Model Checking in Practice: An Analysis of the ACCESS.bus Protocol using SPIN by Boigelot, Bernard & Godefroid, Patrice















1000 E. Warrenville Road
Naperville, IL 60566, U.S.A.
god@research.att.com
Abstract. This paper presents a case study of the use of model checking
for analyzing an industrial protocol, the ACCESS.bus
TM
protocol. Our
analysis of this protocol was carried out using SPIN, an automated veri-
cation system which includes an implementation of model-checking algo-
rithms. A model of the protocol was developed, and properties expressed
by linear-time temporal-logic formulas were checked on this model. This
analysis revealed subtle aws in the design of the protocol. Developers
who worked on implementations of ACCESS.bus
TM
were unaware of
these aws at a very late stage of their development process. We also
present suggestions for solving the detected problems.
1 Introduction
State-space exploration techniques are increasingly being used for debugging
and proving correct nite-state concurrent reactive systems (cf. [Rud87, Liu89,
HK90, Hol91, DDHY92, FGM
+
92]). These techniques consist of exploring a
global state graph, called the state space, representing the combined behavior of
all concurrent components in the system. This is done by recursively exploring
all successor states of all states encountered during the exploration, starting from
a given initial state, by executing all enabled transitions in each state. Many dif-
ferent types of properties of a system can be checked by exploring its state space:
deadlocks, dead code, unspecied receptions, buer overruns, etc. Moreover, the
range of properties that state-space exploration techniques can verify has been
substantially broadened during the last decade thanks to the development of
?
\Aspirant" (Research Assistant) for the National Fund for Scientic Research
(Belgium). The work of this author was done in part while visiting AT&T Bell
Laboratories.
??
This work was carried out in part while this author was with the University of Liege.
model-checking methods for various temporal logics (e.g., [CES86, LP85, QS81,
VW86]).





protocol is a serial com-
munication protocol aimed at providing a simple, uniform, and inexpensive way
to connect peripheral devices (such as keyboards, mice, modems, monitors, and
printers) to a host computer. It has been developed and standardized by an
industrial consortium of computer and peripheral manufacturers, referred to as
the ACCESS.bus
TM
Industry Group [ACC94]. At the time of this writing, im-
plementations of the ACCESS.bus
TM
protocol already exist, and are expected
to be commercialized soon.
Our analysis of the correctness of the ACCESS.bus
TM
protocol was performed
using the automated protocol verication system SPIN [Hol91]. SPIN checks
properties of communication protocols, modeled in the Promela language, by
exploring their state space. Promela is a nondeterministic guarded-command
language for modeling systems of concurrent processes that can interact via
shared variables and message channels. Interaction via message channels can
be either synchronous (i.e., by rendez-vous) or asynchronous (buered) with
arbitrary (user-specied) buer capacities, and arbitrary numbers of message
parameters. Given a concurrent system modeled by a Promela program, SPIN
can check for deadlocks, dead code, violations of user-specied assertions, and
temporal properties expressed by linear-time temporal-logic formulas. When a
violation of a property is detected, SPIN reports a scenario, i.e., a sequence of
transitions, violating this property.
Our analysis of the ACCESS.bus
TM
protocol pointed out several ambiguities
in the standardized document specifying the protocol. Moreover, it revealed sub-
tle and potentially harmful aws in the design of the protocol itself. Developers
who worked on implementations of ACCESS.bus
TM
were still unaware of these
aws at a very late stage of their development process.
This paper is organized as follows. In the next section, we present an overview
of the ACCESS.bus
TM
protocol. Next, we describe our model for this protocol,
and discuss our assumptions. In Section 4, we specify two basic properties that
the protocol has to satisfy. Then, we turn to the verication of these properties.
For both of these properties, SPIN reported scenarios violating the property.
These scenarios are presented in Sections 5 and 6. By analyzing these scenarios,







protocol is a serial communication protocol. Its purpose is
to provide a simple, uniform and inexpensive way to connect peripheral devices
to a host computer. The analysis presented in this paper is based on release 2.2
of the protocol specications [ACC94].
An important feature of ACCESS.bus
TM
is that it supports dynamic recon-
guration, which means that devices can be connected to the bus while the
system is operating, and can become operational without the system being re-
booted. The overall structure of ACCESS.bus
TM
is illustrated in Figure 1. The
protocol is composed of a hardware layer based on the I
2
C protocol developed
by Philips, and of two software layers referred to as \Base Protocol" and \Device












