Description and formal specification of the link layer of P1394 by Luttik, S.P. (Bas)
Centrum voor Wiskunde en Informatica
REPORTRAPPORT
Description and Formal Specification of the Link Layer of P1394
S.P. Luttik
Software Engineering (SEN)
SEN-R9706 May 31, 1997
Report SEN-R9706
ISSN 1386-369X
CWI
P.O. Box 94079
1090 GB  Amsterdam
The Netherlands
CWI is the National Research Institute for Mathematics
and Computer Science. CWI is part of the Stichting
Mathematisch Centrum (SMC), the Dutch foundation
for promotion of mathematics and computer science
and their applications.
SMC is sponsored by the Netherlands Organization for
Scientific Research (NWO). CWI is a member of
ERCIM, the European Research Consortium for
Informatics and Mathematics.
Copyright © Stichting Mathematisch Centrum
P.O. Box 94079, 1090 GB  Amsterdam (NL)
Kruislaan 413, 1098 SJ  Amsterdam (NL)
Telephone +31 20 592 9333
Telefax +31 20 592 4199
Description and Formal Specication of the Link Layer of P1394
S.P. Luttik
CWI
P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
Programming Research Group, University of Amsterdam,
Kruislaan 403, 1098 SJ Amsterdam, The Netherlands
Email: luttik@cwi.nl
ABSTRACT
We give a formal specication in CRL of the Link Layer as described in the IEEE Standard P1394 [IEE95]
that may serve as a starting point for further verication.
1991 Mathematics Subject Classication: 68M10 Computer networks; 68Q60 Specication and verication of
programs
1991 Computing Reviews Classication System: C.2.2 Network Protocols; D.2.1 Requirements/Specications;
D.2.4 Program Verication
Keywords and Phrases: P1394, CRL, Serial Bus Protocol.
Note: Research supported by the Netherlands Organization for Scientic Research (NWO) under contract SION
612-33-008. Work carried out under project SEN 2.1 Process Specication and Analysis.
1. Introduction
P1394 is an IEEE Standard describing a \High Performance Serial Bus" [IEE95]. It deals both with
the physical requirements and the protocol of the bus. The main feature of P1394 is that it supports
two modes of transaction: an asynchronous mode and an isochronous mode.
In asynchronous mode, one party (the sender) can send a message of arbitrary length to some other
party (the receiver). Such a message may be sent at an arbitrary moment after the sender has gained
access to the bus; the only timing restriction is that the interval during which a node may have access
to the bus is bounded. In this mode, the receiver must conrm the receipt of the message by sending
an acknowledge.
In isochronous mode the sender is obliged to send messages at xed rates, and messages are not
acknowledged. This service is useful for fast transmission of large amounts of data, if certainty at the
side of the sender about the receipt of the data by the receiver is not important, whereas the arrival
of the data at a constant rate is (for instance, audio/video data).
We give a specication of part of the P1394 protocol in CRL [GP94], a formalism based on process
algebra (see e.g. [Mil89, BW90]) that has the possibility of including algebraic data descriptions. Our
specication serves as a case study in the application of formal methods and forms a starting point
for further verication of the protocol.
We specify the behaviour in asynchronous mode of the Link Layer, the middle layer of the three
layered protocol; responsible for the construction of packets, the transmission of these over a serial (one
bit) line to other parties, and the computation and verication of checksums. Moreover, we specify
a Bus-process, describing the external behaviour of the underlying physical components according
to P1394, in order to be able to simulate the situation where a number of Link Layers communicate
asynchronously.
2The rest of this section is devoted to an informative introduction to P1394. In Section 2 we will
discuss our specication of the Link Layer protocol and in Section 3 we will explain our specication of
a process describing the external behaviour of a number of P1394-compliant Physical Layers connected
by a cable. The actual specications are included as appendices. In Section 4 we will indicate a number
of properties that should hold w.r.t. our specication.
1.1 The P1394 Protocol
The serial bus architecture is roughly as depicted in Figure 1. It consists of a number of nodes
(addressable entities that run their own part of the protocol) connected by a serial line (to which we
will refer by the term Cable in the sequel).
CABLE ENVIRONMENT
node nnode 2node 1
co
n
tr
ol
le
r
PHY
LINK
TRANS
co
n
tr
ol
le
r
PHY c
o
n
tr
ol
le
r
PHY
LINK
TRANSTRANS
LINK
Figure 1: Serial Bus architecture.
The behaviour of each node in asynchronous mode is described by three layers:
1. The Transaction Layer (the upper layer; indicated by Trans) oers three types of transactions
to the application(s) running on the node: applications may want to perform read transactions
(read data from another node), write transactions (write data to another node), and lock trans-
actions (have some of its own data processed by another node after which it is transferred back).
Such transactions consist of a request and a response; Trans can both handle `concatenated
response' transactions (response follows request immediately) as well as `split' transactions (re-
sponse not necessarilly follows immediately on the request it belongs to).
2. The Link Layer (referred to as Link) is the middle layer. It forms the interface between Trans
and the physical components of the bus (consisting of the `Physical Layers' (Phys) connected
by a serial line (Cable), together denoted by Bus). Link provides two types of services to
Trans:
Data request/response: By means of a `Link Data request' Trans instructs Link to send
a packet to some particular node or to broadcast a packet to all other nodes. Trans must
react on a packet addressed to it by sending an acknowledge by means of a `Link Data
response'.
Data indication/conrmation: By means of a `Link Data indication' Link indicates the
arrival of data (either request or response data). The receipt of an acknowledge packet is
indicated to Trans by means of a `Link Data conrmation'.
Link divides the stream of packets that it sees onBus into an alternating sequence of `subactions'
and `subaction gaps'; the latter being time intervals having a specied minimal length during
which Cable resides in an idle state (see Figure 2). A subaction either consists of a single packet
(in case of a `split transaction', see subaction 1) or of two packets (in case of a `concatenated
response transaction', see subaction 2). Within each subaction, a packet is delimited by special
2. Explanation of Link-Specication 3
`data start' and `data end' signals; the gap between two packets within a subaction must be
lled with `data prex' signals in order to distinguish these gaps from the subaction gaps.
 
