A Hybrid Approach to Formal Verification Applied to an ATM Switching System by Clarke, Duncan & Lee, Insup
University of Pennsylvania 
ScholarlyCommons 
Technical Reports (CIS) Department of Computer & Information Science 
January 1996 
A Hybrid Approach to Formal Verification Applied to an ATM 
Switching System 
Duncan Clarke 
University of Pennsylvania 
Insup Lee 
University of Pennsylvania, lee@cis.upenn.edu 
Follow this and additional works at: https://repository.upenn.edu/cis_reports 
Recommended Citation 
Duncan Clarke and Insup Lee, "A Hybrid Approach to Formal Verification Applied to an ATM Switching 
System", . January 1996. 
University of Pennsylvania Department of Computer and Information Science Technical Report No.MS-CIS-96-04. 
This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_reports/182 
For more information, please contact repository@pobox.upenn.edu. 
A Hybrid Approach to Formal Verification Applied to an ATM Switching System 
Abstract 
Verifying the correctness of real-time system models by traditional approaches that depend on the 
exploration of the entire system state space is impractical for large systems. In contrast, testing allows 
the search for violations of a property to be narrowed to a relatively small portion of the overall state 
space based on assumptions regarding the structure of an implementation. We present a hybrid 
approach that exploits formal methods to verify subcomponents of a system and testing to gain 
confidence in the correctness of the assembled system. The feasibility of the approach is demonstrated 
by application of the method to a process algebra model of the Sunshine ATM switching network. 
Comments 
University of Pennsylvania Department of Computer and Information Science Technical Report No.MS-
CIS-96-04. 
This technical report is available at ScholarlyCommons: https://repository.upenn.edu/cis_reports/182 
A Hybrid Approach to Formal Verification 
Applied to an ATM Switching System * 
Duncan Clarke and Insup Lee 
Department of Computer and Information Science 
University of Pennsylvania 
Philadelphia, PA 19104-6389 
January 29, 1996 
Abstract 
Verifying the correctness of real-time system models by traditional approaches that depend 
on the exploration of the entire system state space is impractical for large systems. In contrast, 
testing allows the search for violations of a property to be narrowed to a relatively small portion 
of the overall state space based on assumptions regarding the structure of an implementation. We 
present a hybrid approach that exploits formal methods to verify subcomponents of a system 
and testing to  gain confidence in the correctness of the assembled system. The feasibility of 
the approach is demonstrated by applicatioii of the method to a process algebra model of the 
Sunshine ATM switching network. 
*This research was supported in part by NSF CCR-9415346, AFOSR F49620-95-1-0508, and A R O  DAAH04-95- 
1-0092. 
1 
Contents 
1 Introduction 3 
2 Algebra of Communicating Shared Resources with Value Passing and its Toolkit 4 
2.1 ACSR-VP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 
2.2 VERSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11 
3 The Sunshine ATM Switch Architecture 14 
4 Modeling a Sunshine Switch with ACSR-VP 15 
4.1 Sorting Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 
4.2 T h e T r a p S t a g e . .  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 
4.3 The Selector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 
4.4 Banyan Output Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 
4.5 The Delay Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 
4.6 Final Assembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 
5 Analysis of the  Sunshine Switch Model 20 
5.1 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 
5.2 Empirical Results for the Sunshine Switch Model . . . . . . . . . . . . . . . . . . . . 22 
6 Summary 25 
A 2x2 Crossbar Switching Element (ACSR) 28 
B 2x2 Crossbar Switching Element (ACSR-VP) 30 
C 4x4 Merge Network 32 
D 8x8 Merge Network 3 3 
E 8x8 Batcher Sorting Network 34 
F Trap 36 
G Selector 3 7 
H Banyan Network 39 
I Delay Line 4 2 
J Sunshine Packet Switch 43 
K Two-Port Sequential Delay Line 45 
1 Introduction 
In the fifty years since the birth of electronic digital computing, computers have evolved from 
room-sized machines requiring constant attention from a staff of human servants into omnipresent 
servants of the masses. Having proved their worth in their roles as passive assistants in non-critical 
tasks, computers are increasingly being applied in safety-critical areas where the programming 
errors that cause annoyance and lost productivity in more mundane applications become a threat 
to  property and life. 
