [NRS90]. SNR may playa significant role in the 
context of very high-bandwidth communications made possible by optical fiber SNR' s 
design incorporates a novel feature, specifically, periodic and frequent exchange of state 
information to coordinate the actions of the transmitter and receiver, This innovation 
exploits the higher bandwidth of modern networks to increase data transmission rates. 
The essential properties of SNR have not been verified, or for that matter even 
adequately formalizeO. Attempts to verifY that the protocol is free oflogical errors have 
produced only limited results [McAr92], [Tipi93], The analysis ofSNR, described in 
these two documents, was conducted without first rigorously asserting specific properties 
being examined. A more structured approach, with verification as the primary goal, 
should to be taken. There is without question, a need to begin identifying key properties, 
formally describing them, and finally verifying that SNR has these properties 
B. OBJECTIVES 
Because of the complexity of communication protocols, formal verification of a 
protocol's design is typically not attempted. Instead testing techniques such as simulation 
are often used to determine if the protocol will operate as expected A relatively mature 
mechanical verification system has yet to be applied to SNR 
The primary objectives of this thesis are 
• identify and develop formal specifications of key properties ofSNR, and 
• verify these properties using the Murphi Verification System 
A secondary objective is to explore the feasibility of applying a mechanical 
verification tool, such as Murpru, to communication protocols 
C. THE RESEARCH QUESTION 
This thesis will attempt to answer the following specific questions 
• What particular properties must SNR exhibit to ensure proper behavior when 
used as the transport layer for a high speed communication network'! 
Is SNR's behavior consistent with these desired properties? 
• What properties of the protocol can be checked with Murphi? 
Are there properties that can not be checked? If so, what limitations in the tool 
prevent their verification? 
State-space explosion is likely to be encountered. Can state-space reduction 
methods be employed to overcome the problem, if it occurs? 
What advantages and disadvantages are inherent to the application of automatic 
verifiers to protocols? 
D. SCOPE, METHODOLOGY, AND I.IMITATIONS 
This thesis examines the high speed transport protocol, S"!\!"R as presented in 
[NRS90]. No attempt is made to improve upon or redesign the protocol. The focus is 
verifYing SNR's design, not discussing the strengths or weakness of a specific protocol 
Since success in the application of Murphi to SNR is uncertain, the verification is 
conducted in stages. The least complex aspe<.'ts of S"N""R are examined first. This approach 
facilitates the early identification of potential "show stoppers" and allows work done in the 
initial steps to serve as a foundation for the later and more complicated stages. 
Inconsistencies in the original specification of SNR and state space explosion 
prevented exhaustive verification of SNR. Verification is limited to the connection 
establishment phase of SNR., and two of the three operating modes of SNR 's data transfer 
phase (Mode 0 -- no error or flow control and Mode I -- flow control only). SNR's data 
transfer phase operating in Mode 2 (both flow control and error enabled) is not verified 
The verification effort of SNR would be greatly enhanced by either I) the 
existence of a single source accurate specification for SNR, or 2) coupling verification 
with a redesign effort so that problems discovered during verification could he address as 
part of the design process 
E. RELATED WORK 
Previous work on SNR, fMcAr92] and [Tipi9J], provides comprehensive 
specifications of SNR and alternative interpretations of some of its design objectives 
Although these documents are not the primary reference for the thesis, they aided 
significantly the translation ofSNR into Murphi's Descriptive Language. The etl'ort in 
[McAr92], focused mainly on obtaining an accurate specification for SNR and on analysis 
of its functional efficiency_ Further refinements to the specification and an attempt to 
examine the behavior ofSNR more deeply was made in [Tipi93] and [LuTi94] 
A software implementation of the SNR's transmitter portion and receiver portion 
is presented in [Mez95] and [Wan95] respectively Test results of this implementation are 
given in [Gri95] 
F. ORGANIZATION 
Concurrent systems and their basic properties are discussed in Chapter II First 
concepts fundamental to concurrent systems are introduce and then examples are used to 
illustrate a few of the central ideas. 
In Chapter III, concurrent system verification methods are discussed Mechanical 
verification and manual proof methods are demonstrated_ A brief introduction to the 
concept of state space explosion and state space reduction techniques is also provided 
Finally, verification concerns specific to protocols are addressed 
Chapter IV covers the Murphi Verification System_ Its key features are explained 
The SNR protocol is described in Chapter V_ An overview of the protocol is 
given followed by a detailed treatment of its organization_ The operation ofSNR' s data 
transfer phase is also explained 
The verification of SNR's connection establishment phase and its data transfer 
phase (operating in Mode 0 and Mode 1) is presented in Chapter VI and Chapter VII, 
respectively_ Each chapter covers the key properties of the phase being examined and the 
Murphi description used for its verification. Implementation problems encountered and 
inconsistencies uncovered in SNR's specification are also discussed 
Conclusions and recommendations are provided in Chapler VIII 
II. CONCURRENCY CONCEPTS 
A. FUNDAMENTALS 
Many practical situations involve concurrent systems and related concepts For 
example, the preparation of a meal often al lows performing tasks in parallel - two or 
more dishes can be cooking at the same time. Typically, communication protocols 
execute as a concurrent system. Another example, familiar to all computer users, is a 
computer's operating system. While concurrent systems are frequently encountered, 
formal !eons and analysis methods relevant to concurrency are often unfamiliar. This 
chapter introduces basic concepts of concurrent systems. These concepts are then 
revisited in the next chapter in the context of verification 
1. General 
In [Ben93], a concurrent program is defined as follows, "A concurrent program 
consists of a set of program fragments caHed processes that can potentially be executed in 
parallel. " This definition suggests characterizing a conCUffent sY!J"tem as consisting of 
individual entities that operate in parallel These distinct modules could be programs, 
machines, or any other types of agents that perfonn a process. A concurrent system may 
use some method of synchronization or communication to coordinate the actions of the 
separately running units Typically, global variables shared by the individual units are used 
for the exchange of inlimnation. Message passing is another method employed to 
facilitate cooperation among the separate entities. When explicit synchronization is not 
part of the system and the separate processes can run at arbitrary speeds, the concurrent 
system is referred to as an asynchronou.s concuffent system 
It should be clear that a concurrent program is a type of concurrent system 
Although only concurrent programs are used in the examples in this chapter, the ideas 
discussed helow apply to all types of current systems, even a concllrrent system whose 
implementation may include hardware in addition to software 
2. States and Transitions 
The set of allowable states (or reachable states) consist of those states which can 
be reached via an execution path. The initial system state is refereed to as the start slale 
There also may be states that can only be entered if an error occurs in the system. The 
global system state (or glohal stare) is defined by the values of variables comprising the 
concurrent system, both global variables and variables local to the separate units, System 
variables may by explicit or concealed. A program counter, local to a process, is an 
example of a hidden variable, The size of the global state~space is determined by the 
domain of each variable. A global state can be represented by a n-tuple, with each 
component representing one of the system variables. Ifa system consists ofn variables, 
and each variable can take on a value from domain OJ, then Dl x O2 X .. . X On defines the 
total size of the system state space. The number of states available to the system can be 
very large. It is typical, in real world systems, for the number of reachable state to be so 
large as to preclude exhaustive system analysis, When this situation occurs it is referred to 
as "state space explosionft 
When and how the values of system variables can change, characterize the 
transitions allowed in a concurrent system, Each process ofa concurrent system can 
perform atomic actiulls. These actions define the system transitions. Once started an 
atomic action is executed indivisibly until complete. Individual instructions that may 
comprise the action are assumed to execute instantly. The granularity of the atomic 
actions depends on the level of abstraction used for a particular representation, The level 
of abstraction, in tum, determines the kind of analysis that can be performed 
An important aspect of any concurrent system is the illterieaving of its atomic 
actions. Under many conditions the execution ordering, among the atomic actions of the 
various modules comprising the concurrent system, is nondeterministic. This greatly 
increases the complexity encountered when considering concurrent systems 
The history of a concurrent program's transitions can either be described using a 
sequence of states or working from the start state and applying the sequence of atomic 
actions executed , Either history can be used 10 generate the other The sequence of 
atomic actions can be reconstructed from a listing of states hy noting the change in the 
program counter from one state to the next. From a sequence of transitions the sequence 
of states is obtained by simulating the actions. Each history corresponds to one possible 
interleaving for the system, The set of all histories characterizes completely the behavior 
of the concurrent system_ Correct hehavior of the system depends on whether the set of 
all possible interleavings exhibits certain properties 
3. PropertiH 
Various properties can be attrihuted to a concurrent system Properties commonly 
belong in one of two categorizes, safety or !iveness, A liveness property asserts progress 
will be made by a program A safety property says that, if a program makes progress it 
does so without error, Some general properties are deadlock. faime.~s (.~/arvaiion), and 
/ivefock For concurrent systems, deadlock has occurred when no other states can be 
reached other than the current state, Livelock is similar to deadlock, but with some 
number of transitions occurring (i.e., altering the global state) before the current state is 
repeated and where no overall progress takes place. Fairness (or absence of starvation) is 
the condition that if a module is ready to perform an action it will be given the opportunity 
to carry out that action (no appropriate action is indefinitely delayed) 
B. EXAMPLES 
To illustrate concepts and properties discussed above, four programs that attempt 
to implement the familiar notion of mutual exclusion, are analyzed. These examples are 
based on material from [Ben90] and [BeR93}_ The programs introduced below will again 
be used in Chapter IV to demonstrate some of the features and behavior ofMurphi 
Program Descriplion 
The programs used in the examples consist of two processes, each executing a 
loop containing a sequence of instructions The two processes are referred to as P I and 
P2. The statements are presented using an Ada-style syntax. Each process contains a 
non-critical section, a critical section, some means to signal the other process when it is in 
its critical section (global variables CI and C2), and a method to control critical section 
entry. A process may stay in its non-critical section indefinitely. When ready, a process 
requests entry to its critical section and waits until admitted, Once in its critical section 
the process will eventually exit. The general pattern is shown below 
subtype TEST_ V.<\.R_ TYPE is imeger range 0" 1 ~ 





non _ critical_section~ 





L2,2 entry request section~ 
L2.3 criti~ sectio--;;; 
post_ critical_ section ~ 
end loop; 
Important locations in each process are labeled For purposes ofthe thesis, these 
labels function as program counters. The first label in P I is Ll.1 . It indicates P 1 will next 
execute the statement(s) between Ll.1 and Ll.2. (In a single processor system, this will 
be the neld: time it is PI's tum to run,) Similarly the first statement in P2 is L2.1, second 
L2.2, etc 
The system consists of four variables, two global variables - Cl and C2, and two 
local variables -- the program labels for PI and P2. Specifying their values defines a 
global state of the system. An example ofa global state: PI at Li. J (or in a short hand 
notion, Ll.1), C I = I, P2 at Ll.1, and C2 00. 1. Written as a 4-tuple, (LLl, I, L2.I, I) 
The domain ofC] and C2 is {O,l}. The domain oflocations, for PI is {l.I.i, Ll.2, LJ.3. 
Ll.4}. likewise for P2. The size of the global space state is 
IClI x IC~ xIPIJ..oco'iofJ.}j x Ip2_Locolioll~ = 2 x2x4x4 = 64 
A process's action may cause the value ofa variable (or variables) to change. For 
example, (LI ,1,1, L2,3, I) ---+ (1,1 .2, I , L2,3 , I) is a state transition where the program 
counter for PI went from Ll. 1 to [. 1.], ~ote changing the program counter for a process 
is considered an atomic action even when multiple processor instructions are involved 
The entryJequest_section and post_critical_section are instantiated with specific 
instructions for each example presented below in Sections 3, 4, 5, and 6, The sequence of 
statements from one example to the next change only slightly but the mutual exclusion 
algorithm's behavior is usually significantly altered. 
2. Program Properties 
The desired properties for the example programs attempting to provide mutual 
exclusion are 
Category Prooerty 
Safety I Mutual Exclusion - the two processes can not be in their critical regions 
at the same time 
Liveness 2, Fairness - ifa process seeks to enter its critical region, eventually it will 
be allowed, (Or stated differently -- all execution interleavings aUow a 
process to eventually enter its critical section if the process seeks entry) 
3, Absence of Deadlock -- no execution interleaving exists that results in 
both processes attempting to enter their critical region, but neither can 
succeed 
4. Absence of Live lock -- no execution interleaving exists, which could 
continue indefinitely, that does not allow either process to enter its critical 
section 
Table I, Desired Properties for Mutual Exclusion Algorithms 
The first three programs used in the examples violate one or more of the above 
properties, In contrast to the other examples, Peterson's Algorithm satisfactorily achieves 
mutual exclusion and the safety property without violating the liveness properties 
3. Eumple I - Mutual E][('lusioD Violation 
The program listed below operates as follows , When P I desires to enter its critical 
section, it tests C2 to determine ifit can safely enter, IfC2 = 0, PI waits in the inner loop 
until P2 has departed its critical section and sets C2 10 I. When C2 = I, P I sets C 1 to 0 
and enters its critical section After P 1 exits its critical section it sets C I to O. Process P2 
is analogous to PI 
subtype TEST_ V AR_ TYPE is integer range 0 .. 1; 
CI, C2: TEST _ V AR := I; -- global, set to 0 inside critical section, set to 1 after exiting 
task body PI is 
begin 
loop 
Ll.l Non Critical Section 1; 
Ll2 loop- exit wh~n C2 =0 -I; end loop; 
CI := 0; 
Critical_Section_ I ; 
/,/.5 Cl:= I; 
end loop; 
end PI; 




loop exit when C 1 = I; end loop; 
L23 C2:= 0; 
Critical_Section_2; 
L2.5 C2:== I; 
end loop; 
end P2; 
This program violates mutual exclusion (MUEX). The following interleaving 
results in PI and P2 in their critical sections simultaneous: Ll. l, 12.1, LJ.2, L2.2, Ll.3, 
L2.3, Ll..f, L2.4. From the starting condition, (LLl, I, L2.1 , I), alternate execution of 
statements in each process can set up an unsafe situation. The system can find itself with 
P I waiting at LJ.3, after testing C2 and exiting the inner loop but prior to setting CI to 0, 
when P2, with its program coumer atL2.2, gets its turn to run. P2 test CI, finds it 
equals I, and exits its inner loop. P2's program counter changes to L2.3 At this point, 
executing statements from each process alternately results in the violation Figure I 
illustrates the transitions leading to the violation ofMUEX 
Figure 1. State Transitions Leading to MUEX Violation, I 
4. Example 2 - Deadlock 
Unlike the first example this program satisfies mutual exclusion When P I seeks 
critical section entry, it sets C I to 0 and then tests C2 to determine ifcan enter. IfC2 = 0, 
P I waits in a loop unt il P2 has set C2 to 1. When C2 = I, P I enters its critical section 
After P I leaves its critical section C 1 is set to O. Process P2 works the same as PI 
'Stale lat><.ls hav~ the following f<>IIIllOt: PI ', program locauun, Cl's value, Pl', program localion , C2' s value. Ouly 
th(}!IC states imm ediately availahle from the pt.""iou.< stale are shown. The pat/, leading to 1M viol ation ofMUEX i. 
indicated by arrow. 
sublyptl TEST _ V AR _TYPE is integer range 0 .. 1; 
C I, C2 TEST _V AR := I; -- global, set to 0 when process wishes to enter critical 
sectIon, 
-- set to 1 after exiting 




LU CI :=" 0; 
Ll.3 loop exit when C2 '" 1; end loop; 
1.J4 Critical_Section_.I; 
LJ.5 C I := I ; 
end loop; 
end PI; 




[2.2 C2:= 0; 
[2.3 loop exit when C1 = 1; end loop; 
L2.4 Critical_Section 2; 
/2 5 C2:= I; 
end loop; 
end P2; 
Although the program accomplishes MUEX, it exhibits deadlock The following 
interleaving results in a situation with PI and P2 unable to make further progress: L1. 1, 
L2.1, U.2, L2.2. Ll.3, L2.3. At LI.2PI signals its intention to enter its critical section 
and then stops at L1.3, while P2 executes. P2 does the same thinS. PI sets CI and P2 
sets C2 just before the other process checks if entry is allowed. Both P I and P2 become 
"stuck" in their inner loops unable to exit . The global state remains at (Ll .3,0, L2.3,0) 
since the action of the inner loop does not change the value of any system variables 
Deadlock occurs in this program when atomic actions from each process execute 
alternately. Interleavings that do not alternately set C1 and C2 to 0 do not violation this 
liveness property 
5. Example 3 - Starvation and Linlock 
The program listed below works as fo1Iows . When PI desires to enter its critical 
section, it sets CI to ° and then tests C2 to determine if it can safely enter. !fC2 --" 0, P1 
gives ups its attempt to enter its critical region by setting C1 to I . P I then resets CI to 0, 
and tries once again to enter its critical region, When C2 = I, PI exits the inner loop and 
enters ils critical section. After P I completes its critical section it sets ( I to O. Process 
P2 works just like PI. Because oflhe concurrent nature of this program, the two 
statements inside the inner loop, where C I is assigned one value and then anolhl:r value, 
are important to the behavior of the algorithm, Each assignment is atomic and the 
resulting state transition may l'Ilable an action in the other parallel process 
subtype TEST_ V AR_TYPE is integer range 0" 1; 
(1, C2. TEST _V AR := I; -- g lobal, set to 0 when process wishes to enter critical 
section, 
-- set to I after exiting 