 


  
  


  
  


 
 


 
 


 
 


  
  


 
 


 
 


 
 


 
 


 
 


subaction 2
subaction gapdata end
data prefix
responseack ackarb packet
subaction 1
request
packetackpacketarb
data start
Figure 2: Link operation
Before a packet can be put on Bus, Link must rst gain access by issueing an arbitration
procedure. Moreover Link must transform the requests of Trans into a certain packet format,
computing and attaching checksums to parts of the data to be transmitted. It also decides
whether incoming packets have been received properly by verifying the attached checksums.
Every packet that is put on Bus by any of the nodes is received by each Link; however, only
packets addressed to the node that Link is a part of is forwarded to Trans. Link also directs
the process of waiting for acknowledgements.
3. The physical connection between a node and the serial line is called the Physical Layer (Phy).
It listens to and puts signals on Cable, measures the lengths of the time intervals during which
Cable resides in an idle state and determines together with the other Phys which node has
control over Cable (arbitration). It provides the following services to Link:
Arbitration request/conrmation: Link instructs Phy to start an arbitration procedure
by means of a `Phy Arbitration request'. The result of this procedure (either `won' or
`lost') is communicated to Link by means of a `Phy Arbitration conrmation'.
Data request/indication: The Link Layer instructs Phy to put some signal on Cable by
means of a `Phy Data request'. Phy indicates a signal on Cable (or information about
the status of Cable) to Link by means of a `Phy Data indication'.
Clock indication: To notify Link that it can (and should!) put a signal on Cable, Phy
communicates a `Phy Clock indication'.
According to [IEE95] there is also a so-called `node controller' that can inuence each of the three
layers. Since in asynchronous mode the ro^le of this node controller is restricted to the ability to reset
each of the three layers (force them into their initial state), we have left it out of our specication.
2. Explanation of Link-Specification
In [IEE95], data descriptions of Link mainly consist of a number of tables, that tables dene the
lengths of several dierent streams of bits and how to interpret them as packets.
The operational behaviour of Link is described by means of an (incomplete) state-transition diagram
and some informal text, meant to impose additional restrictions on the states and transitions of this
diagram.
We apply some abstractions to the data in our specication and focus on the process part of Link,
which we try to describe as precise as possible. In this section, we will explain some details of our
specication of Link (appendix B). First, we introduce some elementary and auxiliary data types
that we need in the specication. Then, we describe a single packet format that is used by Link to
communicate with the Links of other nodes, via Bus). Finally, we discuss the process part of the
specication.
42.1 Auxiliary Data Types of Link
We need in our specication a sort B with constants t and f, the logical connectives not, or and and
and a function if(x; y; z) that chooses between its second and third argument upon the value of x,
and an equality relation eq(x; y). Moreover, we have a sort N of natural numbers, with constructors
0 and succ(n), a `less than'-relation lt(n;m), and a predicate eq(x; y) reecting the standard equality
on naturals.
Furthermore, we have ve enumerated types that encode a number of attributes used in the com-
munication between Link and Trans and between Link and Phy:
 The sort BOC (for `Bus Occupancy Control') contains two elements: release, and hold. It oers
Trans the possibility to indicate Link whether a `split' transaction (release) or a `concatenated
response' transaction (hold) is requested. Namely, in the rst case Link must release the bus
after sending acknowledge packet, while in the second case the bus must be held to allow the
sending of a response packet.
 The sort LDI contains the attributes Link must attach to an incoming packet when it forwards
it to Trans.
 The sort LDC contains the values by which Link informs Trans of the success or failure of a
transaction.
 The sort PAR contains the two possible arbitration modes
1
by which Link can request Phy to
gain access to Cable.
 After Phy has performed the arbitration procedure, a result of either won or lost (sort PAC)
is communicated back to Link.
2.2 Packet Formats
The sorts DATA, HEADER, and ACK specify the actual contents of packets. In our specication
these three sorts each contain two elements, but this could have been any number of distinct elements,
given that there is a function crc, that maps each element to some checksum in CHECK. It is not
really important how such a checksum is computed, but the function crc should, of course, have an
inverse. We have specied two checksum values: > for `good crc' and ? for `bad crc'. We abstracted
here a little bit from the original descriptions in [IEE95]. There, the sorts DATA, HEADER, and
ACK contain sequences of 128, 112, and 4 bits respectively. Data elements and headers have a 32 bit
checksum; acknowledgements have a 4 bit checksum.
In [IEE95] a number of asynchronous packet formats are dened for each kind of transaction. These
formats are all in line with a general format for asynchronous packets, but dier in length, specic
values of some elds of the header, and the presence of one or more data elements. We have specied
just a single asynchronous packet format, consisting of a destination (from N), a header part (an
element from HEADER together with its crc) and one data part (an element from DATA and its crc.
The destination and the header part together form the header as described in [IEE95]. Actually, the
header part should contain al kinds of control elds that are not relevant on Link Layer level.
Every node that is connected to the Cable knows its own identication number and the total
number of nodes that are connected to the Cable. If there are n nodes, then it is assumed that they
have identication numbers 0 through n  1. Now, if the destination eld of a packet contains either
of the values 0 through n   1, then this is interpreted as the address of the node with this value as
identication number. If the destination eld has value n, then the packet is considered a broadcast
packet, i.e. a packet that is addressed to all nodes (except for the sending node).
As in [IEE95], acknowledge packets consist of an acknowledge (code) and an acknowledge checksum
(also called `parity'), together having a xed length of 1 byte (i.e. 8 bits). By means of a `Link Data
1
a third possibility is mentioned in [IEE95], but that one is not relevant in asynchronous mode.
2. Explanation of Link-Specication 5
response' Trans communicates the acknowledge code that should be put on the bus, as well as an
instruction for Link to either release, or hold control over bus.
According to [IEE95], Link should communicate packets via Bus to other Links serially, that is,
Link must send one bit as soon as Phy indicates that it is ready to put a new bit on Cable. Instead,
we chose divide packets into signals (from S). In this way we obtain a more concise specication,
avoiding a number of complications that do not inuence Link's behaviour. We do make sure that
our specication still reects naturally the serial mechanisms as described in the standard. A signal is
either a control signal or a data signal. We distinguish four types of data signals, which are embedded
in the sort S by means of the function sig:
destination signals: constructed by applying sig to a natural number | `getdest' yields the desti-
nation from such a signal;
