%!PS %%Version: 3.3 %%DocumentFonts: (atend) %%Pages: (atend) %%EndComments % % Version 3.3 prologue for troff files. % /#copies 1 store /aspectratio 1 def /formsperpage 1 def /landscape false def /linewidth .3 def /magnification 1 def /margin 0 def /orientation 0 def /resolution 720 def /rotation 1 def /xoffset 0 def /yoffset 0 def /roundpage true def /useclippath true def /pagebbox [0 0 612 792] def /R /Times-Roman def /I /Times-Italic def /B /Times-Bold def /BI /Times-BoldItalic def /H /Helvetica def /HI /Helvetica-Oblique def /HB /Helvetica-Bold def /HX /Helvetica-BoldOblique def /CW /Courier def /CO /Courier def /CI /Courier-Oblique def /CB /Courier-Bold def /CX /Courier-BoldOblique def /PA /Palatino-Roman def /PI /Palatino-Italic def /PB /Palatino-Bold def /PX /Palatino-BoldItalic def /Hr /Helvetica-Narrow def /Hi /Helvetica-Narrow-Oblique def /Hb /Helvetica-Narrow-Bold def /Hx /Helvetica-Narrow-BoldOblique def /KR /Bookman-Light def /KI /Bookman-LightItalic def /KB /Bookman-Demi def /KX /Bookman-DemiItalic def /AR /AvantGarde-Book def /AI /AvantGarde-BookOblique def /AB /AvantGarde-Demi def /AX /AvantGarde-DemiOblique def /NR /NewCenturySchlbk-Roman def /NI /NewCenturySchlbk-Italic def /NB /NewCenturySchlbk-Bold def /NX /NewCenturySchlbk-BoldItalic def /ZD /ZapfDingbats def /ZI /ZapfChancery-MediumItalic def /S /S def /S1 /S1 def /GR /Symbol def /inch {72 mul} bind def /min {2 copy gt {exch} if pop} bind def /setup { counttomark 2 idiv {def} repeat pop landscape {/orientation 90 orientation add def} if /scaling 72 resolution div def linewidth setlinewidth 1 setlinecap pagedimensions xcenter ycenter translate orientation rotation mul rotate width 2 div neg height 2 div translate xoffset inch yoffset inch neg translate margin 2 div dup neg translate magnification dup aspectratio mul scale scaling scaling scale /Symbol /S Sdefs cf /Times-Roman /S1 S1defs cf 0 0 moveto } def /pagedimensions { useclippath userdict /gotpagebbox known not and { /pagebbox [clippath 
pathbbox newpath] def roundpage currentdict /roundpagebbox known and {roundpagebbox} if } if pagebbox aload pop 4 -1 roll exch 4 1 roll 4 copy landscape {4 2 roll} if sub /width exch def sub /height exch def add 2 div /xcenter exch def add 2 div /ycenter exch def userdict /gotpagebbox true put } def /pagesetup { /page exch def currentdict /pagedict known currentdict page known and { page load pagedict exch get cvx exec } if } def /decodingdefs [ {counttomark 2 idiv {y moveto show} repeat} {neg /y exch def counttomark 2 idiv {y moveto show} repeat} {neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat} {neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat} {counttomark 2 idiv {y moveto show} repeat} {neg setfunnytext} ] def /setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def /w {neg moveto show} bind def /m {neg dup /y exch def moveto} bind def /done {/lastpage where {pop lastpage} if} def /f { dup /font exch def findfont exch dup /ptsize exch def scaling div dup /size exch def scalefont setfont linewidth ptsize mul scaling 10 mul div setlinewidth /spacewidth ( ) stringwidth pop def } bind def /changefont { /fontheight exch def /fontslant exch def currentfont [ 1 0 fontheight ptsize div fontslant sin mul fontslant cos div fontheight ptsize div 0 0 ] makefont setfont } bind def /sf {f} bind def /cf { dup length 2 idiv /entries exch def /chtab exch def /newfont exch def findfont dup length 1 add dict /newdict exch def {1 index /FID ne {newdict 3 1 roll put} {pop pop} ifelse} forall newdict /Metrics entries dict put newdict /Metrics get begin chtab aload pop 1 1 entries {pop def} for newfont newdict definefont pop end } bind def % % A few arrays used to adjust reference points and character widths in some % of the printer resident fonts. 
If square roots are too high try changing % the lines describing /radical and /radicalex to, % % /radical [0 -75 550 0] % /radicalex [-50 -75 500 0] % % Move braceleftbt a bit - default PostScript character is off a bit. % /Sdefs [ /bracketlefttp [201 500] /bracketleftbt [201 500] /bracketrighttp [-81 380] /bracketrightbt [-83 380] /braceleftbt [203 490] /bracketrightex [220 -125 500 0] /radical [0 0 550 0] /radicalex [-50 0 500 0] /parenleftex [-20 -170 0 0] /integral [100 -50 500 0] /infinity [10 -75 730 0] ] def /S1defs [ /underscore [0 80 500 0] /endash [7 90 650 0] ] def % % Tries to round clipping path dimensions, as stored in array pagebbox, so they % match one of the known sizes in the papersizes array. Lower left coordinates % are always set to 0. % /roundpagebbox { 7 dict begin /papersizes [8.5 inch 11 inch 14 inch 17 inch] def /mappapersize { /val exch def /slop .5 inch def /diff slop def /j 0 def 0 1 papersizes length 1 sub { /i exch def papersizes i get val sub abs dup diff le {/diff exch def /j i def} {pop} ifelse } for diff slop lt {papersizes j get} {val} ifelse } def pagebbox 0 0 put pagebbox 1 0 put pagebbox dup 2 get mappapersize 2 exch put pagebbox dup 3 get mappapersize 3 exch put end } bind def %%EndProlog %%BeginSetup mark /resolution 720 def setup 2 setdecoding %%EndSetup %%Page: 0 1 /saveobj save def mark 1 pagesetup 10 R f (AT&T Bell Laboratories)2 993 1 2383 1740 t (Murray Hill, NJ 07974)3 916 1 2422 1860 t (Computing Science Technical Report No. 157)5 1848 1 1956 3180 t 12 B f (Tutorial: Design and Validation of Protocols)5 2281 1 1739 3450 t 10 I f (Gerard J. Holzmann)2 824 1 2468 3690 t 10 R f (May 1991)1 408 1 720 6240 t cleartomark showpage saveobj restore %%EndPage: 0 1 %%Page: 0 2 /saveobj save def mark 2 pagesetup 12 B f (Tutorial: Design and Validation of Protocols)5 2281 1 1739 1230 t 10 I f (Gerard J. 
Holzmann)2 824 1 2468 1470 t 10 R f (AT&T Bell Laboratories)2 993 1 2383 1650 t (Murray Hill, NJ 07974)3 916 1 2422 1770 t 10 I f (ABSTRACT)2643 2270 w 10 R f (It can be remarkably hard to design a good communications protocol, much harder)12 3350 1 1330 2530 t ( of a)2 179( when the design)3 680( Unfortunately,)1 637(even than it is to write a normal sequential program.)9 2104 4 1080 2650 t ( have little trouble convincing)4 1251(new protocol is complete, we usually)5 1547 2 1080 2770 t 10 I f (ourselves)3916 2770 w 10 R f (that it is)2 349 1 4331 2770 t ( con-)1 207( can be a unreasonably hard to prove those facts formally and to)12 2627( It)1 117(trivially correct.)1 649 4 1080 2890 t ( with that dilemma, a designer usually decides to trust his or her)12 2604( Faced)1 292(vince also others.)2 704 3 1080 3010 t ( subtle logical flaws in a design thus get a)9 1812( The)1 221(instincts and forgo the formal proofs.)5 1567 3 1080 3130 t ( worst possible moment in the lifetime of the proto-)9 2072(chance to hide, and inevitably find the)6 1528 2 1080 3250 t (col to reveal themselves.)3 987 1 1080 3370 t ( is a)2 191( There)1 297( and error.)2 442(Though few will admit it, most people design protocols by trial)10 2670 4 1080 3610 t ( copied in most)3 626(known set of trusted protocol standards, whose descriptions are faithfully)9 2974 2 1080 3730 t ( understanding of why some designs are correct and why oth-)10 2496(textbooks, but there is little)4 1104 2 1080 3850 t ( right)1 221( recently the)2 509( Until)1 264( design and to analyze protocols you need tools.)8 1981( To)1 169(ers are not.)2 456 6 1080 3970 t ( intro-)1 249( this tutorial we)3 628( In)1 134( that has changed.)3 718( But)1 196(tools were simply not generally available.)5 1675 6 1080 4090 t ( called SPIN and a specification language called PROMELA,)8 2518(duce a state-of-the-art tool)3 1082 2 1080 4210 t (and we show how these can be used to design reliable protocols.)11 2573 1 1080 4330 t (May 1991)1 
408 1 720 4810 t cleartomark showpage saveobj restore %%EndPage: 0 2 %%Page: 1 3 /saveobj save def mark 3 pagesetup 12 B f (Tutorial: Design and Validation of Protocols)5 2281 1 1739 1230 t 10 I f (Gerard J. Holzmann)2 824 1 2468 1470 t 10 R f (AT&T Bell Laboratories)2 993 1 2383 1650 t (Murray Hill, NJ 07974)3 916 1 2422 1770 t 10 B f (1. INTRODUCTION)1 925 1 720 2130 t 9 PA f (``The queen's)1 538 1 864 2360 t 9 I f ( e)1 45(leve \302)1 140 2 1435 2360 t 9 PA f ( maid of honour had the right to)7 1368( The)1 206(took a similar course to that of the king.)8 1669 3 1653 2360 t ( if a)2 155( But)1 189( lady in waiting helped her put on her petticoat and dress.)11 2363( The)1 200(pass the queen her chemise.)4 1125 5 864 2470 t ( the chemise on the)4 821(princess of the royal family happened to be present, she had the right to put)14 3211 2 864 2580 t ( chambermaid was)2 774( Her)1 210( queen had just been undressed by her ladies.)8 1890( one occasion the)3 713(queen. On)1 445 5 864 2690 t ( presented it to the maid of honour when the Duchess of Orleans)12 2678(holding the chemise and had just)5 1354 2 864 2800 t ( gave it back to the chambermaid who was about to pass it to the)14 2782( maid of honour)3 693( The)1 211(came in.)1 346 4 864 2910 t ( chemise now made its way)5 1164( The)1 209( higher-ranking Countess of Provence entered.)5 1922(duchess when the)2 737 4 864 3020 t ( had)1 178( She)1 192( it from the hands of the countess.)7 1373(back to the chambermaid, and the queen finally received)8 2289 4 864 3130 t ( nature, watching the ladies complimenting each other with)8 2408(had to stand the whole time in a state of)9 1624 2 864 3240 t (her chemise.'')1 548 1 864 3350 t 9 I f (Court Society)1 493 1 2954 3460 t 9 R f (-- Norbert Elias, Pantheon Books, 1983)5 1426 1 3470 3460 t 10 R f ( by a chambermaid of Marie-Antoinette, nicely illustrates what hap-)9 2753(This anecdote, quoted from an account)5 1567 2 720 3664 t ( goal of the)3 473( The)1 212(pens if a 
presumably reasonable set of rules is interpreted rigidly in an unusual situation.)14 3635 3 720 3784 t ( to please the queen, was certainly undermined by the strict)10 2375(protocol of court etiquette, which ultimately was)6 1945 2 720 3904 t ( all, the rigid)3 553( After)1 274( quickly made.)2 619( link with computer protocol design is)6 1612( The)1 220(enforcement of the rules.)3 1042 6 720 4024 t ( at the French court, this)5 1021( As)1 171( something in which computers excel.)5 1565(interpretation of a fixed set of rules is)7 1563 4 720 4144 t (works fine in the expected cases, but can backfire when an unexpected sequence of events occurs.)15 3907 1 720 4264 t ( of protocol design can be summed up into one phrase it should be that the designer has the diffi-)19 3908(If the goal)2 412 2 720 4420 t ( the unexpected.'')2 721( ``Expect)1 395(cult task to deal with events that are, at the time of design, partly unpredictable.)14 3204 3 720 4540 t ( on fire-signals)2 603(In a remarkably astute assessment of the flaws in an early tele-communication system, based)13 3717 2 720 4660 t (with predefined meanings, the historian Polybius wrote in the 2nd Century B.C.:)11 3221 1 720 4780 t 9 PA f ( and help \320 all such)5 888(``.... 
it is chiefly unexpected occurrences which require instant consideration)9 3144 2 864 4974 t ( code for)2 350( it is quite impossible to have a preconcerted)8 1782( For)1 183(matters defy communication by fire signal.)5 1717 4 864 5084 t (things which there is no means of foretelling.'')7 1846 1 864 5194 t 9 I f (The Histories)1 488 1 3191 5304 t 9 R f (-- Polybius, Book X, Chapter 43.)5 1194 1 3702 5304 t 10 R f ( good method for encoding and communicating an unexpected)8 2528(In Polybius' days, the problem was to find a)8 1792 2 720 5508 t ( The)1 209( course, during a communication further unexpected events can take place.)10 3021( Of)1 159(event to a remote peer.)4 931 4 720 5628 t ( at the same time)4 681(remote peer may miss messages repeatedly, or may try to initiate an urgent communication)13 3639 2 720 5748 t ( scenarios are so)3 710( These)1 306( hide in scenarios like these.)5 1216( errors in a protocol typically)5 1257( Design)1 352(that we do.)2 479 6 720 5868 t ( first hard-learned lesson in protocol)5 1510( The)1 217( designer in his right mind will consider them.)8 1943(unlikely that no)2 650 4 720 5988 t (design is, however, that unlikely events really do happen and have to be dealt with.)14 3320 1 720 6108 t ( to the curious observation that the consequences of an error are often far more important that the)17 3911(This leads)1 409 2 720 6264 t ( events cannot be ignored simply because they have a low probability of)12 2956( Unlikely)1 406(probability of the error.)3 958 3 720 6384 t ( errors with grave consequences.)4 1376( worst kinds of errors are precisely the low-probability)8 2315(occurring. 
The)1 629 3 720 6504 t ( implementations, waiting patiently for the wrong)6 1985(Such errors reliably escape random testing and land in our)9 2335 2 720 6624 t ( example is the hypothetical once-in-a-lifetime error that can paralyze the entire U.S.)12 3434( An)1 176( strike.)1 276(moment to)1 434 4 720 6744 t ( since January 15, 1990 we know that the word)9 1880( Alas,)1 258( better part of a day.)5 803(national telephone network for the)4 1379 4 720 6864 t (`hypothetical' can be omitted from that sentence.)6 1960 1 720 6984 t ( to study the cor-)4 697(To tackle the protocol design problem we need a rigorous design discipline and a method)14 3623 2 720 7140 t ( of our design we have to prove, preferably)8 1840( prove the essential properties)4 1256( To)1 177(rectness of our solutions.)3 1047 4 720 7260 t cleartomark showpage saveobj restore %%EndPage: 1 3 %%Page: 2 4 /saveobj save def mark 4 pagesetup 10 R f (- 2 -)2 166 1 2797 480 t ( this tutorial we will explore how this can)8 1700( In)1 138(mechanically, that there is no scenario that can destroy them.)9 2482 3 720 840 t (be done.)1 338 1 720 960 t ( Section 3 we introduce the)5 1130( In)1 141( 2 we discuss five essential elements of a protocol specification.)10 2634(In Section)1 415 4 720 1116 t ( validation model is an abstraction of a design decision and a pro-)12 2624( A)1 122( model.)1 300(concept of a protocol validation)4 1274 4 720 1236 t ( show how correctness requirements can be expressed in the)9 2456( Section 4 we)3 556( In)1 138(totype of an implementation.)3 1170 4 720 1356 t (language,)720 1476 w 8 R f (PROMELA)1135 1476 w 10 R f ( 5 we introduce an auto-)5 987( Section)1 330( In)1 138(, that we will use for specifying validation models.)8 2066 4 1519 1476 t (mated tool called)2 704 1 720 1596 t 8 R f (SPIN)1457 1596 w 10 R f (for mechanically verifying the validity of correctness requirements, and give some)10 3376 1 1664 1596 t ( 6 discusses the application of)5 1231( Section)1 358(examples of 
its application.)3 1123 3 720 1716 t 8 R f (SPIN)3464 1716 w 10 R f ( A)1 104( Appendices)1 528(to large problems.)2 738 3 3670 1716 t (and B summarize the main language features of)7 1925 1 720 1836 t 8 R f (PROMELA)2673 1836 w 10 R f ( below gives an overview of the main)7 1528( table)1 222(. The)1 233 3 3057 1836 t (sections of the paper.)3 848 1 720 1956 t 9 H f ( Example Validation)2 795( An)1 230( 5.)1 1371(1. Introduction)1 738 4 1177 2126 t ( Validation Problems)2 825( Large)1 350( 6.)1 491( Basic Elements Of a Protocol)5 1195(2. The)1 423 5 1177 2236 t ( Exercises)1 510( 7.)1 776( Validation Models)2 735(3. Protocol)1 598 4 1177 2346 t ( Summary)1 505( 8.)1 301( Correctness Requirements)2 1095(4. Expressing)1 713 4 1177 2456 t ( References)1 580( 9.)1 1421(4.1. Assertions)1 688 3 1177 2566 t ( Manual for Promela)3 810( Brief)1 295( A.)1 1166( Labels)1 290(4.2. Validation)1 663 5 1177 2676 t ( Grammar)1 405( Promela)1 445( B.)1 1171( Claims)1 300(4.3. Temporal)1 648 5 1177 2786 t 10 B f ( BASIC ELEMENTS OF A PROTOCOL)5 1772(2. THE)1 337 2 720 3086 t 10 R f ( give a strictly formal and unambiguous definition of any given abstract function in)13 3444(It is fairly difficult to)4 876 2 720 3242 t ( definitions are no exception, and even the formal language of an international stan-)13 3369( Protocol)1 392(plain English.)1 559 3 720 3362 t ( relies on the good-will and common sense of the reader, and can leave much room for misinter-)17 3910(dard often)1 410 2 720 3482 t (pretation.)720 3602 w 10 B f (An Informal Example)2 939 1 720 3842 t 10 R f ( is taken from a paper)5 922( example)1 373( The)1 215(Below is a simple example of how protocols are typically specified.)10 2810 4 720 3998 t ( paper inspired the publication of the well-known paper)8 2346( The)1 221(published by Lynch in 1968 [Lynch '68].)6 1753 3 720 4118 t ( line-numbers are added for reference.)5 1521( The)1 205(introducing the alternating bit protocol [Bartlett et al. 