LI.2 CI:= 0; 
Ll.3 loop exit when C2 = I ; 
LJ.4 (1 := I ; 
Ll.5 Cl:= 0; 
end loop; 
Ll. (; Critical_Section _I ; 
LJ 7 (1:= 1; 
end loop; 
end PI ; 
task body P2 is 
begin 
loop 
Non _ Critical_Section _2 ; 
L2.2 C2 := 0; 
Ll.3 loop exit Whl"IlCI = 1; 
L2.4 C2 :;= I; 
L2.5 C2 ::= 0, 
cnd loop; 
U,6 Critica1_Sectionj; 
L2.7 C2:= I ; 
end loop; 
end P2; 
Starvation and livelock are both possible in this prognun, Explained first is the 
circumstances leading to starvation, then livclock is eovered 
Starvation occurs under the following situation: PI al LI.2 and P2 at L2.2; P2 
transitions 10 [2.3 and checks C I , Since C I = 0, P2 cannot exit the inner loop and enter 
ils critical region so P2 transitions to L2 . .J setting C2 an to I (Note since arbitrary 
interleaving is possible, P2 eould have stayed at U.3 and PI transition to LI.3); PI 
transitions to LJ.3, checks C2 and advances 10 U. 6, entering its critical section; P I can 
now exit its critical section, set C I to I, execute its non-critical section, set C I to 0 and 
end up back at L I . 2. This particular sequence can continue without P2 gening an 
opportunity to enter its critical section. Likewise, starvation of PI can occur. 
The following interleaving illustrates a situation where P I and P2 continue to 
execute a sequence indefmitely (livelock) ' 
LI.2, U.2, L1.3, L2.3. LJA, U.4, /./.5, L2.5, 
L1.3, U .3, L/A, /.2.4, U .5. U .5, 
L1.3, U.3, LJA, U.4. U.5, U.5 
In this particular interleaving, neither PI nor P2 enters its critical section This occurs 
because the setting and resetting of the global variables C 1 and C2 is not coordinated with 
the test of the loop exit condition. Any deviation in the sequence will break the Jivelock 
and allow progress 
6. E:umple 4 - Peterson's Algorithm 
Peterson's Algorithm, as implemented below, is similar to the program given in 
Section n.B.4 (example 2 above), except the addition of the global variable LAST 
prevents violation of desired program properties. LAST indicates which process, PI or 
P2, most recently executed its critical section. If both processes request entry to their 
critical section at the same time, LAST is used to break the tie. The process that has 
waited the longest is allowed to enter. The global variables C I and C2 are used, as 
before, to indicate a process' s desire to enter its critical section. 
subtype TEST _ VAR_TYPE is integer range 0 .. 1; 
subtype LAST _TYPE is integer range 1 . .2; 
C I, C2: TEST _ V AR:= I ; -- global, set to 0 when process wishes to enter its critical 
-- section, 1 after exiting 
LAST: LAST_TYPE .. I; -- global, indicates most recent process to execute its critical 
-- section, used to break ties 
task body P I is 
begin 
loop 
Non Critical Section I; 
Ll.2 Cl:= 0; - -
Ll.3 LAST:= I; 
L/. 4 loop 
exit when C2 = 1 or LAST /= I ; 
end loop; 
Ll.5 Critical_Section_l ; 
LI.6 C1 := I; 
end loop; 
end PI ; 
task body P2 is 
begin 
loop 
/,] I Non Critical Section 2; 
LV C2:;;;'-0; - _. 
L2.3 LAST _= 2; 
U.4 loop 
exit when Cl '" I or LAST /= 2; 
end loop; 
L2.6 Critical_Section_2; 
L2.7 C2 := 1; 
end loop; 
end P2, 
The safety property, mutual exclusion, and the liveness properties are satisfied by 
Peterson' s Algorithm, To gain some insight into its behavior let's compare the programs 
from example 2 and 3 with Peterson's Algorithm, In example 2, deadlock occurred when 
atomic actions from each process were executed alternately Both PI and P2 became 
"stuck" in their inner loops when each process signaled their intentions to enter its critical 
section just before the other process checked if entry was allowed. With a similar 
alternating execution interleaving, deadlock is avoided in Peterson's Algorithm because 
both PI and P2 set the variable LAST. Suppose PI is at Ll.4 and P2 is at Ll.4 and P2 
had just assigned LAST the value 2, Assume now PI starts to execute again, and the loop 
condition at LI. 4 is checked, Since LAST = 2, P I can exit its inner loop and enter its 
critical section Starvation and livduck as demonstrated in example 3 is avoided in 
Peterson's Algorithm. The assignment made to LAST in each process prohibit that 
process from starving the other process, Analogously, since an execution sequence can 
not be immediately repeated, livelock is also prevented 
C. COMMUNICATION PROTOCOLS 
Cormnunication protocols are often implemented as communicating concurrent 
programs. Thus, like all concurrent systems protocols can be ascribed properties. Correct 
infonnation transfer is the desired primary property of any protocol. The iiveness 
properties covered above also apply and safety properties specific to a particular protocol 
can be formulated . Some examples include 
• Safety -- The number of messages acknowledged by the receiver is the same as 
the number sent by the transmitter 
Safety -- If any data is delivered to the destination it is the same as the data 
given to the protocol by the source 
Liveness -- Ifthe transmitter's host has a message to send it is eventually 
delivered to the receiver's host 
Another interesting concept applicable to protocols (and other concurrent systems) 
is self stabilization as discussed in [GoMu91] A concurrent system is usually designed so 
that only safe states are reachable from the stan states of the system and program 
execution from any safe state results in another safe state, Under normal execution, 
transitions to unsafe states are not allowed. A system is self stabilizing if a system in an 
unsafe state can reach a safe state after completing a finite number of actions. The system 
could have ended up in an unsafe state as a result of any number of causes. A 
communication protocol could find itself in an unsafe state by such actions as, improper 
initialization, the corruption of a packet's sequence number, the transmitter or receiver 
'crashes' and then recovered, etc 
III. VERIFICATION OF CONCURRENT SYSTEMS 
A. METHODS 
Verification, in the framework of software engineering, entails checking if the 
program meets its specification. Tn the oontext oflhis paper, verification involves 
characterizing the concurrent system in some language, deductive system or modeling 
scheme and then showing that the behavior of this description satisfies the correctness 
criteria given in the specification. One method of specifYing the correctness criteria for a 
system is to list required program properties. The task then is to show these properties 
remain true in all reachable states. This chapter introduces fonnal methods for verifying 
concurrent systems 
Various approaches for modeling and verifying concurrent systems have been 
employed Finite-state modeling methods, such as communicating finite state machines 
(CFSMs), Petri nets, and Kripke structures have been used to represent concurrent 
systems. The model chosen usually depends on the type of analysis being perfonned and 
the behavior exhibited by the system. Concurrent system verification includes such 
activities as 
• proof construction using axioms and inference rules of a logic, or 
• analyzing the set of possible system states 
Each approach has particular advantages and disadvantages depending on the concurrent 
system being examined 
1. Formal Proofs iu Logical Systems 
Fonnal proofs are the most familiar approach used for concurrent system 
verification. Mathematical proof.<; are constructed, showing the truth of system properties 
expressed as propositions_ Various types of logical systems have been used, including 
temporal logic. A proof constructed manually may require considerablc ingenuity to 
manageably organize the proof The process can be quite tedious, and, due to limitations 
on human's abilities to deal with complex system, is prone to errors. Mechanical theorem 
provers have not provided as much help as hoped in constructing mathematical proofs for 
concurrent systems, The task of proving the correctness of programs described in even 
some of the more simple deductive logical systems is inherently difficulty_ To illustrate the 
manual proof procedure, a formal proof for the mutual exclusion algorithm of example 2 
(from Section II.B.4) is given below 
a. Formal Proof Example 
This section illustrates the formal proof verification approach It uses the 
mutual exclusion algorithm presented in Section a,BA. This algorithm satisfies the 
mutual exclusion property but can deadlock. To prove mutual exclusion it must be shown 
that this property is satisfied in all allowed states, A proof of mutual exclusion is given 
below using propositional logic 
The program is reproduced in this section for easy reference 
subtype TEST _V AR _TYPE is integer range 0., I; 
CI, C2: TEST_YAR := 1 
task body PI is 
begin 
loop 
Li.J Non_Critical_Section_l ; 
Ll.2 CI:=- 0; 
Li.3 loop exit when C2 = I; end loop; 
Ll.4 Critical_Section_l; 
CI := I ; 
end loop; 
end PI; 
task body P2 is 
begin 
loop 
L2, J Non _ Critical_ Section_ 2; 
C2 :==0; 
Ll,3 loop exit when Cl = I; end loop, 
Critical_Section _ 2; 
C2 := I; 
end loop; 
end P2; 
The mutual exclusion property is false if P I is at Ll. 4 and P2 is at L2.4 al 
the same time, Expressed as a logic formula,..., (at(Ll.4) v al(L2.4», This formula must 
be shown to be invariant through all transitions. The proof is based on induction on the 
execution sequence and was originally pre~ented in [Ben901 It is reproduced here using 
notation consistent with that used in this thesis 
First two lemmas are required for the proof 
Lemma I . C[ '" ° == at(Ll.3) v at(Ll.4) v at(Ll.5) is invariant 
This states, when P I is at LJ.3 or Ll.4 or U.S the variable Cl i~O and when Cl is 0, PI 
is at LI.3 or Ll.4 ur /.1.5 
frnclQ(l&!!!!D.ll 
Basis Step: C1 is initialized to 1 and the first statement label in PI is LI. I Thus both 
sides of the equivalence are false, so the formula of u:mma I is true prior to executing any 
of the statements in the program 
Inductive Step: Assume the formula is true before any statement is executed. We need to 
show that the formula is true after each statement is executed. Nl possible transition of 
P I and P2 \.vill be examined 
1 LI.i toLl. 2 : The truth of the formula is not affected by this transition lfthe 
formula was true before making the transition, it is true after the transit ion 
2 LI.2 to LI.3: CI is assigned 0, making the left side of the formula true. The 
proeess advances to Ll.3, making the right side true since PI is now at Li.3 
Li.3 tu Ll.3: For this transition to take place, the test ofC2 = 1 must be false . 
The loop is not exited. The truth of the formula is not affected by this 
transi tion since no assignment to CI occurred and PI remained at Ll.3 
4 Li.3 to Ll.4: The test ofC2 = 1 must be t rue for this transition, however 
there is no affect on the formula 
5 Ll.4 to Ll.5 Again no affect on the formula 
6 Li.5 to Ll.i: CI is assigned 1 and the program location for PI changes to 
Ll. i . The left side of the formula is now false . Also the right side becomes 
false since P I is not at Li.3, Li.4 or Li.5 The equivalence remains true 
7 Transitions in 1'2: The formula is not affected since assignmcnt to C I does nm 
occur in P2, and the execution location in P I is not changed by P2 
Hence the formula of Lemma 1 is invariant since it is initially true and remains true 
through all transitions. : 
umma 2. C2 = 0 "" III(L2.3) v at(L2A) v al(U.5) is invariant 
fL~e.Il1l1ill....b 
A symmetric proof of the invariance of the formula of Lemma 2 foltows from the proof 
above lor Lemma I 
Theorem 1 The formula..., (at(LlA) A at(U.4» is invariant 
proof ofTheorem I 
lnitiaUy P I and P2 are at L1. 1 and U .l , respectively. Each proposition is false, so the 
conjunction is false, and the negation makes the formula true. Thus the formula is initially 
The only transitions that can affect the truth of the formula are L2. 3 to U.4 in P2 while 
at(Ll.4) or advancing from Ll.3 to LlA in PI while at(LlA). By Lemma I, al(l,IA) 
implies C I = 0, so the transition L2.3 to 12.4 can not occur since C 1 """ 1 must be true for 
P2 to exit the loop and make the transition. By Lennna 2 at(L2. 4) implies C2 = 0, so the 
transition Ll.3 to UA is impossible for PI 
The formula is not falsified by any ofthe program's possible transitions, thus the formula is 
always true . : 
(The proof can be simplified by using a proof hy contradiction as follows 
Suppose (al(Ll.4) 1\ al(U.4» is true. Then C2 = I or C l = 1 which contradicts Lemmas 
1 and 2. Therefore..., (at(L!.4) A al(U.4» must always be true.) 
It is interesting to note that a different proof of this algorithm is given in 
[Ben82]. Its approach is to show that the proposition, (PI in its critical sution), implies 
the proposition, (P2 is nol in its critical sution). Similarly, multiple formulations of 
correctness proofs for the alternating bit protocol can also be found in the research 
literature on concurrent system verification They are usually constructed to demonstrate 
some particular proof technique or system 
2. Stale Enumeration and Analysis 
Verification based on state enumeration usually proceeds by describing the 
concurrent system in a particular modeL Transition relations and properties orthe 
concurrent system are described at the level of detail appropriate for the desired analysis 
The description can be in such ronns as finite·state machines. programming·language like 
notion, a Petri net, or a finite Kripke structure, The system states are then generated 
based on this description. Each generated state is examined to determine if it is consistent 
with the specification, The specification includes properties required 10 be true in all 
reachable states, !fan undesirable state can be reached then the concurrent system's 
design has been shown to contain an error 
rne main advantage of using state enumeration and analysis for verification is it 
can he automated, Tne Murpni Verification System and the SMV model checker 
[McMi92] are examples of automatic verification tools, Verifying a concurrent system 
with Murpni involves describing its benavior in the descriptive language recognized by 
Murpru, generating a C++ program from the Murphi description, and then running the 
program to check the invariance of desired properties in aU reachable slates, See Chapter 
IV for a detailed discussion or the Murphi Verification System. Section IV.D. presents 
the Murphi descriptions for the same mutual exclusion algorithm used in the manual proof 
example 
The process of describing the actions and properties of a concurrent system for a 
mecnanical verification system has its disadvantages. The difficulty is assuring the 
description will generated alJ al lowable states. Will some interleaving be omitted because 
of an error in the description? Also producing correct descriptions of desired properties 
can be more problematic than it appears. It is not always easy to translate a simple 
property expressed in natural language into the formal language used by the verifier 
Another significant disadvantage is the problem of state· space explosion, An 
exponential growth in the size of possible system states occurs as the complexity of the 
system increases. Verification may not always be feasible, because of time and space 
constraints, without employing space state reduction techniques The next section 
discusses methods to lessen the state space explosion problem 
B. STATE SPACE REDUCTION TECHNIQUES 
The size ofa concurrent system's state space may grow very rapidly as the domain 
or number of system variables increases Employing state-space reduction techniques, 
such as eliminating redundant interleaving, folding related states, and down-scaling the 
concurrent system under analysis, can help. The basic idea is to develop an approximation 
ofthe concurrent system. The approximation is achieved by exploiting characteristics 
such as symmetry or equivalence classes inherit in the structure of the concurrent system 
The trick is to eliminate states without loss of analysis precision by ignoring some level of 
detail (increasing the level of abstraction). Significant space state reduction has been 
achieved by the application of these methods. A reduction of over 90% is reported in 
[IpD93] when state reduction based on symmetry was applied to the verification ofa 
cache coherence protocol. In [CGL92] verification ofa pipelined ALU circuit design 
containing more than 10 1300 states was reported 
1. Eliminating Redundant Interteavings 
An example of state space reduction based on symmetry is available from the 
mutual exclusion algorithms used in Chapter II. Each program contained two processes 
PI and P2. These two processes are symmetric in their actions. Enumerating all possible 
interleaving generates one state with PI in its critical section and P2 waiting to enter and 
another state with P2 is in its critical section while PI waits. From an analysis perspective 
these two states are equivalent in the sense that one process is in its critical section and the 
other is waiting to enter. Which particular case is examined in the verification process is 
not important, the same results are obtained from either choice This is an example of 
eliminating redundant interleavings discussed in [ChHa94] and exploiting symmetry 
covered in [IplJi93] . 
2. Folding Related States 
Abstraction is another method for reducing the state space by considering the 
domains of the concurrent system's variables, It may be possible to partition a variable's 
domain. Instead of using the full range ofa variable it may be only necessary to examine 
situations where the variable is greater or less than some particular value. 'Folding related 
states' is also referred to as abstract interpretation. see [ChHa92], [ChHa94], and 
[CGL92] 
A variation of the mUTual exclusion problem can be used to illustrate state folding 
Consider a mutual exclusion implementation for N processes that uses a queue to store the 
process id of all processes waiting to enter its critical section. Let a variable queue_count 
represent the number of queued processes. To individual processes, the specific process 
id ' s contained in the queue and their ordering is generally not significant. What is 
important is whether the process requesting entry is allowed to enter its critical section 
(i.e, queue_count is zero). The full domain of the variable queue_count does not need 10 
be modeled. As an approximation, queue_count could be replaced by a boolean variable 
that would indicate yes or no when a process requests entry into its critical section 
This granularity of abstraction may not be suitable for all analyses. For example. if 
a particular process execution sequence is required to ensure the correct operation of the 
overall system (say process P3 must complete its critical section prior 10 PIO entering its 
critical section) then an abstraction level that prevents checking the queue's ordering of 
process ids is unacceptable. An essential detail of the system has been lost 
3. Down·scaling 
"One of the most important ways to make verification of large systems possible is 
down·scaling·- pretending that they are smaU systems ," Dill argues [DDHY92]. The idea 
of down-scaling is to conduct the verification using a subset of the concurrent system 
When a system is scaleable, analysis precision is not lost. Results obtained from work 
with a subset should reflect problems that exist in the full-scale system 
The concept of down-scaling can be extended further When a system consists of 
discrete phases, each phase can be analyzed separately. For this approach to succeed each 
phase IIlllSt have a distinct stan and end. This idea was used successfully in the 
verification of SNR conducted for this thesis 
C. COMMUNICATION PROTOCOLS 
The parallel actions occurring in protocols makes reasoning about their design 
difficult. Adding to the inherit complexity of the interactions among the protocol' s 
components are the affects of the transmission media. Data and control errors can be 
introduced by the channel. Also, there can be a significant time delay from when 
information is sent until it is received . Specific problems that can be introduced by a 
network include 
• Data packets delivered out of order 
Variable round trip delay 
• An intermittent or broken connection 
• Data corruption 
When a verification technique is applied to a protocol, both its concurrent nature and the 
characteristics of the communication channel should be considered 
The verification process can be simplified if the communication channel is assumed 
to be perfect (i,e. reliable, packets are always delivered in order, constant delay time, 
congestion free, data is never corrupted by the channel, etc.), This is a fairly reasonable 
assumption in the context offiber optic networks. Invoking this restriction can facilitate 
the initial verification ofa protocol design However, even under the most ideal 
conditions network problems can occur. After an initial attempt, verification should be 
applied to more complex characteristics of a specific target network. It should be kept in 
mind that if all relevant details are included, complete verification of a protocol may not be 
feasible . 
IV. THE MIJRPH! VERIFICATION SYSTEM 
A. OVERVIEW 
The Murphi Verification System is a tool designed to facilitate the verification of 
finite-state asynchronous concurrent systems. Murplti consist of a description language 
and compiler. The Murphi Description Language furnishes a fairly rich set of features for 
characterizing the behavior and properties of concurrent systems_ Two important 
constructs of the descriptive language are rulr and invariant. Invariants are used to 
express system properties. Rules portray a portion oftbe system's overall behavior 
Carrying out the action of a rule usually changes one or more system variables, resulting in 
a transition to another state. The Murphi compiler is used to create an executable 
program that automatically tests invariants and error conditions while generating all 
reachable system states 
Four steps are required to use Murphi. First, the concurrent system's speciftcation 
is translated into the descriptive language recognized by Murphi. Next, the Murphi 
description is transfonned into C+-+ code using the Murphi compiler. The C++ code 
produced contains code to generate all allowed state transitions, (i.e. , the behavior of the 
concurrent system) and, code to check for error conditions and the violation of invariants 
contained in the source description (i.e. , the properties of the concurrent system). The 
e++ code is then complied with a standard e++ language compiler, creating an executable 
program The executable program is referred to as the " special purpose verifier" 
Running the program results in either a verification of the concurrent system or a 
simulation of the system's execution 
In the next sc(..1ion, a summary of the Murphi Description Language is h>iven The 
following section describes the basic operation of the special purpose verifier. In the last 
section Murphi is applied to the already familiar, mutual exclusion example from Section 
II.BA. The Murphi description and the output produced for the example are explained in 
detail. This demonstration of the tool in the context ofa familiar and relatively simple 
program should provide the necessary background to understand the application of 
Murphi to SNR Additional information about Murphi can be found in [DDHY92] and 
tMeDi93f 
B. MURPHl DESCRIPTION LANGUAGE CONSTRUCTS 
The Murphi description of a typical concurrent system's specification has four 
parts: a declaration part; a rules' section; a startstate portion; and a col1ection of invariants 
For the most part, the syntax and semantics of the expressions, statements, and 
declarations used in the description language are similar to those of general purpose 
programming languages, such as Pascal, C, and Ada. Their employment is usually 
straightforward, and no explanation is required. However, since rules, invariaats, 
startstate, and rulesets are not found in general purpose languages, they will be explained 
in detail 
I. Dec:laration Part 
The declaration part contains definitions for constants, data·types, variables, 
procedures and functions used in a description. Constants and types are declared first 
They are then used in the declarations of global and local variables. Types that can be 
defined by tne user include: simple types •• enumerations and finite integer subranges; and 
compound types •• arrays and records. Boolean is the only predefined type available 
A potentially powerful feature found in Murphi is a data·type called Scalarset 
When the concurrent system being investigated exhibit's synunetry with respect to one or 
more variables, these variables can be declared type scalarset. The use of a scalarset 
variable allows Murphi to automatically reduce the system's state.space 
'11lcuserIIlllllWlJ nlld cxccutable soft"'are"", available ,-ia fip from Stanford University 
2. Rules 
Rules come after the declarations in a Murphi description They are used to 
describe the conditions under which transitions are allowed to lake place and the action to 






