Radboud University Nijmegen

# PDF hosted at the Radboud Repository of the Radboud University Nijmegen

The version of the following full text has not yet been defined or was untraceable and may differ from the publisher's version.

For additional information about this publication click this link. http://hdl.handle.net/2066/18759

Please be advised that this information was generated on 2017-12-05 and may be subject to change.

Gambling for Leadership: Verification of Root Contention in IEEE 1394

M.I.A. Stoelinga

Computing Science Institute/

CSI-R9904 March 1999

Computing Science Institute Nijmegen Faculty of Mathematics and Informatics Catholic University of Nijmegen Toernooiveld 1 6525 ED Nijmegen The Netherlands

# Gambling for Leadership: Verification of Root Contention in IEEE 1394

Mariëlle Stoelinga Computing Science Institute University of Nijmegen P.O. Box 9010, 6500 GL Nijmegen, The Netherlands marielle@cs.kun.nl

#### Abstract

This report presents a formal verification of root contention in IEEE 1394. Root contention is a simple yet realistic protocol that solves leader election for two processes, using coin flips.

The verification has been carried out in the probabilistic automaton model of [Seg95]. Correctness of an implementation automaton w.r.t. a specification automaton is defined as so-called fair trace distribution inclusion.

Similarly to the non-probabilistic setting, probabilistic simulation relations provide a technique for proving trace distribution inclusion. Then additional reasoning proves fair trace distribution inclusion. Our verification follows this strategy. We introduce two simulation relations, viz. probabilistic step refinements and probabilistic hyperstep refinements. These notions are not very complicated and are sufficient in our verification. They are special cases of the simulation relations from [Seg95].

The verification also involves non-probabilistic techniques. For instance, the invariants have been checked with the model checker SMV.

Key words and phases: IEEE 1394, leader election algorithms, communication protocols, probabilistic and distributed algorithms, formal verification, SMV, probabilistic automata.

**AMS Subject Classification:** 68Q10, 68Q22, 68Q60, 68Q75. **CR Subject Classification:** C.2.2, C.3, F.1.2, K.1.

# 1 Introduction

Recently, the analysis of probabilistic, distributed algorithms and protocols has gained new attention. Various methods and formalisms have been extended with probabilism and quite some case studies have been carried out using these formalisms, c.f. [Agg94, PSL97].

This report verifies a small sub-protocol of the IEEE 1394 protocol, called root contention. The IEEE 1394 high performance serial bus [IEE96, IEE98], also called FireWire, has been developed for interconnecting computer and consumer equipment, such as PCs, VCRs and CD players. The bus is "hot pluggable," which means that equipment can be added and removed at any time, and allows quick, reliable and inexpensive high-bandwidth transfer. This protocol probably becomes the new standard for connecting digital multimedia equipment. Various parts of IEEE have been verified formally, see [DGRV97, Sha98, Lut97]. However, as far as we know, root contention has not.

Root contention in IEEE 1394 is a simple but realistic protocol that involves both real-time and probabilistic aspects. As a first approach we abstract from the real-time aspects and model time passage by discrete actions. The verification in this report is carried out in the probabilistic automaton model from [Seg95]. Following the tradition, the correctness of the protocol is proven by establishing a probabilistic simulation relation between the implementation and the specification, both probabilistic automata.

The probabilistic simulation relations from [Seg95] are rather complex. In order to simplify the simulation proofs, this report introduces the notions of probabilistic step refinement and of probabilistic hyperstep refinement. These are rather obvious extensions of non-probabilistic simulations. However, it has taken some effort to find a formulation which makes the definition fit into the standard pattern of simulation relations.

The strategy followed in the simulation proof is the following. Given the protocol specification P and the abstract specification S, we define two intermediate automata, I and A. The automaton I abstracts from the message passing in Pbut keeps all probabilistic choices. The automaton A combines the probabilistic choices in I. Then we can separate our concerns. The simulation between P and I, a probabilistic step refinement, is easy from probabilistic point of view and mainly deals with traditional, non-probabilistic techniques like proving invariants. Therefore, existing tools for the analysis of non-probabilistic systems can be used. We have checked the invariants with the tool SMV. The probabilistic analysis is concentrated in the simulation relations between between I and A and between A and S. Since these automata are small, this is not so difficult any more.

Furthermore, we have proven inclusion of fair behaviour – technically: fair trace distribution inclusion – between the protocol specification P and the high level specification S. Therefore, we have developed a result that reduces reasoning about fair probabilistic executions to reasoning about fairness of (non-probabilistic) executions.

This report is organized as follows. Section 2 recalls some probability theory and Section 3 introduces the probabilistic automaton model. Section 4 provides automaton models of the implementation and the specifications of the root contention protocol. Then Sections 6 and 7 proves the simulation relations. Finally section 8 presents the conclusions and some topics for future research.

# 2 Probability theory

This section recalls some probability theory. We denote the set  $\mathbb{R} \cup \{\infty\}$  by  $[0, \infty]$ .

#### Summation over index sets

**Definition 2.1** Let  $\mathcal{I}$  be a(n index) set and  $x_i \in [0, \infty]$  for all  $i \in \mathcal{I}$ . Define  $\sum_{i \in \mathcal{I}} x_i$  by

- 1.  $\sum_{i \in \emptyset} x_i \stackrel{\mathrm{d}}{=} 0;$
- 2.  $\sum_{i \in \mathcal{I}} x_i \stackrel{d}{=} x_{i_1} + x_{i_2} + x_{i_3} + \dots + x_{i_n}$ , if  $\mathcal{I}$  is finite, nonempty and  $\mathcal{I} = \{i_1, i_2, i_3, \dots, i_n\};$
- 3.  $\sum_{i \in \mathcal{I}} x_i \stackrel{d}{=} \sup \{\sum_{i \in \mathcal{I}} x_i \mid \mathcal{J} \subseteq \mathcal{I} \text{ is finite }\}, \text{ if } \mathcal{I} \text{ is infinite.}$

Here supr X denotes the supremum, i.e. the smallest upper bound, of the set X. Notice that that  $\sum_{i \in \mathbb{N}} x_i = \sum_{i=0}^{\infty} x_i$  because the summation order is irrelevant, due to the fact that  $x_i \geq 0$ .

**Fact 2.2** Let  $\mathcal{I}, \mathcal{I}_1, \mathcal{I}_2, \ldots$  be sets,  $\mathcal{I} = \bigcup_{n \in \mathbb{N}} \mathcal{I}_n$  and  $x_i \in [0, \infty]$  for all  $i \in \mathcal{I}$ .

- 1. If  $\mathcal{I}_1 \subseteq \mathcal{I}_2$ , then  $\sum_{i \in \mathcal{I}_1} x_i \leq \sum_{i \in \mathcal{I}_2} x_i$ ;
- 2. If  $\mathcal{I}_1 \subseteq \mathcal{I}_2 \subseteq \mathcal{I}_3, \ldots$ , then  $\sum_{i \in \mathcal{I}} x_i = \lim_{n \to \infty} \sum_{i \in \mathcal{I}_n} x_i$ ;
- 3. If  $\mathcal{I}_1, \mathcal{I}_2, \mathcal{I}_3, \ldots$  are pairwise disjoint, then  $\sum_{i \in \mathcal{I}} x_i = \sum_{n \in \mathbb{N}} \sum_{i \in \mathcal{I}_n} x_i$ .

**Fact 2.3** Let  $\mathcal{I}$  be a set,  $x_i \in [0, \infty]$  for all  $i \in \mathcal{I}$  and  $\sum_{i \in \mathcal{I}} x_i < \infty$ . Then the set  $\{x_i \in [0, \infty] \mid x_i > \varepsilon, i \in \mathcal{I}\}$  is finite for every  $\varepsilon > 0$  and  $\{x_i \in [0, \infty] \mid x_i > 0, i \in \mathcal{I}\}$  is countable.

#### **Probability spaces and distributions**

**Definition 2.4** A probability space is a triple  $(\Omega, \mathcal{F}, \mathbf{P})$ , where

- $\Omega$  is a set, called the *sample space*,
- $\mathcal{F} \subseteq 2^{\Omega}$  is  $\sigma$ -field, i.e. a collection of subsets of  $\Omega$  which is closed under countable<sup>1</sup> union and complement and which contains  $\Omega$ ,
- $\mathbf{P}: \mathcal{F} \to [0, 1]$  is a probability measure on  $\mathcal{F}$ , which means that  $\mathbf{P}[\Omega] = 1$  and for any countable collection  $\{C_i\}_i$  of pairwise disjoint subsets in  $\mathcal{F}$  we have  $\mathbf{P}[\cup_i C_i] = \sum_i \mathbf{P}[C_i].$

If  $\{x\} \in \mathcal{F}$  then we write  $\mathbf{P}[x]$  for  $\mathbf{P}[\{x\}]$ . If  $\mathcal{P}$  is a probability space, we denote its sample space by  $\Omega_{\mathcal{P}}$ , its  $\sigma$ -field by  $\mathcal{F}_{\mathcal{P}}$  and its probability measure by  $\mathbf{P}_{\mathcal{P}}$ .

**Definition 2.5** A probability distribution (function) over a set X is a function  $\mu: X \to [0,1]$  such that

$$\sum_{x \in X} \mu(x) = 1.$$

Define the support of  $\mu$  by  $\operatorname{supp}(\mu) \stackrel{d}{=} \{ \mathbf{x} \in \mathbf{X} \mid \mu(\mathbf{x}) > 0 \}$ . By fact 2.3 this is a countable set. We denote the set of all probability distributions over X by  $\Pi(X)$ .

**Remark 2.6** A probability space  $(\Omega, \mathcal{F}, \mathbf{P})$  is discrete if  $\mathcal{F} = 2^{\Omega}$  and  $\mathbf{P}[C] = \sum_{x \in C} \mathbf{P}[x]$ , for all  $C \subseteq \Omega$ . A discrete probability space  $(\Omega, \mathcal{F}, \mathbf{P})$  determines a unique probability distribution  $f : \Omega \to [0, 1]$  by  $f(x) = \mathbf{P}[x]$ . Conversely, a probability distribution f determines a unique discrete probability space: take  $\Omega = X$ ,  $\mathcal{F} = 2^{\Omega}$  and  $\mathbf{P}[C] = \sum_{x \in C} f(x)$  for all  $C \subseteq \Omega$ .

We denote a (probability distribution) function f on a countable domain by enumerating it as a set of pairs. So, if  $\text{Dom}(f) = \{x_1, x_2 \dots\}$  then denote f by  $\{x_1 \mapsto f(x_1), x_2 \mapsto f(x_2) \dots\}$ . If the domain of f is known, then we often leave out elements of probability zero. For instance, the probability distribution assigning probability one to an element  $x \in X$  is denoted by  $\{x \mapsto 1\}$ , irrespective of X. Such distribution is called the *Dirac distribution* over x. The *uniform distribution* over a finite set, say  $\{x_1, \dots, x_n\}$ , is given by  $\{x \mapsto \frac{1}{n}, \dots, x_n \mapsto \frac{1}{n}\}$ .

**Definition 2.7** Let X and Y be sets. If  $\mu \in \Pi(X)$  and  $\nu \in \Pi(Y)$  then the *product*  $\mu \times \nu : X \times Y \to [0, 1]$  defined by

$$(\mu \times \nu)(x,y) \stackrel{\mathrm{d}}{=} \mu(x) \cdot \nu(y)$$

is a probability distribution over  $X \times Y$ .

<sup>&</sup>lt;sup>1</sup>In our terminology, countable objects include finite ones.

The operation above can also be defined for general probability spaces by a more complex definition, see [Seg95].

**Definition 2.8** Let  $\mathcal{P} = (\Omega, \mathcal{F}, \mathbf{P})$  be a probability distribution,  $\Omega'$  a set and  $f : \Omega \to \Omega'$  be a function. Define the *image space of*  $\mathcal{P}$  *under* f, notation  $f_*(\mathcal{P})$ , as the triple consisting of

- 1.  $f(\Omega)$ ;
- 2.  $\{X \in 2^{f(\Omega)} \mid f^{-1}(X) \in \Omega_{\mathcal{P}}\};\$
- 3.  $\mathbf{P} \circ f^{-1}$ .

It is not difficult to show that  $f_*(\mathcal{P})$  is a probability space indeed. If  $\mathcal{P}$  is discrete, then so is  $f_*(\mathcal{P})$ . We write  $f_*(\mu)$  to indicate the distribution function associated to  $f_*(\mathcal{P}_{\mu})$ , where  $\mathcal{P}_{\mu}$  is the distribution function associated to  $\mu$ .

**Lemma 2.9** The operations \* and  $\circ$  commute, that is  $(g \circ f)_* = g_* \circ f_*$  for all functions  $f: X \to Y$  and  $g: Y \to Z$ .

The below definition gives two formulations for choosing a probability space with a certain probability.

- **Definition 2.10** 1. If  $\{p_i\}_{i \in \mathcal{I}}$  is a collection of reals in [0, 1] such that  $\sum_i p_i = 1$  and  $\mu_i \in \Pi(X_i)$  for all  $i \in \mathcal{I}$ , then  $x \mapsto \sum_i p_i \cdot \mu_i(x)$  is a probability space over  $\bigcup_i X_i$ .
  - 2. Let X be a set and  $\mu \in \Pi(\Pi(X))$ . Then  $\mu$  induces a probability distribution  $\mu_F$  on X, given by

$$\mu_F(x) = \sum_{\nu \in \Pi(X)} \mu(\nu) \cdot \nu(x).$$

for all  $x \in X$ . We call  $\mu_F$  the fold of  $\mu$ . The idea is that  $\mu_F$  chooses between all probability distributions the distribution  $\nu$  with probability  $\mu(\nu)$  and then elements x of X with probability  $\nu(x)$ .

**Example 2.11** Let x, y, z denote different elements.

1. If  $f : \{x, y\} \to Y$  for some set Y, then

$$f_*(\lbrace x \mapsto \frac{1}{3}, y \mapsto \frac{2}{3} \rbrace) = \begin{cases} \lbrace f(x) \mapsto 1 \rbrace & \text{if } f(x) = f(y), \\ \lbrace f(x) \mapsto \frac{1}{3}, f(y) \mapsto \frac{2}{3} \rbrace & \text{otherwise;} \end{cases}$$

3. If  $\mu\{x \mapsto \frac{1}{3}, y \mapsto \frac{2}{3}\} = \frac{1}{2}$  and  $\mu\{x \mapsto \frac{1}{2}, z \mapsto \frac{1}{2}\} = \frac{1}{2}$ , then  $\mu_F = \frac{1}{2} \cdot \{x \mapsto \frac{1}{3}, y \mapsto \frac{2}{3}\} + \frac{1}{2} \cdot \{x \mapsto \frac{1}{2}, z \mapsto \frac{1}{2}\}$  $= \{x \mapsto \frac{5}{13}, y \mapsto \frac{1}{2}, z \mapsto \frac{1}{4}\}.$ 

# 3 Probabilistic probabilistic automata

This section introduces probabilistic automata and their behaviour. Most of the concepts in 3.1 and 3.2 have been taken over from [Seg95]. However, we have reformulated their definitions to a form that we believe is more readable.

#### 3.1 The model

**Definition 3.1** A probabilistic automaton A consists of five components:

- 1. a set  $states_A$  of states;
- 2. a nonempty set  $start_A \subseteq states_A$  of start states;
- 3. an action signature  $sig_A = (ext_A, int_A)$ , consisting of external and internal actions respectively. Then define the set of actions as  $act_A \stackrel{d}{=} ext_A \cup int_A$ ;
- 4. a transition relation  $trans_A \subseteq states_A \times act_A \times \Pi(states_A)$ . We write  $s \xrightarrow{a}_A \mu$  if  $(s, a, \mu) \in trans_A$ ;
- 5. a *task partition tasks*<sub>A</sub>, which is a partial equivalence relation over  $act_A$  with countably many equivalence classes.

Sometimes, a more general definition of probabilistic automata is given by having  $trans_A \subseteq states_A \times \Pi(act_A \times states_A)$ . In this context the probabilistic automata from the definition are called *simple* probabilistic automata.

**Definition 3.2** Let A be a probabilistic automaton. The automaton  $A^-$ , the non-probabilistic variant of A, which behaves like A but discards all probabilistic information, is defined by

- 1.  $states_{A^-} \stackrel{d}{=} states_A;$
- 2.  $start_{A^-} \stackrel{\mathrm{d}}{=} start_A;$
- 3.  $sig_{A^-} \stackrel{\mathrm{d}}{=} sig_A;$
- 4.  $trans_{A^-} \stackrel{d}{=} \{s \stackrel{a}{\to}_{A^-} s' \mid \exists \mu \in \Pi(states_A) [s \stackrel{a}{\to}_A \mu \land \mu(s') > 0\};$
- 5.  $tasks_{A^-} \stackrel{d}{=} tasks_A$ .

**Definition 3.3** For a probabilistic automaton A define  $reach_A$ , the set of *reachable* states of A, by  $reach_A \stackrel{d}{=} reach_{A^-}$ .