'69].)8 2342 3 720 4238 t 8 CW f ( channel, i.e., it)3 1008( protocol defines a simplex data-transfer)5 1968(1 The)1 336 3 912 4388 t ( only one direction, from sender to receiver.)7 2160( pass data in)3 768(2 will)1 384 3 912 4488 t ( is)1 192( It)1 240( directions.)1 624( information, however, flows in both)5 1728(3 Control)1 528 5 912 4588 t ( that the system has perfect error detection.)7 2160(4 assumed)1 528 2 912 4688 t ( extra bit called)3 960( each message sent from A to B we attach an)10 2064(5 To)1 288 3 912 4788 t ( B receives the message it decides if)7 1776( After)1 336( bit.)1 240( alternation)1 624(6 the)1 336 5 912 4888 t ( A a)2 384( then sends back to)4 1104( It)1 240( message is error-free.)3 1248(7 the)1 336 5 912 4988 t ( of a single verify bit,)5 1392(8 verification message, consisting)3 1920 2 912 5088 t ( not the immediately preceding A to B)7 2112( whether or)2 528(9 indicating)1 672 3 912 5188 t ( A receives this verification, one)5 1632( After)1 336( error-free.)1 576( was)1 240(10 message)1 576 5 864 5288 t ( three possibilities hold:)3 1248(11 of)1 336 2 864 5388 t ( The A to B message was good)7 1344(12 1.)1 720 2 864 5488 t ( The A to B message was bad)7 1296(13 2.)1 720 2 864 5588 t ( good or bad)3 720( A cannot tell if the A to B message was)10 1920(14 3.)1 720 3 864 5688 t ( the verification message \(sent from B to A\) was in error)11 2736(15 because)1 576 2 864 5788 t ( In)1 192( cases 2 and 3 A resends the same A to B message as before.)14 2832(16 In)1 336 3 864 5888 t ( to be sent, and sends it,)6 1248( 1 A fetches the next message)6 1680(17 case)1 432 3 864 5988 t ( the)1 240( the setting of the alternation bit with respect to)9 2448(18 inverting)1 672 3 864 6088 t ( A to B message.)4 768(19 previous)1 624 2 864 6188 t ( error it compares)3 1008( B receives a message that is not in)8 1728(20 Whenever)1 624 3 864 6288 t ( alternation bit of this new message to the alternation bit of)11 2976(21 the)1 384 2 864 6388 t ( If the 
alternation bits)4 1344( most recent error-free reception.)4 1632(22 the)1 384 3 864 6488 t ( new message is)3 720( The)1 240( message is not accepted.)4 1200( equal the new)3 816(23 are)1 384 5 864 6588 t ( The)1 336( bits differ.)2 816( only if the two alternation)5 1584(24 accepted)1 624 4 864 6688 t ( B to A indicate error-free reception)6 1776( messages from)2 768(25 verification)1 816 3 864 6788 t ( of the acceptance of the messages.)6 1680(26 independently)1 864 2 864 6888 t ( of this scheme depends upon A and B agreeing on an)11 2448(27 Initialization)1 912 2 864 6988 t ( is accomplished by)3 912( This)1 288( of the alternation bit.)4 1152( setting)1 432(28 initial)1 576 5 864 7088 t ( A to B message whose error-free reception \(but not necessarily)10 3024(29 an)1 336 2 864 7188 t ( Multiple)1 480( B's setting of the alternation bit.)6 1728( forces)1 384(30 acceptance\))1 768 4 864 7288 t cleartomark showpage saveobj restore %%EndPage: 2 4 %%Page: 3 5 /saveobj save def mark 5 pagesetup 10 R f (- 3 -)2 166 1 2797 480 t 8 CW f ( of such a message cannot do harm.)7 1632(31 receptions)1 720 2 864 820 t ( protocol has the property that every message fetched by A is)11 2928(32 This)1 432 2 864 920 t ( error-free at least once and accepted at most once by B.)11 2736(33 received)1 624 2 864 1020 t 10 R f ( one thing, it is much clearer than the)8 1564( For)1 198(The description certainly looks reasonable and implementable.)6 2558 3 720 1200 t ( is this example protocol fully speci-)6 1520( But,)1 230(description of essentially the same protocol in [Schwartz '63].)8 2570 3 720 1320 t ( we)1 157( Before)1 337( is correct before we go ahead and implement it?)9 2086( we determine if the protocol)5 1231(fied? 
Could)1 509 5 720 1440 t ( more basic question: what precisely should a protocol)8 2303(address these points, let us first try to answer a)9 2017 2 720 1560 t (define?)720 1680 w 10 B f (What Is A Protocol?)3 874 1 720 1920 t 10 R f ( is an upper interface)4 852( There)1 286( A and B.)3 395(Figure 1 shows two communicating entities,)5 1787 4 720 2076 t 10 I f (\(1\))4069 2076 w 10 R f (to code that uses the)4 826 1 4214 2076 t ( interface)1 376(A-B protocol, and a lower)4 1061 2 720 2196 t 10 I f (\(2\))2185 2196 w 10 R f ( lower interface)2 631( The)1 208(, to code that implements the A-B protocol.)7 1756 3 2301 2196 t 10 I f (\(2\))4924 2196 w 10 R f ( another level of abstraction by the dotted protocol layer from)10 2562(can be thought of as being implemented at)7 1758 2 720 2316 t ( still lower-level interface)3 1052(Figure 1, based on a)4 843 2 720 2436 t 10 I f (\(3\))2648 2436 w 10 R f ( the lowest level of abstraction interface \(3\) should)8 2093(. At)1 183 2 2764 2436 t ( each level of abstraction, the upper interface)7 1885( At)1 162(match the specification of the target physical interface.)7 2273 3 720 2556 t ( of the lower interface, by hiding details \(imperfections\) and providing)10 3070(becomes an idealized version)3 1250 2 720 2676 t ( level)1 220( we call a `protocol' is what we see if we cut the hierarchy at one specific)16 2930( What)1 266(higher-level functions.)1 904 4 720 2796 t ( for instance, is a)4 679( A-B protocol in Figure 1,)5 1049( The)1 206(of abstraction and look at the interface that is then exposed.)10 2386 4 720 2916 t (cut of the protocol stack at interface \(1\).)7 1601 1 720 3036 t 10 I f (Sender)2166 3398 w cleartomark saveobj restore %%BeginGlobal % % Version 3.3 drawing procedures for dpost. Automatically pulled in, but only % when needed. 
% /inpath false def /savematrix matrix def /Dl { inpath {pop pop neg lineto} {newpath neg moveto neg lineto stroke} ifelse } bind def /De { /y1 exch 2 div def /x1 exch 2 div def /savematrix savematrix currentmatrix def neg exch x1 add exch translate x1 y1 scale 0 0 1 0 360 inpath {1 0 moveto arc savematrix setmatrix} {newpath arc savematrix setmatrix stroke} ifelse } bind def /Da { /dy2 exch def /dx2 exch def /dy1 exch def /dx1 exch def dy1 add neg exch dx1 add exch dx1 dx1 mul dy1 dy1 mul add sqrt dy1 dx1 neg atan dy2 neg dx2 atan inpath {arc} {newpath arc stroke} ifelse } bind def /DA { /dy2 exch def /dx2 exch def /dy1 exch def /dx1 exch def dy1 add neg exch dx1 add exch dx1 dx1 mul dy1 dy1 mul add sqrt dy1 dx1 neg atan dy2 neg dx2 atan inpath {arcn} {newpath arcn stroke} ifelse } bind def /Ds { /y2 exch def /x2 exch def /y1 exch def /x1 exch def /y0 exch def /x0 exch def x0 5 x1 mul add 6 div y0 5 y1 mul add -6 div x2 5 x1 mul add 6 div y2 5 y1 mul add -6 div x1 x2 add 2 div y1 y2 add -2 div inpath {curveto} {newpath x0 x1 add 2 div y0 y1 add -2 div moveto curveto stroke} ifelse } bind def %%EndGlobal /saveobj save def mark 10 I f 2304 3558 2322 3615 Dl 2304 3558 2319 3616 Dl 2304 3558 2317 3617 Dl 2304 3558 2315 3617 Dl 2304 3558 2313 3617 Dl 2304 3558 2310 3617 Dl 2304 3558 2308 3618 Dl 2304 3558 2306 3618 Dl 2304 3558 2304 3618 Dl 2303 3558 2301 3618 Dl 2303 3558 2299 3618 Dl 2303 3558 2297 3617 Dl 2303 3558 2294 3617 Dl 2303 3558 2292 3617 Dl 2303 3558 2290 3617 Dl 2303 3558 2288 3616 Dl 2304 3558 2286 3615 Dl 2304 3774 2304 3558 Dl 2304 3773 2286 3716 Dl 2303 3773 2288 3715 Dl 2303 3773 2290 3714 Dl 2303 3773 2292 3714 Dl 2303 3773 2294 3714 Dl 2303 3773 2297 3714 Dl 2303 3773 2299 3713 Dl 2303 3773 2301 3713 Dl 2304 3773 2304 3713 Dl 2304 3773 2306 3713 Dl 2304 3773 2308 3713 Dl 2304 3773 2310 3714 Dl 2304 3773 2313 3714 Dl 2304 3773 2315 3714 Dl 2304 3773 2317 3714 Dl 2304 3773 2319 3715 Dl 2304 3773 2322 3716 Dl 2034 3774 2034 4134 Dl 2574 3774 2034 3774 
Dl 2574 4134 2574 3774 Dl 2034 4134 2574 4134 Dl (A)2274 3974 w 2304 4134 2322 4191 Dl 2304 4134 2319 4192 Dl 2304 4134 2317 4193 Dl 2304 4134 2315 4193 Dl 2304 4134 2313 4193 Dl 2304 4134 2310 4193 Dl 2304 4134 2308 4194 Dl 2304 4134 2306 4194 Dl 2304 4134 2304 4194 Dl 2303 4134 2301 4194 Dl 2303 4134 2299 4194 Dl 2303 4134 2297 4193 Dl 2303 4134 2294 4193 Dl 2303 4134 2292 4193 Dl 2303 4134 2290 4193 Dl 2303 4134 2288 4192 Dl 2304 4134 2286 4191 Dl 2304 4494 2304 4134 Dl 3456 4494 2304 4494 Dl (\(2\))2822 4394 w 3456 4134 3456 4494 Dl 3456 4134 3474 4191 Dl 3456 4134 3471 4192 Dl 3456 4134 3469 4193 Dl 3456 4134 3467 4193 Dl 3456 4134 3465 4193 Dl 3456 4134 3462 4193 Dl 3456 4134 3460 4194 Dl 3456 4134 3458 4194 Dl 3456 4134 3456 4194 Dl 3455 4134 3453 4194 Dl 3455 4134 3451 4194 Dl 3455 4134 3449 4193 Dl 3455 4134 3446 4193 Dl 3455 4134 3444 4193 Dl 3455 4134 3442 4193 Dl 3455 4134 3440 4192 Dl 3456 4134 3438 4191 Dl 3186 3774 3186 4134 Dl 3726 3774 3186 3774 Dl 3726 4134 3726 3774 Dl 3186 4134 3726 4134 Dl (B)3426 3974 w 3456 3773 3438 3716 Dl 3455 3773 3440 3715 Dl 3455 3773 3442 3714 Dl 3455 3773 3444 3714 Dl 3455 3773 3446 3714 Dl 3455 3773 3449 3714 Dl 3455 3773 3451 3713 Dl 3455 3773 3453 3713 Dl 3456 3773 3456 3713 Dl 3456 3773 3458 3713 Dl 3456 3773 3460 3713 Dl 3456 3773 3462 3714 Dl 3456 3773 3465 3714 Dl 3456 3773 3467 3714 Dl 3456 3773 3469 3714 Dl 3456 3773 3471 3715 Dl 3456 3773 3474 3716 Dl 3456 3558 3456 3774 Dl 3456 3558 3474 3615 Dl 3456 3558 3471 3616 Dl 3456 3558 3469 3617 Dl 3456 3558 3467 3617 Dl 3456 3558 3465 3617 Dl 3456 3558 3462 3617 Dl 3456 3558 3460 3618 Dl 3456 3558 3458 3618 Dl 3456 3558 3456 3618 Dl 3455 3558 3453 3618 Dl 3455 3558 3451 3618 Dl 3455 3558 3449 3617 Dl 3455 3558 3446 3617 Dl 3455 3558 3444 3617 Dl 3455 3558 3442 3617 Dl 3455 3558 3440 3616 Dl 3456 3558 3438 3615 Dl (Receiver)3282 3398 w (\(1\))2822 3650 w 4 R f ( .)1 0(. . . . . . . . . . . . . . . 
.)15 550 2 2027 4640 t (.)2567 4604 w (.)2567 4568 w (.)2567 4532 w (.)2567 4496 w (.)2567 4460 w (.)2567 4424 w (.)2567 4388 w (.)2567 4352 w (.)2567 4316 w ( .)1 0( . . . . . . . . . . . . . . .)15 -540(. .)1 10 3 2567 4280 t (.)2027 4316 w (.)2027 4352 w (.)2027 4388 w (.)2027 4424 w (.)2027 4460 w (.)2027 4496 w (.)2027 4532 w (.)2027 4568 w (.)2027 4604 w (.)2027 4640 w 7 I f 2304 4638 2322 4695 Dl 2304 4638 2319 4696 Dl 2304 4638 2317 4697 Dl 2304 4638 2315 4697 Dl 2304 4638 2313 4697 Dl 2304 4638 2310 4697 Dl 2304 4638 2308 4698 Dl 2304 4638 2306 4698 Dl 2304 4638 2304 4698 Dl 2303 4638 2301 4698 Dl 2303 4638 2299 4698 Dl 2303 4638 2297 4697 Dl 2303 4638 2294 4697 Dl 2303 4638 2292 4697 Dl 2303 4638 2290 4697 Dl 2303 4638 2288 4696 Dl 2304 4638 2286 4695 Dl 4 R f (.)2297 4640 w (.)2297 4676 w (.)2297 4712 w (.)2297 4748 w (.)2297 4784 w (.)2297 4820 w (.)2297 4856 w (.)2297 4892 w (.)2297 4928 w (.)2297 4964 w ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .)32 1152(. .)1 10 2 2297 5000 t 10 I f (\(3\))2822 4892 w 4 R f (.)3449 5000 w (.)3449 4964 w (.)3449 4928 w (.)3449 4892 w (.)3449 4856 w (.)3449 4820 w (.)3449 4784 w (.)3449 4748 w (.)3449 4712 w (.)3449 4676 w (.)3449 4640 w 7 I f 3456 4638 3474 4695 Dl 3456 4638 3471 4696 Dl 3456 4638 3469 4697 Dl 3456 4638 3467 4697 Dl 3456 4638 3465 4697 Dl 3456 4638 3462 4697 Dl 3456 4638 3460 4698 Dl 3456 4638 3458 4698 Dl 3456 4638 3456 4698 Dl 3455 4638 3453 4698 Dl 3455 4638 3451 4698 Dl 3455 4638 3449 4697 Dl 3455 4638 3446 4697 Dl 3455 4638 3444 4697 Dl 3455 4638 3442 4697 Dl 3455 4638 3440 4696 Dl 3456 4638 3438 4695 Dl 4 R f ( .)1 0(. . . . . . . . . . . . . . . .)15 550 2 3179 4640 t (.)3719 4604 w (.)3719 4568 w (.)3719 4532 w (.)3719 4496 w (.)3719 4460 w (.)3719 4424 w (.)3719 4388 w (.)3719 4352 w (.)3719 4316 w ( .)1 0( . . . . . . . . . . . . . . .)15 -540(. 
.)1 10 3 3719 4280 t (.)3179 4316 w (.)3179 4352 w (.)3179 4388 w (.)3179 4424 w (.)3179 4460 w (.)3179 4496 w (.)3179 4532 w (.)3179 4568 w (.)3179 4604 w (.)3179 4640 w 10 I f (Figure 1 \320 Levels of Abstraction)5 1336 1 2212 5196 t 10 R f ( are given the characteristics of a specific interface \(e.g. \(3\)\), and)11 2667(In a typical protocol design problem, we)6 1653 2 720 5352 t ( \(3\) can define anything from the)6 1385( Interface)1 414( an abstract interface \(e.g. \(1\)\).)5 1283(we are given the definition of)5 1238 4 720 5472 t ( similarly, can define any-)4 1057( \(1\),)1 168( Interface)1 405(behavior of an optical fiber, to the packet layer of an OSI protocol.)12 2690 4 720 5592 t ( designer's job is to trans-)5 1080( The)1 214( to a remote data-base search service.)6 1540(thing from an error-free file transfer)5 1486 4 720 5712 t ( define any one step in this hierarchy,)7 1511( To)1 163(form \(3\) step by step until the target \(1\) is matched, or vice versa.)13 2646 3 720 5832 t ( lower interface looks like, and how it is transformed into the upper)12 2837(we must specify explicitly what the)5 1483 2 720 5952 t (interface.)720 6072 w ( that transforms it into the upper)6 1300(The lower interface definition together with the specification of the process)10 3020 2 720 6228 t ( vocabulary of that language is the set of mes-)9 1919( The)1 214( of a `language.')3 680(interface, has many of the properties)5 1507 4 720 6348 t ( format for each such mes-)5 1111( syntax rules define the)4 958( The)1 213(sages that can be exchanged across the interfaces.)7 2038 4 720 6468 t ( In)1 139( interfaces.)1 443(sage and the grammar rules define how the messages are used in the interactions across the)15 3738 3 720 6588 t ( are most easily expressed as)5 1175( They)1 260( usually called `procedure rules.')4 1330(protocol jargon, the grammar rules are)5 1555 4 720 6708 t (the behavior of an abstract protocol machine that sends and receives messages.)11 3148 1 720 6828 
t ( language ele-)2 575( the specification of any of the)6 1256( Omitting)1 419(To define a protocol, then, is to define a language.)9 2070 4 720 6984 t (ments from a protocol specification unavoidably leads to an incomplete or ambiguous specification.)12 3992 1 720 7104 t cleartomark showpage saveobj restore %%EndPage: 3 5 %%Page: 4 6 /saveobj save def mark 6 pagesetup 10 R f (- 4 -)2 166 1 2797 480 t 10 B f (The Five Basic Elements)3 1047 1 720 840 t 10 R f ( of elements that must be part of a complete proto-)10 2029(We can now try to make an explicit list of the basic types)12 2291 2 720 996 t ( must include:)2 567( It)1 111(col specification.)1 682 3 720 1116 t 10 B f (1.)864 1272 w 10 R f (The)989 1272 w 10 I f (service)1169 1272 w 10 R f (to be provided by the protocol \(formalizing the upper interface\))9 2536 1 1476 1272 t 10 B f (2.)864 1392 w 10 R f (The)989 1392 w 10 I f (constraints)1169 1392 w 10 R f (of the environment in which the protocol is executed)8 2108 1 1639 1392 t (\(formalizing the lower interface\))3 1304 1 989 1512 t 10 B f (3.)864 1632 w 10 R f (The)989 1632 w 10 I f (vocabulary)1169 1632 w 10 R f (of messages that is used to implement the protocol)8 2021 1 1643 1632 t 10 B f (4.)864 1752 w 10 R f (The)989 1752 w 10 I f (encoding)1169 1752 w 10 R f (\(syntax/format\) of each message in the vocabulary)6 2017 1 1560 1752 t 10 B f (5.)864 1872 w 10 R f (The)989 1872 w 10 I f (procedure rules)1 635 1 1169 1872 t 10 R f (guarding message exchanges \(grammar/behavior\))3 1986 1 1829 1872 t (The core of the protocol definition is)6 1488 1 720 2028 t 10 B f (5)2236 2028 w 10 R f ( correctness claim is typically a claim about)7 1778( A)1 126( procedure rules.)2 675(, the)1 175 4 2286 2028 t ( behavior, and it is therefore especially important that we have)10 2502(the possibility or impossibility of a particular)6 1818 2 720 2148 t ( exercise, we can try to identify)6 1279( an)1 122( As)1 164(good formalisms for expressing and for verifying process 
behaviors.)8 2755 4 720 2268 t (these five basic elements in the example protocol of Lynch.)9 2379 1 720 2388 t ( service to be provided through the upper)7 1728( The)1 217( tersely define the upper and lower interface.)7 1867(Lines 1 to 4)3 508 4 720 2544 t ( to be available via the lower layer \(the con-)9 1849( service assumed)2 698( The)1 216(layer is reliable simplex data transfer.)5 1557 4 720 2664 t ( transfer messages, with perfect classification of the distorted)8 2514(straint\) is a channel that can lose, distort, or)8 1806 2 720 2784 t (and correctly transferred messages.)3 1406 1 720 2904 t ( 10 to 31, dis-)4 573( Lines)1 277( mentioned in lines 5 to 10, amidst a discussion of procedure rules.)12 2730(Message format is)2 740 4 720 3060 t ( For-)1 229( claim about the behavior of the protocol.)7 1702(cuss procedures rules alone, and lines 32 and 33 contain a)10 2389 3 720 3180 t ( the specification)2 708(mally, this claim is not part of the protocol specification itself, but we can require that)15 3612 2 720 3300 t ( protocol vocabulary and message formats are not explicitly)8 2470( The)1 215( verify it.)2 389(include enough information to)3 1246 4 720 3420 t ( but without following any particular)5 1509( procedure rules are stated in a pleasant informal tone,)9 2215(specified. The)1 596 3 720 3540 t ( becomes especially clear on lines 27 to 31, which contain only an idea for initialization.)15 3531(formalism. 