The expression is a guard and must evaluate to a Boolean value. The kinds of 
operators available are quite extensive and include such things as logical implication, and 
universal and existential quantification. If the expression is true, then the rule's body is 
executed The sequence of statements between the keywords begin and end comprise the 
body of the rule. A rule's entire body is executed indivisibly. Example of statements 
available in Murphi are: Switch statementsJor and while loop statements; procedure and 
function calls; assertions; and output statements 
Rules can be grouped in a set by the Ruleset construct. It has the form: 
Ruleset identifier: range of identifier Do 
set oj rules 
Endruleset; 
The variable identifier is local, and only effects those rules within the set oj rule As the 
verifier executes, identifier takes on each value in its range. A ruleset essentially 
duplicates the behavior of the individual rules contained in the set vj rules for each value 
in range oj identifier 
3. Startstate 
Variable initialization is accomplished using a special rule called Startstate. All 
variables must be given initial values by the startstate rule The startstate is only executed 
once, at the beginning of the verification process 
form 
4. Invariant 
Invariants are used to specify properties of the concurrent system They have the 
Invll.riant "name" 
express/OIl 
The expression must evaluate to type Boolean. Its value will be checked in each state 
generated during execution of the verifier 
Similar to Invariant is a construct called LivenessJ With Liveness a property 
can be written using a subset of Linear Time Temporal Logic (LTL). The temporal 
operators, EVENTUALLY, AL WAYS, and UNTIL, are supported 
C. SPECIAL PURPOSE VERIFIER 
l. State <rtneration and Property Checking 
The executable program generated from the Murphi description, called the special 
purpose verifier, (or just verifier) can run in two modes -- verification or simulation. The 
first rule executed in either mode is the Startstate rule The body of Startstate initializes 
all system variable and defines the first global state available to the verifier. Based on the 
values of the system variables, the verifier iderrtifies all rules with guards that evaluate to 
true. The body of each enabled rule is executed. The state generated is checked for 
various error conditions (i.e., run-time errors, deadlock, vlolation of user-defined asserts 
staternerrts, error statements, and invariants). Ifno error is detected, then these newly 
generated states are inserted into a queue. After all enabled rules have fired, a state is 
extracted from the queue to become the new system state. Execution of the verifier then 
continues from this state. The process ofdetennining all state transition rules satisfied, 
generating the new states, checking for errors in those states, inserting the states into the 
queue, and extracting a state from the queue, is repeated In the verification mode, the 
'LivellCAAi.,upportedinMurphi V=iun271. 
28 
user can select either a depth-first or a breadth·first state generation path, During 
execution, Murphi chooses among the enabled rules arbitrari ly to generate the next stale 
If an eITor condition occurs, the verifier halts and reports the cause, otherwise its 
termination depends on the run mode In the verification mode the verifier runs until all 
states have been generated, In the simulation mode it continues to execute until 
terminated by the user 
2. Execution Report 
When ran in the verification mode, the verifier displays, every 1000 events, the 
number of states explored and the amount of time expendt:d. When execution is complete, 
the errors encountered and the tota] size of the state space explored are reported. I,n the 
simulation mode the verifier nonnally displays the total number of rules fired every 1000 
event. Murphi has various options available for controlling its output. The level of detail 
in the ext."Cution report can be increased, decreased or changed to meet the user's need 
Examples of these options include: "make simulation or verification verbose"; "print out 
rule infonnation" ; and "write a violation trace" 
D. APPLICATION OF MURPHI TO MUTUAL EXCLUSION 
l. The Murphi Descripiion 
The verificat ion process begins by translating a concurrent program to a Murph.i 
Description. For this example, the mutual exclusion algorithm discussed in Section II,B.4 
has been translated into the descriptive language recognized by Murphi. The description is 
presented on the next two pages. Note the correspondence between the concurrent 
program (shown in the box) an its description 




test_var_type: 0. 1; 
PI label t: Enum{LI I. -- non critical section 
CU , :' assignCI ---:" O 
LI_J, - ]oopwhileotherproce5.~incritical 
section 
LI 4, -- critical section 
LI) - assign C I := I J: 
P21abel t:Enum{L2 I, -- noncritical section 
C2_2. :.. assign CI---:" 0 
L2_3, - loop while othcr prooess in crilical section 
L2 4, - criticalscction 
Ll- S - assignCl:= IJ; 
Var -
Pl : PUabcU; 
P2: P2 label t 
g: ::=:=~~~ 
-Rules 
Rule "PI non-critical section" 
PI - LI I ~> 
Begin -
PI :- LI 2; 
End; -
Rule ' PI assign CI O' 
PI " LI 2 - > 
Begin -
CI :- 0; 
PI := Ll 3; 
End; -
Rule 'PI wait" 
PI " Ll_J = > 
Begin 
if (C2 " 1) Thcn 
PI := LI_4; 
End; --If 
End; 
Portion of Program 
subtype TEST _ VAR_ TYPE is inleger range 
0 .. 1; 
C1 , C2: TEST_ YAR;= I; 
iask body PI is 
begin 
loop 
L1.1 Non Critical Section I; 
Ll.2 CI ~= 0; - -
L1. 3 loop exil when C2 '" I; end loop; 
Ll.4 Critical_Section_ l ; 
L1.5 CI := I ; 
end loop; 
end PI: 
Rule "PI critical section " 
PI ~ LI 4 '""""> 
Begin -
PI := LI_S: 
End; 
Rule "PI assign C I ' 
PI = Li 5 => 
Begin -
C1 :'" 1; 
PI := LI I; 
End; -
Rule"P2 DOn-critical sectioo" 




Rulc"P2 3ssign CI 0" 
Pl - L2_2 ==> 
Begm 
C2 ~ 0; 
End, 
RUlc"Plwait" 
1'2 = 1.2_3 => 
Begin 
rf(C I "" I) Then 
Pl :or L2_4; 
End: -If 
End; 
Rule" 1'2 critical SCC1ion " 
P2=L1_4 => 
Begm 
P2 = L2_5; 
End 
a. Declarations 
Rule"Pl assign C2 I" 
P2 ~ L2_5 = > 
Dcgin 
C2 :- 1; 




PI :a Ll J; 
C1:= 1; -
P2 :=L2_I; 
C2 :"' 1; 
End; 
- safdyproperty 
Invariant "Mulual Exclusion Violated" 
I (PI =Ll3& P2 = ] .2_4) 
Three data-types are declared The statement 'test_ vaT_type: 0, I~ ' 
specifies an integer subrange with domain to, I). The next declaration is an enumeration-
type, called 'Pl _labelJ with domain {Ll_I , Ll_2, Ll_3, LI_ 4, LI _5). 'P2JabeU' is 
also an enumeration-type with domain {L2_1, L2_2. L2_3, Ll 4, LZ_5 L 
Next to appear is the declaration of variables Four variables are declared 
The first variable, 'PI " represents the "program counter" of process PI and can take on 
values of type 'Pl_labeU' Similarly, the second variable repr~sents the "program 
counter" of process Pl. Th~ two variables CI and C2 are of type ' test_var _type' and can 
be assigned a value ofO or I . They serve a binary semaphores 
b. RJlles 
The first rule in the description, named "PI non-critical section", is enabled 
ifits guard' PI = Ll _ l ' is true. The a,,1ion of its body is to assigns P I the valu~ L 1_2 
Behavior of the other rules is similar to the first rule The table below explains the 
purpose of each rule 
Nrune 
PI non·critical section 
PI assign C ° 
PI wait 
PI critical section 
PI assign C I 
P2 . 
When at Ll . l advance PI 's program counter to U.2 
When at U .2, assignCI the value 0, advance PI's program I 
counter to L1.2 
When at U .3, check the value ofC2, ifC2 I then advance 
PI's program counter to U .4, ifC2 = ° then the program 
counter remains at Ll.3 
When at L /A advance P l'~am counter to L1.5 
When at U.5, assignCI the value I, change PI '5 program 
counter to Ll.l 
Analogous to the first five, exce t for process P2 
Table 2 Explanation of Rules for Mutual Exclusion Description. 
The rules used in this example are very simple. Rules can be much more 
involved For example, a rule 's guard can consist of a complicated expression. Also, 
declarations of local variables, constants and types can be inserted between the rule's 
condition and body. 
c. Startstale 
In this example four variables must be initialized The initial value of these 
variables are as expected for the MUEX program. PI and P2 start at Ll.2 and L2. }, 
respectively Cl and C2 are both assigned a value of I 
d. Invariants 
This example has only one invariant . The invariant's name is 'Mutual 
Exclusion Violated' . The expression is read as : .«(Pl = LI _ 4) 1\ (P2 = L2 _ 4». It is 
false (ie., the invariant is violated) if a state is generated where both PI and P2 are in their 
critical sections. After each new state is generated, the invariant is checked If false, 
execution of the verifier terminates and a report is displayed. 
2. Murpbi's Output 
Below is the report generated by the ~pecial pur;>ose verifier produced from the 
Murphi descri;>tion presented in ;>aragraph IV.D. I, Only the first few states and Ihe final 
states of the report are shown. See Appendix A for a complete listing of this report 
Verboscoptionselectt:d 
The foJiowmg is the d<:uiled progress 









The following nex! sUles are obtained 






Firing rule PI non-.critical section 
Obtaincdsta\e 








The following next states arc obtained 















C2 : I 
The following next slales arc obtained 
... skipping to the last few 
transitions of the trace report . 
Unpacking Slate from queue: 
Pl:L1_3 




C2 : 0 
The following next states are obtained: 
Firing rule P2 wait 
Obtained state ' 
PILl_J 




Deadlocked stale found 
State Space Explored 
17 states. 26 rules fired inO.40s 
Rules Information 
Fired I times • Rule"P2 assign C2 I" 
Fired 2 times . Rule" critical section" 
Fired J times _ Rule"n wait" 
Fired 3 times . Rule"P2 assign Cl O' 
P2:L2 3 
CI: 0-
C2 : 0 
Fired 4 times • Rule "2P non-critical section' 
Fired 0 times _ Rule "P assign C I" 
Fired I times _ Rule' critical section" 
Fired 3 times - Rule 'PI wait" 
Fired 4 times _ Rule "PI assign C1 0" 
Fired 5 times - Rule 'PI non-critkal section' 
The first state of the execution path -- (LI .I , 1, L2.I, 1) -- is that defined by the 
startstate. In this state, two rules are enabled: 'PI non-critical section' and ' P2 non-
critical section' . The body of each of these rules engender separate transitions and 
produce distinct states as shown below 
Name ofmle enabled PI non-critical section P2 non-critical section 
~ (L1.2, I, L2.1, I) (Ll.l, I , L2.2, I) 
Since no error or violation of the invariant occurred, both of these states are 
placed on a queue. The state produced from rule 'P2 non-critical section' is extracted 
first In this state, the guards of two rules, 'P2 assign CI 0' and ' PI non-critical section'. 
are true. The states produced by these rules are checked for errors and placed in the 
queue. The queue now contains three states {(Ll.2, I, L2.1, I), (Ll.I, I, L2.3, 0). (L1.2. 
I, L2.2, I)}. (Note, even though the execution of a rule is repeated - 'PI non-critical 
section'·- a different state is obtained since in this interleaving, rule 'P2 assign C1 0' has 
already fired.) The verifier is using a breadth first search strateb'Y, so state (Ll .2, I, L2.1, 
I) is chosen, and the verification continues. After ten more states are reached. the state 
(LL3, 0, L2.3, 0) is the next state removed from the queue. Two rules arc enabled in this 
state, 'P2 wait ' and 'PI wait' Execution of the body of either rule produces the state 
(L1.3, 0, L2.3, 0). However this state is the same as the previous state -- deadlock Since 
an error condition has been detected, the verification process stops and a report is 
displayed. The report shows all states examined, rules fired. and the error detected The 
sequence of states leading to the deadlocked condition can be dctennincd and analyzed 
A report tracing the path to an error can be helpful for identifying flaws in the 
design ofa concurrent system Basl-d on insight gained from an analysis of the verifier's 
output. it may be possible to modify the concurrent system and prevent occurrence of the 
execution interleaving that results in the undesirable state 