The spread of computers into safety critical applications has been propelled by a rapid growth 
in our ability to  efficiently describe and implement complex systems. Unfortunately there has 
not been a corresponding rapid growth in our ability to  effectively verify the correctness of such 
systems. To date the best developed methods for improving system reliability are 1) verification 
using formal methods; and 2) software testing. 
Formal methods use abstract system models such as process algebras or formal logic to  repre- 
sent systems and their requirements. Myriad techniques have been developed for demonstrating the 
equivalence of syntactically different formulations, deriving proofs of system properties, and demon- 
strating that a system model satisfies its requirements. Fornial approaches to  systems analysis are 
valuable because they offer absolute proof of system correctness with respect to  requirements. How- 
ever they have the distinct disadvantage that present techniques are applicable only to  relatively 
small systems. 
In contrast to formal methods, software testing is an analysis and validation technique that is 
applied to  the end-product of development-the executable program-rather than a model. There 
are a great many techniques that explore system behaviors based on simplifying assumptions about 
their internal structure or use a randomized method to test as many behaviors as possible in a 
fixed amount of time. Software testing is valuable because it provides insight into the reliability 
of software systems of any size. However, software testing only provides qualitative assurances of 
reliability. Only in trivial instances does it provide an absolute proof of correctness. 
In this paper we propose a method that brings together formal methods and testing techniques 
to assess the correctness of system models that are too large for analysis by formal methods alone. 
Specifically, a process algebra is used to  model a large system and key subcomponents of the 
system are verified using traditiollal formal methods techniques. For other subcomponents and the 
assembled system we use testing techniques to sample behaviors and check their correctness. The 
end result of analysis is a system model that has been rigorously verified at its lowest level and 
tested to  varying degrees at higher levels. 
Modeling and analysis will be carried out using the Algebra of Communicating Shared Resources 
with Va,lue Passing (ACSR-VP) and the Verification, Execution, and Rewrite System for ACSR 
(VERSA), a toolkit for constructing and analyzing ACSR processes. The analysis techniques are 
made tractable by two novel features of ACSR-VP and the VERSA toolkit. 1) The built-in priority 
mechanism of ACSR-VP can be used to impose a strict ordering on otherwise unordered events. 
This results in an asymptotic reduction in the size of the state space that is constructed during 
testing. 2) VERSA uses a top-down technique to construct the LTS corresponding to  a system's 
state space. During testing this allows us to derive state machines that correspond exactly to the 
state space that is explored by the tests. This is in contrast to  bottom-up state space derivation 
techniques that result in so many unreachable states being computed that the computation is 
intractable. 
To demonstrate the feasibility of the approach we model and analyze the Sunshine Asynchronous 
Transfer Mode (ATM) packet switch architecture. ATM is a packet-switched networking technology 
that exploits small packet sizes and high data link speeds to support a wide range of network 
applications. Correct operation of the packet switch is essential to insuring correct and timely 
routing of packets. The Sunshine packet switch architecture was chosen because its modular design 
made it an ideal candidate for our hybrid analysis techniques, and its large state space made it 
inlpossible to verify with a pure formal methods approach. 
The remainder of this paper is organized as follows. Section 2 describes the process algebra 
that we use to model real-time systems and the toolkit that we have built to support it. Section 3 
presents the architecture of the Sunshine ATM switch that will be the vehicle for presenting our 
method. Section 4 derives an ACSR-VP model of a Sunshine ATM switch. Section 5 describes our 
inethodology and presents the results of applying our hybrid verification techniques to the ATM 
switch model. Section 6 presents concluding remarks. 
2 Algebra of Communicating Shared Resources with Value Pass- 
ing and its Toolkit 
In this section we describe the Algebra of Communicating Shared Resources with Value Passing 
(XCSR-VP). We also describe a toolkit called Verification, Execution, and Rewrite System for 
-4CSR (VERSA) that we have implemented for analyzing processes written in the Algebra of 
Communicating Shared Resources (ACSR), a precursor of ACSR-VP. ACSR-VP is an enhanced 
version of ACSR that has an explicit notion of value passing between concurrent processes. ACSR- 
VP processes can be translated into ACSR processes by a method that will be presented, allowing 
VERSA to be used to analyze ACSR-VP processes. 
