A comparison of Spin and the $ mu $ CRL toolset on HAVi leader election protocol by Usenko, Y.S. (Yaroslav)
Centrum voor Wiskunde en Informatica
REPORTRAPPORT
A Comparison of Spin and the muCRL Toolset on HAVi Leader 
Election Protocol
Y.S. Usenko
Software Engineering (SEN)
SEN-R9917 July 31, 1999
Report SEN-R9917
ISSN 1386-369X
CWI
P.O. Box 94079
1090 GB  Amsterdam
The Netherlands
CWI is the National Research Institute for Mathematics
and Computer Science. CWI is part of the Stichting
Mathematisch Centrum (SMC), the Dutch foundation
for promotion of mathematics and computer science
and their applications.
SMC is sponsored by the Netherlands Organization for
Scientific Research (NWO). CWI is a member of
ERCIM, the European Research Consortium for
Informatics and Mathematics.
Copyright © Stichting Mathematisch Centrum
P.O. Box 94079, 1090 GB  Amsterdam (NL)
Kruislaan 413, 1098 SJ  Amsterdam (NL)
Telephone +31 20 592 9333
Telefax +31 20 592 4199
A Comparison of Spin and the µCRL Toolset
on HAVi Leader Election Protocol
Y.S. Usenko
Yaroslav.Usenko@cwi.nl
CWI, P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
ABSTRACT
This paper describes an attempt to compare two toolsets allowing generation of nite labeled transition systems
from underlying concurrent specication languages. The comparison is done on a specication of the leader
election protocol from Home Audio/Video interoperability (HAVi) architecture. Some important semantical
dierences of PROMELA and µCRL are identied, that lead to big dierences in size of the state spaces
generated for equivalent specications.
1991 Mathematics Subject Classification: 68Q22; 68Q45; 68Q60
1991 ACM Computing Classification System: D.1.3; D.2.4; D.2.8
Keywords and Phrases: µCRL, SPIN, Tool Comparison, State Space Generation, Specication, Deadlock
Checking.
Note: Work carried out under project SEN 2.1 Process Specication and Analysis.
1. Introduction
With current state of the art in software verication a lot of the analysis methods are based on
nite labeled transition systems (FLTS). There is a number of tools to manipulate with them, to
check dierent kind of equivalences and preorder, to nd deadlocks, to check modal and temporal
properties, to minimize in dierent ways, etc. Therefore one of the major topics that remains for
verication tools supporting concurrent languages is how fast can they generate FLTS, and how large
these FLTS are.
It appears that for many completely dierent concurrent languages FLTS can be generated to
describe behavior of specications. Although not for any specication a FLTS can be generated, it is
desirable to be able to do so in cases when it is possible. In this paper we consider two toolsets that
allow state space generation{one for algebraic concurrent language CRL [6], and one for imperative
concurrent language PROMELA; and try to compare the state spaces generated by them.
The CRL toolset [4] has been developed at CWI to support formal reasoning about systems
specied in CRL. It is based on term rewriting and linearization techniques. At the moment it
allows to generate state spaces, search for deadlocks, do some optimization for CRL specications
and simulate them. Spin [8] is one of the fastest and widely used tools for protocol verication.
It allows formal analysis of PROMELA specications, generation of state spaces, and searching for
deadlocks.
To make a comparison we consider the leader election protocol from Home Audio/Video inter-
operability (HAVi) Architecture [7]. Previously this protocol has been specied in PROMELA and
LOTOS, and analyzed formally [10]. Here we take a more abstract denition of the protocol to keep
the specication relatively simple and free of many implementation details.
The structure of this paper is as follows. First we describe the leader election protocol informally
(Section 2). Then we present the specication in CRL (Section 3) and some details about its
2translation to Spin (Section 4). We conclude with results of state space generation by the tools
(Section 5). We assume a basic familiarity of the reader with CRL and PROMELA. Subsection 3.1
contains an overview of CRL syntax that can also be found for instance in [5]. For more systematic
and available introduction to CRL see [3]. For systematic treatment of ACP style process algebra,
which is the basis of CRL see [1, 2].
2. Informal Description
The informal description of the protocol appears on pages 160-162 of [7]. The system consists of a
number of Device Control Module Managers (DCMM). Each DCMM process has its own input buer
from which it gets incoming messages. All processes communicate with the Bus process and the
Env process representing the environment. In [7] the bus is specied as IEEE P1394 Standard for a
"High Performance Serial Bus" (FireWire). There is a formal specication of the Link Layer of IEEE
P1394 Standard in CRL[9]. We do not use this specication because of the complexity reasons. The
processes and synchronous communications are presented on Figure 1.
Env
reset, resef_off
send
on,off
flip leader
rcv
BufferBuffer
DCMM
Bus
DCMMDCMM
Buffer
Figure 1: Processes and Communications in the System.
Each DCMM process has its unique ID number by which it can be addressed. The environment may
flip (switch on or o) DCMM processes. The Bus observes such changes in the network communicating
with the DCMM process that was flipped. It informs all working DCMM processes about changes in
the network communicating with their buers. As the result, the buers become empty, and deliver
the network reset to the corresponding DCMM processes.
The leader election is performed in the following way. After receiving a
NetworkReset(nst) message, a DCMM process has the status information about the network from
parameter nst . This status information says which processes are "on" within the network. Each
DCMM process uses function il(N; nst) to determine the ID of the initial leader. By comparing this
ID with its own ID, the DCMM knows if it is an initial leader or an initial follower. In the former case
it behaves as follows.
3. Specification in µCRL 3
 From each initial follower m it awaits DMCapabilityDeclaration (m;URL) message, from which
it knows if the process m has URL capability.
 It uses function fl(N; nst ;URLs) to determine the ID of the nal leader.
 It sends DMLeaderDeclaration(m;fl ;URLs) message to each initial follower m. The nal leader
is the last one to which this message is sent.
 Finally, it communicates with process Env by leader action.
Initial follower m shall behave as follows.
 It keeps sending DMCapabilityDeclaration (m;URL) message to the initial leader until it gets
DMLeaderDeclaration(m;fl ;URLs) from it.
 Finally, it communicates with process Env by leader action.
After electing a leader DCMM processes inform the environment about the results of the election.
At any moment of the election any DCMM process may be flipped, or it may receive a NetworkReset
message. In case a DCMM process was switched on, it awaits for a NetworkReset message. In case
of receiving a NetworkReset message it restarts the election procedure. The DCMM processes ignore
any unexpected messages. The goal of the election procedure is to elect a nal leader. This means
that when no network resets occur any more, then each DCMM process will eventually get information
about the nal leader. And this information is the same for each DCMM process.
3. Specification in µCRL
The complete CRL specication can be found in Appendix A. The language appears to be suitable
for such kind of specication. The specication could be much shorter if there were libraries of
standard data types available. The introduction of generic data types might be useful for this, but
it introduces technical problems associated with rewriting. Emulation of generic data types using
preprocessor might be considered as an alternative approach. The language allows to improve the
specication in several ways, but the current tool support (the linearizer), either does not handle this
features or produces results of much bigger complexity.
3.1 Overview of syntax
Starting from a set Act of actions that can be parameterized with data, processes are dened by means
of guarded recursive equations and the following operators.
First, there is a constant  ( 62 Act) that cannot perform any action and is called deadlock or
inaction.
Next, there are the sequential composition operator  and the alternative composition operator +.
The process x  y rst behaves as x and if x successfully terminates continues to behave as y. The
process x + y can either do an action of x and continue to behave as x or do an action of y and
continue to behave as y.
Interleaving parallelism is modeled by the operator k. The process x k y is the result of interleaving
actions of x and y, except that actions from x and y may also synchronize to a communication action,
when this is explicitly allowed by a communication function. This is a partial, commutative and
associative function γ : Act Act ! Act that describes how actions can communicate; parameterized
actions a(d) and b(d′) communicate to γ(a; b)(d), provided d = d′. A specication of a process typically
contains a specication of a communication function.