v. THE SNR TRANSPORT PROTOCOL 
A. INTRODUCTION 
At the top level, the transport protocol SNR is a set of rules controlling the 
exchange of data between a transmitter and receiver connected by a ne~·ork. The 
transmitter and receiver run in parallel. They cooperate to transfer data from a sending 
host (interfaced with the transmittt:r), and the receiving host (linked to the receiver), The 
transmitter and receiver use packets to exchange data and control information 
The data transfer process consists of four basic steps_ The transmitter is given data 
by its host to send. The transmitter encapsulates the data into packets and inserts them 
into the network for transmission. After the propagation delay intrinsic to the channel, the 
data packets arrive at the receiver and are extracted from the network. The receiver 
processes the packets and then delivers the data to its host This process would be 
relatively straight forward if not for finite receiver resources and problems4 introduced by 
the network . The constraints of the receiver are: 1) an upper bound on the rate at which 
it can process data packets, and 2) a limit of the size of its buffer. (A buffer is required to 
temporarily hold and reorder packets prior to delivety to the receiver's host) 
The a(.1:ions of the transmitter and receiver must be coordinated to reliably transfer 
data over a network Infonnation is passed between these two entities to achieve the 
C<lordination required to carry out the five functions provided by SNR. These functions 
• Connection Management •• establishing the conn~tion, detection of an 
unintended connection termination, and connection tennination after completing 
the data transfer 
• Flow Control .- reslficting the number of packets in transit from the transmitter 
to prevent buffer overflow in the receiver 
4 Problero.thalcant..intHxlw;"dbyanemurkinclude.datacorruplioll. outofordt:r,lat1p"ck~(". Jo"tdatap"cket". 
\"art"ble fOlUldtrip deJay, brol<cn conn<:ction, nc 
• Error Control -- detecting and recovering from lost packets or corrupted data 
SNR employs a modified selective repeat error recovery method 
Ordered Delivery -- delivering data packets to the receiver's host in the 
sequence sent by the transmitter 
MultiplexinglDemuitiplexing -- establishing and communicating on more than 
one connection at a time, (MultiplexinglDemultiplexing will not be covered in 
this thesis.) 
The description ofSNR's organization and operation will be introduced in steps 
First a block diagram of SNR is presented. Second, a brief overview of the protocol's 
operation is given, This is followed by a description and explanation of connection 
parameters, packet formats, variables, and data structures used in SNR, Next, state 
transition diagrams of the machines internal to the transmitter and receiver are presented 
Finally, a detailed example ofa portion ofa typical data transfer session is given to 
iUustrate the actions of these machines 
The following concepts are useful to keep in mind when reading the following 
sectIOns 
The transmitter attempts to send as many data packets as possible without 
overflowing the receiver's buffer, When the transmitter believes the receiver's 
buffer is fun, the transmitter must halt transmission of data packets and wait 
until a receiver control packet arrives acknowledging blocks previously sent. 
The transmitter must retain a copy of data already sent (in case retransmission is 
required) until that data has been acknowledged by the receiver 
The state of the receiver, as known by the transmitter, is never current. Any 
state information sent by the receiver takes a finite amount of time before it gets 
to the transmitter 
B. DESIGN FEATURES 
Most transport protocols in use today fail to deliver the performance expected 
with networks utilizing advanced components such as fiber optics. Existing protocols, for 
the most part, were conceived and implemented prior to the development of technologies 
used in modem networks, To overcome the deficiencies present in older, less reliable, and 
slower networks, current protocols employ complex control procedures and thus suffer 
from high processing overhead. The large processing demands placed on a system 
running an inefficient protocol, reduces its ability to transfer data to and from the ner..vork 
This creates a mismatch between the communication channel 's capacity for sustained high 
transmission rates and the system's slower throughput. The transport protocol SNR has 
been proposed to address this problem. It is specifically designed to take advantage of the 
extended bandwidth, high speed switching, and lower error rate of modern networks 
The design goal of SNR is to increase its overall performance while still coping 
with problems that can be encountered even in modem ner..vorks, Two primary 
innovations in SJ\'R 's design aim to achieve this goal . They are 
• frequent and periodic exchange of complete state information between the 
transmitter and receiver, and 
• flow and error control based on packets grouped in blocks vice individual 
packets 
The concepts of periodic statf' f'IchB.oge and blocking are intended to simplify the 
protocol's overall design, diminish its processing demands, and pennit an implementation 
based on parallel processing . Parallel processing coupled with lower processing overhead 
should significantly increase the throughput of the system running the protocol. The 
expected result is a faster transport protocol even in the presence of transmission errors 
l. Periodic Slate [schange 
SNR exchanges complete state information of the transmitter and receiver 
frequently and periodically apart from the occurrence of significant events, Most other 
protocols pass the status of the transmitter or receiver only after detecting an error such as 
a lost data packet. The error detection procedures typically involve explicit round-trip 
delay timers, large data structures and complex packet acknowledgment schemes 
Decoupling state exchange from specific events and frequently passing complete state 
information, reduces the protocol's processing requirements for two reasons 
First, the loss of a control packet (a packet containing state information not data) 
has no significant impact in SNR. A new one, with the same or more current information, 
will be along shortly. Other protocols must have some means, usually complicated, for 
dealing with lost state packets since the information in each of these is accumulative. :Vith 
most protocols the information in the most recent control packet augments a history of 
state information In SNR, the information of individual control packets is complete and 
can be processed independently of previously transmitted control packets 
Second, frequent and periodic transmission of control packets can be used to 
implement implicit timers. SNR uses simple counters to achieve the functionality of clock 
based timers. The control packets are transmitted at a frequency linked to the reception 
rate of data packets. Each time a control packet is received, a counter is incremented 
Thus the interval between control packets and the rate at which a counter is altered 
roughly corresponds to the current round trip delay of the network. With this approach, 
SNR can automatically adjust to varying network conditions. SNR uses these "implicit 
timers" for its retransmission and broken connection timers. The elimination of explicit, 
clock-based, round-trip delay timers, and their associated problems~ potentially provides 
the greatest gain from using periodic state exchange See [ZhaS6 J for a detailed 
discussion of timer problems in network protocols 
It may appear that passing state information in a fashion as in SNR might reduce 
the throughput of the system. After all, this approach places extra packets into the 
communication channel. However, it must be kept in mind that the transmission rate of 
the channel is not limiting. Since a high speed network is normally running below 
capacity, a protocol design that speeds up the transmitter and receiver, even though 
additional packets are generated, should increase the achievable overall data transfer rate 
'n.., problem ... -;thexplicit timer is: towhal valU(;should it re.C1'1 Too small, and = ssaryrelrllIDIIli,"ioos 
OC<:Ul. Too large and the protocol responds 100 slo",I),10 a lostpac~et. Any stahctirMr setting 'Irnt~'Vi'iU be 
unable 10 respond to changing netviork: conditi,,"s. PropolOCd ""hemes 10 d)nanllcalh' modify the yah", so far 11/".., 
fail cd loprovidco.nadequalesoluhon 
2. Blocks or Packets 
fo take advantage ofa fiber optic network' s low error rate, SNR implements a 
block-based flow control and error control scheme. Rather then acknowledging and 
retransmitting individual data packets, groups of packets are managed. This approach has 
two effects on the data transfer process. First, the size of tables and the complexity oflhe 
procedures used by the protocol to track the slatus of data packets are reduced. Second, 
the number of packets sent during a session may increase because blocks (all packets in 
the block not just the single lost or damaged packet) are retransmitted when data is lost or 
corrupted . The first has a positive impact on the protocol's performance while the second 
tends to reduce its throughput. Tn networks with low error rates, the retransmission of a 
full block should nol occur very often and therefore unnecessary packets arc sent very 
infrequently The processing speedup is expected 10 outweigh the higher packet count, 
resulting in better overall efficiency compared to a non packet-blocking protocol 
J. Operating Modes 
SNR's design allows the level of service provided by the protocol to be controlled 
Three operating modes are available in SNR. In Mode 0, SNR runs with flow and error 
control omitted. In Mode I , flow control is provided but not error control. Both error 
and flow control function in Mode 2 
The reliability of the nrlwork and the type of data being transferred influences 
mode selection. Mode 0 is used when a fast data t ransfer rate without concern for errors 
is the principal objective .. Mode 1 is best suited for real time applications. The preferred 
choice for transferring large files over a network likely to introduce errors is Mode 2 
According to {NRS901 the efficiency of SNR is optimized when large packets are used in 
Mode 2, and small sized packets ",ith Modes 0 and I 
C. THE SNR ARCHITECTURE 
The formal specification for SNR, provided in [NRS90], is based on a finite-state 
machine model The protocol is specified by seven machines, three machines for the 
transmitter (T! , T2, TJ) and four for the receiver (RI, R2, RJ, R4), The machines 
internal to the transmitter and the receiver are intended 10 run in parallel without explicit 
synchronization, The machines cooperate to pass data from the transmitter to the 
receiver. Their actions are coordinated by means of shared variables and message passing 
A block diagram of SNR is displayed in Figure 2 and a table summarizing the purpose of 
each macrune is presented in Table 3, The arrows in the diagram represent infonnation 
flow across the network accomplished by passing messages 
D. OVERVIEW OF SNR'S OPERATION 
Below is a sequence of actions perfonned during a data transfer session under 
SNR, Most of the details have been omitted. See the last section oftrus chapter for an 
example with actions at the state transition level of the internal machines 
I The transmitter's host signals T2 that it has a message to send 
2 T2 and R2 negotiate the parameters for the session and establish the 
connection 
3 Tl transmits blocks of new data packets until the preset limit on the capacity of 
the receiver's buffer is reached or retransmission of a block is required. 
4 R I processes the incoming data packets and updates the receiver's tables used 
for tracking the reception status of packets and blocks, These two tables 
indicate the need for data retransmission 
5 At the appropriate interval, R3 sends receiver state infonnation to T2. This 
information is used to update the status of the receiver's buffer (as known by 
the transmitter) and acknowledge blocks of data 
6 T3 periodically sends transmitter state infonnation to R2. There are a set 
number of blocks transmitted between each control packet 
7 R I reorders the data packets as appropriate 
8 The processed packets are passed to the host by R4 
9 Control packets continue to be exchanged and blocks of data packets sent until 
the entire me~sagt: has been acknowledged by the receiver 
; Network Receiver 
Figure 2 Block Diagram of SNR 
Machi ne Purpose 
T1 Transmits/retransmits data packets 
T2 Manages the connection and flow control for the transmitter 
T3 Sends the t ransmitter ' s state infonnation to the receiver 
R 1 Processes incoming data packets. 
R2 Manages the connection and flow control for the receiver 
R3 Sends the receiver' s state information to the transmitter 
R4 Passes processed data packets to the host 
Table 3. Purpose of Each Machine in SNR 
10. T I will retransmit a block of data packets if the receiver fails to acknowledge a 
packet from that panicular block prior to its retransmission counter expiring 
II. TI temporally halts transmission of data packets if its information indicates the 
receiver's buffer will be full when all of the data packets it has sent arrive at the 
receiver, TI resumes sending data packets when state information from the 
receiver indicates buffer space is once again available 
12. T3 will terminate the connection if it has not received a receiver control packet 
within the required time limit 
~. COMMUNICATION PARAMETERS AND STRUCTURES 
1. Connection Parameters 
Parameters panicular to each cOIUlection are determined during the connection 
establislunent phase, They include: number of bits per packet; number of packets per 
block; buffer size; round trip delay (R TD); and bandwidth. Their values are then used for 
calculating other connection parameters and initial values for protocol variables 
Discussed below are important connection parameters calculated by ST\"R 
a. L - Largest Allow~tl Number of Outstanding Blocks 
The value of I, is chosen be slightly larger than 
For example, assuming 
( R1V x banciwith] 
bits per block 
RID "'- 20 msec bandwidth = I Gbit/sec 
1000 bits per data packet g packets per block, 
lor the connection gives the result 
[ (20xIO-Jsec)x(lxIO~hitspersec) ]=25OOhlOCks (1000 hits per packet) x (8 packets per block) 
Rased on these values, L must be greater than 2500 blocks 
T;" ~. Periodic Time Interval 
Control packets are transmitter at interval 
Tm = rna:! [RID ,lPT] 
ko, 
The constant kvll is typically a power of 2 such as 32, and lPT is the average time between 
the transmission of two data packets, The value of T'n changes when the connection 
becomes inactive If a data racket has not been sent within the period 'I',.., the value of l:~ 
is increased by a factor of 2. While the connection remains inactive, T;n continues to 
increase by a factor 0[2, However, it never exceeds the maximum oflhe either R: or 
IPT, where m is another constant such as 8, The value of T,. immediately changes back to 
( Rm -J -max kou ,IPf when data packet transnussion resumes 
For example, using RID '" 20 mscc, kou == 32 and lPT = 0,05 msec gives, 
[ 20X lO-J sec 1 1 T,n=mAI --,-z-, Q,OSX10- sec =Q.625mscc 
If the connection is inactive T," increase to 1.25 msec, then to 2.5 msec 
2. Packets 
The formats of the packets Ilsed by SN"R for transferring data and excbanging state 
infolTIlation over the network are shown below. Following the packet fonnats are 
descriptions oftbe fields comprising the packets (Table 4) 
Data Packct I I.CI I T~pe~2 I Seq~ I 
T ransmittcrControlPackcl I leI I T}1Ie=l I Seq# I" I uw, I No.ofblocls'l""ued I ErrOJChe.:;k 
Receiver Control Packel I LeI I Type--O I Seq' I" I J.w, I lluff"l"_"v.ilable I LOll I Error Chec k I 
FIELD NA.\,fE PURPOSE 
LCI Logical Connection Identifier, indicates with which connection the packet 
is associated, OnIv significant when multiple connections are estahlished 
rile et's o,rence number 
Data Contains the data being transferred. The nwnber of bits used for thls field 
is ne otiated durin COnDe;:tion establishment 
Rcceiver control et-O, Transmitter l'Ontrolket -1, Data ckct - 2 
The inten'al between sending two ~uentiaJ state control packets in units 
ofT,. 
UW, Scqucn(.'(l number of the highest block transmittod but that may not have 
(Upper Window been ackno\\'1edged. (UW, is analogous ,) 
Transmitter 
LW, Every block I' .. itha sequence number lcss than thls nwnbcr has been 
(Lower Window acknowledged. (LW, is analogous,) 
Rcceh'er 
No. ofblock.~ ueued The number ofblock.s that have not vet been transmitted 
Buffer avai lable The 5 remainin in the Teeeh-er's buffer (in blocks) 
LOB Table of Outstanding Blocks - A bit map maintained by the receiver 
indicatin the outstandin blocks in its "indow 
Error Check Error detection code 
Table 4. Fields ofSNR's Packets 
3. Shared Variables 
Presented below are the primary variables of the transmitter and receiver used in 
the implementation discussed in [NRS90]. These variables are local to either the 







Sent by T2 and R2 to indicate the connection has been estahli~hcd 
In the transmitter it indicates whether a data packet has been sent recently 
In the recei,'er it indicates whether a datepaci..et has arrived recenLlv 
Periodic event occurring at interval T •• 
Counter employed to implement a timer used to detect a broken coonection or a 
tailed tran~mitterorrcceiver 
Counter used to implement a timer that marks the interval between sending 
controlpacke1.5 
The interval. in units of T;. between sending two sequential state control 
I paclClI; 
A table used m the transmitter to maintain the acknowledgment status of 
traru;mitted bl~s. Jt has three fields for each element, [~#, oount, ad 
bufJer _available The amount of space available in the receiver's buffer, as knOWll by the 
transmitter. This variable is updated with the information in the 
buffer available field contained in receiver controlPackct 
NOll 'The number ofblQl;ks senl by the transmitter but not yet acknov.1edgcd by the 
receiver . . 1;'O[Jmust 31wa 'S be less than L 
AREq,j A table used by the receiver to maintain the Siatw;of recei"ed bloc.ks 
AREC i is set 10 I when all packelS in blQl;i< 'i ' rccej\'cd errorfrce 
RECElVE[ I A table u.\Cd to maintain the status of recei\'ed packets RECElVEUI is set to 
1 when packets " rccci\'cd error frce 
Table S. Variables and Data Structures 
Additional details of the variables required for the operation of the connection 
establishment phase and flow control will be provided, as appropriate, in Chapter VI and 
Chapter VII respectively 
F. TilE SNR MACHINES 
A state transition diagram of each machine used in Sl'.'R is given below along with 
an explanation of its transition. These diagrams mimic the FSM's given in [NRS90 J 
They are provided as a means of illustrating the concurrent action of the various entities 




Figure 3 Machine Tl State Diagram 
EXPLANATION 
O;x;urs after start si received from 1'2 
Occurs if Mode 2 (flow control and error control) is being used 
~u:::~=j:: ~tO~eo;r:::u=t:~1~:~i~e~~ ;! ~':e ~~e~~~~s I 
buffcr fora blockofdau Daekets 
Occurs if the retransmission coonter for an outstanding block reaches zero 
Occurs if there are no outstanding blocks to retransmit, and the receiver's buffer 
has space for another block even after all blocks in transit have arrived 
Occurs after an outstanding block has been rclrnnsmitted and the variablehllsy 
has becn sct to true 
Occurs after the transmitter Iuvi: sent a new block; updated the table of 
outstanding blocks ([UP); and signals 1'3 that a block of data has been,;ent (busy 
settolrue) 
Table 6 Transitions tor Machine Tl 
8"~'~"~ oom.«<LCI:. 
I 




Figure 4 Machine T2 State Diagram 
TRANSITION EXPLANA nON 
0--> I Occurs after a connection r uest is received . T2 from th~ transmitter ' s host 
Occurs after scoum, VW, LW,. and L UP arc initialized 
Occurs after the connection is established with the receiver 
Occur!; after start si is sent 10 1'1 and 1'3 
fu1ltS if a conlto\ eket is received from the receiver 
Occu~ after Updating the receiver ' s stale information mamtained at the transmincr 
and the disconnect counter scounl) has been reset 
6-->4 OccursifModcOorModclarcbcinguscd 
Occurs if\'lodc 2 is bcin uscd 
Occurs after u . lin the block retransmission table LUP, 
Table 7. Transitions fo r Machine T2 
I 
TRANSITION 
Figure 5 Machine T3 State Diagram 
EXPLANATION 
Occurs after rcccivin stan ~I and variables k and count 3re initialized 
Occurs if Mode 2 is being used and the periodic event, c1ock __ hck, is detected 
Additionallv, the shared variable scauni is incremented 
Ot;curs if the lransmitter has sent data since the last occurrence of clock_lick 
AdI;liuonall ,the shared variable counl is incremented 




Occurs ir count ~ k, indicatin the transmitter's curren! state is required to be sent 
Occurs if count <: k 
Cb;un; aller the transmitter's state has been sent and count reset to zero 
Occurs if the transmitter has not recentlY ~n! data (busy - false)_ Additionally, k is 
increased to lengthen the interval ~tw~n control packet transmissions 
Occurs if the transmitter has sent data recentl (bu~y- true) 
CXcurs if scount <: Limil (the disconnect "timer" has not expired) and after busy set 
to false 
Occurs if scounl Limit (a receivcr control pilcket has not been received in the 
expected interval aodscounl reached the ~ned value 
Table 8, Transitions for Machine T3 
J 
rRAt'lSITIONS 
Figure 6 Machine Rl State Diagram 
EXPLAN A TlON 
Occursafierstart signal receil'cd from R2 
Occurs if a data 'ket is received from the transmitter 
Occurs if operating in Mode 0_ The packet is deJivered to the host without any 
l orocessin in Mode O. 
Occurs ifModc 1 is bein used 
Occurs if Mode 2 is bein used 
Occurs after daLa is stored in the receiver" s buffer 
J 
4----> 16 ~;:;e:n~;~~'cr has processed the data packet and updating the two tables I 
Table 9. Transitions for Machine Rl 
'1be~fiCllti()!lfO£Rl in [NRS90] shnwslhisa.tnlllsitiou4 ... 2_ Howc~crtitismUSlbc1lIlerrorbecauseafter 
retuminglO rule 2 fion\4.titelUllChi""'MlIlldbcstucl<ir1 state2sinceMode=2.nnl 1 orO 
cp 
1 ~bli~ 
Figure 7 Machine R2 State Diagram 
EXPLANATION 
Occurs after the connection has been established Y,ilh the transmitter 
1 ~ 2 Occurs after start si sent to RI, RJ , and R4 
2 ---} 3 Occurs if a control cket is receiyed from the transmitter 
.1 -4 2 Occurs after the variable scount is reset to 7.ero 
Table 10_ Transitions for Machine R2 
TRANSITIONS 
Figure 8 Machine R3 State Diagram 
EXPLANATION 
Occurs aftcr starl~signal received from R2 and variables imtiah1.oo (bu~y 10 
false, k to I, andcoun!toO 
I __ 2 Occurs if cven! clock Jick detected and after "coun! incremented 
2 __ 3 Occurs if a Dew data ket ~ not been received and after count incremeDted 
2 __ 4 Occurs if a new data packet received and after coun! incremented 
Oc\;ursifitisnot 'ettimetosend acontrol ket(cou/l/<k) 
3 __ .. Occurs if count k and aftcr k has been modified 10 reduce the traIl5mission 
rate ofrecei\'cr control packets " 
.. ---+ I Oo;urs after a control kct is sent, and after bu and coun! arc r~t 
Occurs if the receiver has not received a control pad'ct frOlll thc transmitter in 
the cxnoctcd inten,aJ scuuntrcachedprcdctermilloo,'aJuc 
rable 11, Transitions for Machine RJ 
7 TIl<: CfS\1 diagram in It.'RS901 inoonectly indiCl1«,d that k is mOOiticd during th~ t",nS;!''''' from Slak: 4 to 'Ulte 1 
and that. control packd is scnt during the transition from state 3 to state 4 
Omitted from [NRS90] are the details of mac rune R4 and the connection 
establishment phase. It assumes the connection will be estabLished based on the three-way 
handshake technique, The specification in [McAr92] includes the details of the connection 
establishment pbase and R4, Additionally it adds another machine to the transmitter, T4, 
to serve as an interface to the transmitter's host. The specification presented in [McAr92] 
is refined in [Tipi93] and [LuTi94] 
G. THE OPERATION OF SNR'S MACHINES 
A fragment ofa data transfer session is used to illustrate interactions of SNR's 
machines internal to the transmitter and the receiver. Only the most basic actions will be 
shown, It is assumed that no errors are caused by the netWork during the exchange. For 
this example assume the transmitter's host (called source) has a large file to send to the 
receiver's host (called destination), and data transfer pbase Mode 2 will be used. The 
value of variables will be given only when significant. The state of each machine will be 
given after the occurrence of major events that modify its state. Additional details relating 
to an event are provided following the table as appropriate (event numbers marked with an 
asterisk), Two or more events written in the same table row, indicate that in this 
particular example, the actions are concurrent 
No Descri lion 
I Transmitter and n:eeiver idle no connection 
I 2 = :i~on:!~:etransmitter that it has a 
Variables initialized 
I" The paramelen of the cOI\llCction are determined T2 and R1 establish the connection 
I 6 ~rt_Signal received at Tl and T2 and at Rl and 
7 Mod: 2 hein used for connection 
I' Check of retraru;mission table indicates there are n{) blocks to relran~mil and infonnation indicates Ispaccavailable inthereceiver'sbuffer 
State of State of Receiver's 
Transmitter's Machines after event 
MlIehines after event 
T! T2 T3 R2 R~ 
-~ 
State of StatcofReccivcr's 
EVENT Transmitter's Machines afi~r event 
Machines afier evcnt 
No Deseri lion I Tl 1"2 T3 RI R2 RJ 
9 TI transmits 3 block of data packets, updates the 
retransmission table, 3ndsctbusvtotruc 
to M<XIe 2 beln 11...00 for oonnection 
II Check: of retr3nsmission tablc indicatcs thcrc are 
no blocks to retransmit and the information at the 
transmittcr indicates there is space for anotber 
block: in the recciver' sbuffer 
Tl lr.rnsmils block of data packels, update thc 
retransmission tablc, and sct busY 10 lIUe 
13 Clock_tick dctcctcd at RJ (0.625 mscc since event 
6 
14 Clock lickdctected31 T3 
15 busy is tmc in tbctrnnsmittcr,sostatcJ inT3 is 
'-",,, 
busy is false In the receiver. so ~'oum incremented 
"'RJ 
16 A control ckctissent T3 
17 TI issc:ndin dataMlkisnolincrcascd""'T3 
18 crnml - k and sincc no data has been received al 
RI,kisincl"CllSCd 
]9 Aconlmi etissenlbvRJ 
20 1lledisconnccttimcrhasnotexpircd(scount< 
Limit, so 1'3 sets bus\-' to false 
21 T1 continues 10 send data packets, T, oontinues to 1,2, 
scndoonlT0lpacketsC\-'cryO,625 mscc, RJ 4.1. 
increased k (al C\'cnt 18), so receiver conlrol 
packets are sent less frequently until a data packet 
isrecei\-'td. 
22 The first data packet arrives at the reccl\-'Cr 
(approximately 10 mscc Slnct: event 9). busy is set 
13 Modc2bcin used for connection 
24 Thc data packet is proccsSl;d and RECEIVEf 11 set 
~I 
25 RI oontinue to receivc and process data packets 
A lTan$mitter oontrol kCI arrives 
R2 sets scoum to 0 and waits for Ihe arrival of 
annthercontrol packet 
29· At appro1cimately 20 mscc since evcnl 9, data 
transmission stOp5 while Tl waits for an 









