SoC Design Approach Using Convertibility Verification by unknown
Hindawi Publishing Corporation
EURASIP Journal on Embedded Systems
Volume 2008, Article ID 296206, 19 pages
doi:10.1155/2008/296206
Research Article
SoC Design Approach Using Convertibility Verification
Roopak Sinha,1 Partha S. Roop,1 and Samik Basu2
1 Department of Electrical and Computer Engineering, The University of Auckland, Auckland 1142, New Zealand
2 Department of Computer Science, Iowa State University, Ames, Iowa 50011, USA
Correspondence should be addressed to Roopak Sinha, roopak.sinha@gmail.com
Received 13 April 2008; Accepted 23 October 2008
Recommended by Eric Rutten
Compositional design of systems on chip from preverified components helps to achieve shorter design cycles and time to market.
However, the design process is aﬀected by the issue of protocol mismatches, where two components fail to communicate with each
other due to protocol diﬀerences. Convertibility verification, which involves the automatic generation of a converter to facilitate
communication between two mismatched components, is a collection of techniques to address protocol mismatches. We present
an approach to convertibility verification using module checking. We use Kripke structures to represent protocols and the temporal
logic ACTL to describe desired system behavior. A tableau-based converter generation algorithm is presented which is shown to be
sound and complete. We have developed a prototype implementation of the proposed algorithm and have used it to verify that it
can handle many classical protocol mismatch problems along with SoC problems. The initial idea for ACTL-based convertibility
verification was presented at SLA++P ’07 as presented in the work by Roopak Sinha et al. 2008.
Copyright © 2008 Roopak Sinha et al. This is an open access article distributed under the Creative Commons Attribution License,
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
1. INTRODUCTION
Systems on chip (SoC) are complex embedded systems built
using preverified components (called intellectual property
blocks or IPs) chosen from available IP libraries. The various
IPs of an SoC may be interconnected via a central system bus
on a single chip.
The integration of IPs into an SoC involves addressing
key compatibility and communication issues. One such
important issue is that of protocol mismatches which arise
when two or more IPs in an SoC have incompatible
protocols. Protocol mismatches may prevent meaningful
communication between IPs as they may not be able to cor-
rectly exchange control signals (due to control mismatches),
exchange data (due to data-width mismatches), and/or
connect to each other at all (due to interface mismatches). For
example, two IPs that have diﬀerent handshaking sequences
have inherent control mismatches. If their word-sizes (the
sizes of their data read/write operations) diﬀer, they suﬀer
from data-width mismatches. Interface mismatches occur
when two IPs use diﬀerent naming conventions for the same
control/data signals, disallowing straightforward integration
of the IPs into an SoC. Unless any mismatches between IPs
are resolved, it is impossible to build an SoC that is consistent
with the intended system-level behavior.
Protocol mismatches may be resolved if one or all of
the mismatched IPs are modified. However, this process of
manual modification is usually ineﬀective because firstly, it
requires significant time and eﬀort to modify complex IPs,
and secondly, if requirements change later in the design
cycle, further repetitions of manual modification might
be required. Protocol mismatches may also be resolved
by using convertibility verification (or protocol conversion)
techniques, which involve the generation of a converter, some
additional glue, that guides mismatched components to
satisfy system-level behavioral requirements while bridging
the mismatches as well.
A possible solution to convertibility verification comes
from the verification of open systems using module checking
[1]. An embedded system may behave diﬀerently under
diﬀerent environments, and verification of an embedded
system under the influence of diﬀerent environments was
studied in [2]. In [3], local module checking, an approach
to build an environment under which a system satisfies
a given specification, was presented. In this paper, we
adapt local module checking for convertibility verification to
build a converter under which IPs satisfy given system-level
specifications.
The main features of the proposed solution are as
follows. Firstly, IPs are represented using Kripke structures
2 EURASIP Journal on Embedded Systems
and communicate synchronously with each other through
input/output control signals. The desired behavior of the
interaction between IPs is described using the tempo-
ral logic ACTL. ACTL is the universal fragment of CTL
which allows only universal path quantification. ACTL is
used for two main reasons. Firstly, the intended behav-
ior of the interaction between mismatched protocols is
usually required to be exhibited over all paths. Hence,
universally quantified specifications are usually suﬃcient
to describe such intended behavior. Secondly, the handling
of existentially quantified formulas (EU and EG) results
in the high (exponential) complexity of module checking
[2].
Given two mismatched IPs and a set of ACTL specifi-
cations to be satisfied by their interaction, an automatic
converter generation algorithm is employed to generate a
converter if possible. We prove that the algorithm is sound
and complete and can be used to resolve many commonly
encountered control mismatches.
The rest of this paper is organized as follows. Section 2
discusses literature related to the proposed approach. An
illustrative example is presented in Section 3. Section 4
presents the formal description of protocols and their
interaction. Section 5 shows how specifications are described
in our setting. Section 6 defines converters and shows how
they control a given pair of mismatched protocols. The
converter generation and extraction algorithm is presented
in Section 7. Implementation results are given in Section 8
followed by concluding remarks in Section 9.
2. RELATED WORK
A number of techniques have been developed to address
the problem of protocol conversion using a wide range
of formal and informal settings with varying degrees
of automation—projection approach [4], quotienting [5],
conversion seeds [6], synchronization [7], and supervisory
control theory [8], just to name a few. Some techniques,
like converters for protocol gateways [9] and interworking
networks [10], rely on ad hoc solutions. Some other
approaches, like protocol conversion based on conversion
seeds [6] and protocol projections [4], require significant
user expertise and guidance. While this problem has been
studied in a number of formal settings [4, 6, 7, 11], only
recently some formal verification-based solutions have been
proposed [8, 12–14].
The closest ones to our approach are [12, 13]. In [12],
the authors present an approach using finite state machines
to represent both the protocols and the desired specifications.
A game-theoretic framework is used to generate a converter.
This solution is restricted only to protocols with half-
duplex communication between them. D’silva et al. [13, 15]
present synchronous protocol automata to allow formal
protocol specification and matching, as well as converter
synthesis. The matching criteria between protocols are based
on whether events are blocking or nonblocking and no
additional specifications can be used. The approach allows
model checking only as an auxiliary verification step to



















Figure 1: The handshake-serial protocol pair.
In contrast to the above techniques, we use temporal
logic to represent desired functionality of the combined
protocols. Being based on temporal logic, our technique
can define desired properties succinctly and with a higher
level of granularity. For example, a desired behavior of the
combination may be sequencing of events such that event
a in protocol P1 always happens before event b in P2. Also,
as our technique is based on the (tableau-based) module
checking algorithm, the converter synthesized is correct by
construction, unlike [13].
The presented approach, based on extending the local
module checking algorithm [3], is similar to the synthesis of
discrete controllers using temporal logic specifications [16,
17]. In [17], a controller synthesis paper using temporal logic
(ctl∗) specifications, the authors note that the problems
of module checking and supervisory control are duals of
each other. The problem of conversion can therefore be
handled by extending any of these dual approaches. However,
it must be noted that the conversion problem addressed
in this paper is not a straight forward implementation of
either module checking or supervisory control. It requires
nontrivial extensions including the handling of multiple
protocols, input-output signals, exchange of signals between
protocols, and special states such as output-only states or
delayed-output states (described later in Section 4).
3. ILLUSTRATIVE EXAMPLE
We motivate our protocol conversion technique using the
following example of two mismatched IPs. Figure 1 shows
the protocols of two IPs, handshake and serial, that need to
communicate with each other. This example was presented
originally in [12] and has been adapted by adding state labels
to each protocol. The handshake protocol emits the outputs
req and gnt which can be read by the serial protocol. The IPs
are expected to communicate by exchanging these I/O signals
infinitely often.
The protocols of the two devices are described as follows.
In its initial state s0, the handshake protocol emits the signal
req and makes a transition to state s1. In s1, it can wait for an
indefinite number of clock ticks (shown as the self-loop on
s1) before writing the signal gnt and moving back to its initial
state s0. Outputs are distinguished from inputs by placing a
bar over them.
Roopak Sinha et al. 3
The serial protocol operates as follows. In its initial state
t0, it waits indefinitely (using the self-loop on t0) for the
signal req and makes a transition to state t1 when req is
available. In t1, it immediately requires the input gnt to make
a transition back to its initial state t0.
Intuitively, the mismatch between the two protocols can
be described as follows. The handshake protocol can wait
indefinitely before writing the signal gnt once it has emitted
the signal req. On the other hand, the serial protocol needs
gnt to be available immediately following the reception of
req. Given this basic diﬀerence in their protocols, it is possible
that their interaction results in the violation of system-level
specifications, such as
(1) a protocol must never attempt to read a signal before
it is emitted by the other;
(2) each emission of a signal by a protocol must be read
successfully by the other protocol before it attempts
to emit more instances of the same signal.
Due to diﬀerent protocols, the IPs cannot guarantee
satisfaction of the above specifications. To enable these IPs
to interact in the desired fashion, a converter to bridge
inconsistencies between their protocols is generated. The
converter acts as a communication medium between the
protocols, as shown in Figure 1, and guides the interaction
between the two protocols by controlling the exchange of
control signals between them. The resulting system, in the
presence of the converter, guarantees the satisfaction of the
given system-level properties.
We use the above handshake-serial example throughout
the the rest of this paper to illustrate our approach.
4. MODEL OF PROTOCOLS
4.1. Kripke structures
Protocols are formally represented using Kripke structures,
defined as follows.
Definition 1 (Kripke structure). A Kripke structure (KS)
is a finite state machine represented by a tuple 〈AP,
S, s0, Σ, R, L, clk〉, where
(i) AP is a set of atomic propositions,
(ii) S is a finite set of states,
(iii) s0 ∈ S is the initial state,
(iv) Σ = ΣI ∪ ΣO ∪ {T} is a finite set of events, where ΣI
is the set of all input events, ΣO is the set of all output
events, and T is the tick event of the clock clk,
(v) R : S × Σ → S is a total (with respect to S) and
deterministic transition function,
(vi) L : S → 2AP is the state labelling function,
(vii) clk is the system clock event.
Transitions of a Kripke structure can be divided into
three categories: input transitions, output transitions, and tick
