header signals: constructed by sig from a header and a checksum | `gethead' yields the header
from such a signal;
data signals: constructed by sig from a data part and a checksum | `getdata' and `getdcrc' respec-
tively yield the data element and the checksum of such a signal;
acknowledge signals: constructed by sig from an acknowledge and a checksum { `getack' yields
the acknowledge part of such a signal.
The predicates dest?(s), header?(s), data?(s) and ack?(s) respectively yield t if s is a destination, a
header, a data element, or an acknowledge. Furthermore, valid hpart(s) and valid ack(s) equal t if s
is a header or an acknowledge signal (respectively) with a checksum value of >.
To simulate the situation of [IEE95] where incoming destinations (consisting of 2 bytes) and ac-
knowledgements (consisting of 1 byte) are distinguished by their length, we have an additional signal
that is considered a data signal: dhead. Thus, destinations must be transmitted by means of two
signals, dhead and the `real' destination, whereas acknowledgements consist of one signal.
The sort S contains four control signals:
start: used to mark the beginning of a packet;
end, Prefix: both used to mark the end of a packet; end indicates Phy to release control over Cable
afterwards; Prefix tells Phy not to release control over Cable;
subactgap: is used by Phy to notice Link that it has detected that Cable has been idle for some
specic amount of time.
The predicate physig? holds when a signal is one of the four control signals; terminator? determines
it is start, Prefix, or end; and hda? is t if the signal is either a header signal, a data signal or an
acknowledgement signal.
Within Link, asynchronous packets reside in a buer that is either empty (void) or contains a
quadruple of four signals: a destination header, a destination signal, a header signal and a data signal
(see SIG TUPLE). Acknowledge packets will be represented just by their signal.
2.3 Link Layer Operation
Our specication of the process behaviour of Link is based on the state machine as depicted in [IEE95,
Figure 6-19, Page 174] and the informal explanation it is accompanied by. We have derived process
names of the names of the states in the state machine as follows: process Linkn for 0  n  7
corresponds to state Ln. Each process receives at least three parameters: the total number of nodes
that are connected to Cable, the identication number of the particular node, and a buer to contain
a pending request of Trans. Each action receives the identication number as its rst parameter.
Link starts as process Link0 with an buer that is void; it can either receive a data request from
Trans (LDreq(id; dest; h; d)) or a data indiation from Phy (rPDind(id; p)).
6At a data request, a packet s (quadruple) is constructed from the parameters put into the buer.
Since the buer then is not void anymore Link starts a fair arbitration procedure to gain access to
Bus (sPAreq(id; fair)). If this results in won then the underlying Phy controls Cable, so Link enters
`send mode' (Link2
req
, see below). However, it can also happen that Phy indicates a the arrival of
data: the packet is stored in buer and the data is received rst (Link4).
At a data indiction, it must be checked whether the received signal is a start-signal. If it is, then
this indicates that some node has control over Cable and is sending a packet. The incoming packet
must be received in `receive mode' (Link4). However, if the signal was not a start-signal, it may be
ignored.
Send Mode As soon as it has gained control over Cable, Phy starts indicating clock signals
(rPCind(id)) to notify Link that it should send a signal. Link is supposed to respond to every
such clock indication and sends the entire packet |delimited by a start- and an end-signal|, one
signal at a time (Link2
req
).
The end signal also noties Phy that Link has sent all of its packet; it will cease to send clock
indications. Upon the value of the destination eld, Link either informs Trans that a broadcast
packet was sent (LDcon(id; broadsent)) properly (Link0), or it must wait for an acknowledge packet
(Link3).
The acknowledge packet must arrive within some specic amount of time: if a subactgap occurs
before an acknowledgement with valid checksum has been received entirely (i.e. up to and including
the terminating end signal), then Link will act as if the acknowledge is missing. Recall that an
acknowledge packet can be identied by its length (1 signal). As a start signal arrives, Link evolves
into Link3
RA
, expecting an acknowledge signal. If the next signal is indeed a data signal, then Link
receives the terminating end signal (Link3
RE
), checks the validity of the received acknowledge signal
and sends an `acknowledgement received' (ackrec) to Trans. On the other hand, if anything goes
wrong (for instance, another data signal arrives, there is no terminating end, or the acknowledge
packet is not valid), then Link sends `acknowledgement missing' (ackmiss) to Trans. Both in case
of failure and in case of success, Link does wait for an indication of Phy that a `subaction gap'
(subactgap) has occurred, before it returns the initial state (LinkWsa). Of course, if a subaction
gap interferes in the above described behaviour, Link should immediately send an ackmiss and return
to its initial state.
Receive Mode If Link receives a start signal is indicated, it enters `receive mode' (Link4) and
expects to see a packet being put on Bus by some other Link. Asynchronous packets consist of
4 signals, and Link will receive at least two signals before it can determine whether the packet is
addressed to it. If it only receives one signal followed by a terminating end (Link4
DH
), then it has
received an acknowledge packet, which it should ignore: it will wait for the next subaction gap and
return to the initial state (LinkWsa). If the second signal is indeed a destination signal, then it must
check whether the incoming packet is either (1) a packet addressed to it, (2) a broadcast packet or
(3) a packet destinated to some other node.
In the rst case it must notify Phy that it wants access to Bus as soon as the packet has been
received entirely, in anticipation of sending an acknowledge. It does this by means of an immediate
arbitration request sPAreq(id; immediate). Broadcast packets, however, should not be acknowledged,
so in the second case no such request is needed. In both cases Link evolves into state Link4
RH
; by
means of the parameter dest, it still can decide whether the incoming packet was broadcast or not. In
the third case Link should completely ignore the packet; it returns to Link0 at the next subaction
gap (LinkWsa).
The third signal is expected to be a header signal (Link4
RH
), and the fourth signal should be a data
signal (Link4
RD
). If the packet is correctly terminated by either an end signal or a Prefix signal,
then the packet is indicated to Trans as either a broadcast packet (Link4
BRec
), or as a packet that
was addressed to this node (Link4
DRec
). In both cases the data checksum is veried. Observe that in
3. The Auxiliary Bus Protocol 7
the broadcast-case, a packet with invalid data checksum is ignored. In the other case, the packet will
have to be acknowledged, so upon a `Phy Arbitration conrmation' of won, Link evolves into `send
acknowledge mode' (Link5).
Any deviation of the above described procedure will cause Link to ignore the packet; it will wait for
a subaction gap to return to the initial state (LinkWsa). However, an immediate arbitration request
will always be followed by a `Phy Arbitration conrmation' of won. In such a case, Link is granted
access to Cable, although it does not need to send an acknowledgement. Therefore, if the destination