To enforce that actions in processes x and y synchronize, we can prevent actions from happening
on their own, using the encapsulation operator @H . The process @H(x) can perform all actions of x
4except that actions in the set H are blocked. So, assuming γ(a; b) = c, in @{a,b}(x k y) the actions a
and b are forced to synchronize to c.
We assume the existence of a special action  ( 62 Act) that is internal and cannot be directly
observed. The hiding operator I renames the actions in the set I to  . By hiding all internal
communications of a process only the external actions remain.
The following two operators combine data with processes. The sum operator
∑
d:D p(d) describes the
process that can execute the process p(d) for some value d selected from the sort D. The conditional
operator   describes the then-if -else. The process x  b  y (where b is a boolean) has the
behavior of x if b is true and the behavior of y if b is false.
We apply the convention that  binds stronger than∑, followed by   , the parallel operators,
and + binds weakest.
3.2 Data Types
The sorts B and N represent booleans and natural numbers respectively. Sort ABI is a boolean array
with natural indices. It is implemented by keeping the list of indices of elements that are true in
ascending order. Sorts Message and Status are described below. Finally there is an implementation
of FIFO queues for Message as sort Queue. It is used in Buffer process denition.
3.2.1 Constants
The initial parameters of the protocol are dened as constants. The value of nB determines the
capacity of the buers. We have to limit the capacity, because otherwise the state space may become
innite. The value of initNDCMM is the number of DCMM processes in the system. The value
of initNst is the boolean array of size initNDCMM representing the initial network status (which
processes are "on" initially). The value of initURLs contains the information on URL capabilities of
the DCMM processes. The function il is dened as the minimal ID of a process that is "on". The
function fl is the minimal ID of a URL capable process that is on, or the minimal ID of a process that
is "on" if all of the URL capable processes are o.
map
nB :→ N
initNDCMM :→ N
initNst :→ ABI
initURLs :→ ABI
rew
nB = 2
initNDCMM = 3
initNst = seton(0 0, 0)
initURLs = seton(0 0, 1)
map
il : N×ABI → N
fl : N×ABI×ABI → N
var
N : N
nst ,URLs : ABI
rew
il(N,nst) = if (eq(nst , 0 0), 0,min on(nst))
fl(N,nst ,URLs) = if (eq(nst , 0 0), 0,
if (eq(URLs, 0 0),min on(nst),min on(URLs)))
3. Specification in µCRL 5
3.2.2 Messages
The sort Message is used to dene all messages DCMM processes can receive. The use of abstract
data types allows us to dene messages having dierent parameters. However, if we had more types
of messages, the denition of the equality predicate eq would be much more complex.
sort Message
func
NetworkReset : ABI → Message
DMCapabilityDeclaration : N× B → Message
DMLeaderDeclaration : N×ABI → Message
map
eq : Message × Message → B
3.2.3 Status
Sort Status is a simple enumerated type to represent statuses in which a DCMM process can be.
We could use dierent CRL processes for each status, but in this case the two alternatives that are
enabled in each status would be repeated in each such process. This could be avoided if we had a
disrupt mechanism in CRL. The drawback of such an approach of having just one process is that
we have a lot of parameters in each recursive call, most of which are not used in that status of the
DCMM process.
The denition of sort Status is a common way to represent enumerated types in CRL. One could
also use the sort N directly and the constructors INIT , etc., as maps to the corresponding natu-
rals. However, such an approach leads to rewriting of the symbolic information to natural numbers,
decreasing the readability of the output generated by the tools.
sort Status
func
INIT ,LE ,LEIF , LEIL, LEILS ,AOS ,AO :→ Status
map
n : Status → N
eq : Status × Status → B
rew
n(INIT ) = 0 n(LE ) = 1 n(LEIF ) = 2 n(LEIL) = 3
n(LEILS ) = 4 n(AOS) = 5 n(AO) = 6
var a, b : Status
rew eq(a, b) = eq(n(a), n(b))
3.3 Actions and Communication Function
The following actions are used in the specication. The names of the actions have the following
intuition. The actions with underscores correspond to "send" actions, the actions without underscores
{ to "read" actions, and the actions with double underscores { to "communicate" actions. The
communication function is dened according to this intuition.
6act
flip, flip on, flip o, flip : N
on, o, on, o, on, o : N
send, send, rcv, rcv, send, rcv : N× Message
reset, reset, reset : N×ABI
reset o, reset o, reset o : N
leader : N× N
comm
flip |flip on = flip
flip |flip o = flip
on |on = on
o |o = o
send |send = send
rcv |rcv = rcv
reset |reset = reset
reset o |reset o = reset o
3.4 Processes
3.4.1 DCMM Process
The parameters of the process have the following meaning: St is the status of the process; URL is true
if it has URL capabilities; n is the ID of the process; N is the total number of processes in the system,
nst is the current network status; wait is the array of processes from which a message is awaited, or
the array of processes to which a message still has to be sent; URLs is the array of URL capabilities
of other processes, collected by the process; il and fl are the initial and nal leader IDs respectively;
and am on is true i the process is on.
DCMM(St : Status ,URL : B, n : N, N : N,nst : ABI,
wait : ABI,URLs : ABI, il : N,fl : N, am on : B) =
The following alternatives are enabled in any status of the DCMM process. It can be switched on, if
it was o. In this case it communicates with Bus process by on action, and it’s status becomes INIT .
If the DCMM process is on, it can receive a NetworkReset(nst1 ) message and change it’s status to
LE . Or it can be flipped o, communicate with Bus process by off, and change it’s status to INIT .
flip on(n) · on(n) · DCMM(INIT ,URL, n, N, 0 0, 0 0, 0 0, 0, 0, t) ¬am on  δ
+∑
nst1 :ABI rcv(n,NetworkReset (nst1 )) ·
DCMM(LE ,URL, n, N,nst1 , 0 0, 0 0, 0, 0, t) am on  δ
+
flip o(n) · o(n) · DCMM(INIT ,URL, n, N, 0 0, 0 0, 0 0, 0, 0, f) am on  δ
+
If the status of the DCMM process is LE , the following alternatives may be enabled. In case the
DCMM process is the only process in the network that is "on", it declares itself to be the nal leader,
informs the environment about it, and goes to autonomous operation. In case the DCMM process is
not the initial leader, it sends its capabilities to the initial leader, and its status becomes LEIF . In
case when none of the two above applies, the DCMM process can receive capability declaration from
a process m and then, depending on whether it still has to wait for messages from another processes,
its status becomes either LEIL or LEILS . Finally, the DCMM process ignores any leader declaration
messages in this status.
( leader(n, n) ·
DCMM(AO ,URL, n, N,nst , 0 0, upd(0 0, n,URL), 0, n, t)  n on(nst) = 1 δ
+
send(il(N,nst),DMCapabilityDeclaration(n, URL)) ·
DCMM(LEIF ,URL, n, N, nst , 0 0, 0 0, il(N,nst), 0, t) il(N,nst) 6= n δ
+
(
∑
m:N
∑
d:B
rcv(n, DMCapabilityDeclaration(m,d)) ·
3. Specification in µCRL 7
DCMM(LEILS ,URL, n, N, nst , seto (nst , n), upd(upd(0 0), n,URL), m, d),
0, fl(N,nst , upd(upd(nst , n, URL), m, d)), t)
 n on(nst) = 2
rcv(n, DMCapabilityDeclaration(m,d)) ·
DCMM(LEIL,URL, n, N, nst , seto (seto (nst , n), m),
upd(upd(0 0, n, URL), m, d), 0, 0, t)
) il(N, nst) = n ∧ n on(nst) 6= 1 δ
+
(
∑
m:N
∑
URLs1 :ABI rcv(n,DMLeaderDeclaration (m,URLs1 ))) ·
DCMM(LE ,URL, n, N,nst , 0 0, 0 0, 0, 0, t)
) St = LE  δ
+
If the status of the DCMM process is LEIF it behaves as an initial follower. It can send its
capabilities to the initial leader. It can receive a leader declaration. And it ignores any capability
declaration messages in this status.