C protocol is a serial protocol that is used for interconnecting IC's
inside electronic appliances such as TV's and VCR's. It uses a bus composed of
two wires, serial data (SDA) and serial clock (SCL), which connects the host
and the devices together. Each component (i.e., device or host) has an 8-bit I
2
C
address which is not necessarily unique and may change over time. When a com-
ponent is plugged in, its address becomes the default I
2
C address. Information is
transmitted on the I
2
C bus by means of messages composed of an address part
and a data part. Since the bus is synchronous, there is no propagation delay. Any
I
2
C component may try to send a message at any time over the bus. Although a
same message can be sent simultaneously by several components, an arbitration
mechanism ensures that two dierent messages are never sent at the same time.
This mechanism is deterministic: whenever two or more components attempt to
simultaneously send dierent messages over the I
2
C layer, the conict is resolved
in favor of the same message. A transmitted message is received by a component
if and only if the address of the component matches the address part of the
message, and the component is not simultaneously transmitting the same mes-
sage over the bus. A message can thus be lost if its recipient is simultaneously
transmitting the same message, or if there is no recipient. Each time a message
is sent over the I
2
C layer, its sender receives a Positive Acknowledgment from
the I
2
C layer if the message is received by another component, and a Negative
Acknowledgment otherwise.
The Base Protocol aims at ensuring that every device will always be recog-
Message Types Purpose
Reset() Force a device to its power-up state and to the default
I
2
C address. This message is sent by the host on power-up
to all the I
2
C addresses. A device also sends this message
to its address right after being assigned a new address.
Attention() Inform the host that a device has nished its power-
up/reset test and needs to be congured.
IdenticationRequest() Ask a device for its identication string, which is a se-
quence of bytes describing the hardware composing the
device. This message is issued by the host after reception
of an Attention message from a device.
IdenticationReply(Id) Reply to IdenticationRequest with the identication
string Id of the device.
AssignAddress(Id, Addr) Ask all the devices with a matching identication string
Id to turn their address into Addr.
PresenceCheck() Check if a device is present on the bus at a specic ad-
dress (specied in the address part of the message). This
message is sent by the host at regular intervals of time in
order to detect new and missing devices.
CapabilitiesRequest(Oset) Ask a device to send a fragment (specied byOset) of its
capabilities string, which is a sequence of bytes describing
the functional characteristics of the device.
CapabilitiesReply(Oset, Data) Reply to CapabilitiesRequest with a fragment of the ca-
pabilities string of the device.
EnableApplicationReport() Enable or disable a device to send application reports,
that is, device-dependent functional information, to the
host.
ApplicationReport(Data) Send device-dependent functional information.
Fig. 2. Base Protocol Message Types.
nized by the host within a nite amount of time after being plugged in, that it
will be assigned a unique I
2
C address, and that its Device Drivers will be able to
send and receive device-dependent functional data (such as mouse moves). The
Base Protocol denes a set of message types that can be sent over the I
2
C layer.
These message types are listed in Figure 2. When a device is plugged in, it sends
an Attention message to the host, which should reply with an Identication-
Request message, which should itself be replied to with an IdenticationReply
message from the device. Then, the host should send an AssignAddress message
containing a new I
2
C address for the device. When processing this message, the
device updates its address, and sends a Reset message to this address.
3 Design of the Model
Our analysis of ACCESS.bus
TM
focused on the power-up/reset and identication
phases, that is, the part of the Base Protocol dealing with Reset, Attention, Iden-
ticationRequest, IdenticationReply, AssignAddress and PresenceCheck mes-
sages. We made the following assumptions in order to resolve ambiguities in
the specication document.
3
{ At the Base Protocol layer, every message received from the I
2
C layer is
stored in a bounded fo buer while waiting to be processed. If the buer is
full, new incoming messages are lost.
{ The processing of a Reset message by a Base Protocol entity empties its
associated fo buer.
Moreover, the following features of ACCESS.bus
TM
were not modeled:
{ the deterministic nature of the I
2
C arbitration mechanism,
{ the timing constraints dened in the specication document, and
{ the possible corruption of messages sent over the I
2
C bus.
Consequently, if a message is sent over the I
2
C layer at the same time by one or
more components, it is always correctly received exactly once by every compo-
nent with a matching address that does not belong to the set of the senders.
The overall structure of the model is shown in Figure 3. Each component is
modeled by two processes: a microcontroller and an Upper Base Protocol (UBP).
The I
2
C bus is modeled by shared variables, since message broadcasting is not
a basic communication primitive in Promela. A set of semaphores is used to
control the access to the bus.
Each microcontroller continually listens to the bus, grabs messages destined
to its corresponding UBP, and appends them to a bounded fo buer, which
is a basic Promela data type. Each UBP takes messages from its associated
fo buer, and processes them according to the protocol rules (cf. Figure 2).
It can send messages directly (without queuing) over the I
2
C layer. Moreover,
it can nondeterministically switch between two modes, plugged and unplugged,
3