Figure 2: Possible types of states in a well-formed Kripke structure.
(a) An input state. (b) An output-only state. (c) A delayed-output
state.
to the tick T of clk which represents the rising edge of
the clock. An input transition from a system’s current state
triggers when the input trigger of the transition is present
at the next tick of the clock. Similarly, an output transition
triggers when the system, at the next clock tick, emits the
output corresponding to a given transition. Finally, in case
of a tick transition, a transition simply triggers on the next
clock tick without the Kripke structure reading any inputs or
emitting any outputs. A tick transition is used to implement
delays. In all three cases, the Kripke structure moves from a
current state to a destination state.
The presence of an event a as an input is denoted as a
(a ∈ Σ) over a transition whereas the emission of a signal b
as an output is denoted as b (b ∈ Σ). In case no input/output
triggers are present, the transition with respect to solely the
clock’s tick event T is taken (T ∈ Σ). Note that R is total
with respect to S, implying that each reachable state in a
KS must have at least one outgoing transition. Furthermore,
R is deterministic, implying that each reachable state can
have only one transition to a unique successor state for any
particular input or output event. The shorthand s
a−→ s′ is
used to represent the transitions of a Kripke structure (s′ =
R(s, a)).
Restrictions
The following restrictions are placed on Kripke structures
representing IP protocols.
(1) Well-formedness. A well-formed KS has only the
following types of states (Figure 2 shows the diﬀerent types
of states in a well-formed Kripke structure).
(i) Input states. A state s ∈ S is an input state if none of
its transitions results in the emission of an output. In other
words, all of its transitions are triggered by input events or
T (see Figure 2(a)). Whenever the KS reaches s, if no input
triggers are present in the next tick, the tick transition is
taken. In case there is no tick transition, s must be provided
with an input that enables one of its transition.
For example, consider the state t1 of the serial protocol
presented in Figure 1. The state must be provided with the
input gnt in the next tick, otherwise its behavior is not
defined.
(ii) Output-only states. A state s ∈ S is an output-only
state if it has only one transition that is triggered by an output
4 EURASIP Journal on Embedded Systems
signal (see Figure 2(b)). Whenever a KS reaches an output-
only state, in the next tick, the lone output transition is taken
(and the corresponding output is emitted). We introduce
the function OutputOnly, where OutputOnly(s) returns true
when the state s is an output-only state.
(iii) Delayed-output states. A state s ∈ S is a delayed-
output state when it has exactly two transitions: one triggered
by an output signal and the other triggered by T . The tick
transition must be a self-loop (s
T−→ s) and must model
an arbitrary delay before the output transition is taken
(see Figure 2(c)). We introduce the function DelayedOutput,
where DelayedOutput(s) returns true when the state s is a
delayed-output state.
We restrict states in a well-formed KS to have at most one
output transition to ensure determinism. A state with two
output transitions is nondeterministic because whenever the
KS reaches such a state, it is not known which output will be
emitted (and which transition will be taken) in the next tick.
For example, state s0 of the handshake protocol presented
in Figure 1 is a delayed-output state with a tick transition
modelling an arbitrary delay. Hence, DelayedOutput (s0) =
tt.
(2) Shared clock. Each KS must execute using the same
clock, allowing multiple protocols to only make synchronous
transitions. This restriction assumes that there are no clock
mismatches between protocols.
Consider the protocol for the handshake IP presented
in Figure 1. The protocol can be described as the Kripke
structure P1 = 〈AP1, S1, s01 ,Σ1,R1,L1, clk1〉, where AP1 =
{Idle1,ROut}, S1 = {s0, s1}, s01 = s0, Σ1 = {req, gnt,T}, R1 =
{s0 T−→ s0, s0 req−→ s1, s1 T−→ s1, s1 gnt−→ s0}, L1(s0) = {Idle1},
and L1(s1) = {ROut}.
In our setting, all Kripke structures execute syn-
chronously using the same clock. Hence, for the protocols
P1 and P2 described above, clk1 = clk2 = clk.
4.2. Composition of Kripke structures
The parallel composition defines the unrestricted composite
behavior of two protocols when they are physically connected
(without a converter).
Definition 2 (parallel composition). Given Kripke structures
P1 = 〈AP1, S1, s01 ,Σ1,R1,L1, clk〉 and P2 = 〈AP2, S2, s02 ,Σ2,
R2,L2, clk〉, their parallel composition, denoted by P1‖P2, is
〈AP1‖2, S1‖2, s01‖2 ,Σ1‖2,R1‖2,L1‖2, clk〉, where
(i) AP1‖2 = AP1 ∪ AP2,
(ii) S1‖2 ⊆ S1 × S2,
(iii) s01‖2 = (s01 , s02 ),
(iv) Σ1‖2 ⊆ Σ1 × Σ2,





]∧ [s2 σ2−→ s′2
] =⇒ [(s1, s2) (σ1,σ2)−−−−→ (s′1, s′2)
]
, (1)
(vi) finally, L1‖2[(s1, s2)] = L1(s1)∪ L2(s2).
Each state s of the parallel composition corresponds to
unique individual states s1 and s2 in the protocols, and its
labels contain every proposition contained as a label of any
of its constituent states. The initial state of the composition
is (s01 , s02 ). Each state s = (s1, s2) of the composition makes a
transition to a successor state s′ = (s′1, s′2) when both protocol
states s1 and s2 make individual transitions to s′1 and s
′
2,
respectively. The transition trigger is obtained by combining
the transition triggers of the participating protocols. Note
that the set of states S1‖2 is a subset of the cartesian product
of the sets of states S1 and S2. This is because S1‖2 contains
only those states that are reached by both protocols making
simultaneous transitions. For the same reason, the event set
Σ1‖2 does not contain all elements of the cartesian product of
Σ1 and Σ2.
Semantics of the transitions of
states in the parallel composition
The parallel composition of two well-formed KS can contain
diﬀerent types of states. The state (s, t) resulting from the
parallel composition of two states s and t can be of 4 diﬀerent
types, depending on types of s and t, as shown in Figure 1.
An output state (see Figure 3(a)) in the parallel compo-
sition results if each of the states s and t is either an output-
only or a delayed-output state. If both s and t are output-
only states with (sole) transitions to states s′ and t′ triggered
by the outputs a and b, the composite state (s, t) has only
one transition to (s′, t′) which results in the emission of the
outputs a and b. If s and/or t have tick transitions (in case one
or both are delayed-output states), the composite state (s, t)
may have additional transitions triggered by a combination
of T and the outputs a and b, as shown in Figure 3(a).
An input-output state (see Figure 3(b)) results when one
of the states s or t is an input state and the other is an output-
only state. Note that for input-output states, all transitions
trigger with respect to one KS emitting an output and the
other reading an input (or the tick event).
An input-delayed-output state (see Figure 3(c)) is
obtained when one of the states s or t is an input state and
the other is a delayed-output state. In this case, half of the
transitions of the input-delayed-output state corresponds to
one KS emitting an output and the other reading an input
(or making a T-transition). For example, in Figure 3(c), the
transitions (s, t)
a, c−−→ (s′, t′) and (s, t) b, c−−→ (s′, t′′) result
in the output c being emitted. We introduce a function
Out : S1‖2 → 2Σ1‖2 , where for any input-delayed-output
state s ∈ S1‖2, Out(s) returns the set of transition triggers
that result in the emission of an output (e.g., in Figure 3(c),
Out((s, t)) = {(a, c), (b, c)}). The remaining transitions of
an input-delayed-output state correspond to one protocol
taking a tick transition and the other reading an input
(hence delaying the emission of the output). We introduce a
function Delay : S1‖2 → 2Σ1‖2 , where for any input-delayed-
output state, s ∈ S1‖2, Delay(s) returns the set of transition
triggers that do not result in the emission of an output (e.g.,
in Figure 3(c), Delay((s, t)) = {(a,T), (b,T)}). Note that
taking the delay transitions merely delays the emission of
an output. For example, if the transition (s, t)
b, T−−→ (s, t′′)




































a, c b, c








































Figure 3: Possible types of states in the composition of two well-formed Kripke structures. (a) An output state. (b) An input-output state.
(c) An input-delayed-output state. (d) An input-only state.
is taken by the state (s, t) in Figure 3(c), the state (s, t′′)
still refers to the delayed-output state s which is capable of
emitting the output c in the next tick after it is reached.
Finally, an input state (see Figure 3(d)) results when both
the states s and t are input states. Each transition in the input
state is triggered when a pair of inputs (or T) is read.
Illustration
The parallel composition P1‖P2 of P1 and P2 in Figure 1 is
shown in Figure 4. The initial state (s0, t0) corresponds to the
initial states s0 and t0 of the two protocols and is labelled by
Idle1 and Idle2.
Each transition from the state (s0, t0) is triggered when
both s0 and t0 take their respective transitions. For example,
the transition from state (s0, t0) to state (s1, t1) is triggered
when s0 makes a transition to s1 (emitting gnt) and t0 makes
a simultaneous transition to t1 (reading gnt).
All states in the parallel composition presented in
Figure 4 are input-delayed-output states as each corresponds
to a delayed-output state from P1 and an input state from
P2 (P1 has only delayed-output states whilst P2 has only
input states). For the input-delayed-output state (s0, t0),
Out((s0, t0)) = {(req,T), (req, req)} while Delay((s0, t0)) =
{(T ,T), (T , req)}.
5. SPECIFICATIONS
Specifications of correct interaction between protocols may
be formally described using temporal logic. In our approach,
ACTL (∀CTL), the universal fragment of CTL is used. ACTL
is a branching time temporal logic with universal path
quantifiers. As described earlier, ACTL is used because it can
describe common protocol conversion specifications and at
the same time results in a lower worst-case complexity of the
conversion algorithm than CTL.
ACTL is defined over a set of propositions using temporal
and boolean operators as follows:
φ −→ P|¬P|tt| f f |φ ∧ φ|φ∨ φ|AXφ|A(φ Uφ)|AGφ|. (2)
Note that, in the above, negation is not applied on temporal
and boolean operators. This restriction is due to the fact that
the converter generation algorithm uses tableau generation
(similar to the local module checking algorithm presented in
[3]), where tableau rules can operate only on formulas where
negations are applied over propositions.
Semantics of ACTL formula, ϕ denoted by [[ϕ]]M , is given
in terms of the set of states in Kripke structure, M, which
satisfies the formula (see (3)):
[[p]]M = {s | p ∈ L(s)},
[[tt]]M = S,
[[ f f ]]M = ∅,
[[ϕ∧ ψ]]M = [[ϕ]]M ∩ [[ψ]]M ,
[[ϕ∨ ψ]]M = [[ϕ]]M ∪ [[ψ]]M ,
[[AXϕ]]M = {s | ∀s −→ s′ ∧ s′ ∈ [[ϕ]]M},
[[A(ϕ Uψ)]]M = {s | ∀(s = s1 −→ s2 −→ · · · ),
∃ j·(s j  ψ)∧∀i < j·(si  ϕ)[i, j ≥ 1]},
[[AGϕ]]M = {s | ∀s = s1 −→ s2 −→ · · ·∧
∀i·si  ϕ(i ≥ 1)}.
(3)
A state s ∈ S is said to satisfy an ACTL formula expression ϕ,
denoted by M, s  ϕ, if s ∈ [[ϕ]]M . We will omit M from the
[[]] and the  relation if the model is evident in the context.
The short hand M  ϕ is used to indicate M, s0  ϕ.
The desired behavior of the interaction of the handshake
and serial protocols presented in Section 3 is described
formally using the following ACTL formulas.


