signal indicated that the packet was meant for this Link, the arbitration conrmation must be received
and Cable-control must be terminated immediately by sending an end signal (LinkWsa).
Send Acknowledge Mode While Link is waiting for Trans to respond to a data indication with the
proper acknowledgement code, it must keep Cable `busy' by sending a Prefix signal on every clock
indication; this is to avoid the occurrence of a subactgap. Depending on the type of the received
packet, Trans may need to issue a so-called `concatenated response' (for instance, the packet was a
read request and Trans immediately wants to send the requested data to the requesting node). By
means of a data response (LDreq(id; dest; h; d)) Trans communicates the proper acknowledgement,
as well as one of the values release or hold. The former means that no concatenated response
is requested and that, after sending the acknowledge (Link6), Link may release Cable and go to
its initial state. The latter means that a concatenated response is requested and that Link should
hold Cable after sending the acknowledgement packet by responding to clock indications by Prefix
signals (Link7). Now, Link already has control over Cable, so upon a data request it may evolve
into `send mode' (Link2
resp
) immediately.
3. The Auxiliary Bus Protocol
In order to simulate the interaction of n Link Layers, we have also specied the external the behaviour
of n Phys, connected by Cable (see appendix C) in the process Bus.
3.1 Tables over B
As an auxiliary data type we need a sort Btable of tables over booleans. It is constructed from ; and
btable(n; b; B), where b from B, n from N and B from Btable. For example,
btable(succ(0); t; btable(0; f; ;))
denotes a table over booleans with 3 entries, numbered 0 through succ(succ(0)), and with entries 0
and succ(succ(0)) set to t and succ(0) set to f.
Additionally, a function init(n) that creates a table with n entries (number 0 through n   1), all
initalized to f; a function get(n;B) yields the nth value of B; a function invert(n;B) that updates
the nth value of B to not(get(n;B)); a function if(b;B
1
;B
2
) that chooses between B
1
and B
2
, and
functions zero(B), one(B), and more(B) that return t if either none of the entries, precisely one entry,
or more than one entry (respectively) of B has/have the value t, and f otherwise.
Most notably, this sort is used to store information about the specic nodes connected to Bus.
3.2 Bus Operation
Initially, Bus is idle (BusIdle); it knows the number of Link processes that should communicate
with it (n), and administrates in a Btable which Links have had control during a `fairness interval'
(t).
During each fairness interval, each Link process is allowed to gain control over Bus by means of
a fair arbitration request at most once; it may access Bus more than once as a consequence of an
immediate arbitration request. As soon as Bus has been idle for some specic amount of time and
some Link has had access during the running fairness interval (not(zero(t))), an `arbitration reset
gap' (arbresgap) occurs, to indicate that every Link may again be granted access by fair arbitration.
8The time interval that Bus must be idle before such an arbresgap may occur should be longer than
that of a subactgap.
As soon as some Link requests arbitration (rPAreq(id; astat)), Bus enters `decision mode': it checks
in its table whether the requesting node has or has not had access during the present fairness interval;
if not, then Busconrms by won and evolves into a `busy state' (BusBusy); otherwise, Bus just
responds lost (DecideIdle).
In a busy state, it also has to be administrated which nodes have requested immediate arbitration
(next), and which node has control over Bus (busy). The fourth parameter keeps track of which nodes
have received a bad destination eld, and is only present to be able to simulate loss and corruption
of data (see the discussion of the Distribute process).
Being in a busy state, Bus may still receive fair arbitration requests, but they will be conrmed
by lost. A potential candidate for a response on the packet that is put on Bus must make itself
known by an immediate arbitration request, this will be recorded in next. No conrmation is sent,
however, until the `busy node' releases its control.
Furthermore, as long as busy < n some Link process is still wanting to send signals, so the apropriate
clock indications must be generated (sPCind(busy)), and signals must be distributed (Distribute).
The Distribute process recurses over all nodes (as long as lt(i; n)) delivering the requested signal
(except if eq(i; busy)). However, to obtain a realistic simulation, we also modelled the potential loss
or corruption of signals. We have added a function corrupt to S which changes the checksum eld
of header signals, data signals, and acknowledge signals to ?. Moreover, an extra dummy is used to
simulate the situation in which packets with a wrong length are delivered.
 If the signal is a destination signal, then this signal may get invalid in Bus (second summand of
Distribute). However, if this happens, then the header checksum (which comes with the next
signal) is no longer valid. Therefore, it is recorded in the table destfault to which nodes invalid
destinations have been distributed.
 Any signal, except for header signals which should have a corrupted checksum according to the
above, may be delivered correctly (the rst summand of Distribute).
 If the signal to be delivered is either a header signal, a data signal or an acknowledge signal,
then it may be delivered corrupted (third summand) or it may not be delivered at all (fourth
summand).
 If the signal to be delivered is a data signal, then the packet may be extended by sending a
dummy-signal immediately after the data signal.
After Distribute has distributed the signal to every node, it checks whether the distributed signal
was a terminating end. Namely, if it is then the present `busy node' no longer requires access to
Bus and BusBusy is called with n, instead of busy. It should be tested whether there is some node
that has requested immediate arbitration request by examining next. If this is not the case then a
subactgap is distributed to all nodes (SubactionGap) and Bus returns to idle (BusIdle). However,
if some of the entries of next have value t, then control over the Bus must go to some other node
(Resolve).
The Resolve process sends arbitration conrmations (won) and a clock indication to all nodes that
requested immediate arbitration. As long as there is more than one node (more(Next)) having control
over Bus there is a conict situation. Terminating end signals must be received from Link processes
(Resolve2), until there is only one Link having access to Bus. Then, a data request is received from
this node and if it is not an end signal, this signal is distributed to all other nodes; this particular
node becomes the `busy node'. However, if the received signal is indeed an end signal, then no Link
has control over the Bus anymore, so a subactgap is distributed to all Link processes, after which
Bus becomes idle again (BusIdle).
4. Correctness Properties 9
4. Correctness Properties
In this section we formulate some properties we expect to hold for our specications of Link and Bus
(see also appendix D).
We will denote by P1394(n) the process consisting of n Link Layers numbered 0 through n   1
running in parallel with the specication of Bus, assuming that the `send actions' sPDind; sPDreq; : : :
can only happen when they communicate with their corresponding `read actions' rPDind; rPDreq; : : :
and that only the services provided by the Link Layers to the respective Transaction Layers are visible.
That is, if we assume that I and H represent the following sets of actions:
I
def.
=