( send(il ,DMCapabilityDeclaration(n, URL)) ·
DCMM(LEIF ,URL, n, N, nst , 0 0, 0 0, il , 0, t)
+∑
m:N
∑
URLs1 :ABI rcv(n,DMLeaderDeclaration (m,URLs1 )) ·
DCMM(AOS ,URL, n, N,nst , 0 0, URLs1 , 0, m, t)
+
(
∑
m:N
∑
d1:B rcv(n, DMCapabilityDeclaration(m, d1))) ·
DCMM(LEIF ,URL, n, N, nst , 0 0, 0 0, il , 0, t)
) St = LEIF  δ
+
If the status of the DCMM process is LEIL, it behaves as initial leader. It can receive a capability
declaration from process m and then, depending on if this was the last message it was waiting for, its
status becomes LEIL or LEILS . The DCMM process ignores any leader declarations in this state.
(
∑
m:N
∑
d:B
rcv(n, DMCapabilityDeclaration(m,d)) ·
DCMM(LEILS ,URL, n, N, nst , seto (nst , n), upd(URLs, m, d),
0, fl(N,nst , upd(URLs, m, d)), t)
 n on(wait) = 1 ∧ wait [m]
rcv(n, DMCapabilityDeclaration(m,d)) ·
DCMM(LEIL,URL, n, N, nst , seto (wait , m), upd(URLs, m, d), 0, 0, t)
+
(
∑
m:N
∑
URLs1 :ABI rcv(n,DMLeaderDeclaration (m,URLs1 ))) ·
DCMM(LEIL,URL, n, N,nst ,wait , URLs, 0, 0, t)
) St = LEIL δ
+
If the status of the DCMM process is LEILS , it informs initial followers about the nal leader. If
the nal leader has to be informed, it is informed the last. Any message is ignored by the process in
this state. After informing the last initial follower, the status of the process becomes AOS .
(
∑
m:N
( send(m,DMLeaderDeclaration(fl ,URLs)) ·
DCMM(LEILS ,URL, n, N, nst , seto (wait , m),URLs , 0,fl , t)
m 6= fl ∧ n on(wait) > 1 δ
8+
send(m,DMLeaderDeclaration(fl ,URLs)) ·
DCMM(AOS ,URL, n, N, nst , 0 0, URLs, 0, fl , t)
 n on(wait) = 1 δ
) wait [m] δ
+
(
∑
m:N
∑
URLs1 :ABI rcv(n,DMLeaderDeclaration (m,URLs1 ))) ·
DCMM(LEILS ,URL, n, N,nst ,wait ,URLs , 0, fl , t)
+
(
∑
m:N
∑
d1:B rcv(n, DMCapabilityDeclaration(m, d1))) ·
DCMM(LEILS ,URL, n, N,nst ,wait ,URLs , 0, fl , t)
) St = LEILS  δ
+
If the status of the DCMM process is AOS , it informs the environment about the result of the
election, and its status becomes AO . If the status of the DCMM process is AO , it performs a  loop.
This is an abstraction of autonomous behavior of the process.
leader(n,fl) · DCMM(AO ,URL, n, N,nst , 0 0, URLs, 0, fl , t) St = AOS  δ
+
τ · DCMM(AO ,URL, n, N,nst , 0 0, URLs, 0,fl , t) St = AO  δ
3.4.2 Environment
In CRL it is not necessary to specify the environment explicitly. The reactive system is described
by its interaction with the environment. Everything else within the system may be abstracted from.
However, for verication or testing purposes some assumptions about the environment have to be
made. This can be done by specifying the assumed environment as a process, and putting it in
parallel with the system.
In our particular case, the environment may flip DCMM processes in the system, any number of
times, and then stop. But it cannot stop when all of the DCMM are "o".
Env(N : N,nst : ABI) =
∑
m:N
( flip(m) · Env(N, reverse(nst , m))
+ flip(m) · δ  n on(reverse(nst , m)) > 0 δ
)N > m δ
3.4.3 Bus
The bus can observe changes in the network conguration and inform the active processes about these
changes. It is specied with the help of two processes. Process Bus can communicate with a DCMM
process by action on or off to observe that a process was flipped. Process Bus1 is used to reset buers
of all active processes in no particular order.
Bus(N : N,nstat : ABI) =∑
m:N on(m) · Bus1(N, seton(nstat , m), seton(nstat , m))
+ ∑
m:N o(m) · reset o(m) ·
(Bus(N, seto (nstat , m)) n on(nstat) = 1
Bus1(N, seto (nstat , m), seto (nstat , m)))
Bus1(N : N,nstat : ABI,wait : ABI) =∑
m:N reset(m,nstat) · (Bus(N,nstat) n on(wait) = 1
Bus1(N,nstat , seto (wait , m))) wait [m] δ
4. Translation to PROMELA 9
3.4.4 Buffer
Process Buffer is a FIFO queue of capacity nB that can be reset in two dierent ways. It can receive
a message if it is not full, or send a message if it is not empty. It can communicate with the Bus
by action reset or reset off. In the rst case it clears its message queue, and puts the network reset
message in it. In the second case it just clears the queue.
Buer(N : N, n : N, q : QMes) =
(
∑
mes:Message send(n, mes) · Buer(N, n, add(q,mes))) nB > size(q) δ
+
rcv(n, rst(q)) · Buer(N, n, remrst(q)) ¬is empty(q) δ
+ ∑
nst1 :ABI reset(n, nst1 ) · Buer(N, n, add(〈〉,NetworkReset (nst1 )))
+
reset o(n) · Buer(N, n, 〈〉)
3.5 System
The whole system consists of several processes in parallel. First three pairs of DCMM and Buffer
processes are composed. Then they are merged together, and merged with the Bus process. Finally
the Env is merged to the system.
SYSTEMDCMM(N : N, nstat : ABI,URLs : ABI) =
∂{ flip,flip on,flip o}(
τ{ on, o, reset, reset o} ◦ ∂{ on,on, o,o, reset,reset, reset o,reset o}(
τ{ send} ◦ ∂{ send,send}(
τ{ rcv} ◦ ∂{ rcv,rcv}(
DCMM(INIT , URLs[0], 0, N, 0 0, 0 0, 0 0, 0, 0, nstat [0]) ‖ Buer(N, 0, 〈〉))
‖ τ{ rcv} ◦ ∂{ rcv,rcv}(
DCMM(INIT , URLs[1], 1, N, 0 0, 0 0, 0 0, 0, 0, nstat [1]) ‖ Buer(N, 1, 〈〉))
‖ τ{ rcv} ◦ ∂{ rcv,rcv}(
DCMM(INIT , URLs[2], 2, N, 0 0, 0 0, 0 0, 0, 0, nstat [2]) ‖ Buer(N, 2, 〈〉))
) ‖ Bus(N,nstat)
) ‖ Env(N,nstat)
)
The system is initialized in the following way.
init SYSTEMDCMM(initNDCMM , initNst , initURLs)
4. Translation to PROMELA
PROMELA { the underlying language of SPIN is a C-like imperative concurrent nondeterministic lan-
guage. It has no explicit parallel operator, but has a process creation mechanism. Communication can
happen via explicitly dened channels. It may be either synchronous or asynchronous. It is possible
to pass data values during the communication. There are loops and goto statements. Nondeterminism
is modeled by the following construction:
if
:: <alternative 1>
:: <alternative 2>
...
:: <alternative n>
fi
10
If an alternative starts with a blocking statement then it is disabled. The blocking statements are send
and read statements in cases when synchronous communication is not possible, and any expressions
with value 0. Each process may have local variables. Shared variables are also allowed. To minimize
state space and interleavings special constructions like atomic{<block>} and d_step{<block>} are
allowed. Atomic sequences do not interleave with other processes executions. Sequences within d_step
are considered to be one statement. No transfers of control to or from, as well as communications are
allowed within d_step. The source code of the PROMELA specication can be found in Appendix B.
We tried to do the translation preserving the semantics as close as possible. Some of the crucial details
of the translation are described below.