**Definition 3.4** Let A be a probabilistic automaton and  $X \subseteq ext_A$ . The restriction of A to X, notation  $A \upharpoonright_X$ , is defined by

- 1.  $states_{A \upharpoonright x} \stackrel{d}{=} states_A;$
- 2.  $start_{A \upharpoonright x} \stackrel{d}{=} start_A;$
- 3.  $sig_{A \upharpoonright X} \stackrel{\mathrm{d}}{=} (X, act_A \setminus X);$
- 4.  $trans_{A \upharpoonright x} \stackrel{d}{=} trans_A;$
- 5.  $tasks_{A \uparrow x} \stackrel{d}{=} tasks_A$ .

**Fact 3.5** For all probabilistic automata A and  $X \subseteq ext_A$  we have  $A^- \upharpoonright_X = (A \upharpoonright_X)^-$ .

**Definition 3.6** Let  $A_1$  and  $A_2$  be two probabilistic automata.

- 1. Then  $A_1$  and  $A_2$  are *compatible* if
  - (a)  $int_{A_1} \cap act_{A_2} = \emptyset$ ,  $act_{A_1} \cap int_{A_2} = \emptyset$  and

- (b) for all  $C_1 \in task_{A_1}$ ,  $C_2 \in task_{A_2}$ , either  $C_1 \cap C_2 = \emptyset$  or  $C_1 = C_2$ .
- 2. For  $A_1$  and  $A_2$  compatible define the *parallel composition* of  $A_1$  and  $A_2$ , notation  $A_1 \parallel A_2$ , by
  - (a)  $states_{A_1||A_2} = states_{A_1} \times states_{A_2};$
  - (b)  $start_{A_1||A_2} = start_{A_1} \times start_{A_2};$
  - (c)  $sig_{A_1||A_2} = (ext_{A_1} \cup ext_{A_2}, int_{A_1} \cup int_{A_2});$
  - (d)  $trans_{A_1||A_2}$  is the set of triples  $((s_1, s_2), a, \mu_1 \times \mu_2)$  such that for i = 1, 2, if  $a \in act_{A_i}$  then  $(s_i, a, \mu_i) \in trans_{A_i}$ , otherwise  $\mu_i = \{s_i \mapsto 1\}$ ;
  - (e)  $tasks_{A_1||A_2} = tasks_{A_1} \cup tasks_{A_2}$ .

Informally, two probabilistic automata synchronize on their common actions and evolve independently on others. Whenever synchronization occurs, the state reached is obtained by choosing a state independently for both probabilistic automata. See Remark 3.24 for a comment on the treatment of task partitions.

# 3.2 The behaviour of probabilistic automata

**Definition 3.7** An execution (execution fragment, trace) of a probabilistic automaton A is an execution (execution fragment, trace) of  $A^-$ . The set of executions (execution fragments, traces) and finite executions (execution fragments, traces) of A are respectively denoted by execs(A)(frags(A), traces(A)) and by  $execs^*(A)$  (frags<sup>\*</sup>(A), traces<sup>\*</sup>(A)).

An execution fragment is the result of resolving both probabilistic and nondeterministic choices. A *probabilistic* execution fragment only resolves the nondeterministic choices. In any state of the probabilistic execution fragment, we choose probabilistically between the enabled transitions. We choose  $\delta$  to obtain a finite execution (with some probability). Each of these executions lead to a Markov chain, which allows us to compute the probabilities on the behaviour obtained by the specific choice of resolving the nondeterminism.

**Definition 3.8** A probabilistic execution fragment E of a probabilistic automaton A consists of three components.

- 1. A state space  $states_E \subseteq frags^*(A) \cup frags^*(A) \cdot \delta$ ;
- 2. A start state  $start_E \in states_E \cap frags^*(A)$ ;
- 3. A transition function  $trans_E : states_E \to \Pi(states_E)$  such that
  - (a) for all  $\alpha \in states_E \cap frags^*(A)$  there is a  $\mu_{\alpha} \in \Pi(trans_A(last(\alpha)) \cup \{\delta\})$ satisfying

$$trans_{E}(\alpha)(\alpha\delta) = \mu_{\alpha}(\delta),$$
  
$$trans_{E}(\alpha)(\alpha as) = \sum_{\nu:(last(\alpha), a, \nu) \in trans_{A}} \mu_{\alpha}(a, \nu) \cdot \nu(s)$$

(b) and for all  $\alpha \in states_E \cap frags^*(A) \cdot \delta$ 

 $trans_E(\alpha)(\alpha) = 1.$ 

Here  $trans_A(t)$  denotes  $\{(a, \nu) \mid (t, a, \nu) \in trans_A\}$ . Notice that  $trans_E(\alpha)$  indeed is a probability distribution over  $states_E$ . The idea is that  $\mu_{\alpha}$  chooses probabilistically between all transitions starting from  $last(\alpha)$  and  $\delta$ . Furthermore, we require that every state in  $states_E$  is reachable from  $start_E$  via the relation  $\{(\alpha, \alpha') \mid trans_E(\alpha)(\alpha') > 0\}$ .

A probabilistic execution E is a probabilistic execution fragment such that  $start_E \in start_A$ . The set of probabilistic execution (fragments) is denoted by pexecs(A) (pfrags(A)).

**Fact 3.9** 1. A probabilistic execution fragment E is a Markov chain over states<sub>E</sub>.

2. The state space states E is countable, due to the reachability condition.

A Markov chain allows us to compute the probability of reaching a state. Hence, we can compute the probability on (certain) sets of execution fragments, given a probabilistic execution. The following definition associates a probability space to a probabilistic execution fragment.

**Definition 3.10** The associated probability space  $E = (\Omega_E, \mathcal{F}_E, \mathbf{P}_E)$  of a probabilistic execution fragment E is defined by

- 1.  $\Omega_E$  is the limit closure of  $states_E$  under the prefix order  $\sqsubseteq$ ;
- 2.  $\mathcal{F}_E$  is the smallest  $\sigma$ -field that subsumes the set  $\{C_\alpha \mid \alpha \in states_E\}$ . Here  $C_\alpha$  is the cone on  $\alpha$ , defined by  $C_\alpha \stackrel{\mathrm{d}}{=} \{\beta \in \Omega_E \mid \alpha \sqsubseteq \beta\};$
- 3.  $\mathbf{P}_E$  is the unique measure on  $\mathcal{F}_E$  such that  $\mathbf{P}_E[C_\alpha]$  is the product of the probabilities on the (shortest) path starting in the start state of E and leading to  $\alpha$ . So  $\mathbf{P}_E[C_{s_0a_1s_1a_2...a_ns_n}] = trans_E(s_0) \cdot trans_E(s_0a_1s_1) \cdots trans_E(s_0a_1s_1...a_ns_n)$ .

The fact that  $(\Omega_E, \mathcal{F}_E, \mathbf{P}_E)$  is well-defined follows from standard measure theory arguments, see in [Seg95] for a similar case and [Hal50] for a more general treatment. When no confusion arises, we denote both the probabilistic execution fragment and its associated probability space by E.

The following definition allows us to compute the probability on (certain) sets of traces given a probabilistic execution.

**Definition 3.11** The *trace distribution* H of a probabilistic execution fragment E of A is the probability space given by

- 1.  $\Omega_H = ext_A^* \cup ext_A^\infty;$
- 2.  $\mathcal{F}_H$  is the smallest  $\sigma$ -field that subsumes the set  $\{C_\alpha \mid \alpha \in ext^*(A)\}$ . Now  $C_\alpha \stackrel{\mathrm{d}}{=} \{\beta \in \Omega_H \mid \alpha \sqsubseteq \beta\};$

3. 
$$\mathbf{P}_H = \mathbf{P}_E \circ trace^{-1}$$
, that is  $\mathbf{P}_H[X] = \mathbf{P}_E[trace^{-1}(X)]$  for all  $X \in \mathcal{F}_H$ .

The fact that  $(\Omega_H, \mathcal{F}_H, \mathbf{P}_H)$  is well-defined follows from the fact that  $X \in \mathcal{F}_H \implies trace^{-1}(X) \in \mathcal{F}_E$ , see [PSL97] and [Hal50]. Notice that the probability space above is quite similar to the image space  $trace_*(E)$ , but that it may contain some more elements, which all have probability zero.

**Notation 3.12** The set of trace distributions of A is denoted by trdistr(A). If  $trdistr(A) \subseteq trdistr(B)$  then we write  $A \sqsubseteq_{TD} B$ . It is obvious that  $\sqsubseteq_{TD}$  is a partial order.

# 3.3 Step refinements and hyperstep refinements

This section introduces two new probabilistic simulation relations, viz. probabilistic step refinements and probabilistic hyperstep refinements. We show that these are sound for trace distribution inclusion.<sup>2</sup>

#### **Probabilistic step refinements**

**Definition 3.13** Let A, B be two probabilistic automata with the same external actions. A probabilistic step refinement is a function  $r : states_A \rightarrow states_B$  such that:

- 1. for all  $s \in start_A, r(s) \in start_B$ ;
- 2. for all  $s \in reach_A, a \in act_A, \mu \in \Pi(states_A)$ , if  $s \xrightarrow{a}_A \mu$  then either of the following conditions is met:
  - (a)  $r(s) \xrightarrow{a}_{B} r_{*}(\mu)$  or
  - (b)  $a \in int_A \wedge r(s) \xrightarrow{a'}_B r_*(\mu)$  for some  $a' \in int_B$  or
  - (c)  $a \in int_A \wedge r_*(\mu) = \{r(s) \mapsto 1\}.$

We write  $A \sqsubseteq_{\text{PSR}} B$  if there is a probabilistic step refinement between A and B. Remark that the third condition is equivalent to  $a \in int_A \land \forall s' \in \text{supp}(\mu)[r(s') = r(s)].$ 

**Example 3.14** The following diagrams illustrate three typical situations that may occur if r is a probabilistic step refinement from A to B. The transitions on the left are steps of the probabilistic automaton A, those on the right of B.

Condition 2a. and  $r(t_1) \neq r(t_2) \neq r(t_3) \neq r(t_1)$ :



Condition 2b.,  $a \in int_A$ ,  $a' \in int_B$  and  $r(t_1) = r(t_2) \neq r(t_3)$ :



Condition 2c. and  $a \in int_A$ :



<sup>&</sup>lt;sup>2</sup>Concerning the terminology, we use the prefix *hyper* to refer to a probabilistic simulation of type  $states_A \times \Pi(states_B)$ . Our simulation relations abstract from internal computation, so one could could add the adjective "weak" to their names.

**Fact 3.15** If r is a probabilistic step refinement from A to B then it is a step refinement from  $A^-$  to  $B^-$  and a probabilistic step refinement from  $A \upharpoonright_X$  to  $B \upharpoonright_X$  for all  $X \subseteq ext_A$ .

**Theorem 3.16** The relation  $\sqsubseteq_{PSR}$  is a preorder, i.e. it is reflexive and transitive.

PROOF: Reflexivity is obvious. For transitivity, suppose r is a probabilistic refinement from A to B and u is one from B to C. We claim that  $u \circ r$  is a probabilistic step refinement from A to C. In fact the proof, which is spelled out below, is similar to the proof of transitivity for non-probabilistic step refinements. We only need that  $u_* \circ r_* = (u \circ r)_*$ .

**condition 1** Obviously, if  $s \in start_A$ , then  $(u \circ r)(s) \in start_C$ .

**condition 2** Assume  $s \xrightarrow{a}_{A} \mu$ . As r is a probabilistic step refinement from A to B we have the following cases.

- 1.  $a \in int_A$  and  $r_*(\mu) = \{r(s) \mapsto 1\}$ . Then  $(u_* \circ r_*)(\mu) = u_*(\{r(s) \mapsto 1\}) = u_*(\{r(s) \mapsto 1\}) = \{u(r(s)) \mapsto 1\};$
- 2.  $r(s) \xrightarrow{a}_{B} r_{*}(\mu)$ . As *u* is a probabilistic step refinement we are in either of the following cases:
  - (a)  $a \in int_B$  and  $u_*(r_*(\mu)) = \{u(r(s)) \mapsto 1\}$ . Then  $a \in int_A$  by  $ext_A = ext_B$ and  $(u \circ r)_*(\mu) = \{u(r(s)) \mapsto 1\}$  by  $u_* \circ r_* = u \circ r$ . Therefore,  $u \circ r$  is a probabilistic step refinement from A to C;.
  - (b)  $u(r(s)) \xrightarrow{a}_{C} u_*(r_*(\mu))$ . Then  $(u \circ r)(s) \xrightarrow{a}_{C} (u \circ r)_*(\mu)$  by  $(u \circ r)_* = u_* \circ r_*$  and therefore  $u \circ r$  is a probabilistic step refinement from A to C;
  - (c)  $u(r(s)) \xrightarrow{a''}_{C} u_*(r_*(\mu))$  and  $a' \in int_B$  and  $a'' \in int_C$ : similarly to the case above;
- 3.  $r(s) \xrightarrow{a'}_{B} r_*(\mu), a \in int_A \text{ and } a' \in int_B$ : similarly to the above case.

Therefore,  $u \circ r$  is a probabilistic step refinement from A to C.  $\Box$ 

#### **Probabilistic hyperstep refinements**

**Definition 3.17** Let X, Y be sets and  $R \subseteq X \times \Pi(Y)$ . Define the *lifting of* R to  $\Pi(X) \times \Pi(Y)$ , notation  $R_{**}$ , as the set of pairs  $(\mu, \nu) \in \Pi(X) \times \Pi(Y)$  such that there exists a choice function  $r : \operatorname{supp}(\mu) \to \Pi(Y)$  for R, (i.e. a function such that  $(x, r(x)) \in R$  for all  $x \in \operatorname{supp}(\mu)$ ) satisfying

$$\sum_{x \in \text{supp}(\mu)} \mu(x) \cdot r(x) = \nu.$$

The idea is that we can obtain  $\nu$  by choosing the probability distribution r(x), which should be related to x, with probability  $\mu(x)$ . The above sum is a probability distribution by Definition 2.10.

**Fact 3.18** If R is a function – considered as a set of pairs – then so is  $R_{**}$  and for all  $\mu \in \Pi(X)$ 

$$R_{**}(\mu) = \sum_{x \in X} \mu(x) \cdot R(x) = \{R(x) \mapsto \mu(x) \mid x \in X\}_F.$$

**Example 3.19** Given a probabilistic automaton A and an action  $a \in act_A$ , we can lift the relation  $\xrightarrow{a}$  over  $states_A \times \Pi(states_A)$  to the relation  $\xrightarrow{a}_{**}$  over  $\Pi(states_A) \times \Pi(states_A)$ . For instance, if  $s_1 \xrightarrow{a} \mu_1$ ,  $s_2 \xrightarrow{a} \mu_2$  and  $s_1 \neq s_2$ , then

$$\{s_1 \mapsto \frac{1}{3}, s_2 \mapsto \frac{2}{3}\} \xrightarrow{a} ** \frac{1}{3} \cdot \mu_1 + \frac{2}{3} \cdot \mu_2.$$

Intuitively, if  $s_1 \xrightarrow{a} \mu_1$ ,  $s_2 \xrightarrow{a} \mu_2$  and the probability on being in  $s_1$  is  $\frac{1}{3}$  and on being in  $s_2$  is  $\frac{2}{3}$ , then we choose the next state according to  $\mu_1$  with probability  $\frac{1}{3}$  and according to  $\mu_2$  with probability  $\frac{2}{3}$ . If there is another *a*-transition, say  $s_2 \xrightarrow{a} \nu$ , then we can also choose the next state according to  $s_1$  with probability  $\frac{1}{3}$  and according to  $\nu$  with probability  $\frac{2}{3}$ . Hence

$$\{s_1 \mapsto \frac{1}{3}, s_2 \mapsto \frac{2}{3}\} \xrightarrow{a} * * \frac{1}{3} \cdot \mu_1 + \frac{2}{3} \cdot \nu.$$

We do *not* have

$$\{s_1 \mapsto \frac{1}{3}, s_2 \mapsto \frac{2}{3}\} \xrightarrow{a} ** \frac{1}{3} \cdot \mu_1 + \frac{1}{3} \cdot \mu_2 + \frac{1}{3} \cdot \nu.$$

Furthermore, if the sequence  $s_1, s_2, \ldots$  is such that  $s_i \xrightarrow{a} \mu_i$  and  $s_i \neq s_j$  for  $i \neq j$ , then we have that

$$\{s_i \mapsto \frac{1}{2^i} \mid i \in \mathbb{N}\} \xrightarrow{a}_{**} \sum_{i \in \mathbb{N}} \frac{1}{2^i} \cdot \mu_i.$$

Notice that in fact the tuple  $(\Pi(states_A), \{\{s \mapsto 1\} \mid s \in startA\}, sig_A, \rightarrow_{A^{**}})$  is in fact a non-probabilistic automaton. However, the moves of this automaton do not coincide with the lifting of the moves of the automaton A.