Figure 4: P1‖P2 for the handshake-serial protocol pair.
[ϕ1] AG(Idle1∧Idle2 ⇒ AX(ROut∨¬RIn)). Whenever a state
in the parallel composition is reached where both
protocols are in their initial states, in all its successors,
the serial protocol does not advance to a state labelled
RIn unless the handshake protocol simultaneously
moves to a state labelled ROut. In other words, the
serial protocol does not read the req signal unless the
handshake emits it simultaneously.
[ϕ2] AG(RIn ∧ ROut ⇒ AX(Idle1 ∨ ¬Idle2)). Whenever a
state in the parallel composition is reached where
both protocols are in states labelled by ROut and RIn,
respectively, in all its successors, the serial protocol
does not move to a state labelled Idle2 unless the
handshake protocol simultaneously moves to a state
labelled Idle1. In other words, the serial protocol does
not read the gnt signal unless handshake emits it
simultaneously.
[ϕ3] AG(ROut ∧ Idle2 ⇒ AX(RIn ∨ ¬Idle1)). Whenever a
state in the parallel composition is reached where the
handshake protocol is in a state labelled by ROut (req
emitted) and the serial protocol is in its initial state, in
all successors, the handshake protocol must not move
to its initial state unless the serial protocol moves to
a state labelled RIn. In other words, once req has been
emitted by the handshake protocol, it must be read
by the serial protocol before handshake moves back
to its initial state and emits gnt.
[ϕ4] AG(Idle1 ∧ RIn ⇒ AX(¬ROut ∨ ¬Idle2)). Whenever
a state in the parallel composition is reached where
the handshake protocol is in its initial state and the
serial protocol is in the state labelled by RIn (req
read), in all successors, the handshake protocol must
not move to a state labelled by ROut unless the serial
protocol moves to its initial state. In other words,
once gnt has been emitted by the handshake protocol
(by moving to its initial state), it must be read by the
serial protocol before handshake moves back to its
initial state and emits req.
In Figure 4, it can be seen that certain paths are
inconsistent with the specifications described in Section 3.
For example, the transition from the initial state (s0, t0) to
(s0, t1) results in the serial protocol reading the input req
before handshake protocol has emitted it, hence violating the
property ϕ1.
6. PROTOCOL CONVERTERS
The composition P1‖P2 (see Figure 4) represents the uncon-
strained behavior of the protocols including undesirable
paths introduced due to mismatches. A converter is needed
to bridge the mismatches appropriately. This section for-
mally introduces converters and also the control exerted by
a converter over participating protocols.
6.1. I/O relationships between
converters and protocols
Firstly, we describe the relationship between the input/
output signals of a converter and the participating protocols.
Inputs to the converter are outputs from the protocols and
vice versa. For example, Figure 1 shows the handshake and
serial protocols connected via a converter. The converter
reads the outputs req and gnt of the handshake protocol and
emits the signals gnt and req to be read by the serial protocol.
This concept of duality of I/O signals is formalized as follows.
Definition 3 (duality). Given a set of input signals ΣI , a set
of output signals ΣO, and two signals a and b, such that
D(a, b) = tt if and only if:
(i) a ∈ ΣI and b ∈ ΣO such that b = a, or
(ii) a ∈ ΣO and b ∈ ΣI such that a = b, or
(iii) a is the tick event T and b = a = T .
Generalizing to pairs of signals, given two pairs A = (a1, a2)
and B = (b1, b2) of signals D(A,B) = tt if and only if
D(a1, b1) and D(a2, b2).
Based on the above definition, each input to the converter
is a dual of an output of participating protocols, and vice
versa. Also, the tick event T is its own dual. This is so because
a converter does not need to provide any inputs/outputs
when protocols make tick-only transitions.
6.2. The role of a converter
A converter C for the parallel composition P1‖P2 of the
two protocols is represented as the Kripke structure 〈APC ,
SC , c0, ΣC , RC , LC , clk〉. Many converters that can disable
transitions in P1‖P2 to ensure the satisfaction of the given
ACTL formulas can be envisaged. However, some of these
may be incorrect. For example, an output transition in one
of the protocols is uncontrollable because a converter cannot
prevent it from happening. A converter that attempts to
block or disable such a transition is not realizable and hence,
deemed incorrect. In our setting, we want to synthesize
correct converters. This notion of correctness is formalized by
defining a conversion refinement relation between converters
and participating protocols. We first provide the intuition
Roopak Sinha et al. 7
behind the converter refinement relation by describing the
role of a correct converter in controlling a given protocol pair.
Given a converter C = 〈APC , SC , c0, ΣC , RC , LC , clk〉,
every state c ∈ SC controls exactly one state s ∈ S1‖2 and we
say that c is matched to s. The following restrictions must be
satisfied by the matched states c and s.
(1) Every transition out of c must correspond to a dual
transition out of s. A transition s
(a,b)−−→ s′ is a dual of a
transition c
(c,d)−−→ c′if D(a, c)and D(b,d) (transitions
have dual I/O). Further, the destinations states of
the dual transitions must also match. This restriction
forms the basis of the control of a converter state over
the matched state in the given parallel composition.
The converter allows a transition in s only if c has a
transition that is a dual of the s transition. In case
neither has a dual transition for a given transition in
s, the transition is disabled by the converter, nor does
the converter disable all transitions of s.
(2) Whenever s is an output state (see Figure 3(a)), the
converter is not permitted to disable any transitions
of s. In other words, corresponding to each transition
of s, c must have a dual transition. This restriction
comes from the fact that each transition of an output
state corresponds to the protocols emitting outputs
or choosing to remain in the current state. These
transitions cannot be disabled by the converter as
the protocols do not read any inputs during any
transition in an output-state.
(3) If s is an input-delayed-output state (see Figure 3(c)),
the converter has to enable precisely one output
transition and one delay transition of s. An input-
delayed-output state corresponds to a delayed-output
state in one protocol and an input state in the
other and has two types of transitions. A delayed-
output protocol state has two types of transitions:
output transitions (returned by the set Out) and
delay transitions (returned by the set Delay). Output
transitions (triggered by the elements of Out(s))
result in an output being emitted by the protocol
while the delay transitions (triggered by the elements
of Delay(s)) result in the protocols delaying the
emission of the output to at least the next tick. As the
converter cannot force the protocols from emitting
an output or taking a delay transition, it must enable
one transition each from the sets Out(s) and Delay(s).
We now define the conversion refinement relation.
Definition 4 (conversion refinement relation). Let P1‖P2 be
the parallel composition of two protocols P1 and P2. A state
s ∈ S1‖2 can be represented as the state (s1, s2), where s1 ∈ S1
and s2 ∈ S2.
Given a converter C = 〈APC , SC , c0, ΣC , RC , LC , clk〉,
a relation B ⊆ SC × S1‖2 is a conversion refinement relation if
for any (c, s) ∈ B, the following conditions hold.
(1) Enabled transitions. For all c
σ ′−→ c′, there exists s σ−→ s′,
for some s, s′ ∈ S1‖2, such that D(σ , σ ′) and (c′, s′) ∈
B.
(2) Output states restriction. If s is an output state, then
there must exist a c
σ ′−→ c′ for every s σ−→ s′ such that
D(σ , σ ′) and (c′, s′) ∈ B.
(3) Input-delayed-output states restriction. If s is an input-
delayed-output state, then c must have precisely two
transitions c
σ ′c−→ c′ and c σ
′′
c−→ c′′ that match transitions
s
σ ′s−→ s′ and s σ
′′
s−→ s′′ of s, respectively, such that
D(σ ′c , σ ′s ), D(σ ′′c , σ ′′s ), σ ′s ∈ Out(s), σ ′′s ∈ Delay(s),
(c′, s′) ∈ B and (c′′, s′′) ∈ B.
A conversion refinement relation between a converter KS
and a given parallel composition states the constraints on a
converter state c that controls a state s in the composition.
Illustration
Figure 5 presents a converter C for the composition of
handshake-serial protocol pair presented in Figure 4. There
exists a conversion refinement relation B between the
converter and the protocols, where
(1) B(c0, (s0, t0)): each transition of c0 is dual to some
transition of (s0, t0) (rule 1) and c0 has at least one
transition (rule 2). State (s0, t0), being an input-
delayed-output state, requires c0 to enable one output
transition and another tick transition (rule 3). c0
satisfies this restriction by having the transition
c0
(req,T)−−−−→ c1 that reads req if it is emitted by the
protocols and the transition c0
(T ,T)−−−→ c0 allowing
(s0, t0) to wait;
(2) B(c1, (s1, t0)): each transition of c1 is dual to some
transition of (s1, t0) (rule 1) and c1 has at least one
transition (rule 2). State (s1, t0), being an input-
delayed-output state, requires c1 to one output tran-
sition and another tick transition (rule 3). c1 satisfies
this restriction by having the transition c1
(gnt,req)−−−−→ c2
that reads gnt if it is emitted by the protocols and the
transition c1
(T ,T)−−−→ c1 allowing (s1, t0) to wait;
(3) B(c2, (s0, t1)): each transition of c2 is dual to some
transition of (s0, t1) (rule 1) and c2 has at least one
transition (rule 2). State (s0, t1), being an input-
delayed-output state, requires c2 to enable one output
transition and another tick transition (rule 4). c2
satisfies this restriction by having the transition
c2
(req,gnt)−−−−→ c1 that reads req if it is emitted by the
protocols and the transition c2
(T ,gnt)−−−−→ c0 allowing
(s0, t1) to wait.
We use the conversion refinement relation to define
correct converters.








































