Abstract. This paper reports on the mechanical verification of the IEEE 1394 root contention protocol. This is an industrial leader election protocol, in which timing parameters play an essential role. A manual verification of this protocol using I/O automata has been published in [24] . We improve the communication model presented in that paper. Using the Uppaal2k tool, we investigate the timing constraints on the parameters which are necessary and sufficient for correct protocol operation: by analyzing large numbers of protocol instances with different parameter values, we derive the required timing constraints. We explore the use of model checking in combination with stepwise abstraction. That is, we show that the implementation automaton correctly implements the specification via several intermediate automata, using Uppaal to prove the trace inclusion in each step.
Introduction
Various recent studies have presented evidence for the maturity of automated tools for the verification of realistic applications [5, 21] . Several case studies are reported in which automatic verification tools are used to analyze IEEE standards. The first and probably best-known example is the verification of the IEEE Futurebus+ standard by Clarke and his students using SMV [20] . This verification revealed several errors that were previously undetected. In [22] , using the Caesar/Aldebaran tool set,
Research supported by PROGRESS Project TES4199, Verification of Hard and Softly Timed Systems (HaaST).
a deadlock was revealed in the draft IEEE 1394 standard. In this work, we investigate the applicability of the Uppaal2k version [18, 26] to analyze the IEEE 1394 root contention protocol [12, 13] , a real-time leader election protocol for two processes. We examine to what extent Uppaal can be used to do parametric analysis and verification via stepwise abstraction. As far as we know, our case study is the first time that a timed automata-based tool is used to analyze a part of a (draft) IEEE standard. Given the importance of timing constraints in many of these standards, we believe this to be a significant step forward. Although our analysis did not reveal any errors, we did discover a number of minor points where the standard is incomplete.
Timing parameters play an essential role in the root contention protocol. For certain parameter values, the protocol is correct, and for other values it fails. We are interested in deriving the precise constraints that ensure correctness. There are currently three tools available that (at least in some cases, see [3] ) can do parametric analysis of timed systems: HyTech [10] , PMC [8] and -very recently -the tool described in [4] . Whereas HyTech and PMC can currently analyse and derive linear parameter constraints, [4] describes a prototype implementation which can also deal with nonlinear constraints. Since the performance of HyTech is limited, and we expected the protocol to be too complex for it, and since only prototypes of the other two tools are currently available, we decided to use the Uppaal tool. By analyzing numerous instances of the protocol for different values of the parameters, Uppaal allowed us to do an approximate parameter analysis. Uppaal has already been used successfully in various verifications [6, 9] . It can model real-time systems with a finite control structure. A limited class of properties, viz. reachability properties, can be checked automatically and (relatively) efficiently. Our protocol models fit naturally into its input language.
We would probably have obtained the same results if, instead of Uppaal, we had used the model checker kronos [27] , which has been applied successfully in a number of case studies for timed systems, such as [7] .
A manual verification of the root contention protocol has been carried out in [24] , where two timing constraints where inferred that ensure protocol correctness. We have mechanically checked the proof invariants in the model from [24] and our Uppaal experiments affirm that all invariants hold under the conditions mentioned in [24] . However, we found informal documents [25] and [17] on the web, that derived (two slightly different) stricter constraints for the protocol. A close examination of the IEEE 1394 specification [12] revealed that the model in [24] does not completely conform to the standard and resulted in a new, enhanced protocol model, which, we believe, does carefully reflect the IEEE specification. The main difference between the models from [24] and the present work is the way in which the communication between the processes is modeled: by a package mechanism in the former versus by continuous-time signals in the latter.
Using the enhanced model, we investigate the correct operation of the root contention protocol with Uppaal. The constraints that we deduce by approximate parameter analysis are exactly those from [17] . Since the probabilistic phenomena in [24] and in this work are basically the same, we do not reconsider probabilistic aspects of the protocol here.
Unlike most other Uppaal case studies, we carry out the verification using stepwise abstraction, similarly to [24] . This method allows for separation of concerns and is common practice in automaton-based verification, but not in the context of model checkers. In this method, one relates the implementation and the specification automaton via trace inclusion, using several intermediate automata. In order to do so, we need several constructions on Uppaal models. The works [14, 15] discuss another approach to this problem. The difference with our work is that [14, 15] consider timed automata without invariants but with shared variables and urgent channels and require the specification automaton to be deterministic. We use the notion of step refinement to deal with nondeterministic specifications in certain cases.
The contributions of this work over [24] consist of: (1) a realistic model of the communication within the protocol; (2) the investigation of timing constraints with Uppaal; (3) the application of stepwise abstraction together with Uppaal; and (4) several constructions on Uppaal models to verify trace inclusion (in certain cases) with Uppaal.