**Definition 3.20** Let A, B be two probabilistic automata with the same external actions. A probabilistic hyperstep refinement is a function  $R : states_A \to \Pi(states_B)$  such that:

- 1. for all  $s \in start_A$ ,  $R(s) = \{s' \mapsto 1\}$  for some  $s' \in start_B$ ;
- 2. for all  $s \in reach_A$ ,  $a \in act_A$  and  $\mu \in \Pi(states_A)$ , if  $s \xrightarrow{a}_A \mu$  then either of the following conditions hold
  - (a)  $R(s) \xrightarrow{a}_{B^{**}} R_{**}(\mu)$  or
  - (b)  $a \in int_A \land R(s) \xrightarrow{a'}_{B^{**}} R_{**}(\mu)$  for some  $a' \in int_B$  or
  - (c)  $a \in int_A \wedge R(s) = R_{**}(\mu)$ .

We write  $A \sqsubseteq_{\text{PHSR}} B$  if there is a probabilistic hyperstep refinement between A and B.

The idea of the above notion is the following. If  $s \stackrel{a}{\to}_A \mu$  and  $R(s) = \nu$ , then the state  $s \in states_A$  is simulated by the state  $t \in states_B$  with probability  $\nu(t)$ . Consider case 2a. We require that, for t with  $\nu(t) > 0$ , there is a  $\nu'_t$  such that  $t \stackrel{a}{\to}_B \nu'_t$  and this transition is simulated with probability  $\nu(t)$  too: the requirement implies  $\nu \stackrel{a}{\to}_{B^{**}} \sum_t \nu(t) \cdot \nu'_t = \vartheta$  by definition of  $\to_{**}$ . As R is a simulation relation,  $\mu$  should be related to  $\vartheta$ , which means  $R_{**}(\mu) = \vartheta$ .

The following theorem establishes some relations between the preorders defined in this section. It implies that the simulations  $\sqsubseteq_{\text{PSR}}$  and  $\sqsubseteq_{\text{PHSR}}$  are sound for trace distribution inclusion. The proof is based on the soundness result for the simulation relation  $\sqsubseteq_{\text{PFS}}$  from [Seg95], where  $A \sqsubseteq_{\text{PFS}} B$  means that there is a probabilistic forward simulation from A to B. **Theorem 3.21** Let A, B be probabilistic automata with the same external actions.

- 1. If  $A \sqsubseteq_{\text{PSR}} B$  then  $A \sqsubseteq_{\text{PHSR}} B$ ;
- 2. if  $A \sqsubseteq_{\text{PHSR}} B$  then  $A \sqsubseteq_{\text{PFS}} B$ ;
- 3. if  $A \sqsubseteq_{\text{PFS}} B$  then  $A \sqsubseteq_{\text{TD}} B$ .

## 3.4 Fairness in probabilistic automata

This section introduces notions of fairness for executions, traces, probabilistic executions and trace distributions. We state a result that concludes inclusion of fair trace distributions from fair trace inclusion via a probabilistic step refinement.

**Definition 3.22** Let A be a (probabilistic) automaton.

- 1. An execution of A is called *(weakly)* fair if the following conditions hold for each class C of  $tasks_A$ :
  - (a) if α is finite then none of the actions in C is enabled in the final state of α;
  - (b) if  $\alpha$  is infinite, then  $\alpha$  contains either infinitely many actions from C or infinitely many occurrences of states in which no action in C is enabled;

2. a trace of A is *fair* in A if it is the trace of a fair execution.

The sets of fair executions and fair traces of A are denoted by fexecs(A) and ftraces(A) respectively.

**Lemma 3.23** Let  $A_1, A_2$  be (probabilistic) automata and let  $\alpha$  be an execution of  $A_1 \parallel A_2$ . If the projections of  $\alpha$  on A and B are both fair, then  $\alpha$  is fair.

PROOF: Let  $\alpha = s_0 a_1 s_1 \ldots = (s_{0,1}, s_{0,2}) a_1(s_{1,1}, s_{1,2}) a_2(s_{2,1}, s_{2,2}) a_3 \ldots$  be an execution of  $A_1 \parallel A_2$ . Let C be a task class from  $tasks_{A_i \parallel A_2}$ . Then  $C \in tasks_{A_i}$ , for i = 1 or i = 2. We prove that  $\alpha$  is fair with respect to C by distinguishing between the following cases.

- 1. If  $\alpha$  is finite, then the projection of  $\alpha$  on  $A_i$  is finite. Then C is not enabled in the last state of the projection, so neither is C is enabled in the last state of  $\alpha$ . Therefore,  $\alpha$  is fair with respect to C.
- 2. If  $\alpha$  is infinite, then distinguish between two more cases: If the projection of  $\alpha$  to  $A_i$  is finite, then let  $s_{k,i}$  be its last state. Then C is not enabled in  $s_{k,i}$ . The execution  $\alpha$  does not contain actions from  $A_i$  after  $s_k$ . More precisely,  $a_n \notin act_A$  for  $n \geq k$ . But then  $s_{k,i} = s_{n,i}$  for all  $n \geq k$ , which implies that C is disabled in  $s_n$  for all  $n \geq k$ . So, C is infinitely often disabled. Therefore,  $\alpha$  is fair with respect to C.

If the projection of  $\alpha$  to  $A_i$  is infinite, then either the projection contains infinitely many actions in C, in which case  $\alpha$  contains infinitely many infinitely many actions in C, or C is infinitely often disabled in the projection, in which case it is infinitely often disabled in  $\alpha$ . Therefore,  $\alpha$  is fair with respect to C. **Remark 3.24** The definitions of compatible and of task partition we have given here induce a notion of fairness which is different from that of literature, see for example [Lyn96]. In particular, our notion of fairness does not satisfy the properties with respect to compositionality from literature, viz. the converse of 3.23. However, Proposition 7.6 shows that the automaton model P of the protocol does meet this property. The same trivially holds for the other automata defined in this report.

**Lemma 3.25** Let  $E = (\Omega_E, \mathcal{F}_E, \mathbf{P}_E)$  be a probabilistic execution of a probabilistic automaton A. Then fexecs $(A) \cap \Omega_E \in \mathcal{F}_E$ .

**PROOF:** Similar to the proof of the corresponding result in [PSL97].  $\Box$ 

- **Definition 3.26** 1. A probabilistic execution  $E = (\Omega_E, \mathcal{F}_E, \mathbf{P}_E)$  is called *fair* if  $\mathbf{P}_E[fexces(A) \cap \Omega_E] = 1$ 
  - 2. A trace distribution H is called *fair* if it is the distribution of a fair execution.

**Notation 3.27** The set of fair probabilistic executions of A is denoted by fpexecs(A) and the set of fair trace distributions by ftrdistr(A). If  $ftrdistr(A) \subseteq ftrdistr(B)$  then we write  $A \sqsubseteq_{\text{FTD}} B$ . It is obvious that  $\sqsubseteq_{\text{FTD}}$  is a partial order.

## Fairness and probabilistic step refinements

**Lemma 3.28** Let A and B be probabilistic automata with the same external actions. Let  $r : states_A \rightarrow states_B$  be a probabilistic step refinement Then r induces a relation  $\overline{r} \subseteq frags(A) \times frags(B)$  as follows: if  $\alpha = s_0 a_1 s_1 \ldots \in fragsA$ , index( $\alpha$ ) is the index set of  $\alpha$ ,  $\beta = t_0 b_1 t_1 b_2 \ldots \in frags(B)$  and index( $\beta$ ) is the index set of  $\beta$ , then  $\alpha \overline{r} \beta$  holds if and only if there exists a surjective, nondecreasing index mapping  $m : index(\alpha) \rightarrow index(\beta)$ , such that for all  $i \in index(\alpha)$ ,  $j \in index(\beta)$ ,

- 1. m(0) = 0;
- 2.  $r(s_i) = t_{m(i)};$
- 3. if i > 0 then either of the following conditions holds
  - (a)  $a_i = b_{m(i)} \wedge m(i) = m(i-1) + 1$  or
  - (b)  $a_i \in int_A \land b_{m(i)} \in int_B \land m(i) = m(i-1) + 1$  or
  - (c)  $a_i \in int_A \wedge m(i) = m(i-1)$ .

**Fact 3.29** For each probabilistic step refinement r, the relation  $\tilde{r}$  has the following properties: For all  $\alpha \in frags(A)$  and  $\beta \in frags(B)$ 

- 1.  $\alpha \tilde{r}\beta \implies \ln \alpha \ge \ln \beta;$
- 2.  $\alpha \tilde{r}\beta \implies trace(\alpha) = trace(\beta)$ .

**Claim 3.30** ([SV99a]) Let A and B be probabilistic automata with the same external actions and let  $r : states_A \rightarrow states_B$  be a probabilistic step refinement. Then rinduces a function  $\tilde{r} : pfrags(A) \rightarrow pfrags(B)$  with the following properties:

- 1. For all  $E \in frags(A)$ , E and  $\tilde{r}(E)$  have the same trace distribution;
- 2. Assume that  $\forall \alpha \in frags(A), \beta \in frags(B)[\alpha \text{ is fair } \land \alpha \tilde{r}\beta \implies \beta \text{ is fair}].$ Then  $\forall E \in pfrags(A)[E \text{ is fair } \implies \tilde{r}(E) \text{ is fair}].$

**Claim 3.31** ([SV99a]) Let A and B be probabilistic automata with the same external actions and let  $r : states_A \rightarrow states_B$  be a probabilistic step refinement.

- 1.  $A \sqsubseteq_{\text{TD}} B$ .
- 2. If  $\forall \alpha \in frags(A), \beta \in frags(B)[\alpha \text{ is fair } \land \alpha \tilde{r}\beta \implies \beta \text{ is fair}], \text{ then } A \sqsubseteq_{\text{FTD}} B.$

# 4 Root contention in IEEE 1394

The IEEE 1394 protocol is a high performance serial bus protocol, developed for interconnecting consumer equipment such as PCs, VCRs and CD players. The lowest level of this protocol runs a phase, called the Tree Identify Phase, which elects a leader among the components. The leader serves as a bus manager in subsequent phases of the protocol.

The components and their connections are represented respectively as nodes and edges in an undirected graph. In the Tree Identify Phase, the protocol checks whether the graph is a(n undirected) tree and, if so, it identifies a root c.q. leader. The root is elected by directing all edges of the tree. The nodes, starting with the leaves, send requests for being a child, that is to direct the edge from the sender (c.q. child) to the receiver (c.q. parent). Then they wait for acknowledgments.

If all edges but one have been directed, a situation called *root contention* may occur. Two nodes are in root contention if they have both sent a request to each other. In this situation, it is not clear which of them should be the root. At this moment a part of the protocol is executed which resolves this root contention. The aim of this paper is to verify this part of IEEE 1394 formally.

Informally, the part of IEEE 1394 [IEE96] that solves root contention is described as follows. A process in root contention first flips a coin. If head comes up, then it waits a short time between 0.76 and  $0.80\mu s$  (micro seconds). If tail comes up, then it waits a long time; between 1.60 and  $1.64\mu s^{-3}$  Then the processes, regardless the values of their coins, check whether input has arrived. If so – then this can only be a request and the process has not yet sent one – the process sends an acknowledgment and declares itself root. If no input has arrived, then the process sends a request itself and waits for reply. If it receives an acknowledgment then it declares itself child. If it receives a request, – then both processes have sent requests and are in root contention again – the procedure starts all over again. The delay on the communication is 0.22 nano seconds per meter and the communication wires are at most 16 meter.

Informally, the processes in root contention behave as follows. The protocol elects the slowest process as root. This is so because the slower process receives a request before it checks its input and then becomes the root. Therefore, if one of the processes' coin flips yields head and the other yields tail, the tail process is elected as root. If the outcomes of both coin flips are the same then the the processes flip check input and send requests almost simultaneously. Then they both send and receive requests, so root contention occurs again. However, it can be the case that one of the processes is somewhat faster that the other, e.g. if one process takes a delay of  $0.76\mu s$  and the other of 0.80. The the first process receives a request when checking its input. As it has not sent a request, it becomes the root. Which of the two scenario's is actually carried out depends on physical circumstances such as temperature and processor speed.

The key idea of the protocol is that, eventually the coin flips in both processes will yield a different result with probability one: the probability that the first n

<sup>&</sup>lt;sup>3</sup>These figures have been taken from the IEEE 1394a standard [IEE98]; the IEEE 1394 standard [IEE96] provides respectively 0.26, 0.30, 0.60 and  $0.64 \mu s$ .

coin flips are the same is  $\frac{1}{2^n}$ . Therefore, the probability that eventually a root is elected equals one.

# 4.1 The probabilistic automaton specification of root contention

This section presents an automaton specification of the root contention protocol in IEEE 1394. We firstly specify the automaton in precondition-effect style and then we explain the model informally.

## Choices in the model

As a first approach to IEEE 1394, we use an untimed model, in which the passage of a time unit time is modeled by a discrete action tick. We observe that the long delay, between 1.60 and  $1.64\mu s$ , is almost twice as long as the short delay, between 0.76 and  $0.80\mu s$ . Therefore, we model the short delay as the passage of one time unit and the long delay as the passage of two time units.

As time is a global notion, which elapses with the same speed for both processes, the processes should synchronize on tick actions. This approach is similar to the treatment of time in the timed automaton model from [LV96].

The delay on the communication channels, 0.22 nano seconds per meter is relatively small when compared to the delays mentioned above. We model the communication between the processes by instantaneous actions.

## The model

As root contention only occurs in two (adjacent) nodes of the network the specification discards all other nodes and only describes the two processes  $P_1$  and  $P_2$  in root contention. The protocol specification P is defined by

 $P \stackrel{\mathrm{d}}{=} (P_1 \parallel P_2) \upharpoonright_{\mathsf{root}_1, \mathsf{root}_2}.$ 

A

Below the specification of  $P_i$  is given in precondition-effect style. Let  $P_j$  be the other process, i.e.  $i, j \in \{1, 2\}, i \neq j$ . A more intuitive explanation follows.

We define an auxiliary automaton  $P_{flip}$  for technical reasons in the correctness proof.

$$P_{flip} \stackrel{\text{d}}{=} (P_1 \parallel P_2) \restriction_{\mathsf{flip}_1, \mathsf{flip}_2, \mathsf{root}_1, \mathsf{root}_2}.$$

| variables               | range                               | initially |
|-------------------------|-------------------------------------|-----------|
| $status_i$              | init, waiting, checked, root, child | init      |
| $coin_i$                | head, tail                          |           |
| $\mathrm{clock}_i$      | $0, 1, 2, \infty$                   | 0         |
| $delay_i$               | 1, 2                                |           |
| $\operatorname{in}_i$   | empty, ack, req                     | empty     |
| $\operatorname{port}_i$ | empty, ack, req                     | empty     |
| $\operatorname{sent}_i$ | empty, ack, req                     | empty     |

The **external actions** of  $P_i$  are flip<sub>i</sub>, tick, root<sub>i</sub>, send<sub>i</sub>(*req*), send<sub>i</sub>(*ack*), send<sub>j</sub>(*req*) and send<sub>j</sub>(*ack*) and the **internal actions** poll\_once<sub>i</sub>, poll\_many<sub>i</sub>, child<sub>i</sub> and retry<sub>i</sub>. The **task partition** consists of two classes, {tick} and {flip<sub>i</sub>, poll\_once<sub>i</sub>, poll\_many<sub>i</sub>, send<sub>i</sub>(*req*), send<sub>i</sub>(*ack*), root<sub>i</sub>, child<sub>i</sub>, retry<sub>i</sub>}.