Figure 5: The converter C for the handshake-serial protocol pair.
6.3. Definition of converters
Having defined the relationship between the states of a
converter and the states of participating protocols, we now
define correct converters as follows.
Definition 5 (converter). A correct converter C for two
protocols P1 and P2 with parallel composition P1‖P2 is a
Kripke structure 〈APC , SC , c0, ΣC , RC , LC , clk〉, where
(1) APC = ∅;
(2) SC is a finite set of states and there exists a conversion
refinement relation B such that for every state c ∈
SC , there is a state s ∈ S1‖2 such that B(c, s);
(3) c0 is the initial state such that B(c0, s01‖2 );
(4) ΣC ⊆ {a : b ∈ Σ1∧D(a, b)}×{a : b ∈ Σ2∧D(a, b)};
(5) RC : SC × ΣC → SC is a total (with respect to SC)
transition function;
(6) L(c) = ∅ for any state c ∈ SC .
A converter is a KS whose states are related by a
conversion refinement relation to the states of the given
parallel composition. Its inputs are the outputs from the
parallel compositions and its outputs are the inputs to the
parallel composition. Converter states do not have any state
labels. The converter also operates on the same clock clk
as the protocols. Note that converters are required to have
a transition function that is total with respect to SC . This
means that for every state c ∈ SC , there must be at least one
transition c
σc−→ c′ for some σc ∈ ΣC and c′ ∈ SC .
Illustration
The converter (see Figure 5) for the handshake-serial pair has
the following elements.
(i) SC = {c0, c1, c2} with c0 as the initial state.
(ii) APC = ∅, and for any state c in the converter, L(c) =
∅.
(iii) ΣC = [{req, gnt,T} × {req, gnt,T}].
(iv) As noted earlier, there exists a conversion refinement
relation between the states of C and P1‖P2.
6.4. Lock-step composition
The control of a converter over a given parallel composition
is defined using the // operator as follows.
Definition 6 (lock-step converter composition). Given the
KS P1‖P2 = 〈AP1‖2, S1‖2, s01‖2 , Σ1‖2, R1‖2, L1‖2, clk〉 and
a converter C = 〈APC , SC , sC0, ΣC , RC , LC , clk〉, such
that there exists a conversion refinement relation B between
the states of the C and P1‖P2, the lock-step compo-
sition C//(P1‖P2) = 〈AP1‖2, SC//1‖2, s0C//(1‖2) ,Σ1‖2,RC//(1‖2),
LC//(1‖2), clk〉, where
(1) SC//1‖2 = {(c, s) : c ∈ SC ∧ s ∈ S1‖2 ∧B(c, s)};
(2) s0C//(1‖2) ∈ SC//1‖2 is the initial state. s0C//(1‖2) = (c0, s01‖2 );
(3) RC//(1‖2) : SC//(1‖2) × Σ1‖2 → SC//(1‖2) is the transition
function, where for each state sC//(1‖2) ∈ SC//(1‖2)










⎦ =⇒ (c, s) σs−→ (c′, s′). (4)
(4) LC//(1‖2)(c, s) = L1‖2(s1‖2).
The lock-step composition ensures that states in the
protocols take only those transitions that are allowed by
the converter. Each state in the lock-step composition
corresponds to a state in the converter and its corresponding
state in the parallel composition of the given participating
protocols. For example, the initial state of the lock-step
Roopak Sinha et al. 9
composition corresponds to the initial state of the converter
and the initial state of the given parallel composition.
For any state in the lock-step composition, a transition is
allowed when its constituent converter state has a transition
which is dual to a transition in its corresponding state
in the given parallel composition. In other words, when
a transition in the converter provides any outputs needed
by the participating protocols to trigger a transition in
their composition, and the outputs emitted by the protocols
are read as inputs by the converter during the same
transition, a transition in the lock-step composition triggers.
Similarly, if the protocols emit any outputs in a transition
or do a tick transition, they are read by the converter
in a dual transition. The presence of dual transitions is
guaranteed due to the presence of a conversion refine-
ment relation between the states of the converter and the
protocols.
Illustration
Figure 6 presents the lock-step composition C//(P1‖P2) for
handshake-serial protocol pair presented in Figure 4 and the
converter C presented in Figure 5. The key features of the
composition are as follows.
(i) SC//1‖2 = {(c0, (s0, t0)), (c1, (s1, t0)), (c2, (s0, t1))} with
(c0, (s0, t0)) as the initial state.
(ii) For any state (c, s) ∈ SC//1‖2, c, s) ∈ B.
(iii) For any state (c, s) ∈ SC//1‖2,LC//(1‖2)((c, s)) = L1‖2(s).
(iv) Each transition of any state (c, s) in the lock-step is
a result of individual dual transitions of c and s. For
example, the transition (c0, (s0, t0))
req,T−−−→ (c0, (s1, t0))
is possible only because the transition c0
req,T−−−→ c1 is
dual to the transition (s0, t0)
(req,T)−−−−→ (s1, t0).
It is important to note that the lock-step composition
operator // is diﬀerent from parallel composition operator ‖
(Definition 2). // provides state-based control to a converter
over participating protocols whereas ‖ describes all possible
behaviors of the interaction between two given protocols.
The converter presented in Figure 5 can drive the
handshake-serial protocol pair to satisfy the system-level
properties given in Section 5, or C//(P1‖P2)  ϕ1∧· · ·∧ϕ3.
The next section details the automatic algorithm that is used
to generate the above converter for the handshake-serial
protocol pair.
The resulting system
The lock-step composition of a given converter and a
composition of protocols is a closed system. The protocols
read all inputs from the converter whereas the converter
reads all its inputs from the protocols. Once composed with





















Figure 6: The lock-step composition of the converter C and the
handshake-serial protocol pair.
7. CONVERTER GENERATION USING
TABLEAU-BASED MODEL CHECKING
7.1. Overview
The proposed algorithm attempts to automatically generate
a converter from a given pair of protocols and a set Ψ
of ACTL properties describing the system-level behavior of
their interaction. Given protocols P1 and P2, and a set of
ACTL properties Ψ0, the converter generation problem is
formalized as follows.
?∃ C : ∀ϕ ∈ Ψ0 : C//(P1‖P2)  ϕ. (5)
In other words, is there a converter C for the given
protocols P1 and P2 such that in the presence of C, the
protocols satisfy all the properties contained in Ψ0?
The proposed approach is based on the local module
checking algorithm presented in [3] with nontrivial exten-
sions for use in the convertibility verification domain. Con-
vertibility verification using ACTL specifications is carried
out using tableau construction. The conversion methodology
can be summarized as follows.
(1) Identify the protocols of given IPs and extract their
KS representation.
(2) Describe system-level properties using the temporal
logic ACTL.
(3) Employ tableau construction to generate (if possible)
a successful tableau given the inputs identified in
steps 1 and 2.
(4) If no successful tableau can be generated, return to
steps 1 or 2 (or both) to modify inputs (weaken ACTL
properties or use modified protocols), then repeat
step 3.
(5) If a successful tableau is generated in step 3, a
converter is extracted automatically.
The convertibility verification algorithm is broken into
two major parts: tableau construction and converter extrac-
tion. Although both these steps are carried out simultane-
ously, they are provided separately to aid readability.
10 EURASIP Journal on Embedded Systems
7.2. Tableau construction
7.2.1. Inputs
The tableau construction algorithm takes the following
two inputs into consideration: P1‖P2—the composition of
participating protocols, and Ψ0—the set of ACTL properties
to be satisfied by the interacting protocols.
7.2.2. Data structure and initialization
The proposed algorithm is based on tableau construction
where a proof structure, called a tableau, is constructed. A
tableau is essentially a table of assertions. It is structured in a
top-down manner such that an assertion, called a goal, that
appears directly above some assertions, called subgoals, is
true only when the subgoals are true. The initial goal (the
top-most assertion) for our algorithm is c0//s0  Ψ0 which
requires the existence of a converter state c0 that can guide
the initial state s0 of the protocols to satisfy Ψ. This goal is
then successively resolved into subgoals using tableau rules
(to be described later).
In our setting, like in [18], a tableau is represented as an
acyclic directed graph where goals are represented as nodes
and the edges represent the top-down hierarchy between a
goal and its subgoals. A tableau is defined as follows.
Definition 7 (tableau). Given P1‖P2, and a set of ACTL
properties Ψ0, a tableau Tab is a labelled acyclic graph
〈N ,n0,L〉, where
(i) N is a finite set of nodes of the tableau. Each node
n ∈ N corresponds to a unique state s ∈ S1‖2 and a
unique state c in the converter (to be generated) and
a set of formula Ψ where each formula ϕ ∈ Ψ is a
subformula of some formula in Ψ0;
(ii) n0 is the root node of the tableau, or the initial goal,
which corresponds to the initial state s01‖2 of P1‖P2,
the initial state c0 of the converter to be generated,
and the set of formulas Ψ0;
(iii) L ⊆ N×N is the set of all links (edges) of the tableau.
Each node, that corresponds to states c and s of the
converters and protocols, respectively, and a set of formulas
Ψ, represents the assertion c//s  Ψ. For example, the root
node n0, that corresponds to the states c0 and s0 (initial
states of the converter and the protocols, resp.) and the set
of formulas Ψ0, represents the top-assertion c0//s0  Ψ0.
A node n may have one or more children (nodes to
which it has outgoing edges). Children nodes represent the
subassertions that must be met for the assertion represented
by n is satisfied. Nodes with one or more children are called
internal nodes. Nodes with no children are called leafnodes.
A leafnode could be a TRUE NODE (represented by •), or a
FALSE NODE.
A node is successful when the assertion it represents is
found to be true. A TRUE NODE is implicitly successful as it
represents the assertion c//s  ∅. A FALSE NODE is implicitly
unsuccessful because it represents the assertion c//s  f f .
An internal node is successful when all its children nodes are
successful. Finally, a tableau is successful when its root node
is successful.
The aim of the proposed algorithm is to generate a
successful tableau for the inputs P1‖P2 and Ψ0. During the
initialization phase, only the root node n0 of the tableau is
created.
7.2.3. Tableau construction
After the tableau is initialized, the root node is processed





c//s  [{p} ∪Ψ]
c//s  Ψ , p ∈ L(s)
∧ c//s  [{ϕ1 ∧ ϕ2} ∪Ψ]
c//s  [{ϕ1,ϕ2} ∪Ψ] ,
∨1 c//s  [{ϕ1 ∨ ϕ2} ∪Ψ]
c//s  [{ϕ1} ∪Ψ] , ∨2
c//s  [{ϕ1 ∨ ϕ2} ∪Ψ]
c//s  [{ϕ2} ∪Ψ] ,
unrau
c//s  [{A(ϕ Uψ)} ∪Ψ]
c//s  [(ψ ∨ (ϕ∧ AXA(ϕ Uψ)))∪Ψ] ,
unrag
c//s  [{AGϕ} ∪Ψ]
c//s  [(ϕ∧ AXAGϕ)∪Ψ] ,
unrs
c//s  Ψ