PDind;PDreq;PAcon;PAreq;
PCind; arbresgap; losesignal

H
def.
=

rPDind; sPDind; rPDreq; sPDreq; rPAcon;
sPAcon; rPAreq; sPAreq; rPCind; sPCind

then P1394(n)
def.
= 
I
 @
H
(Bus (n)kLink (n; 0)).
The following requirements should hold in our specication for every n  1:
 \P1394(n) is deadlock free". That is, it has no trace that ends in a deadlock. Of course,
as soon as one of the Links exhibits a deadlock, then P1394(n) will also eventually enter a
deadlock situation, since subactgaps can no longer be communicated to this process. In real
implementations such deadlocks can be resolved by the node controllers: they can reset every
layer.
 \Between the occurrence of two `subaction gaps' at most two asynchronous packets have travelled
over the Bus". This can be veried by checking that in any trace of @
H
(Bus (n)kLink (n; 0))
at most two LDcon actions take place.
 \If a LDreq action at node 0 < i < n occurred and node i communicates a PAreq each time it
receives a subactgap signal (and before an arbresgap occurs), it also eventually does a LDcon".
Since timing is absent in our specication we need the extra proviso that the PAreq occurs before
the arbresgap. In real implementations timers must make sure that this is the case.
 \Every PAreq with parameter immediate is followed by a a matching PAcon with parameter
won" in any trace of @
H
(Nodes(n))".
 \Between two arbitration reset gaps no node receives a PAcon with parameter won upon a PAreq
with parameter fair more than once."
10
A. Link Data
sort B
func t, f : ! B
func and : B  B ! B func or : B  B ! B func not : B ! B
if : B  B  B ! B
var b : B
rew and(t,b) = b
and(b,t) = b
and(b,f) = f
and(f,b) = f
var b : B
rew or(t,b) = t
or(b,t) = t
or(b,f) = b
or(f,b) = b
var b1, b2 : B
rew not(f) = t
not(t) = f
if(t,b1,b2) = b1
if(f,b1,b2) = b2
sort N
func 0 : !N
succ :N !N
func eq :N N ! B
var n, m :N
rew eq(0,0) = t
eq(succ(n),0) = f
eq(0,succ(n)) = f
eq(succ(n),succ(m)) = eq(n,m)
func lt :N N ! B
var n, m :N
rew lt(0,0) = f
lt(succ(n),0) = f
lt(0,succ(n)) = t
lt(succ(n),succ(m)) = lt(n,m)
sort DATA
func d1, d2 : ! DATA
crc : DATA ! CHECK
rew crc(d1) = >
crc(d2) = >
sort HEADER
func h1, h2 : ! HEADER
crc : HEADER ! CHECK
rew crc(h1) = >
crc(h2) = >
sort ACK
func a1, a2 : ! ACK
crc : ACK ! CHECK
rew crc(a1) = >
crc(a2) = >
sort CHECK
func ?, > : ! CHECK
eq : CHECK  CHECK! B
rew eq(?,?) = t
eq(>,>) = t
eq(>,?) = f
eq(?,>) = f
sort S
func sig : N ! S
sig : HEADER  CHECK! S
sig : DATA  CHECK ! S
sig : ACK  CHECK ! S
start, end : ! S
Prefix, subactgap : ! S
dhead, dummy : ! S
A. Link Data 11
func start?, end? : S ! B
prex?, sagap? : S ! B
var n :N
h : HEADER
d : DATA
a : ACK
c : CHECK
rew
start?(start) = t
start?(end) = f
start?(Prefix) = f
start?(subactgap) = f
start?(dhead) = f
start?(dummy) = f
start?(sig(n)) = f
start?(sig(h,c)) = f
start?(sig(d,c)) = f
start?(sig(a,c)) = f
end?(end) = t
end?(start) = f
end?(Prefix) = f
end?(subactgap) = f
end?(dhead) = f
end?(dummy) = f
end?(sig(n)) = f
end?(sig(h,c)) = f
end?(sig(d,c)) = f
end?(sig(a,c)) = f
prex?(Prefix) = t
prex?(start) = f
prex?(end) = f
prex?(subactgap) = f
prex?(dhead) = f
prex?(dummy) = f
prex?(sig(n)) = f
prex?(sig(h,c)) = f
prex?(sig(d,c)) = f
prex?(sig(a,c)) = f
sagap?(subactgap) = t
sagap?(start) = f
sagap?(end) = f
sagap?(Prefix) = f
sagap?(dhead) = f
sagap?(dummy) = f
sagap?(sig(n)) = f
sagap?(sig(h,c)) = f
sagap?(sig(d,c)) = f
sagap?(sig(a,c)) = f
func dest?, header? : S ! B
data?, ack? : S ! B
var n :N
h : HEADER
d : DATA
a : ACK
c : CHECK
rew
dest?(sig(n)) = t
dest?(sig(h,c)) = f
dest?(sig(d,c)) = f
dest?(sig(a,c)) = f
dest?(start) = f
dest?(end) = f
dest?(Prefix) = f
dest?(subactgap) = f
dest?(dhead) = f
dest?(dummy) = f
header?(sig(h,c)) = t
header?(sig(n)) = f
header?(sig(d,c)) = f
header?(sig(a,c)) = f
header?(start) = f
header?(end) = f
header?(Prefix) = f
header?(subactgap) = f
header?(dhead) = f
header?(dummy) = f
data?(sig(d,c)) = t
data?(sig(n)) = f
data?(sig(h,c)) = f
data?(sig(a,c)) = f
data?(start) = f
data?(end) = f
data?(Prefix) = f
data?(subactgap) = f
data?(dhead) = f
data?(dummy) = f
ack?(sig(a,c)) = t
ack?(sig(n)) = f
ack?(sig(h,c)) = f
ack?(sig(d,c)) = f
ack?(start) = f
ack?(end) = f
ack?(Prefix) = f
ack?(subactgap) = f
ack?(dhead) = f
ack?(dummy) = f
func physig?, terminator? : S ! B
var s : S
rew physig?(s) =
or(start?(s),
or(end?(s),or(prex?(s),sagap?(s))))
terminator?(s) = or(end?(s),prex?(s))
func hda? : S ! B
var s : S
rew hda?(s) =
or(header?(s),or(data?(s),ack?(s)))
12
func valid hpart, valid ack : S ! B
var n :N
h : HEADER
d : DATA
a : ACK
c : CHECK
rew
valid ack(sig(a,c)) = eq(c,>)
valid ack(sig(h,c)) = f
valid ack(sig(d,c)) = f
valid ack(sig(n)) = f
valid ack(start) = f
valid ack(end) = f
valid ack(Prefix) = f
valid ack(subactgap) = f
valid ack(dummy) = f
valid ack(dhead) = f
valid hpart(sig(h,c)) = eq(c,>)
valid hpart(sig(n)) = f
valid hpart(sig(d,c)) = f
valid hpart(sig(a,c)) = f
valid hpart(start) = f
valid hpart(end) = f
valid hpart(Prefix) = f
valid hpart(subactgap) = f
valid hpart(dummy) = f
valid hpart(dhead) = f
func getdest : S !N
getdcrc : S ! CHECK
getdata : S ! DATA
gethead : S ! HEADER
getack : S ! ACK
corrupt : S ! S
var n :N
h : HEADER
d : DATA
a : ACK
c : CHECK
rew getdest(sig(n)) = n
gethead(sig(h,c)) = h
getdcrc(sig(d,c)) = c
getdata(sig(d,c)) = d
getack(sig(a,c)) = a
corrupt(sig(h,c)) = sig(h,?)
corrupt(sig(d,c)) = sig(d,?)
corrupt(sig(a,c)) = sig(a,?)
sort SIG TUPLE
func quadruple : S  S  S  S ! SIG TUPLE
void : ! SIG TUPLE