| $ \begin{array}{ccc} {\rm flip}_i & {\rm status}_i = init & {\rm status}_i := waiting \\ & {\rm coin}_i := \begin{cases} head & \frac{1}{2} \\ tail & \frac{1}{2} \\ tail & \frac{1}{2} \\ \\ tick & {\rm cock}_i := head \\ \\ {\rm then} \; delay_i := 1 \\ \\ else\; delay_i := 2 \\ {\rm fi} \\ \\ \\ {\rm tick} & {\rm status}_i = waiting \wedge \\ \\ {\rm clock}_i < delay_i \\ \\ \\ {\rm port}_i = empty \wedge \\ \\ {\rm port}_i = empty \wedge \\ \\ {\rm sent}_i = req \\ \\ \\ \\ {\rm tick} & {\rm status}_i = root \vee \\ \\ {\rm status}_i = child \\ \\ {\rm status}_i = child \\ \\ {\rm status}_i = child \\ \\ \\ {\rm clock}_i := delay_i \wedge \\ \\ {\rm in}_i := port_i \\ \\ {\rm in}_i := port_i \\ \\ {\rm in}_i := empty \wedge \\ \\ {\rm sent}_i = empty \wedge \\ \\ {\rm sent}_i = empty \wedge \\ \\ {\rm sent}_i = req \\ \\ \\ \\ \\ \\ {\rm sent}_i = req \\ \\ \\ \\ \\ {\rm send}_i(req) & {\rm status}_i = checked \wedge \\ \\ {\rm in}_i = empty \wedge \\ \\ {\rm sent}_i = req \\ \\ \\ \\ \\ \\ \\ \\ \\ {\rm sent}_i = empty \wedge \\ \\ \\ {\rm sent}_i = req \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | action                 | precondition                                 | effect                                                                            |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------------------------------------------|-----------------------------------------------------------------------------------|
| $\begin{aligned} & \mbox{if } \cosh_i = head \\ & \mbox{then } \operatorname{delay}_i := 1 \\ & \mbox{else} \operatorname{delay}_i := 2 \\ & \mbox{fi} \end{aligned} \\ \hline \mbox{tick} & \mbox{status}_i = waiting \wedge \\ & \mbox{clock}_i <= \operatorname{clock}_i + 1 \\ & \mbox{in}_i = empty \wedge \\ & \mbox{sent}_i = req \end{aligned} \\ \hline \mbox{tick} & \mbox{status}_i = child \\ & \mbox{status}_i := checked \wedge \\ & \mbox{status}_i := checked \wedge \\ & \mbox{status}_i := checked \wedge \\ & \mbox{in}_i := port_i \\ & \mbox{in}_i := port_i \\ & \mbox{in}_i := empty \\ \hline \mbox{poll\_many}_i & \mbox{status}_i = checked \wedge \\ & \mbox{in}_i := empty \\ \hline \mbox{poll\_many}_i & \mbox{status}_i = checked \wedge \\ & \mbox{in}_i := empty \\ \hline \mbox{sent}_i = req \\ \hline \mbox{sent}_i = req \\ \hline \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \ \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = ack \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{status}_i = child \\ & \mbox{in}_i = req \\ \hline \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = mpt \\ & \mbox{sent}_i = mpt \\ & \mbox{sent}_i = mpt \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ & \mbox{sent}_i = empty \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = mpty \\ & \mbox{sent}$                                                                                                                                                                                                                                                                                                                          | flip <sub>i</sub>      | $status_i = init$                            | $status_i := waiting$                                                             |
| $\begin{aligned} & \mbox{if } \cosh_i = head \\ & \mbox{then } \operatorname{delay}_i := 1 \\ & \mbox{else} \operatorname{delay}_i := 2 \\ & \mbox{fi} \end{aligned} \\ \hline \mbox{tick} & \mbox{status}_i = waiting \wedge \\ & \mbox{clock}_i <= \operatorname{clock}_i + 1 \\ & \mbox{in}_i = empty \wedge \\ & \mbox{sent}_i = req \end{aligned} \\ \hline \mbox{tick} & \mbox{status}_i = child \\ & \mbox{status}_i := checked \wedge \\ & \mbox{status}_i := checked \wedge \\ & \mbox{status}_i := checked \wedge \\ & \mbox{in}_i := port_i \\ & \mbox{in}_i := port_i \\ & \mbox{in}_i := empty \\ \hline \mbox{poll\_many}_i & \mbox{status}_i = checked \wedge \\ & \mbox{in}_i := empty \\ \hline \mbox{poll\_many}_i & \mbox{status}_i = checked \wedge \\ & \mbox{in}_i := empty \\ \hline \mbox{sent}_i = req \\ \hline \mbox{sent}_i = req \\ \hline \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \ \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = ack \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{status}_i = child \\ & \mbox{in}_i = req \\ \hline \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = mpt \\ & \mbox{sent}_i = mpt \\ & \mbox{sent}_i = mpt \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ & \mbox{sent}_i = empty \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = mpty \\ & \mbox{sent}$                                                                                                                                                                                                                                                                                                                          |                        |                                              | $\int head \frac{1}{2}$                                                           |
| $\begin{aligned} & \mbox{if } \cosh_i = head \\ & \mbox{then } \operatorname{delay}_i := 1 \\ & \mbox{else} \operatorname{delay}_i := 2 \\ & \mbox{fi} \end{aligned} \\ \hline \mbox{tick} & \mbox{status}_i = waiting \wedge \\ & \mbox{clock}_i <= \operatorname{clock}_i + 1 \\ & \mbox{in}_i = empty \wedge \\ & \mbox{sent}_i = req \end{aligned} \\ \hline \mbox{tick} & \mbox{status}_i = child \\ & \mbox{status}_i := checked \wedge \\ & \mbox{status}_i := checked \wedge \\ & \mbox{status}_i := checked \wedge \\ & \mbox{in}_i := port_i \\ & \mbox{in}_i := port_i \\ & \mbox{in}_i := empty \\ \hline \mbox{poll\_many}_i & \mbox{status}_i = checked \wedge \\ & \mbox{in}_i := empty \\ \hline \mbox{poll\_many}_i & \mbox{status}_i = checked \wedge \\ & \mbox{in}_i := empty \\ \hline \mbox{sent}_i = req \\ \hline \mbox{sent}_i = req \\ \hline \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = empty \\ \hline \ \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{sent}_i = ack \\ \hline \mbox{ret}_i & \mbox{status}_i = checked \wedge \\ & \mbox{status}_i = child \\ & \mbox{in}_i = req \\ \hline \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = mpt \\ & \mbox{sent}_i = mpt \\ & \mbox{sent}_i = mpt \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = req \\ & \mbox{sent}_i = empty \\ & \mbox{sent}_i = empty \\ & \mbox{sent}_i = empty \\ \hline \mbox{sent}_i = mpty \\ & \mbox{sent}$                                                                                                                                                                                                                                                                                                                          |                        |                                              | $\operatorname{coin}_i := \left\{ \begin{array}{c} 2\\ tail \end{array} \right\}$ |
| $\begin{array}{c c c c c c c c c c c c c c c c c c c $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                        |                                              |                                                                                   |
| $\begin{tabular}{lllllllllllllllllllllllllllllllllll$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                        |                                              |                                                                                   |
| $\begin{array}{c c c c c c c c c c c c c c c c c c c $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                        |                                              | · •                                                                               |
| tickstatus_i = waiting \land<br>clock_i < delay_iclock_i := clock_i + 1<br>clock_i < delay_itickstatus_i = checked \land<br>in_i = empty \land<br>port_i = empty \land<br>sent_i = reqclock_i := clock_i + 1<br>else clock_i := clo                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                        |                                              |                                                                                   |
| $\begin{array}{c c c c c c c c c } \hline {\rm clock}_i < {\rm delay}_i \\ \hline {\rm tick} & {\rm status}_i = checked \wedge & {\rm clock}_i := {\rm clock}_i + 1 \\ & {\rm in}_i = empty \wedge & \\ & {\rm port}_i = empty \wedge & \\ & {\rm sent}_i = req \\ \hline {\rm tick} & {\rm status}_i = root \vee & {\rm if \ clock}_i < 2 \\ & {\rm then \ clock}_i := {\rm clock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i + 1 \\ & {\rm else \ clock}_i := {\rm cock}_i \\ & {\rm in}_i := {\rm empty} \wedge \\ & {\rm sent}_i = {\rm empty} \\ & {\rm sent}_i = {\rm checked} \wedge \\ & {\rm status}_i = {\rm checked} \wedge \\ & {\rm status}_i = {\rm checked} \wedge \\ & {\rm status}_i := {\rm coid} \\ & {\rm in}_i = {\rm ack} \\ \hline & {\rm clock}_i := 0 \\ & {\rm sent}_i = {\rm checked} \wedge \\ & {\rm status}_i = {\rm checked} \wedge \\ & {\rm status}_i := {\rm child} \\ & {\rm in}_i = {\rm req} \\ & {\rm sent}_i := {\rm empty} \\ & {\rm sen$                                                                                                                                                                                                                                                                                                                     | tick                   | $status = waiting \Lambda$                   |                                                                                   |
| $\begin{tabular}{ c c c c c } \hline tick & status_i = checked \land & clock_i := clock_i + 1 \\ & in_i = empty \land & \\ & port_i = empty \land & \\ & sent_i = req & & & \\ \hline tick & status_i = root \lor & if clock_i < 2 & \\ & status_i = child & & then clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := clock_i + 1 & \\ & else clock_i := 0 & \\ & sent_i = empty & \\ & sent_i = empty & \\ & sent_i := empty & \\ & sent_i := empty & \\ & sent_i = checked \land & \\ & status_i := checked \land & \\ & s$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | LICK                   | - 0                                          | $\operatorname{clock}_i := \operatorname{clock}_i + 1$                            |
| $\begin{array}{c ccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | tick                   |                                              |                                                                                   |
| $\begin{array}{c c c c c c c c c } \operatorname{port}_i &= empty \wedge &&\\ &\operatorname{sent}_i &= req &&\\ \hline \operatorname{tick} & \operatorname{status}_i &= root \vee && \operatorname{if} \operatorname{clock}_i < 2 &&\\ &\operatorname{status}_i &= child && \operatorname{then} \operatorname{clock}_i := \operatorname{clock}_i + 1 &&\\ &\operatorname{else} \operatorname{clock}_i &:= \operatorname{chocked} &&\\ &\operatorname{clock}_i &= \operatorname{delay}_i \wedge && \operatorname{status}_i := \operatorname{checked} &&\\ &\operatorname{clock}_i &= \operatorname{delay}_i \wedge && \operatorname{port}_i &:= \operatorname{empty} &&\\ &\operatorname{sent}_i &= empty \wedge && \operatorname{port}_i &:= empty &&\\ &\operatorname{sent}_i &= empty \wedge && \operatorname{port}_i &:= empty &&\\ &\operatorname{sent}_i &= empty \wedge && \operatorname{port}_i &:= empty &&\\ &\operatorname{sent}_i &= empty \wedge && \operatorname{port}_i &:= empty &&\\ &\operatorname{sent}_i &= empty \wedge && \operatorname{sent}_i &:= req &&\\ &\operatorname{in}_i &= empty \wedge && \operatorname{sent}_i &:= req &&\\ &\operatorname{in}_i &= empty \wedge && \operatorname{sent}_i &:= req &&\\ &\operatorname{in}_i &= empty \wedge && \operatorname{sent}_i &:= ack &&\\ &\operatorname{in}_i &= req \wedge && \operatorname{sent}_i &:= ack &&\\ &\operatorname{in}_i &= req \wedge && \operatorname{sent}_i &:= chocked \wedge && \operatorname{status}_i &:= root &&\\ &\operatorname{sent}_i &= empty &&\\ &\operatorname{sent}_i &= checked \wedge && \operatorname{status}_i &:= root &&\\ &\operatorname{sent}_i &= checked \wedge && \operatorname{status}_i &:= child &&\\ &\operatorname{in}_i &= ack &&\\ &\operatorname{retry}_i && \operatorname{status}_i &= checked \wedge && \operatorname{status}_i &:= child &&\\ &\operatorname{in}_i &= req \wedge && & \operatorname{clock}_i &:= 0 &&\\ &\operatorname{sent}_i &= req && &\operatorname{in}_i &:= empty &&\\ &\operatorname{sent}_i &= empty && & & \operatorname{sent}_i &:= empty &&\\ &\operatorname{sent}_i &= req && &\operatorname{in}_i &:= empty &&\\ &\operatorname{sent}_i &= rep && &\operatorname{in}_i &:= empty &&\\ &\operatorname{sent}_i &= empty && & & \operatorname{sent}_i &:= empty &&\\ &\operatorname{sent}_i &= empty && & & & \operatorname{sent}_i &:= empty &&\\ &\operatorname{sent}_i &= empty && & & & & & & & & & & & & & & & & & $                                                                                                                                                      | LICK                   | -                                            | $\operatorname{clock}_i := \operatorname{clock}_i + 1$                            |
| $\begin{array}{c c c c c c c c c c c c c c c c c c c $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                        |                                              |                                                                                   |
| $\begin{tabular}{ c c c c } \hline tick & status_i = root \lor & if clock_i < 2 \\ status_i = child & then clock_i := clock_i + 1 \\ else clock_i := clock_i := clock_i = clock_i \\ esc else clock_i := clock_i := clock_i + 1 \\ else clock_i := clock_i := clock_i = clock_i := clock_i = clock_i = clock_i := clock_i = clock_i := clock_$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                        |                                              |                                                                                   |
| $\begin{array}{c cccc} {\rm status}_i = child & {\rm then} \ {\rm clock}_i := {\rm clock}_i + 1 \\ {\rm else} \ {\rm clock}_i := \infty \\ {\rm fi} & \\ \hline {\rm poll\_once}_i & {\rm status}_i = waiting \wedge & {\rm status}_i := checked \\ {\rm clock}_i = {\rm delay}_i \wedge & {\rm in}_i := {\rm port}_i \\ {\rm in}_i = empty \wedge & {\rm port}_i := empty \\ & {\rm sent}_i = empty \wedge & {\rm port}_i := {\rm empty} \\ & {\rm poll\_many}_i & {\rm status}_i = checked \wedge & {\rm in}_i := {\rm port}_i \\ {\rm in}_i = empty \wedge & {\rm port}_i := empty \\ & {\rm port}_i \neq empty \wedge & {\rm sent}_i := req \\ & {\rm send}_i(req) & {\rm status}_i = checked \wedge & {\rm sent}_i := req \\ & {\rm in}_i = empty \wedge & {\rm sent}_i := empty \\ & {\rm sent}_i = empty \\ & {\rm root}_i & {\rm status}_i = checked \wedge & {\rm status}_i := root \\ & {\rm sent}_i = ack \\ & {\rm child}_i & {\rm status}_i = checked \wedge & {\rm status}_i := child \\ & {\rm in}_i = ack \\ & {\rm retry}_i   & {\rm status}_i = checked \wedge & {\rm status}_i := init \\ & {\rm in}_i = req \wedge & {\rm status}_i := init \\ & {\rm in}_i = req \wedge & {\rm clock}_i := 0 \\ & {\rm sent}_i = req & {\rm in}_i := empty \\ & {\rm sent}_i := e$                                                                                                                                                                                                                                                                                                                                                              | tick                   |                                              | if alogh < 9                                                                      |
| $\begin{array}{c c c c c c c c c c c c c c c c c c c $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | LICK                   |                                              |                                                                                   |
| $\begin{array}{c c c c c c c c c c c c c c c c c c c $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                        | $status_i = chua$                            |                                                                                   |
| $\begin{array}{c cccc} poll\_once_i & \mathrm{status}_i = waiting \wedge & \mathrm{status}_i := checked \\ & \mathrm{clock}_i = \mathrm{delay}_i \wedge & \mathrm{in}_i := \mathrm{port}_i \\ & \mathrm{in}_i = empty \wedge & \mathrm{port}_i := empty \\ & \mathrm{sent}_i = empty \wedge & \mathrm{port}_i := empty \\ & \mathrm{poll\_many}_i & \mathrm{status}_i = checked \wedge & \mathrm{in}_i := \mathrm{port}_i \\ & \mathrm{in}_i = empty \wedge & \mathrm{port}_i := empty \\ & \mathrm{port}_i \neq empty \wedge & \mathrm{sent}_i := req \\ & \mathrm{in}_i = empty \wedge & \mathrm{sent}_i := req \\ & \mathrm{in}_i = empty \wedge & \mathrm{sent}_i := req \\ & \mathrm{in}_i = empty \wedge & \mathrm{sent}_i := empty \\ & \mathrm{sent}_i = empty & \mathrm{sent}_i = empty \\ & \mathrm{sent}_i = empty & \mathrm{sent}_i := req \\ & \mathrm{in}_i = req \wedge & \mathrm{status}_i := checked \wedge & \mathrm{status}_i := root \\ & \mathrm{sent}_i = empty \\ & \mathrm{root}_i & \mathrm{status}_i = checked \wedge & \mathrm{status}_i := root \\ & \mathrm{sent}_i = ack & & \\ & \mathrm{child}_i & \mathrm{status}_i = checked \wedge & \mathrm{status}_i := child \\ & \mathrm{in}_i = ack & & \\ & \mathrm{retry}_i & \mathrm{status}_i = checked \wedge & \mathrm{status}_i := init \\ & \mathrm{in}_i = req \wedge & & \mathrm{clock}_i := 0 \\ & \mathrm{sent}_i = req & & \\ & \mathrm{in}_i := empty & \\ & \mathrm{sent}_i = req & & \\ & \mathrm{in}_i := empty & \\ & \mathrm{sent}_i := empty & \\ & \mathrm$ |                        |                                              | ,                                                                                 |
| $\begin{array}{c ccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                        |                                              |                                                                                   |
| $\begin{array}{c c} \operatorname{in}_i = empty \wedge & \operatorname{port}_i := empty \\ \operatorname{sent}_i = empty & \\ \end{array} \\ \begin{array}{c c} \operatorname{poll\_many}_i & \operatorname{status}_i = checked \wedge & \\ \operatorname{in}_i := \operatorname{port}_i & \\ \operatorname{in}_i = empty \wedge & \\ \operatorname{sent}_i = req & \\ \end{array} \\ \end{array} \\ \begin{array}{c c} \operatorname{send}_i(req) & \operatorname{status}_i = checked \wedge & \\ \operatorname{sent}_i = empty & \\ \end{array} \\ \end{array} \\ \begin{array}{c c} \operatorname{send}_i(ack) & \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = checked \wedge & \\ \operatorname{sent}_i = req \wedge & \\ \operatorname{sent}_i = empty & \\ \end{array} \\ \end{array} \\ \begin{array}{c c} \operatorname{retry}_i & \operatorname{status}_i = checked \wedge & \\ \end{array} \\ \begin{array}{c c} \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = checked \wedge & \\ \end{array} \\ \end{array} \\ \begin{array}{c c} \operatorname{retry}_i & \\ \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = checked \wedge & \\ \end{array} \\ \begin{array}{c c} \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = child & \\ \operatorname{in}_i = ack & & \\ \end{array} \\ \end{array} \\ \begin{array}{c c} \operatorname{retry}_i & \\ \operatorname{status}_i = checked \wedge & \\ \operatorname{status}_i = child & \\ \operatorname{in}_i = req \wedge & \\ \operatorname{status}_i = empty & \\ \end{array} \\ \end{array} \\ \begin{array}{c c} \operatorname{sent}_i = req & \\ \operatorname{sent}_i = empty & \\ \end{array} \end{array} \\ \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | poil_once <sub>i</sub> | ~                                            |                                                                                   |
| $\begin{array}{c ccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                        |                                              |                                                                                   |
| $\begin{array}{c ccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                        |                                              | $port_i := empty$                                                                 |
| $\begin{array}{c ccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                        | = =                                          | •                                                                                 |
| $\begin{array}{c c} \operatorname{port}_i \neq empty \wedge & \\ \operatorname{sent}_i = req & \\ \hline \\ \operatorname{send}_i(req) & \operatorname{status}_i = checked \wedge & \\ \operatorname{sent}_i = empty \wedge & \\ \\ \operatorname{sent}_i = empty & \\ \hline \\ \operatorname{send}_i(ack) & \operatorname{status}_i = checked \wedge & \\ \\ \operatorname{sent}_i = req \wedge & \\ \\ \\ \operatorname{sent}_i = empty & \\ \hline \\ \operatorname{root}_i & \operatorname{status}_i = checked \wedge & \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \\ \operatorname{status}_i = checked \wedge & \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | poll_many <sub>i</sub> |                                              | _ •                                                                               |
| $\begin{array}{c cccc} & \operatorname{sent}_i = req \\ \hline \operatorname{send}_i(req) & \operatorname{status}_i = checked \wedge & \operatorname{sent}_i := req \\ & \operatorname{in}_i = empty \wedge \\ & \operatorname{sent}_i = empty \\ \hline \\ \operatorname{send}_i(ack) & \operatorname{status}_i = checked \wedge & \operatorname{sent}_i := ack \\ & \operatorname{in}_i = req \wedge \\ & \operatorname{sent}_i = empty \\ \hline \\ \operatorname{root}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := root \\ & \operatorname{sent}_i = ack \\ \hline \\ \operatorname{child}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := child \\ & \operatorname{in}_i = ack \\ \hline \\ \operatorname{retry}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := init \\ & \operatorname{in}_i = req \wedge & \operatorname{clock}_i := 0 \\ & \operatorname{sent}_i = req & \operatorname{in}_i := empty \\ & \operatorname{sent}_i := empty \\ \hline \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                        |                                              | $port_i := empty$                                                                 |
| $\begin{array}{c ccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                        |                                              |                                                                                   |
| $\begin{array}{c c} & \operatorname{in}_i = empty \wedge \\ & \operatorname{sent}_i = empty \\ \hline \operatorname{send}_i(ack) & \operatorname{status}_i = checked \wedge \\ & \operatorname{in}_i = req \wedge \\ & \operatorname{sent}_i = empty \\ \hline \operatorname{root}_i & \operatorname{status}_i = checked \wedge \\ & \operatorname{status}_i = init \\ & \operatorname{in}_i = req \wedge \\ & \operatorname{sent}_i = empty \\ & \operatorname{sent}_i := empty \\ \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                        |                                              |                                                                                   |
| $\begin{array}{c c} \operatorname{sent}_i = empty \\ \hline \operatorname{sent}_i = empty \\ \hline \operatorname{sent}_i = req \wedge \\ & \operatorname{sent}_i = req \wedge \\ & \operatorname{sent}_i = empty \\ \hline \operatorname{root}_i & \operatorname{status}_i = checked \wedge \\ & \operatorname{status}_i = init \\ & \operatorname{in}_i = req \wedge \\ & \operatorname{sent}_i = req \\ & \operatorname{in}_i := empty \\ & \operatorname{sent}_i := empty \\ \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | $send_i(req)$          |                                              | $\operatorname{sent}_i := req$                                                    |
| $\begin{array}{c cccc} {\rm send}_i(ack) & {\rm status}_i=checked \wedge & {\rm sent}_i:=ack \\ & {\rm in}_i=req \wedge & \\ & {\rm sent}_i=empty \\ \hline {\rm root}_i & {\rm status}_i=checked \wedge & {\rm status}_i:=root \\ & {\rm sent}_i=ack \\ \hline {\rm child}_i & {\rm status}_i=checked \wedge & {\rm status}_i:=child \\ & {\rm in}_i=ack \\ \hline {\rm retry}_i   & {\rm status}_i=checked \wedge & {\rm status}_i:=init \\ & {\rm in}_i=req \wedge & {\rm clock}_i:=0 \\ & {\rm sent}_i=req & {\rm in}_i:=empty \\ & {\rm sent}_i:=empty \\ & {\rm sent}_i:=empty \\ \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                        |                                              |                                                                                   |
| $\begin{array}{c c} & \operatorname{in}_i = \operatorname{req} \wedge & \\ & \operatorname{sent}_i = \operatorname{empty} & \\ \hline \operatorname{root}_i & \operatorname{status}_i = \operatorname{checked} \wedge & \operatorname{status}_i := \operatorname{root} & \\ & \operatorname{sent}_i = \operatorname{ack} & \\ \hline \operatorname{child}_i & \operatorname{status}_i = \operatorname{checked} \wedge & \operatorname{status}_i := \operatorname{child} & \\ & \operatorname{in}_i = \operatorname{ack} & \\ \hline \operatorname{retry}_i & \operatorname{status}_i = \operatorname{checked} \wedge & \operatorname{status}_i := \operatorname{init} & \\ & \operatorname{in}_i = \operatorname{req} \wedge & & \operatorname{clock}_i := 0 & \\ & \operatorname{sent}_i = \operatorname{req} & & \operatorname{in}_i := \operatorname{empty} & \\ & \operatorname{sent}_i := \operatorname{empty} & \\ & \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                        |                                              |                                                                                   |
| $\begin{array}{c c} & \operatorname{sent}_i = empty \\ \hline \operatorname{root}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := root \\ & \operatorname{sent}_i = ack \\ \hline \operatorname{child}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := child \\ & \operatorname{in}_i = ack \\ \hline \operatorname{retry}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := init \\ & \operatorname{in}_i = req \wedge & \operatorname{clock}_i := 0 \\ & \operatorname{sent}_i = req & \operatorname{in}_i := empty \\ & \operatorname{sent}_i := empty \\ & \operatorname{sent}_i := empty \\ \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | $send_i(ack)$          |                                              | $\operatorname{sent}_i := \operatorname{ack}$                                     |
| $\begin{array}{c cccc} \operatorname{root}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := root \\ & \operatorname{sent}_i = ack & & \\ \hline \operatorname{child}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := child \\ & \operatorname{in}_i = ack & & \\ \hline \operatorname{retry}_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := init \\ & \operatorname{in}_i = req \wedge & \operatorname{clock}_i := 0 \\ & \operatorname{sent}_i = req & & \operatorname{in}_i := empty \\ & & \operatorname{sent}_i := empty \\ & & & \\ \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                        |                                              |                                                                                   |
| $\begin{array}{c c} & \operatorname{sent}_i = ack \\ \hline child_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := child \\ & \operatorname{in}_i = ack \\ \hline retry_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := init \\ & \operatorname{in}_i = req \wedge & \operatorname{clock}_i := 0 \\ & \operatorname{sent}_i = req & \operatorname{in}_i := empty \\ & & \operatorname{sent}_i := empty \\ & & \operatorname{sent}_i := empty \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                        |                                              |                                                                                   |
| $\begin{array}{c c c c c c c c c c c c c c c c c c c $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | $root_i$               | · · · · · · · · · · · · · · · · · · ·        | $status_i := root$                                                                |
| $\begin{array}{c c} & \operatorname{in}_i = ack \\ \hline retry_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := init \\ & \operatorname{in}_i = req \wedge & \operatorname{clock}_i := 0 \\ & \operatorname{sent}_i = req & \operatorname{in}_i := empty \\ & \operatorname{sent}_i := empty \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                        | -                                            |                                                                                   |
| $\begin{array}{ccc} retry_i & \operatorname{status}_i = checked \wedge & \operatorname{status}_i := init \\ & \operatorname{in}_i = req \wedge & \operatorname{clock}_i := 0 \\ & \operatorname{sent}_i = req & \operatorname{in}_i := empty \\ & \operatorname{sent}_i := empty \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | child <sub>i</sub>     | -                                            | $status_i := child$                                                               |
| $egin{array}{lll} { m in}_i = req \wedge & { m clock}_i := 0 \ { m sent}_i = req & { m in}_i := empty \ { m sent}_i := empty \end{array}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                        |                                              |                                                                                   |
| $\operatorname{sent}_i = req$ $\operatorname{in}_i := empty$<br>$\operatorname{sent}_i := empty$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | retry <sub>i</sub>     |                                              |                                                                                   |
| $\operatorname{sent}_i := empty$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                        | -                                            |                                                                                   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                        | $\operatorname{sent}_i = \operatorname{req}$ |                                                                                   |
| $\operatorname{send}_j(m)$ true $\operatorname{port}_i := m$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                        |                                              |                                                                                   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | $send_j(m)$            | true                                         | $\operatorname{port}_i := m$                                                      |