The modeling and verification effectively took us approximately 1 month. Most of this time has been spent in understanding the IEEE 1394 standard and in several prototype-model improvements. Some time could have been saved by automating tasks, such as certain syntactic operations on the automaton models and repeated verification of the same properties for different parameter values.
The rest of this paper is organized as follows. Section 2 informally describes the root contention protocol. In Sect. 3, we describe how Uppaal can be used in verifying system correctness via stepwise abstraction. Section 4 presents the new protocol model and contains the associated verification results. Finally, in Sect. 5, conclusions are given.
The IEEE 1394a root contention protocol
The IEEE 1394 standard [12] (also known under the popular names of FireWire and iLink) specifies a high performance serial bus. It has been designed for interconnecting computer and consumer equipment, such as VCRs, PCs, and digital camera's. It supports fast and cheap, peer-to-peer data transfer among up to 64 devices, both asynchronous and isochronous. The bus is hot-plug-and-play, which means that devices can be added or removed at any time.
The IEEE standard provides a layered, OSI-style description, defining four protocol layers. The root contention protocol is part of the Tree-identify phase, present in the lowest, physical layer (PHY). This layer provides the electrical and mechanical interface for data transmission across the bus. Furthermore, it handles bus configuration, arbitration, and data transmission. At the present time, the IEEE 1394a supplement [13] to the standard is the latest approved standard that concerns root contention and includes several clarifications, extensions, and performance improvements over earlier standards.
A 1394 network consist of several nodes (devices), having one or more ports. Each port may be connected to one other node's port, via a bi-directional cable. Nodes should be connected in a tree-like network topology, without cycles. First, bus configuration is performed. This is done automatically upon a bus reset: after power up and after device addition or removal. Bus configuration proceeds in three phases. It starts with bus initialization. This is followed by the Tree-identify phase (Tree ID). The purpose of this phase is to identify a leader (root) node and the topology of all attached nodes. The root will act as bus master in subsequent phases of the protocol. Finally, in the Self-identify phase (Self ID), each node selects a unique physical ID and identifies itself to the other nodes. When bus configuration has been completed, nodes can arbitrate for access to the bus and transfer data to any other node.
The Tree ID phase works as follows. First, it is checked whether the network topology is indeed a tree. If so, a spanning tree is constructed over the network and the root of this tree is elected as leader in the network.
The spanning tree is built as follows. As a basic operation, each node can drive a PARENT_NOTIFY (PN) or a CHILD_NOTIFY (CN) signal to a neighbor node, or the node can leave the line undriven (IDLE). The PN signal is to ask the receiving node to become parent (connecting closer to the root) of the sending node (then connecting further away from the root) and is acknowledged by a CN signal. The receipt of a CN signal on a port in its turn, is acknowledged by removing the PN signal from the connecting cable. A node only sends a PN signal via a port, after it has received a PN signal on all other ports. Thus, initially, only the leaf nodes send out a PN signal. If a node has received PN signals on all of its ports, then it has only child ports and it knows that is has been elected as the root of the tree. In the final stage of Tree ID, two neighboring nodes may each try to find their parent by sending a PN signal to each other. This situation is called root contention and when it arises, the contention protocol is initiated to elect one of the two nodes as the root of the tree.
The root contention protocol
If a node receives a PN signal on a port, while sending a PN signal on that port, it knows it is in root contention. Note that root contention is detected by each of the two contending nodes (Node 1 and Node 2 ) individually. Upon detection of root contention, a node backs off by removing the PN signal, and leaving the line in the state IDLE. At the same time, it starts a timer and picks a random bit. If the random bit is one, then the node waits for a time ROOT_CONTEND_SLOW, whereas, if the random bit is zero, it will wait for a shorter time ROOT_CONTEND_FAST. Figure 1 lists the wait times as specified in the latest draft version of the IEEE 1394a standard [13] .
When its timer expires, a node samples its contention port once again. If it sees IDLE, then it starts sending PN anew and waits for a CN signal as an acknowledgment. If, on the other hand, a node samples a PN on its port, it will send the CN signal back as an acknowledgement and becomes the root.
If both nodes pick different random bits, then the slowest (picking one) is elected as leader. In the case that both nodes pick identical random bits, there are two possibilities. The root contention times allow one process to wait significantly longer than the other, even if both processes pick the same random bits. If this is the case, then the slower node becomes the root. Second, if the nodes proceed with about the same speed, then root contention reoccurs: each node sees an IDLE signal when its timer expires and they both start sending PN signals and detect renewed root contention. The whole process is repeated until one of them becomes root. Eventually (with proba- bility one), both nodes will pick different random bits, in which case root contention certainly is resolved.
Protocol timing constraints and their implications
The timing parameters that are used in the protocol include the wait times as listed above, and the delay parameter, which corresponds to the maximal total time from sending a signal by one node to receiving it by the other node. It includes the cable propagation delay, and the time to process the cable line states by the hardware and software layers at the ports of the two nodes. For the protocol to work correctly, two constraints on these timing parameters are essential (equations (1) and (2)).