4.1 Abstract Data Types
There is no support for specifying abstract data types in PROMELA. There is built-in support for
arrays, structures and enumerated data types though. Operations on data types can be encoded as
macro denitions or inline functions. Computations may be done within atomic or d step blocks, that
allow to consider long deterministic computations as one step.
4.2 Conditions and Nondeterminism
The semantics of PROMELA conditional operator is slightly dierent from semantics of conditions in
CRL. In PROMELA conditions are statements and represent transitions to another states by their
execution. In CRL conditions are of a dierent kind than actions. They do not represent transitions
to another state, but conditions under which such transitions are possible.
Therefore we cannot just translate CRL expression of the form
X(d) = a(d)  X(d)  d < 5  +
b(d)  X(d) d < 7  to
X:
if
:: d<5 -> a!d; goto X;
:: d<7 -> b!d; goto X;
fi;
because we get dierent semantic behavior. For instance, if d < 5 and there is another process Y
willing to communicate with our process via channel b, then one of the possible executions in SPIN
leads to a deadlock. Namely, when condition d < 5 is evaluated to true, and process X is waiting for
communication via a, while Y is waiting for communication via b. In CRL no execution leads to a
deadlock in this case. So the semantically sound translation in this case could be:
X:
if
:: d<5 -> if
:: a!d; goto X;
:: b!d; goto X;
fi;
:: (d<7)&&!(d<5) -> b!d; goto X;
fi;
In general case to make a correct translation we need rst to make all conditions in each state of
CRL process disjoint. Disjointness means that at most one condition can be true for any parameter
values. It is always possible to make all conditions disjoint in CRL, however instead of n conditions
in the original process we may get up to 2n− 1 conditions. In the worst case instead of one state with
n conditions in CRL we get an equivalent process in PROMELA with 2n dierent states.
5. State Space Generation 11
4.3 Parameterized Nondeterminism and Value-Passing Communication
In value-passing communication of CRL read and send actions are dual. This is due to commutativity
of communication function γ. The value-passing mechanism is based on matching parameter values:
a(e1)jb(e2) = γ(a; b)(e1) if eq(e1; e2). That is why both read and send actions can be parameterized by
arbitrary expressions. In PROMELA value-passing communication is done dierently. Send statement
a!e1 means that the value of e1 is put to the channel a. Read statement a?m means that a value is
read from channel a and assigned to variable m.
Another problem of translation is non-bounded and parameterized nondeterminism possible in
CRL. Consider the following process equation.
X(d : N) =
∑
n:N a(n; d)  X(g(n; d))  n  d   Here the set of possible alternatives depends
on the value of d . Assuming that a is not a read action, we can translate this process equation to
PROMELA in the following way:
X:
n=0;
TEMP:
if
:: n<=d -> a!n,d; atomic{d_step{g(n,d)}; goto X;}
:: n<d -> atomic{n=n+1; goto TEMP}
fi
In this case we again have increase of state space which is linear in the number of alternatives in a
state of the CRL process.
For the case with read action a the translation is performed in the following way: X(d : D) =∑
n:N a(n; d)  X(g(n; d))  b(d) 
X:
b(d) -> a[d]?n; atomic{d_step{g(n,d)}; goto X}
Here we assume that a is an array of channels indexed by elements of D . If D is an innite set,
we cannot dene such an array in PROMELA. The corresponding send action should also look as
a[d]!e, not as a!d,e.
We can only transform equations where predicate b does not depend on n. This is due to the fact
that it is not possible to analyze the value to be read from a channel before actually reading it. We
can achieve similar to CRL matching in communication by using arrays of channels. But this can
only be done for bounded set of values. If we want to pass values from unbounded domains we need
to use the original value passing mechanism of PROMELA.
5. State Space Generation
Spin and CRL toolset were used to generate the entire state spaces and search for deadlocks for
specications in PROMELA and CRL respectively. Unfortunately it is not possible to get the state
transition system as an output of Spin. Therefore it is not possible to compare the generated state
spaces. The following results were obtained by considering systems with two or three DCMM processes
and dierent buer sizes. State spaces for four DCMM processes was not possible to generate by either
toolset. In case with three DCMM processes we could not get the state space analyzed by Spin. The
results of state space generation are presented in Table 1.
The command line arguments for both tools are given in Table 2. The parameter <depth> was
30000 for systems with 2 DCMMs, and 50000000 for 3 DCMMs.
From this we can conclude that Spin generates states faster, but the resulting transition system
has more states. The results shown above cannot be interpreted as a direct comparison of state space
12
Table 1: Results of state space generation.
Spin CRL
2 DCMMs states: 128,807 states: 3,842
Buer transitions: 187,343 transitions: 13,460
size 2 elapsed time: 15.5s elapsed time: 14.6s
actual memory used total memory used: 6.8Mb
for states: 8.6Mb
total actual memory
used: 4.2Mb
2 DCMMs states: 208,223 states: 7,292
Buer transitions: 301,598 transitions: 26,048
size 5 elapsed time: 29,2s elapsed time: 24.9s
actual memory used total memory used: 7.1Mb
for states: 12.2Mb
total actual memory
used: 6.9Mb
3 DCMMs states: >47,291,200 states: 3,136,289
Buer transitions: >78,622,800 transitions: 18,248,754
size 2 elapsed time: >8h:04m:22.6s elapsed time: 5h:49m:24.2s
actual memory used total memory used: 155Mb
for states: >1,665.1Mb
total actual memory
used: >5,621.3Mb
Table 2: Command line arguments.
Spin CRL
$ spin -av HAVi.spin $ mcrl -regular -tbfile HAVI.mcrl
$ cc -64 -w -o pan $ instantiator -i HAVi.mcrl
-D_POSIX_SOURCE-DMEMCNT=35
-DSAFETY -DXUSAFE -DNOFAIR
-DCOLLAPSE -g pan.c
$ ./pan -m<depth>
generation capabilities of Spin and CRL toolset due to the dierences in the underlying languages.
However, the PROMELA specication was optimized to use many of its features that do not exist
in CRL. Some of such features were not deployed for several reasons. The unless statement has
unclear semantics when used in combination with synchronous communication. An attempt to use
channels with nonzero capacity as storage instead of arrays lead to 250% increase of the state space.
The trick to use 3 channels instead of 1 to achieve conditional synchronous communication was not
tried, and will be tried in the future.
The results may look misleading due to the fact that the PROMELA code was derived from CRL
code instead of being written directly from the informal description. However, a native PROMELA
specication of the same protocol was analyzed in [10]. The model is quite dierent, as it employs
most of the PROMELA communication primitives, but the sizes of state spaces were comparable to
the ones presented here.
It is also quite dicult to analyze the correspondence between the two specications presented
here. Possibly a better comparison could be achieved using much smaller protocols available in the
literature. However, the choice for HAVi leader election protocol was due to the fact that it is a
REFERENCES 13
protocol some industrial groups are interested in now, and are going to use it in the future.
Acknowledgments
Thanks go to Dragan Boshnachki and Judi Romijn for carefully reading and commenting on PROMELA
specication and the rest of the paper, as well as to Jan Bergstra, Jan Friso Groote and Andre van
Delft for helpful discussions.
References
[1] J.C.M. Baeten and C. Verhoef. Concrete process algebra. In S. Abramsky, D. Gabbay, and T.S.E.
Maibaum, editors, Handbook of Logic in Computer Science, Vol 4, chapter 2. Oxford University
Press, 1994.
[2] J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer
Science 18, Cambridge University Press, 1990.
[3] Jan Friso Groote. The syntax and semantics of timed CRL. Technical Report SEN-R9709,
CWI, Amsterdam, June 1997.
[4] Jan Friso Groote and Bert Lisser. Tutorial and reference guide for the CRL
toolset version 1.0. Technical report, CWI, 1999. To appear, available from URL
http://www.cwi.nl/~mcrl/mutool.html.
[5] J.F. Groote, F. Monin, and J. Springintveld. A computer checked algebraic verication of a
distributed summation algorithm. Technical Report 97-14, Dept. of Mathematics and Computing
Science, October 1997.