Device #1 Device #2 Host
Fig. 3. Structure of the model.
in order to simulate repeated pluggings and unpluggings of the corresponding
component.
Initially, all devices are assumed to be unplugged. To keep the state space
of the Promela model as small as possible, the maximum size of each fo buer
was set to two elements, and the number of devices was limited to two. The
complete Promela model contains about 200 lines of code.
4 Properties
The specication document [ACC94] does not contain a precise and complete de-
scription of the service provided by the Base Protocol to the Device Drivers. Two
basic properties that have to be satised by the Base Protocol were extracted
from the document.
Property 1. A device d
i





) dierent from the default I
2
C address, and it has sent a Reset
message to the address addr(d
i
). At any time, all devices that are operational
must have dierent I
2
C addresses.
This property can be formalized by using linear-time propositional temporal
logic [MP92]. Linear-time temporal logic can be used for specifying properties
of innite sequences of states. Propositions in the logic correspond to boolean
conditions on variables and process states of the program. Formulas are con-
structed over propositions using the classical boolean connectives (:, _, : : : )
and the temporal operators 2 (always), 3 (eventually), and

(next). Formulas






: : : of states: given a particular in-
nite sequence of states, the formula is either satised or falsied by this sequence.
Informally, one has:
{ 2 p holds in state s
i
if p holds in s
i
and in all successor states of s
i
in the
sequence on which the formula is interpreted;
{ 3 p holds in s
i







p holds in s
i
if p holds in the next state of the sequence.
We refer the reader to [MP92, Eme90] for a detailed presentation of the syntax
and the semantics of linear-time temporal logic.

















) is true if device d
i











C addresses () denotes logical
implication).
The second property of the Base Protocol we consider is the following.
Property 2. Whenever a device is plugged in, it will eventually become oper-
ational, provided that it remains plugged.











) is true if device d
1
is plugged.
Given the nite state space A
G
of a system and a linear-time temporal-
logic formula f , checking that all innite sequences of states dened by tran-
sitions in A
G
satisfy f is known as the model-checking problem. Various tech-
niques have been proposed for solving this problem [LP85, VW86, CVWY90,
GH93, GPVW95]. SPIN includes an implementation of the algorithms presented
in [GH93] and [GPVW95], which are based on a depth-rst search in the state
space of the system (see [GH93] for details). When SPIN detects a sequence
of states that violates the property to be checked, it stops its search, and ex-
hibits this scenario (formed by all states and transitions currently stored in the
depth-rst-search \stack") to the user.
Let us now turn to the results obtained by SPIN with the Promela model
described in the previous section and the two properties dened above.
5 Verication of Property 1
5.1 First Flaw
After a few seconds of computation, SPIN detected that the rst property was
not satised.
Figure 4 depicts a rst sequence of transitions leading to a state where two
devices are operational while having been assigned the same I
2
C address. In this
diagram, a thin vertical time line is associated with each plugged component.
Time increases from the top to the bottom of the time lines. The sending of a
Dev #1 Host Dev #2
Attention Attention
Ident. Request Ident. Request
Ident. Reply Ident. Reply
Reset Reset
Assign Address(a) Assign Address(a)
Fig. 4. First aw.
message through the I
2
C layer is represented by an horizontal arrow drawn from
the time line of the sender to the time line of the receiver. (Indeed, there is no
delay between the sending and the reception of a message.) The head and the
tail of the arrow correspond to the exact moment when the message starts to
be transmitted on the I
2
C bus. If a message is lost (i.e., is not received by any
component), the corresponding arrow does not reach any time line. A message
is lost when its recipient does not exist, when its recipient is sending the same
message over the bus, or when the fo buer of the recipient is full. Thick vertical
lines represent the delay between the moment when the message is appended to
the input buer of its recipient and the moment when the message is actually
processed by its recipient.
In the scenario of Figure 4, two devices with the same identication string
are plugged in at the same time. If both devices send and receive simultaneously
all the messages shown in Figure 4, it is impossible for the host to distinguish
them. Moreover, the self-addressed Reset message is not received by any device
if they both send this message at the same time.
This problem is a direct consequence of the properties of I
2
C, and is not
surprising. However, it is worth noticing that having two devices sending the
same message at exactly the same time is not an unlikely event. Two devices
that wait for sending a message will synchronize on the message frame currently
being transmitted on the I
2
C bus, and will both start trying to transmit their
message at the exact end of this frame.
5.2 Second Flaw
A more complex sequence of events violating Property 1 is given in Figure 5. As
in the previous scenario, two devices are plugged in and have the same identica-
tion string. The rst device nishes its internal initialization process, and sends
an Attention to the host at time t
0
. At time t
1
, the host assigns the address a to






