Throughout the verification, we assume three basic assumptions:
We do not assume rc_fast_max ≤ rc_slow_max beforehand, but note that this follows from Constraint (2) . The origin of these equations is visualized in Fig. 2 and explained below. Ad equation (1): in case of Node 2 selecting the short waiting period, constraint equation (1) ensures that the IDLE signal from Node 1 arrives at Node 2 before the waiting period of Node 2 ends (See circle 1 in Fig. 2 ). Otherwise, the following erroneous scenario might happen: Node 2 might still see the first PN signal from Node 1, and erroneously send a CN signal to acknowledge this parent request. Once the IDLE signal from Node 1 arrives (behind schedule), Node 2 removes its CN signal again and makes itself root. When Node 1 ends its waiting period, however, it will see the IDLE signal from Node 2, as if nothing happened, and send a PN to Node 2. Awaiting the response it will time out, which leads to a bus reset. Therefore, constraint equation (1) is required for correct protocol operation.
Ad equation (2) : this constraint ensures that root contention is always resolved in case of one node (say Node 1) selecting the short waiting period and the other (Node 2) selecting the long waiting period. More precisely, constraint equation (2) ensures that the new PN signal from Node 1 arrives at Node 2 before the waiting period of Node 2 ends (see circle 2 in Fig. 2) . Otherwise, Node 2 might still see the IDLE signal from Node 1, and start sending a new PN signal. Together with the PN message coming from Node 1 (after schedule), this will again lead to root contention, although the two nodes picked different timers. Therefore, this equation ensures that renewed root contention can only occur for if both nodes pick equal random bits.
This analysis above is based on informal notes [17, 25] to the IEEE P1394a Working Group. The equations from [17] match ours, whereas [25] incorrectly cites [17] and contains some errors. In the model of [24] , the above scenario cannot be mimicked, due to an imperfection in its model, and weaker constraint equations are found.
Note that these timing constraints do not appear in the IEEE 1394 specification [12, 13] . However, the root contention wait times from the specification (see Fig. 1 ) meet these constraints. For these values of the parameters, the timing constraint equation (2), (which implies equation (1) for these parameter values) implies delay < 370 ns.
The cable propagation delay is specified to be less or equal than 5.05 ns/m. Unfortunately, any additional processing delays are not explicitly specified in the standard. If we disregard such extra delays, then a maximum cable length between two nodes of 370 ns 5.05 ns/m ≈ 73 m is allowed. In the IEEE 1394a standard the cable length is, at the moment, limited to 4.5 m by the worst case round trip propagation delay during bus arbitration. However, the above timing constraints require the root contention times to be longer, when cable lengths increase significantly. This may be disadvantageous to future applica- ns ≈ 173 ns on each side of the wire.
Verification of trace inclusion with Uppaal
Uppaal [18, 26] is a tool box for modeling, simulation, and automatic verification of real-time systems, based on timed automata. In the present case study, we used the Uppaal2k version. Uppaal can simulate a model, i.e., it can provide a particular execution of the model step by step, and it can automatically check whether a given reachability property is satisfied and provide a trace showing how the property is satisfied. Section 3.1 describes how a real-time system can be modeled in Uppaal and which properties can be checked automatically. Section 3.2 gives the semantics of a Uppaal model and Sect. 3.3 tells how Uppaal can be used to verify trace inclusion, i.e., that one model in Uppaal is a correct implementation of another one.
Model checking with Uppaal
This section gives an informal introduction to Uppaal and is based on [18] . A system in Uppaal is modeled as a network of nondeterministic processes with a finite control structure and real-valued clocks. Communication between the processes takes place via channels (via binary synchronization on complementary actions). Within Uppaal it is possible to model automata via a graphical description. Furthermore, templates are available to facilitate the specification of multiple automata with the same control structure.
Basically, a process is a finite state machine (or labeled transition system) extended with clock variables. The nodes of an automaton describe the control locations. Each location can be decorated with an invariant: a number of clock bounds expressing the range of clock values that are allowed in that location. The edges of the transition system represent changes in control locations. Each edge can be labeled by a guard g, an action (label) a, and a collection r of clock resets. All three types of labels are optional. A guard is a Boolean combination of inequalities over clock variables, expressing when the transition is enabled, i.e., when it can be taken. Upon taking a transition, the clock resets, if present, are executed. The action label, if present, enforces binary synchronization. This means that exactly one of the other processes has to take a complementary action (where a! and a? are complementary). If no other process is able to synchronize on the action, the transition is not enabled. A process can have a location from which more than one transition is enabled with the same action. Thus, nondeterministic choices can be specified within Uppaal. Note that time can only elapse at the locations (conform invariants). Transitions are taken instantaneously, i.e. no time elapses during transitions. Three special types of locations are available: 1. Initial locations, denoted by (O), define the initial state of the system (exactly one per process). 2. Urgent locations, denoted by (U), are locations in which no time can be spent, hence a shorthand notation for a location that satisfies the virtual invariant x ≤ 0. The (fresh) clock x is reset on all transitions to the urgent location. 3. Committed locations, denoted by (C), are used to make the incoming and the outgoing transition atomic. Being in a committed location, the process execution cannot be interrupted and no time elapses. We used these locations to encode multi-way synchronization in Uppaal (see Sect. A.2). Moreover, channels can be declared as urgent and shared integer variables can be used to communicate between the processes. Since we did not use these features in our verification, we do not describe them here.