1
, 
2
, 
3
, 
4
: SIG TUPLE ! S
void? : SIG TUPLE ! B
var x1, x2, x3, x4 : S
rew 
1
(quadruple(x1,x2,x3,x4)) = x1

2
(quadruple(x1,x2,x3,x4)) = x2

3
(quadruple(x1,x2,x3,x4)) = x3

4
(quadruple(x1,x2,x3,x4)) = x4
void?(void) = t
void?(quadruple(x1,x2,x3,x4)) = f
B. Link Layer 13
sort PAC
func won, lost : ! PAC
eq : PAC  PAC! B
rew eq(won,won) = t
eq(lost,lost) = t
eq(won,lost) = f
eq(lost,won) = f
sort PAR
func fair, immediate : ! PAR
eq : PAR  PAR ! B
rew eq(fair,fair) = t
eq(immediate,immediate) = t
eq(fair,immediate) = f
eq(immediate,fair) = f
sort LDC
func ackrec : ACK! LDC
ackmiss, broadsent : ! LDC
sort LDI
func good, broadrec : HEADER  DATA ! LDI
dcrc err : HEADER ! LDI
sort BOC
func release, hold : ! BOC
eq : BOC  BOC! B
rew eq(release,release) = t
eq(hold,hold) = t
eq(release,hold) = f
eq(hold,release) = f
B. Link Layer
act LDreq : N N  HEADER  DATA
LDcon : N  LDC
LDind : N  LDI
LDres : N  ACK  BOC
sPDreq, rPDind :N  S
sPAreq : N  PAR
rPAcon : N  PAC
rPCind : N
proc Link0(n :N, id :N, buer :SIG TUPLE) =
(
P
(dest :N,
P
(h :HEADER,
P
(d :DATA,
LDreq(id,dest,h,d) 
Link0(n,id,quadruple(dhead,sig(dest),sig(h,crc(h)),sig(d,crc(d)))))))
/ void?(buer) . sPAreq(id,fair)  Link1(n,id,buer))
+
P
(p :S, rPDind(id,p)  (Link4(n,id,buer) / start?(p) . Link0(n,id,buer)))
Link1(n :N, id :N, p :SIG TUPLE) =
rPAcon(id,won)  Link2
req
(n,id,p) + rPAcon(id,lost)  Link0(n,id,p)
Link2
req
(n :N, id :N, p :SIG TUPLE) =
(rPCind(id) 
sPDreq(id,start)  rPCind(id)  sPDreq(id,
1
(p))  rPCind(id)  sPDreq(id,
2
(p))) 
(rPCind(id) 
sPDreq(id,
3
(p))  rPCind(id)  sPDreq(id,
4
(p))  rPCind(id)  sPDreq(id,end)) 
(LDcon(id,broadsent)  Link0(n,id,void) / eq(getdest(
2
(p)),n) . Link3(n,id,void))
14
Link3(n :N, id :N, buer :SIG TUPLE) =
P
(p :S,
rPDind(id,p) 
(Link3(n,id,buer) / prex?(p) .
(Link3
RA
(n,id,buer) / start?(p) .
(LDcon(id,ackmiss)  Link0(n,id,buer) / sagap?(p) .
LDcon(id,ackmiss)  LinkWSA(n,id,buer,n)))))
Link3
RA
(n :N, id :N, buer :SIG TUPLE) =
P
(a :S,
rPDind(id,a) 
((LDcon(id,ackmiss)  Link0(n,id,buer) / sagap?(a) .
LDcon(id,ackmiss)  LinkWSA(n,id,buer,n))
/ physig?(a) . Link3
RE
(n,id,buer,a)))
Link3
RE
(n :N, id :N, buer :SIG TUPLE, a :S) =
P
(e :S,
rPDind(id,e) 
(LDcon(id,ackrec(getack(a)))  LinkWSA(n,id,buer,n)
/ and(valid ack(a),terminator?(e)) .
(LDcon(id,ackmiss)  Link0(n,id,buer) / sagap?(e) .
LDcon(id,ackmiss)  LinkWSA(n,id,buer,n))))
Link4(n :N, id :N, buer :SIG TUPLE) =
P
(dh :S,
rPDind(id,dh) 
((Link0(n,id,buer) / sagap?(dh) . LinkWSA(n,id,buer,n)) / physig?(dh) .
Link4
DH
(n,id,buer)))
Link4
DH
(n :N, id :N, buer :SIG TUPLE) =
P
(dest :S,
rPDind(id,dest) 
((sPAreq(id,immediate)  Link4
RH
(n,id,buer,id) / eq(getdest(dest),id) .
(Link4
RH
(n,id,buer,n) / eq(getdest(dest),n) . LinkWSA(n,id,buer,n)))
/ dest?(dest) . (Link0(n,id,buer) / sagap?(dest) . LinkWSA(n,id,buer,n))))
Link4
RH
(n :N, id :N, buer :SIG TUPLE, dest :N) =
P
(h :S,
rPDind(id,h) 
(Link4
RD
(n,id,buer,dest,h) / valid hpart(h) . LinkWSA(n,id,buer,dest)))
Link4
RD
(n :N, id :N, buer :SIG TUPLE, dest :N, h :S) =
P