This)1 664 2 720 3660 t 10 B f (The Design Problem)2 872 1 720 3900 t 10 R f ( would like)2 452( We)1 189( consistent set of procedure rules.)5 1341(The heart of the protocol design problem is the design of a)11 2338 4 720 4056 t ( fairly high level of abstraction, i.e., before we)8 1907(to explore a way of defining and checking these rules on a)11 2413 2 720 4176 t ( message format)2 666( would like to defer decisions on, for instance,)8 1887( We)1 193(settle the details of an implementation.)5 1574 4 720 4296 t ( such a)2 277( With)1 250( of rules.)2 352(definitions, the layout of bits and fields in messages, until we have found a correct set)15 3441 4 720 4416 t ( can prove conclusively if the)5 1208(method, we could formalize the example specification in such a way that we)12 3112 2 720 4536 t (correctness claim on lines 32 and 33 is justified.)8 1923 1 720 4656 t ( must allow the user to)5 908( It)1 111(It can be argued that a good engineering discipline must have three characteristics.)12 3295 3 720 4812 t 7 S1 f ()864 4932 w cleartomark saveobj restore %%BeginGlobal /build_ci { pop size 3 mul 8 div /rad exch def currentpoint newpath rad add exch rad add exch rad 0 360 arc stroke } def %%EndGlobal /saveobj save def mark 7 S1 f 864 4932 m 53 build_ci 917 4932 m 10 R f (discriminate between requirements and implementations,)4 2283 1 942 4932 t 7 S1 f ()864 5052 w 864 5052 m 53 build_ci 917 5052 m 10 R f (use engineering models \(prototypes\) to verify design decisions, and)8 2699 1 942 5052 t 7 S1 f ()864 5172 w 864 5172 m 53 build_ci 917 5172 m 10 R f (predict essential characteristics of a product before it is implemented.)9 2772 1 942 5172 t ( expressing procedure)2 881(To allow us to design protocols in this manner, we need an unambiguous notation for)14 3439 2 720 5328 t ( and we need a method for mechan-)7 1433(rules and correctness claims, we need a method for building prototypes,)10 2887 2 720 5448 t ( explore these)2 560( We)1 191( cast in the protocol 
prototypes.)5 1275(ically verifying the soundness of our design decisions, as)8 2294 4 720 5568 t (issues in the next few sections.)5 1232 1 720 5688 t 10 B f ( VALIDATION MODELS)2 1134(3. PROTOCOL)1 698 2 720 5928 t 10 R f ( for formalizing the procedure rules of a protocol in such a way that)13 2793(Our first task is to develop a notation)7 1527 2 720 6084 t ( interested in a full)4 749( this level, we are not)5 859( At)1 151(we can easily verify their completeness and logical consistency.)8 2561 4 720 6204 t ( messages, memory alloca-)3 1093( we do not specify any specific encoding of)8 1759( Hence,)1 332(implementation of the rules.)3 1136 4 720 6324 t ( models we build are primarily meant for validation,)8 2097( The)1 206( general operating system support.)4 1377(tion routines, or)2 640 4 720 6444 t (and are therefore called)3 973 1 720 6564 t 10 I f (validation models)1 726 1 1730 6564 t 10 R f ( details, a validation model can be)6 1440( supplying the missing)3 940(. By)1 204 3 2456 6564 t ( the validation)2 574( merely require that)3 790( We)1 190(expanded into a full implementation, but we will not cover that here.)11 2766 4 720 6684 t ( properties rigorously, but not so much detail that analysis)9 2366(model has enough detail to allow us to check its)9 1954 2 720 6804 t ( we develop here is called)5 1108( language)1 401( The)1 221(would become intractable.)2 1088 4 720 6924 t 8 R f (PROMELA)3578 6924 w 10 R f (, short for Protocol Meta-)4 1078 1 3962 6924 t (Language.)720 7044 w cleartomark showpage saveobj restore %%EndPage: 4 6 %%Page: 5 7 /saveobj save def mark 7 pagesetup 10 R f (- 5 -)2 166 1 2797 480 t 10 B f (The Language)1 615 1 720 840 t 8 B f (PROMELA)1360 840 w 10 R f (Let us look at how the lower-layer constraints of the example protocol could be specified in)15 3693 1 720 996 t 8 R f (PROMELA)4440 996 w 10 R f (. 
We)1 216 1 4824 996 t ( via a lower protocol layer, as shown)7 1504(have two processes, named A and B, communicating with each other)10 2816 2 720 1116 t (in Figure 2.)2 464 1 720 1236 t 9 I f (fetch data)1 358 1 1891 1596 t 2070 1794 2070 1758 Dl 2070 1866 2070 1830 Dl 2070 1938 2070 1902 Dl 2070 1937 2052 1880 Dl 2069 1937 2053 1879 Dl 2069 1937 2054 1879 Dl 2069 1938 2055 1879 Dl 2069 1937 2057 1878 Dl 2069 1937 2058 1878 Dl 2069 1937 2059 1878 Dl 2069 1937 2061 1878 Dl 2069 1937 2062 1878 Dl 2069 1937 2064 1878 Dl 2069 1937 2064 1877 Dl 2069 1937 2066 1877 Dl 2069 1937 2067 1877 Dl 2069 1937 2069 1877 Dl 2070 1937 2070 1877 Dl 2070 1937 2072 1877 Dl 2070 1937 2073 1877 Dl 2070 1937 2075 1877 Dl 2070 1937 2075 1878 Dl 2070 1937 2077 1878 Dl 2070 1937 2078 1878 Dl 2070 1937 2080 1878 Dl 2070 1937 2081 1878 Dl 2070 1937 2082 1878 Dl 2070 1938 2084 1879 Dl 2070 1937 2085 1879 Dl 2070 1937 2086 1879 Dl 2070 1937 2088 1880 Dl 1800 1938 1800 2208 Dl 2340 1938 1800 1938 Dl 2340 2208 2340 1938 Dl 1800 2208 2340 2208 Dl (A)2043 2091 w 2646 2883 2610 2883 Dl 2718 2883 2682 2883 Dl 2790 2883 2754 2883 Dl 2862 2883 2826 2883 Dl 2934 2883 2898 2883 Dl 3006 2883 2970 2883 Dl 3078 2883 3042 2883 Dl 3150 2883 3114 2883 Dl 3150 2847 3150 2883 Dl 3150 2768 3150 2804 Dl 3150 2691 3150 2727 Dl 3150 2613 3150 2649 Dl 3114 2613 3150 2613 Dl 3042 2613 3078 2613 Dl 2970 2613 3006 2613 Dl 2898 2613 2934 2613 Dl 2826 2613 2862 2613 Dl 2754 2613 2790 2613 Dl 2682 2613 2718 2613 Dl 2610 2613 2646 2613 Dl 2610 2649 2610 2613 Dl 2610 2727 2610 2691 Dl 2610 2804 2610 2768 Dl 2610 2883 2610 2847 Dl (lower)2778 2706 w (layer)2788 2826 w 3420 1938 3420 2208 Dl 3960 1938 3420 1938 Dl 3960 2208 3960 1938 Dl 3420 2208 3960 2208 Dl (B)3663 2091 w 3690 1902 3690 1938 Dl 3690 1830 3690 1866 Dl 3690 1758 3690 1794 Dl 3690 1758 3708 1815 Dl 3690 1758 3706 1816 Dl 3690 1758 3705 1816 Dl 3690 1758 3704 1817 Dl 3690 1758 3702 1817 Dl 3690 1758 3701 1817 Dl 3690 1758 3700 1817 Dl 3690 1758 3698 1817 Dl 3690 
1758 3697 1817 Dl 3690 1758 3695 1817 Dl 3690 1758 3695 1818 Dl 3690 1758 3693 1818 Dl 3690 1758 3692 1818 Dl 3690 1758 3690 1818 Dl 3689 1758 3689 1818 Dl 3689 1758 3687 1818 Dl 3689 1758 3686 1818 Dl 3689 1758 3684 1818 Dl 3689 1758 3684 1817 Dl 3689 1758 3682 1817 Dl 3689 1758 3681 1817 Dl 3689 1758 3679 1817 Dl 3689 1758 3678 1817 Dl 3689 1758 3677 1817 Dl 3689 1758 3675 1817 Dl 3689 1758 3674 1816 Dl 3689 1758 3673 1816 Dl 3690 1758 3672 1815 Dl (accept data)1 418 1 3481 1596 t 2160 2703 2160 2208 Dl 2610 2703 2160 2703 Dl 2609 2703 2552 2721 Dl 2609 2703 2551 2719 Dl 2609 2703 2551 2718 Dl 2609 2703 2550 2717 Dl 2609 2703 2550 2715 Dl 2609 2703 2550 2714 Dl 2609 2703 2550 2713 Dl 2609 2704 2550 2712 Dl 2609 2703 2550 2710 Dl 2609 2704 2550 2709 Dl 2609 2702 2549 2707 Dl 2609 2703 2549 2706 Dl 2609 2702 2549 2704 Dl 2609 2703 2549 2703 Dl 2609 2702 2549 2702 Dl 2609 2703 2549 2701 Dl 2609 2702 2549 2699 Dl 2609 2703 2549 2698 Dl 2609 2701 2550 2696 Dl 2609 2702 2550 2695 Dl 2609 2702 2550 2694 Dl 2609 2702 2550 2692 Dl 2609 2702 2550 2691 Dl 2609 2702 2550 2690 Dl 2609 2702 2550 2688 Dl 2609 2702 2551 2687 Dl 2609 2702 2551 2686 Dl 2609 2703 2552 2685 Dl (fromA)2273 2661 w 1980 2208 1998 2265 Dl 1980 2208 1996 2266 Dl 1980 2208 1995 2266 Dl 1980 2208 1994 2267 Dl 1980 2208 1992 2267 Dl 1980 2208 1991 2267 Dl 1980 2208 1990 2267 Dl 1980 2208 1988 2267 Dl 1980 2208 1987 2267 Dl 1980 2208 1985 2267 Dl 1980 2208 1985 2268 Dl 1980 2208 1983 2268 Dl 1980 2208 1982 2268 Dl 1980 2208 1980 2268 Dl 1979 2208 1979 2268 Dl 1979 2208 1977 2268 Dl 1979 2208 1976 2268 Dl 1979 2208 1974 2268 Dl 1979 2208 1974 2267 Dl 1979 2208 1972 2267 Dl 1979 2208 1971 2267 Dl 1979 2208 1969 2267 Dl 1979 2208 1968 2267 Dl 1979 2208 1967 2267 Dl 1979 2208 1965 2267 Dl 1979 2208 1964 2266 Dl 1979 2208 1963 2266 Dl 1980 2208 1962 2265 Dl 1980 2793 1980 2208 Dl (toA)1826 2518 w 2610 2793 1980 2793 Dl 3600 2208 3618 2265 Dl 3600 2208 3616 2266 Dl 3600 2208 3615 2266 Dl 3600 2208 3614 2267 Dl 
3600 2208 3612 2267 Dl 3600 2208 3611 2267 Dl 3600 2208 3610 2267 Dl 3600 2208 3608 2267 Dl 3600 2208 3607 2267 Dl 3600 2208 3605 2267 Dl 3600 2208 3605 2268 Dl 3600 2208 3603 2268 Dl 3600 2208 3602 2268 Dl 3600 2208 3600 2268 Dl 3599 2208 3599 2268 Dl 3599 2208 3597 2268 Dl 3599 2208 3596 2268 Dl 3599 2208 3594 2268 Dl 3599 2208 3594 2267 Dl 3599 2208 3592 2267 Dl 3599 2208 3591 2267 Dl 3599 2208 3589 2267 Dl 3599 2208 3588 2267 Dl 3599 2208 3587 2267 Dl 3599 2208 3585 2267 Dl 3599 2208 3584 2266 Dl 3599 2208 3583 2266 Dl 3600 2208 3582 2265 Dl 3600 2703 3600 2208 Dl 3150 2703 3600 2703 Dl (toB)3313 2661 w 3780 2793 3780 2208 Dl (fromB)3783 2518 w 3150 2793 3780 2793 Dl 3150 2793 3207 2775 Dl 3150 2792 3208 2776 Dl 3150 2792 3208 2777 Dl 3150 2792 3209 2778 Dl 3150 2792 3209 2780 Dl 3150 2792 3209 2781 Dl 3150 2792 3209 2782 Dl 3150 2792 3209 2784 Dl 3150 2792 3209 2785 Dl 3150 2791 3209 2786 Dl 3150 2793 3210 2788 Dl 3150 2792 3210 2789 Dl 3150 2793 3210 2791 Dl 3150 2792 3210 2792 Dl 3150 2793 3210 2793 Dl 3150 2792 3210 2794 Dl 3150 2793 3210 2796 Dl 3150 2792 3210 2797 Dl 3150 2794 3209 2799 Dl 3150 2793 3209 2800 Dl 3150 2794 3209 2802 Dl 3150 2793 3209 2803 Dl 3150 2793 3209 2804 Dl 3150 2793 3209 2805 Dl 3150 2793 3209 2807 Dl 3150 2793 3208 2808 Dl 3150 2793 3208 2809 Dl 3150 2793 3207 2811 Dl 10 I f (Figure 2 \320 A-B protocol)4 1005 1 2377 3081 t 10 R f (In this case the lower layer corresponds to a physical connection, but that is irrelevant to the validation)17 4320 1 720 3237 t ( We)1 194( rules\) that we must formalize.)5 1250( lower layer has a behavior \(i.e., follows certain procedure)9 2389(model. 
The)1 487 4 720 3357 t ( messages to process B)4 965( A sends data)3 565( Process)1 365(make minimal assumptions about the format of a message.)8 2425 4 720 3477 t ( control messages, containing just)4 1360( B answers with)3 650( Process)1 358(that consist of a data field and an alternation bit.)9 1952 4 720 3597 t ( we can work with two formal message types, declared in)10 2332( in the validations)3 723( So,)1 184(a single bit of information.)4 1081 4 720 3717 t 8 R f (PROMELA)720 3837 w 10 R f (as:)1129 3837 w 8 CW f ( */)1 384( data and acks)3 672( /*)1 864(mtype = { data, control })5 1200 4 864 3987 t 10 R f ( delete the)2 432(Since the correct working of the protocol must be independent of the data field, we can either)16 3888 2 720 4167 t ( place-holder)1 526( The)1 208( use a place-holder.)3 784(field completely from the validation model, or, as we shall do below,)11 2802 4 720 4287 t ( message channels between A and B can then be)9 2012( The)1 214( of information.)2 648(we choose consists of a single byte)6 1446 4 720 4407 t (formalized in)1 535 1 720 4527 t 8 R f (PROMELA)1280 4527 w 10 R f (as follows.)1 433 1 1689 4527 t 8 CW f ( */)1 192(chan fromA = [N] of { byte, byte, bit }; /* data, udata, seqno)13 2976 2 864 4677 t ( */)1 192( [N] of { byte, byte, bit }; /* data, udata, seqno)11 2400( =)1 192(chan toB)1 384 4 864 4777 t ( */)1 384( control, seqno)2 720( /*)1 432(chan fromB = [N] of { byte, bit };)8 1632 4 864 4877 t ( */)1 384( control, seqno)2 720( /*)1 432( [N] of { byte, bit };)6 1056( =)1 192(chan toA)1 384 6 864 4977 t 10 R f ( the width is specified: a message-type)6 1560(The channels from A to B carry three unnamed fields, of which only)12 2760 2 720 5157 t (field \(specifying)1 660 1 720 5277 t 9 CW f (data)1406 5277 w 10 R f (or)1650 5277 w 9 CW f (control)1759 5277 w 9 R f (\),)2137 5277 w 10 R f ( in one byte of information, a dummy data field, also)10 2129(encoded liberally)1 693 2 2218 5277 t ( channels from B to A just have the type 
field and the verify bit.)14 2555( The)1 205(of one byte, and the alternation bit.)6 1398 3 720 5397 t 9 CW f (N)720 5553 w 10 R f ( constant that specifies the capacity of the channel, i.e., the maximum number of messages it can hold.)17 4105(is a)1 136 2 799 5553 t ( can check)2 438( We)1 197( this protocol, this maximum need not be larger than one.)10 2377( for)1 175( we can guess that,)4 787(For now)1 346 6 720 5673 t (later that this assumption is justified with a formal validation.)9 2461 1 720 5793 t (A)720 5949 w 8 R f (PROMELA)831 5949 w 10 R f ( message channels, processes and)4 1398(specification consists of only three basic building blocks:)7 2388 2 1254 5949 t ( formalized and declared \(the least intuitive part)7 1950( have just shown how message channels are)7 1791(variables. We)1 579 3 720 6069 t ( how)1 210( next example shows how processes and variables are formally declared, and)11 3196( The)1 217(of the language\).)2 697 4 720 6189 t (message channels are used.)3 1091 1 720 6309 t 10 B f (Model of an Ideal Channel)4 1140 1 720 6549 t 10 R f ( could specify an ideal lower layer, that flawlessly shuttles messages between)11 3160(As a first approximation, we)4 1160 2 720 6705 t (A and B, as follows \(as usual, line numbers are added and are not part of the specification\).)17 3642 1 720 6825 t 8 CW f ( lower\(chan fromA, toA, fromB, toB\))5 1680(1 proctype)1 528 2 864 6975 t ( d; bit b;)3 480( byte)1 384(2 {)1 192 3 864 7075 t (3)864 7175 w (4 do)1 480 1 864 7275 t cleartomark showpage saveobj restore %%EndPage: 5 7 %%Page: 6 8 /saveobj save def mark 8 pagesetup 10 R f (- 6 -)2 166 1 2797 480 t 8 CW f ( fromA?data\(d,b\) -> toB!data\(d,b\))3 1584(5 ::)1 480 2 864 820 t ( fromB?control\(b\) -> toA!control\(b\))3 1680(6 ::)1 480 2 864 920 t (7 od)1 480 1 864 1020 t (8 })1 192 1 864 1120 t 10 R f (We have specified a behavior for the lower protocol in a)10 2289 1 720 1300 t 9 CW f (proctype)3036 1300 w 10 R f ( process type is named)4 920(definition. 