Consider the Buffer process automaton displayed in Fig. 3 . This automaton models a one-place buffer which delivers a message with a time delay between 12 and 15 time units.
Uppaal is able to analyze reachability properties automatically. These properties must be of the form E3p or A2p, where p is Boolean expression over clock constraints and locations of the automata. For example, E3Buffer.filled ∧ x > 13 is a property over the automaton Buffer. Informally, E3p denotes that there must be some state (= location + clock values) which is reachable from the initial state (= initial location where all clocks are 0) and in which the property p holds. Dually, A2p denotes that p holds for all reachable states, i.e., that p is an invariant of the automaton.
This logic is sufficient to specify reachability properties, invariants, and bounded liveness properties. For the latter, see [1] . However, general liveness and fairness properties, e.g., whether an event occurs infinitely often, cannot be expressed in Uppaal. 
Notational conventions
Throughout this paper we use the following conventions for automata.
We assume that the automata do not have urgent channels, committed locations, and shared variables and we assume that any two components in a network use different clocks.
We denote the absence of a transition label by a special symbol τ . When convenient, we assume that all labels on a transition are present, interpreting the absence of a guard or invariant by true and the absence of a reset set by ∅. We denote the invariant of a location q by Inv(q).
Moreover, we assume a fixed set of action names, Names, such that τ / ∈ Names, and for any subset of N ⊆ Names, we write N ! = {a! | a ∈ N }, N ? = {a? | a ∈ N }. Then the set of discrete actions is given by Act = Names? ∪ Names! ∪ {τ }. The action τ is called the invisible or internal action; the other actions are called visible. The set of visible actions occurring in automaton A is the denoted by Act A . By abuse of notation, we let a, b range over Act, but in the expressions a? and a!, a ranges over action names. See also Appendix B for a glossary of symbols.
The semantics of Uppaal models
In our verification, we express the behaviour of a system by the set of its traces and use trace inclusion to express that one system correctly implements another one. The Uppaal tool interprets networks of automata as closed systems, which are systems that cannot interact with their environment. In closed systems we cannot express many sets of traces. (The traces of closed systems consists of their time passage actions.) Therefore, we provide -in addition to the standard Uppaal semantics -an interpretation of Uppaal models as open systems, which still have the possibility to interact with the environment. Then we define two operators, parallel composition and action restriction \, to express the closed system semantics in terms of the open system semantics. Finally, we give a translation of each open model to a closed model with equivalent reachability properties. In this way, we are able to verify all reachability properties of open systems (and in particular trace inclusion) with Uppaal.
We use the same (Uppaal) syntax for open and for closed systems. We use the word "automaton" if we interpret the model as an open system and the term "network of automata" if we use the standard closed system interpretation. Now, we give the open system semantics of an automaton A by its underlying timed labeled transition system (TLTS). We may assume that A consists of one component, because we give the semantics of the parallel composition later in this section.
The states (q, v) of the TLTS consist of a location q of A and a clock valuation v. The latter is a function that assigns a value in R ≥0 to each clock variable of the automaton. We require that each state (q, v) of the TLTS underling A meets the location invariant of q. The initial state of the TLTS, if any, is given by the initial location q 0 in the automaton and the clock valuation v 0 that assigns 0 to each clock variable. (Note that there is no initial state if v 0 does not meet the location invariant of q 0 .)
The transitions s − → s of the TLTS, labeled with a discrete or time passage action, indicate the following: being in state s = (q, v), that is, the system is in location q and the clocks have the values as described by v, the system can move from to a new state s , in which the location and clock variables have been updated according to the delay or discrete step taken in the automaton. The time passage actions s d − → s of the TLTS, where d ∈ R >0 , augment all clocks with d time units and leave the locations unchanged. Such a transition is enabled if augmenting the clocks with d time units is allowed by Inv(q). The discrete actions s a − → s change the state as specified by the transition in the automaton of automata. This means that the guard of the transition involved is met in s, that the invariant of the destination of the transition involved is met in s and that the clock variables are set according to the transition involved. We label the transition in the TLTS by a special symbol τ if the corresponding transition in the automaton is unlabeled.