The intuition behind the variables of process  $P_i$  is the following. The variable status<sub>i</sub> reflects the phase in the protocol. It subsequently gets the values *init*, *waiting*, *checked*, *init*, *waiting*, ..., until the process is elected as the root or the child. This leads to status<sub>i</sub> = *root* or status<sub>i</sub> = *child* respectively. The value *waiting* indicates the first phase of the protocol, in which the process waits and checks input; the value *checked* indicates the second phase of the protocol, in which the process reacts on the input. The variable coin<sub>i</sub> contains the outcome of the last coin flip. The variable clock<sub>i</sub> records the number of time units passed since the last initiation of the protocol (i.e. since the last time that status<sub>i</sub> was *init*). The variable delay<sub>i</sub>

determines the number of time units, 1 or 2, the process waits after its coin flip, before checking input. Input messages from  $P_j$  arrive at  $P_i$ 's variable port<sub>i</sub>. We may think of the variable in<sub>i</sub> as a internal memory cell in which input is stored. The variable sent<sub>i</sub> contains the last message sent since the last initiation of the protocol.

The process  $P_i$  in root contention starts with coin flipping, taking flip<sub>i</sub>. This action probabilistically chooses the value of coin<sub>i</sub>, determines the delay corresponding to the outcome of this coin flip and moves to the next phase (status<sub>i</sub> := waiting.) If coin<sub>i</sub> = head, then the process waits a short time unit. Indeed, if coin<sub>i</sub> = head, then delay<sub>i</sub> = 1, so the process takes only one action tick. If coin<sub>i</sub> = tail, then delay<sub>i</sub> = 2, so the process waits two time units, i.e. it takes two actions tick.

Now the process has waited the required amount of time, which means that  $clock_i = delay_i$ , the process checks whether input has arrived: by taking the action poll\_once<sub>i</sub>, it copies the value of the port to the variable in<sub>i</sub>. Furthermore, the process moves to the phase *checked*.

Now two situations may occur: either the process has received a request, or it has received no message at all. (An acknowledgment can only arrive if the process has send a request, which is not the case.) So either  $in_i = req$ , or  $in_i = empty$ .

Case 1: in<sub>i</sub> = empty. As the process has not sent a request itself, it sends an acknowledgment, by taking send<sub>i</sub>(ack). Then it declares itself root, by performing root<sub>i</sub>.

Case 2:  $in_i = req$ . As the process has not sent a request yet, it sends one now, taking send<sub>i</sub>(req). Now the process waits for reply. The process polls input until a message arrive. The polling on input and the arrival of a message are combined in the action poll\_many. However, while waiting for input it may synchronize on an action tick if no input has come. This only happens if the process' coin is head an the other coin is tail.

If the input arrived is a request, then the process has both sent and received a request. This means that it is in root contention again. The process reruns the protocol and takes the action  $\operatorname{retry}_i$ . This action resets the variables. If the input arrived is an acknowledgment, then  $P_i$  declares itself child performing child<sub>i</sub>. When root or child the process only performs tick actions. In order to keep the model finite, the variable clock moves to the value  $\infty$  if more than 2 time units have passed.

# 5 Stepwise abstraction of P

This section defines the automata I, A and S. Sections 6 and 7 prove that these automata are stepwise abstractions of P: We prove  $P \sqsubseteq_{\text{TD}} I \sqsubseteq_{\text{TD}} A \sqsubseteq_{\text{TD}} S$  and  $P \sqsubseteq_{\text{FTD}} I \sqsubseteq_{\text{FTD}} A \sqsubseteq_{\text{FTD}} S$ .

The specification automaton S – the S stands specification – is the most abstract specification. It expresses leader election for two processes.

The abstract automaton A is derived from S by including a minimal amount of probabilistic information: it contains one flip action that combines the two flip actions from P. The automaton I has been derived from A by separating the flip action from A into two flip actions: one for each process.

## 5.1 The intermediate specification

We define an intermediate specification I and an auxiliary automaton  $I_{flip}$ . The state names in I (and  $I_{flip}$ ) stand for the following. The state *init* is the initial state and *root<sub>i</sub>* means that process *i* has been elected as the root. The state (i, outcome) reflects that process *i* has flipped its coin but that the other process has not yet flipped it. The field *outcome* records the result *head* or *tail*. The state (both, outcome) means that both processes have flipped their coins. The second field

outcome records again the result which can be same,  $(both, tail_1)$  or  $(both, tail_2)$ . The value same means that the results are the same and The value  $(both, tail_i)$  that the results are different and that  $P_i$ 's coin is tail.

A diagram of the automaton I and a formal definition are given below. All transitions lead to a uniform distribution over the next states, that is, the transitions labeled by an action  $\mathsf{flip}_i$  choose between the next states with probability  $\frac{1}{2}$ . The other transitions choose with probability one.



**Definition 5.1** Define the probabilistic automaton  $I_{flip}$  by:

$$\begin{split} states_{I_{flip}} \stackrel{\mathrm{d}}{=} \{ init, (1, head), (1, tail), (2, head), (2, tail), \\ (both, same), (both, tail_1), (both, tail_2), root_1, root_2 \}; \end{split}$$
 $start_{I_{flip}} \stackrel{d}{=} \{init\};$  $act_{I_{flip}} \stackrel{d}{=} { {flip}_1, {flip}_2, {retry}, {root}_1, {root}_2 };$  $int_{I_{Here}} \stackrel{\mathrm{d}}{=} \{ \mathsf{retry} \};$  $ext_{I_{flip}} \stackrel{d}{=} \{\mathsf{flip}_1, \mathsf{flip}_2, \mathsf{root}_1, \mathsf{root}_2\};\$  $trans_{I_{flip}} \stackrel{d}{=} \left\{ \left( init, \mathsf{flip}_1, \left\{ (1, head) \mapsto \frac{1}{2}, (1, tail) \mapsto \frac{1}{2} \right\} \right),\right\}$  $(init, flip_2, \{(2, head) \mapsto \frac{1}{2}, (2, tail) \mapsto \frac{1}{2}\}),$  $((1, tail), flip_2, \{(both, same) \mapsto \frac{1}{2}, (both, tail_1) \mapsto \frac{1}{2}\}),$  $((1, head), \mathsf{flip}_2, \{(both, same) \mapsto \frac{1}{2}, (both, tail_2) \mapsto \frac{1}{2}\}),$  $((2, tail), flip_1, \{(both, same) \mapsto \frac{1}{2}, (both, tail_2) \mapsto \frac{1}{2}\}),$  $((2, head), flip_1, \{(both, same) \mapsto \frac{1}{2}, (both, tail_1) \mapsto \frac{1}{2}\}),$  $((both, tail_1), root_1, \{root_1 \mapsto 1\}),$  $((both, tail_2), root_2, \{root_2 \mapsto 1\}),$  $((both, same), root_1, \{root_1 \mapsto 1\}),$  $((both, same), root_2, \{root_2 \mapsto 1\}),$  $((both, same), retry, \{init \mapsto 1\})\};$  $tasks_{I_{flip}} \stackrel{d}{=} \{ \{ flip_1, flip_2, root_1, root_2, retry \} \}.$ 

-*mp* (( 11) 12) -> ->

Now define

 $I \stackrel{\mathrm{d}}{=} I_{flip} \upharpoonright_{\mathsf{root}_1,\mathsf{root}_2}.$ 

# 5.2 The abstract specification

The informal meaning of the state names in automaton A is the following. The state *init* is the initial state and the state *root*<sub>i</sub> indicates that  $P_i$  has been elected as the root. The other states *same*,  $tail_1$ ,  $tail_2$  reflect that both processes have flipped their coins. In the state *same* both coin flips have yielded the same result. The value  $tail_i$  means that the results are different and that process *i*'s coin equals tail.

The following diagram gives a graphical representation of A.