[6] J.F. Groote and A. Ponse. The syntax and semantics of CRL. In A. Ponse, C. Verhoef, and
S.F.M. van Vlijmen, editors, Algebra of Communicating Processes 1994, pages 26{62. Workshop
in Computing Series, Springer-Verlag, 1995.
[7] Grundig, Hitachi, Matsushita, Philips, Sharp, Sony, Thomson, Toshiba. Specication of the Home
Audio/Video Interoperability (HAVi) Architecture, November 19 1998. Version 1.0 beta. Available
from URL http://www.havi.org/.
[8] G.J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering,
23(5):279{295, May 1997.
[9] Bas Luttik. Description and formal specication of the link layer of P1394. In Ignac Lovrek,
editor, Proceedings of the 2nd International Workshop on Applied Formal Methods in System
Design. University of Zagreb, Croatia, June 18-19 1997.
[10] J.M.T. Romijn. Model checking the HAVi leader election protocol. Technical Report SEN-R9915,
CWI, Amsterdam, 1999.
14 REFERENCES
A. µCRL Source1
1 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2 %%% Constants, Parameters %%%
3 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
4 map
5 nB:->NAT % Limit for Buffer capasity
6 initNDCMM:->NAT % Initial Number of processes
7 initNst:->ABI % Initial Network status
8 initURLs:->ABI % Initial URL processes status
9 rew
10 nB=2
11 initNDCMM=3
12 initNst=seton(0_0,0)
13 initURLs=seton(0_0,1)
14 map
15 il: NAT#ABI->NAT
16 fl: NAT#ABI#ABI->NAT
17 var
18 N: NAT
19 nst,URLs: ABI
20 rew
21 il(N,nst)=if(eq(nst,0_0),0,min_on(nst)) %Minimal on
22 fl(N,nst,URLs)=if(eq(nst,0_0),0, %Minimal URL on or minimal
23 if(eq(URLs,0_0),min_on(nst), %on if there is no URL.
24 min_on(URLs)))
25
26 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
27 %%% Bool %%%
28 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
29 sort Bool
30 func
31 T,F: -> Bool
32 map
33 and: Bool#Bool -> Bool
34 or: Bool#Bool -> Bool
35 not: Bool -> Bool
36 if: Bool#Bool#Bool -> Bool
37 eq: Bool#Bool -> Bool
38 var
39 b,b1,b2: Bool
40 rew
41 and(T,b)=b and(b,T)=b
42 and(b,F)=F and(F,b)=F
43 or(T,b)=T or(b,T)=T
44 or(b,F)=b or(F,b)=b
45 not(F)=T not(T)=F
46 if(T,b1,b2)=b1 if(F,b1,b2)=b2
47 eq(F,F)=T eq(F,T)=F
48 eq(T,F)=F eq(T,T)=T
49
50 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
51 %%% NAT %%%
52 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
53 sort NAT
54 func
55 0: -> NAT
56 x2p1: NAT -> NAT
57 _x2p0: NAT -> NAT
58 map
59 x2p0: NAT -> NAT
60 eq: NAT#NAT -> Bool
61 1,2,3,4,5,6: -> NAT
62 succ: NAT -> NAT
63 gt: NAT#NAT -> Bool
64 if: Bool#NAT#NAT -> NAT
65 var
66 n,m: NAT
67 rew
68 x2p0(0)=0
69 x2p0(x2p1(n))=_x2p0(x2p1(n))
70 x2p0(_x2p0(n))=_x2p0(_x2p0(n))
1Note that the source code can also be obtained from http://www.cwi.nl/˜ysu/sources/HAVi or by contacting the
author.
A. µCRL Source1 15
71
72 eq(0,0)=T
73 eq(x2p1(n),0)=F
74 eq(0,x2p1(n))=F
75 eq(_x2p0(n),0)=F
76 eq(0,_x2p0(n))=F
77 eq(x2p1(n),_x2p0(m))=F
78 eq(_x2p0(n),x2p1(m))=F
79 eq(_x2p0(n),_x2p0(m))=eq(n,m)
80 eq(x2p1(n),x2p1(m))=eq(n,m)
81
82 1=x2p1(0) 2=_x2p0(1)
83 3=x2p1(1) 4=_x2p0(2)
84 5=x2p1(2) 6=_x2p0(3)
85
86 succ(0)=x2p1(0)
87 succ(x2p1(n))=_x2p0(succ(n))
88 succ(_x2p0(n))=x2p1(n)
89
90 gt(0,n)=F gt(x2p1(n),0)=T gt(_x2p0(n),0)=T
91
92 gt(x2p1(n),_x2p0(m))=not(gt(m,n))
93 gt(_x2p0(n),x2p1(m))=gt(n,m)
94
95 gt(x2p1(n),x2p1(m))=gt(n,m)
96 gt(_x2p0(n),_x2p0(m))=gt(n,m)
97
98 if(T,n,m)=n if(F,n,m)=m
99
100 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
101 %%% ABI (Bool array with NAT indices) %%%
102 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
103 sort ABI
104 func
105 0_0 : ->ABI
106 add : ABI#NAT ->ABI
107 map
108 rem : ABI#NAT ->ABI
109 upd : ABI# NAT#Bool->ABI
110 n_on : ABI ->NAT
111 min_on : ABI ->NAT
112 setoff : ABI#NAT ->ABI
113 seton : ABI#NAT ->ABI
114 reverse: ABI#NAT ->ABI
115 acc : ABI#NAT ->Bool
116 eq : ABI#ABI ->Bool
117 if : Bool#ABI#ABI->ABI
118 var
119 n,m:NAT
120 abi,abi1:ABI
121 b1,b2:Bool
122 rew
123 rem(0_0,n)=0_0
124 rem(add(abi,m),n)=if(gt(m,n),add(abi,m),if(eq(n,m),abi,add(rem(abi,n),m)))
125
126 upd(0_0,n,F)=0_0
127 upd(0_0,n,T)=add(0_0,n)
128 upd(add(abi,m),n,F)=rem(add(abi,m),n)
129 upd(add(abi,m),n,T)=if(gt(m,n),add(add(abi,m),n),
130 if(eq(n,m),add(abi,m),add(upd(abi,n,T),m)))
131
132 n_on(0_0)=0 n_on(add(abi,n))=succ(n_on(abi))
133
134 min_on(0_0)=0 min_on(add(abi,n))=n
135
136 seton(abi,n)=upd(abi,n,T) setoff(abi,n)=upd(abi,n,F)
137
138 reverse(abi,n)=upd(abi,n,not(acc(abi,n)))
139
140 acc(0_0,n)=F
141 acc(add(abi,m),n)=if(gt(m,n),F,if(eq(m,n),T,acc(abi,n)))
142
143 eq(0_0,0_0)=T eq(0_0,add(abi,n))=F eq(add(abi,n),0_0)=F
144 eq(add(abi,n),add(abi1,m))=and(eq(n,m),eq(abi,abi1))
145
146 if(T,abi,abi1)=abi if(F,abi,abi1)=abi1
16 REFERENCES
147
148 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
149 %%% Messages %%%
150 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
151 sort Message
152 func
153 NetworkReset : ABI -> Message
154 DMCapabilityDeclaration : NAT#Bool -> Message
155 DMLeaderDeclaration : NAT#ABI -> Message
156 map
157 eq:Message#Message->Bool
158 var
159 n,m:NAT
160 abi,abi1:ABI
161 b1,b2:Bool
162 rew
163 eq(NetworkReset(abi),NetworkReset(abi1))=eq(abi,abi1)