The)1 623 2 3497 1300 t 9 CW f (lower)720 1420 w 10 R f ( body of the)3 486( The)1 207( must access \(line 1\).)4 848(and has four parameters, one for each message channel that it)10 2481 4 1018 1420 t ( declaration of two internal variables on line)7 1787( starts with the)3 592( It)1 113(process definition is enclosed in curly braces.)6 1828 4 720 1540 t ( variable is of type)4 819(2. One)1 310 2 720 1660 t 9 CW f (byte)1891 1660 w 10 R f ( type)1 215(and one is of)3 570 2 2151 1660 t 9 CW f (bit.)2977 1660 w 10 R f (We have now seen four different types of)7 1779 1 3261 1660 t 8 R f (PROMELA)720 1780 w 10 R f (objects:)1129 1780 w 8 CW f (proctype)864 1930 w 8 R f (,)1248 1930 w 8 CW f (chan)1316 1930 w 8 R f (,)1508 1930 w 8 CW f (bit)1576 1930 w 8 R f (, and)1 155 1 1720 1930 t 8 CW f (byte)1923 1930 w 10 R f (There are only two other types \(both data types, i.e., for variables\))11 2641 1 720 2110 t 8 CW f (short)864 2260 w 8 R f (, and)1 155 1 1104 2260 t 8 CW f (int)1307 2260 w 8 R f (.)1451 2260 w 10 R f (A object of type)3 673 1 720 2440 t 9 CW f (bit)1425 2440 w 10 R f ( object of type)3 601( An)1 181(is a variable that can hold a single bit of information.)10 2207 3 1621 2440 t 9 CW f (byte)4643 2440 w 10 R f (is a)1 146 1 4894 2440 t ( a type that is equivalent to a C)8 1334(variable with)1 537 2 720 2560 t 9 CW f (unsigned char)1 714 1 2626 2560 t 9 R f (.)3340 2560 w 10 R f (The precise range of such a variable is)7 1615 1 3425 2560 t ( of types)2 360( Objects)1 363( suffices to store 8 bits of information.)7 1588( most machines it)3 724( On)1 179(machine dependent.)1 805 6 720 2680 t 9 CW f (short)4770 2680 w 10 R f (and)720 2800 w 9 CW f (int)896 2800 w 10 R f ( most machines again, a)4 989( On)1 180( that are mapped onto the same data types in C.)10 1969(are signed variables)2 810 4 1092 2800 t 9 CW f (short)720 2920 w 10 R f (stores 16 bits of information, and an)6 1446 1 1015 2920 t 9 CW f (int)2484 2920 w 10 R f (stores 32 bits.)2 553 1 2671 
2920 t ( com-)1 236( syntax is derived from Dijkstra's guarded)6 1716( The)1 210(The behavior is specified as a single loop \(lines 4-7\).)9 2158 4 720 3076 t ( Hoare's language CSP [Hoare '78], but the semantics are different \(cf.)11 2916(mand language [Dijkstra '75], and)4 1404 2 720 3196 t ( A)1 135(Appendix A\).)1 562 2 720 3316 t 9 CW f (do)1453 3316 w 9 R f (-loop,)1561 3316 w 10 R f (for instance, is repeated until it is explicitly terminated by the execution of a)13 3228 1 1812 3316 t 9 CW f (break)720 3436 w 10 R f (statement, or a)2 585 1 1015 3436 t 9 CW f (goto)1623 3436 w 10 R f (jump.)1864 3436 w ( are two options in the loop,)6 1179( There)1 292(The loop on lines 4-7 is not broken, and therefore will not terminate.)12 2849 3 720 3592 t (each starting with the)3 860 1 720 3712 t 9 CW f (::)1604 3712 w 10 R f ( time though the cycle of the loop, one of)9 1648( Each)1 249(flag, and each with two statements.)5 1406 3 1737 3712 t ( token)1 251( The)1 209( below.)1 298(the two options is selected for execution, using the rules stated)10 2530 4 720 3832 t 9 CW f (->)4035 3832 w 10 R f (is a statement separa-)3 868 1 4172 3832 t ( fact,)1 205(tor. In)1 275 2 720 3952 t 8 R f (PROMELA)1230 3952 w 10 R f ( are)1 151( They)1 260(allows two statement separators, the traditional semicolon, and the arrow.)9 2985 3 1644 3952 t (semantically completely equivalent.)2 1440 1 720 4072 t ( each option is called a)5 957(The first statement in)3 876 2 720 4228 t 10 I f (guard)2587 4228 w 10 R f ( option can only be selected if the guard is exe-)10 1975(. The)1 239 2 2826 4228 t ( message)1 375( guard of the first option, on line 5, specifies the reception of a)13 2662(cutable. 
The)1 531 3 720 4348 t 9 CW f (data\(d,b\))4323 4348 w 10 R f (from)4846 4348 w (channel)720 4468 w 9 CW f (fromA)1053 4468 w 9 R f (.)1323 4468 w 8 CW f (fromA?data\(d,b\))864 4618 w 10 R f ( type is queued in channel)5 1115(This receive operation is executable if and only if a message of the required)13 3205 2 720 4798 t 9 CW f (fromA)720 4918 w 9 R f (.)990 4918 w 10 R f ( message of type)3 689( A)1 129( FIFO queues.)2 583(Channels behave as)2 803 4 1071 4918 t 9 CW f (data)3305 4918 w 10 R f (must therefore be at the head of that)7 1487 1 3553 4918 t ( receive statement is unexecutable when, for instance, a message of type)11 2895(queue. The)1 469 2 720 5038 t 9 CW f (control)4108 5038 w 10 R f ( head)1 215(is at the)2 313 2 4512 5038 t (of channel)1 431 1 720 5158 t 9 CW f (fromA)1187 5158 w 9 R f (.)1457 5158 w 10 R f ( the)1 159(The number of parameters specified in the receive operation must always match)11 3338 2 1543 5158 t (number specified in the corresponding channel declaration.)6 2364 1 720 5278 t ( the first option, for instance,)5 1157( For)1 189(The second statement in both options is a send operation.)9 2287 3 720 5434 t 8 CW f (toB!data\(d,b\))864 5584 w 10 R f ( message)1 379(specifies the sending of)3 985 2 720 5764 t 9 CW f (data\(d,b\))2123 5764 w 10 R f (to channel)1 429 1 2650 5764 t 9 CW f (toB)3118 5764 w 9 R f (.)3280 5764 w 10 R f (By default, the send action is only exe-)7 1671 1 3369 5764 t ( means that in validation runs it is considered a design error if)12 2517( This)1 232( the target channel is not full.)6 1192(cutable if)1 379 4 720 5884 t ( the default though and stipulate that mes-)7 1700(message queues can be made to overflow. 
\(The user can override)10 2620 2 720 6004 t ( a central concept in)4 847( is)1 104( ``Executability'')1 727(sages sent to full queues must be discarded.\))7 1859 4 720 6124 t 8 R f (PROMELA)4293 6124 w 10 R f (, and the)2 363 1 4677 6124 t (main tool for formalizing process synchronization in a validation model.)9 2897 1 720 6244 t 10 B f (Executability in PROMELA)2 1212 1 720 6484 t 10 R f (Every statement in)2 761 1 720 6640 t 8 R f (PROMELA)1512 6640 w 10 R f ( semantics of)2 539( The)1 211(is either executable or non-executable.)4 1561 3 1927 6640 t 8 R f (PROMELA)4269 6640 w 10 R f (\(summa-)4685 6640 w ( statements,)1 473( Assignment)1 529( Appendix A\) specify the rules of executability for every type of statement.)12 3014(rized in)1 304 4 720 6760 t ( Any)1 233( and only if they are true.)6 1072( conditions are executable if)4 1165( Boolean)1 393(for instance, are always executable.)4 1457 5 720 6880 t ( the loop of the example above, the)7 1480( In)1 144( the executing process.)3 942(statement that is non-executable can block)5 1754 4 720 7000 t ( lower)1 253(state of the channels determines which of the two guards will be executable and thus selectable by the)17 4067 2 720 7120 t ( one guard is executable, one of)6 1302( more than)2 441( If)1 123( no guard is executable, the process blocks.)7 1776( If)1 123(layer process.)1 555 6 720 7240 t cleartomark showpage saveobj restore %%EndPage: 6 8 %%Page: 7 9 /saveobj save def mark 9 pagesetup 10 R f (- 7 -)2 166 1 2797 480 t (them is selected at random.)4 1090 1 720 840 t 10 B f (Model of a Non-Ideal Channel)4 1295 1 720 1080 t 10 R f ( the informal)2 524( In)1 137( example protocol does not always transfer messages correctly.)8 2551(The real lower layer for the)5 1108 4 720 1236 t ( is implicitly assumed that the channel can corrupt messages, but not lose them.)13 3334(description, lines 3-4, it)3 986 2 720 1356 t ( certainly a practical)3 838(The error detection scheme is assumed to be flawless \(not a 
realistic assumption, but)13 3482 2 720 1476 t ( we will assume that the error detection scheme will)9 2167( build our validation model)4 1133( To)1 172(and a common one\).)3 848 4 720 1596 t (label corrupted messages appropriately as)4 1668 1 720 1716 t 9 CW f (error)2411 1716 w 10 R f ( formalize this, we first expand our message)7 1770(messages. To)1 564 2 2706 1716 t (vocabulary to three types of messages \(luckily we used a)9 2279 1 720 1836 t 9 CW f (byte)3023 1836 w 10 R f ( distin-)1 281(for the message-type field; enough to)5 1494 2 3265 1836 t (guish between up to 256 different message types\):)7 2005 1 720 1956 t 8 CW f (mtype = { data, control, error })6 1536 1 864 2106 t 10 R f (We can now formalize the new behavior as follows.)8 2075 1 720 2286 t 8 CW f ( lower\(chan fromA, toA, fromB, toB\))5 1680(1 proctype)1 528 2 912 2436 t ( d; bit b;)3 480( byte)1 336(2 {)1 192 3 912 2536 t (3)912 2636 w (4 do)1 432 1 912 2736 t ( fromA?data\(d,b\) ->)2 912(5 ::)1 432 2 912 2836 t (6 if)1 816 1 912 2936 t ( */)1 240( correct)1 384( /*)1 480( toB!data\(d,b\))1 672(7 ::)1 816 5 912 3036 t ( distorted */)2 624( /*)1 672( toB!error)1 480(8 ::)1 816 4 912 3136 t (9 fi)1 816 1 912 3236 t ( fromB?control\(b\) ->)2 960(10 ::)1 480 2 864 3336 t (11 if)1 864 1 864 3436 t ( toA!control\(b\))1 720(12 ::)1 864 2 864 3536 t ( toA!error)1 480(13 ::)1 864 2 864 3636 t (14 fi)1 864 1 864 3736 t (15 od)1 480 1 864 3836 t (16 })1 240 1 864 3936 t 10 R f ( either forward the message)4 1106( can)1 163( It)1 111(The lower layer now has two possible responses to an incoming message.)11 2940 4 720 4116 t ( The)1 207(correctly, as before, or it can change the message into an error message.)12 2890 2 720 4236 t 9 CW f (if)3841 4236 w 10 R f (statement specifies a num-)3 1065 1 3975 4236 t ( a)1 75(ber of options for execution, just like)6 1509 2 720 4356 t 9 CW f (do)2333 4356 w 10 R f ( the)1 153(statement. 
Unlike)1 736 2 2472 4356 t 9 CW f (do)3390 4356 w 10 R f (statement, however, the)2 960 1 3529 4356 t 9 CW f (if)4518 4356 w 10 R f (statement)4657 4356 w ( mechanism for select-)3 918( The)1 209( it is not repeated.)4 729(terminates when the option that was selected terminates, i.e.,)8 2464 4 720 4476 t ( the two)2 340( In)1 142( is the same as before.)5 926(ing an option)2 544 4 720 4596 t 9 CW f (if)2704 4596 w 10 R f (statements above both options consist of just a single)8 2194 1 2846 4596 t ( model the possibility of message loss, we could add yet another option to)13 3006( we wanted to)3 572( If)1 121(send statement.)1 621 4 720 4716 t ( consisting of a single statement)5 1295(this set,)1 308 2 720 4836 t 9 CW f (skip)2349 4836 w 9 R f (.)2565 4836 w 10 R f (The)2641 4836 w 9 CW f (skip)2822 4836 w 10 R f (statement is the null operation of)5 1328 1 3066 4836 t 8 R f (PROMELA)4422 4836 w 10 R f ( is)1 95(. It)1 139 2 4806 4836 t (always executable and has no effect.)5 1456 1 720 4956 t (This definition of process)3 1039 1 720 5112 t 9 CW f (lower)1787 5112 w 10 R f ( description of the behavior of the lower layer protocol that accu-)11 2668(gives a)1 285 2 2087 5112 t ( must com-)2 456( complete the validation model, we)5 1424( To)1 165(rately matches the assumptions of the protocol designer.)7 2275 4 720 5232 t ( process of type)3 659(bine it with the declarations of the channels, and we must find a place where a)15 3256 2 720 5352 t 9 CW f (lower)4668 5352 w 10 R f (is)4973 5352 w ( return to that below, after we discuss the modeling of sender)11 2440( We)1 188( channels.)1 399(instantiated with the appropriate)3 1293 4 720 5472 t (and receiver process types A and B.)6 1432 1 720 5592 t 10 B f (Model of the Sender and Receiver Process)6 1791 1 720 5832 t 10 R f ( information we need)3 866( The)1 210( at the procedure rules for the sender process A.)9 1950(We start by taking a closer look)6 1294 4 720 5988 t ( code below is annotated with references to 
the)8 1889( The)1 207( Lynch.)1 307(is on lines 5-19 in the informal specification by)8 1917 4 720 6108 t (line numbers in the informal description, where the corresponding design decisions are mentioned.)12 3944 1 720 6228 t 8 CW f ( A\(chan in, out\))3 768(1 proctype)1 528 2 912 6378 t ( */)1 672( message data)2 624( /*)1 1248( mt;)1 192( byte)1 336(2 {)1 192 6 912 6478 t ( */)1 528( alternation bit)2 768( /*)1 1248( at;)1 240(3 bit)1 480 5 912 6578 t ( */)1 768( verify bit)2 528( /*)1 1248( vr;)1 240(4 bit)1 480 5 912 6678 t (5)912 6778 w ( */)1 576( get a new mesg)4 720( /*)1 1344(6 FETCH;)1 624 4 912 6878 t ( */)1 912( send it)2 384( /*)1 864(7 out!data\(mt,at\);)1 1104 4 912 6978 t (8 do)1 432 1 912 7078 t ( line 11, await response */)5 1296( /*)1 672( in?control\(vr\) ->)2 864(9 ::)1 432 4 912 7178 t (10 if)1 864 1 864 7278 t cleartomark showpage saveobj restore %%EndPage: 7 9 %%Page: 8 10 /saveobj save def mark 10 pagesetup 10 R f (- 8 -)2 166 1 2797 480 t 8 CW f ( */)1 240( line 12, correct send)4 1056( /*)1 528( \(vr == 1\) ->)4 624(11 ::)1 864 5 864 820 t ( */)1 288( line 17, new message)4 1008( /*)1 576(12 FETCH;)1 1440 4 864 920 t ( */)1 336( line 18, toggle bit)4 960( /*)1 432( = 1-at)2 336(13 at)1 1248 5 864 1020 t ( */)1 336( line 13, send error)4 960( /*)1 528( \(vr == 0\) ->)4 624(14 ::)1 864 5 864 1120 t ( */)1 288( line 16, don't fetch)4 1008( /*)1 672(15 skip)1 1344 4 864 1220 t (16 fi;)1 912 1 864 1320 t ( */)1 912( line 16)2 384( /*)1 528(17 out!data\(mt,at\))1 1488 4 864 1420 t ( */)1 192( line 14-15, recv error)4 1104( /*)1 768( in?error\(vr\) ->)2 768(18 ::)1 480 5 864 1520 t ( */)1 912( line 16)2 384( /*)1 528(19 out!data\(mt,at\))1 1488 4 864 1620 t (20 od)1 480 1 864 1720 t (21 })1 240 1 864 1820 t 10 R f ( and the)2 334(The only new language features that we have used is the assignment to toggle the alternation bit,)16 3986 2 720 2000 t (conditions as guards in the)4 1090 1 720 2120 t 9 CW f (if)1839 2120 w 10 R f ( parameter)1 
429(statement. The)1 619 2 1978 2120 t 9 CW f (vr)3055 2120 w 10 R f (on line 18 is not used, but must be present to)10 1846 1 3194 2120 t ( a receive equal the number of message fields)8 1969(fulfill the requirement that the number of parameters in)8 2351 2 720 2240 t ( are defined to be always executable, unconditionally.)7 2162( Assignments)1 569(declared for the corresponding channel.)4 1589 3 720 2360 t ( A)1 126( is not true in C.\))5 698( \(This)1 265( assignment can have no side-effects.)5 1505(The evaluation of the right-hand side of an)7 1726 5 720 2480 t ( is only executable if it evaluates to a)8 1561(condition, or in general any expression that is used as a statement,)11 2759 2 720 2600 t ( not have side-effects when)4 1099( used as statements must be `pure,' that is they may)10 2066( Expressions)1 534(non-zero value.)1 621 4 720 2720 t ( trivial encoding for the dummy statement)6 1754(evaluated. A)1 542 2 720 2840 t 9 CW f (skip)3051 2840 w 10 R f (is therefore the expression)3 1086 1 3304 2840 t 9 CW f (\(1\))4425 2840 w 9 R f (.)4587 2840 w 10 R f (It has no)2 368 1 4672 2840 t (effect, and is always executable.)4 1290 1 720 2960 t ( Lynch's informal spec-)3 959(We still have to decide on the modeling of the initialization idea from lines 27-31 in)15 3361 2 720 3116 t (ification, and we have to expand the macro)7 1732 1 720 3236 t 9 CW f (FETCH)2477 3236 w 10 R f ( the)1 148( before we do that, let us first look at)9 1488(somehow. 