**Definition 5.2** Define the probabilistic automaton A by:

$$states_{A} \stackrel{d}{=} \{init, same, tail_{1}, tail_{2}, root_{1}, root_{2}\};$$

$$start_{A} \stackrel{d}{=} \{init\};$$

$$act_{A} \stackrel{d}{=} \{flip, retry, root_{1}, root_{2}\};$$

$$in_{A} \stackrel{d}{=} \{flip, retry\};$$

$$ext_{A} \stackrel{d}{=} \{root_{1}, root_{2}\};$$

$$trans_{A} \stackrel{d}{=} \{(init, flip, \{tail_{1} \mapsto \frac{1}{4}, tail_{2} \mapsto \frac{1}{4}, same \mapsto \frac{1}{2}\}),$$

$$(tail_{1}, root_{1}, \{root_{1} \mapsto 1\}),$$

$$(tail_{2}, root_{2}, \{root_{2} \mapsto 1\}),$$

$$(same, root_{1}, \{root_{1} \mapsto 1\}),$$

$$(same, root_{2}, \{root_{2} \mapsto 1\}),$$

$$(same, retry, \{init \mapsto 1\})\};$$

$$tasks_{A} = \{\{flip, root_{1}, root_{2}, retry\}\}.$$

# 5.3 The specification

The specification of a leader election protocol simply requires that one of the processes is elected as the leader, here named root. A graphical representation of S is given by:



**Definition 5.3** Define the probabilistic automaton S by:

 $states_{S} \stackrel{d}{=} \{init, root_{1}, root_{2}\};$   $start_{S} \stackrel{d}{=} \{init\};$   $act_{S} \stackrel{d}{=} \{root_{1}, root_{2}\};$   $int_{S} \stackrel{d}{=} \emptyset;$   $ext_{S} \stackrel{d}{=} \{root_{1}, root_{2}\};$   $trans_{S} \stackrel{d}{=} \{(init, root_{1}, \{root_{1} \mapsto 1\}),$   $(init, root_{2}, \{root_{2} \mapsto 1\})\};$   $tasks_{S} \stackrel{d}{=} \{\{root_{1}, root_{2}\}\}.$ 

# 6 Trace distribution inclusion

This section proves the correctness P with respect to S as far as safety properties concern. We therefore establish the following relations.

- 1a.  $P_{flip}^{-} \sqsubseteq_{SR} I_{flip}^{-}$ , meaning that there is a (non-probabilistic) step refinement from  $P_{flip}^{-}$  to  $I_{flip}^{-}$ ;
- 1b.  $P_{flip} \sqsubseteq_{PSR} I_{flip}$ .

Then Fact 3.15 implies  $P \sqsubseteq_{\text{PSR}} I$ ;

- 2.  $I \sqsubseteq_{\text{PHSR}} A;$
- 3.  $A \sqsubseteq_{\text{PSR}} S$ .

Then  $P \sqsubseteq_{\text{TD}} S$  follows from soundness of  $\sqsubseteq_{\text{PSR}}$  and  $\sqsubseteq_{\text{PHSR}}$ , stated in Theorem 3.21, and from transitivity of  $\sqsubseteq_{\text{TD}}$ .

# 6.1 The probabilistic step refinement between $P_{flip}$ and $I_{flip}$

This section proves that  $P \sqsubseteq_{\text{TD}} I$  by establishing a probabilistic step refinement r between  $P_{flip}$  and  $I_{flip}$ . We firstly present the invariants and we point out how we checked them with the model checker SMV, then we define the refinement mapping r.

## Invariants

**Definition 6.1** Define the following abbreviations for  $i, j \in \{1, 2\}, i \neq j$ .

$$\begin{aligned} & contention_i \stackrel{\mathrm{d}}{=} (\mathrm{status}_i = checked \land \mathrm{sent}_i = req \land (\mathrm{in}_i = req \lor \mathrm{port}_i = req)) \\ & \lor \mathrm{status}_i = init; \\ & waiting_i \stackrel{\mathrm{d}}{=} \mathrm{status}_i = waiting; \\ & midphase_i \stackrel{\mathrm{d}}{=} \mathrm{status}_i \in \{checked, child\} \land \neg contention_i; \\ & \rho(c_1, c_2) \stackrel{\mathrm{d}}{=} \begin{cases} same & \mathrm{if} \ c_1 = c_2, \\ tail_1 & \mathrm{if} \ c_1 \neq c_2 \land c_1 = tail, \\ tail_2 & \mathrm{otherwise.} \end{cases} \end{aligned}$$

The following lemma formulates the invariants used in the refinement proof.

**Lemma 6.2** For all  $s \in reach_{P_{flin}}, i, j \in \{1, 2\}, i \neq j$ 

$$\begin{split} s &\models \operatorname{status}_i = \operatorname{init} \implies (\operatorname{waiting}_j \lor \operatorname{contention}_j); \\ s &\models \operatorname{sent}_i = \operatorname{ack} \implies (\operatorname{coin}_i = \operatorname{tail} \lor \operatorname{coin}_1 = \operatorname{coin}_2); \\ s &\models \operatorname{sent}_i = \operatorname{ack} \implies \operatorname{midphase}_j; \\ s &\models \operatorname{in}_i = \operatorname{ack} \implies \operatorname{port}_i = \operatorname{empty}; \\ s &\models (\operatorname{status}_i = \operatorname{checked} \land \operatorname{in}_i = \operatorname{req} \land \operatorname{sent}_i = \operatorname{empty}) \implies \\ (\operatorname{port}_j = \operatorname{empty} \land \operatorname{in}_j = \operatorname{empty} \land \operatorname{status}_j = \operatorname{checked}); \\ s &\models (\operatorname{status}_i = \operatorname{checked} \land \operatorname{sent}_i = \operatorname{empty} \land \operatorname{in}_i = \operatorname{empty}) \implies \\ \operatorname{port}_i = \operatorname{sent}_j \land \operatorname{port}_j = \operatorname{empty} \land \operatorname{in}_j = \operatorname{empty} \land \\ (\operatorname{status}_j = \operatorname{checked} \lor \operatorname{status}_j = \operatorname{waiting}); \\ s &\models \operatorname{sent}_1 = \operatorname{req} \land \operatorname{sent}_2 = \operatorname{req} \implies \operatorname{coin}_1 = \operatorname{coin}_2; \\ s &\models \operatorname{sent}_i = \operatorname{req} \land \operatorname{port}_i = \operatorname{req} \implies \operatorname{status}_i = \operatorname{checked}. \end{split}$$

## Checking the invariants with SMV

The SMV system is a tool for checking finite state systems against specifications in CTL. The SMV language describes an unlabeled transition system. Basically, SMV allows one to declare a variable of a certain type and to specify its initial value and a next-value. The assignments of all variables are performed in parallel. For an introduction to SMV, the reader is referred to [McM92].

There are a few differences between SMV and automata in precondition-effect style, which prevents immediate encoding of automata in SMV. In order to minimize the risk of introducing errors, we have followed a structured method of encoding automata and invariants into SMV. We have takem the following three steps.

wegThe translation in SMV of the automaton  $P^-$  can be found in the appendix. We have taken the following steps.

- 1. Unlike a state in an automaton, needs a state in SMV to have a successor. We therefore add an action skip to the automaton, which leaves the variables unchanged and which is taken when no other action is enabled. Then these automata have exactly the same reachable states. The automaton  $P^-$  however enables at least one action in each reachable state. This is not obvious and can be checked in SMV, by showing that the disjunction of all preconditions holds in every reachable state. Although the action skip is superfluous, we leave it in the SMV encoding, for sake of a systematic translation.
- 2. For every variable in the automaton, we declare a variable with the same name in the SMV encoding. In order to simulate the action labels, we operate in two alternating phases. (This is crucial since an action may specify the next values of several variables at the time, whereas the next-function in SMV concerns one variable at the time. We must prevent the translation to update variable x according to action a and the variable y according to b.) Phase one nondeterministically chooses one of the enabled actions and phase two updates the variables according to the chosen action. In order to encode the set of enabled actions efficiently, we add, for each action a, this action to alist if it is enabled and if not we add a default action which is enabled. The latter is necessary to ensure that the list constructed is not empty.
- 3. The translation of the invariants is obvious. The invariants have the form  $\forall s \in reach_P \forall i, j \in \{1, 2\}, i \neq j[s \models \Phi(i, j)]$ . This leads to the SMV equivalent

 $AG(\Phi(1,2) \land \Phi(2,1))$ . Notice that  $AG\Psi$  means that  $\Psi$  holds for all paths, for all states on the path, which is indeed for all reachable states.

# The refinement mapping

**Definition 6.3** Define the function  $r: states_{P_{flip}^-} \rightarrow states_{I_{flip}^-}$  by

| $r(s) \stackrel{a}{=}$                                                  |                                                                                                                                                                                                                                                              |
|-------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ( init                                                                  | $ \begin{array}{l} \text{if } s \models contention_1 \land contention_2; \\ \text{if } s \models waiting_1 \land contention_2; \\ \text{if } s \models waiting_2 \land contention_1; \\ \text{if } s \models (waiting_1 \lor midphase_1) \land \end{array} $ |
| $(1, s.coin_1)$                                                         | if $s \models waiting_1 \land contention_2;$                                                                                                                                                                                                                 |
| $(2, s. \mathrm{coin}_2)$                                               | if $s \models waiting_2 \land contention_1;$                                                                                                                                                                                                                 |
| $\langle  ho(s.\operatorname{coin}_1, s.\operatorname{coin}_2) \rangle$ | $\text{if } s \models (waiting_1 \lor midphase_1) \land \\$                                                                                                                                                                                                  |
|                                                                         | $(waiting_2 \lor midphase_2);$                                                                                                                                                                                                                               |
| $root_1 \\ root_2$                                                      | if $s \models \text{status}_1 = root;$                                                                                                                                                                                                                       |
| $root_2$                                                                | otherwise.                                                                                                                                                                                                                                                   |

Notice that the conditions in the above case distinction are disjoint, so the refinement r is well-defined.

**Lemma 6.4** The function r is a step refinement from the automaton  $P_{flip}^{-}$  to  $I_{flip}^{-}$ .

PROOF: Standard.  $\Box$ 

**Lemma 6.5** For all reachable states  $s, t_1, t_2 \in reach_{P^-}$ , for all  $i \in \{1, 2\}$ ,

 $s \xrightarrow{\mathrm{flip}_i}_{P^-} t_1 \wedge s \xrightarrow{\mathrm{flip}_i}_{P^-} t_2 \wedge t_1 \neq t_2 \implies r(t_1) \neq r(t_2).$ 

(Notice that  $t_1 \neq t_2$  in this case means  $t_1.\operatorname{coin}_i \neq t_2.\operatorname{coin}_i$ .)

**Lemma 6.6** The function r is a probabilistic step refinement from  $P_{flip}$  to  $I_{flip}$ .

PROOF: Let  $s \in states_{P_{flin}}$ .

- 1. The action flip<sub>i</sub>: Let  $i \in \{1, 2\}$  and  $s \stackrel{a}{\to}_{P_{flip}} \mu \in trans_{P_{flip}}$ . Then there are  $t_1, t_2 \in states_{P_{flip}}$  such that  $\mu = \{t_1 \mapsto \frac{1}{2}, t_2 \mapsto \frac{1}{2}\}$  and  $t_1.coin_i \neq t_2.coin_i$ . Therefore, we have  $r(t_1) \neq r(t_2)$ . Then  $s \stackrel{a}{\to}_{P_{flip}} t_1 \in trans_{P_{flip}}$ , and  $s \stackrel{a}{\to}_{P_{flip}} t_2 \in trans_{P_{flip}}$  by the definition of  $P_{flip}$ . As flip<sub>i</sub> is an output action and r a step refinement, we have  $r(s) \stackrel{\text{flip}_i}{\to}_{I_{flip}} r(t_1) \in trans_{I_{flip}}$  and  $r(s) \stackrel{\text{flip}_i}{\to}_{I_{flip}} r(t_2) \in trans_{I_{flip}} r(t_1) \in supp(\nu_1)$  and  $r(s) \stackrel{\text{flip}_i}{\to}_{I_{flip}} \nu_1 \in trans_{I_{flip}} r(t_1) \in supp(\nu_1)$  and  $r(s) \stackrel{\text{flip}_i}{\to}_{I_{flip}} \nu_2 \in trans_{I_{flip}} r(t_2) \in supp(\nu_2)$ . However,  $I_{flip}$  enables at most one transition labeled by flip<sub>i</sub> from each state and this transition leads to a uniform distribution over two states. Therefore,  $\nu_1 = \nu_2 = \{r(t_1) \mapsto \frac{1}{2}, r(t_2) \mapsto \frac{1}{2}\} = r_*(\mu)$ . Then  $r(s) \stackrel{a}{\to}_{I_{flip}} r_*(\mu)$ ;
- 2. The other transitions. Let  $s \xrightarrow{a}_{P_{flip}} \mu \in trans_{P_{flip}}, a \neq \mathsf{flip}_1, \mathsf{flip}_2$ . Then  $\mu$  is a Dirac distribution, say that  $\mu = \{t \mapsto 1\}$ . Then we have  $s \xrightarrow{a}_{P_{flip}} t$ . As r is a step refinement we have three cases:

- (a)  $s \xrightarrow{a}_{P_{flip}} \mu$ . Then  $\mu = \{t \mapsto 1\}$  and  $r(s) \xrightarrow{a}_{I_{flip}} r(t)$ . Then there is a  $\nu$  such that  $r(s) \xrightarrow{a}_{I_{flip}} \nu$  and  $r(t) \in \operatorname{supp}(\nu)$ . As transitions in  $I_{flip}$  unequal to flip lead to Dirac distributions, we have  $\nu = \{r(t) \mapsto 1\} = r_*(\mu)$ . So,  $r(s) \xrightarrow{a}_{I_{flip}} r_*(\mu) \in \operatorname{trans}_{I_{flip}};$
- (b)  $a \in int_{P_{flip}}$  and  $s \xrightarrow{a'}_{P_{flip}} \mu$  for some  $a' \in int_{I_{flip}}$ . Then  $a' \neq flip_i$ , so we are in a simular case to the one above;
- (c)  $a \in int_{P_{flip}}$  and r(s) = r(t). Then  $r_*(\mu) = r_*(\{t \mapsto 1\}) = \{r(t) \mapsto 1\} = \{r(s) \mapsto 1\}.$

Corollary 6.7  $P_{flip} \sqsubseteq_{PSR} I_{flip}$ .

**Corollary 6.8**  $P \sqsubseteq_{PSR} I$ .

**Corollary 6.9**  $P \sqsubseteq_{\text{TD}} I$ .

# 6.2 The probabilistic hyperstep refinement between I and A

This section proves  $I \sqsubseteq_{\text{TD}} A$  by estabilishing a probabilistic hyperstep refinement R between I and A.

**Definition 6.10** Define a function  $R: states_I \to \Pi(states_A)$  by

$$\begin{split} R(init) &= \{init \mapsto 1\};\\ R(1, head) &= \{tail_2 \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\};\\ R(2, head) &= \{tail_1 \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\};\\ R(1, tail) &= \{tail_1 \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\};\\ R(2, tail) &= \{tail_2 \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\};\\ R(both, tail_1) &= \{tail_2 \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\};\\ R(both, tail_2) &= \{tail_2 \mapsto 1\};\\ R(same) &= \{same \mapsto 1\};\\ R(root_1) &= \{root_1 \mapsto 1\};\\ R(root_2) &= \{root_2 \mapsto 1\}. \end{split}$$

**Lemma 6.11** The function R is a probabilistic hyperstep refinement from I to A.

**PROOF:** We prove that R meets the conditions in Definition 3.20.

**condition 1.**  $R(init) = \{init \mapsto 1\}$  and  $init \in start_A$ .

**condition 2.** Let  $s \in states_I$ ,  $a \in act_I$ ,  $\mu \in \Pi(states_I)$  such that  $s \xrightarrow{a}_I \mu$ . Let  $i, j \in \{1, 2\}, i \neq j$ .