164 eq(DMCapabilityDeclaration(n,b1),DMCapabilityDeclaration(m,b2))
165 =and(eq(n,m),eq(b1,b2))
166 eq(DMLeaderDeclaration(n,abi),DMLeaderDeclaration(m,abi1))
167 =and(eq(n,m),eq(abi,abi1))
168 eq(NetworkReset(abi),DMCapabilityDeclaration(n,b1))=F
169 eq(NetworkReset(abi),DMLeaderDeclaration(n,abi1))=F
170 eq(DMCapabilityDeclaration(n,b1),NetworkReset(abi))=F
171 eq(DMCapabilityDeclaration(n,b1),DMLeaderDeclaration(m,abi))=F
172 eq(DMLeaderDeclaration(n,abi),NetworkReset(abi1))=F
173 eq(DMLeaderDeclaration(n,abi),DMCapabilityDeclaration(m,b1))=F
174
175 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
176 %%% Status %%%
177 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
178 sort Status
179 func
180 INIT,LE,LEIF,LEIL,LEILS,AOS,AO:->Status
181 map
182 n:Status->NAT
183 eq:Status#Status->Bool
184 rew
185 n(INIT)=0 n(LE)=1 n(LEIF)=2 n(LEIL)=3 n(LEILS)=4 n(AOS)=5 n(AO)=6
186 var a,b:Status
187 rew eq(a,b)=eq(n(a),n(b))
188
189 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
190 %%% Actions %%%
191 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
192 act
193 _flip, flip_on, flip_off, __flip:NAT
194 _on, _off, on, off, __on, __off:NAT
195 _send, send, _rcv, rcv, __send, __rcv:NAT#Message
196 _reset, reset, __reset:NAT#ABI
197 _reset_off, reset_off, __reset_off:NAT
198 _leader:NAT#NAT
199
200 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
201 %%% Communication Function %%%
202 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
203 comm
204 _flip|flip_on=__flip
205 _flip|flip_off=__flip
206 _on|on=__on
207 _off|off=__off
208 _send|send=__send
209 _rcv|rcv=__rcv
210 _reset|reset=__reset
211 _reset_off|reset_off=__reset_off
212
213 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
214 %%% DCMM Process %%%
215 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
216 proc
217 DCMM(St:Status, URL:Bool, n:NAT, N:NAT, nst:ABI, wait:ABI, URLs:ABI,
218 il:NAT, fl:NAT, am_on:Bool)=
219 flip_on(n)._on(n).DCMM(INIT,URL,n,N,0_0,0_0,0_0,0,0,T)
220 <|not(am_on)|>delta
221 +
222 sum(nst1:ABI,rcv(n,NetworkReset(nst1)).DCMM(LE,URL,n,N,nst1,0_0,0_0,0,0,T))
A. µCRL Source1 17
223 <|am_on|>delta
224 +
225 flip_off(n)._off(n).DCMM(INIT,URL,n,N,0_0,0_0,0_0,0,0,F)
226 <|am_on|>delta
227 +
228
229 ( _leader(n,n).DCMM(AO,URL,n,N,nst,0_0,upd(0_0,n,URL),0,n,T)
230 <|eq(n_on(nst),1)|> delta
231 +
232 _send(il(N,nst),DMCapabilityDeclaration(n,URL)).
233 DCMM(LEIF,URL,n,N,nst,0_0,0_0,il(N,nst),0,T)
234 <|not(eq(il(N,nst),n))|> delta
235 +
236 ( sum(m:NAT,sum(d:Bool,(
237 rcv(n,DMCapabilityDeclaration(m,d)) .
238 DCMM(LEILS,URL,n,N,nst,setoff(nst,n),upd(upd(0_0,n,URL),m,d),0,
239 fl(N,nst,upd(upd(nst,n,URL),m,d)),T)
240 <|eq(n_on(nst),2)|>
241 rcv(n,DMCapabilityDeclaration(m,d)) .
242 DCMM(LEIL,URL,n,N,nst,setoff(setoff(nst,n),m),
243 upd(upd(0_0,n,URL),m,d),0,0,T))))
244 )<|and(eq(il(N,nst),n),not(eq(n_on(nst),1)))|>delta
245 +
246 sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1)))).
247 DCMM(LE,URL,n,N,nst,0_0,0_0,0,0,T)
248 )<|eq(St,LE)|>delta
249 +
250
251 ( _send(il,DMCapabilityDeclaration(n,URL)).
252 DCMM(LEIF,URL,n,N,nst,0_0,0_0,il,0,T)
253 +
254 sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1)).
255 DCMM(AOS,URL,n,N,nst,0_0,URLs1,0,m,T)))
256 +
257 sum(m:NAT,sum(d1:Bool,rcv(n,DMCapabilityDeclaration(m,d1)))).
258 DCMM(LEIF,URL,n,N,nst,0_0,0_0,il,0,T)
259 )<|eq(St,LEIF)|>delta
260 +
261
262 ( sum(m:NAT,sum(d:Bool,(
263 rcv(n,DMCapabilityDeclaration(m,d)).
264 DCMM(LEILS,URL,n,N,nst,setoff(nst,n),upd(URLs,m,d),0,fl(N,nst,upd(URLs,m,d)),T)
265 <|and(eq(n_on(wait),1),acc(wait,m))|>
266 rcv(n,DMCapabilityDeclaration(m,d)).
267 DCMM(LEIL,URL,n,N,nst,setoff(wait,m),upd(URLs,m,d),0,0,T))))
268 +
269 sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1)))).
270 DCMM(LEIL,URL,n,N,nst,wait,URLs,0,0,T)
271 )<|eq(St,LEIL)|>delta
272 +
273
274 ( sum(m:NAT,(
275 _send(m,DMLeaderDeclaration(fl,URLs)).
276 DCMM(LEILS,URL,n,N,nst,setoff(wait,m),URLs,0,fl,T)
277 <|and(not(eq(m,fl)),gt(n_on(wait),1))|> delta
278 +
279 _send(m,DMLeaderDeclaration(fl,URLs)).
280 DCMM(AOS,URL,n,N,nst,0_0,URLs,0,fl,T)
281 <|eq(n_on(wait),1)|> delta
282 )<|acc(wait,m)|>delta)
283 +
284 sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1)))).
285 DCMM(LEILS,URL,n,N,nst,wait,URLs,0,fl,T)
286 +
287 sum(m:NAT,sum(d1:Bool,rcv(n,DMCapabilityDeclaration(m,d1)))).
288 DCMM(LEILS,URL,n,N,nst,wait,URLs,0,fl,T)
289 )<|eq(St,LEILS)|>delta
290 +
291 _leader(n,fl).DCMM(AO,URL,n,N,nst,0_0,URLs,0,fl,T)
292 <|eq(St,AOS)|>delta
293 +
294 tau.DCMM(AO,URL,n,N,nst,0_0,URLs,0,fl,T)
295 <|eq(St,AO)|>delta
296
297 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
298 %%% Env Process %%%
18 REFERENCES
299 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
300 Env(N:NAT,nst:ABI)=sum(m:NAT,(_flip(m).Env(N,reverse(nst,m))
301 +_flip(m).delta<|gt(n_on(reverse(nst,m)),0)|>delta
302 )<|gt(N,m)|>delta)
303
304 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
305 %%% Bus Process %%%
306 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
307 Bus(N:NAT,nstat:ABI)=
308 sum(m:NAT,on(m).Bus1(N,seton(nstat,m),seton(nstat,m)))
309 +
310 sum(m:NAT,off(m)._reset_off(m).