ΨAX = {ϕk|AXϕk ∈ Ψ},
Π = {σ | (s σ−→ sσ)∧ (c σ−→ cσ)∧D(σ , σ ′)}.
(6)
The tableau rules are of the following form:
c//s  Ψ
c1//s1  Ψ1 · · · cn//sn  Ψn . (7)
In the above, c, s, and Ψ are the constituent elements of the
given node n, where Ψ is the set of formulas to be satisfied by
s when it is guided (in lock-step fashion) by the converter c.
s is a state in P1‖P2 and s1, s2, . . . , sn are some successor states
of s, while c1, c2, . . . , cn are the states of the converter to be
generated. Similarly, Ψ is the set of formulas to be satisfied
by s whereas Ψ1,Ψ2, . . . ,Ψn are some derivatives of Ψ. The
numerator represents the proof obligation (goal) that s in
the presence of c must satisfy Ψ. To realize the proof, the
denominator obligations (subgoals) must be satisfied.
The construction proceeds by matching the current
tableau node (initially the root node) with the numerator
of a tableau rule and obtaining the denominator which
constitutes the next set of tableau nodes. Whenever a
tableau rule is applied to a node (goal) to create new
nodes (subgoals), the node has an edge to each such newly
created node. Equation (6) presents the tableau rules for
convertibility verification using ACTL specifications.
The rule emp corresponds to the case when there is no
obligation to be satisfied by the current state of the protocols;
any converter is possible in this case, that is, the converter
allows all possible behavior of the parallel composition at
Roopak Sinha et al. 11
state s. As this scenario describes a TRUE NODE (•), which is
implicitly successful, no further processing is possible.
The prop rule states that a converter is synthesizable only
when the proposition is contained in the labels of the parallel
composition state s; otherwise there exists no converter.
Once the propositional obligation is met, the subsequent
obligation is to satisfy the rest of the formulas in the set
Ψ. For example, if Ψ contains the formulas p, q, and r,
and if the p is a proposition, the rule checks if the parallel
composition state s is labelled by p. If this is indeed the case,
the denominator then requires that the formulas q, and r are
satisfied by the state.
The ∧-rule states that the satisfaction of the conjunctive
formula depends on the satisfaction of each of the conjuncts.
The ∨-rules are the duals of ∧-rule. The rule unrau depends
on the semantics of the temporal operator AU. A state is said
to satisfy A(ϕ Uψ) if and only if it either satisfies ψ or satisfies
ϕ and evolves to new states each of which satisfies A(ϕ Uψ).
Similarly, AGϕ is satisfied by states which satisfy ϕ and whose
all next states satisfy AGϕ (Rule unrag).
Finally, unrs is applied when the formula set in the
numerator Ψ consists formulas of the form AXϕ only.
Satisfaction of these formulas demands that all successor
states of the c//s must satisfy every ϕ where AXϕ ∈ Ψ, that
is, c//s satisfies all elements of ΨAX. A converter controls the
parallel composition through implicit disabling induced by
this rule. The unrestricted behavior of the protocols (where
c allows all the transitions from s) may not be able to satisfy
this obligation as one or more successors may fail to satisfy
the commitments passed to them. However, we can check if
a subset of the successors satisfies these commitments. If a
subset of successors satisfies these future commitments, the
converter can disable all other transitions of s that lead to
states that are not contained in this subset.
In order to identify the subset of successors that satisfies
all future commitments of the current state, we pass these
commitments to each successor of the current state. For k
possible successors, we need to perform k passes of this step.
During each step, a new successor is chosen and the future
commitments are passed to it. If it returns success, it is added
to the subset. Once all successors have been checked, we
return success if the subset is nonempty, and if it satisfies the
well-formedness conditions described earlier in Section 6.2.
In case the subset is empty, we note that there is no successor
of the state s that can fulfil its future commitments, and we
return failure (an unsuccessful tableau).
7.2.4. Termination: finitizing the tableau
It is important to note that the resulting tableau can be of
infinite depth as each recursive formula expression AU or AG
can be unfolded infinitely many times.
This problem due to the unbounded unfolding of the
formula expressions can be addressed using the fixed-point
semantics of the formulas AGϕ and A(ϕ Uψ). The former is
a greatest fixed-point formula while the later is a least fixed-
point formula,
AGϕ ≡ ZAG =ν ϕ∧ AXZAG,
A(ϕ Uψ) ≡ ZAU =μ ψ ∨ (ϕ∧ AXZAU). (8)
The greatest (least) solution for ZAG (ZAU) is the semantics of
AG(ϕ). It can be shown (details are omitted) that satisfaction
of the greatest fixed-point formula is realized via loops in
the model. Least fixed-point formulas require that the paths
satisfying the formulas must have finite length. For these
formulas, if a tableau node is revisited, then it can be inferred
that the LFP formula is not satisfied. As such, if a tableau
node c′//s  Ψ is visited and there exists a prior node
c//s  Ψ (the same tuple s paired with the same Ψ is seen
in a tableau path), we check whether there exists a least
fixed-point formula AU in Ψ. If such a formula is present,
the tableau path is said to have resulted in an unsuccessful
path (FALSE NODE is returned). Otherwise, the tableau path
is successfully terminated by equating c′ with c (a loop in the
converter is generated), and TRUE NODE is returned.
We now look at how the proposed tableau construction
algorithm is implemented.
7.3. Converter generation algorithm
Algorithm 1 shows the recursive converter generation pro-
cedure. Given a state s of the parallel composition, a set
of subformulas FS, and a history of all previously visited
tableau nodes H (all nodes visited on the path from the root
node to the current node) used for finitizing the tableau
(as discussed in Section 7.2), the algorithm first checks if
there are no commitments to be met. In that case, it returns
success (•), otherwise it creates a new node with respect
to the state s and the set of formulas FS. It then checks
if a node with the same elements (state and formulas) has
been visited before. If such a node is found, and FS contains
an AU formula, the algorithm returns failure (FALSE NODE).
Otherwise it returns success (see notes on finitizing the
tableau in Section 7.2) that results in a loop in the converter.
If no matching node is found, the current node is added to
the set of visited nodes. We remove a formula F from FS.
Depending on the type of the formula, the corresponding
tableau rule is applied by calling Algorithm 1 recursively.
If the recursive call returns a non-FALSE NODE, we return
success (by adding the node returned by the recursive call
as a child of the current node). Consider for example the
handling of a disjunction ϕ ∨ ψ. The algorithm first checks
if the state satisfies ϕ along with any other commitments
(subformulas) left after Fwas removed. If a successful tableau
can be generated, the node returns success. Otherwise, we
check if the state satisfies ψ along with the remaining
subformulas and returns success if a successful tableau can be
generated. If however neither tests returns success, the node
returns failure.
If FS contains only future commitment (AX formulas),
the algorithm proceeds as follows. Firstly, the node is marked
as an X NODE. An X NODE refers to an internal node in
the tableau that has been extended using the unrs rule
(see (6)). The future (AX) commitments are passed to each
successor of s. If success is returned, we create a link from
the current node to this newly created node (corresponding
to the selected successor). If failure is returned, we check if
the disabling of a transition to this successor would result
in the breach of a rule of the converter refinement relation
12 EURASIP Journal on Embedded Systems
(1) if FS = ∅ then
(2) return TRUE NODE
(3) end if
(4) curr = createNode(s,FS);
(5) if anc ∈ H = curr then
(6) if FS contains AU formulas then
(7) return FALSE NODE
(8) else





(14) H 1 = H ∪ {curr};
(15) if FS contains a formula F which is not of type AX then
(16) FS 1 := FS− F, Node ret := FALSE NODE
(17) if F = TRUE then
(18) ret := isConv (s,FS 1,H 1)
(19) else if F = p (p ∈ AP) then
(20) if p is satisfied in s then
(21) ret := isConv (s,FS 1,H 1)
(22) end if
(23) else if F = ¬p (p ∈ AP) then
(24) if p is not satisfied in s then
(25) ret := isConv (s,FS 1,H 1)
(26) end if
(27) else if F = ϕ∧ ψ then
(28) ret := isConv (s,FS 1∪ {ϕ,ψ},H 1)
(29) else if F = ϕ∨ ψ then
(30) ret := isConv (s,FS 1∪ {ϕ},H 1)
(31) if ret = FALSE NODE then
(32) ret := isConv (s,FS 1∪ {ψ},H 1)
(33) end if
(34) else if F = AGϕ then
(35) ret := isConv (s,FS 1∪ {ϕ∧ AXAGϕ},H 1)
(36) else if F = A(ϕ Uψ) then
(37) ret := isConv (s,FS 1∪
{ψ ∨ (ϕ∧ AXA(ϕ Uψ))},H 1)
(38) end if





(44) curr.type := X NODE
(45) FS AX = {ϕ | AXϕ ∈ FS}
(46) for each successor s′ of s do
(47) if (N :=isConv (s′,FS AX,H 1)) /=FALSE NODE then
(48) curr.addChild(N)
(49) else if Transition to s′ can not be disabled (As
disabling it would violate the conversion refinement
rules) then




Algorithm 1: NODE isConv (s,FS,E).
(1) Create new map MAP
(2) Create new map PURE MAP
(3) initialState = extractState(t .rootnode);
(4) return initialState
Algorithm 2: STATE extractConverter(Tableau t).
(1) if NODE is present in MAP then
(2) return map.get(NODE)
(3) else if NODE is an internal node then
(4) MAP.put(NODE, extract(NODE.child))
(5) return MAP.get(NODE)
(6) else if NODE is TRUE NODE then
(7) if NODE is related to an ancestor anc then







(15) else if NODE is of type X NODE then
(16) create new converter state c
(17) MAP.put(NODE, c)
(18) for each linked NODE′ of NODE do
(19) State c′ = extract(NODE′)
(20) add transition c
(σ′)−−→ c′ where
NODE.s