2.1 ACSR-VP 
The formal model of real-time systems that we are using to develop our analysis techniques is 
the Algebra of Communicating Shared Resources with Value-Passing, a timed process algebra that 
includes features for representing synchronization, value passing communication, time, temporal 
scopes, resource requirements, and priorities. This section presents a summary of ACSR-VP7s 
syntax and semantics necessary to  understand the descriptions of models to  be analyzed. For a 
complete exposition of the algebra see [LBGG94, BG94, CLX95al. The description of ACSR-VP 
presented here is based on a discrete-time model. The analysis techniques presented in this paper 
are equa1l.y applicable to  a dense-time ACSR-VP that could be derived from [BG94]. We omit 
further consideration of the dense-time model due to space limitations. 
Event and Action Model. ACSR-VP is based on the synchronization model of CCS[Mil89], 
with the addition of (1) value passing communication; and (2) synchronous timed steps to  model 
time consuming tasks and their resource requirements. Synchronization takes place through un- 
timed events denoted by a pair (l ,p),  where 1 is the label of the event, and p is its priority. We 
use DE to denote the domain of events, and let e, f and g range over I D E .  We use l ( e )  and ~ ( e )  
to represent the label and priority, respectively, of the event e. If an event transmits values a "!" 
operator and value vector will be appended to  it, as in (l,p)!(3,4,5). If an event receives values a 
"?" operator and variable vector will be appended to it, as in ( l , p ) ? ( a ,  b, c). 
P ::= N I L I A : P / e . P I b e i P I P l + P 2 1 P l J I P 2  
1 P\F 1 P\\I I P[Re, Ra] 1 rec X - P  I C(Z) 
e ::= (T, ve) 1 (1, ve)?(g) 1 ( ( I ,  ve)!(vel) 
A ..- 
..- 0 I {S) 
S ::= ( r ,  ve) 1 ( r ,  ve), S 
Figure 1: ACSR-VP Syntax 
An action that consumes resources from a set R at priorities from W for one unit of time is 
drawn from the domain P(R  x W), with the restriction that each resource be represented at  most 
once. As an example, the singleton action {(r,p)) denotes the use of some resource r E R running 
at the priority level p for one unit of discrete time. The action 0 represents idling for one time 
unit, since all resources are inactive. We use 'DR to denote the domain of timed actions, and we let 
A,  B and C range over DR. We define p(A) to  be the set of resources used by the action A; e.g., 
p({(rl,pl), (r2,p2))) = {rl, 7-2). We also use n,(A) to denote the priority level of the resource r in 
the action A; e.g., nTl({(rl,pl), (r2,p2))) = pl. By convention, if r is not in p(A), then n,(A) = 0. 
Syntax and Semantics. We use x,  y for value variables, ve, vel for value expressions and be, bel 
for boolean expressions. We denote a vector of value variables, value expressions and boolean 
variables as x, ve and be, respectively. Also, we use 1, l1 to  denote event labels and r ,  r l  to  denote 
resources. F and I represent sets of event labels and resources, respectively. Re and R, are event 
label and resource relabeling functions, respectively. We assume that a process name, denoted by 
C, is associated with the parameters it takes. ACSR-VP's syntax is defined by the BNF grammar 
shown in Figure 1. Parenthesis may be introduced to clarify the grouping of operators. Process 
expressions may be bound to  names and names may be referenced in process expressions. 
NIL is a process that executes no action (i.e., it is deadlocked). The two prefix operators 
correspond to  the two types of actions. The first, A : P, executes a timed, resource-consuming 
action A, consumes one unit of discrete time, and proceeds to  the process P. The second prefix 
operator, e .P ,  executes the instantaneous event e,  and proceeds to  P .  The conditional operator 
be i P continues as P if be evaluates to  true, otherwise it executes no action, like NIL. The Choice 
operator PI + Pz represents nondeterminism - either of the processes may be chosen to  execute, 
subject to  the event offerings and resource limitations of the environment. The operator Pl(IP2 is 
the concurrent execution of PI and P2. 
The restriction operator, P\F, limits the behavior of P by disallowing any externally observable 
events with labels in F. The resource hiding operator, P\I, hides the resources consumed by P that 
appear in I C_ 'R by eliding them from any observable resource consuming steps they may appear 
in. The relaheling operator, P[R,, R,], relabels the externally observable events of P according to  
the relabeling function Re and the resources of P according to the relabeling function R,. 