But,)1 630 3 2774 3236 t (matching receiver.)1 742 1 720 3356 t 8 CW f ( B\(chan in, out\))3 768(1 proctype)1 528 2 912 3506 t ( */)1 768( message data)2 624( /*)1 1248( mr;)1 192( byte)1 336(2 {)1 192 6 912 3606 t ( mr of last error-free msg */)6 1392( /*)1 1008( last_mr;)1 432(3 byte)1 528 4 912 3706 t ( */)1 624( alternation bit)2 768( /*)1 1248( ar;)1 240(4 bit)1 480 5 912 3806 t ( ar of last error-free msg */)6 1392( /*)1 1248( lar;)1 240(5 bit)1 480 4 912 3906 t (6)912 4006 w (7 do)1 432 1 912 4106 t ( */)1 288( lines 7-10)2 528( /*)1 624( in?error\(mr,ar\) ->)2 912(8 ::)1 432 5 912 4206 t ( lines 8,25,26 */)3 816( /*)1 576(9 out!control\(0\))1 1392 3 912 4306 t ( */)1 288( lines 7-10)2 528( /*)1 672( in?data\(mr,ar\) ->)2 864(10 ::)1 480 5 864 4406 t ( lines 8,25,26 */)3 816( /*)1 528(11 out!control\(1\);)1 1488 3 864 4506 t ( */)1 432( line 20)2 384( /*)1 1152(12 if)1 864 4 864 4606 t ( */)1 432( line 21)2 384( /*)1 432( \(ar == lar\) ->)4 720(13 ::)1 864 5 864 4706 t ( */)1 432( line 23)2 384( /*)1 672(14 skip)1 1344 4 864 4806 t ( */)1 432( line 24)2 384( /*)1 432( \(ar != lar\) ->)4 720(15 ::)1 864 5 864 4906 t ( */)1 432( line 24)2 384( /*)1 528(16 ACCEPT;)1 1488 4 864 5006 t ( */)1 432( line 22)2 384( /*)1 432( = ar;)2 288(17 lar)1 1296 5 864 5106 t ( = mr)2 240(18 last_mr)1 1488 2 864 5206 t (19 fi)1 864 1 864 5306 t (20 od)1 480 1 864 5406 t (21 })1 240 1 864 5506 t 10 R f (We introduced a new macro)4 1164 1 720 5686 t 9 CW f (ACCEPT)1917 5686 w 10 R f ( previous one)2 560(that, just like the)3 697 2 2276 5686 t 9 CW f (FETCH)3567 5686 w 10 R f (remains to be expanded, but)4 1167 1 3873 5686 t ( A)1 134( proper initializations\) the behavior specifications are now complete.)8 2838(apart from these details \(and the)5 1348 3 720 5806 t (trivial implementation is to use the macro)6 1684 1 720 5926 t 9 CW f (FETCH)2430 5926 w 10 R f ( integers, modulo some maximum)4 1380(to obtain a sequence of)4 932 2 2728 5926 t (number)720 6046 w 9 CW f (MAX)1048 
6046 w 8 CW f ( = \(mt+1\)%MAX)2 624( mt)1 240(#define FETCH)1 624 3 864 6196 t 10 R f ( the last number received, we can build in a simple check to verify that the)15 3047(If we let the receiver remember)5 1273 2 720 6376 t (same message cannot be accepted twice in a row by)9 2069 1 720 6496 t 9 CW f (B)2812 6496 w 10 R f (\(line 33 from the informal specification\):)5 1639 1 2891 6496 t 8 CW f ( == \(last_mr+1\)%MAX\))2 960( assert\(mr)1 528(#define ACCEPT)1 672 3 864 6646 t 10 R f (The statement)1 577 1 720 6826 t 9 CW f (assert\(e\))1335 6826 w 10 R f (is a pre-defined statement in)4 1191 1 1861 6826 t 8 R f (PROMELA)3092 6826 w 10 R f (, with)1 243 1 3476 6826 t 9 CW f (e)3757 6826 w 10 R f ( The)1 220(an arbitrary expression.)2 969 2 3851 6826 t ( an error if expression)4 887( is)1 96( It)1 115(statement is always executable and has no effect.)7 1984 4 720 6946 t 9 CW f (e)3828 6946 w 10 R f (can be false when the asser-)5 1130 1 3910 6946 t ( can use an automated validator to prove that this is impossible.)11 2537( We)1 188(tion is executed.)2 652 3 720 7066 t ( the specification.)2 711(The assertion above does not cover the first part of the correctness claim on lines 31-33 in)16 3609 2 720 7222 t cleartomark showpage saveobj restore %%EndPage: 8 10 %%Page: 9 11 /saveobj save def mark 11 pagesetup 10 R f (- 9 -)2 166 1 2797 480 t ( we describe how the process)5 1196( First,)1 265( see later how this requirement can be expressed and checked.)10 2533(We will)1 326 4 720 840 t (behaviors can be included into a complete validation model.)8 2405 1 720 960 t 10 B f (The Initial PROMELA Process)3 1336 1 720 1200 t 10 R f (A)720 1356 w 9 CW f (proctype)819 1356 w 10 R f ( specify when that behavior must be per-)7 1662(definition only defines process behavior, it does not)7 2098 2 1280 1356 t ( this, every validation model is defined to have an initial process,)11 2600( For)1 189(formed, or how it is to be instantiated.)7 1531 3 720 1476 t (that performs much the 
same function as the)7 1807 1 720 1596 t 9 CW f (main)2555 1596 w 10 R f ( minimal)1 365( The)1 211(routine of a C-program.)3 966 3 2802 1596 t 8 R f (PROMELA)4375 1596 w 10 R f (model)4790 1596 w (does not declare any objects or instantiate any processes:)8 2273 1 720 1716 t 8 CW f (init { skip })3 624 1 864 1866 t 10 R f (More interesting is an)3 883 1 720 2046 t 9 CW f (init)1629 2046 w 10 R f ( channels from Figure 2 and instantiates a single copy)9 2186(process that declares the)3 981 2 1873 2046 t (of each of the)3 545 1 720 2166 t 9 CW f (proctypes A)1 563 1 1288 2166 t 9 R f (,)1851 2166 w 9 CW f (B)1897 2166 w 9 R f (,)1951 2166 w 10 R f (and)1999 2166 w 9 CW f (lower)2166 2166 w 9 R f (.)2436 2166 w 8 CW f ( 2)1 192( N)1 96(1 #define)1 480 3 912 2316 t ( MAX 8)2 288(2 #define)1 480 2 912 2416 t ( = \(mt+1\)%MAX)2 624( mt)1 432( FETCH)1 288(3 #define)1 480 4 912 2516 t ( == \(last_mr+1\)%MAX\))2 960( assert\(mr)1 720( ACCEPT)1 336(4 #define)1 480 4 912 2616 t (5)912 2716 w ( = { data, control, error };)6 1344(6 mtype)1 384 2 912 2816 t (7)912 2916 w ( "lynch0.A")1 528(8 #include)1 528 2 912 3016 t ( "lynch0.B")1 528(9 #include)1 528 2 912 3116 t ( "lynch0.C")1 528(10 #include)1 576 2 864 3216 t (11)864 3316 w ( {)1 96(12 init)1 384 2 864 3416 t ( fromA = [N] of { byte, byte, bit };)9 1728(13 chan)1 576 2 864 3516 t ( [N] of { byte, byte, bit };)7 1344( =)1 192( toB)1 192(14 chan)1 576 4 864 3616 t ( fromB = [N] of { byte, bit };)8 1440(15 chan)1 576 2 864 3716 t ( [N] of { byte, bit };)6 1056( =)1 192( toA)1 192(16 chan)1 576 4 864 3816 t (17)864 3916 w ( {)1 96(18 atomic)1 672 2 864 4016 t ( A\(toA, fromA\);)2 720(19 run)1 912 2 864 4116 t ( B\(toB, fromB\);)2 720(20 run)1 912 2 864 4216 t ( lower\(fromA, toA, fromB, toB\))4 1440(21 run)1 912 2 864 4316 t (22 })1 432 1 864 4416 t (23 })1 240 1 864 4516 t 10 R f ( in an)2 236(The three processes are initiated)4 1309 2 720 4696 t 9 CW f (atomic)2295 4696 w 10 R f (statement, to guarantee that they all start 
at the same time.)10 2389 1 2651 4696 t ( separators,)1 462(Note, there is no semicolon at the end of the atomic block: semi-colons are used as statement)16 3858 2 720 4816 t (not as statement terminators.)3 1149 1 720 4936 t 10 B f (Simulation and Validation with SPIN)4 1598 1 720 5176 t 10 R f ( the informal specification, and we)5 1421(We have not yet formalized the complete correctness requirement from)9 2899 2 720 5332 t ( included the proper protocol initialization, but just as an experiment we can try to check the)16 3814(have not yet)2 506 2 720 5452 t ( a)1 83( the example simulation-runs below we assume)6 1970( In)1 146(behavior of the model as it stands.)6 1446 4 720 5572 t 9 R f (UNIX)4402 5572 w 10 S f (\322)4627 5572 w 10 R f (System)4745 5572 w (environment, with `$' the shell prompt:)5 1577 1 720 5692 t 8 CW f ($ spin lynch0)2 624 1 864 5842 t (spin: "./lynch0.B" line 16: assertion violated)5 2208 1 864 5942 t (#processes: 4)1 624 1 864 6042 t (_p = 8)2 288 1 1632 6142 t ( \(lower\) line 11 \(state 9\))5 1248(proc 3)1 336 2 864 6242 t ( 16 \(state 8\))3 624( line)1 432( \(B\))1 192(proc 2)1 336 4 864 6342 t ( 8 \(state 14\))3 624( line)1 432( \(A\))1 192(proc 1)1 336 4 864 6442 t ( \(_init\) line 23 \(state 5\))5 1248(proc 0)1 336 2 864 6542 t (4 processes created)2 912 1 864 6642 t ($)864 6742 w 10 R f (The default usage of)3 841 1 720 6922 t 8 R f (SPIN)1594 6922 w 10 R f ( no correctness)2 616( Almost)1 354(starts a random simulation run of the validation model.)8 2268 3 1802 6922 t (checks are performed during)3 1158 1 720 7042 t 8 R f (SPIN)1908 7042 w 10 R f ( errors, such as system dead-)5 1167( exception are inescapable)3 1064(simulations. 
The)1 697 3 2112 7042 t ( class of correctness criteria that)5 1292( excludes a larger)3 703( \(This)1 262(lock, unspecified reception, and assertion violation.)5 2063 4 720 7162 t ( when an assertion violation occurred.)5 1614( the above case the simulation run aborted)7 1823( In)1 153(we discuss later.\))2 730 4 720 7282 t cleartomark showpage saveobj restore %%EndPage: 9 11 %%Page: 10 12 /saveobj save def mark 12 pagesetup 10 R f (- 10 -)2 216 1 2772 480 t (Before)720 840 w 8 R f (SPIN)1011 840 w 10 R f (exits it prints the control-flow state of all processes at the time the error was detected.)15 3416 1 1210 840 t ( we need to make sure that)6 1076( First,)1 261(To find out what happened we need more information about the run itself.)12 2983 3 720 996 t ( all, this is a concurrent system with several asynchronously executing)10 2840( \(After)1 296( reproducible error.)2 778(we have a)2 406 4 720 1116 t ( can secure a reproducible)4 1068( We)1 195( sequences, all equally likely.\))4 1237(processes, there are many possible execution)5 1820 4 720 1236 t ( number generation \(by default)4 1268(run by selecting a fixed seed for the random)8 1829 2 720 1356 t 8 R f (SPIN)3850 1356 w 10 R f (uses the)1 327 1 4057 1356 t 9 R f (UNIX)4415 1356 w 10 R f (System's)4673 1356 w 9 CW f (time)720 1476 w 10 R f ( can do this as follows:)5 919( We)1 188(command as a seed\).)3 831 3 961 1476 t 8 CW f ($ spin -n123 lynch0)3 912 1 864 1626 t (spin: "./lynch0.B" line 16: assertion violated)5 2208 1 864 1726 t (#processes: 4)1 624 1 864 1826 t (_p = 8)2 288 1 1632 1926 t ( \(lower\) line 11 \(state 9\))5 1248(proc 3)1 336 2 864 2026 t ( 16 \(state 8\))3 624( line)1 432( \(B\))1 192(proc 2)1 336 4 864 2126 t ( 8 \(state 14\))3 624( line)1 432( \(A\))1 192(proc 1)1 336 4 864 2226 t ( \(_init\) line 23 \(state 5\))5 1248(proc 0)1 336 2 864 2326 t (4 processes created)2 912 1 864 2426 t ($)864 2526 w 10 R f (The seed selected was)3 883 1 720 2706 t 9 CW f (123)1626 2706 w 9 R f (,)1788 
2706 w 10 R f ( we can now repeat the run reliably, by using the same)11 2184(the same error was hit, so)5 1020 2 1836 2706 t (seed consistently in all further probings into the nature of this error.)11 2702 1 720 2826 t 8 R f (SPIN)720 2982 w 10 R f ( leading into the assertion vio-)5 1223(allows us to get arbitrarily detailed information about the simulation run)10 2897 2 920 2982 t ( be obtained)2 492( quick overview of the available information can)7 1964( A)1 125(lation, by combining different option flags.)5 1739 4 720 3102 t (by providing an illegal option flag such as ")8 1815 1 720 3222 t 9 CW f (spin -h)1 387 1 2535 3222 t 10 R f (" or ")2 233 1 2922 3222 t 9 CW f (spin -?)1 387 1 3155 3222 t 10 R f ( of these options are relevant)5 1195(." Five)1 303 2 3542 3222 t (here:)720 3342 w 8 CW f ($ spin -?)2 432 1 864 3492 t (-g print all global variables)4 1392 1 1248 3592 t (-l print all local variables)4 1344 1 1248 3692 t (-p print all statements)3 1104 1 1248 3792 t (-r print receive events)3 1104 1 1248 3892 t (-s print send events)3 960 1 1248 3992 t 10 R f (So we can try:)3 574 1 720 4172 t 8 CW f ($ spin -n123 -r lynch0)4 1056 1 864 4322 t ( queue 2 \(fromA\))3 768( <-)1 192( Recv data,1,0)2 672( 5,)1 240( \(lower\) line)2 624(proc 3)1 336 6 864 4422 t ( Recv error,0,0 <- queue 3 \(in\))6 1488( 8,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 5 864 4522 t ( Recv control,0 <- queue 4 \(fromB\))6 1632( 10,)1 240( \(lower\) line)2 624(proc 3)1 336 4 864 4622 t ( Recv control,0 <- queue 1 \(in\))6 1488( 9,)1 240( line)1 432( \(A\))1 192(proc 1)1 336 5 864 4722 t ( queue 2 \(fromA\))3 768( <-)1 192( Recv data,1,0)2 672( 5,)1 240( \(lower\) line)2 624(proc 3)1 336 6 864 4822 t ( queue 3 \(in\))3 624( <-)1 192( Recv data,1,0)2 672( 10,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 7 864 4922 t ( Recv control,1 <- queue 4 \(fromB\))6 1632( 10,)1 240( \(lower\) line)2 624(proc 3)1 336 4 864 5022 t ( Recv control,1 <- queue 1 \(in\))6 1488( 9,)1 240( line)1 432( 
\(A\))1 192(proc 1)1 336 5 864 5122 t ( queue 2 \(fromA\))3 768( <-)1 192( Recv data,2,1)2 672( 5,)1 240( \(lower\) line)2 624(proc 3)1 336 6 864 5222 t ( queue 3 \(in\))3 624( <-)1 192( Recv data,2,1)2 672( 10,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 7 864 5322 t ( Recv control,1 <- queue 4 \(fromB\))6 1632( 10,)1 240( \(lower\) line)2 624(proc 3)1 336 4 864 5422 t (spin: "./lynch0.B" line 16: assertion violated)5 2208 1 864 5522 t (#processes: 4)1 624 1 864 5622 t (_p = 8)2 288 1 1632 5722 t ( \(lower\) line 11 \(state 9\))5 1248(proc 3)1 336 2 864 5822 t ( 16 \(state 8\))3 624( line)1 432( \(B\))1 192(proc 2)1 336 4 864 5922 t ( 8 \(state 14\))3 624( line)1 432( \(A\))1 192(proc 1)1 336 4 864 6022 t ( \(_init\) line 23 \(state 5\))5 1248(proc 0)1 336 2 864 6122 t (4 processes created)2 912 1 864 6222 t 10 R f ( out uninteresting data, for instance the actions of the lower layer channel pro-)13 3212(Trivially, we can also filter)4 1108 2 720 6402 t (cess:)720 6522 w 8 CW f ($ spin -n123 -r lynch0 | grep -v lower)8 1824 1 864 6672 t ( Recv error,0,0 <- queue 3 \(in\))6 1488( 8,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 5 864 6772 t ( Recv control,0 <- queue 1 \(in\))6 1488( 9,)1 240( line)1 432( \(A\))1 192(proc 1)1 336 5 864 6872 t ( queue 3 \(in\))3 624( <-)1 192( Recv data,1,0)2 672( 10,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 7 864 6972 t ( Recv control,1 <- queue 1 \(in\))6 1488( 9,)1 240( line)1 432( \(A\))1 192(proc 1)1 336 5 864 7072 t ( queue 3 \(in\))3 624( <-)1 192( Recv data,2,1)2 672( 10,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 7 864 7172 t (spin: "./lynch0.B" line 16: assertion violated)5 2208 1 864 7272 t cleartomark showpage saveobj restore %%EndPage: 10 12 %%Page: 11 13 /saveobj save def mark 13 pagesetup 10 R f (- 11 -)2 216 1 2772 480 t 8 CW f (#processes: 4)1 624 1 864 820 t (_p = 8)2 288 1 1632 920 t ( 16 \(state 8\))3 624( line)1 432( \(B\))1 192(proc 2)1 336 4 864 1020 t ( 8 \(state 14\))3 624( line)1 432( \(A\))1 192(proc 1)1 
336 4 864 1120 t ( \(_init\) line 23 \(state 5\))5 1248(proc 0)1 336 2 864 1220 t (4 processes created)2 912 1 864 1320 t 10 R f (Or, we can add explicit)4 936 1 720 1500 t 9 CW f (printf)1681 1500 w 10 R f (statements to the)2 676 1 2032 1500 t 8 R f (PROMELA)2736 1500 w 10 R f (source text for the model to keep track of what)9 1892 1 3148 1500 t ( instance, we can experiment by expanding the)7 1868( For)1 189(is happening.)1 533 3 720 1620 t 9 CW f (ACCEPT)3333 1620 w 10 R f (macro,)3682 1620 w 8 CW f ( %d0, mr\); assert\(mr == \(last_mr+1\)%MAX\))5 1920( printf\("ACCEPT)1 768(#define ACCEPT)1 672 3 864 1770 t 10 R f (which produces:)1 657 1 720 1950 t 8 CW f (pipe: spin -n123 -r lynch0 | grep -v lower)8 2016 1 864 2100 t ( Recv error,0,0 <- queue 3 \(in\))6 1488( 8,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 5 864 2200 t ( Recv control,0 <- queue 1 \(in\))6 1488( 9,)1 240( line)1 432( \(A\))1 192(proc 1)1 336 5 864 2300 t ( queue 3 \(in\))3 624( <-)1 192( Recv data,1,0)2 672( 10,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 7 864 2400 t ( Recv control,1 <- queue 1 \(in\))6 1488( 9,)1 240( line)1 432( \(A\))1 192(proc 1)1 336 5 864 2500 t ( queue 3 \(in\))3 624( <-)1 192( Recv data,2,1)2 672( 10,)1 240( line)1 432( \(B\))1 192(proc 2)1 336 7 864 2600 t (ACCEPT 2)1 384 1 864 2700 t (spin: "./lynch0.B" line 16: assertion violated)5 2208 1 864 2800 t (#processes: 4)1 624 1 864 2900 t (_p = 9)2 288 1 1632 3000 t ( 16 \(state 9\))3 624( line)1 432( \(B\))1 192(proc 2)1 336 4 864 3100 t ( 8 \(state 14\))3 624( line)1 432( \(A\))1 192(proc 1)1 336 4 864 3200 t ( \(_init\) line 23 \(state 5\))5 1248(proc 0)1 336 2 864 3300 t (4 processes created)2 912 1 864 3400 t 10 R f ( first message accepted carries the integer)6 1679( The)1 208(The error is now clear.)4 917 3 720 3580 t 9 CW f (2)3550 3580 w 9 R f (.)3604 3580 w 10 R f ( with integer value)3 758(The message)1 521 2 3680 3580 t 9 CW f (1)4986 3580 w 10 R f ( by process)2 453(is received correctly but not accepted)5 