1. Consider the transition  $init \xrightarrow{\text{flip}_i}_{I} \{(i, head) \mapsto \frac{1}{2}, (i, tail) \mapsto \frac{1}{2}\}$ , We have that  $R(init) = \{init \mapsto 1\}$  and

$$\begin{split} R_{**}\{(i, head) \mapsto \frac{1}{2}, (i, tail) \mapsto \frac{1}{2}\} &= \\ \frac{1}{2} \cdot R(i, head) + \frac{1}{2} \cdot R(i, tail) &= \\ \frac{1}{2} \cdot \{tail_j \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\} + \frac{1}{2} \cdot \{tail_i \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\} &= \\ \{tail_1 \mapsto \frac{1}{4}, tail_2 \mapsto \frac{1}{4}, same \mapsto \frac{1}{2}\}. \end{split}$$

And indeed,  $R(init) = \{init \mapsto 1\} \xrightarrow{\text{flip}_i}_{A^{**}} \{tail_1 \mapsto \frac{1}{4}, tail_2 \mapsto \frac{1}{4}, same \mapsto \frac{1}{2}\}.$ 

2. Consider the transition  $(i, tail) \xrightarrow{\text{flip}_j} \{(both, same) \mapsto \frac{1}{2}, (both, tail_i) \mapsto \frac{1}{2}\}$ , for  $i \in \{1, 2\}$ . We have  $R(i, tail) = \{tail_i \mapsto \frac{1}{2}, same \mapsto \frac{1}{2}\}$  and

$$\begin{split} R_{**}\{(both, same) \mapsto \frac{1}{2}, (i, tail) \mapsto \frac{1}{2}\} &= \\ \frac{1}{2} \cdot R(both, same) + \frac{1}{2} \cdot R(both, tail_i) &= \\ \{same \mapsto \frac{1}{2}, tail_i \mapsto \frac{1}{2}\} &= \\ R(i, tail). \end{split}$$

- 3. Similarly, one can prove that for the transition  $(i, head) \xrightarrow{\text{flip}_j} I \{(both, same) \mapsto \frac{1}{2}, (both, tail_i) \mapsto \frac{1}{2}\}, R_{**}\{(both, same) \mapsto \frac{1}{2}, (both, tail_i) \mapsto \frac{1}{2}\} = R(i, head).$
- 4. The transition (both, same)  $\xrightarrow{\text{retry}}_{I} \{ init \mapsto 1 \}$ . We have that  $R(both, same) = \{ same \mapsto 1 \} \xrightarrow{\text{retry}}_{A^{**}} \{ init \mapsto 1 \} = 1 \cdot R(init) = R_{**} \{ init \mapsto 1 \}.$
- 5. The transitions  $s \xrightarrow{\operatorname{root}_i}_I \{\operatorname{root}_i \mapsto 1\}$ , for  $s \in \{(both, tail_i), (both, same)\}$  and  $i \in \{1, 2\}$ . We have that  $R(s) = \{s \mapsto 1\} \xrightarrow{\operatorname{root}_i}_{A^{**}} \{\operatorname{root}_i \to 1\} = 1 \cdot R(\operatorname{root}_i) = R_{**}\{\operatorname{root}_i \mapsto 1\}$ .

Corollary 6.12  $I \sqsubseteq_{\text{TD}} A$ .

# 6.3 The probabilistic step refinement between A and S

This section proves  $A \sqsubseteq_{\text{TD}} S$  by establishing a probabilistic step refinement u between A and S.

**Definition 6.13** Define a function  $u: states_A \rightarrow states_S$  by

u(init) = init; u(same) = init;  $u(tail_1) = init;$   $u(tail_2) = init;$   $u(root_1) = root_1;$  $u(root_2) = root_2.$ 

**Lemma 6.14** The function u is a probabilistic step refinement from A to S.

#### **PROOF:**

condition 1  $u(init) = init \in start_S$ . condition 2

- 1. Consider the transition  $init \xrightarrow{\text{flip}}_A \{tail_1 \mapsto \frac{1}{4}, tail_2 \mapsto \frac{1}{4}, same \mapsto \frac{1}{2}\}$ . Then  $u(init) = init = u(same) = u(tail_1) = u(tail_2)$ , so condition 2b of Definition 3.13 is met.
- 2. Consider the transition *init*  $\xrightarrow{\text{retry}}_A \{init \mapsto 1\}$ . Then u(same) = init = u(init), so condition 2b of Definition 3.13 is met.
- 3. Consider the transition  $s \xrightarrow{\text{root}_i}_A \{\text{root}_i \mapsto 1\}$ , for  $s \in \{\text{same}, \text{tail}_i\}$ . Then  $u(s) \xrightarrow{\text{root}_i}_S u_*\{\text{root}_i \mapsto 1\} = \{u(\text{root}_i) \mapsto 1\} = \{\text{root}_i \mapsto 1\}.$

Corollary 6.15  $A \sqsubseteq_{\text{TD}} S$ .

**Corollary 6.16**  $P \sqsubseteq_{\text{TD}} S$ .

# 7 Fair trace distribution inclusion

This section proves that P implements S, i.e. that  $P \sqsubseteq_{\text{FTD}} S$ . We therefore establish the following relations.

- 1.  $P_{flip} \sqsubseteq_{\text{FTD}} I_{flip}$ , using that the refinement r from  $P_{flip}^{-}$  to  $I_{flip}^{-}$  preserves fairness of executions. Then  $P \sqsubseteq_{\text{FTD}} I$  follows because P and  $P_{flip}$  as well as I and  $I_{flip}$  have the same task partitions;
- 2.  $I \sqsubseteq_{\text{FTD}} A$ ;
- 3.  $A \sqsubseteq_{\text{FTD}} S$ .

Then  $P \sqsubseteq_{\text{FTD}} S$  follows from transitivity of  $\sqsubseteq_{\text{FTD}}$ .

## Fair trace distribution inclusion for P and I

This section proves that  $P \sqsubseteq_{\text{FTD}} I$  by showing that the refinement mapping r defined in Definition 6.3 from  $P_{flip}$  to  $I_{flip}$  preserves fairness of executions. Our first aim is to show that the fair traces of P satisfy the properties desired with respect to modularity, c.f. Remark 3.24.

#### Fair and diverging executions in P and $P_i$

This section proves that the fair executions and the so-called diverging executions of P and  $P_i$  are all strongly related. This implies that no "time deadlocks" can appear in P and  $P_i$  and that the specification P has the desired properties with respect to the parallel composition.

**Notation 7.1** For  $i \in \{1,2\}$ , let  $C_i \stackrel{d}{=} \{\text{flip}_i, \text{poll\_once}_i, \text{poll\_many}_i, \text{send}_i(req), \text{root}_i, \text{child}_i, \text{send}_i(ack), \text{retry}_i\}$ . Then  $tasks_{P_i} = \{\{\text{tick}\}, C_i\}$  and  $tasks_P = \{\{\text{tick}\}, C_1, C_2\}$ . Notice that every action of P is contained in a task class.

An execution of a timed automaton is called diverging if time elapses to infinity. As time is modeled by the action tick in P and  $P_i$ , we have the following analogy.

**Definition 7.2** An execution of P,  $P_1$  or  $P_2$  is called *diverging* if it contains infinitely many tick actions.

- **Proposition 7.3** 1. Every reachable state  $s \in P^-$  enables at least one transition;
  - 2. For all infinite executions  $\alpha = s_0 a_1 s_1 \dots$  of  $P^-$  there are infinitely many k's such that

 $s_k \models (\text{status}_1 = waiting \land \text{clock}_1 = 0 \land \text{status}_2 = waiting \land \text{clock}_2 = 0) \lor \\ (\text{status}_2 = root \land \text{status}_2 = child) \lor \\ (\text{status}_1 = root \land \text{status}_1 = child);$ 

3. For all infinite executions  $\alpha = s_0 a_1 s_1 \dots$  of  $P^-$  there are infinitely many k's such that

 $s_k \models (\text{status}_1 = init \lor \text{status}_2 = init \lor \text{status}_1 = root \lor \text{status}_2 = root).$ 

**Proof**:

- 1. It has been checked in SMV that the disjunction of the preconditions of all actions is true in every reachable state of  $P^-$ ;
- 2. We have checked with SMV that the formula  $AGAF((\text{status}_1 = waiting \land \text{clock}_1 = 0 \land \text{status}_2 = waiting \land \text{clock}_2 = 0) \lor (\text{status}_2 = root \land \text{clock}_2 = child) \lor (\text{status}_1 = root \land \text{clock}_1 = child)) \text{ holds for the SMV model of } P^-$ .
- 3. We have checked that the formula  $AGAF(\text{status}_1 = init \lor \text{status}_2 = init \lor \text{status}_1 = root \lor \text{status}_2 = root)$  holds for the SMV model of  $P^-$ .

**Proposition 7.4** Every fair execution of  $P^-$  is infinite and diverging.

**PROOF:** Let  $\alpha$  be a fair execution of  $P^-$ . Assume that  $\alpha$  is finite. Then the last state of  $\alpha$  enables an action by Proposition 7.3. As this action is in one of the task classes,  $\alpha$  is not fair. Therefore,  $\alpha$  is infinite. Then Proposition 7.3-2 implies that the action tick is infinitely often enabled. Then tick is infinitely often taken because if tick is enabled, then no other action is enabled. (It is easy to see that the disjunction of the preconditions of tick and any other actions  $P^-$  is false.) Therefore,  $\alpha$  is diverging.  $\Box$ 

**Proposition 7.5** Every diverging execution of  $P_i^-$  is fair.

**PROOF:** It is easy to see that that the disjunction of the preconditions of tick and any action of  $C_i$  is false. This means that if tick is enabled, then no action in  $C_i$  is enabled. As a diverging execution contains infinitely many ticks, the actions from  $C_i$  are infinitely often disabled. Hence, every diverging execution of P is fair.  $\Box$ 

**Corollary 7.6** Let  $\alpha \in execs(P)$ . Then the following statements are equivalent.

- 1.  $\alpha$  is fair;
- 2.  $\alpha$  is diverging;
- 3. The projections of  $\alpha$  on  $P_1$  and  $P_2$  are both diverging;
- 4. The projections of  $\alpha$  on  $P_1$  and  $P_2$  are both fair.

PROOF: Proposition 7.4 states that  $1 \implies 2$ . The definition of diverging immediately yields  $2 \implies 3$  and  $3 \implies 4$  follows from Proposition 7.5. Proposition 3.23 finally implies  $4 \implies 1$ .  $\Box$ 

#### Fair trace distribution inclusion between P and I

Recall that  $r: states_{P_{flip}} \rightarrow states_{I_{flip}}$  is the probabilistic step refinement defined in 6.3 and that a probabilistic step refinement induces a relation  $\tilde{r}$  according to Lemma 3.28. Now we prove fair trace distribution inclusion between P and I by showing that the refinement r preserves fairness of executions.

**Lemma 7.7** The relation  $\vec{r} \subseteq frags(P_{flip}) \times frags(I_{flip})$  induced by r is a function.

**PROOF:** For  $s, t \in states_{I^-}$  there is at most one action a such that  $s \xrightarrow{a}_{I^-} t$ .  $\Box$ 

**Notation 7.8** In the sequel we write  $\tilde{r}(\alpha) = \beta$  for  $(\alpha, \beta) \in \tilde{r}$ .

**Lemma 7.9** The induced function  $\tilde{r}$ : states<sub> $P_{flip</sub>^-</sub> <math>\rightarrow$  states<sub> $I_{flip}^-$ </sub> preserves fairness, i.e.  $\alpha \in fexecs(P_{flip}) \implies \tilde{r}(\alpha) \in fexecs(I_{flip})$ .</sub>

**PROOF:** It is clear that in the automaton  $I_{flip}$ 

- all infinite executions are fair and
- a finite execution is fair if and only if its last state is either *root*<sub>1</sub> or *root*<sub>2</sub>.

Let  $\alpha = s_0 a_1 s_1 a_2 s_2 \dots$  be a fair execution of  $P_{flip}$ . Lemma 7.3 yields that  $\alpha$  is infinite. Consider the following cases.

If there are k, i such that  $s_k \models \text{status}_i = root$ , then  $r(s_k) = root_i$  by Definition 6.3. As the state  $root_i$  is quiescent in  $I_{flip}^{-}$ ,  $\tilde{r}(\alpha)$  is finite and ends in a quiescent state, so  $\tilde{r}(\alpha)$  is a fair execution.

If, on the contrary, there are no k,i such that  $s_k \models \text{status}_i = root]$ , then Lemma 7.3-3 implies that there are infinitely many states  $s_{n_1}, s_{n_2}, s_{n_3}, \ldots$  such that

 $s_{n_k} \models \text{status}_1 = init \lor \text{status}_2 = init.$ 

Let  $k \in \mathbb{N}$ . As  $s_{n_k}$  only enables the actions flip<sub>1</sub> and flip<sub>2</sub>, we have  $a_{n_k+1} = \text{flip}_i$ , which means that the action taken by  $\alpha$  in the state  $s_{n_k}$  is either flip<sub>1</sub> or flip<sub>2</sub>. As flip<sub>i</sub> is an external action of  $P_{flip}^{-}$ , we have  $r(s_{n_k}) \xrightarrow{\text{flip}_i}_{I_{flip}^{-}} r(s_{n_k+1})$  and therefore  $\bar{r}(s_{n_k}a_{n_k+1}s_{n_k+1}) = r(s_{n_k})a_{n_k+1}r(s_{n_k+1}) = r(s_{n_k})\text{flip}_ir(s_{n_k+1})$ . Therefore,  $\tilde{r}(\alpha)$ contains infinitely many flip actions and is therefore infinite, c.q. fair.  $\Box$ 

Corollary 7.10  $P_{flip} \sqsubseteq_{FTD} I_{flip}$ .

Corollary 7.11  $P \sqsubseteq_{\text{FTD}} I$ .

## Fair trace distribution inclusion for I and A

This section proves that  $I \sqsubseteq_{\text{FTD}} A$  by an ad hoc probabilistic argument. It is left as a topic for future research to find a proof similar to that of Section 7. The main part of this research is to define a notion of "preserving fairness of executions" for probabilistic hyperstep refinements.

**Lemma 7.12** If H is a fair trace distribution of I, then  $\mathbf{P}_H[\{root_1\}] \geq \frac{1}{4}$  and  $\mathbf{P}_H[\{root_2\}] \geq \frac{1}{4}$ .

**PROOF:** Consider a fair probabilistic execution E of I of a fair trace distribution H. Then there is a unique  $\mu$  such that  $(init, \mu) \in trans_E$ . As *init* is not a fair trace distribution of I,  $\mathbf{P}_E[init] = 0$ , so  $\delta \notin \mathbf{P}_{\mu}$ . Then there is a  $p \in [0, 1]$  such that

$$\begin{split} \mu &= p \cdot \{ init \mathsf{flip}_1(1, head) \mapsto \frac{1}{2}, init \mathsf{flip}_1(1, tail) \mapsto \frac{1}{2} \} + \\ & (1-p) \cdot \{ init \mathsf{flip}_2(2, head) \mapsto \frac{1}{2}, init \mathsf{flip}_2(2, tail) \mapsto \frac{1}{2} \}. \end{split}$$

**case 1:**  $p \neq 0, 1$ . Then there is a unique  $\nu_1$  such that  $(initflip_1(1, tail), \nu_1) \in trans_E$ . By fairness of E,  $\mathbf{P}_E[initflip_1(1, tail)] = 0$ , so  $\delta \notin \operatorname{supp}(\nu_1)$ . Then

$$\begin{split} \nu_1 &= \{ init \mathsf{flip}_1(1, tail) \mathsf{flip}_2(both, tail_1) \mapsto \frac{1}{2}, \\ &\quad init \mathsf{flip}_1(1, tail) \mathsf{flip}_2(both, same) \mapsto \frac{1}{2} \}. \end{split}$$

Again by fairness, the set  $trans_E$  contains the tuple  $(initflip_1(1, tail)flip_2(both, tail_1), \{initflip_1(1, tail)flip_2(both, tail_1)root_1root_1 \mapsto 1\})$ . Similarly, we have that

$$\begin{split} (initflip_2(1, head), \nu_2) &\in trans_E, \\ & \text{where } \nu_2 = \{initflip_2(1, head) \texttt{flip}_1(both, tail_1) \mapsto \frac{1}{2}, \\ & initflip_2(1, head) \texttt{flip}_1(both, same) \mapsto \frac{1}{2} \} \text{and} \\ (initflip_2(2, head) \texttt{flip}_1(both, tail_1), \\ & \{initflip_2(2, head) \texttt{flip}_1(both, tail_1) \texttt{root}_1 \text{ root}_1 \mapsto 1\}) \in trans_E. \end{split}$$

Then

$$\begin{split} \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})\mathrm{root}_{1}root_{1}}] &= p \cdot \frac{1}{2} \cdot \frac{1}{2} \\ \mathbf{P}_{E}[C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})\mathrm{root}_{1}root_{1}}] &= (1-p) \cdot \frac{1}{2} \cdot \frac{1}{2} \end{split}$$

**case 2:** p = 1. Then there is a unique  $\nu$  such that  $(init \operatorname{flip}_1(1, tail), \nu) \in trans_E$ . By fairness of  $E, \delta \notin \operatorname{supp}(\nu)$  so  $\nu = \{\operatorname{flip}_2(both, tail_1) \mapsto \frac{1}{2}, \operatorname{flip}_2(both, same) \mapsto \frac{1}{2}\}$ . Then

$$\begin{aligned} \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})root_{1}root_{1}}] &= \frac{1}{2} \cdot \frac{1}{2} = p \cdot \frac{1}{2} \cdot \frac{1}{2} \\ \mathbf{P}_{E}[C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})root_{1}root_{1}}] &= 0 = (1-p) \cdot \frac{1}{2} \cdot \frac{1}{2} \end{aligned}$$

case 3: p = 0. Similarly to the case above one proves

$$\begin{split} \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})\mathrm{root}_{1}root_{1}}] &= p \cdot \frac{1}{2} \cdot \frac{1}{2} \\ \mathbf{P}_{E}[C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})\mathrm{root}_{1}root_{1}}] &= (1-p) \cdot \frac{1}{2} \cdot \frac{1}{2} \end{split}$$

Now, let H be the trace distribution of E. Then

$$\begin{split} \mathbf{P}_{H}[root_{1}] &= \\ \mathbf{P}_{E}[traces^{-1}\{root_{1}\}] \geq \\ \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})root_{1}root_{1}} \cup \\ C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})root_{1}root_{1}}] &= \\ \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})root_{1}root_{1}}] + \\ \mathbf{P}_{E}[C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})root_{1}root_{1}}] &= \\ p \cdot \frac{1}{2} \cdot \frac{1}{2} + (1-p) \cdot \frac{1}{2} \cdot \frac{1}{2} = \\ \frac{1}{4}. \end{split}$$

Similarly one proves  $\mathbf{P}_H[root_2] \geq \frac{1}{4}$ .  $\Box$ 

**Lemma 7.13** If H is a fair trace distribution of I, then  $\mathbf{P}_H[\{root_1\}] \geq \frac{1}{4}$  and  $\mathbf{P}_H[\{root_2\}] \geq \frac{1}{4}$ .