(d :S,
rPDind(id,d)  (Link4
RE
(n,id,buer,dest,h,d) / data?(d) . LinkWSA(n,id,buer,dest)))
Link4
RE
(n :N, id :N, buer :SIG TUPLE, dest :N, h :S, d :S) =
P
(e :S,
rPDind(id,e) 
((Link4
DRec
(n,id,buer,h,d) / eq(dest,id) . Link4
BRec
(n,id,buer,h,d))
/ terminator?(e) . LinkWSA(n,id,buer,dest)))
C. Bus 15
Link4
DRec
(n :N, id :N, buer :SIG TUPLE, h :S, d :S) =
LDind(id,good(gethead(h),getdata(d)))  rPAcon(id,won)  Link5(n,id,buer)
/ eq(getdcrc(d),>) .
LDind(id,dcrc err(gethead(h)))  rPAcon(id,won)  Link5(n,id,buer)
Link4
BRec
(n :N, id :N, buer :SIG TUPLE, h :S, d :S) =
LDind(id,broadrec(gethead(h),getdata(d)))  Link0(n,id,buer) / eq(getdcrc(d),>) .
Link0(n,id,buer)
Link5(n :N, id :N, buer :SIG TUPLE) =
P
(a :ACK,
P
(b :BOC, LDres(id,a,b)  Link6(n,id,buer,sig(a,crc(a)),b)))
+ rPCind(id)  sPDreq(id,Prefix)  Link5(n,id,buer)
Link6(n :N, id :N, buer :SIG TUPLE, p :S, b :BOC) =
(rPCind(id)  sPDreq(id,start)  rPCind(id)  sPDreq(id,p)) 
(rPCind(id) 
(sPDreq(id,end)  Link0(n,id,buer) / eq(b,release) .
sPDreq(id,Prefix)  Link7(n,id,buer)))
Link7(n :N, id :N, buer :SIG TUPLE) =
rPCind(id)  sPDreq(id,Prefix)  Link7(n,id,buer)
+
P
(dest :N,
P
(h :HEADER,
P
(d :DATA,
LDreq(id,dest,h,d) 
Link2
resp
(n,id,buer,quadruple(dhead,sig(dest),sig(h,crc(h)),sig(d,crc(d)))))))
Link2
resp
(n :N, id :N, buer :SIG TUPLE, p :SIG TUPLE) =
(rPCind(id) 
sPDreq(id,start)  rPCind(id)  sPDreq(id,
1
(p))  rPCind(id)  sPDreq(id,
2
(p))) 
(rPCind(id) 
sPDreq(id,
3
(p))  rPCind(id)  sPDreq(id,
4
(p))  rPCind(id)  sPDreq(id,end)) 
(LDcon(id,broadsent)  Link0(n,id,buer) / eq(getdest(
2
(p)),n) . Link3(n,id,buer))
LinkWSA(n :N, id :N, buer :SIG TUPLE, dest :N) =
P
(p :S, rPDind(id,p)  (Link0(n,id,buer) / sagap?(p) . LinkWSA(n,id,buer,dest)))
+ (rPAcon(id,won)  rPCind(id)  sPDreq(id,end)  Link0(n,id,buer) / eq(dest,id) . )
C. Bus
sort Btable
func ; : ! Btable
btable :N  B  Btable ! Btable
16
func init : N ! Btable
invert :N  Btable ! Btable
get : N  Btable ! B
if : B  Btable  Btable ! Btable
func zero, one, more : Btable ! B
var n, m :N
b : B
bt1, bt2 : Btable
rew init(0) = ;
init(succ(n)) = btable(n,f,init(n))
invert(n,;) = ;
invert(n,btable(m,b,bt1)) =
if(eq(n,m),btable(m,not(b),bt1),
btable(m,b,invert(n,bt1)))
get(n,btable(m,b,bt1)) =
if(eq(n,m),b,get(n,bt1))
if(t,bt1,bt2) = bt1
if(f,bt1,bt2) = bt2
var n :N
bt : Btable
rew zero(;) = t
zero(btable(n,t,bt)) = f
zero(btable(n,f,bt)) = zero(bt)
one(;) = f
one(btable(n,t,bt)) = zero(bt)
one(btable(n,f,bt)) = one(bt)
more(bt) =
and(not(zero(bt)),not(one(bt)))
act rPAreq : N  PAR
rPDreq, sPDind :N  S
sPAcon : N  PAC
sPCind : N
arbresgap
losesignal
proc BusIdle(n :N, t :Btable) =
P
(id :N,
P
(astat :PAR, rPAreq(id,astat)  DecideIdle(n,t,id,astat)))
+ arbresgap  BusIdle(n,init(n)) / not(zero(t)) . 
DecideIdle(n :N, t :Btable, id :N, astat :PAR) =
(sPAcon(id,won)  BusBusy(n,invert(id,t),init(n),init(n),id)) / not(get(id,t)) .
(sPAcon(id,lost)  BusIdle(n,t))
BusBusy(n :N, t :Btable, next :Btable, destfault :Btable, busy :N) =
((sPCind(busy) 
P