1502 2 720 3700 t 9 CW f (B)2700 3700 w 9 R f (.)2754 3700 w 10 R f (The only reason for that is line 13 in)8 1470 1 2829 3700 t 9 CW f (proctype B)1 542 1 4324 3700 t 9 R f (:)4866 3700 w 10 R f (the)4918 3700 w ( the first message equals the value of)7 1493(alternation bit on)2 687 2 720 3820 t 9 CW f (lar)2926 3820 w 9 R f (.)3088 3820 w 10 R f (This initialization problem can be patched \(we)6 1876 1 3164 3820 t ( the informal specification\) by)4 1249(didn't look seriously yet at the rules for the initialization that are given in)13 3071 2 720 3940 t (giving)720 4060 w 9 CW f (lar)999 4060 w 10 R f (a non-zero initial value \(by default everything in)7 1938 1 1186 4060 t 8 R f (PROMELA)3149 4060 w 10 R f (has initial value zero\):)3 890 1 3558 4060 t 8 CW f ( B\(chan in, out\))3 768(1 proctype)1 528 2 912 4210 t ( */)1 768( message data)2 624( /*)1 1248( mr;)1 192( byte)1 336(2 {)1 192 6 912 4310 t ( mr of last error-free msg */)6 1392( /*)1 1008( last_mr;)1 432(3 byte)1 528 4 912 4410 t ( */)1 624( alternation bit)2 768( /*)1 1248( ar;)1 240(4 bit)1 480 5 912 4510 t ( ar of last error-free msg */)6 1392( /*)1 1152( lar=1;)1 336(5 bit)1 480 4 912 4610 t (....)1248 4710 w (21 })1 240 1 864 4810 t 10 R f (With this modification, the simulation proceeds as expected.)7 2417 1 720 4990 t 8 CW f ($ spin lynch0)2 624 1 864 5140 t (ACCEPT 1)1 384 1 864 5240 t (ACCEPT 2)1 384 1 864 5340 t (ACCEPT 3)1 384 1 864 5440 t (ACCEPT 4)1 384 1 864 5540 t (ACCEPT 5)1 384 1 864 5640 t (ACCEPT 6)1 384 1 864 5740 t (ACCEPT 7)1 384 1 864 5840 t (ACCEPT 0)1 384 1 864 5940 t (ACCEPT 1)1 384 1 864 6040 t (ACCEPT 2)1 384 1 864 6140 t (ACCEPT 3)1 384 1 864 6240 t (...)864 6340 w 10 R f (repeating the series)2 794 1 720 6520 t 9 CW f (ACCEPT 0)1 444 1 1549 6520 t 10 R f (to)2030 6520 w 9 CW f (ACCEPT 7)1 444 1 2143 6520 t 10 R f ( prove with simulation)3 942( course, we cannot)3 778( Of)1 167(ad infinitum.)1 529 4 2624 6520 t ( can only serve as a quick debugging tool, not for)10 2042( 
Simulation)1 497(alone that the assertions cannot be violated.)6 1781 3 720 6640 t ( exhaustive validation,)2 920(validation. An)1 606 2 720 6760 t 10 I f (proving)2280 6760 w 10 R f ( validation)1 435(that the assertions can never be validated in this)8 1980 2 2625 6760 t (model, is performed in three steps:)5 1387 1 720 6880 t 10 B f (1.)864 7036 w 10 R f (Generate the analyzer source, using)4 1420 1 989 7036 t 8 R f (SPIN)2434 7036 w 10 R f (option)2633 7036 w 9 CW f (-a)2912 7036 w 9 R f (.)3020 7036 w 10 B f (2.)864 7156 w 10 R f (Compile this source with the C-compiler.)5 1655 1 989 7156 t 10 B f (3.)864 7276 w 10 R f (Run the resulting executable analyzer.)4 1527 1 989 7276 t cleartomark showpage saveobj restore %%EndPage: 11 13 %%Page: 12 14 /saveobj save def mark 14 pagesetup 10 R f (- 12 -)2 216 1 2772 480 t (This analysis proceeds as follows \(after removing the)7 2132 1 720 840 t 9 CW f (printf)2875 840 w 10 R f (statement we added earlier for debugging\).)5 1712 1 3224 840 t 8 CW f ( generate analyzer)2 864( #)1 432($ spin -a lynch0)3 768 3 864 990 t ( compiler source in pan.c)4 1200( #)1 384($ cc -o pan pan.c)4 816 3 864 1090 t ( run)1 192( #)1 960($ pan)1 240 3 864 1190 t (full statespace search for:)3 1296 1 864 1290 t (assertion violations and invalid endstates)4 2016 1 1248 1390 t (vector 84 byte, depth reached 350, errors: 0)7 2112 1 864 1490 t (1558 states, stored)2 912 1 1056 1590 t (2 states, linked)2 768 1 1200 1690 t ( 2729)1 432( total:)1 816(1169 states, matched)2 960 3 1056 1790 t (hash conflicts: 201 \(resolved\))3 1440 1 864 1890 t (\(max size 2\30318 states, stackframes: 0/102\))5 2016 1 864 1990 t (unreached in proctype _init:)3 1344 1 864 2090 t (reached all 5 states)3 960 1 1248 2190 t (unreached in proctype lower:)3 1344 1 864 2290 t (line 16 \(state 14\))3 864 1 1248 2390 t (reached: 13 of 14 states)4 1152 1 1248 2490 t (unreached in proctype B:)3 1152 1 864 2590 t (line 21 \(state 17\))3 864 1 1248 2690 t (reached: 16 of 17 
states)4 1152 1 1248 2790 t (unreached in proctype A:)3 1152 1 864 2890 t (line 21 \(state 17\))3 864 1 1248 2990 t (reached: 16 of 17 states)4 1152 1 1248 3090 t ( pan)1 384(0.4u 0.3s 5r)2 576 2 864 3190 t 10 R f ( this example it was a full)6 1099( In)1 145( analysis was performed.)3 1028(The first line in the printout tells us what type of)10 2048 4 720 3370 t ( such as deadlocks \(we will discuss the other)8 1794(statespace search for assertion violations and invalid endstates,)7 2526 2 720 3490 t (possible types of analyses later\).)4 1295 1 720 3610 t ( now, just)2 414( For)1 199(The next six lines report some statistics on the analysis itself that will become clear later.)15 3707 3 720 3766 t ( \(depth)1 307(note that the longest unique execution sequence that was analyzed contained 350 statements)12 4013 2 720 3886 t ( 1558 unique system states were encountered during the search, each occupying 84)12 3384(reached\), and a total of)4 936 2 720 4006 t (bytes of storage.)2 657 1 720 4126 t ( gives us information about the statements in the validation model that were)12 3115(The remainder of the printout)4 1205 2 720 4282 t ( either necessarily indicate dead code in the)7 1800( states in this listing)4 836( Unreachable)1 563(analyzed during the search.)3 1121 4 720 4402 t ( when we look at partial searches of)7 1516( \(Later,)1 330( is run to completion.)4 901(model for a full statespace search that)6 1573 4 720 4522 t ( unreached)1 446( The)1 217( search.\))1 349(large models, the unreachable states give information about the coverage of the)11 3308 4 720 4642 t ( intended)1 377(states in the current listing are benign: they point at the end-states of the three processes that we)17 3943 2 720 4762 t (not to terminate.)2 658 1 720 4882 t 10 B f (Modeling Protocol Initialization)2 1367 1 720 5122 t 10 R f ( informal)1 372( The)1 208( the rules for the proper initialization of Lynch's protocol yet.)10 2490(We haven't looked seriously at)4 1250 4 720 5278 t 
(specification is rather vague:)3 1150 1 720 5398 t 8 CW f ( of this scheme depends upon A and B agreeing on an)11 2448(27 Initialization)1 912 2 864 5548 t ( is accomplished by)3 912( This)1 288( of the alternation bit.)4 1152( setting)1 432(28 initial)1 576 5 864 5648 t ( A to B message whose error-free reception \(but not necessarily)10 3024(29 an)1 336 2 864 5748 t ( Multiple)1 480( B's setting of the alternation bit.)6 1728( forces)1 384(30 acceptance\))1 768 4 864 5848 t ( of such a message cannot do harm.)7 1632(31 receptions)1 720 2 864 5948 t 10 R f (One way to implement this is to change the start of)10 2037 1 720 6128 t 9 CW f (proctype A)1 540 1 2780 6128 t 10 R f (into:)3345 6128 w 8 CW f (1 proctype A\(chan in, out\))4 1248 1 960 6278 t ( */)1 288( message data)2 624( /*)1 1248( mt;)1 192( byte)1 336(2 {)1 144 6 960 6378 t ( alternation bit */)3 912( /*)1 1248( at;)1 240(3 bit)1 432 4 960 6478 t ( */)1 384( verify bit)2 528( /*)1 1248( vr;)1 240(4 bit)1 432 5 960 6578 t (5)960 6678 w ( */)1 384( initialize)1 528( /*)1 960( out!data\(0,1\);)1 912(> 6)1 144 5 864 6778 t ( do)1 336(> 7)1 144 2 864 6878 t ( */)1 432( ack error)2 480( /*)1 768( in?error\(vr\) ->)2 768( ::)1 336(> 8)1 144 6 864 6978 t ( */)1 576( repeat)1 336( /*)1 624( out!data\(0,1\))1 1248(> 9)1 144 5 864 7078 t ( */)1 384( send error)2 528( /*)1 720( in?control\(0\) ->)2 816(>10 ::)1 480 5 864 7178 t ( */)1 576( repeat)1 336( /*)1 624(>11 out!data\(0,1\))1 1392 4 864 7278 t cleartomark showpage saveobj restore %%EndPage: 12 14 %%Page: 13 15 /saveobj save def mark 15 pagesetup 10 R f (- 13 -)2 216 1 2772 480 t 8 CW f ( */)1 240( success: done)2 672( /*)1 720( in?control\(1\) ->)2 816(>12 ::)1 480 5 864 820 t (>13 break)1 1008 1 864 920 t (>14 od;)1 528 1 864 1020 t (15 FETCH;)1 624 1 912 1120 t (...)1248 1220 w (30 })1 192 1 912 1320 t 10 R f (The corresponding changes in)3 1200 1 720 1500 t 9 CW f (proctype B)1 540 1 1943 1500 t 10 R f (below refer to lines 27-31 in the informal 
specification:)8 2213 1 2508 1500 t 8 CW f (1 proctype B\(chan in, out\))4 1248 1 960 1650 t ( */)1 768( message data)2 624( /*)1 1248( mr;)1 192( byte)1 336(2 {)1 144 6 960 1750 t ( mr of last error-free msg */)6 1392( /*)1 1008( last_mr;)1 432(3 byte)1 480 4 960 1850 t ( */)1 624( alternation bit)2 768( /*)1 1248( ar;)1 240(4 bit)1 432 5 960 1950 t ( ar of last error-free msg */)6 1392( /*)1 1152( lar=1;)1 336(5 bit)1 432 4 960 2050 t ( */)1 240( lines 27-31)2 576( /*)1 1248( ini;)1 240( bit)1 384(> 6)1 144 6 864 2150 t (7)960 2250 w (8 do)1 384 1 960 2350 t ( */)1 288( lines 7-10)2 528( /*)1 624( in?error\(mr,ar\) ->)2 912(9 ::)1 384 5 960 2450 t ( lines 8,25,26 */)3 816( /*)1 576(10 out!control\(0\))1 1392 3 912 2550 t ( */)1 288( lines 7-10)2 528( /*)1 672( in?data\(mr,ar\) ->)2 864(11 ::)1 432 5 912 2650 t ( lines 8,25,26 */)3 816( /*)1 528(12 out!control\(1\);)1 1440 3 912 2750 t ( */)1 240( lines 27-31)2 576( /*)1 1152(>13 if)1 864 4 864 2850 t ( */)1 240( lines 27-31)2 576( /*)1 672( \(!ini\) ->)2 480(>14 ::)1 864 5 864 2950 t ( */)1 240( lines 27-31)2 576( /*)1 480( = 1;)2 240(>15 ini)1 1296 5 864 3050 t ( */)1 240( lines 27-31)2 576( /*)1 480( = ar)2 240(>16 lar)1 1296 5 864 3150 t ( */)1 240( lines 27-31)2 576( /*)1 816( ini ->)2 336(>17 ::)1 864 5 864 3250 t ( */)1 336( line 20)2 384( /*)1 864(18 if)1 1200 4 912 3350 t ( */)1 336( \(ar == lar\) -> /* line 21)7 1248(19 ::)1 1200 3 912 3450 t ( */)1 336( line 23)2 384( /*)1 384(20 skip)1 1680 4 912 3550 t ( */)1 336( \(ar != lar\) -> /* line 24)7 1248(21 ::)1 1200 3 912 3650 t ( */)1 336( line 24)2 384( /*)1 240(22 ACCEPT;)1 1824 4 912 3750 t ( */)1 336( = ar; /* line 22)5 816(23 lar)1 1632 3 912 3850 t ( = mr)2 240(24 last_mr)1 1824 2 912 3950 t (25 fi)1 1200 1 912 4050 t ( */)1 240( lines 27-31)2 576( /*)1 1152(26 fi)1 816 4 912 4150 t (27 od)1 432 1 912 4250 t (28 })1 192 1 912 4350 t 10 R f ( independent)1 514(It is quickly confirmed by simulation and validation that the protocol works correctly, 
this time)14 3806 2 720 4530 t (of the initial value of variable)5 1184 1 720 4650 t 9 CW f (lar)1927 4650 w 10 R f (in)2114 4650 w 9 CW f (proctype B)1 540 1 2215 4650 t 9 R f (.)2755 4650 w 10 B f ( CORRECTNESS REQUIREMENTS)2 1624(4. EXPRESSING)1 765 2 720 4890 t 10 R f ( respect to specific correctness)4 1238( can only be called correct with)6 1276( Protocols)1 432(There are no ``correct'' protocols.)4 1374 4 720 5046 t ( a set of fairly standard requirements,)6 1488( in protocol validations we check a protocol for)8 1899(requirements. Usually,)1 933 3 720 5166 t ( and completeness)2 744(such as absence of deadlocks \(i.e., improper terminations\), and for a range of soundness)13 3576 2 720 5286 t ( receptions, dead code segments, race conditions and buffer)8 2465(requirements, such as absence of unspecified)5 1855 2 720 5406 t (overrun.)720 5526 w ( a design effectively solves a given problem, such as data transfer, however, requires us to)15 3762(To prove that)2 558 2 720 5682 t ( requirements typically state that a certain)6 1717( These)1 297(express more specific types of correctness requirements.)6 2306 3 720 5802 t ( such require-)2 552( this section we discuss how)5 1135( In)1 134(behavior of the protocol system is either feasible or infeasible.)9 2499 4 720 5922 t (ments can be expressed in)4 1042 1 720 6042 t 8 R f (PROMELA)1787 6042 w 10 R f (and checked with)2 698 1 2196 6042 t 8 R f (SPIN)2919 6042 w 10 R f (.)3093 6042 w 10 B f (Formalizing Behavior)1 936 1 720 6282 t 10 R f ( by the set of execution sequences that it defines,)9 1997(The behavior of a validation model is completely defined)8 2323 2 720 6438 t ( execution sequence is a)4 976( An)1 175( interleavings of the concurrent behavior of its processes.)8 2305(including all possible)2 864 4 720 6558 t ( state is a complete specification of values of local and global vari-)12 2691(finite, ordered set of system states, and a)7 1629 2 720 6678 t ( validation model can)3 872( A)1 125( flow points 
of running processes, and contents of message channels.)10 2781(ables, control)1 542 4 720 6798 t (reach a given state by executing)5 1317 1 720 6918 t 8 R f (PROMELA)2070 6918 w 10 R f ( the semantics of executability discussed ear-)6 1856(statements, using)1 697 2 2487 6918 t (lier.)720 7038 w 8 R f (PROMELA)720 7194 w 10 R f ( are bounded, including the maximum num-)6 1793(validation models are by definition finite \(all ranges)7 2113 2 1134 7194 t ( is therefore necessarily a bounded, and)6 1606( There)1 287( be created\).)2 499(ber of processes and message channels that can)7 1928 4 720 7314 t cleartomark showpage saveobj restore %%EndPage: 13 15 %%Page: 14 16 /saveobj save def mark 16 pagesetup 10 R f (- 14 -)2 216 1 2772 480 t ( the behavior of any given)5 1090(enumerable, number of execution sequences that defines)6 2306 2 720 840 t 8 R f (PROMELA)4150 840 w 10 R f (model. We)1 472 1 4568 840 t (can distinguish two different types of sequences:)6 1947 1 720 960 t 7 S1 f ()864 1116 w 864 1116 m 53 build_ci 917 1116 m 10 R f (Terminating sequences.)1 948 1 967 1116 t 7 S1 f ()864 1236 w 864 1236 m 53 build_ci 917 1236 m 10 R f (Cyclic sequences.)1 715 1 967 1236 t (The specification of a correctness requirement is defined minimally by propositions \(Boolean expressions\))12 4320 1 720 1392 t ( elements of a system state: control-flow)6 1650( expressions can in principle refer to all the)8 1772( The)1 211(on system states.)2 687 4 720 1512 t ( each proposition defines a map-)5 1320( Formally,)1 446( data, and message queues.)4 1091(points of processes, local and global)5 1463 4 720 1632 t (ping of all reachable system states onto the Boolean values)9 2355 1 720 1752 t 10 I f (true)3100 1752 w 10 R f (and)3286 1752 w 10 I f (false)3455 1752 w 10 R f (.)3644 1752 w ( to define a correctness requirement is the)7 1777(A simple example of the use of these propositions)8 2118 2 720 1908 t 8 R f (PROMELA)4656 1908 w 10 R f ( we used in the definition of the)7 
1352(assertion statement that)2 964 2 720 2028 t 9 CW f (ACCEPT)3071 2028 w 10 R f ( assertion specifies a)3 859( An)1 184(macro earlier.)1 565 3 3432 2028 t ( specific control-flow point \(i.e., the)5 1467(proposition that must always be true when a given process can reach a)12 2853 2 720 2148 t ( the proposition only depends on the)6 1485( this case,)2 403( In)1 139(place in the process body where the assertion is placed\).)9 2293 4 720 2268 t (control-flow point of a single process, and on the relative values of two local variables within that process.)17 4257 1 720 2388 t ( process, more complicated)3 1101(If more than one simple proposition is used, possibly applying to more than one)13 3219 2 720 2544 t ( specifying, for instance, the temporal order in which the proposi-)10 2663(correctness requirements can be build by)5 1657 2 720 2664 t ( orderings are)2 568( and equivalently, we may specify which temporal)7 2076( Alternatively,)1 611(tions are required to hold.)4 1065 4 720 2784 t ( fact, only the second flavor of temporal orderings is used in)11 2407(forbidden. \(In)1 579 2 720 2904 t 8 R f (PROMELA)3731 2904 w 10 R f (.\))4115 2904 w (There are three ways in which correctness criteria can be expressed in)11 2787 1 720 3060 t 8 R f (PROMELA)3532 3060 w 7 S1 f ()864 3180 w 864 3180 m 53 build_ci 917 3180 m 10 R f (Assert statements, as discussed above.)4 1531 1 967 3180 t 7 S1 f ()864 3300 w 864 3300 m 53 build_ci 917 3300 m 10 R f (Three types of validation labels.)4 1284 1 967 3300 t 7 S1 f ()864 3420 w 864 3420 m 53 build_ci 917 3420 m 10 R f (Temporal claims, specifying invalid system behavior.)5 2145 1 967 3420 t (We will illustrate the use of each type of correctness requirement with examples below.)13 3498 1 720 3576 t 10 B f (4.1. 