The process rec X.P denotes standard recursion, allowing the specification of infinite behaviors. 
A process variable X is free in a process expression if it is not contained within the scope of a rec X 
operator. An agent is a syntactically valid process expression with no free process variables. 
In [CLX95a] the formal semantics of ACSR-VP is given in two steps. The first is an operational 
semantics t l ~ a t  describes the translation of ACSR-VP agent expressions into the unprioritized la- 
1)rlctl transitioil systeni (LTS) L L - + " .  The second step uses a preemption relation defined for events 
and actions to  incorporate notions of preemption and priority, producing the prioritized transition 
hystenl "- 7 i .  " 
Tlir following rules describing the Choice operator are typical of the rules that  describe the 
translation t o  the unprioritized transition system: 
These rules state that if an  agent P is capable of executing a (an event or action) and proceeding 
as P'. then P + & is capable of doing the same. Tlle case for events and actions of Q is symmetric. 
'S l~r~s  t11t. clloicr operator "+" is given meaning in terms of transitions in -. 
P r e e m p t i o n  a n d  Pr io r i t i zed  Transi t ions .  The prioritized transition system is based on pre- 
emption, whirh incorporates ACSR-VP's treatment of synchronization, resource-sharing, and pri- 
ority. 'Shc clefinition of preemption is straightforward. Let "<", called the preemption rclalion, be 
ii t ransitivc.. irreflexive, binary relation on actions. Then for two actions a and P, if n 4 ,4, we 
( ; i n  hily Illat "a is preempted by P." This means that  in any real-time system. if there is a choice 
I)c~t\crorn c3sc~cuting either a or p, it will always execute p.  
Definit ion 2.1 ( P r e e m p t i o n  Rela t ion)  For two actions, a, ,!3, 111r say that P preempts a (a 4 
i), iJ' o 1 l r  oJ' the follouing cases holcls: 
1. Both a and 3 arc timed artions in DR, where 
2. Both a and j? are events in DE, where ~ ( a )  < x(P)  A l ( a )  = I(/?) 
3. n E Dl, and /3 E DE, with I ( @ )  = T and r (P )  > 0. 
('asp (1) showi that  the two timed actions, a and P ,  compete for common resources, and in fact, 
the preempted action a may use a superset of p's resources. However, /? uses all of the resources 
Ilrat have a t  least tlrt. same priority level as cu (recall that  r T ( B )  is, by convention, O when r is not 
in U ) .  Also. ,l r1ws a t  least one resource a t  a higher level. 
( ' a w  ( 2 )  shows that  all event may be preempted by another event having the same label but a 
liigli~i priority. 
Finally, case (3)  shows the only case in which an event and a timed action are comparable under 
"4." That is, if 7) > 0 in an  event (T, n), we let the event preempt any timed action. 
The following examples show some comparisons made by the preemption relation, "4." 
\Are define the prioritized transition system "+,," which refines "4" t o account for preemption. 
XBSorto(Icey, pay) = (swap, l ) ! ( key ,  pay).(swap, l)?(key2,  pay2). 
( key  < key2) + XBOuto(key, pay) 
+ (key2 < key) + XBOuto (key2,  pay2) 
XBSortl  ( k e y ,  pay) = (swap, l)?(key2,  payZ).(swap, l ) ! ( k e y ,  pay). 
(key > key2) + XBOutl (key ,  pay) 
+ (key2 > key) + XBOutl(key2,  pay21 
XBOutport (key ,  pay) = (key < KeyRange) + (XOutport ,  l ) ! ( k e y ,  pay), I ) .@ : XBInport 
+ (key = KeyRange) + 0 : XBInport 
XBar  = ( X B I n o  I XBInl)\\{Patho, Pathl, Idlero, Idlerl}\{swap) 
Figure 2: ACSR-VP model of a 2 x 2 Switching Element 
Definition 2.2 The labeled transition system "+," is defined as follows: P s, P' i f  and only if 
01 
I .  P - P' is an unprioritized transition, and 
P 
2. There is no unprioritized transition P - P" such that cr 4 P.  
Example:  A 2 x 2 Crossbar  Switching Element .  We demonstrate the main features of the 
ACSR-VP paradigm by presenting two approaches to  the specification of a 2 x 2 crossbar switching 
element. A 2 x 2 switching element sorts a pair of inputs according to  key field values embedded in 
the inputs. Since only two input values are involved, sorting reduces to reversing the order of the 
inputs when the input keys are out of order. 2 x 2 switching elements are the basic building block 
of the Sunshine network. 