(p :S, rPDreq(busy,p)  Distribute(n,t,next,destfault,busy,p,0)))
/ lt(busy,n) . (SubactionGap(n,t,0) / zero(next) . Resolve(n,t,next,0)))
+
P
(j :N, rPAreq(j,fair)  sPAcon(j,lost)  BusBusy(n,t,next,destfault,busy))
+
P
(j :N,
rPAreq(j,immediate) 
(BusBusy(n,t,invert(j,next),destfault,busy) / not(get(j,next)) . ))
SubactionGap(n :N, t :Btable, i :N) =
BusIdle(n,t) / eq(i,n) . sPDind(i,subactgap)  SubactionGap(n,t,succ(i))
Resolve(n :N, t :Btable, next :Btable, i :N) =
(((sPAcon(i,won)  sPCind(i)  Resolve(n,t,next,succ(i))) / get(i,next) .
(Resolve(n,t,next,succ(i))))
/ lt(i,n) . Resolve2(n,t,next))
D. P1394 17
Resolve2(n :N, t :Btable, next :Btable) =
(
P
(j :N, rPDreq(j,end)  (Resolve2(n,t,invert(j,next)) / get(j,next) . )) / more(next) .
P
(j :N,
P
(p :S,
rPDreq(j,p) 
(SubactionGap(n,t,0) / end?(p) . Distribute(n,t,init(n),init(n),j,p,0)))))
Distribute(n :N, t :Btable, next :Btable, destfault :Btable, busy :N, p :S, i :N) =
((( (sPDind(i,p)  Distribute(n,t,next,destfault,busy,p,succ(i))
/ or(not(header?(p)),not(get(i,destfault))) . )
+ (
P
(dest :N,
sPDind(i,sig(dest))  Distribute(n,t,next,invert(i,destfault),busy,p,succ(i)))
/ dest?(p) . )
+ (sPDind(i,corrupt(p))  Distribute(n,t,next,destfault,busy,p,succ(i)) / hda?(p) . )
+ (losesignal  Distribute(n,t,next,destfault,busy,p,succ(i)) / hda?(p) . )
+ (sPDind(i,p)  sPDind(i,dummy)  Distribute(n,t,next,destfault,busy,p,succ(i))
/ data?(p) . )
+ (rPAreq(i,immediate) 
(Distribute(n,t,invert(i,next),destfault,busy,p,i) / not(get(i,next)) . )))
/ not(eq(i,busy)) . Distribute(n,t,next,destfault,busy,p,succ(i)))
/ lt(i,n) .
(BusBusy(n,t,next,destfault,n) / end?(p) . BusBusy(n,t,next,destfault,busy)))
D. P1394
act PDind, PDreq :N  S
PAcon : N  PAC
PAreq : N  PAR
PCind : N
comm rPDind j sPDind = PDind
rPDreq j sPDreq = PDreq
rPAcon j sPAcon = PAcon
rPAreq j sPAreq = PAreq
rPCind j sPCind = PCind
proc Link(n :N, i :N) = (Link0(n,i,void) k Link(n,succ(i))) / lt(succ(i),n) . Link0(n,i,void)
Bus(n :N) = BusIdle(n,init(n))
P1394(n :N) =
(fPDind,PDreq,PAcon,PAreq,PCind,arbresgap,losesignalg,
@(frPDind,sPDind,rPDreq,sPDreq,rPAcon,sPAcon,rPAreq,sPAreq,rPCind,sPCindg,
Bus(n) k Link(n,0)))
18 References
Acknowledgements
Thanks to Hubert Garavel, Jan Friso Groote and Mihaela Sighireanu for a number of comments that
led to improvements and simplications of both the specication and its explanation. I would also
like to thank Judi Romijn for useful discussions on the IEEE Standard.
References
[BW90] J.C.M. Baeten and W.P. Weijland. Process Algebra. Number 18 in Cambridge Tracts in
Theoretical Computer Science. Cambridge University Press, 1990.
[GP94] J.F. Groote and A. Ponse. The syntax and semantics of CRL. In A. Ponse, C. Verhoef, and
S.F.M. van Vlijmen, editors, Algebra of Communicating Processes, Workshops in Computing,
pages 26{62, Utrecht, The Netherlands, 1994. Springer-Verlag.
[IEE95] IEEE. P1394 Standard for a high performance serial bus, 1995. Draft 8.0v2, July 7, 1995.
[Mil89] R. Milner. Communication and Concurrency. Prentice-Hall International, Englewood Clis,
1989.