Hence, the TLTS has an infinite set of states, actions and -for non-trivial automata -transitions. Example 1. The TLTS underlying the system in Fig. 3 consists of the states (empty, u) and (filled, u ) for u ≥ 0 and u < 15 (where u and u denote the valuations that assign, respectively, the values u and u to the clock x), the initial state (empty, 0) and the transitions (empty, u)
When interpreted as a closed system, the TLTS underlying Buffer would not have any transitions, because the actions receive and send cannot synchronize. The following theorem expresses the main result by Alur and Dill [2] , upon which Uppaal and other model checkers based on timed automata are built.
Theorem 1. The set of reachable states of a timed automaton is decidable.
An important class of automata and TLTS is formed by the deterministic systems. Intuitively, determinism means that, given the current state and the action to be taken, the next state (if any) is uniquely determined. Definition 2.
A TLTS is called
−−−→ q implies that q = q ∧ r = r or that g ∧ Inv(q) and g ∧ Inv(q) are disjoint, (i.e., g ∧ g ∧ Inv(q) is unsatisfiable).
It is not difficult to prove that if an automaton is deterministic then its underlying TLTS is so, too.
Definition 3. Let C be a set of action names and A be an automaton. Then A \ C is the automaton obtained from A by disabling all action with names in C, (i.e., by removing all transitions labeled by an action in C? ∪ C!.) Example 3. The automaton Buffer\ {receive} is shown in Fig. 4 .
The parallel composition operator we consider is basically the one from CCS. The automaton A 1 A 2 contains the control locations of both automata. A transition in the parallel composition corresponds to either one of the components taking a transition and the other one remaining in the same location or to both components taking a transition simultaneously, while synchronizing on complementary actions a? and a!. Synchronization yields an invisible action in the composition (and hence no other components can synchronize with the same action). Figure 5 shows the automaton Sender and the automaton Sender (Buffer \ {receive}).
Compositionality results for trace inclusion have been proven in several settings; for example, see [19] . It also holds for the automata we consider. Proposition 1. Trace inclusion is compositional, i.e.
It is crucial here that the automata we consider do not contain committed locations, urgent channels and shared variables. However, the auxiliary automata that we use to establish trace inclusion within Uppaal do contain committed locations in some cases. This, of course, does not affect the compositionality result. The following proposition is an immediate consequence of the definitions. by the automaton
Example 5. In Fig. 6 presents the the Uppaal semantics N (Sender, Buffer \ {receive}) of the network consisting of the components Sender and Buffer \ {receive}.
Thus
, the network does not have any visible actions, and therefore its traces only contain time passage actions. Since we are interested in describing sets of traces, we cannot do with closed systems only. With Uppaal we can, of course, only verify closed systems. However, the reachability problems of automata can be expressed in terms of reachability properties of closed systems, by simply adding an automaton to the open system that synchronizes with every visible action. See Appendix A, Sect. A.3 for the details.
Verification of trace inclusion
Within automaton-based verification, it is common practice to describe both the implementation and the specification of a system as automata. Then an automaton A is said to be a (correct) implementation of another one B if A TR B. 1 Although it is, in general, undecidable whether A TR B, Alur and Dill [2] have shown (in a timed automaton setting without location invariants) that deciding whether A TR B can be reduced to reachability checking, provided that B is deterministic. The basic step in this reduction is the construction of an automaton which we call B err here. In our setting, B err is constructed by adding a location error to B and transitions q a g −→ error for all locations q and action labels a in such a way that this transition is enabled if no other a-transition is enabled from q. Furthermore, an internal transition from q to error with the guard ¬Inv(q) is added and all location invariants are removed. The basic result is that we need in the verification is that, if the visible actions of A are included in those of B, then
The reader is referred to the Appendix A, Sect. A.41 for an elaboration of this. Moreover, if B is not deterministic, we can try to make it so by renaming its actions and apply the method above.
We can use what is called a step refinement f (or a conjectured one) for this relabeling. To put it very briefly, a step refinement is basically a function from the states of 1 In fact, a coarser notions exist, viz. timed trace and timed trace inclusion, which abstract from certain irrelevant timing aspects that are still present in the traces. Timed trace inclusion has a rather technical definition and trace inclusion implies timed trace inclusion. Therefore, we deal with trace inclusion in the remainder rather than with timed trace inclusion.
A to the states of B that induces a function from the atransitions of A to the a-transitions of B. Thus, we can give a transition in A and its image in B the same fresh label and remove all sources of nondeterminism in B. This yields automata A f and B f such that
(but not conversely). We refer the reader to Appendix A, Sect. A.42 for the details.
The enhanced protocol model
A manual verification of the root contention protocol is described in [24] . However, a major difference between the model in [24] Fig. 7 . The Uppaal wire automaton template its output port signal. An important difference between communication via messages and via channels is that one can distinguish two subsequent messages with the same contents, but it is not possible to distinguish two subsequent signals that are equal. Besides driving PN and CN signals, the wire can be left undriven (IDLE). Since the enhanced model presented in this paper closely follows the draft IEEE 1394a standard, we believe that our model now adequately reflects the root contention protocol as specified in the IEEE standard. However, we can never formally prove this because the specification is partly informal.