Fig. 5. Second aw.
fo buer of the device. Then the second device sends an Attention to the host,
and enters its identication phase. When the host assigns the address b to the
second device at time t
2
, the AssignAddress message is also received by the rst
device, since its address is still the default address at that time, because the
request to change its address to a is still waiting in its buer and has not been
processed yet. When the rst device nally processes its incoming messages, it
changes its address to a at time t
3
, sends a self addressed Reset, and sets its
address to b at time t
4
. The self addressed Reset messages are then sent simulta-
neously by both devices, and are thus lost, allowing the two devices to become
operational with the same address b.
This scenario reveals another problem in the protocol: here, the erroneous
situation results not only from losing two Reset messages, but also from delaying
an AssignAddress in a fo buer.
5.3 Third Flaw
When observing the rst two aws, one could wonder if Property 1 is violated
only when two devices may share the same identication string. SPIN can easily



















Fig. 6. Third aw.
address to two devices with dierent identication strings is given in Figure 6.
As in the previous scenario, the rst device starts its identication phase at time
t
0
, and the processing of the AssignAddress message received from the host at
time t
1
is delayed until time t
2
. In the meantime, the second device sends an
Attention to the host, and proceeds with its identication phase. On reception of
an IdenticationReply from the second device, the host issues a PresenceCheck
aimed at checking if the rst device is still plugged. The rst device does not
receive this PresenceCheck message, since it is still using the default bus address.
Therefore, the host receives a Negative Acknowledgment from the I
2
C layer. It
concludes that the rst device is not present anymore, and that address a is
available. It then assigns address a to the second device at time t
3
. Again, if the
self-addressed Reset messages are sent simultaneously by the two devices, they
are lost, and both devices become operational with the same address a, thus
violating the rst property.
5.4 Suggestions
The three scenarios presented in Figures 4, 5, and 6 reveal the existence of three
causes of errors for Property 1 in the Base Protocol:
{ a Reset message is lost,
{ two devices share the same identication number, and
{ the processing of an AssignAddress is delayed.
For eliminating these causes of errors, we suggest the following modications
to the Base Protocol.
In order to avoid losing Reset messages, these messages should not be ap-
pended to the input buers of their recipients, but should rather be processed
immediately upon reception, for instance by issuing hardware interrupts to no-
tify immediately the corresponding UBP of the arrival of such a message. In
such a way, Reset messages will not be lost when the input buers of their re-
cipients are full. Moreover, the loss of a Reset message due to the fact that it is
simultaneously sent by two (or more) components can be avoided by adding a
unique rmware number of the sender to each Reset message frame. If this radi-
cal solution is too expensive to be implemented, adding a random number (e.g.,
the value of an internal clock) to each Reset message frame will strongly reduce
the probability of losing a Reset message because of simultaneous transmissions
of it. This probability can be further reduced by waiting for a random amount
of time before trying to send a Reset message.
Concerning the second cause, preventing identical identication strings can
be done by using a unique rmware number in the identication string of each
device.
Finally, the problems resulting from delaying an AssignAddress message can
be avoided by the two following modications. First, AssignAddress messages
should be processed immediately upon reception, for instance by using hard-
ware interrupts as indicated above. Second, whenever a component receives an
AssignAddress message requesting a modication of its current I
2
C address, its
fo buer should be emptied.
Once we have modied our Promela model by following the above sugges-
tions, SPIN proved in about 30 minutes of computation on a SPARC20 worksta-
tion with 256 Megabytes of RAM that Property 1 was satised by all possible
executions of the model. Note that the correctness proof of our model does not
guarantee that the modications suggested above are sucient for avoiding the
reported problems in practice.
It is worth noticing that the timing constraints dened in the specication
document do not prevent any of the three scenarios discussed in this section
from occurring. Indeed, each of these scenarios can easily be annotated with
timestamps satisfying these timing constraints.
6 Verication of Property 2
6.1 Fourth Flaw
SPIN quickly found scenarios violating Property 2 as well. Indeed, two or more
devices can hold the I
2
C bus for an unbounded amount of time, and thus prevent
other components from sending messages. The timing constraints described in
the protocol specication help to prevent such situations, but it is easy to show
that these constraints are not sucient to completely solve the problem. More-
over, the deterministic nature of the I
2
C arbitration mechanism (which we did
not model) does not help to solve this problem. Indeed, if two devices alterna-
tively send ApplicationReport messages over the bus, it can be deduced from the
arbitration rules that, if their addresses have high-priority values (i.e., 02 and