The processes shown in Figure 2 implement the switch as process XBar. Concurrent port 
processes XBI% and XBInl receive the data for ports 0 and 1 via the indexed input event labels 
XI%,,t with parameters key and pay. The port subscript represents the port number the data is 
a,ddressed to  (0 or l), and the key variable represents the key value of the input (from the range 
[O, KeyRange)), and the pay variable represents the payload, or data content of the input (from the 
range [0, PayRange)). The processed data is output via the indexed output event labels XOutPoTt 
with parameters Ley and pay. 
Figure 3 illustrates the structure and operation of the XBar process. Process XBar uses two 
concurrent port processes that (1) autonomously receive inputs; (2) exchange their input values so 
each port process can make a comparison internally; and (3) output the smaller (port 0) or larger 
(port 1) value. The dashed lines indicate the point at which one unit of discrete time passes. 
Smaller 
. . . . . . . . . . . . . . . . . . . . . . . . .  
Figure 3: Structure and Operation of 2 x 2 Crossbar Model 
When an input value is received on port port the XBInpoTt process consumes the PathpoTt and 
Iclle~*~-,,,~ resources for one time unit and continues as XBSortpOTt. The XBSort processes share 
the key values between port processes and proceed t o  the output processes XBOutPoTt. If each port 
detects that  the key values are incorrectly ordered they autonomously swap their key and payload 
values for the values communicated by the other port during the sort step. Otherwise key and 
payload values are passed through unchanged. The XBOut processes output the key and payload 
values received from the sort step, consume one unit of time idling and restart the XBIn processes. 
The second and third lines of the the XBIq,oTt definition provide alternative actions that  are 
executed when one input is inactive, and both inputs are inactive, respectively. For example, if port 
0 receives an input value and port 1 does not, then port 0 will execute a {(Patho, 3),  (Idlerl, 3))  
action. Port 0's use of the Idlerl resource preempts port 1's attempt t o  use it (in line three of the 
definition of XBIq,oTt) so port 1 must execute the other timed action step {(Pathl, 1), (Idle%, 1)) 
that  passes the out-of-range key value KeyRange to  XBSortl. This value is later filtered by the 
,YBOutl process and it is not output as part of an event. The use of a key value larger than 
any valid input key insures that  any singleton inputs will be forwarded to  port 0. If neither port 
receives input then both ports execute the timed action step in which PathpoTt has a priority of 2, 
preempting the lower priority possibility. This Path consumes two units of time and restarts the 
XBIn processes without performing comparisons. 
The XBar process hides its use of the Path and Idler resources t o  avoid conflict between con- 
current XBnr/s. Restriction of the swap event labels insures that  exchanges within XBar use local 
values. 
The XBar process of Figure 2 has the virtue that it is a relatively compact and concise descrip- 
tion of the switching element. However, because of the complex internal actions that  are used in 
this implementation its correctness is not readily apparent. In contrast, the processes of Figure 4 
present a more direct implementation of the switch requirements a t  the expense of a larger and 
more cunibersome -4CSR-VP representation. 
The XBarSeq process of Figure 4 is a switching element implementation that  is equivalent 
(in a sense that  will be defined below) to XBar of Figure 2. However XBarSeq uses no parallel 
composition. The sorting of input and output values is implicit in the the events that  XBarSeq 
offers a t  any given time. Figure 5 illustrates the operation of XBarSeq. 
Initially XBarSeq accepts any input event. If an input event is received on port p then XBarSeq 
proceeds t o  a state that  allows any input key and payload to  be accepted on the complementary 
XBarSeq = ( X I % ,  1)?(key0, pa Y O ) .  
( X I n l ,  l ) ? ( k e y l ,  payl).XBarSeq'(keyO, pay0, keyl ,  payl) 
+ 0 : ( T , ~ ) . ( T ,  2).(XOuto, l ) ! (keyO,  pay0) .0 : XBarSeq 
+ ( X I n l ,  l ) ? ( k e y l ,  payl). 