PROOF: Consider a fair probabilistic execution E of I of a fair trace distribution H. Given a state  $\alpha \in states_E$ , let  $\mu_{\alpha}$  be a probability distribution in  $\Pi(trans_A(last(\alpha)) \cup \{\delta\})$  as in Definition 3.8. We have  $init \in states_E$ . Consider  $trans_E(init)$ . As *init* is not a fair execution of I, we have  $\mathbf{P}_E[init] = 0$  and therefore  $\mu_{init}(\delta) = 0$ . Write

$$p = \mu_{init} \left( init \xrightarrow{\text{flip}_1} \{ init \text{flip}_1(1, head) \mapsto \frac{1}{2}, init \text{flip}_1(1, tail) \mapsto \frac{1}{2} \} \right)$$

Assume  $p \neq 0, 1$ . Then

 $\begin{aligned} trans_E(init)(initflip_1(1, head)) &= p \cdot \frac{1}{2} \\ trans_E(init)(initflip_1(1, tail)) &= p \cdot \frac{1}{2} \\ trans_E(init)(initflip_2(2, head)) &= (1-p) \cdot \frac{1}{2} \\ trans_E(init)(initflip_2(2, tail)) &= (1-p) \cdot \frac{1}{2} \end{aligned}$ 

Let  $\alpha = initflip_1(1, tail), initflip_2(2, head)$ . Then  $\alpha \in states_E$  and  $\mu_{\alpha}(\delta) = 0$  by fairness. As (1, tail) and (2, head) enable one transition, viz.  $(1, tail) \xrightarrow{\text{flip}} \{(both, tail_1) \mapsto \frac{1}{2}, (both, same) \mapsto \frac{1}{2}\}$  and  $(1, tail) \xrightarrow{\text{flip}} \{(both, tail_1) \mapsto \frac{1}{2}, (both, \mapsto)\frac{1}{2}\}$ , we have

 $trans_E(initflip_1(1, tail))(initflip_1(1, tail)flip_2(both, tail_1)) = \frac{1}{2}$  $trans_E(initflip_2(2, head))(initflip_2(2, head)flip_1(both, tail_1)) = \frac{1}{2}.$ 

Again fairness and the fact that the state  $(\mathit{both}, \mathit{tail}_1)$  enables only one transition yield

$$\begin{split} trans_E(initflip_1(1, tail)flip_2(both, tail_1)) \\ & (initflip_1(1, tail)flip_2(both, tail_1)root_1root_1) = 1 \\ trans_E(initflip_2(2, head)flip_1(both, tail_1)) \\ & (initflip_2(2, head)flip_1(both, tail_1)root_1root_1) = 1. \end{split}$$

From the above equations it follows immediately that

$$\begin{split} \mathbf{P}_E[C_{init\mathsf{flip}_1(1,tail)\mathsf{flip}_2(both,tail_1)\mathsf{root}_1 root_1}] &= p \cdot \frac{1}{2} \cdot \frac{1}{2} \cdot 1\\ \mathbf{P}_E[C_{init\mathsf{flip}_2(2,head)\mathsf{flip}_1(both,tail_1)\mathsf{root}_1 root_1}] &= (1-p) \cdot \frac{1}{2} \cdot \frac{1}{2} \cdot 1. \end{split}$$

For p = 0, 1 an even simpler calculation proves the above equation. Now, as H is the trace distribution of E, we have

$$\begin{split} \mathbf{P}_{H}[root_{1}] &= \\ \mathbf{P}_{E}[traces^{-1}\{root_{1}\}] \geq \\ \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})root_{1}root_{1}} \cup \\ C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})root_{1}root_{1}}] &= \\ \mathbf{P}_{E}[C_{initflip_{1}(1,tail)flip_{2}(both,tail_{1})root_{1}root_{1}}] + \\ \mathbf{P}_{E}[C_{initflip_{2}(2,head)flip_{1}(both,tail_{1})root_{1}root_{1}}] &= \\ p \cdot \frac{1}{2} \cdot \frac{1}{2} + (1-p) \cdot \frac{1}{2} \cdot \frac{1}{2} &= \\ \frac{1}{4}. \end{split}$$

Similarly one proves  $\mathbf{P}_H[root_2] \geq \frac{1}{4}$ .  $\Box$ 

**Lemma 7.14** If H is a fair trace distribution of I, then  $\mathbf{P}_{H}[\{root_{1}, root_{2}\}] = 1$ . PROOF: Let L and R be the sets of execution fragments of I defined by:

$$\begin{split} L &\stackrel{\mathrm{d}}{=} \{ init \mathrm{flip}_1(1, head) \mathrm{flip}_2(both, same) \mathrm{retry}, \\ init \mathrm{flip}_1(1, tail) \mathrm{flip}_2(both, same) \mathrm{retry}, \\ init \mathrm{flip}_2(2, head) \mathrm{flip}_1(both, same) \mathrm{retry}, \\ init \mathrm{flip}_2(2, tail) \mathrm{flip}_1(both, same) \mathrm{retry} \} \\ R &\stackrel{\mathrm{d}}{=} \{ init \mathrm{flip}_1(1, head) \mathrm{flip}_2(both, tail_2) \mathrm{root}_2 \mathrm{root}_2, \\ init \mathrm{flip}_1(1, head) \mathrm{flip}_2(both, tail_2) \mathrm{root}_2 \mathrm{root}_2, \\ init \mathrm{flip}_1(1, head) \mathrm{flip}_2(both, tail_1) \mathrm{root}_1 \mathrm{root}_1, \\ init \mathrm{flip}_1(1, tail) \mathrm{flip}_2(both, tail_1) \mathrm{root}_1 \mathrm{root}_1, \\ init \mathrm{flip}_1(1, tail) \mathrm{flip}_2 \mathrm{sameroot}_2 \mathrm{root}_2, \\ init \mathrm{flip}_2(2, head) \mathrm{flip}_1(both, tail_1) \mathrm{root}_1 \mathrm{root}_1, \\ init \mathrm{flip}_2(2, head) \mathrm{flip}_1 \mathrm{sameroot}_2 \mathrm{root}_2, \\ init \mathrm{flip}_2(2, head) \mathrm{flip}_1 \mathrm{sameroot}_2 \mathrm{root}_2, \\ init \mathrm{flip}_2(2, tail) \mathrm{flip}_2 \mathrm{sameroot}_2 \mathrm{root}_2, \\ init \mathrm{flip}_2(2, tail) \mathrm{flip}_2 \mathrm{sameroot}_2 \mathrm{root}_2, \\ init \mathrm{flip}_2(2, tail) \mathrm{flip}_2 \mathrm{sameroot}_2 \mathrm{root}_2, \\ init \mathrm{flip}_2(2, t$$

Then it is easy to see that the fair executions of  $I^-$  are given by

 $fexecs(I^-) = L^* \cdot R \cup L^{\infty}.$ 

Now, let *E* be a probabilistic execution of *I* with trace distribution *H*. It follows by induction that  $0 \leq \mathbf{P}_E[\cup_{\beta \in L^n} C_\beta] \leq \frac{1}{2^n}$  for all  $n \in \mathbb{N}$ . Then

$$\mathbf{P}_E[L^{\infty}] = \mathbf{P}_E[\cap_{n \in \mathbb{N}} \cup_{\beta \in L^n} C_{\beta}] = \lim_{n \to \infty} \mathbf{P}_E[\cup_{\beta \in L^n} C_{\beta}] = 0$$

and therefore,

$$\mathbf{P}_{E}[\{\operatorname{root}_{1},\operatorname{root}_{2}\}] \geq \mathbf{P}_{E}[L^{*} \cdot R] = \mathbf{P}_{E}[L^{*} \cdot R \cup L^{\infty}] = \mathbf{P}_{E}[fexecs(I^{-})] = 1.$$

# Lemma 7.15 $I \sqsubseteq_{\text{FTD}} A$ .

PROOF: Let *H* be a fair trace distribution of *I*. Then  $\mathbf{P}_H[\{root_1, root_2\}] = 1$  and  $\mathbf{P}_H[\{root_1\}] \geq \frac{1}{4}$ , say  $p = \mathbf{P}_H[\{root_1\}] - \frac{1}{4}$ . The diagram below represents a fair probabilistic execution of *A* with trace distribution *H*.



So  $H \in ftrdistr(A)$ .  $\Box$ 

# Fair trace distribution inclusion for A and S

This section proves that A implements S by an ad hoc probabilistic argument. Notice that  $A^- \not\sqsubseteq_{\text{FTD}} S^-$ , which means that the probabilistic nature of the protocol is crucial for fairness (c.q. liveness).

Lemma 7.16  $A \sqsubseteq_{\text{FTD}} S$ .

PROOF: Firstly, we prove that  $\mathbf{P}_H[\{root_1, root_2\}] = 1$  for all fair trace distributions H of A. Let H be a fair trace distribution in A and let E be a fair probabilistic execution with trace distribution H. We show that  $\mathbf{P}_E[fexecs(A^-)] = 1$ . Firstly, define

 $L \stackrel{\mathrm{d}}{=} init \text{flip} same \text{retry};$ 

 $R \stackrel{\text{d}}{=} \{ initflip tail_1 root_1 root_1, \\ \{ initflip same root_1 root_1, \\ \{ initflip tail_2 root_2 root_2, \\ \{ initflip same root_2 root_2 \} \}.$ 

Then, similarly to the proof of Lemma 7.14, we have

 $fexecs(A^-) = L^* \cdot R \cup L^\infty.$ 

Furthermore,

$$\mathbf{P}_E[L^{\infty}] = \mathbf{P}_E[\cap_{n \in \mathbb{N}} C_{L^n}] = \lim_{n \to \infty} \mathbf{P}_E[C_{L^n}] = 0,$$

because  $0 \leq \mathbf{P}_E[C_{L^n}] \leq \frac{1}{2^n}$  for all n. So,

 $\mathbf{P}_E[L^* \cdot R] = 1$ 

and as all these probabilistic executions have trace  $root_1$  or  $root_2$ ,

$$\mathbf{P}_{H}[\{root_{1}, root_{2}\}] = \mathbf{P}_{E}[trace^{-1}\{root_{1}, root_{2}\}] \ge \mathbf{P}_{E}[L^{*} \cdot R] = 1.$$

Therefore,  $\mathbf{P}_H[\{root_1, root_2\}] = 1$ . Now, let  $\mathbf{P}_H[root_1] = p$ . Then



represents a fair probabilistic execution of S with trace distribution H. So  $H \in ftrdistr(S)$ .  $\Box$ 

Corollary 7.17  $P \sqsubseteq_{\text{FTD}} S$ .

# 8 Conclusions and further research

The main result established in this paper is that the root contention subprotocol in IEEE 1394 is correct in a model that abstracts from real-time aspects. The formal verification carried out in the probabilistic automaton model model from [Seg95] was not too complex. Actually, most of the work concerned the analysis of non-probabilistic aspect of the protocol. A similar conclusion was drawn in [PSL97] for the verification of the Aspnes and Herlidy protocol.

As a first approach to this protocol, we have verified the protocol in an discretetime model. A follow-up of this study, dealing with real-time is reported in [SV99b]. In fact, we have modeled a discrete time model, where time can have integer values, into a untimed model using an action tick. As tick is neither an input not an output action, we dropped distinction between input and output actions and only distinguish between internal and external actions. The notion of parallel composition therefore becomes more general but also somewhat artificial. However, the absence of time allowed us to use tools for untimed systems.

We have introduced several techniques and strategies to make the verification easier, which can be useful in the analysis of other realistic protocols and algorithms. Some of these techniques give rise to new questions and topics for future research.

- 1. Within our verification, we introduced two intermediate automata between the specification and the implementation. This allowed a separation of concern and the use of existing tools for the analysis of non-probabilistic systems. The actual probabilistic verification was carried out on an automaton with less than ten states. Furthermore, we introduced two probabilistic simulation relations. These are less general than the simulation relations from [SL95] but they simplified the verification to a large extend.
- 2. We have proven a result that reduces reasoning about fair probabilistic executions to reasoning about fairness of (non-probabilistic) executions. We are aiming at a more general result that relates probabilistic execution properties (such as fairness) to execution properties via probabilistic step refinements and probabilistic hyperstep refinements.
- 3. We have described a method for encoding finite I/O automata in precondition effect-style and invariant properties into the SMV input language. It would be desirable to describe this relation more formally and to prove the claims made in this report more formally. Moreover, such a rigorous description would be a first step to an automatic translation from the IOA language [GLV97], which is a formal syntax for I/O automata in precondition-effect style, to SMV. Although IOA-to-PVS, IOA-to-Larch and IOA-to-Spin compilers are currently being constructed, an IOA-to-SMV compiler is still useful because SMV is easy-to-use model checker, whereas PVS and Larch are interactive proof tools.

Another interesting topic for future research would be to use tools in the verification of the probabilistic aspects of the protocol as well. Furthermore, it should not be to difficult to do some performance analysis, for instance one could calculate upper and lower bounds on the expected number of ticks before a leader is elected.

#### Acknowledgments

Thanks to Judi Romijn and to David Grifficien for their useful comments on earlier versions of the specification and to Marco Devillers for an introduction to SMV.

# References

[Agg94] S. Aggarwal. Time optimal self-stabilizing spanning tree algorithms. Master's thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, May 1994. Available as Technical Report MIT/LCS/TR-632.

- [DGRV97] M.C.A. Devillers, W.O.D. Griffioen, J.M.T Romijn, and F.W. Vaandrager. Verification of a leader election protocol — formal methods applied to IEEE 1394. Technical Report CSI-R9728, Computing Science Institute, University of Nijmegen, December 1997. Submitted.
- [GLV97] S.J. Garland, N.A. Lynch, and M. Vaziri. IOA: A language for specifying, programming, and validating distributed systems, September 1997.Available through URL http://larch.lcs.mit.edu:8001/~garland/ioaLanguage.html.
- [Hal50] P.R. Halmos. Measure Theory. Van Nostrand Reinhold Company Inc, New York, 1950.
- [IEE96] IEEE Computer Society. IEEE Standard for a High Performance Serial Bus. Std 1394-1995, August 1996.
- [IEE98] IEEE Computer Society. P1394a Draft Standard for a High Performance Serial Bus (Supplement). Draft 2.0, March 1998.
- [Lut97] S.P. Luttik. Description and formal specification of the Link layer of P1394. In I. Lovrek, editor, Proceedings of the 2nd International Workshop on Applied Formal Methods in System Design, Zagreb, pages 43–56, 1997. Also available as Report SEN-R9706, CWI, Amsterdam. See URL http://www.cwi.nl/~luttik/.
- [LV96] N.A. Lynch and F.W. Vaandrager. Forward and backward simulations, II: Timing-based systems. Information and Computation, 128(1):1–25, July 1996.
- [Lyn96] N.A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, Inc., San Fransisco, California, 1996.
- [McM92] K.L. McMillan. The smv system, draft, February 1992. Available through URL http://www.cs.cmu.edu/~modelcheck/smv.html.
- [PSL97] A. Pogosyants, R. Segala, and N.A. Lynch. Verification of the randomized consensus algorithm of Aspnes and Herlihy: a case study. In M. Mavronicolas and Ph. Tsigas, editors, *Proceedings of 11th International Workshop on Distributed Algorithms (WDAG'97)*, Saarbrucken, Germany, September 1997, volume 1320 of *Lecture Notes in Computer Science*, pages 111–125. Springer-Verlag, 1997. Also, Technical Memo MIT/LCS/TM-555, Laboratory for Computer Science, Massachusetts Institute of Technology.
- [Seg95] R. Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, June 1995. Available as Technical Report MIT/LCS/TR-676.
- [Sha98] C. Shankland. The Tree Identify Protocol of IEEE 1394, pages 299–319. Stichting Mathematisch Centrum, 1998.
- [SL95] R. Segala and N.A. Lynch. Probabilistic simulations for probabilistic processes. *Nordic Journal of Computing*, 2(2):250–273, 1995.
- [SV99a] M.I.A. Stoelinga and F.W. Vaandrager. Gambling together in Monte Carlo: Step refinements for probabilistic automata. Report CSI-R99xx, Computing Science Institute, University of Nijmegen, Nijmegen, 1999. To appear.

[SV99b] M.I.A. Stoelinga and F.W. Vaandrager. Root contention in IEEE 1394. Report CSI-R9905, Computing Science Institute, University of Nijmegen, Nijmegen, 1999.