We use the constructions and techniques from Sect. 3 to verify this model and we show that -tacitly assuming the basic constraints B1, B2 and B3 -the constraints (1) and (2) are both necessary and sufficient for the correctness of the protocol. These constraints were given beforehand in the informal note [17] . However, the works [24] and [25] also claimed to give (different) constraints that ensure protocol correctness. Moreover, we consider in each step of our analysis the constraints needed for the correctness of this step.
In the sequel, the term "experimental results" is used for results that have been obtained by checking a number of instances with Uppaal, rather than by a rigorous proof. First of all, the PN message is now called req (parent request), and the CN message ack (acknowledgement). A number of timing parameter constants is defined to include the root contention wait times and the cable propagation delay into the model. The root contention wait times, like rc_fast_min, have been set to the values as specified in Fig. 1 . The actions like snd_ack and rec_req are used to send and receive ack and req messages by the nodes through the wires. The slow/fast differentiation causes the Node automaton to be rather symmetric.
Starting in the root contention location, a node picks a random bit (slow or fast). Simultaneously, a timer x is reset, and an idle message is sent to the Wire, which models the removal of the PN signal. Independently, but at about the same time, the other contending Node also sends an idle, possibly followed by a renewed req. Therefore, the receipt of this idle and req message is interleaved with the choice of the random bit and with the sending of the idle message. In this way, the two contending Node automata can operate autonomously. The Wire templates have been extended, compared to the model in [24] , such that they can now transmit PN (req), CN (ack), and IDLE (idle) messages. These messages mark the leading edge of a new signal being driven across the wire. Until a new message arrives, signals continue to be driven across the wire. Furthermore, the wires now comprise a two-place buffer, such that two messages at the same time can travel across a wire. The IEEE standard does not specify how many signals can be in the wire simultaneously. However, the following experimental results show that two-place buffer is necessary and sufficient to model the communication channels The Node automaton is not input enabled, which means that it might block input actions (rec_ack, rec_req or rec_idle) in certain locations by being unable to synchronize. Experimental result 3 however states that this never happens in the protocol, i.e., that no other input can occur than the input specified in Node provided that equation (1) 
Verification of the protocol
A key correctness property of the root contention protocol is that eventually, exactly one of the processes is elected as root. This property is described by the automaton Spec in Fig. 9 . We demonstrate that Impl (the parallel composition of the two Node and Wire automata) is a correct implementation of Spec, provided that Impl meets the timing constraint equations (1) and (2) Here, I 1 is a timed automaton, which abstracts from all message passing in Impl while preserving the timing information of Impl. The automaton I 2 is obtained from I 1 by removing all timing information. In I 3 internal choices are further contracted. Since timing aspects are only present in Impl and I 1 , the timing parameters only play a role in the first inclusion (Impl TR I 1 ).
The first intermediate automaton
The intermediate automaton I 1 is displayed in Fig. 10 . It is a Uppaal equivalent of the timed I/O automaton model from [24] , restricted to the reachable locations. It abstracts from the communication between the nodes and records the status (start, fast, slow, or done) for each of the two nodes. In addition, I 1 has a clock x to impose timing constraints on events. The outgoing internal transitions from start_start, fast_start, start_fast, start_slow, and slow_start model the consecutive random bit selection of the two nodes. For example, fast_start corresponds to Node 1 having picked the fast random bit, and Node 2 still being in root contention. The internal transitions from fast_fast and from slow_slow back to start_start represent the protocol restart, which is an option if the two random bits are equal. The invariants on clock x cause both nodes to pick a random bit within a time interval delay after the protocol (re-)start. In addition, within an interval [rc_fast_min − delay, rc_fast_max] or [rc_slow_min − delay, rc_slow_max], depending on the random bit, either a root is selected (root 1 ! or root 2 !) or a restart of the protocol occurs. The method described in Sect. 3.3 allowed us to establish trace inclusion between Impl and I 1 . Figure 11 describes how unlabeled transitions in I 1 and Impl are relabeled, yielding Impl r and I 1 r . (See also Sect. 3.3 and Appendix A, Sect. A.42.) This relabeling of transitions has been constructed from the step refinement from Impl to I 1 given in [24] . The transitions relabeled with retry synchronize with an auxiliary automaton called EchoRetry, which takes this action as soon as root contention reoccurs, i.e., as soon as both Node 1 and Node 2 have taken their snd_req! transitions to the snt_req location. This requires the automata Node i , Wire i,j and EchoRetry all to synchronize on the action snd_req i,j and Node i , Wire i,j and I 1 on snd_idle i j . We encoded multiway synchronization in Uppaal as described in Sect. A.2.