( X I n O ,  l)?(keyO, pay0) .XBarSeq'(keyO, pay0, keyl ,  payl) 
+ 0 : (r ,  2 ) . ( r ,  2) .(XOuto,  l ) ! ( k e y l ,  payl).O : XBarSeq 
+ 0 : 0 : XBarSeq 
SBnrSeq1(keyO, pay0, keyl ,  payl) = 0 : (r,  2 ) . ( ~ ,  2 ) .  
(key0 < k e y l )  7- (XOuto,  l)!(keyU,payU). 
( X O u t l ,  l ) ! ( k e y l ,  payl).@ : XBarSeq 
+ ( X O u t l ,  l ) ! ( k e y l ,  payl) .  
(XOuto ,  l)!(keyO, payO).fl : XBarSeq 
+ (key0 > k e y l )  + (XOuto ,  l ) ! ( k e y l ,  ~ a y l ) .  
( X O u t l ,  l )!(keyO, payo).@ : XBarSeq 
+ ( X O u t l ,  l )!(keyO, pay0). 
(XOuto ,  l ) ! ( k e y l ,  payl) .0 : XBarSeq 
Figure 4: Sequential ACSR-VP model of a 2 x 2 Switching Element 
port (1-p). Once both input values have been received computation advances through an idle step 
and two T steps. Then a state is reached that outputs the keys and payloads in the correct order on 
the appropriate ports. Tlze sorting of key values is implicit in the conditional operators of process 
,YBarSeq'-the only XOut events that can occur are the events that produce the keys and payloads 
in the correct order. Once the outputs have been delivered XBarSeq executes another idle step and 
returns to the initial state. 
Bisimulation and St rong  Equivalence. Our formal analysis techniques are based on process 
equivalence, where we attempt to  prove that a process P is equivalent to a process Q. Typically, 
P is an abstract operational specification of the problem, while Q is a more detailed implemen- 
tation. The objective is to show that the two processes are operationally equivalent. Equivalence 
between two ACSR-VP processes is based on the concept of bisimulation[Par81], which compares 
the computation trees of the two processes. 
Definition 2.3 For a given transition system "-+ " any binary relation r is a strong bisimulation 
if, for (P, Q )  E r and a! E D, 
1. if P -5 P' then, for some &I, & 5 Q' and (PI, Q') E r ,  and 
2. if Q -5 Q' then, for some P I ,  P 5 P' and ( P I ,  Q') E r. 
To achieve similar behavior using ACSR we would create the following process: 
67 
Therrn = x ( t e m p i ,  I). Heat + 
i=O 
78 
( t emp; ,  l ) . Id le  + 
i=68 
120 
( t empi ,  I). Cool 
In contrast to the pure value-passing implementation, here the event that is received determines 
the next process. There is no explicit conditional operator since the decision is implicit in the 
process structure. Note also that the range of values for the input temperature must be explicitly 
enumerated in this scheme. 
2.2 VERSA 
The Verification, Execution, and Rewrite System for ACSR (VERSA) is an integrated set of tools 
for developing system models using ACSR. We present here an overview of the features that are per- 
tinent to the development of the ATM switching system example. For a more complete presentation 
of VERSA'S capabilities see [CLX95b]. 
VERSA is an interactive system with a text based interface. Users enter their process descrip- 
tions with a syntax that is as close to the pure ACSR syntax as the keyboard will allow. Readability 
of processes and the ability to  describe systems with repetitive structure is enhanced by a macro 
facility that allows manifest constants and parameterized niacros to be used in process descrip- 
tions. Description of modular systems is facilitated by a file inclusion facility that allows system 
descriptions to  be broken up into manageable components and re-combined during analysis. 
System Features. Description and analysis of system models in ACSR is facilitated by the 
following features and capabilities: 
Syntax Checking. Processes are checked for syntactic and semantic correctness as they are 
entered. When errors are discovered they are fed back to the user immediately. 
Compilation. Finite state ACSR agent expressions (processes in which all process variables 
referenced are bound) can be translated into their underlying LTS representation. Translation 
is carried out by a top-down technique that builds the LTS by applying the ACSR semantic 
rules. The translation is top-down in the sense that it begins with the initial process term 
and computes the process terms that derive from it by one transition. This is in contrast 
to  bottom-up techniques that recursively form the LTS froni the components of the initial 
process term. 