03), it is impossible for a third device with an address of lower priority (i.e., FE)
to be granted the bus at any time. In this scenario, the third device will never
be able to send an Attention message to the host to signal its presence in the
system, and hence will never become operational.
6.2 Suggestions
The probability of occurrence of such scenarios can be reduced by modifying the
structure of the message frames in order to give a higher priority to protocol
messages, as opposed to application reports, with respect to the I
2
C arbitration
mechanism. One could use for this purpose the least signicant bit of the rst
byte of the frame (0 for protocol message frames, 1 for application reports). The
protocol specication also includes an optional Device Bandwidth Management
system, which could help avoiding the problem.
7 Conclusions
We have presented the main stages and the results of an analysis of an in-
dustrial protocol, the ACCESS.bus
TM
protocol. The analysis of this protocol
was performed using SPIN, an automated protocol verication system including
state-space exploration and model-checking algorithms. Our analysis revealed
subtle aws in the design of this protocol, which were not found by simulating
or testing the existing prototype implementations. We have also presented sug-
gestions for solving the detected problems. During this work, SPIN repeatedly
proved to be a powerful and ecient verication tool.
Model checking is an eective and simple method for verifying that a con-
current reactive system satises a temporal logic formula. It makes it possible to
reason about programs without having the burden of carrying out correctness
proofs by hand. Indeed, model checking is fully automatic: no intervention of
the user is required. This is a crucial feature for a verication technique to be
used in industry, since products are often (read always) developed under time
pressure, and therefore verication steps that would be too time consuming are
likely to be skipped.
Although model checking is fully automatic, applying model checking for
the analysis of communication protocols is not yet a systematic activity. The
ability of quickly modeling a system at the \right" level of abstraction requires
training, experience, and some knowledge of how model-checkers work: oversim-
plifying the model of the system should be avoided in order to be able to detect
potential problems in the actual system, while abstracting enough irrelevant de-
tails is needed in order to keep automatic verication computationally tractable.
Moreover, ingenuity and tenacity are often necessary for expressing interesting
properties (i.e., those that might reveal signicant errors) and for ltering er-
ror traces when looking for plausible scenarios (i.e, those that may occur in a
realistic environment). In summary, verication is and remains a discipline in
itself, even with the help of powerful verication tools such as model-checkers.
Therefore, we believe that the most promising and pragmatic way for introduc-
ing formal verication in existing development processes is by forming groups of
\validation engineers" who are specially trained for this task.
Another analysis of the Base Protocol can be found in [Hoo95]. It was carried
out by using an assertional method with the help of the interactive proof checker
included in the verication system PVS [ORS92]. Hooman proved manually that
the Base Protocol satises Property 1 and 2 provided that all the devices have a
dierent identication string, that messages between base-protocol components
are not buered, and that whenever a component wants to transmit a message
over the I
2
C layer, this message is transmitted within a bounded amount of
time. If one of these (strong) assumptions is not satised, no information about
the correctness of the protocol is provided. In contrast, our analysis was based
on a more detailed model, i.e., on weaker assumptions, and produced counter-
examples violating Property 1 and 2. This enabled us to precisely identify the
causes of these errors, and to suggest implementable solutions for these problems.
Finally, all counter-examples mentioned above and the proof of correctness of
our modied model were produced automatically by SPIN.
8 Acknowledgments
We wish to thank Didier Pirottin, who contributed to the results presented in this
paper. We are also grateful to Ron Koymans (Philips Research) for challenging
us to analyze the ACCESS.bus
TM
protocol and for fruitful discussions, and to
Mark Staskauskas for helpful comments on a preliminary version of this paper.
References
[ACC94] ACCESS.bus Industry Group. Access.bus specications, version 2.2. 370
Altair Way, Suite 215, Sunnyvale, California 94086, USA, 1994.
[CES86] E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verication of
nite-state concurrent systems using temporal logic specications. ACM
Transactions on Programming Languages and Systems, 8(2):244{263, Jan-
uary 1986.
[CVWY90] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memory e-
cient algorithms for the verication of temporal properties. In Proc. 2nd
Workshop on Computer Aided Verication, volume 531 of Lecture Notes in
Computer Science, pages 233{242, Rutgers, June 1990.
[DDHY92] D. L. Dill, A. J. Drexler, A. J. Hu, and C. H. Yang. Protocol verica-
tion as a hardware design aid. In 1992 IEEE International Conference
on Computer Design: VLSI in Computers and Processors, pages 522{525,
Cambridge, MA, October 1992. IEEE Computer Society.
[Eme90] E. A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor,