ASSERTIONS)1 835 1 720 3816 t 10 R f (The)720 3972 w 8 R f (PROMELA)900 3972 w 10 R f (statement)1309 3972 w 8 CW f (assert\(condition\))864 4122 w 10 R f ( a)1 75(is always executable and can be placed anywhere in)8 2111 2 720 4302 t 8 R f (PROMELA)2937 4302 w 10 R f ( condition can be an arbitrary)5 1202(model. The)1 486 2 3352 4302 t ( validity of the statement is)5 1126( The)1 213( the statement has no effect.)5 1154( the condition is true,)4 883( If)1 125(Boolean expression.)1 819 6 720 4422 t ( is at least one execution sequence in which the condition is false when the)14 3222(violated, however, if there)3 1098 2 720 4542 t 9 CW f (assert)720 4662 w 10 R f (statement becomes executable.)2 1233 1 1069 4662 t 10 B f (Process Invariants)1 791 1 720 4902 t 10 R f ( can)1 166( We)1 191( correctness requirement that is local to a process.)8 2011(A first method to use assertions is to formalize a)9 1952 4 720 5058 t ( the following example)3 924( Consider)1 411(call such a requirement a ``process invariant.'')6 1858 3 720 5178 t 8 CW f (byte state = 1;)3 720 1 864 5328 t (proctype A\(\) { \(state == 1\) -> state = state + 1 })12 2400 1 864 5428 t (proctype B\(\) { \(state == 1\) -> state = state \261 1 })12 2400 1 864 5528 t (init { run A\(\); run B\(\) })6 1200 1 864 5628 t 10 R f (We could try to claim that when a process of type)10 2055 1 720 5808 t 9 CW f (A\(\))2805 5808 w 10 R f ( of variable)2 470(completes the value)2 807 2 2999 5808 t 9 CW f (state)4307 5808 w 10 R f (must be 2,)2 430 1 4610 5808 t ( process of type)3 644(and when a)2 466 2 720 5928 t 9 CW f (B\(\))1858 5928 w 10 R f ( could be expressed with two process invari-)7 1812( This)1 233(completes it must be 0.)4 945 3 2050 5928 t (ants as follows.)2 619 1 720 6048 t 8 CW f (byte state = 1;)3 720 1 864 6198 t (proctype A\(\))1 576 1 864 6298 t ( == 1\) -> state = state + 1;)8 1344({ \(state)1 672 2 864 6398 t (assert\(state == 2\))2 864 1 1248 6498 t (})864 6598 w (proctype B\(\))1 576 1 864 6698 
t ( == 1\) -> state = state \261 1;)8 1344({ \(state)1 672 2 864 6798 t (assert\(state == 0\))2 864 1 1248 6898 t (})864 6998 w (init { run A\(\); run B\(\) })6 1200 1 864 7098 t 10 R f (The claims are false, and an automated validator could easily produce a scenario to prove it.)15 3672 1 720 7278 t cleartomark showpage saveobj restore %%EndPage: 14 16 %%Page: 15 17 /saveobj save def mark 17 pagesetup 10 R f (- 15 -)2 216 1 2772 480 t 10 B f (System Invariants)1 775 1 720 840 t 10 R f (A more general application of the)5 1364 1 720 996 t 9 CW f (assert)2111 996 w 10 R f ( Boolean condi-)2 648(statement is to formalize system invariants, i.e.,)6 1928 2 2464 996 t (tions that, if true in the initial system state, remain true in)11 2335 1 720 1116 t 10 I f (all)3084 1116 w 10 R f ( the)1 150(reachable system states, independently of)4 1671 2 3219 1116 t ( express this in)3 627( To)1 171( each specific state.)3 805(execution sequence that leads to)4 1322 4 720 1236 t 8 R f (PROMELA)3680 1236 w 10 R f (, it suffices to place the)5 976 1 4064 1236 t (system invariant by itself in a separate, ``monitor'' process)8 2354 1 720 1356 t 8 CW f (proctype monitor\(\) { assert\(invariant\) })4 1920 1 864 1506 t 10 R f (Once an instance of the process type)6 1475 1 720 1686 t 9 CW f (monitor)2221 1686 w 10 R f ( with a regular)3 591(has been started \(the name is irrelevant\),)6 1633 2 2627 1686 t 9 CW f (run)4878 1686 w 10 R f ( any)1 171( can decide to evaluate the assertion at)7 1553( It)1 114(statement, it executes independently of the rest of the system.)9 2482 4 720 1806 t (time; its)1 334 1 720 1926 t 9 CW f (assert)1085 1926 w 10 R f ( exhaustive)1 460( An)1 180(statement can become executable in every reachable state of the system.)10 2958 3 1442 1926 t ( scenario exists where the monitor)5 1412(check of correctness for the system should be able to determine if any)12 2908 2 720 2046 t (process executes the invariant just when it happens to be false.)10 2498 1 720 2166 t 
10 B f (Question:)720 2322 w 10 R f (can we remove the ACCEPT macro from our earlier)8 2169 1 1171 2322 t 8 R f (PROMELA)3370 2322 w 10 R f (specification from the receiver)3 1251 1 3789 2322 t ( yes, show how; if no, why not?)7 1274( If)1 116(process and place it into a separate monitor process?)8 2095 3 720 2442 t 10 S1 f ()4230 2442 w cleartomark saveobj restore %%BeginGlobal /build_sq { pop size 2 div /side exch def currentpoint newpath moveto 0 side rlineto side 0 rlineto 0 side neg rlineto closepath font B eq {fill} {stroke} ifelse } def %%EndGlobal /saveobj save def mark 10 S1 f 4230 2442 m 50 build_sq 4280 2442 m 10 B f ( LABELS)1 421(4.2. VALIDATION)1 850 2 720 2682 t (End State Labels)2 729 1 720 2922 t 10 R f ( after a finite number of state transitions, or)8 1757(In a finite state system, all execution sequences either terminate)9 2563 2 720 3078 t ( all terminating sequences, however, are necessarily bad.)7 2308( Not)1 206(they cycle back to a previously visited state.)7 1806 3 720 3198 t ( in a)2 198(In order to define what an invalid end-state)7 1805 2 720 3318 t 8 R f (PROMELA)2761 3318 w 10 R f (model is, we must be able to distinguish the)8 1857 1 3183 3318 t (expected, or)1 490 1 720 3438 t 10 I f (valid)1237 3438 w 10 R f ( term ``invalid end-state'' includes)4 1394( The)1 207(, end-states from the unexpected, or invalid, ones.)7 2002 3 1437 3438 t ( of a logical incompleteness of the protocol)7 1812(deadlock states, but also many error states that are the result)10 2508 2 720 3558 t ( classic example of the latter is the)7 1378(specification. 
The)1 740 2 720 3678 t 10 I f (unspecified reception)1 857 1 2863 3678 t 10 R f (.)3720 3678 w ( in a terminating execution sequence must satisfy the following two criteria to be)13 3297(By default, the final state)4 1023 2 720 3834 t (considered a valid end-state:)3 1139 1 720 3954 t 7 S1 f ()864 4110 w 864 4110 m 53 build_ci 917 4110 m 10 R f (Every process that was instantiated has reached the end of its code.)11 2677 1 967 4110 t 7 S1 f ()864 4230 w 864 4230 m 53 build_ci 917 4230 m 10 R f (All message channels are empty.)4 1311 1 967 4230 t ( can be perfectly valid, for instance, for)7 1661( It)1 124( necessarily reach the end of their code.)7 1669(But not all processes)3 866 4 720 4386 t ( transaction is completed,)3 1060(server processes to enter a wait state, ready to spring back into action, after a)14 3260 2 720 4506 t ( must be able, therefore, to identify individ-)7 1766( We)1 191( all user processes have terminated.)5 1428(immune to the fact that)4 935 4 720 4626 t ( program block in a)4 870( that by default only the end of the)8 1560( \(Note)1 300(ual process states as valid end-states.)5 1590 4 720 4746 t 9 CW f (proctype)720 4866 w 10 R f ( can be done with)4 748( This)1 239( a valid end-state.\))3 770(definition, i.e., the closing curly brace, is)6 1694 4 1187 4866 t 10 I f (end-state)4674 4866 w 10 R f ( following example, for instance, specifies a binary semaphore, that accepts)10 3028(labels. 
The)1 464 2 720 4986 t 9 CW f (P)4235 4986 w 10 R f (and)4314 4986 w 9 CW f (V)4481 4986 w 10 R f (messages in)1 480 1 4560 4986 t (strict alternation via a synchronous channel)5 1733 1 720 5106 t 9 CW f (sema.)2476 5106 w 8 CW f (chan sema = [0] of { byte };)7 1344 1 864 5256 t (proctype dijkstra\(\))1 912 1 864 5456 t ({)864 5556 w (end: do)1 480 1 864 5656 t (:: sema!p -> sema?v)3 912 1 1248 5756 t (od)1248 5856 w (})864 5956 w 10 R f ( is non-terminating, but it should always be in its initial state, at the start of the loop, when a)19 3834(The process)1 486 2 720 6136 t ( more than one valid end-state within a single)8 1852( there is)2 326( If)1 121(system execution sequence terminates.)3 1562 4 720 6256 t 9 CW f (proctype)4608 6256 w 10 R f ( that has)2 341( end-state label is defined to be any label-name)8 1903( An)1 175(definition, all label-names must still be unique.)6 1901 4 720 6376 t (a three-character prefix)2 928 1 720 6496 t 9 CW f (end)1671 6496 w 9 R f (.)1833 6496 w 10 R f (So it is valid to use variations such as)8 1500 1 1906 6496 t 9 CW f (enddne)3429 6496 w 9 R f (,)3753 6496 w 9 CW f (end0)3799 6496 w 9 R f (,)4015 6496 w 9 CW f (end_war)4061 6496 w 9 R f (.)4439 6496 w 10 B f (Progress State Labels)2 921 1 720 6736 t 10 R f (The analyzer)1 530 1 720 6892 t 8 R f (SPIN)1288 6892 w 10 R f ( question then is, of)4 842( The)1 219( find all invalid cyclic execution sequences.)6 1828(can be asked to)3 651 4 1500 6892 t ( invalid cyclic execution)3 1051( An)1 196( makes a cyclic execution sequence either valid or invalid.)9 2544(course, what)1 529 4 720 7012 t ( to be a finite sequence of statements that can be repeated infinitely often, without)14 3507(sequence is defined)2 813 2 720 7132 t ( which statement\(s\) in the)4 1128( user can specify precisely)4 1152( The)1 230(achieving any ``progress'' in the protocol.)5 1810 4 720 7252 t cleartomark showpage saveobj restore %%EndPage: 15 17 %%Page: 16 18 /saveobj save def mark 18 pagesetup 10 R f (- 
16 -)2 216 1 2772 480 t ( can be the increment of a sequence num-)8 1672( example of such a statement)5 1161( An)1 173(specification constitute progress.)2 1314 4 720 840 t ( such states are labeled with the word ``progress,'')8 2014( All)1 178( message, etc.)2 554(ber, the acceptance of a newly received)6 1574 4 720 960 t (just like the end-state labels before.)5 1414 1 720 1080 t ( can recognize the successful passing of a semaphore test as ``progress.'')11 3073(In the semaphore example we)4 1247 2 720 1236 t ( we can express the correctness criterion that the passing of the)11 2634(Simply by marking it as a progress state)7 1686 2 720 1356 t ( be postponed infinitely long, e.g., by an infinite execution cycle \(in the remainder)13 3339(semaphore guard cannot)2 981 2 720 1476 t (of the system\) that does not pass the progress state of any process of type)14 2923 1 720 1596 t 9 CW f (dijkstra)3666 1596 w 9 R f (.)4098 1596 w 8 CW f (proctype dijkstra\(\))1 912 1 864 1746 t ({)864 1846 w (end: do)1 480 1 864 1946 t (:: sema!p ->)2 576 1 1248 2046 t (progress: sema?v)1 1056 1 864 2146 t (od)1248 2246 w (})864 2346 w 10 R f ( a progress-state label, variations with a common prefix are again valid:)11 3070(If more than one state carries)5 1250 2 720 2526 t 9 CW f (progress0)720 2646 w 9 R f (,)1206 2646 w 9 CW f (progressisslow)1266 2646 w 9 R f (,)2022 2646 w 10 R f ( more progress states are defined, they all carry the same)10 2393( If)1 129(and so on.)2 434 3 2084 2646 t (weight, that is, passing any one of them will be considered progress.)11 2730 1 720 2766 t 10 B f (Question:)720 2922 w 10 R f (How could we use progress labels to show that several statements, potentially divided over more)14 3878 1 1162 2922 t ( consider using an extra monitor process)6 1620( [Hint:)1 290( of the same cycle?)4 768(than one process, are all executed as part)7 1642 4 720 3042 t (and extra messages.])2 828 1 720 3162 t 10 S1 f ()1573 3162 w 1573 3162 m 50 build_sq 1623 3162 m 10 B 
f (Acceptance State Labels)2 1037 1 720 3402 t 10 R f ( of a progress condition, e.g., we want to formalize that some-)11 2553(Suppose we wanted to express the opposite)6 1767 2 720 3558 t (thing)720 3678 w 10 I f (cannot)957 3678 w 10 R f ( An)1 177( like this with acceptance-state labels.)5 1533( can express properties)3 929( We)1 194(happen infinitely often.)2 947 5 1260 3678 t 10 I f (acceptance-state label)1 897 1 720 3798 t 10 R f ( marks a state that)4 729( It)1 113(is any label starting with the character sequence ``accept.'')8 2361 3 1644 3798 t 10 I f (may)4874 3798 w (not)720 3918 w 10 R f (be part of a sequence of states that can be repeated infinitely often.)12 2662 1 873 3918 t ( label in)2 352(For example, if we replace the progress-state)6 1876 2 720 4074 t 9 CW f (proctype dijkstra\(\))1 1010 1 2986 4074 t 10 R f (with an acceptance-state)2 1004 1 4036 4074 t (label)720 4194 w 8 CW f (proctype dijkstra\(\))1 912 1 864 4344 t ({)864 4444 w (end: do)1 480 1 864 4544 t (:: sema!p ->)2 576 1 1248 4644 t (accept: sema?v)1 1056 1 864 4744 t (od)1248 4844 w (})864 4944 w 10 R f (we claim that it is impossible to cycle through a series of)11 2295 1 720 5124 t 9 CW f (p)3041 5124 w 10 R f (and)3123 5124 w 9 CW f (v)3293 5124 w 10 R f ( claim, of course, is vio-)5 983(operations. \(The)1 682 2 3375 5124 t (lated for all correct implementations of the semaphore.\))7 2223 1 720 5244 t (Again, all variations, such as)4 1154 1 720 5400 t 9 CW f (acceptor)1897 5400 w 9 R f (,)2329 5400 w 9 CW f (acceptable)2375 5400 w 9 R f (,)2915 5400 w 10 R f (and)2963 5400 w 9 CW f (accept_yo)3130 5400 w 9 R f (,)3616 5400 w 10 R f (are allowed.)1 487 1 3664 5400 t 10 B f ( CLAIMS [skip on a first reading])6 1456(4.3. 
TEMPORAL)1 778 2 720 5640 t 10 R f ( and the most rarely used, method for expressing correctness)9 2480(We now come to the last, the most powerful,)8 1840 2 720 5796 t (requirements on)1 651 1 720 5916 t 8 R f (PROMELA)1401 5916 w 10 R f ( the complexity of the validations is higher for)8 1886( Unavoidably,)1 595(validation models.)1 744 3 1815 5916 t ( and end-state labels can be checked)6 1457( Assertions)1 474( other requirements.)2 805(temporal claims than it is for any of the)8 1584 4 720 6036 t ( finally temporal claims.)3 1019(most efficiently, then progress-state labels, followed by accept-state labels, and)9 3301 2 720 6156 t ( instance, how temporal claims can be used to express linear-time temporal)11 3143(We will illustrate below, for)4 1177 2 720 6276 t (logic formulae.)1 610 1 720 6396 t 10 B f (The Never Primitive)2 870 1 720 6636 t 10 R f (The syntax of a temporal claim is as follows.)8 1795 1 720 6792 t 8 CW f (never { ...body... })3 960 1 864 6942 t 10 R f (where)720 7122 w 9 CW f (never)994 7122 w 10 R f ( the keyword)2 539(is a keyword, comparable to)4 1160 2 1297 7122 t 9 CW f (proctype)3028 7122 w 9 R f (,)3460 7122 w 10 R f (and)3517 7122 w 9 CW f (body)3693 7122 w 10 R f (is a behavior specification.)3 1097 1 3943 7122 t (The)720 7242 w 9 CW f (never)900 7242 w 10 R f ( that is claimed to be)5 835(claim expresses behavior)2 1007 2 1197 7242 t 10 I f (impossible)3065 7242 w 10 R f ( correctness violation occurs if and)5 1399(. 