State ,Space Analysis. Once an LTS has been constructed it can be explored to  determine 
various key properties including (1) state and edge count; (2) presence of deadlocks; (3)  
presence of Zeno states (states involved in cycles of untimed events); and (4) presence of 
states that can "stop the clock" (states that are deadlocked if synchronization on external 
events does not occur). 
Table 1: Pure ACSR vs. VERSA Syntax 
Pure ACSR 
a, Si, a', a; 
T 
NIL 
I I (composition) 
PA%& R?  S )  
cc 
[PI I
\I 
P[Re , Ral 
Re and Ra 
8 
Definition of index i 
CEO P
nEo P (indexed composition) 
{ail i = 1, . . . , N A pred(i ) )  
Bis imulat ion Checking. VERSA can test whether two finite state ACSR agent expressions 
are bisiniilar. Bisimulation checking is implemented using a state space minimization based 
algorit hm[KS90]. 
VERSA Syntax 
a ,  ' a ,  a ' ,  a [ i l  
t or tau  
Any capitalization of NIL 
1 1  Or I 
scope(P,a,t ,Q,R,S) 
inf or i n f i n i t e  or i n f i n i t y  
[PI 1 
P \ \ I  
P% [Re , RaI 
{11'/11,12'/12,~~~,1n'/ln) 
{) or i d l e  
{ i ,  begin, end,  step,predicate) 
Choice [P {i $ 1 ,  N)] 
Para l l e l  [P {i , l a  N}] 
Set[a[i]{i,l,N,l,pred(i))l 
This list includes only those features of VERSA that will be useful in analyzing the ATM switching 
system. For a complete description of VERSA'S capabilities see [CLX95b]. 
Process Syntax. Wherever possible the standard ACSR syntax has been retained in VERSA. 
The changes made to  accommodate the capabilities of most keyboards are outlined in Table 1. 
An identifier (process variable names, resource names, event labels, etc.) can be any length 
string of alphanumerics or the underscore character that begins with a letter. An identifier preceded 
by an apostrophe (e.g., ' i d )  is an output event label, as in z. The types of identifiers (process 
variable vs. resource names, etc.) are inferred from their first use. 
Process expressions are bound to  process names by the following syntax: 
Process expressions can be bound to a sequence of process names by the following syntax: 
<indexed process name> = <process expression> <index definitions> ; 
Definitions of indices take the form shown in Table 1, where i is the index being defined; begin is an 
integer expression defining the initial value for i ;  end is an integer expression for the largest allowed 
value of i ;  step is an integer expression for the value i is incremented by; and predicate is a boolean 
predicate that is tested for each value of i. If predicate is false, the index value is not used. 
Preprocessing facilities including file inclusion and macro definition are implemented with the 
standard C programming language syntax. That is, #include is used for file inclusion and #define 
is used for constant and parameterized macro definition. The # i fde f  and # i fndef  conditional 
compilation directives are also implemented. Comments can be added t o  process descriptions using 
the standard C / *  and */  block delimiters or the C++ line delimiter, //. 
Example: 2 x 2 Crossbar Switching Element Revisited. Section A of the Appendix presents 
a complete translation of the switching element of Figure 2 into VERSA syntax. It also augments 
the original process description with indices that allow multiple copies of the process to  be created 
with priorities assigned t o  their events. Thus the original XBar specification is translated into 
XBar [ptyl  with p t y  taken froni a range of priority values, one for each different crossbar that  is 
createci. 
The VERSA description begins with header comments that describe the operation of the XBar 
process in detail. Processes XBIn and XBSort are translations of the XBIn and XBSort processes 
of Figure 2. The p t y  index is added to  the process name to  distinguish multiple copies running a t  
different priority levels, and the p t y  index as used as the priority level in events. 
Process XBOut is a similar translation of XBOut with the addition of the XBarReversal param- 
eter. If the XBarReversal name is defined the sort order is reversed (the larger value is output on 
port 0). The description of XBar uses the shorthand notation (*I t o  hide all resources instead of 
naming thein explicitly as they were in the original ACSR version of Figure 2. 