92] J.C. Fernandez, H. Garavel, L. Mounier, A. Rasse, C. Rodriguez, and
J. Sifakis. A toolbox for the verication of LOTOS programs. In Proc.
of the 14th International Conference on Software Engineering ICSE'14,
Melbourne, Australia, May 1992. ACM.
[GH93] P. Godefroid and G. J. Holzmann. On the verication of temporal prop-
erties. In Proc. 13th IFIP WG 6.1 International Symposium on Protocol
Specication, Testing, and Verication, pages 109{124, Liege, May 1993.
North-Holland.
[GPVW95] R. Gerth, D. Peled, M. Vardi, and P. Wolper. Simple on-the-y automatic
verication of linear temporal logic. In Protocol Specication Testing and
Verication, pages 3{18, Warsaw, Poland, 1995. Chapman & Hall.
[HK90] Z. Har'El and R. P. Kurshan. Software for analytical development of com-
munication protocols. AT&T Technical Journal, 1990.
[Hol91] G. J. Holzmann. Design and Validation of Computer Protocols. Prentice
Hall, 1991.
[Hoo95] J. Hooman. Verifying part of the ACCESS.bus protocol using PVS. To
appear in the Proceedings of Foundations of Software Technology and The-
oretical Computer Science, December 1995.
[Liu89] M.T. Liu. Protocol engineering. Advances in Computing, 29:79{195, 1989.
[LP85] O. Lichtenstein and A. Pnueli. Checking that nite state concurrent pro-
grams satisfy their linear specication. In Proceedings of the Twelfth ACM
Symposium on Principles of Programming Languages, pages 97{107, New
Orleans, January 1985.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent
Systems: Specication. Springer-Verlag, 1992.
[ORS92] S. Owre, J. Rushby, and N. Shankar. PVS: A prototype verication system.
In Proc. 11th Conference on Automated Deduction, volume 607 of Lecture
Notes in Articial Intelligence, pages 748{752. Springer-Verlag, 1992.
[QS81] J.P. Quielle and J. Sifakis. Specication and verication of concurrent sys-
tems in CESAR. In Proc. 5th Int'l Symp. on Programming, volume 137 of
Lecture Notes in Computer Science, pages 337{351. Springer-Verlag, 1981.
[Rud87] H. Rudin. Network protocols and tools to help produce them. Annual
Review of Computer Science, 2:291{316, 1987.
[VW86] M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic
program verication. In Proceedings of the First Symposium on Logic in
Computer Science, pages 322{331, Cambridge, June 1986.




X macro package with LLNCS style