311 (Bus(N,setoff(nstat,m))<|eq(n_on(nstat),1)|>
312 Bus1(N,setoff(nstat,m),setoff(nstat,m))))
313
314 Bus1(N:NAT,nstat:ABI,wait:ABI)=
315 sum(m:NAT,_reset(m,nstat).(Bus(N,nstat)<|eq(n_on(wait),1)|>
316 Bus1(N,nstat,setoff(wait,m)))<|acc(wait,m)|>delta)
317
318 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
319 %%% Message Queues %%%
320 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
321 sort QMes
322 func empty : -> QMes
323 add : QMes#Message -> QMes
324
325 map first : QMes -> Message
326 remfirst : QMes -> QMes
327 is_empty : QMes -> Bool
328 size : QMes -> NAT
329 var
330 mes1,mes2:Message
331 q: QMes
332 rew
333 first(add(empty,mes1))=mes1
334 first(add(add(q,mes2),mes1))=first(add(q,mes2))
335 remfirst(add(empty,mes1))=empty
336 remfirst(add(add(q,mes2),mes1))=add(remfirst(add(q,mes2)),mes1)
337 is_empty(empty)=T
338 is_empty(add(q,mes1))=F
339 size(empty)=0
340 size(add(q,mes1))=succ(size(q))
341
342 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
343 %%% Buffer Process %%%
344 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
345 proc
346 Buffer(N:NAT,n:NAT,q:QMes)=
347 sum(mes:Message,send(n,mes).Buffer(N,n,add(q,mes))) <|gt(nB,size(q))|> delta
348 +
349 _rcv(n,first(q)).Buffer(N,n,remfirst(q)) <|not(is_empty(q))|> delta
350 +
351 sum(nst1:ABI,reset(n,nst1).Buffer(N,n,add(empty,NetworkReset(nst1))))
352 +
353 reset_off(n).Buffer(N,n,empty)
354
355 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
356 %%% The Whole System %%%
357 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
358 SYSTEMDCMM(N:NAT,nstat:ABI,URLs:ABI)=
359 encap({_flip,flip_on,flip_off},
360 hide({__on,__off,__reset,__reset_off},
361 encap({_on,on,_off,off,_reset,reset,_reset_off,reset_off},
362 hide({__send},encap({_send,send},
363 (hide({__rcv},encap({_rcv,rcv},
364 DCMM(INIT,acc(URLs,0),0,N,0_0,0_0,0_0,0,0,acc(nstat,0))||
365 Buffer(N,0,empty))))
366 ||
367 (hide({__rcv},encap({_rcv,rcv},
368 DCMM(INIT,acc(URLs,1),1,N,0_0,0_0,0_0,0,0,acc(nstat,1))||
369 Buffer(N,1,empty))))
370 ||
371 (hide({__rcv},encap({_rcv,rcv},
372 DCMM(INIT,acc(URLs,2),2,N,0_0,0_0,0_0,0,0,acc(nstat,2))||
373 Buffer(N,2,empty))))
374 ))
B. PROMELA Source2 19
375 ||
376 Bus(N,nstat)
377 ))
378 ||
379 Env(N,nstat)
380 )
381
382 init SYSTEMDCMM(initNDCMM,initNst,initURLs)
B. PROMELA Source2
1 #define initNDCMM 3
2 #define nB 2
3
4 typedef ABI {bool a[initNDCMM]};
5 mtype = {NetworkReset, DMCapabilityDeclaration, DMLeaderDeclaration};
6 typedef Message {mtype MTYPE; byte NN; bool URL; ABI NST};
7
8 chan on = [0] of {byte};
9 chan off = [0] of {byte};
10 chan send[initNDCMM] = [0] of {Message};
11 chan rcv[initNDCMM] = [0] of {Message};
12 chan reset[initNDCMM] = [0] of {ABI};
13 chan reset_off[initNDCMM] = [0] of {bit};
14 chan flip[initNDCMM] = [0] of {bit};
15 chan leader = [0] of {byte, byte}
16
17 chan env = [0] of {ABI}
18 chan bus = [0] of {ABI} /* Due to the technical restrictions of spin we
19 cannot pass arrays as parameters for processes. So we use these channels to
20 pass nst to Env and Bus */
21
22 /* inlines use and sideeffect variable _i
23 (assumed that it is defined as byte) */
24
25 /* copies N first elements of array B
26 to the corresponding elements of A */
27 inline array_assign(A, B, N)
28 { _i=0; do
29 :: _i<N -> A.a[_i]=B.a[_i]; _i=_i+1
30 :: else break
31 od; _i=0;}
32
33 /* m := minimal m s.t. A[m].
34 0 if all elements of A are false */
35 inline array_min_true(A, N, m)
36 { _i=0; do
37 ::(_i<N) -> if
38 :: !A.a[_i] -> _i=_i+1
39 :: else -> break
40 fi;
41 ::else -> break
42 od; m = (_i==N -> 0 : _i); _i=0;}
43
44 /* n_on := number of true elements of A */
45 inline array_n_true(A, N, n_on)
46 { n_on=0; _i=0; do
47 ::(_i<N) -> n_on=(A.a[_i]->n_on+1:n_on);_i=_i+1
48 ::else -> break
49 od; _i=0;}
50
51 /* assign false to N first elements of A*/
52 inline array_false(A, N)
53 { _i=0; do
54 ::(_i<N) -> A.a[_i]=false; _i=_i+1
55 ::else -> break
56 od; _i=0;}
57
58 #define NETWORK_RESET_WAIT_URLS rcv[n]?NetworkReset,_,ib,nst;\
59 atomic{d_step{array_false(wait,N);array_false(URLs,N);\
2Note that the source code can also be obtained from http://www.cwi.nl/˜ysu/sources/HAVi or by contacting the
author.
20 REFERENCES
60 il=0;fl=0;m=0;n_on=0};goto LE}
61
62 #define NETWORK_RESET_URLS rcv[n]?NetworkReset,_,ib,nst;\
63 atomic{d_step{array_false(URLs,N);\
64 il=0;fl=0;m=0;n_on=0};goto LE}
65
66 #define NETWORK_RESET rcv[n]?NetworkReset,_,ib,nst;\
67 atomic{d_step{il=0;fl=0;m=0;n_on=0};goto LE}
68
69 #define FLIP_OFF_NST_WAIT_URLS flip[n]?1;off!n;\
70 atomic{d_step{array_false(nst,N);array_false(wait,N);array_false(URLs,N);\
71 il=0;fl=0;m=0;n_on=0;am_on=false};goto INIT}
72
73 #define FLIP_OFF_NST_URLS flip[n]?1;off!n;\
74 atomic{d_step{array_false(nst,N);array_false(URLs,N);\
75 il=0;fl=0;m=0;n_on=0;am_on=false};goto INIT}
76
77 #define FLIP_OFF_NST flip[n]?1;off!n;\
78 atomic{d_step{array_false(nst,N);\
79 il=0;fl=0;m=0;n_on=0;am_on=false};goto INIT}
80
81 #define FLIP_OFF flip[n]?1;off!n;\
82 atomic{d_step{il=0;fl=0;m=0;n_on=0;am_on=false};goto INIT}
83
84 bool ib; hidden ABI iabi;
85
86 /*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
87 %%% DCMM Process %%%
88 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/
89 proctype DCMM(bool URL; byte n, N; bool _am_on)
90 { bool am_on; ABI nst, wait, URLs;
91 byte il,fl,m,n_on; bool d; byte _i;
92
93 d_step{ am_on=_am_on; array_false(nst,N); array_false(wait,N);
94 array_false(URLs,N); il=0; fl=0; m=0; n_on=0; d=false; _i=0;}
95 INIT:
96 if
97 :: !am_on -> flip[n]?1; on!n; atomic {am_on=true; goto INIT}
98 :: am_on -> if
99 :: NETWORK_RESET
100 :: FLIP_OFF
101 fi;
102 fi;
103
104 LE:
105 atomic{
106 d_step{array_min_true(nst,N,il);} /* il calculation */
107 if
108 :: il==n -> d_step{array_assign(wait,nst,N); wait.a[n]=false;
109 URLs.a[n]=URL; il=0;} goto LEIL;
110 :: else
111 fi;}
112
113 LE1:
114 if
115 :: send[il]!DMCapabilityDeclaration(n,URL,iabi); goto LEIF