Manual parameter analysis shows that the error location is unreachable in Impl r I 1 r , if the constraint equations (1) and (2) hold. Now, Experimental result 4 is a direct consequence of Lemma 3.
Experimental result 4. If the timing parameters in
Impl satisfy equations (1) and (2), then Impl TR I 1 .
In order to show the necessity of equation 2, we need a liveness argument. The key liveness property is that eventually a leader is elected with probability one. Therefore, it is essential that root contention is resolved within the same pass (i.e., without renewed root contention) if both nodes pick different random bits. This is guaranteed by equation 2, see Sect. 2.2. Since the probability to pick different random bits is strictly greater than zero in each pass, the nodes will eventually pick different bits, and thus elect a root, with probability one.
Experimental result 5. Assume that the two nodes pick different random bits. Then the root contention protocol is resolved within one pass if and only if equation 2 is satisfied.
The second intermediate automaton
The intermediate automaton I 2 is identical to I 1 , except that all timing information has been removed. Since weakening the guards and invariants in an automaton yields an automaton with more traces, we get Proposition 3, as expected. Since neither I 2 nor I 3 contains timing information, trace inclusion can be checked with standard methods, see [16] . Since we are interested in the applicability of the relabeling method, we use this one for establishing I 2 TR I 3 . Again, we added labels to certain unlabeled transitions in I 2 and I 3 , to obtain I 2 f from I 2 and (the deterministic automaton) I 3 f from I 3 . Figure 13 lists the corresponding transitions in I 3 and I 2 that should get the same (fresh) labels after relabeling. Transitions not mentioned in the table keep the same label. In particular, the transitions in I 2 leaving from start_start remain unlabeled.
It has been established by Uppaal that I 2 f TR I 3 f . Now, Proposition 4 is an immediate corollary of Lemma 3. Since the specification automaton Spec is deterministic, we only need to check for reachability of the error location in the automaton Spec err to obtain Proposition 5. (As in the previous case (I 2 TR I 3 ) trace inclusion and timed trace inclusion are the same. However, now, because Spec is deterministic, the method we use to establish timed trace inclusion this is exactly the usual method for establishing trace inclusion.) Proposition 5. I 3 TR Spec.
By transitivity of TR we get that the equations 1 and 2 are sufficient.
Experimental result 6. If equations 1 and 2 are met by Impl, then Impl TR Spec.
Combining the Results 2, 3, 5 and 6 yields the final conclusion.
Experimental result 7. The root contention protocol is correct if and only if the timing parameters satisfy equations (1) and (2).
Conclusions
This paper reports a mechanical verification of the IEEE 1394 root contention protocol. This is an industrial protocol in which timing parameters play an essential role.
In this case study, we used the Uppaal2k tool and stepwise verification of trace inclusion to investigate the timing constraints of the protocol. We analysed a large number of protocol instances with Uppaal. From these experiments, we derived that the constraints which are necessary and sufficient for correct protocol operation are exactly those from [17] . Although these experiments do not ensure correctness, we are convinced that the constraints we derived are exactly those required.
Some minor points of incompleteness have been found: the IEEE specification only specifies the propagation delay of signals but not the delay needed to process incoming and outgoing signals. Moreover, the IEEE standard only provides specific values for the timing parameters and not the general parameter constraints, although these give some useful insight in the correctness of the protocol and in restrictions on future applications. We also found some small errors in the informal notes [17, 25] .
The fact that the modeling and verification took us a relatively short time illustrates once again that model checkers can be used effectively in the design and evaluation of industrial protocols. Especially, the iterative modeling via trial and error is valuable when it comes to understanding the properties of a model. Our case study has added that this also holds in the presence of parameters: once an appropriate model and conjectured timing constraints have been obtained with Uppaal, rigorous parameter analysis could be tackled with another tool or method.
In our case, the very recent work [11] has given the full evidence of several experimental results in this paper. By feeding equations (1) and (2) and the basic assumptions B1, B2, and B3 to a prototype parametric extension of Uppaal, the Experimental result 4 has been established. Due to lack of memory, the necessity of the constraints could only be established partially by the tool.
In our experience, using the current Uppaal2k implementation to establish trace inclusion suffers from several disadvantages. The practical modeling and verification is, as pointed out above, not a problem. However, the proof that the properties we verified indeed established trace inclusion, involved several technicalities. First, due to its closed world interpretation, timed languages cannot be described in Uppaal directly. It is, however, no conceptual problem to extend Uppaal such that this would be possible. Second, the check for language inclusion (A TR B, B deterministic) is not implemented in Uppaal. However, we are not aware of any other freely available timed model checker which can do this. This might be remarkable since verification often involves checking language inclusion and it has already been known for some time [2] how to reduce language inclusion to a reachability problem.