To demonstrate the use of ACSR's equivalence testing features to  verify the correctness of XBar 
we saved the description of XBar t o  the file XBar.acsr. We then performed a similar translation 
for XBarSeq of figure 4 and saved it as XBarseq. a c s r .  Then we carried out the steps shown in 
Figure 6. 
In Figure 6 lines 1 through 3 set the priority parameters t o  generate exactly one process named 
XBar [I] .  Lines 4 and 5 set the ranges for the key and payload values, respectively. Lines 6 and 7 
read the specifications one a t  a time, performing syntax and semantic checking as the files are read. 
Line 8 shows the switch of Figure 2 (process XBarC11) being compared t o  the purely sequential 
specification (process XBarSeq, adapted from Figure 4). The output indicates that the LTS's that  
were constructed for each process were equivalent according to our definition of prioritized strong 
equivalence. 
With the aid of VERSA'S equivalence testing features we have proved the correctness of XBar [I], 
our basic building block for the ATM switching system, subject to  the following assumptions: 
XBar [I] is an accurate encoding of XBar. 
XBarSeq is an accurate encoding of XBarSeq. 
XBarSeq is correct (which is apparent from inspection of its simple sequential structure). 
Figure 6 also includes a sample of the output generated by entering the interactive interpreter 
and analyzing the state space of the LTS. Line 9 requests that  VERSA create the LTS corresponding 
to  XBar [I] and enter interactive interpretation mode. The lines of output that  follow display 
the edges that  can be traversed from the initial state of XBar Ci1 . Line 10 requests state space 
exploration. and the Lines of output that follow are the result. According t o  the output, the LTS 
for XBar [i] contains 615 states and 1035 edges. None of the states are deadlocked, although there 
are 108 states that  require external synchronization or a deadlock will occur. 
ready> #define PtyMin 1 
ready> #define PtyMax 1 
ready> #define PtyStep 1 
ready> #define KeyRange 6 
ready> #define PayRange 2 
ready> #include "XBar.acsr" 
ready> #include "XBarSeq. acsr"  
ready> XBar [ll == XBarSeq? 
t r u e  (by p r i o r i t i z e d  s t rong equivalence) 
ready> XBar [ll ! 
XBar [ll < I >  --(XIn[O,O,O] , I ) - ->  
<2> --(XIn[O,O, 11 , I ) - ->  
. . .  
<25> --(I--> no-name 
[XBar [I] 1 ready> show s t a t s  ( l o )  
S t a t e  machine contains  615 reachable s t a t e s  (0 deadlocked), 1035 edges. 
Edges represent  171 timed t r a n s i t i o n s ,  
336 i n t e r n a l  ac t ions ,  and 
528 ex terna l  untimed ac t ions .  
108 non-deadlocked s t a t e s  a r e  capable of stopping t h e  clock. 
Time t o  compute LTS: 3 seconds user  t ime; 0.13 seconds system t ime.  
Figure 6: VERSA Verification of 2 x 2 Switching Element 
3 The Sunshine ATM Switch Architecture 
Sunshine[C~HMf 91, Zeg931 is a packet switch that uses sorting networks to route packets from 
input ports to  output ports based on a destination address field. Packet loss due to  output port 
contention is mitigated by a feedback loop that reroutes packets to the input ports rather than 
dropping them. 
Figure 7 presents a simplified representation of the basic Sunshine architecture. Packets arriving 
a t  the N input ports contain an address field that indicates which of the N output ports the 
data should be routed to. At the same time T recycled packets are received from the upper 
feedback loop. These are packets that could not be routed on their first pass due to output port 
contention. (Contention occurs when two or more packets are destined for the same output port 
acldress simultaneously.) Once received at the input ports of the first sorting network the N 
new packets and T recycled packets are treated identically. Thus the main body of the switch is 
responsible for routing N + T packets to N output ports and T overflow paths. 
The first sorter uses a Batcher sorting network to  sort packets by their output port address. 
The trap stage examines contiguous packets to determine when multiple packets are destined for 
the same output port address. Within each group of packets destined for the same output port 
one packet per port is marked for output (output bit set to  1) and the remainder for recirculation 
(output bit set to  0). The output bit is prepended as the high-order bit of the output port address 