30 Control packet from the receiver containing 
acknowledgments is received at the transmitter. 
31 Control ekel roc<:sscd '12 
32 Mode 2 is bein used. 
33 T2 updates LUP and waits for another receiver 
conlrol packct. 
34 S for il block exist in \he receivcr 's buffcr 
35* Transmission of data ets resumed Tl. 
State of 
Transmitter's 
Machines after evcnt 
TI T2 T3 
Table 12. Data Transfer Example 
4' 
Details of significant events marked with an asterisk 
Connection Parameters for this example are 
StatcofReceiver's I 
Machinesaftcr cvcnt 
RI R2 R3 
RID = 20 msec bandwidth '" I Gbit/sec 
packet 8 packets per block L> 2500 blocks 
1000 bits per data 
T." = 0.625 
msec 
12* Events 10, II, and 12 are a repeat of events 7, 8 and 9. These actions continue to 
repeat until retransmission of a block is required, the transmitter has filled the 
receiver's buffer and must wait until space is again available, or the entire message 
has been sent 
29* The transmitter has sent 2500 blocks and an acknowledgment has not been 
received. buffer_available was set initially to 2500 block and nas not yet changed. 
The number of outstanding blocks, NOU. now equals 2500 
The condition (buffer_availahle - NOlf) > 0 is no longer true, so TI must wait in 
state 2 until control packets from the receiver reflect available buffer space or 
acknowledge some of the transmitted blocks 
35* The protocol will continue to operate, executing actions similar to those described 
in the table above, until the entire message is transferred 
The operation of the protocol is significantly more complex then presented above 
Only one of many possible execution interleavings is given and many of the finer details 
are omitted. The example above demonstrates the difficulty of attempting to investigate 
the correctness of SNR manually. The next two chapters cover the verification SNR's 
connection establishment phase and data transfer phase, with the assistance ofMurphi. 
VI. VERIFICATION -- CONNECTION ESTABLISHMENT PHASE 
OFSNR 
A. INTRODUCTION 
This chapter describe~ the verification of SI\'R' s connection establishment phase 
The Murphi Verification System is used to determine if properties attributed to the 
connection establishment phase remain true in all reachable states. The reader may 
wonder why formal verification of the connection establishment phase is addressed, 
considering the designers of SNR omitted its details in a detailed description of the 
protocol in [NRS901 Why not just assume the connection establishment phase functions 
as required, skip its verification, and jump into the analysis of the more interesting data 
transfer phase? There are four reasons for proceeding with its verification 
I The function of the connection establishment phase is to prepare the 
transmitter and receiver for a data transfer session It is during this phase that 
connection parameters are negotiated and variables used by SNR are 
initialized After it is complete, the protocol should be rcady to conunence the 
data transfer phase. The corrcct operation of the connection establishment 
phase is necessary for the protocol to function as intended_ Therefore 
verification of this phase is a natural stan to verifying S?\"R. 
2 The complexity of the phase is appropriate for the initial application of Murphi 
to the Sl\'R protocol. Staning out with a simple phase of SNR provides an 
opportunity to gain insight on the workings of the protocol and a ben,er 
understanding of how best to employ Murphi for protocol verification The 
work can serve as a " stepping stone" for applying Murphi to the more 
complicated data transfer phase of SNR 
3 A detailed analysis of this phase had already been attempted using the syslem 
!!'"Iafe analysi~' method lLuTi94 J- The system state analysis approach 
encountered difficulties and was unable to provide a complete analysis of SNR 
Problems with the method arose because the role oflocal variables, such as 
counters, were ignored. A modification to the techniques was employed in 
[LuTi94] to overcome this problem and a fairly complete analysis resulted. It 
is important to determine early whether Murphi will cncounter similar 
difficulties 
4 A comparison of the results obtained with Murphi and the system state analysis 
method can serve as a "validation" ofthe mechanical verification approach 
The remainder of this chapter covers five topics. First, a complete and detailed 
specification of the connection establishment phase is given. Next, the operation of the 
connection establishment phase is explained. This is followed by a discussion of the 
significant properties to be verified. The Murphi description of SNR' s connection 
establishment phase is then presented Finally, the verification results are discussed. 
B. SPECIFICATION 
The formal specification ofthe connection establishment phase is provided below 
This specification is based on the systems of corrununicating machine (SCM) model 
discussed in [McAr92] and the specification ofSNR given in [Tipi93] . The SCM model 
uses a combination of finite state machines with their associated Predicate Action Tables 
(PAT) to characterize the behavior of a concurrent system. The finite state machines 
denote the states of individual machines comprising the system, and the allowable state 
transitions. The PAT describes the enabling predicates and actions for every transition in 
the system 
Only three of SNR's machines are involved in connection establishment . Two 
machines from the transmitter participate. Machine T4' interfaces with the transmitter ' s 
host (Figure 9 and Table 16). T2 is the machine responsible for establishing the 
cOlUlection over the network with the receiver (Figure 10 and Table 17 ). In the receiver, 
only one machine, R2, is concerned with this phase (Figure 11 and Table 18). R2 
cooperates with T2 to set up the connection 
In this specification, two shared variables, T _CHAN and R _CHAN arc used to 
represent the network connecting the transmitter and receiver. T _CHAN is used for 
passing data and state information from the transmitter to the receiver. R _CHAN is used 
to pass the receiver's state information to the transmitter. They are both based on a FlFO 
' lllCspecificalioo giV<:llin IMcAr<J2Iaddedthisrnachin" 
data structure, T __ CHAN(front) and R_CHAN(front) refer to the head elements of the 
queues_ Additionally, a representation completely faithful to the characteristic ofa 
network would prevent packet delivery prior to a specific time delay, Network 
propagation delay is ignored in this implementation 
Messages and variables used in this phase of the protocol are described in Table 13 
and Table 14, respectively , Non-trivial processing required by an action or predicate, 
associated with a transition, is perfonned using a pseudo procedure call. Procedures 
required for the connection establishment phase are explained in Table 15 Procedure 
names are in bold type in the PAT's 
MESSAGES 
Name Flow Purpose 
(FrOID ~To) 
Conn J eq T2 ~ R2 Connoction request, oomains the connection parameters desired by 
the transmiuer 
Conn _ ock R2 ---+ T2 Connection acknowledgment, oonlains the connection parameters 
the receiver is ble ofsu rtin 
Corm _con! Connection confirmation, indicates thaI the response send by 
rece'VCflS ble lothe transmincr. 
T ~ote T2 ---+ R2 Control packet conlains tr.msmitter ' s Slate inf"ormation 
Data T2 ---+ R2 Data packet. contains data for the recci"cr's host 
























Boolean Set to TRUE by T4 to indicate that a connection 
sbould be established 
Boolean Set to TRUE by T2 when the connection has been 







Set to TRUE by T2 when the attempt to establish a 
conneo;tion failed because a responds to the COIIJeq 
was neverrooei~'Cd. 
Set to FALSE by 12 when parametersconcained in 
Con_ockarc unsatisfactory for thedaca ttansfer 
sessIon. 
Set to TRUE by R2 when the connection lias been 
successful established wilh the uansmitter. Used to 
sig.nal thc: start of the daca uansfer phase in the 
rCCCJVer. 
Atiminge\'entoccurringatiDtervalsof r, •. 
Used as an implicit timer for determining wben T2 lias 
waited a sulJieient time period for a response to the 
previous ConJeq message and that anot.herone 
shouldbesellt. 
Used as an implicit timer for determining when R2 
ru.s waited 10ngenOligh for a response to the Con_ocll: 
messal!e it sent. 
Used as an implicit timer for determining when 12 has 
sent ample Can Jeq messages and waited long enough 
I'ithout a response from the receiver and the attempt 
to est.:Jblish the connoction moukl be aborted. 


















Evaluatcs the connection par.lmctcn; in the Conn acl; message 
Retums true if the oarameters are a(;reotabie. -
Remcves the daUi packet from the front ofthc indicated 
channel 
Returns true ift~channcl is e~·. 
Inserts tbe message (pa.'iSCd in as a parameter) into the 
indicated channcl for transmission 
Processes the CO" _ req scm by the transmincr al1d determines 
the connection parameters 10 be sent in the Can Gck mcssa e 
Increments the indicated counter variable 
Table 15 . Connection Establishment Phase Procedures 








Transmit :- TRUE; 
notify host of unacceprable 
connection 
mill 





Figure 10 Machine T2 -- Transmitter Connection Management 
Predicate 
Transmit TRUE A AcccpI: TRUE 
A Fai\ = FALSE 
R CHAN(front) - CQnn ack A 
Acceptable (R_CHAN(front» 
n~(~"::~:.:t:;~~~~~ ) 




T_active :-- TRUE; 
ILnqumc{CQnn cQn[. T CHAN); 
Dcqueue{R cHAN:>: 
Accept :-FALSE 
Dcqucue(R CHAN : 
lDcrcmen dela : 
mill 
IDcrcment(attemplS); dcla' - 0; 
En ut'lle Cunn re , T mAN): 
Fail :-TRUE 




Figure II Machine R2 -- Receiver Connection Management 
Predicate 
Em t CHAN 1\ clock tick 
delav< resct 
dcj!!)'_ reset 
T_CHAN(froDt) - Conn_c(mf y 
T CHAN(from) ~ T stale v 
- T _ CHAN(eroDI) ~ Dolo 




Enqneue(Conn ock R CHAN); 
Incrementdclav): 
ED ueu~(Conn ock, R CHAN; 
.wl 
R_ actiw :- TRUE; 




En ueuc{ronn ;;ck R CHAN); 
Table 18. Machine R2 Connection Estabhstunent PAT 
C. OPERATION 
When the transmitter 's host has data to send, the transmitter attempts to establish 
a connection between e itself and the receiver using a standard three-way handshake This 
process was outlined in steps two through five orTable lOin the previous chapter. A 
more comprehensive description of the actions of each machine is presented in this 
section. The operation of the connection establishment phase will first be explained when 
no error occurs The names of variables are in bold type 
In the absence of errors, the actions of connection establishment phase occur as 
follows . T4 signals T2 that the transmitter's host has data to transfer to the receiver 
(Transmit set to TRUE). T2 checks Transmit, finds it value is TRUE, and sends a 
connection request message (Con J eq) to the receiver Information in Con Jeq specifies 
parameters desired by the transmitter for the connection, After processing the Con J eq 
message, R2 respond with a connection acknowledgment message (Con _ack) , Con_ack 
contains the connection parameters the receiver is able to acconunodate, If the parameters 
returned by the receiver in the COf/_Gck message are acceptable to the transmitter, T2 
sends a connection confirmation message (Con_conf) and signals the transmitter's other 
machines that the connection establishment phase was successful and to begin transferring 
data (T_ active set to TRUE). Upon receiving the Con con/, R2 signals the receiver's 
other machines to start the data transfer phase (R_active set to TRUE). The connection 
establishment phase of the protocol is complete and the transmitter and receiver begin the 
data transfer phase. If the transmitter finds the response of the receiver to its proposed 
connection parameters unacceptable, T2 quits its attempt to establish a connection and 
notifies T4 (Accept set to FALSE) 
If the connection establishment phase was as uncomplicated as described above, its 
verification would be relatively simple, However, other situations may occur that must be 
taken into account. For example, ifT2 fails to receive a Con_ad within a set time delay it 
sends another Con Jeq message. After a preset number of COII_ req messages have been 
transmitted and nu response has been received, T2 terminates the connection 
establislunent phase and notifies T4 (Fail set to TRUE). Likewise, ifR2 does not receive 
a response to its Con _ ack witttin a set time delay the linkup routine in the receiver is 
terminated 
The coupling of concurrent actions and the possibility of problems due to failed 
machines or errors introduced by the network makes this apparently simple phase of the 
protocol more complex than expected 
D. PROPERTIES 
The desired outcome ortbe connection establishment pbase can be characterized 
intuitively as follows 
If the transmitter ' s host has data to send onc of two outcomes is acceptable 
I A connection is correctly established so that the data transfer can take 
place 
2 Ifthc connection carmot be established as required then the attempt is 
tenninated and the transmitter's host is informed of the failurc. Both thc 
receiver and the transmitter should return to a ready condition 
If data transfer has not been requested then a connection establishment is not 
attempted 
Specifically, the connection establishment phase must possess the safety and 
liveness properties listed in the table below. Addit ionally, the desired outcome is not 









IfT2 signals Illat the connection bas been succcssfuUy established (T _acth"e · 
TRUE). then all variables relating 10 the connectIOn establishment phase are 
consistent \\itb this condition (Accept - TRUE and Fail "" TRUE). It would be 
inappropriate for T4 10 notify the host ofa failure to COIUlect while TI is 
atte~ptin tottansmildata 
When the connection establishment phase is completed successfully, both the 
transmitter and receiver arc ready to commence the data transfer phase 
(T active = TRUE and R active-TRUE) 
If an attempt to establish the connection is lUlJ)u=sful, then either the respoTISC 
oflhe recei,'cr was unacccpWble (Accep t = FALSE) or T2 failed to obtain a 
response from the receiver in the preset time limit (Fai l = TRUE . 
If T4 receives a transmiS!Sion request from the transmitter's host then eventually 
cilhcr the connection isestablishcd (T_actin = TRUE) or me attempt to 
establish the connection is unsuccessful and either Accept .. FALSE or Fail .. 
TRUE (sec 53 above). In other words, the actions taken in the traru;mitter must 
roduce an exocctcdresult 
If eventually the transmitter is ready for the data transfer phase (T_llttin true) 
then the rocei"cr will become ready to accept data (R_lcti\'e = true) or the 
allempt to eslabl.ish the connection is unsuccessful (again S3 above) or R2 ~ 
out aDd temlinates its conneaion establishment effon. L2 differs from LI in that 
it is based on the receiver - actions taken in the receiver produce an expected 
result but only under the condition that the transmitter behaves properly 
Table 19. Connection Establishment Phase Properties 
Now that the properties have been detenninoo the verification process can begin 
Recall the task of verification is to show that these properties remain true in all reachable 
states of the connection establishment phase Murphi is used to check for deadlock and 
the invariants of the above properties 
E. MURPHI DESCRIPTION 
The first step for using Murphi to verifY the connection establishment phase is to 
translate its SCM specification into a Murphi description. The SCM guarded transitions 
convert easily into Murphi's rules Correctly expressing the properties is the more difficult 
task. The Murphi description of the connection establishment phase is displayed on the 
ne",t three pages. Significant elements of each section of the description are discussed 






State_labels : 0,,7: 
/'" Declarations ., 
- number of clock_licks lx:t .... een Con_req retransmi5~ions 
-- number of clock_ticks before quitting 
-- number of times Con_req retransmitted lx:fore quitting 
Mcssagc_type . Enum {None, ConnJ Cq, Conn_ack, Conn_conf, T_stale. DalaL 
Counler _Iype : 0,,2; - used for variables that incremenl or deuement 
T2 stale : State labels; 
n-statl: : Slate-labels; 
R2 -state : State- labels; 
Tj:aA.N : MesSagc_Iype; 
R CHAN: Mcssagc_type: 
Hosl_ T : Boolean: - true if transmitter host has data to send 
Transmit: Boolean 
T_aetive: Boolean; 
R active: Boolean: 
~:Boolean; 
Fail: Boolean; 
delaLT : Coumer_type. 
delay_R: Counter_type: 
attempts : Counter_type~ 
Rl_timcout : boolean; -- true iflransition timoout taken by R2 
/'" Rules Section ., 
Rule "signal" Rule "unacccpt_T4" 
End~ 
T4_state =0 & HO~1_T 
T4_statc:= I; 
Transmit :=truc: 
Rule "fail " 
End, 




T4_state - I & AccepI. = false 
T4 ~tatc :'" 0: 
H~t_T := false ; 
End: 
Rule "start_T4" 






T2 state " 0 & Transmit = true & 
!\cc-;;pt ", true&Fail " false 
T2_statc := I ; 
T_CRA .. "!:"" Conn_!eq~ 
Rulesct P _acceptable : BooleilnDo 
Rule "accept" 
T2 state = 1 & R CHAN = Conn ack 
& P_3CCcptable - true - -
T2_state :- 2: 
T_active := true; 
;=~~ ~:~~:~COnf; 
End; 
Rule "unaccept T2" 
Tl SbtC = 1 & R CHAN Conn_ad 
& P_~ble" falsc -
End; 
T2 state : ~ O; 
AcCept :=falsc: 
R_CHAN ;- None; 
Endrukset; 
Rule "dock_Tl" 
T2_state "t I & R_CHAt"l' = None 
Tl_stale :=6; 
delaLT := dclay_T + I ; 
End: 
Rule "ok_Tl" 




T2_statc - 6 &delaL T - rescl_T2 
T2_state :'"' 7; 
attempts := attempts + ! 
delaLT :- O; 
Rulc"retry ' 
T2_statc - 7 & attempts < 
max_attempts 
End; 
T2_statc := L 
T_CHAN :- Conn_req 
Rule "quit" 
T2_stak = 7 & attempts -
max_attempts 
End; 
T2_state :- O, 
Fail :"" true; 
/* Rl transitions *1 
Rule "ad:" 
Rl_state = 0 & T_CHAN '" Conn_Teq 
Rl st.1.tc:= I; 
T CHAN :- None; 
R CHAN := Conn aek; 
End: - -
Rulc'dock: 1U" 
Rl=statc ... I & T_CHAN = None 
Rl_state:= 3; 
delaLR :- delay_R + I : 
End; 
Rule ' ok Rl" 
Rl_state - 3 & delay_R < resct_Rl 
R2 state:= I; 
R_CHAN :=Cnnn_ack; 
End; 
Rule "timeuut Rl" 
R2_statC= 3 & delaLR=resct_Rl 
Rl stale :=0; 
dclayji.. :=o; 
R2 timeout :=lrue; 
End~ -
Rille "start Rl" 
R2 state - I & 
End; 
(T..=-CHAN " Conn_conf I T _CHAN = 
T_statc I T_CHAN = Data) 
Rule "lost ack" 
Rl_staIC :- 2; 
R 3clive:= lrue; 
1fT CHAN " Conn conf then 
- T_OIAN:: None. 
cndif; 
End; 
Rl_statc = I & T_CHAN = Conn_teq 
R2 Slate := I; 
T CHA.."I :"' !'>looc; 
R=CHAN : ~ Conll_ad:: 
/" Initialu.ation section"/ 
Stanstate 
End: 
Host_T ;" true; 
T2 Slate =0; 
T4-sta\C :"0; 
~~;~~7=Okonc: 
R - CHA'I :'" Nonc; 
T;ansmit := false ; 
T_activc: -= faJ sc; 
R aclivc: - false; 
AUepi :=truc; 
Fail : .. ralsc; 