Third, the fact that Uppaal does not support multisynchronization enforces the need of committed locations and this makes the underlying theory more complicated. Relatively small adaptations of Uppaal would overcome these problems and make the verification of trace inclusion a lot easier. (n > 1), then the idea is as follows. Relabel a in A i intoa fresh label -a i , i ≥ 0. Whenever A 0 performs an a 0 ! action, an auxiliary automaton 'catches' it and 'distributes' it over the other automata. More precisely, the auxiliary automaton synchronizes on a 0 ! and enforces -sequentially but without delay or interruption -synchronization with a 1 ? . . . a n ? in A 1 . . . A n , respectively. A.3 Reducing reachability properties of automata to reachability properties of networks Definition 5. Let C be a set of action names. Define the automaton Snc C as the automaton with one location q C and transitions q C a − → q C for every a in C? ∪ C!. For an automaton A, define Snc A = Snc C , where C are the action names occurring in A, and write q A for q C .
The following result allows us to check the reachability properties of an automaton A via the reachability properties a network N (A Snc A ), which can be checked by Uppaal. Its proof is straightforward.
Proposition 6. Let q be a location and v a clock valuation of A. Then (q, v) is reachable in A if and only if
If A is given in terms of restriction and parallel composition over the components A 1 , A 2 , . . . , A n , then we prefer to carry out the construction with Snc A above on A's components, rather than first computing A explicitly and then performing the construction. In our verification, A is given by (A 1 A 2 ) \ C and we have checked its reachability properties via the network N (A 1 , A 2 , Snc C ). This is justified by the following argument, where C is a set of action names, C = Names \ C, s = (q, v) is a state of A and s = ((q, q C ), v).
A.31 Input enabling in Uppaal
The input actions of an automaton A are the actions of the form a?. We call A input enabled if synchronization on input actions is always (in any state of the system) possible. More precisely, if the a?-transitions in A leaving from a location q are given by 
is equivalent to true, where we use the convention that 0 i=1 . . . yields false. Here, I[r] denotes the invariant that is obtained by replacing each clock variable in I that occurs in (the reset set) r by 0. We state that an automaton is input enabled if and only if its underlying TLTS is so, using the standard notion of input enabledness for TLTSs.
A non-input enabled automaton may block input, by being unable to synchronize on it. This is often considered as a bad property, since a component is usually not able to prevent the environment from providing inputs and this might indicate a modeling error. Therefore, it is relevant whether blocking of inputs can actually occur in a network of automata, i.e., whether or not the situation can occur that one component could provide an input to another one, while the latter automaton is not able to synchronize on it. In order to check this, we make every component A input enabled by directing every input that would otherwise be blocked to a fresh location, called unexp_input A and check for reachability of this location. More precisely, we construct the automaton A u_i from A as follows. If the outgoing a?-transitions leaving from q are as above, then we add the transition q − → unexp_input A for every input action a? of A.
Proposition 7.
The automaton A u_i is input enabled.
Example 7. The automaton in Fig. 17 is input enabled. Notice that x < 3 =⇒ ((x < 2)[x := 0]) yields true. The construction to make an automaton input enabled is shown in Fig. 18 . Notice that ¬(
By checking for reachability of the location unexp_input, we can establish whether A and A u_i are semantically equivalent, i.e., whether their underlying TLTSs are exactly the same when restricted to their reachable states. If we want to check whether A TR B for a deterministic automaton B, then we build an automaton B err , which is an adaption of construction in [2] . The automaton B err is constrcted by adding a location error to B and transitions q a g −→ error for all locations q and action labels a such that this transition is enabled if no other a-transition is enabled from q. Furthermore, an internal transition from q to error with the guard ¬Inv(q) is added and all location invariants are removed.
Definition 6. The automaton B
err is defined as follows:
1. The locations of B err are the locations of B together with the (fresh) location error.
The initial location of B
err is the initial location of B. Figure 19 illustrates an automaton and its error-construction.
For a construction of B err in the presence of urgent channels and shared variables, see [14, 15] . This work also describes how to encode, what are called, timed ready simulation relations as reachability properties.
In order to decide whether A TR B, we check whether the error-location is reachable in the network consisting of A and B err . Note that B err is not deterministic, even if B is not so. Assume that B is a deterministic automaton. Then A TR B ⇐⇒ error is not reachable in (A B err ) \ Names.
A.42 The construction of A r and B r
If B is non-deterministic, then we can try to make it deterministic by renaming its labels and then use the above method to verify trace inclusion.
Definition 7.
A renaming function is a function h : Names → Names ∪ {τ }. For an automaton (respectively, a TLTS) A, we denote by A h the automaton (respectively, the TLTS) obtained by replacing every visible action a? in A by h(a)? and a! by h(a)!. Lemma 2. Let A, B be automata (respectively, TLTSs) and let h be a renaming function on A. Then
h .
The preceding result shows that, for proving A 