Algorithm 3: NODE extract(NODE).
(see Definition 4). For example, if the current successor is
reached via an output transition, the transition to it cannot
be disabled. In such cases when a successor does not meet
future commitments and we cannot disable transitions to
them, we return failure. The algorithm returns success when
one or more successors of s satisfy the future commitments
(and the converter refinement relation holds if a converter
state enables these transitions in s).
7.4. Converter extraction
If a successful tableau is constructed, the converter is
extracted by traversing the nodes of the tableau as shown in
extractConverter algorithm (Algorithm 2). Firstly, it creates
a map MAP. MAP is essentially a lookup table that relates
nodes in the tableau (keys) to states in the converter being
generated (values). This map is initially empty. We then pass
the tableau’s root node to the recursive procedure extract
(Algorithm 3) which processes a given node as follows.
(1) If NODE is already present in MAP as a key, return the
converter state associated with it.
Roopak Sinha et al. 13
(1) if s is present in PURE MAP then
(2) return PURE MAP.get(s)
(3) else
(4) create new converter state c
(5) PURE MAP.put(s,c)
(6) for each successor s′ of s do
(7) State c′ = getPureState(s′)
(8) add transition c
Dσ−−→ c′ where σ is the label of
the transition from s to s
(9) end forreturn c
(10) end if
Algorithm 4: NODE getPureState(s).
(2) If NODE is an internal node, the converter state
corresponding to this node is the converter state
extracted with respect to its child. An internal node
always has one child as it is expanded by the
application of a tableau rule other than unrs.
(3) If NODE is of type TRUE NODE, and it is related to an
ancestor node (see line 9 of isConv), the converter
state corresponding to the node is the same as the
converter state corresponding to its linked ancestor.
(4) If NODEis of type TRUE NODE but is not related to
any ancestors, the converter allows all transitions
in P1‖P2 from this state onwards. We return a
converter state that allows all transitions in the state
corresponding to NODE and any of its successors (see
Algorithm 4).
(5) If NODE is of type X NODE, we create a new converter
state corresponding to the node. The created state c
contains transitions to each state corresponding to
each linked child of the X NODE.
Illustration
This section presents the steps involved in the tableau
construction and converter extraction for the handshake-
serial example in Figure 1.
The tableau construction for the handshake-serial exam-
ple starts at the construction of the root node of the
tableau corresponding to the initial state (s0, t0) of P1‖P2
(see Figure 2), and the set FS (see Section 5) of system-level
properties to be satisfied. The root node is created when these
arguments are passed to the recursive algorithm isConv.
The processing of the root node is shown in Table 1. The
algorithm proceeds as follows. Given the root node (node 0),
the algorithm removes one formula F = AG(Idle1 ∧ Idle2 ⇒
AX(ROut ∨ ¬RIn)) from the set NODE.FS. Then, F is broken
down into simpler commitments (Idle1∧ Idle2 ⇒ AX(ROut∨
¬RIn)) ∧ AXAG(Idle1 ∧ Idle2 ⇒ AX(ROut ∨ ¬RIn)). These
simpler commitments are then reinserted into the set FS
of a new node (node 1 as shown in Table 1) along with all
remaining commitments in node 1.FS, and a recursive call
Table 1: Nodes with the attributes s = (s0, t0), c = c0.
Node Ψ
0
{AG(Idle1 ∧ Idle2 ⇒ AX(ROut ∨¬RIn)),
AG(RIn ∧ ROut ⇒ AX(Idle1 ∨¬Idle2)),
AG(ROut ∧ Idle1 ⇒ AX(¬Idle1 ∨¬Idle2)),
AG(Idle1 ∧ RIn ⇒ AX(¬ROut ∨¬RIn))}
0 {AGψ1,AGψ2,AGψ3,AGψ4}




to isConv is made. The newly created node is added as a
child node of NODE if it returns success. Whenever F is a
propositional formula, it can be checked against the labels
of the state (s0, t0). The process of removing one formula
and reinserting its subformulas stops when NODE contains no
formulas or only AX-type formulas (node 9).
When only AX formulas are left (node 9 in Table 1), the
node is labelled as an X NODE (line 44). At this stage, for
every successor of (s0, t0), the algorithm makes a recursive
call to itself. During each call, the arguments to isConv are
a unique successor of (s0, t0), and all the commitments to be
satisfied by the successor (if it is enabled by the converter).
For calls that return success, their corresponding nodes are
added as children of node 9.
The above process continues until the recursive call made
by the root node returns. For the given example, this call
returns success, which means that a successful tableau has
been constructed. Using the converter extraction algorithm
described earlier, the tableau yields the converter presented
in Figure 5.
7.5. Complexity
The tableau considers all possible subformulas of the given
set of desired properties. In the worst case, each subformula
can be paired with every possible state in the protocol
pair. The complexity of the tableau construction is therefore
O(|S| × 2|ϕ|), where S is the number of states in the protocol
pairs and |ϕ| is the size of the formula(s) used for conversion.
The complexity diﬀers from model checking [18, 19].
The complexity for both CTL and ACTL model checking
algorithms is O(|S| × |ϕ|), where ϕ is the size of the given
formula. The reason for this diﬀerence arises from the
handling of conjunctions of disjunctive formulas in model
checking and our algorithm. In model checking, if a state
is expected to satisfy a formula (a ∨ b) ∧ (c ∨ d) ∧ (e ∨
f ), the algorithm first computes the states that satisfy the
subformulas a, b, c, d, e, f , (a ∨ b), (c ∨ d), and (e ∨ f ) of
the given formula before computing the states that satisfy the
given formula. Hence, each subformula is only checked once.
However, in our approach, the increase in complexity occurs
due to the fact that all possible subformulas (of the given set
of formulas) are considered for every node.





























