/" Properties "/ 
In\llUiant '-consistent conditions atoo~tion establishment-' 
T_actlvc = tnte --t (AccepI = true & Fail ~ false): 
Invariant"--transmitterandreceiverrcadyatcndofphase_' 
R_Kt.ive = uuc --t T_actr.'C ~ true; 
Invarian t "--notbothfail aodlllll1ccept-_' 
f(Fail = true & AcccpC. " falsc); 
Livenc~"-oonnl:<-llooestahlishedlfdcs;"ed __ " 
Alw3ysTratlSmit = true --t EvcnruaUy((T activc" lrul:) I 
{Fail - truc I Aocept = false»; -
Livcncss "--xmillt:r ready followed by rc\T rcady-" 
Eventually Always (f_actlve = true & R_active = true) I Fail ., true I 
Ac<;ept = fal se I Rl_limeout = true; 
t. Declarations 
First three constants are declared The value of"reset_T2" limits the number of 
times the "clock -')0 ok" loop (state I to state 6 back 10 state 1, etc.) is executed by T2 
prior to retransmitting a COI1Jcq message. Since clock_lick occurs at an interval of T,", 
this loop serves as a retransmission timer T2. The constant "max_ attempts" fixes the 
number retransmissions ofCol1J cq conducted prior to giving up the attempt to establish 
the connection. A similar limit on the number oftimes Con _ ack is retransmitted is found 
in R_2 with the constant "reset_R2" 
Next, three data-types are defined. The type "State_labels" specifies an integer 
subrange which ranges over the reachable states of12, T4, and R2. The next type 
declaration is an enumeration type, called "Message_type" Its domain includes all 
messages that could be sent during the connection establishment phase. "None" indicates 
that the channel is empty 
The variable required for the connection establishment phase comprise the fmal 
part of the declaration section. They have already been explained in Table 13. In this 
description, T_CHAN and R_CHAN are implemented as scalars. A queue is unnecessary 
since the ordering of message in the channel has no impact on the operation of the 
connection establishment phase. Also, any time delay corresponding to the network's 
propagation delay is ignored 
The introduction of a variable to implement a periodic clock event is not required 
The presence or absence of a variable that alternates between two values has no impact on 
the verification of the connection establishment phase. 
2. Rules 
The rules are grouped by the machine to which they apply. Note the 
correspondence between each rule and the associated predicate and action of the guarded 
transitions listed in the PAT's. The guard for all rules involve the current state of the 
associated machine and the value of one or more variables. For most rules, the actions 
and the conditions under which the their bodies are executed is clear and no explanation is 
required 
Slightly more complicated is the ruleset that is part ofT2 ' s description. The two 
rules "accept" and "unaccep,-T2" comprise the body of the ruleset. The ruleset, causes 
the value of quantifier "p _acceptable" to alternate between TRLTE and FALSE. This 
allows the behavior of the connection establishment phase to be examined when the 
receiver responds with connection parameters acceptable to the transmitter and also when 
unacceptable parameters are sent 
3, Slartstate 
Variable initialization is as expected The machines all start from state zero The 
channels are empty. The values of Boolean variables reflect an idle transmitter and 
receiver. All counters used for the implicit timer are set to zero 
4. Invariants 
The invariants and liveness constructs correspond to the properties defined in 
Table 18. The second invariant's fonnula. R_aclive = TRUE --+- T_active = TR{}E, 
states " if the receiver is ready for the data transfer phase then the transminer is also. This 
differs slightly from what is wrinen in Table 18 (I'_active = TRlJE and R_Kclive = 
TRUE). The modification is necessary to prevent a false invariant violation. During 
execution, T _active is set to TRUE prior to R _active being set to TRUE. (R _aclive is 
not set to TRUE until after the message sent by the transmitter in respond to a Con_ad, 
is received by R2). Since 'they are not both set to TRUE simultaneously, the fonnula 
T_activc = TRUE & R_active = TRUE is not invariant 
The first liveness formula, as implemented in Murphi is equivalent to 
ALWAYS (p ~ EVENT1JALLY q) 
The second Jiveness fonnula, of the fonn EVENI1JALLY ALWAYS (0), means at some point 
p is true and remains true from then on 
F. RESULTS 
Analysis of results obtained from MUl1'hi indicates the connection establishment 
phase of SNR functions properly. However, two interesting circumstances were 
observed 
The first is a condition flagged by Murphi as a deadlocked state. Tfncar the end of 
the connection establishment phase, R2 limes out before it receives a COr/Jon! message, a 
data packet, or a state packet from the transmitter, and after T2 has set T _active to 
TRUE, the protocol ends up in a condition with the transmitter ready to send data but the 
receiver has quit the connection. 10 This appears to he a liveness violation, however, when 
the connection establishment phase and the data transfer phase are taken together, 
deadlock is avoided The protocol eventually returns to the initial state since the 
transmitter will timeout and disconnect when receiver state packets are not received 
(occurs in the data transfer phase) The sequence of events pertaining to this situation is 
given in the table below 
Event Description 
ACon ackmessa cissent R2 
R2 increments dela 
ddav is less than reset so another Con (lck III 0: is sent . R2 
Con _ ock roc;;:ived at T2 and the connection panunc:ters it contains are acceptable 
to the transmittcT, T active is sct to TRUE. ACon COli messa eisscntb\'TI 
dela 'is less than reset so another Con ack messa e is so;nt bv R2 
R2 continues to execute the "dock" "ok" transition. delay is incremented each 
cycle 
The value of T_actil'e ehecked b).' 14 and found to b).' TRUE. The ttansmitter 
he ins tho: data ttansfer phase and sendl data nackets to the receiver. 
dehn' reset so the "timeout" ttansition is taken bo.' R2 
After a period of time the transmitter will terminate the COIlnection since T3 will 
no.vcr receive a conlrol de. from the receiver 
Table 20. Events Leading to Unexpected ConditIOn 
State ofMacrunes 
T4 T2 R2 
1 
1,3.1 , 
Also of interest is the need for a conjunction of three variables in the guard of 
transition "request" of machine T2 to prevent livclock. If Transmit "" TRUE was the only 
component of the predicate for " request", then once the host signaled it had data to 
transfer, the rule would be enabled until Transmit was reset by T4. However, ifT4 was 
never again given an opportunity to execute its actions (T2 and T 4 running on a single 
CPU and starvation ofT4 occurs) then the "request" rule could fire infmitely often 
Including Accept = TRUE and Fail = FALSE with Transmit = TRUE eliminates the 
possibility of live lock 
7) 

VII. VERIFICATION - FLOW CONTROL MODE OF SNR 
A. INTRODIJCTlON 
The correctness ofSNR's connection establishment phase was examined in the 
previous chapter, The next step is veritying the PJOtocol's data transfer phase. Instead of 
attempting to investigate the data transfer phase in its entirety, a modular approach is 
employed. Recall, in SNR the data exchange can occur without flow or error control 
(Mode 0), with only flow control (Mode 1). or with both error and flow control (Mode 2) 
Even though Mode 0 is the least complicated of the three modes, and therefore its 
verification is the next logical step, its explicit verification is skipped. Mode I essentially 
includes all of the states and actions of Mode 0, (The only difference is in machine Rl, In 
Mode 1, Rl changes from state 2 to state 3 and then back to state I, while in Mode 0 R I 
changes directly back to state 1 from state 2.) This chapter describes the verification of 
SNR's data transfer phase operating with flow control only. The verification is 
accomplished with the assistance of the Murphi Verification System. AdditionaUy, state 
space explosion, as it applies 10 the Murphi description ofSNR '5 Mode I, is explored, It 
is imponant to detennine whether state space explosion will prevent the full verification of 
SNR 
This chapter follows a fonnat similar to the previous chapter. The architecture of 
SNR applicable to flow control is addressed first, followed by a description of actions in 
Mode 1, Next the safety property applicable to flow control is explored and then the 
Murphi description is presented Finally verificat ion results and stale space explosion are 
discussed 
B. MACHINE DIAGRAMS - MODE 1 
No new material is present in this section. Chapter v, serves as the framework for 
this chapter. 11 The packet types, variables, connection parameters, etc, applicable 10 
Mode 1 are the same as in Mode 2 and have already been discussed in Chapler V. Only 
TI, T2, Rl and R3 perform functions in Mode I. Presented below are extracts from the 
diagrams and tables of Section Y.D.6 for these four machines Just those states and 




Figure 12 Machine T I State Diagram 
EXPLANATION 
Occurs when information 31 the transmitter indicates there is sufficient space in the 
I fcceiver 's bufTer for a block of data kels(hu er available > O 
Qxurs after the transmitter has: sent a new block; updated the table of OUl.$Unding 
blocks LU ; and !leI buw \0 true. 
Table 21 Transitions for Machine Tl 
•• A principal goal oflhi. thesi. lS veril)ing the SNR pro!ocoJ lISintmduced in [NRS'iOj. Therefore the specification 
gm:n in [McJ\r92] and as refined in [Tipi93j 00es Dol pluya primary role in the verification of the data trans f..,-phase 




Figure 13 Machine T2 State Diagram 
EXPLANATION 
Occurs if a control Ckcl is r<.'<Xived from the rc.x:iver 
Ou:urs after updating the receiver's state inform31ioll maintained 31 the transmitter 
and the disconnect counter (.,'count) has been reset 
Occurs if Mode I arc bcin usod 
Table 22. Transitions for Machine T2 
@ "'" received data stored in 2 buffer MoOO' 
3 
figure 14 Machine R 1 State Diagram 
TRANSITIONS EXPLANATION 
Occurs if a data ck.ct is received from the transmitter 
Occurs if Mode 1 is bcin used 
Occurs after data is stored in the ro;eiver 's bufier 
Table 23. Transitions for Machine Rl 
I 
Figure IS Machine R3 State Diagram 
TRANSITIONS EXPLANATION 
t ---+ 2 Occurs if C\'cnt cluck nck detected and after scount incremented 
2 ---+ 3 Occurs if a new data ket has DOt been received and after count incremented 
Occurs if a Dew data kct received and after count incremented 
3 ---+ 1 Occurs if it is not et time to send a control Icel (count < k) 
4 ---+Disc 
o.:cw-s if count ~ k and after k has bcc::n modified to reduce the transmission 
ratc of recciver control packet.s 
Occurs after a control Icet is sent, and after bu. and. count, are reset 
Occurs if\h¢ f(x;ci"cr has oot recei,,'ed a control packet from the transmitter in 
thc expected interval scount reached nredetermim:d value) 
Table 24. Transitions for Machine R3 
C. OPERATION 
The purpose of flow control in SNR is to permit the transmitter to send as many 
data packets as possible without overflowing the receiver's buffer This is accomplished 
by regulaling the transmission of data packets using information about the receiver as 
know at the transmitter In SNR flow control is based on blocks of data packets not 
individual packets 
After the connection establishment phase is complete the protocol enters the data 
transfer phase. Below are the basic operations performed during a data transfer session 
utilizing Mode 1 
• Tl transmits blocks of data packets until the preset limit on the capacity orthe 
receiver's buffer is reached 
• R 1 stores the incoming data packets in its buffer. Packets are removed from 
the huffer hy the receiver's host. The status of buffer space (value of variable 
buffer _available) is updated as new packets are inserted and the host removes 
packets 
At the appropriate interval, R3 sends receiver state information to T2, This 
inlonnation is used to update the state of the receiver's buffer (as known by the 
transmitter) 
Tl temporally halts transmission of data packets when its information indicates 
the receiver's buffer will be full when all of the data packets it has sent arrive at 
the receiver. Tl resumes sending data packets when state infonnation from the 
receiver indicates buffer space in once again available 
Control packets and blocks of data packets continue to be exchanged until the 
entirt~ message has been acknowledged by the receiver 
RJ terminates the connection if data packet is not received within the required 
time limit 
The basic operations perfonned in Mode I are similar to those explained in 
Chapter V for SNR transferring data using Mode 2. The primary difference is that in 
Mode 1 errors are ignored. As a result, retransmission of data packets and all the 
associated processing needed to accomplish retransmission is omitted. There are six areas 
impacted significantly 
1 In Mode I, TI sends data packets as along as (buffer_uvailablCtranmu"" > 0) 
is true. In Mode 2 new data packets are transmitted when the retransmission 
of a block of data packets is not required and the predicate 
(buffer_available"on ... ",,,, - NOU > 0) is true 
2 The retransmission table (LVP) is not maintained in Mode I 
3 In Mode 1, T3 remains in state 1 Therefore transmitter state packets are not 
sent to the receiver 
4 R I stores, without processing, data packets in the buffer for the host to 
retrieve, It does no processing of the data packets since errors are ignored 
5 R2 remains in state 2 since a control packet is never received from the 
transmitter (because of number 3 above) 
6 Since data packets are not processed by the receiver (see number 4 above), no 
meaningful status information other than buffer space available can be sent in 
control packets by R3 
The differences in these six areas simplity considerable, as compared to Mode 2, 
the behavior and the Murphi description for Mode 1 
D. PROPERTIES 
The primary safety property for SNR operating with only flow control is, the 
receiver 's buffer must not overflow That is the condition (buffer _ availabie,<c<, ... ;:>: 0) 
must always be true 
E. MURPHI DESCRIPTION 
The Murphi description for SNR's data transfer phase operating in Mode I was 
developed with three goals in mind 
I. The description must correctly characterize the behavior of Mode I. 
2 The description should serve as the groundwork for SNR's data transfer phase 
operating in any mode (allow scaling up to Mode 2) 
3 The description should be as simple as possible (to enhance its 
understandably), Only those actions specifically required for flow control 
should be implemented and the number of variables kept to the absolute 
minimum (to reduce the size of the state space) 
A faci important to achieving goal number three above is: flow control is 
accomplish in SNR by managing blocks of data packets. As a result, the state space is 
reduced since the description can be based on data blocks and the variables and data 
structures needed for tracking individual data packets can be eliminated 
Displayed on the next six pages is the Murphi description for Mode I , At this 
point the reader has been exposed to numerous descriptions written in the Murphi 
Descriptive Language and much of this description should be familiar Therefore only a 
few points specific to this particular description are covered below 
The name of each rule has been formal\ed to facilitate understanding the purpose 
of the rule as follows 
machine identification. description of guard or action for rule· current stalt: oj 
machine 
For example: "Rl - receive data packet - 1'51" indicates this is a rule for machine Rl, the 
body of the rule is executed when a data packet is received, and R l must be in state I 
(1'5 1) for the rule to fire 
In this description T_CHAN and R_CHAN are implemented as circular arrays 
Each element of T _CHAN can contain either a block of data packets or is empty 
Like\'\1se each element ofR_CHAN contains a receiver control packet or is empty 
Again, the network's propagation delay is ignort:d. (Note the size of the arrays is only 
two elements, This is because these data structures contribute to the overall state space 
Increasing their size significantly impacts the state space.) 
The description also contains bold type and italicized code, When the bold lype 
code is removed and the italicized code added, an alternate implementation based on the 
SCM specification from {McAr92] is cr~ted . The specification as given in [McAr92] is 
examined because the design of SNR, with flow control based strictly on the variable 





revr buffer size: 1~ 
scoWtUim:- 11: 
DedaratioDs 
- channel capacity in blocks 
-- number of blocks in message 
-- maximum change in k 
--size of J'C\-T buffer 
-- upper bound on the value of scount 
- connection terminated if scount reaches this value 
Type 
~'Ounter_type : 0 . .30; 
timc_illlcrvaU:Ype: O. max_tilrn:_imcp,al; 
buffer_type: -L.n;VJ_buffer_size; 
block _ ~ type: 0., message_size:; _ basic counter type for blocks and block sequence numbers 
T_states_.typc: Enum {tsl, ts2 , 153, ts4, tsS, ts6L 
R_st3tes_type: Enurn IT'Sl , rs2. rs3, rs4} ; 
chan slot: O .. (ehml cap - I); 
T~keuype : Eo;;-m {none_T, datapac); 
RJIIleket_lypC: Enum {nonc_R. conpae}; 
T _Packet_record" 
Record 
packet_kind: TJIIlckeuype; - kinds of packet 
- (NOUj :ifIq_ nllm. block seqJYI>e; - packet sequence number 
End; 
packet_kind: R --.JXlckeUH";;; - kind of packet 
-- (NOU) LW_R: block_seq_type; - belov.' LW_R all blocks received 
butler_avail: buffer_type; -rcvrbutferstatus 
End; 
YM 