116 :: rcv[n]?DMLeaderDeclaration,_,ib,iabi; goto LE1;
117 :: rcv[n]?DMCapabilityDeclaration,_,ib,iabi; goto LE1;
118 :: NETWORK_RESET
119 :: FLIP_OFF_NST
120 fi;
121
122 LEIF:
123 if
124 :: send[il]!DMCapabilityDeclaration(n,URL,iabi); goto LEIF
125 :: rcv[n]?DMLeaderDeclaration,fl,ib,URLs; goto AOS
126 :: rcv[n]?DMCapabilityDeclaration,_,ib,iabi; goto LEIF
127 :: NETWORK_RESET
128 :: FLIP_OFF_NST
129 fi;
130
131 LEIL:
132 atomic{d_step{array_n_true(wait,N,n_on);}
133 LEIL1:
134 if
135 :: n_on==0 -> d_step{array_assign(wait,nst,N);
B. PROMELA Source2 21
136 wait.a[n]=false;
137
138 array_min_true(nst,N,fl);
139 array_min_true(URLs,N,m); /* final leader calculation */
140 fl=(m==0->fl:m); m=0;}
141
142 goto LEILS;
143 :: else
144 fi;}
145
146 LEIL2:
147 if
148 :: rcv[n]?DMCapabilityDeclaration,m,d,iabi;
149 atomic{d_step{n_on=(wait.a[m]->n_on-1:n_on);
150 wait.a[m]=false; URLs.a[m]=d; m=0; d=false}; goto LEIL1; }
151 :: rcv[n]?DMLeaderDeclaration,_,ib,iabi; goto LEIL2;
152 :: NETWORK_RESET_WAIT_URLS
153 :: FLIP_OFF_NST_WAIT_URLS
154 fi;
155
156 LEILS:
157 atomic{m=0; d=wait.a[fl]; wait.a[fl]=false; /* final leader is informed the last */
158
159 LEILS1:
160 if
161 :: (m==N && d) -> d_step{m=fl; d=false;}
162 :: (m==N && !d) -> m=0; goto AOS;
163 :: (m<N && !wait.a[m]) -> m=m+1; goto LEILS1;
164 :: else
165 fi;}
166
167 LEILS2:
168 if
169 :: send[m]!DMLeaderDeclaration(fl,false,URLs); wait.a[m]=false; goto LEILS1;
170 :: rcv[n]?DMLeaderDeclaration,_,ib,iabi; goto LEILS2;
171 :: rcv[n]?DMCapabilityDeclaration,_,ib,iabi; goto LEILS2;
172 :: NETWORK_RESET_WAIT_URLS
173 :: FLIP_OFF_NST_WAIT_URLS
174 fi;
175
176 AOS:
177 if
178 :: leader!n,fl; goto AO;
179 :: NETWORK_RESET_URLS
180 :: FLIP_OFF_NST_URLS
181 fi;
182
183 AO:
184 if
185 :: NETWORK_RESET_URLS
186 :: FLIP_OFF_NST_URLS
187 :: goto AO;
188 fi;
189 }
190
191 /*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
192 %%% Bus Process %%%
193 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/
194 proctype Bus(byte N)
195 { ABI nst, wait; byte m, n_on, n_on_wait; byte _i;
196
197 d_step{array_false(nst,N); array_false(wait,N); m=0; n_on=0; _i=0;}
198 bus?nst;
199 d_step{array_n_true(nst,N,n_on);}
200
201 Bus_:
202 if
203 :: n_on==0 -> on?m; atomic{d_step{nst.a[m]=true; m=0; n_on=1;} goto Bus1}
204 :: else -> if
205 :: on?m; atomic{d_step{nst.a[m]=true; m=0; n_on=n_on+1;} goto Bus1}
206 :: off?m; reset_off[m]!1; atomic{d_step{nst.a[m]=false; m=0; n_on=n_on-1;} goto Bus1}
207 fi;
208 fi;
209
210 Bus1:
211 atomic{
22 REFERENCES
212 if
213 :: (m==N) -> m=0; goto Bus_;
214 :: (m<N && !nst.a[m]) -> m=m+1; goto Bus1;
215 :: else
216 fi;}
217
218 reset[m]!nst; atomic{m=m+1; goto Bus1};
219 }
220
221 #define BUFFER_RESET reset[n]?nst;atomic{d_step{queue_clean(nIn);\
222 queue[0].MTYPE=NetworkReset;array_assign(queue[0].NST,nst,N);\
223 array_false(nst,N);nIn=1}; goto Buffer_}
224
225 #define BUFFER_RESET_OFF reset_off[n]?1;\
226 atomic{d_step{queue_clean(nIn); nIn=0}; goto Buffer_}
227
228 /* inlines below use and sideeffect variable _j
229 (assumed that it is defined as byte) */
230
231 /* shifts queue[1..nIn-1] to queue[0..nIn-2]
232 (if nIn<=1 does nothing) */
233 inline queue_shift()
234 { _j=1; do
235 ::_j<nIn-> queue[_j-1].MTYPE=queue[_j].MTYPE;
236 queue[_j-1].NN=queue[_j].NN;
237 queue[_j-1].URL=queue[_j].URL;
238 array_assign(queue[_j-1].NST,queue[_j].NST,N);
239 _j=_j+1
240 ::else->break
241 od; _j=0;}
242
243 /* assignes default values to queue elements */
244 inline queue_clean(NNN)
245 { _j=0; do
246 :: _j<NNN -> queue_clean_element(_j); _j=_j+1
247 :: else break
248 od; _j=0;}
249
250 /* assignes default value to an element */
251 inline queue_clean_element(el)
252 { queue[el].MTYPE=NetworkReset;
253 queue[el].NN=0;
254 queue[el].URL=false;
255 array_false(queue[el].NST,N);}
256
257 /*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
258 %%% Buffer Process %%%
259 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/
260 proctype Buffer(byte n, N)
261 { byte nIn,_i,_j; Message queue[nB]; ABI nst;
262
263 d_step{nIn=0; array_false(nst,N); queue_clean(nB); _i=0; _j=0;}
264
265 Buffer_:
266 if
267 :: (nIn<nB && nIn>0) ->
268 if
269 :: send[n]?queue[nIn];
270 atomic{nIn=nIn+1; goto Buffer_};
271 :: rcv[n]!queue[0];
272 atomic{d_step{queue_shift(); nIn=nIn-1;
273 queue_clean_element(nIn);} goto Buffer_}
274 :: BUFFER_RESET
275 :: BUFFER_RESET_OFF
276 fi;
277 :: (nIn==nB) -> if
278 :: rcv[n]!queue[0];
279 atomic{d_step{queue_shift(); nIn=nIn-1;
280 queue_clean_element(nIn);} goto Buffer_}
281 :: BUFFER_RESET
282 :: BUFFER_RESET_OFF
283 fi;
284 :: (nIn==0) -> if
285 :: send[n]?queue[nIn]; atomic{nIn=1; goto Buffer_}
286 :: BUFFER_RESET
287 :: BUFFER_RESET_OFF
B. PROMELA Source2 23
288 fi;
289 fi;
290 }
291
292 /*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
293 %%% Env Process %%%
294 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/
295 proctype Env(byte N)
296 { ABI nst; byte n_on,j; byte _i;
297
298 d_step{j=0; n_on=0; array_false(nst,N);_i=0}
299 env?nst;
300 Env_:
301 if
302 :: flip[j]!1;
303 atomic{ d_step{nst.a[j]=!nst.a[j]; j=0; array_n_true(nst,N,n_on);}
304 if
305 :: n_on=0; goto Env_;
306 :: (n_on!=0) -> d_step{n_on=0; array_false(nst,N);} goto Env_End;
307 fi;
308 }
309 :: leader?_,_; atomic{j=0; goto Env_;}
310 :: (j<(N-1)) -> atomic{j=j+1; goto Env_;}
311 fi;
312 Env_End:
313 leader?_,_; goto Env_End;
314 }
315
316 /*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
317 %%% Init %%%
318 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/
319
320 init
321 { ABI nst, URLs; byte j; byte _i;
322 atomic{
323 d_step{ array_false(nst,initNDCMM); array_false(URLs,initNDCMM);
324 nst.a[0]=true; URLs.a[1]=true; j=0;}
325 do
326 :: j<initNDCMM -> run DCMM(URLs.a[j],j,initNDCMM,nst.a[j]);
327 run Buffer(j,initNDCMM); j=j+1;
328 :: else break;
329 od; j=0;
330 run Bus(initNDCMM); run Env(initNDCMM);
331 }
332 bus!nst; env!nst;
333 }