Figure 7: Handling of disjunctive formulas.
For example, Figure 7 shows a node which requires the
conjunction of three disjunctive formulas to hold on a
state in the protocols. As there is no particular order in
which formulas are picked from the node’s commitment set
FS (containing the three formulas), we consider the order
given in Figure 7. Formulas a, . . . , f could be any type of
ACTL formulas. Each node is numbered in the order visited.
Initially, the disjunction a∨ b is removed from ψ and a child
node checking only a and the other formulas is created (node
2). In node 2, the formula c∨d is chosen which results in the
creation of node 3 which checks a, c, and e ∨ f . Similarly,
node 3 leads to node 4 which checks a, c, and e. At this
stage, as all remaining formulas are propositional, no further
breaking up can be carried out. Assuming that a, c, and e
are propositions, it is possible for the algorithm to check
their satisfaction linearly. In case any one is not satisfied, we
return failure which results in the creation of node 5 which
checks a, c, and f . Given the order in Figure 7 and assuming
that none of the propositional formulas are satisfied by the
corresponding nodes, the algorithm terminates after it has
checked all possible combination of disjuncts. It can be
seen that the number of nodes created is exponential to the
number of disjunctive formulas.
7.6. Soundness and completeness
The following theorem follows from the above discussion.
The proof of the theorem is provided in the appendix.
Theorem 1 (sound and complete). There exists a converter
C to control two given KS P1 and P2, such that the resulting
system C//(P1‖P2) satisfies a set FS of ACTL formulas, if and
only if isConv (s01‖2 ,FS, ∅) does not return FALSE NODE.
8. RESULTS
A convertibility verification tool using tableau construction
has been implemented using Java. The implementation
takes as input the Kripke structure representation of two
protocols P1 and P2 and a set Ψ of ACTL properties
from the user. The Kripke structure representation of a
protocol is extracted automatically from a given NuSMV
description of an IP. For this purpose, a modified version
of the NuSMV model checking tool is employed [20].
Given these inputs, the algorithm constructs a tableau
after computing the parallel composition P1‖P2. If a suc-
cessful tableau is created, a converter, represented as a
Kripke structure, is automatically generated. This con-
verter is guaranteed to bridge mismatches between the two
protocols.
Table 2 shows the results obtained from the protocol
conversion of various examples. Problems 1–6 are well-
known protocol mismatch problems explored by earlier
works such as [4, 12]. Problems 7–9 are derived from well-
known NuSMV examples [20]. These examples were created
by introducing commonly-encountered control mismatches,
such as incorrect signal exchange sequences and lack of
mutual exclusion, into the systems. Problems 10–14 are
SoC examples that were chosen to show the applicability of
our approach for SoC design. Each of these SoC problems
modeled control mismatches between the AMBA bus and a
peripheral. Diﬀerent version of AMBA, namely the Advanced
High-performance Bus (AHB), Advanced System Bus (ASB),
and Advances Peripheral Bus (APB) were used. Problems
12–15 involve conversion between more than 2 IPs that
is achieved by extending the proposed framework. The
proposed extension to handle “n”-protocols is presented in
[21]. This extension involves the formulation of composition
rules for multiple Kripke structures, and new constraints for
converters (conversion refinement relation) to extend their
control to multiple protocols. The conversion algorithm is
then extended such that its input KSs P1 and P2 are parallel
compositions of multiple protocols.
The first three columns of Table 2 contain the ID,
description, and size (number of states) of the participating
protocols. The intuitive description of the ACTL properties
used for each problem was shown in the fourth column. For
most of the problems presented in Table 2, our algorithm was
Roopak Sinha et al. 15
Table 2: Implementation results.
No. P1(|SP1 |) P1(|SP2 |) ACTL properties
1 Master (3) Slave (3)
Correct sequencing of signal emission, (no read
before a request, no duplicate requests)
2 ABP sender (6) NP receiver (4) Correct exchange of control signals
3 ABP receiver (8) NP sender (3) Correct exchange of control signals
4 Poll-end receiver (2) Ack-nack sender (3)
Correct, loss-free reception of packets by the
receiver
5 Handshake (2) Serial (2) Consistent sequencing [12]
6 Multiwrite master (3) Single-read slave (4)
One read per write of master, master always writes
before the slave reads
7 Mutex process (3) Mutex process (3) Mutual exclusion
8 MCP missionaries (6) MCP cannibals (5) Correct error-free sequencing of two processes
9 4-bit ABP sender (430) Modified receiver (384)
Correction of the interaction such that desired
behavior is achieved
10 AMBA AHB, ASB, or APB arbiter (3) Producer master (4) Correct arbitration (producer always gets access)
11 AMBA AHB, ASB or APB Arbiter (3) Consumer master (4) Correct arbitration (consumer always gets access)
12 AMBA AHB arbiter (3) Producer and consumer masters (16) Arbitration (both always eventually get to execute)
13 AMBA AHB arbiter (3)
Producer, consumer masters, and
memory slave (144)
Correct sequencing and arbitration (packets from
producer to memory to consumer)
14 AMBA AHB arbiter (3) 3 masters and 2 slaves (5184) Correct sequencing and arbitration
15 7-process system (2187) 7-process system (2187) Mutual exclusion and no-starvation
able to generate a converter to control the participation to
satisfy the given ACTL properties.
There was one case (Problem 11) when the algorithm
failed to generate a converter. It failed because of the
inability of the AMBA APB to allow burst transfers (multiple
operations per activation of a master). In cases where the
algorithm fails (an unsuccessful tableau is returned), it
is required that the inputs (IPs and/or specifications) be
modified manually in order to bridge mismatches between
these protocols. To carry out this manual modification,
the unsuccessful tableau returned by the algorithm can be
used (as a counterexample) to find the exact reason (state,
subformula) for failure.
The significance of these results is explained as follows.
For problems 1–6, the use of ACTL specifications resulted
in converters that were similar in size than those generated
when automata-based specifications were used (in [4, 12]).
This shows that ACTL is powerful enough to describe most
commonly-encountered specifications used for conversion.
ACTL also has the additional benefit of being succinct and
more intuitive to write than automata-based properties
for many problems. For example, to guide a 14-process
system to have mutual exclusion (Problem 15), the resulting
automaton that describes such interaction will be very
complex and diﬃcult to write while one can write simple
ACTL properties that describe such interaction. In addition,
a user may provide multiple properties and IPs during
conversion using the proposed algorithm, a feature that is not
oﬀered by earlier works [4, 6]. Furthermore, our approach
is capable of handling bidirectional communication between
IPs, which cannot be handled using approaches such as
[4, 12].
Finally, specifications in our setting are described using
temporal logic properties whereas other approaches like [4,
12] use automata-based specifications. The use of temporal
logic allows us to write complex specifications succinctly by
breaking them down into multiple properties. Furthermore,
in addition to mismatch resolution, the conversion algorithm
can be used to enforce additional properties in the converted
system.
9. CONCLUSIONS
Protocol conversion to resolve mismatches between IPs
is an active research area. A number of solutions have
been proposed. Some approaches require significant user
input and guidance, while some only partly address the
protocol conversion problem. Most formal approaches work
on protocols that have unidirectional communication and
use finite state machines to describe specifications.
In this paper, we propose the first temporal logic-based
approach to protocol conversion that can automatically
generate a converter given the protocols of mismatched
IPs and specifications described as ACTL formulas. The
proposed algorithm uses tableau generation and attempts to
construct a tableau given the above inputs. If the algorithm
succeeds (a successful tableau is constructed), a converter
is automatically generated. This converter is guaranteed to
control the given IPs such that the required ACTL properties
are satisfied.
The approach is shown to be sound and complete and
is capable of handling many common mismatches that
existing conversion techniques can address. In addition,
ACTL formulas are easier to write for complex specifications
16 EURASIP Journal on Embedded Systems
(1) process FS till no conjunctions, AG and AU formulas
remain.
(2) if FS contains no disjunctions then
(3) return FS
(4) end if
(5) Pick a disjunction F = φ∨ ϕ from FS
(6) return extractSets(FS-F + φ) ∪ extractSets(FS-F + ϕ)
Algorithm 5: FormulaSets extractSets (FS).
as compared to automata-based specifications. The proposed
technique can handle bidirectional communication between
protocols and can also ensure that the converted system
satisfies additional temporal logic constraints. All these
features are not provided by any existing approaches to
protocol conversion.
The future direction for this work involves the extension
of the approach to handle data and clock mismatches
between IPs and to provide a correct-by-construction design
technique for SoCs using protocol conversion. Another area
of exploration is the automatic derivation of ACTL properties
to describe the behavior of two or more communicating IPs.
APPENDIX
In order to prove Theorem 1, we first prove the following
lemmas.
Lemma 1 (termination). A call to isConv (s′,H′,E′) always
terminates.
Proof. The proof of this lemma follows from an analysis
of recursion in isConv. The following observations can be
made.
(i) Whenever isConv is called, if a node with the same
attributes (s′ and FS′) exists in the history set H,
then the call returns without further recursion. This
observation can be verified by checking that the
newly created node curr is only added to the tableau
in line 13, after the history set H is checked for the
presence of a node with the same attributes as curr.
If the history set does contain such a node, we either
return FALSE NODE or curr but do not call isConv
any further.
(ii) Whenever a recursive call to isConv is made, and no
node with the same attributes to curr is found in
the history set, the node created in the current call
is always added to the history set H′ before a recursive
call is made (see line 13).
(iii) The number of states in P1‖P2 and the maximum
number of valuations for the sets FS′ are finite in the
following manner.
(a) P1‖P2 has a finite number of states by defini-
tion.
(b) FS′ cannot have a valuation outside the 2|FS|
possible subsets of subformulas of FS.
(iv) As each node corresponds to a combination of
the following: a state of P1‖P2, and a subset FS′
of subformulas of FS, both of which have finite
valuations, the number of nodes that can be created
in isConv is finite.
As described above, the number of nodes that can be
created by isConv is finite. Furthermore, isConv stops
recursing if a newly created node is already present in
the history set, preventing duplicating nodes along all
paths. Hence, it is proved that a call to isConv always
terminates.
Lemma 2 (suﬃcient condition). If isConv(s01‖2 ,FS, ∅)
returns a non-FALSE NODE, there exists a correct converter C
such that C//P1‖P2  FS.
Proof. In order to prove the above lemma, we assume that we
have been given a tableau with root node n0 corresponding
to the initial state s01‖2 , and we generate a converter from
the tableau and show that the converter helps satisfy the
property.
We first note the following characteristics of a successful
tableau return by isConv.
(1) A node can never have a false node as a child. A
leafnode results when the algorithm finds the same
node in the history set. Hence, no further recursion
is done and the leafnode itself has no children. An
internal node makes a recursive call to isConv, and
if that call returns a false node, the calling node does
not add the false node to its children list.
(2) A node is present in the tableau if and only if it
returned a nonfalse node: if a call to isConv returns
false node, the node is not added to the tableau.
Hence, all nodes present in the tableau reachable
from n0 returned a nonfalse node.
(3) All leafnodes and true nodes have no children: these
nodes are formed when there are no subformulas to
satisfy (FS = ∅) or when a node with the same
attributes is found in history. In both these cases, no
further calls to isConv are made.
(4) All internal non-X NODEs have one child only.
(5) An X NODE may have more than one child.
(6) All internal nodes lead to an X NODE, true node,
or a leafnode: given a set of formulas FS, the child
of curr, if curr is an internal node, will have the
same commitments as curr except that one of the
formulas is broken into smaller commitments. If this
process is repeated infinitely often, we reach a fix-
point where no formulas in curr can be broken any
further. At this stage, we can only have AX formulas in
FS which results in the formation of an X NODE. If FS
contains no formulas, we form a true node. It is also
possible that while breaking down formulas from a
parent node to a child node (where both are internal
nodes), we may find that a matching node is already
present in the history set H. In that case, we finitize
Roopak Sinha et al. 17
the tableau by returning the current node curr and
marking it as an internal node.
(7) All leafnodes lead to an X NODE before they are visited