T CHAN: T CHAN type; -- communication challl\CI from xtmr to revr 
R ~ CHAN: R = CHA"( type; - communication channel from revr to xtmr 
xtmt _ eruCfe: chao_slot; - transmitter end of T _CHAN 
ro.T end TC: chan slot: - receiver end ofT CHAN 
~ endRe:c~ slot; -traosmittcr endofR_CHAN 
rC\-'r _cnd jK: chan _sIOI: - receiver end of R _ CHAN 
kJ: timc_interval_tHJe: -value of time interval at xtmr 
k_R: timeJnterval_type: -valucof timc intcr\'al al rcvr 
late~1_ Tpacket: T _Packet_record; - block at revr fTOrn xlmr 
la\est_Rpackcl: R_Packet_rccord; -control packet at xtmr from revr 
blk_se~ num: block_seq..lYpe: -- seq nurn for entire block 
OUTBUF: block _~t)'pt; - contains message to be senl 
buffer_avail buJIer_t)'pt; - buffer space available in reVI 
buffer_avail_T: buffer_type; - valuc at Xlmr 
--(N()L~.'·.'OU" block_seq rype . --numbcr of blocks outstanding 
lIW_T. block_SC(lJyPC: 
LW_R: block_se<LtypC: 
L \\' _ T, block _ se<LJype: 
T _busy: Boolean: 
R_busy: Boolcan; 
scouut_ R: countef_l~'pe: 
count_ R: !imc_inlCl'o'a1_ type: 
PROCEDURES 
-- blk seq 1/ < UW_T have all been senl 
-- bLk seq II < LW_R have ~11 been received 
--va\ueofLW_Ta\ rum 
--statusofscndingdata packcl!; 
- status of receiving data packets 
-- counter for di5connect if no flow 
- counter for adjusting k_R 
'I 
Procedure send_blockO; - pJacesbiocks wonh ofdara packets in T _CHAN 
VaT 
next_Tpackel: T_P'JCketJecord: - next packelat:runr to send 
Begin 
bik stXLnum :=bJk SC<Lnum -ll: 
ne.~_ Tpackct.packel:,.kind :- datapac; 
-- (A'OU) next .1'packel. seq •. num , = blk _seq._ nllm 
T CHANlxunr end TC] := next Tpackel: 
x1~_cnd_TC :~(xI~_cnd_TC:;: \)%chan_Cilp; 
UW T:= bIk._SCG.,..num 
- (NOU) NOU '-- NOli + 1 
OUTHL'F := OUTHUf • I: 
1' _ _ rc:ceivc_l'Onpac __ '1 
Procedure reccivc_conpacO: .. x\mr receives colltrm packet form reVI 
Begin 
latesl_Rpacket :'" R_CHAN[xtnu_end_RC]; 
R_CHAN[xtmr_erntRC].packeU<.ind:" none_R; 
xtmr_end_RC : ~ (xtnlI_end_RC + J) ~q chan_cap; - consumes packet 
receive block 
Procedure receh'e_bJockO; - rew receives an entire block of data packets 
Begin 
latest Tpackct:~ T CHk'l[rcvr end TCj; 
T_CHAN[rcvr_end=TCj.pad::etj,ind:- ooneJ; 
rC'.'_end_TC : .. (rcvr_cnd_TC + I) %ehan_C3P; 
End; -- receive_block 
Procedure stoIe_b1ockO; - makes block available to rc-.'rhost 
Begin 
Begin 
--load data io packet 
next_Rpackel.packet_kind:= conpac; 
-- (NOU) next RpackuLW R := LW R: 
next_Rpacket.burrer_avail ::;;. buffer_;vail; 
- place packet in channel 
R CHAN[rC'., end ReI : ~ next RpackCl; 
r~r_end_RC:; (n.-.T_end_RC + - I) % chan_C3P: 
RULES 
1* Tltrausitions 
Ruk "TI -transmit possible - t5 \" 
(TI state = l~l) & (buffer a~ail T:> 0) 
- -- (}IOIJ) ((f b;;fjer _ ;;"ail- }o/OU) 
> 0) 
~> 
Tl_state ... t.s4; 
End, 
Rulc"Tl-trau5mitblocl t.s4" 
(Tl_stale = 154) & (OlITBUF > 0) 
send bloclO; 
T_tm~~, :"" UUe; 
Tl_state -= lsi; 
Eod 
T2uansitions 
Rule"T2 -reccivc rv.'I stat e info-154" 





T2 state =155 
End;-
Rule "T2 - update into about rv.'r - 155" 
(l'2_~talc ~ ts5) 
~> 
-- update infonnatioo at .xtrnr 
-- (NOL~ LW T ,- Ialm RpackerLW R 
butlcr_3\'ail T;~ Jaleslj ipacketbufIer_3vad; 
T2 state " Wi; 
End; 
Rulc "T2-goback tots4-\S6" 




(R l stalc - rsl)& 




Rl stale ;= 11;2; 
End;-
Rulc"Rl-processdatapacket - rs2" 
RI state := rs3; 
End, -
Rulc"RI-storedatapackct- Is3" 
(R I_state ~ 11;3) _. (}IOC? & 





-- included 10 simulate action of the K-vr's host 
Rule "rcmo,-c p;;cket from buffe," 




· RJ Iransitions 
Rulc"RJ-clock_tick- rsl" 
1'00001 R; E l'OOunl R + l ~ 
R3 state : ~rs2: -
End;-
Rulc"RJ noiOOsy- r52" 
(R3_state - rs2) & (R_busy= false) 
~> 
counl_R:ccounl_R + I; 
R3 stale := rs3: 
End;-
Rule "RJ-OO)1"- rs2" 
RJ_state; - rs4; 
End.; 
RJ stale :- rsi; 
End;-
(R3_statc = rs3) & (counl_R = k_R) 
==> 
Irk R < max time inter/al Then 
k,=-R ;= k_R-" 2;: 
Endil; 
RJ slate :E r54; 
EOO;-
Rule"RJ sendrcvrstate- r54" 
Rule "RJ - disconnect - r54· 
(R3_stale - r54)& (scount_R = scounUim) 
error "disconnect": 
End; 
TI_s1.a!e : - tsJ ~ 
T2_s1.ate :~ ts4~ 
RI_S1..i1e: = rsJ; 
R3_statc: oo tsl ; 
Starls1.alc 
For cs: chan_slot Do -- fill channels with cmpty packets 
T_CHAN[cs).packeU<ind:- none_T; 
- (NOL~ T_ CHANfcsj.si!q_ num . - 0; 
R OiA."l jcs].packet k:ind:= none R; 
- -(NOU)R CHAN{:Sj.LW R-ii; 
R CHAN[~J,bulTet a"aiJ :-: n:vr buffer size; 
Endior; - --
xtmr end TC :>" 0; 
rC\·t_~_TC= 0; 
lItmr_en<tRC : ~O; 
tC\,t cnd RC '=0; 
latcst_ Tpaeket,packcUond : ~ nonc_ T; 
-- (NOU) lali!sl_Tpocket.seq_num: - 0; 
13tC!;t_ RpackC1 . packet)~ind oo nonc_R; 
-- (NOU) IOlesl_Rpockel,LW_R , - 0 
latest_Rpacket.buffer_3vail := fC\'J_buffer _size; 
k_T:= 1; 
k_R:= I ; 
blk_se<Lnum :~ O; 
OliLBUF :- messagc_size; 
~;~E~6J.~~~~~;~~~£; 
UW_T :=O; 
LW_R :" 0; 
LW_T :=0; 
T_M)' :"' false: 
R_busy := false; 
scount R :- 0, 
COWl! R:=O; 
End; -
Inv;uiant '- no buffer overflow -' 
buffcr_a\'ai l > -I ; -- Q\o'crflow occurs when bufti:r space is zero 
F. RESULTS 
The data transfer phase of SNR operating with flow control only (Mode I) does 
not behave as desired. Two problems were discovered 
1, The receiver's buffer can overflow 
2 The improper termination of the connection can occur 
Mode 0 also exhibits problem number two, State space explosion did not prevent 
verification of Mode lusing the description based on [NRS90] or based on [McAr92] 
However, the size of the channels and message must be severely restricted to avoid 
significantly increasing the state space. The errors discovered in the design of Mode I and 
state space explosion are discussed in greater detail below 
1. Buffer Overflow 
The first problem arises because the variable buffer _ availableu.........;"", used to 
prevent does buffer overflow does not reflect the current status of the buffer space 
available at the receiver. In Mode 1,11 checks that the value ofbuffer_available--.m"" is 
greater than zero 0, sends a new block of data packets and then decrements 
buffer _ availabler,..",.";,,.,.. Data blocks continue to be transmitted by T I until 
buffer _ availabl~.......mc. reaches zero. The problem occurs when R3 sends a control packet 
to T2 just prior to Rl storing some number of data packets in the receiver's buffer. The 
control packet sent by R3 in this situation contains a value for the space available in the 
buffer that reflects space in the buffer subsequent to R I storing data packets_ The value of 
buffer _ availab1e.......rollor is updated by T2 using information that indicated there is more 
space in the buffer than actually exist. So, ifbuffer _ availabl~_ was zero it will be set 
to a value larger than the actual space available in the buffer. T I checks and finds 
buffer _lIvailablev-- > 0, so TI resumes sending blocks of dlltll packets If the host 
linked to the receiver has not yet removed any packets from the buffer prior to the arrival 
of the latest batch of data blocks, the capacity of the receiver's buffer \I:ill he exceed. The 
following example uses an arbitrary ~izcd message and buffer to illustrates how huffcr 
overflow arises 
Assume 
The transmitter has 100 blocks to send 
The Tccciver'sbuffer capacity is 10 blocks 
lrutial Conditions 
Transmillcr Recei,'cr 
Blocks to Transmit 100 BlocksReccivcd 
buffcr availabl 10 buffcr :n'ailabk\-,..,-
Tl sends 10 blocks of data packelS 
Transmitter Receiver 
Blocks to Transmit 90 Blocks Received 0 
buffer availablc.,..,..._ 0 buffer available,...i,,,, 10 
RJ sends a control packet ",ith a \'aiue of 10 in the buffer_available field. 
Transmitter Receiver 
Blocl:s to Transmit 9() Blocks Rtteived 
buffcr availabl 0 buffer availabk,.", !O 
Thc aata blocks arrivc at RI and are place in thc buffer 
Blocks to Transmi t 90 BlocksRecei,'C(j 10 
bulJer availabl""_jn" 0 buffcr avai.l3blc,..,.;.~ 
The receh'er's host removes 3 blocks from the butTer 
Transmittcr Receiver 
Blocks to Transmit !}() Blocks Received 
buffer availahl 0 buffer available.w~,..,-
T2 receives the control packets and updates buffer_available...n.-.., 
Transmiucr Receivcr 
Rlocks to Transmit Blocks R.:ceived 10 
buffer a...ailabl \0 buffer 3vailabl 3 





buffer availabl ~. 
The receiver's hoSL removes 3 more blocks from the OOffer. 
Transmitter Receh-er 
Blocks to Transmit 80 Blocks Rccci,'oo 10 
buffer available buffer 9vailabl i. 
Rt receives 10 data blocks, 6 are placed in the buffer. The remaining 4- blocks overflow the 
The trace of the execution path produced by Murphi for this design error is provided in 
Appendix B 
To prevent buffer overflow the condition on the transition from state I to state 4 in 
machine Tl must be changed. If the predicate (buffer_availabl"'uorumittor - NOU > 0) is used 
in place of (buffer _ availabl~ > 0), the overflow problem is eliminated. In addition 
to this change in T I, the sequence number of the most recent blocks processed by R I 
must be send to T2 by R3 in the receiver control packet. This infonnation is then used to 
update NOU. Removing the bold typ" faced code in the Murplll description and adding 
the italicized code produces a description that does not exhibit the buffer over flow 
problem. This alternate description for SNR's Mode 1 comes from the specification given 
in [McAr92] 
2. Undesired Disconnection 
The second problem. undesired disconnection, occurs because scounir«d.,,, is never 
reset in Mode I. R3 increments SCOUIlt"'<iv<r each time the transition from state I to state 
2 is taken. The value of scount,,,,,z,w is checked against its upper bound (scuuni_Iim) in 
state 4. If SCQuntroo. ;" , equals .scount _lim then the connection is tenninated at the receiver, 
otherwise the data exchange continues. The variable scountr=i_ is only reset to zero by 
maehine R2 when a control packet arrives at the receiver from T3. However in Mode I, 
T3 never sends a control packet so scounI,.c .. _ is never reset to zero Therefore unless 
the message is very short, SCOlln/,,,,,,,-oe, will reach scaunl_lim and RJ will tenninate the 
connection prematurely 
Tllis problem is masked by buffer overflow when using the Murphi description 
based on specification from [NRS90l The alternate description produced from the 
specification in [McAr92] does not cause the receiver ' s buffer to overflow As a result, 
the error in the design of the receiver's disconnect timer was discovered 
3, State Space Es:piosion 
State space explosion was avoided in the verification ofSNR's data transfer phase 
operating using flow control only by using a very small message, short channels and a tiny 
buffer The buffer overflow problems in the description based on [NRS90], was detected 
by Murphi after 19,652 states had been explored. The scounl reset problem encounter 
when the alternate description (based on specification in [McAr92 J) was used, occurred 
after examining 442,369 states. Changing the size of the channel from two to three, in the 
alternate description, resulted in over 671,000 states examined prior to detecting the 
.~COU1lf error. Adding the extra states and variables required to fully describe SNR's data 
transfer phase operating with both flow control and error will significantly increase the 
number of states generated by Murphi 

VIII. CONCLUSIONS AND RECOMMENDATION 
In this thesis the correctness of sI'm. 's design was examined. Key propenies of 
SNR's connection establishment phase and dala transfer phase operating in Mode 1 were 
identified and verified, A summary of the verification results is present in the first section 
oflhi5 chapter. The second section discusses the feasibility of using the Murpru 
Verification System for verifying communication protocols, The final section provides 
recommendations for completing the verification ofSNR and for enhancing Murphi's 
capabilities with respect to protocol verification 
A. SUMMARY -- VERIFICATION OF SNR 
The design of SNR as presented in [NRS90] appears to contain inconsistencies 
Two problems in the actions of the protocol's data transfer phase operating with flow 
control only (Mode 1) were detected by Murphi. The first is a violation of the key 
property offlow control -- buffer overflow must not occur. The second is a violation of 
the basic liveness property applicable to all protocols .- the message is eventually 
delivered. Both problems are the result ofimproper coordination between the transmitter 
and the receiver 
1 The receiver 's buffer can overflow. The strategy expected to halt the 
transmission of blocks of data packets prior to exceeding the capacity of 
receiver's buffer, does not function as intended. The scheme as specified fails 
to take into account that there may be data blocks in transit (sent by the 
transmitter but have not yet arrived at the receiver). In this situation each 
individual machine functions properly but it is the coordination between the 
transmitter and receiver that is flawed 
2 The network connection between the transmitter and receiver can be 
terminated unexpectedly by the receiver The connection termination timer 
implemented in machine RJ functions as exp«;ted, however the condition that 
resets this counter never occurs. The receiver only reset the timer when it 
receives a control packet from the transmitter. However, when SNR is 
operating in Mode I, the transmitter never sends a control packet. The 
interaction expected by the receiver with the transmitter does not take place 
The problem detected in the SCM specification of the connection establishment 
phase [Tipi931, where the transmitter is ready to send data but the receiver has terminated 
the connection, is not considered serious Even though the connection establishment 
phase seems to exhibit incorrect behavior, actions in the data transfer phase result in the 
transmitter also terminating the connection and all machines reset to their init ial 
conditions 
The verification of SNR's data transfer phase operating with both error and flow 
control (Mode 2) was not completed due to difficulties encountered during the 
examination of Mode I . These issues are discussed in the next section 
B. APPLYING MURPHI TO PROTOCOLS 
Murphi was used successfully to verify properties of the connection establishment 
phase and the data transfer pnase operating in Mode 0 and Mode I. It appears possible 
but very difficult to apply Murphi to SNR' s data transfer phase operating in Mode 2 and 
to the entire protocol (using a Murphi description that includes all phases and modes) 
Addressed below are issues related specifically to protocol verification with Murphi and 
limitations of Murphi in general. 
The prevailing models used for protocols cmploy finite state machines and shared 
variables. For some asynchronous concurrent processes, the shared variables are relatively 
simple and easily implemented in Murphi's Descriptive Language, However for protocols, 
a network channel when included as one of the shared variables adds significantly to the 
complexity of the Murphi description. Three difficulties arises when implementing 
communication channel in Murphi . 
I Implementing the channel as an array of records (each array element is a slot 
for a packet and each of the record's field corresponds to a packet field) or a 
similar data structure adds a very large number of states to the state space. For 
example. a full description of SNR would requires a minimum channel length 
off OUT slots (two blocks of two packets) with each slol containing six fields. 
The domain of each field varies and depends on the actual values used in the 
description, however if roughly the same magnitude as used for the 
description in Chapter VB is assumed, then the number of states contributed by 
the channels alone is approximately 7,000 states. Remember changing the 
value of any field of one of the channel slots changes the global state of the 
protocol being checked 
2 Real network channels arc unreliable. They lose packets, corrupt data, and 
reorder packets. An accurate implementation must simulation network 
introduced en-ors 
J Propagation delay is inherit in networks, The implementation should account 
for the time delay associated with the arrival of packet at their destination 
A clock mechanism to properly simulate the value of variable clock _lick was not 
required for the work done in this thesis. However, when all ofSNR's machines are 
included in the Murphi description, it appears clock _lick will be required to accurately 
characterize SNR behavior. A practical implementation of a clock mechanism in Murphi 
should be developed and tested 
Once deadlock is reached on any execution path, verification halts and other paths 
arc not checked. Tht:re is no simple method to ensure the first deadlock encountered is 
not masking another deadlocked path, Checking all paths for deadlock requires either the 
use of specific invariants coupled with disabling the detection of deadlock (a option of 
Murphi ' s special purpose verifier) or conditions causing deadlock must be con-ected as 
they are detected. Under some conditions selecting a depth-first search strategy may 
uncover a deadlock different from one reached using a breadth-first search 
When an invariant fails, verification halts. If there are other invariants listed in the 
description after the one that failed, they are not tested, To check other invariants, the 
failing invariant ntust be removed and then the verification started again. This is really 
only an annoyance vice an actual limitation 
Overall Murphi is fairly easy to use. Producing an accurate Murphi description 
from a specification can be fairly challenging, (However translating a SCM specification, 
with its guarded transitions, into Murphi's descriptive language is straight forward,) The 
most difficult task is con-cctly expressing the desired invariants. Once this is done initial 
analysis can start immediately. Interpreting Murphi's output is not difficult, however as 
the number of states increases detecting implementation errors and identifYing their source 
becomes extremely tedious 
C. FURTHER RESEARCH OPPORTlINITIES 
1. SNR 
The primary opportunity to expand upon the groundwork established with this 
thesis is to complete the verification of SNR, First the a single source specification must 
be written. The differences between the various documents describing SNR should be 
resolved and their content synthesized into a comprehensive specification, This master 
specification could then be analyzed and modified as design flaws are discovered. After 
modification each new version should be reanalyzed. The cycle should continue until the 
protocol exhibits the desired behavior. Specific behavior recommended to be checked 
include 
• Examine the situation where the receiver's buffer is full of partial blocks (i.e" 
blocks missing one or more packets), In this situation, none of the blocks will 
be acknowledged so retransmission is required. However since the buffer is 
full, retransmission can not occur, It appears deadlock will occur, does it? 
Does the protocol function properly when control packets containing erroneous 
information (conupted by the channel) are encountered? 
What happens if the values of Tin in the transmitter and Ii. in the receiver differ 
significantly? Does an unexpected disconnect occurs? 
Investigate self stabilization in SNR (If placed in an unsafe state, eventual the 
protocol reaches a safe state.) The originator of SNR claim SNR is self 
stabilizing in paragraph Vll of [NRS90] " Is the periodic exchange of state 
information sufficient to recover from an unexpected condition, such as a 
momentary failure ofT3? 
2. Mllrphi 
Two areas within the context ofMurphi to explore further are" I) support of 
communication channels and 2) using Murphi to investigate self stabilization 
It would be beneficial to eliminate network channels from the global state space 
and allow real network conditions to be generated. This could be accomplished by 
incorporating data channels as part ofthe underlying implementation ofMurphi. It would 
allow the user to focus on the protocol being verified, vice the modeling and 
implementation of the network. The user would be reasonably sure thai the channels are 
free of errors, and that any errors encountered were in the protocol under development 
To permit thc verification of various protocols the chalUlels should be able to be tailored 
by the user, A channel implementation should include the following controllable 
parameters 
Type of chalUlel -- simplex, duplex, or multipaths -- betwt:en each node 
Number of nodes comprising the network 
Type of errors the channel could inject, such as data loss, garbling of data, lost 
packets, reordering of packets, unanticipated disconnection, etc 
• Error injection rate 
• Channel capacity and data rate. 
• Prorogation delay 
• Type of network -- datagram or virtual circuit 
It would be interesting to explore further how an automatic verifier such as Murphi 
could be exploited tor examining self stabilization of a concurrent system. Murphi can be 
used to determine is a system placed in an unsafe state reaches a safe state The steps are 
• Generate the description for the concurrent system 
• Write an invariant for safe states 
• Negate the invariant so that when in an unsafe state the invariant is now true 
and is violated when a safe state is entered 
Use the startstate construct to begin the verification process in an unsafe state 
Run Murphi from an unsale state and violation of the negation of the invariant 
will indicate when a safe state has been entered. 
The problem comes in generating all possible unsafe state to be tested as start stales 

APPENDIX A. DEADLOCK EXECUTION TRACE 
Murphi Beta Release 2.735 (With Symmetry) 
finite-stale ConcuncO\ S}'Slem Verifier 
Copyright (C) 1992, 199) 
by the Board ofTruSlCl,:!; of Leland Stanford Junior Univcrsit)' 
This program should be regarded as a DEBUGGING aid 001 as a 
ccrtifierofwrreo;tncss 
Call with the ·1 nag or read the license Hie for leons 
and conditions of Il.<;e 
RUD this program wjth • ,h" for the list of options. 
Bugs, questions. and comments should be dirocted to 
'murphi@S/1OQ;lc_s\anford.,edu" 
Murphi compiler last modified date: Apr 14 1994 
Includefileo; last modified date: Apr 14 1994 
Algorithm 
Vcrificationbybreadtb fustsean.:h 
with s)'mmctry algorithm I - fast canonicalizatioll 
Memoryusagc' 
~ The size of each state is 10 bits (rounded up \0 2 bytes) 
• Tbe memOf}" allocated for the hash table is 2 lIA.b).1cs 
With two words of overhead per stale, the maximum size of 
the state space is 15)871 stales 
• Usc option "-k" or "om" to increase this, if rn:ccssary 
• Capadty in queue for breadth-flrSI search: Jl!467 states 
• ClLange the constant gPerccnlActiveStatcs in mu~ verifierb 
to increase this, ifneccssary 











C2 : 1 
The follov.'i ng next SIlIIC5 are obtaioed 




C2 : I 






Unpacking Slale from queue 
PI:LI I 
P2:U) 
C I : I 
C2: I 
The following next Slales arc obtained 




C l : I 
C2 : 0 
Fi ring rule PI non-critical sa;lion 
ObcaillCdstate 
PILI_2 
P2 .U 2 
CI ]-
el : I 
Unpacking state from queue 
P I:LI2 P2 .u -, 
Cl : ,-
C2 : I 
The following next states are obtained 










CI : 0 
C1 : I 
Unpacking sUIte from queue 




The follo\\oing next stales are obtained 
Firing rulcP2 wail 
Ob!ainedstate 
PILI I 














C2 : 1 
The following next stales are obtained: 





C2 : 0 











TIlefoUowing ncX\ Statesareoblaincd: 





C2 : I 
102 





C2 : I 




C2 : 0 
The following nexl "~lales are obtained" 












Unpacking slale from queue 
PI:U _2 
P2 :L2 3 
CI 1-
C2 : 0 
The following next stales are obtained: 
Firing rule P2 wait 
Obt.aincdstate 














C2 : I 
The following nt''''\ stales are obtained 
Firing rule P2 assign CI 0 
Clblainedstate 
Pl:Ll_J 
P2 :L2 3 
Cl.O-
C2 :0 
Firing rule PI wait 
Obtained state 
Pl :Li 4 
P2:L2) 
Cl : 0 
C2: I 





The followiug next stales arc obtained· 
Firing rule 2P lIon-crilica] section 
Obtained state: 















The follo\\ing next states are ohlained 
firing rule P2 assign C2 I 
Obtained state 
P I:L1_ 1 
P2:L2 I 
CI 1-
C2 . 1 








rhc following ncxt states are obtained 
















Th~ following next states arc obtained 










Cl : 0 
Result 
Deadlocked state fOlllld 
Stale Spacc Explored 
17 Slates. Ui rules fired in 0.40s 
Rules Information 
Fired I times - Rule "P2 assign C2 I" 
Fired 2 times . Rule " critical SCl;tioo " 
Fired 3 times - Rule"P2 wail" 
Fired 3 times - Rule"P2 as1;ign CI O' 
FlTed 4 tinlcs - Rule '2P non-critical section' 
Fired 0 times - Rule 'P assign C I" 
Fired I times - Rule' critical section' 
Fired "3 times - Rule 'PI wait" 
Fircd4limcs -Rulc'PlassignC10' 
Fired 5 times - Rul", 'PI non-critical section" 
APPENDIX B. BUFFER OVERFLOW EXECUTION TRACE 
Murphi Beta Release 2 ,73S (With Symmetry) 
Finite-~tate Con~urrent System Verifier 
Copyright (C) 1992, 1993 
by the Board ofTruslees of Leland Stanford Junior University 
This program should be regarded as a DEBUGGrNG aid, not as a 
certifierofcorTectness 
('-aU with the -I flag or read the license file for terms 
and conditionsofust: 
Bugs, questions, and conuncnlS should be directed 10 
"murpb.i@snoolc,stanford,edu' 
\olurphi compiler lasl modified date . Apr 14 1994 
Include files last modified daIC. Apr 14 1994 
Algorithm 
Verificationh).'breadthfir~tsearch 
with symmetry algonUun I -- fasl canonicauUltion 
Memory usage 
• The size of each state is 83 bilS (rounded up 10 II bj.1es) 
• The memory allocated for the hash table is 2 Mbytes 
Wilh two words of ovcrhead per Slate, the maximum size of 
lhe stale spacc is 952J9 stales 
• Usc: oplion "ok" or "-m" 10 increase lhis. if necessary 
• Capacily in queue forbreadtb-flrstscarch : 2J809staICS 
Progress Rcpon 
1000 Slates explored in 1,805, with 2125 rules fired and 321 stales in the qucue 
2000 states explored in 3, 165, "ith4740 rules fired and 603 slates in the queue 
3000 stales explored in 457s, with 7344 rules rued and 864 states in Ihe queue 
4000 stat.esexplored in 6,OOs. "ith 9985 rules fired and 1113 stales in the queue 
5000 slates explored in 7.49s, "ith 12746 rules frredand 1326 stales in the queuc 
(j()()() states explon:d in 8 , 99~. "ith 15501 ruks fired and 1536 states in the queue 
7000 stales explored in 10,375. "ilh UI025 rules fir<:dand IS ]4 stales in the queue 
8000 states explored in 1190s, "ilb 20845 rules fire<land ]997 states in Ihe queuc 
9000 stales explored ill 13J2s, ",ith 23451 rules fired and 2259 stales in Ihequcue. 
10000 stales explored in 14,725. with 26034 rules fi red and 25 13 slates in the queue 
11000 stales explored in 16,235, "ilh 2S~16 rules fired and 2724 stales in the queue 
12000 states explored in 17,64s, with 3144] rules fired and 2989 states in Ibequcue 
13000 stales explored in 19,04s, wilh 33996 rules fired and 3244 states in the queue 
14000 stales explored in 20.515. wilb 36690 ruIcs rrrcdllnd 3489 stales in Ihe queue 
15000 stales explored In 22.015, with 19 .. 95 rules fired and 3722 stales m the queue 
16000 ~tales explored in 23 44s. "'ith 42135 rules fired and 3983 states in the queue 
17000 states explored in 24&4s. ",~ th 44713 rule:> fired and 4239 stales In the queue 
18000 stales cxplored in 26.2 Is, with 47278 rules fired and 4552 states in the queue 
19000 states explored in 27,725. with 50072 rules fired and 4757 states in lhe queue. 
107 
The following is the error trace for the error 
Invariant - no buffer overflow - failed. 
StartSlaie SlartslaleO fired 
TI_stale:\sI 
T2_Slale:ts4 
Rl .. sta\c:rsl 
R3 statersl 
T -'1t~N]O]. packeU,jnd: none _ T 
T CHAN[lj.paekcl kind:none T 
R = CHANIO]. packet)dnd:none = R
R_CHAN]OJ.buffer_3vai l .2 
R _ CHAN[IJ.p:ockct _ kind:nonc _ R 
R_CHAN[I] .butTcr_3vail : 2 
X1mr_end_TC : 0 
revr end TC:O 
~_cnd_RC : O 
ren end RC: 0 
k T~ 1 -
k=R: I 
latesl_Tpacket.packct_kind:none_T 
latcs\ Rpaekct .packcUund:nom:_R 
13\cSI_Rpackct.butTer_avail : 2 
blk_5ctLnum : 0 
OUTBUF : 3 
buffer_avaiJ: 2 




1'_~· : false 
R_bw;y : false 
soount_R : 0 
oounl_R : 0 
Rule R3 - clock_tick - rsl fired. 
R3 Slalc:rs2 
scOOnt_R. I 
RuleTl -transmit possible - lsi fired 
Tl_state:ts4 
Rule Tl - transmit block - ts4 fued 
1'1 state:ts] 
T_CHAN[Oj.packct_kind:dalapac 




buffer avail T I 
UWJ: I -
T_busy : true 
Rule RI - roceivc data pa~kel rsl fired 
RI stale:rs2 
Tj:HAN[O] packel_kind:none_T 
revr end TC: 1 
latcm _1'~kel , packet_ kind:datapac 
R_bus'i . lrue 
RuleRJ -bw.)' - rs2 fired 
R,,_stale;rs4 
Rule RJ - send reV! ~-tal~ - rs4 fned 
RJ stale:rsl 
R_CHAl'l[O] .packct kindconpac 
rc-.T end RC: I 
R~ :taJse 
RuleRJ-clock_tid.- rsl fired 
RJ_~tat~ : rs 2 
5Count_R ; Z 
Rule RI - process data packel- rs2 fired 
RI_slate:rs3 
RuleRI-,loredatapaekcl - rs3 fired 
RI_SIalc: rsl 
buffer_avail: I 
Rule '1'2 - receive Ievr Slate info - IS.:! fired 
T2 sta!c:Is5 
R j::HAN[O] .packd_ kind:none_ R 
xtnlJ_end_RC : I 
lalcst_Rpad:ct,packcl_kind:conpac 
Rul~ '1'2 - update info about reVI - ts5 fired 
r2_state:1S6 
buffer_ilvail_T : 2 
Rule TI - transmit possible - lSI fired 
Rule T1 - transmit block ts4 fired. 
TI state:tsl 
T J:HAN[ I [. packet ~ kind:datapac 
Xlmr end TC: 0 
blk~~~um:2 
OUTBUF : I 
buffer avail T I 
UWJ : 2 -
RulcRI - reccivt:datapacket-rslfm:d 
RI state:rs2 
T_CHAN[ I J ,packet_kind:none~ T 
rCYr end TC : 0 
RJ ;sy :lrue 
Rule R3 - busy - rs2 fued 
R3~statc:rs4 
Rule R3 - send re .... r state - rfA fued. 
R3 statc:rsl 
RJRAN[lj.packet_kind:ootlpal; 
R .C!lAN[Ij.buffer avail I 
re-vT end RC : 0 -
R_~S}':f315C 
Rule R I - process data packet - rs2 fired 
RI . state:rsJ 
Rule Rl - store data packet - rs3 fued 
RI~state : rsl 
buffer~3vail : 0 
RuleTI-uansmitpossiblc tslfircd 
TI~state:ts4 
Rule TI -transmit block -lS4lired 
TI stale:lsl 
T _ CHAN[OJ,packet~ kind:datapac 
xinu end TC : I 
bIk~~mun:3 
OVTBUF : 0 
110 
buffer avail T: 0 
UW~T: 3 ~ 
Rule RI-roceivCdatapackct-rsl fired. 
RI S13te:rs2 
TJ:HANrOlpackct~kind:none~T 
n;vr end TC. I 
R~b~ :lrue 
Rule Rl-processda13 pacKet- rs2 fired 
RI~51"lIe:rs3 
RuleRl-store da13paclr;:ct- rsJfired 
TI rulle :ts l 
T2~st.ate : ts6 
RI=st.ale:rs l 
R3 st.alc:rsl 
T ~CIlA..""rO].packct~kind: nonc~ T 
T CHAN[ Ij .packet kind:none T 
R- CHAN101.packC\~ kind: nonc~R 
R=ClIAN101huffcr.JlVail : 2 ~ 
R~ CHAN[ll.packet_kind:conpac 
R CHAN[ I].buffcr avail : I 
xtmr_cnd_TC: I -
ICVT cnd TC : I 
l\~ endRC. 1 
n:vrendRC:O 
kJ~ I ~ 
Ja\csl_Tpackel.packet_kind:da13pac 
lalest_Rpackel.packc\~kind : ooDpac 
lateSl~Rpacket ,buffcr_avail : 2 
blk~~nuDl:J 
OUTBUF _ 0 
buffcr_avail:-l 
buffer avail T : O 
UW T : 3 -




scount~R : 2 
cOWlt_R : 0 
End of the error trace 
Result 
Invariant - no buffer overflow -- failed 
Slate Space Explored 
19652 states, 51943 rules fired in28.8.ls 
Rules Information 
Fired 0 times -Rule"R] - disconne;;t- r54" 
Fired 1904- times - Rule"RJ · send revr Slate - rs4" 
Firedl564times-Rule"RJ-ruodifyk R- r53" 
Fired 1556 times - Rule"RJ - wait (cou;t R < J,; R) - rs3" 
FiredI126times-Rule"RJ-bu5Y- rs2"- -
Fired 3033 times - Rule "R3 - not busy - rs2" 
Fired 5~57limes -Rule"RJ - clock_tick - rsl" 
Fired 5900 times - Rule "remove packet from buffer" 
Fired 3229 times - Rule "RI -store data packet - rs.1" 
Fired 4292 times - Rule "RI - process data packet- rsl" 
Fired2116times-RuIe"RI-receivedalapacket - rsl" 
Fired 57461imes - Rule"T2 - go rock to 1.S4 -t56" 
Fired 2914 limes - Rule "T2 - updale info about revr -1.S~ " 
Fired 3714 limes - Rule "T2 - ra;eive revr stale info -l<;4" 
Fired 3534 times - Rule"n - transmit block - 154" 
Fired 5758 limes - Rule"T1 - transmit possible -l~l' 
LIST OF REFERENCES 
[Bcn82j Ben-Ari, M" Principlcs"jConClirrenl and Di.,'lribuled Programming, 
Prentice-Hal l. 1982 
[lk:n90] Ikn-Ari. M., I'n'nciples o[Concurrent and Dis/rilm/cd Programming . 
PrenticcHall,199O 
[Bt:n93] Ren·Ari, M. , .'VIa/hematica! Logic/or CQmpulerScience, Prentice Hall, 
1993 
[ChHa92] COOw.l, and Harrison, W , "Compile-time Arullysis of Parallel 
Programs that Share Memory", ACU 19th Symposium on Principle.,- of 
/'rogramming Languages, 1992 
IChHa94] Chow. 1.. and Harrison, W .. "State Sp3I;c Reduction in Abstract Interpretation 
of Parallel Programs" IEEE ]074-8970/94 )994 
[CGL92] Clarke, E" Grumberg, 0, and Long, D .• "Model Chocking and 
Abstrm:tion",ACM 19th Sympmium on Principles of Programming 
Languages, 1992 
[DDHY92] Dill. D .. Drexler, A. Hu. A .. and Yang, C. H., '·Pwto<."()l 
Verification as a Hardware Design Aid" ,lHHE International Conference on 
Computer Design, October 1992 
[GoMu91 ] Gouda, M., and Mullari, K . "Stabilizing Communication Prolocol$" , WFF 
Transaction on Computers, Vol . 40. No 4 .• April 1?91 
[Gri95] Grier, R.. "Te~ling an Implementation's Confonnarl\;e 10 a Formal 
Specification: the SNR Hlgb-Spced Transport Protocol" , M.S , Thesis. 
Naval Postgraduate School, Monterey. CA, March 1995 
[lpD93] Jp, C. N , and Dill, n" "Better Verification Through Symmetry", 
Pro,eedings of the 11th internolional Symposium on Computer 
Hardware J)escriplion Langu<11?e and Their Application" Cambridge, \tA, 
Octob.:r 1993 
[lpDi91] [p, C. N., and Dil!, D" "Efficient Verification of Synunctric Concurrent 
Systems" , iEEE inlernalional C(mjerenu On C"mpuler [)e"'ign: VLSI in 
Computers and Processors, Cambridge, MA October 1993 
[LuTi94j Lundy, G., and Tipici, H., "Specification and Analy~is oflhe SNR High-Speed 










McArthur, R"" "De5ign and Specification ofa High-Speed Transport 
Protocol", M,S. Thesis, Naval Postgraduate School, Monterey. CA., 
March 1992. 
McMillan, K., The SAIV Syslem DRAFf, Carnegie-Mellon Univcrsity, 
February 1992 
Ralph Melton, and R., Dill, D., "Murphi Annotated Refcrence Manual" , 
Version 2.735, Stanford Uniwrsity, Novcmber 1993 
Mu hound, F., "Implemcntation ofthc SNR High-Speed Tr3nSp.lrt 
Prmocol (!he Transmittcr PanF, M.S, Thesis, Naval Postgraduate School, 
Monterey, CA, March 1995 
Nctravali, A, Roome, W., and Sabnani, K., "Design and Implementation 
of a High Speed TranSp.lrt Protocol" , IEEE Transaclions in 
Communicalions, Vol, 38, No, ll, November 1990 
T ipici, H. , ~Speciflcation and Anal)'Sis ofa High Speed Transport 
PrOlocol~, M,S. Thesis, Naval Postgraduate School, Monterey, CA , 
June 1993 
Wan, W., "Implementation of the SNR High-Speed Transport Protocol 
(!be Receiver Pan)", M.S, Thesis, Naval Postgraduate School, Monlcre)', 
CA, March 1995 
Zhang, L., "Why TCP Timers Don't Work WeD", Procerdings oflhe 
AC\I SlGCOM SympoSium On Communicalions, Archilectures, and 
ProlOcois, February 1986 
INITIAL DISTRIBUTION LIST 
Defense Technical Information Center 
Cameron Station 
Alexandria, Virginia 22304-6145 
Library, Code 52 
Naval Postgraduate School 
Monterey, California 93943-5101 
Chairman, Code CS 
Computer Science Department 
Naval Postgraduate School 
Monterey, California 93943 
Dr. D, Voipano, Code CSNo 
Computer Science Department 
Naval Postgraduate School 
Mo nterey, California 93943 
Dr. OM. Lundy, Code CS/Lu 
Computer Science nepartment 
Naval Postgraduate School 
Monterey, California 93943 
CDR Carl M Pederson, Jr. , USN 
PSC 78 BOX 346 
APO AP 96326-0346 
Krishan K. Sabnani 
AT&T Bell Laboratories 
Room4G - 502 
10] Crawford's Comer Road 






DUDLEY KNOX LIBRARY 
NAVAL POSTGRADUATE SCHOOL 
MONTf;REY CA 83943-5101 
III I llmiifu'lilllllTlb llll 
32768003195629 , 