again: a leafnode points to a node in history, which
is an ancestor of the leafnode. That ancestor node
cannot be a leafnode because otherwise there would
have been no path from the ancestor to the current
leafnodes. Furthermore, starting from the ancestor
node, none of its descendent nodes can be leafnodes
(except the current one) because otherwise a path
from that descendent to the leafnode would not have
been possible. The commitments in the leafnode
are the same as those of the matching ancestor.
Now, the child of the ancestor must contain simpler
commitments in its formula set than the ancestor. It
can be seen that the commitments of an internal node
are never repeated by their descendent nodes because
of the successive breaking down of commitments
until only AX commitments remain. Hence, the
ancestor must eventually lead to an X NODE (fix
point where all formulas except AX commitments). It
cannot come to the leafnode without an X NODE in
between because that would require that the ancestor
and leafnodes have diﬀerent attributes (formula sets)
which is not possible.
Given the above observations, we now extract a converter
that satisfies FS starting from the root node using the algo-
rithms extractConverter, extract, and getPureState
given earlier.
extractConverter creates two global variables MAP
and PURE MAP that store all converter states that are gener-
ated. It then calls the recursive algorithm extract and passes
the root node of the successful tableau obtained by isConv.
In algorithm extract, starting from the root node n0, we
recurse until we reach an X NODE or a •. We cannot come to
a leafnode before reaching an X NODE from the root node as
per the above observations. Furthermore, we can only reach
a single X NODE as all internal nodes starting from n0 can only
have one child each.
Corresponding to the X NODE, we create the initial node
c0 of the converter. To c0, we now add all states obtained
by recursively calling extractConverter on each of the
children of the X NODE.
In case we reach a true node, all commitments in FS
have been satisfied and there are no future commitments to
be satisfied. Hence, we now use getPureState to allow the
converter to enable all transitions in the parallel composition
from this point onwards.
Once the above converter is extracted, we can prove
that it indeed satisfies all formulas FS as follows. From
any node curr in the tableau, we may eventually reach an
X NODE currax (possibly through a leafnode) or a true node.
In case we reach a true node, there are no future commit-
ments to satisfy. Furthermore, all present state commitments
must be satisfied in the current node otherwise we could not
have reached a true node (each present state commitment is
removed from FS as it is satisfied by the current node).
If we instead reach an X NODE, it can only contain
AX commitments. We can see that all the present state
commitments in FS of curr are satisfied by the state
curr.state.
Now, we create a converter state c for each X NODE.
Furthermore, c contains one node corresponding to each
child of the X NODE. An X NODE contains a child only if all
AX commitments present in the present node are satisfied by
the successor corresponding to the child. Each child can only
be present in the tableau because it returned success. For each
of this children, we create a further successor of c and repeat
this process until all nodes have been processed.
We can see that each state in the converted system satisfies
all its present commitments and its enabled successors satisfy
all their future commitments.
Lemma 3 (correct converters). Any converter C obtained
from the tableau returned by the call isConv (s01‖2 ,FS, ∅) is
a correct converter.
Proof. The proof of the above lemma follows from the
proof of the previous lemma which shows that a converter
state extracted from an X NODE always ensures conversion
refinement between itself and the state corresponding to the
X NODE.
Lemma 4 (necessary condition). If there exists a converter C
such that C//P1‖P2  FS, isConv (s01‖2 ,FS, ∅) returns a non-
FALSE NODE.
Proof. We assume that we have been given a converter
C under which P1‖P2 satisfies all commitments FS. Fur-
thermore, we assume that isConv (s01‖2 ,FS, ∅) returns a
FALSE NODE.
We now show that above statements are contradictory.
We first process the set FS successively in the following
manner. Each formula F in FS is processed as follows.
(i) If F is tt, ﬀ, proposition, negated proposition, dis-
junction, or AX formula, it is not processed further.
(ii) If F = φ ∧ ϕ: after processing, FS = FS− f ∪ {φ,ϕ}.
(iii) If F = AGφ: after processing, FS = FS∪{φ∧AXAGφ}.
Again, φ can be processed further depending on its
type whilst AXAGφ is an AX formula.
(iv) If F = A(φ Uϕ): after processing, FS = FS∪{ϕ∨ (φ∧
AXA(φ Uϕ)}, which is a disjunction.
Once the above processing is completed, FS will contain
only propositions (including tt and ﬀ), negated propositions,
disjunctions, or AX formulas.
Using the algorithm extractSets, we remove all dis-
junctions by creating multiple copies of FS (Algorithm 5).
Given a formula φ ∨ ϕ in FS, we create two copies of FS,
each containing all formulas in FS except the disjunction
plus one of the operands of the disjunction. We process
FS until all disjunctive formulas are removed, and a set
SetOfFormulaSets containing multiple formula sets. Fur-
thermore, we remove from SetOfFormulaSets all sets that
contain ﬀ, because such a set cannot be satisfied by any state
18 EURASIP Journal on Embedded Systems
in a Kripke structure. Furthermore, we remove from all sets
in SetOfFormulaSets the formula tt because it is implicitly
satisfied by all states in any given Kripke structure.
Each set in SetOfFormulaSets contains only propo-
sitions, negated propositions, and disjunctions. For a state
in a Kripke structure to satisfy the original formula set
FS, it must satisfy at least one of the sets contained in
SetOfFormulaSets. The state must satisfy all propositions
and negated propositions, and its successors must satisfy all
AX formulas. A state does not satisfy FS if it does not satisfy
any of the sets contained in SetOfFormulaSets.
We now show that given a formula set FS, a call
to isConv returns failure (an unsuccessful tableau) only
after checking all possible sets that can be contained in
SetOfFormulaSets.
A call to isConv processes formulas as follows.
(i) A propositional formula p ∈ FS is always checked
against the labels of the given state s in the parallel
composition.
(ii) A negated proposition ¬p ∈ FS is always checked
against the labels of the given state s in the parallel
composition.
(iii) A conjunction is processed by adding both conjuncts
to FS, which are further processed depending on their
type.
(iv) AG formulas are replaced by conjunctions which are
processed further.
(v) AU formulas are replaced by disjunctions.
(vi) A disjunction φ ∨ ϕ is processed as follows. First,
isConv checks whether the current node can satisfy
φ by making a recursive call to isConv and passing
FS in which the disjunction is replaced by the first
disjunct φ. A failure (an unsuccessful tableau) is
returned if an eventual subformula of φ cannot be
satisfied. During this call, φ may be further broken
down to subformulas propositions, negated propo-
sitions, disjunctions, and/or conjunctions which are
handled depending on their respective types.
If the first recursive call returns failure, another call
to isConv is made where FS is passed after the
disjunction is replaced by ϕ. This call now checks all
subformulas of ϕ along with other formulas in FS.
isConv returns failure when both recursive calls
return failure, which happens after all diﬀerent sets
of commitments resulting from the disjunction have
been checked. Note that during this process, it checks
all possible sets of commitments resulting from the
disjunction (along with other formulas in FS).
(vii) When FS contains only AX formulas (all present state
commitments have been checked), isConv tries to
find a subset of the set of successors of the current
parallel composition state, such that each state in the
subset satisfies all AX formulas. Note that isConv also
ensures that the enabled subset ensures that the rules
of the conversion refinement relation are satisfied.
isConv returns failure when no conforming subset
that satisfies the above constraints could be found.
Given a set FS and the initial state s01‖2 of the parallel
composition, the call isConv (s01‖2 ,FS, ∅) results in each
formula of FS being processed as discussed above. All
diﬀerent sets of formulas resulting from the presence of dis-
junctions are checked, including all future AX commitments
that must be satisfied by the successors of the initial state.
For the call to isConv to return failure, no set of commit-
ments present in the set of formula sets extractSets (FS)
must be satisfied. In other words, there must be no possible
converter states under which s01‖2 satisfies FS. However, as
we are given that there exists a correct converter C with the
initial state c0 such that c0//s01‖2  FS, the statement that
isConv may return FALSE NODE cannot be true.
Hence, if there exists a converter that can guide a given
parallel composition to satisfy a given set of commitments,
isConv will never return FALSE NODE. In other words,
isConv will be always able to find a converter.
Proof. The proof of Theorem 1 follows from the above
lemmas.
ACKNOWLEDGMENTS
The authors acknowledge Dr. Alain Girault and Professor
Zoran Salcic for their help in formulating this approach. The
authors would also like to thank the anonymous reviewers of
SLA++p’07 and Eurasip JES (Special Issue: SLA++p’07 and
SLA++P’08) for their invaluable feedback.
REFERENCES
[1] O. Kupferman and M. Y. Vardi, “Module checking [model
checking of open systems],” in Proceedings of the 8th Interna-
tional Conference on Computer Aided Verification (CAV ’96),
pp. 75–86, New Brunswick, NJ, USA, July-August 1996.
[2] O. Kupferman, M. Y. Vardi, and P. Wolper, “Module checking,”
Information and Computation, vol. 164, no. 2, pp. 322–344,
2001.
[3] S. Basu, P. S. Roop, and R. Sinha, “Local module checking
for CTL specifications,” in Proceedings of Formal Foundations
of Embedded Software and IP-Based Software Architectures
(FESCA ’06), pp. 1–19, Vienna, Austria, March-April 2006.
[4] S. S. Lam, “Convertibility verification,” IEEE Transactions on
Software Engineering, vol. 14, no. 3, pp. 353–362, 1988.
[5] K. L. Calvert and S. S. Lam, “Formal methods for convertibility
verification,” IEEE Journal on Selected Areas in Communica-
tion, vol. 8, no. 1, pp. 127–142, 1990.
[6] K. Okumura, “A formal protocol conversion method,” SIG-
COMM Computer Communication Review, vol. 16, no. 3, pp.
30–37, 1986.
[7] J. C. Shu and M. T. Liu, “A synchronization model for
convertibility verification,” in Proceedings of the 8th Annual
Joint Conference on the IEEE Computer and Communications
Societies (INFOCOM ’89), vol. 1, pp. 276–284, Ottawa,
Canada, April 1989.
[8] R. Kumar, S. S. Nelvagal, and S. I. Marcus, “Protocol conver-
sion using supervisory control techniques,” in Proceedings of
the IEEE International Symposium on Computer-Aided Control
Roopak Sinha et al. 19
System Design (CACSD ’96), pp. 32–37, Dearborn, Mich, USA,
September 1996.
[9] G. V. Bochmann, “Deriving protocol converters for communi-
cations gateways,” IEEE Transactions on Communications, vol.
38, no. 9, pp. 1298–1300, 1990.
[10] F. M. Burg and N. Di Iorio, “Networking of networks:
interworking according to OSI,” IEEE Journal on Selected Areas
in Communications, vol. 7, no. 7, pp. 1131–1142, 1989.
[11] P. Green Jr., “Protocol conversion,” IEEE Transactions on
Communications, vol. 34, no. 3, pp. 257–268, 1986.
[12] R. Passerone, L. de Alfaro, T. A. Henzinger, and A. L.
Sangiovanni-Vincentelli, “Convertibility verification and con-
verter synthesis: two faces of the same coin [IP block
interfaces],” in Proceedings of IEEE International Conference on
Computer-Aided Design (ICCAD ’02), pp. 132–139, San Jose,
Calif, USA, November 2002.
[13] V. D’silva, S. Ramesh, and A. Sowmya, “Bridge over troubled
wrappers: automated interface synthesis,” in Proceedings of the
17th International Conference on VLSI Design (VLSID ’04), pp.
189–194, Mumbai, India, January 2004.
[14] S. Gorai, S. Biswas, L. Bhatia, P. Tiwari, and R. S. Mishra,
“Directed-simulation assisted formal verification of serial
protocol and bridge,” in Proceedings of the 43rd Annual
Conference on Design Automation (DAC ’06), pp. 731–736, San
Francisco, Calif, USA, July 2006.
[15] V. D’silva, S. Ramesh, and A. Sowmya, “Synchronous protocol
automata: a framework for modelling and verification of SoC
communication architectures,” in Proceedings of the Conference
on Design, Automation and Test in Europe (DATE ’04), vol. 1,
pp. 390–395, Washington, DC, USA, February 2004.
[16] M. Antoniotti, Synthesis and verification of discrete controllers
for robotics and manufacturing devices with temporal logic and
the control-D system, Ph.D. thesis, New York University, New
York, NY, USA, 1995.
[17] S. Jiang and R. Kumar, “Supervisory control of discrete
event systems with CTL∗ temporal logic specifications,” SIAM
Journal on Control and Optimization, vol. 44, no. 6, pp. 2079–
2103, 2006.
[18] G. Bhat, R. Cleaveland, and O. Grumberg, “Eﬃcient on-the-
fly model checking for CTL,” in Proceedings of the 10th Annual
IEEE Symposium on Logic in Computer Science (LICS ’95), pp.
388–397, San Diego, Calif, USA, June 1995.
[19] E. M. Clarke, E. A. Emerson, and A. P. Sistla, “Automatic veri-
fication of finite-state concurrent systems using temporal logic
specifications,” ACM Transactions on Programming Languages
and Systems, vol. 8, no. 2, pp. 244–263, 1986.
[20] R. Cavada, A. Cimatt, E. Olivetti, M. Pistore, and M. Roveri,
NuSMV 2.1 User Manual, June 2003.
[21] R. Sinha, P. S. Roop, and S. Basu, “A model checking approach
to protocol conversion,” Electronic Notes in Theoretical Com-
puter Science, vol. 203, no. 4, pp. 81–94, 2008.