A)1 148 2 3493 7242 t cleartomark showpage saveobj restore %%EndPage: 16 18 %%Page: 17 19 /saveobj save def mark 19 pagesetup 10 R f (- 17 -)2 216 1 2772 480 t ( be completely)2 602(only if a temporal claim can)5 1153 2 720 840 t 10 I f (matched)2507 840 w 10 R f ( can be only one)4 682( There)1 289(by a system behavior.)3 892 3 2877 840 t 9 CW f (never)4770 840 w 10 R f (claim per validation model.)3 1099 1 720 960 t ( system behavior, but they for-)5 1271(Confusing at first may be that temporal claims do not specify independent)11 3049 2 720 1116 t (malize claims about)2 835 1 720 1236 t 10 I f (existing)1598 1236 w 10 R f ( system behavior does not change when a temporal)8 2171( The)1 222(system behavior.)1 695 3 1952 1236 t (claim is added or removed: it is completely specified by the)10 2386 1 720 1356 t 9 CW f (init)3129 1356 w 10 R f (clause and the)2 565 1 3370 1356 t 9 CW f (proctype)3958 1356 w 10 R f (definitions.)4415 1356 w (Formally, a)1 471 1 720 1512 t 9 CW f (never)1224 1512 w 10 R f ( Every)1 299( labeling of reachable system states with boolean propositions.)8 2588(claim defines a)2 624 3 1529 1512 t ( interpreted as a proposition, where the executability of the state-)10 2632(statement in a temporal claim is therefore)6 1688 2 720 1632 t (ment defines the truth-value.)3 1148 1 720 1752 t 10 B f (Labeling System States)2 989 1 720 1992 t 10 R f ( first statement \(i.e., proposi-)4 1177( The)1 210( claim matching can be explained as follows.)7 1832(The mechanics of temporal)3 1101 4 720 2148 t ( \(The)1 245(tion\) in the body of a temporal claim labels the first reachable system state of the validation model.)17 4075 2 720 2268 t (system state that is reached)4 1127 1 720 2388 t 10 I f (after)1882 2388 w 10 R f (first statement in the)3 849 1 2106 2388 t 9 CW f (init)2989 2388 w 10 R f ( every new)2 459( For)1 200(process has been executed.\))3 1140 3 3241 2388 t ( of the)2 275(reachable system state along an execution path, the executability of 
the corresponding proposition)12 4045 2 720 2508 t ( things can happen.)3 771( Two)1 233(temporal claim must be evaluated.)4 1373 3 720 2628 t 10 S1 f ()720 2784 w 720 2784 m 50 build_sq 770 2784 m 10 R f ( statement is executable, and thus the implicit proposition is true, the state of the temporal claim is)17 3962(If the)1 214 2 864 2784 t (updated with a move to its next statement \(i.e., it ``executes'' the statement\).)12 3062 1 864 2904 t 10 S1 f ()720 3060 w 720 3060 m 50 build_sq 770 3060 m 10 R f ( is)1 94(If the statement)2 623 2 864 3060 t 10 I f (not)1608 3060 w 10 R f (executable, and thus the implicit proposition is false, this means that the behavior)12 3277 1 1763 3060 t (performed by the)2 691 1 864 3180 t 8 R f (PROMELA)1577 3180 w 10 R f (validation model can)2 842 1 1988 3180 t 10 I f (not)2857 3180 w 10 R f ( automated validator,)2 848( An)1 173( the claim.)2 421(be matched by)2 586 4 3012 3180 t (such as)1 294 1 864 3300 t 8 R f (SPIN)1186 3300 w 10 R f ( search for errors \(since no future pattern of system behaviors)10 2494(, will in this case truncate the)6 1186 2 1360 3300 t ( match of the temporal claim\) and continue the search by inspecting other reach-)13 3264(can lead to a complete)4 912 2 864 3420 t (able system states.)2 741 1 864 3540 t ( curly)1 242(The temporal claim is completely matched if and when it reaches its normal end-state \(the closing)15 4078 2 720 3696 t ( The)1 211( held for the reachable system states along some execution path.)10 2619(brace\), meaning that all propositions)4 1490 3 720 3816 t ( the temporal claim is then violated and an error has been found.)12 2774(correctness requirement expressed by)3 1546 2 720 3936 t ( match can, however, always be)5 1291( The)1 209( an end-state label to match a claim.)7 1464(\(Note: it is not sufficient to reach)6 1356 4 720 4056 t (forced with a jump to the normal end state.\))8 1750 1 720 4176 t ( we will also show how they)6 1144( Below,)1 337( behaviors.)1 439(Temporal 
claims can thus be used to trap illegal terminating)9 2400 4 720 4332 t (can be used to catch illegal cyclic behaviors.)7 1779 1 720 4452 t (Two things make temporal claims a little harder to define than process behaviors.)12 3253 1 720 4608 t 10 S1 f ()720 4764 w 720 4764 m 50 build_sq 770 4764 m 10 R f ( and therefore it must be side-effect)6 1466(Every ``statement'' in a temporal claim must model a proposition,)9 2710 2 864 4764 t ( proposi-)1 364( The)1 211( operations, etc.\), that is, it is a pure condition.)9 1908(free \(i.e., no assignments, receive or send)6 1693 4 864 4884 t (tions in a temporal claim do not \(should not\) define but ``monitor'' system behavior.)13 3386 1 864 5004 t 10 S1 f ()720 5160 w 720 5160 m 50 build_sq 770 5160 m 10 R f ( of propositions listed in a temporal claim must match the system behavior)12 3018(To violate a claim, the series)5 1158 2 864 5160 t (at every single step of system execution.)6 1617 1 864 5280 t (If, for instance, we want to say that whenever some proposition)10 2604 1 720 5436 t 9 CW f (P)3354 5436 w 10 R f ( always the case that)4 852(becomes true, it is)3 748 2 3440 5436 t (eventually another proposition)2 1221 1 720 5556 t 9 CW f (Q)1964 5556 w 10 R f (becomes true, we would be tempted to express this claim as follows:)11 2741 1 2043 5556 t 8 CW f (never {)1 336 1 864 5706 t (P -> Q)2 288 1 1248 5806 t (})864 5906 w 10 R f (The syntax for the body of the claim is precisely that of)11 2238 1 720 6086 t 9 CW f (proctype)2983 6086 w 10 R f (bodies \(convenient, but potentially con-)4 1598 1 3442 6086 t ( propositions must be)3 877(fusing, because the semantics of execution are different\), with the exception that the)12 3443 2 720 6206 t ( not express the right correctness)5 1421( above claim, though syntactically correct, does)6 2028( The)1 226(side-effect free.)1 645 4 720 6326 t ( expresses that it would be an error if proposition)9 1979(requirement. 
It)1 621 2 720 6446 t 9 CW f (P)3345 6446 w 10 R f (is true in the first reachable system state)7 1614 1 3426 6446 t (and)720 6566 w 9 CW f (Q)887 6566 w 10 R f (is true in the state that)5 880 1 966 6566 t 10 I f (immediately)1871 6566 w 10 R f (\(not eventually\) follows it.)3 1066 1 2384 6566 t 10 B f (Matching Behavior)1 825 1 720 6806 t 10 R f ( allow for preceding or intermediate events, for instance for the possibility that)12 3178(If we want to)3 535 2 720 6962 t 9 CW f (P)4459 6962 w 10 R f (remains true)1 499 1 4541 6962 t ( toggles between true and false after it has become true at least once, we have to)16 3194(for some amount of time, or)5 1126 2 720 7082 t ( leads to the following revision of the claim)8 1743( This)1 228(say so explicitly.)2 675 3 720 7202 t cleartomark showpage saveobj restore %%EndPage: 17 19 %%Page: 18 20 /saveobj save def mark 20 pagesetup 10 R f (- 18 -)2 216 1 2772 480 t 8 CW f (never {)1 336 1 864 820 t (S0: do)1 480 1 864 920 t ( */)1 432( or, equivalently: skip)3 1104( /*)1 384(:: P || !P)3 480 4 1248 1020 t (:: P -> break)3 624 1 1248 1120 t (od;)1248 1220 w (S1: do)1 480 1 864 1320 t (:: !Q)1 240 1 1248 1420 t (:: Q -> break)3 624 1 1248 1520 t (od;)1248 1620 w ( if reached: claim is matched */)6 1536( /*)1 672(S2: skip)1 576 3 864 1720 t (})864 1820 w 10 R f ( the first state proposition)4 1058( In)1 142(This claim has three ``states.'')4 1247 3 720 2000 t 9 CW f (P)3199 2000 w 10 R f (may be either true or false for an arbitrary)8 1752 1 3288 2000 t ( any time when)3 628( At)1 155(number of steps.)2 673 3 720 2120 t 9 CW f (P)2204 2120 w 10 R f (is true, a transition can be made to the second state, which can only)13 2752 1 2288 2120 t (be left when)2 493 1 720 2240 t 9 CW f (Q)1236 2240 w 10 R f ( temporal claim reaches its end-state only when both events happen.)10 2720( The)1 205(is true.)1 272 3 1315 2240 t 10 B f (Inverting a Claim)2 761 1 720 2480 t 10 R f (Temporal claims are named)3 1132 1 720 2636 t 9 CW f 
(never)1882 2636 w 9 R f (,)2152 2636 w 10 R f (to indicate that they express behavior that should)7 2005 1 2207 2636 t 10 B f (never)4244 2636 w 10 R f (happen. The)1 526 1 4514 2636 t (temporal claim is)2 706 1 720 2756 t 10 B f (violated)1457 2756 w 10 R f ( Our)1 210( when the end state is reached\).)6 1279(, not satisfied, when they are matched \(i.e.,)7 1755 3 1796 2756 t ( proposition)1 493(example correctness requirement stated that whenever some)6 2465 2 720 2876 t 9 CW f (P)3713 2876 w 10 R f (becomes true, it is always the)5 1236 1 3804 2876 t (case that eventually another proposition)4 1628 1 720 2996 t 9 CW f (Q)2380 2996 w 10 R f ( we produced above, therefore, is)5 1366( last claim)2 429( The)1 214(becomes true.)1 563 4 2468 2996 t ( get the right claim we must invert the above)9 1838( To)1 166( unlikely to happen in practice.\))5 1295( \(Not)1 238(still not quite right.)3 783 5 720 3116 t ( correctness claim is only violated when the truth of)9 2135( do this, notice that our)5 962(specification. 
To)1 704 3 720 3236 t 9 CW f (P)4551 3236 w 10 R f (is)4637 3236 w 10 I f (not)4736 3236 w 10 R f (fol-)4896 3236 w (lowed by the eventual truth of)5 1241 1 720 3356 t 9 CW f (Q)1992 3356 w 9 R f (.)2046 3356 w 10 R f ( forever, in an infinite cycle, or the)7 1451(This happens when Q remains false)5 1462 2 2127 3356 t ( already know how to match terminating)6 1638( We)1 191( Q ever becoming true.)4 929(execution sequence terminates without)3 1562 4 720 3476 t (behaviors, but not cyclic behaviors.)4 1420 1 720 3596 t 10 B f (Matching Cyclic Behaviors)2 1155 1 720 3836 t 10 R f ( a)1 71(A cyclic behavior is matched in a temporal claim precisely as it is matched elsewhere in)15 3533 2 720 3992 t 8 R f (PROMELA)4351 3992 w 10 R f (model:)4762 3992 w ( example:)1 391( For)1 189(with acceptance labels.)2 922 3 720 4112 t 8 CW f (never {)1 336 1 864 4262 t (do)1248 4362 w (:: skip)1 336 1 1248 4462 t (:: P -> break)3 624 1 1248 4562 t (od;)1248 4662 w (accept: do)1 480 1 864 4762 t (:: !Q)1 240 1 1248 4862 t (od)1248 4962 w (})864 5062 w 10 R f ( fact,)1 211( In)1 145( violation when a cycle is detected through the accept label, as before.)12 2937(Would trap a correctness)3 1027 4 720 5242 t ( trap errors.)2 470(acceptance labels, progress state labels, and assertions can freely be used in temporal claims to)14 3850 2 720 5362 t (End-state labels, however, have no meaning inside temporal claims.)8 2715 1 720 5482 t (Adding a check for the second case, for terminating executions, produces the following extension:)13 3923 1 720 5638 t 8 CW f (never {)1 336 1 864 5788 t (do)1248 5888 w (:: skip)1 336 1 1248 5988 t (:: P -> break)3 624 1 1248 6088 t (od;)1248 6188 w (accept: do)1 480 1 864 6288 t (:: !Q)1 240 1 1248 6388 t (:: timeout && !Q -> break)5 1200 1 1248 6488 t (od)1248 6588 w (})864 6688 w 10 R f (The keyword)1 539 1 720 6868 t 9 CW f (timeout)1292 6868 w 10 R f (has a special meaning in)4 1016 1 1705 6868 t 8 R f (PROMELA)2756 6868 w 10 R f ( only when no further)4 
909( becomes executable)2 845(. It)1 146 3 3140 6868 t ( is true in end-states and it can be used to model recovery)12 2422( This)1 240(action is possible in a validation model.)6 1658 3 720 6988 t ( the above example, the)4 977( In)1 141(from potential deadlock states \(e.g., after message loss\).)7 2293 3 720 7108 t 9 CW f (timeout)4162 7108 w 10 R f (option only)1 467 1 4573 7108 t ( if it terminates while)4 871( Clearly,)1 373( the system has terminated.)4 1101(becomes executable \(true as a proposition\) when)6 1975 4 720 7228 t cleartomark showpage saveobj restore %%EndPage: 18 20 %%Page: 19 21 /saveobj save def mark 21 pagesetup 10 R f (- 19 -)2 216 1 2772 480 t 9 CW f (Q)720 840 w 10 R f (is false, we have another correctness violation.)6 1862 1 799 840 t ( effort, temporal claims used in combination with acceptance-state labels can express also the)13 3874(With some)1 446 2 720 996 t ( The)1 221( labels.)1 299( claims are therefore more general than progress-state)7 2259( The)1 222(absence of non-progress cycles.)3 1319 5 720 1116 t ( progress-state labels, however, is smaller)5 1676(expense \(complexity\) of finding non-progress cycles directly with)7 2644 2 720 1236 t (than the expense of the validation of a claim that specifies the same property.)13 3083 1 720 1356 t 10 B f (Linear-Time Temporal Logic)2 1255 1 720 1596 t 10 R f ( logic formulae that they believed)5 1370(Zohar Manna and Amir Pnueli recently defined three classes of temporal)10 2950 2 720 1752 t ( Pnueli '90] The)3 694(together cover ``the majority of properties one would ever wish to verify.'' [Manna &)13 3626 2 720 1872 t ( quotes below are taken from [Manna &)7 1655( The)1 212(properties are named Invariance, Response, and Precedence.)6 2453 3 720 1992 t ( give an example of the representation in)7 1627( We)1 188(Pnueli '90].)1 472 3 720 2112 t 8 R f (PROMELA)3032 2112 w 10 R f (for each type of claim.)4 900 1 3441 2112 t 10 B f (Invariance Claims)1 786 1 720 2352 t 10 PA f ( over 
all)2 359(``An invariance property refers to an assertion p, and requires that p is an invariant)14 3673 2 864 2556 t ( in a computation of P satisfy p.)7 1423(the computations of a program P, i.e., all the states arising)10 2609 2 864 2676 t (In temporal logic notation, such properties are expressed by)8 2653 1 864 2786 t 10 S1 f ()3542 2786 w 3542 2786 m 50 build_sq 3592 2786 m 10 PA f (p, for a state formula p.'')5 1090 1 3617 2786 t 10 R f (The corresponding temporal claim in)4 1481 1 720 2990 t 8 R f (PROMELA)2226 2990 w 10 R f (is as follows.)2 525 1 2635 2990 t 8 CW f (never {)1 336 1 864 3140 t (do)1248 3240 w (:: p)1 192 1 1248 3340 t (:: !p -> break)3 672 1 1248 3440 t (od)1248 3540 w (})864 3640 w 10 R f (where p is the required proposition.)5 1420 1 720 3820 t 10 B f (Response Claims)1 725 1 720 4060 t 10 PA f ( and q, and requires that every p-state \(a)8 1866(``A response property refers to two assertions p)7 2166 2 864 4300 t ( temporal)1 429( In)1 143( in a computation is eventually followed by a q-state.)9 2348(state satisfying p\) arising)3 1112 4 864 4420 t (logic notation this is written as p =)7 1529 1 864 4530 t 10 S f (> <>)1 190 1 2393 4530 t 10 PA f (q.'')2608 4530 w 10 R f (The symbol =)2 558 1 720 4734 t 10 S f (>)1278 4734 w 10 R f (used here is not the logical implication symbol -)8 1935 1 1359 4734 t 10 S f (>)3294 4734 w 10 R f (but the)1 277 1 3376 4734 t 10 I f (entails)3680 4734 w 10 R f ( =)1 108(operator, defined as \(p)3 903 2 3974 4734 t 10 S f (>)4985 4734 w 10 R f (q\) ==)1 245 1 720 4854 t 10 S1 f ()1015 4854 w 1015 4854 m 50 build_sq 1065 4854 m 10 R f (\(p -)1 141 1 1090 4854 t 10 S f (>)1231 4854 w 10 R f ( the formula p =)4 644(q\). 
Thus)1 358 2 1311 4854 t 10 S f (> <>)1 190 1 2313 4854 t 10 R f (q means)1 330 1 2528 4854 t 10 S1 f ()2883 4854 w 2883 4854 m 50 build_sq 2933 4854 m 10 R f (\(p -)1 141 1 2958 4854 t 10 S f (> <>)1 190 1 3099 4854 t 10 R f (q\).)3314 4854 w (The corresponding temporal claim in)4 1481 1 720 5010 t 8 R f (PROMELA)2226 5010 w 10 R f (is:)2635 5010 w 8 CW f (never {)1 336 1 864 5160 t (do)1248 5260 w (:: skip)1 336 1 1248 5360 t (:: p && !q -> break)5 912 1 1248 5460 t (od;)1248 5560 w (accept:)864 5660 w (do)1248 5760 w (:: !q)1 240 1 1248 5860 t (od)1248 5960 w (})864 6060 w 10 R f (Note that replacing the)3 936 1 720 6240 t 9 CW f (skip)1687 6240 w 10 R f (with)1936 6240 w 9 CW f (\(!p\))2145 6240 w 10 R f ( of the response)3 656(would cause the claim to only capture violations)7 1990 2 2394 6240 t (claim that follow the very first time proposition p becomes false \(it may well toggle between true and false)18 4320 1 720 6360 t (a few times before the violation occurs\).)6 1610 1 720 6480 t 10 B f (Precedence Claims)1 806 1 720 6720 t 10 PA f ( requires that any)3 806( It)1 126(``A simple precedence property refers to three assertions p, q, and r.)11 3100 3 864 6960 t ( q-interval \(i.e., an interval all of whose states satisfy q\) which, either runs)13 3276(p-state initiates a)2 756 2 864 7080 t ( property is useful to)4 951( a)1 81( Such)1 271(to the end of the computation, or is terminated by an r-state.)11 2729 4 864 7200 t cleartomark showpage saveobj restore %%EndPage: 19 21 %%Page: 20 22 /saveobj save def mark 22 pagesetup 9 R f (- 20 -)2 196 1 2782 470 t 10 PA f ( future event will always be)5 1260(express the restriction that, following a certain condition, one)8 2772 2 864 840 t ( example, it may express the property that, from the)9 2316( For)1 203(preceded by another future event.)4 1513 3 864 960 t ( that)1 207( Note)1 277(time a certain input has arrived, there will be an output before the next input.)14 3548 3 864 1080 t ( actually be produced. 
It only guaran-)6 1688(this does not guarantee [require] that the output will)8 2344 2 864 1200 t ( temporal logic,)2 691( In)1 142( by an output.)3 620(tees [requires] that the next input \(if any\) will be preceded)10 2579 4 864 1320 t (this property is expressed by p =)6 1448 1 864 1430 t 10 S f (>)2312 1430 w 10 PA f (\(q U r\), using the unless operator \(weak until\) U.'')9 2205 1 2392 1430 t 10 R f (The corresponding temporal claim is:)4 1498 1 720 1634 t 8 CW f (never {)1 336 1 864 1784 t (do)1248 1884 w (:: skip)1 336 1 1248 1984 t (:: p && \(!q && !r\) -> goto error)8 1536 1 1248 2084 t (:: p && \( q && !r\) -> break)8 1296 1 1248 2184 t (od;)1248 2284 w (do)1248 2384 w (:: q)1 192 1 1248 2484 t (:: !q && !r -> goto error)6 1200 1 1248 2584 t (od;)1248 2684 w (error: skip)1 576 1 864 2784 t (})864 2884 w 10 R f (Note again that the)3 787 1 720 3064 t 9 CW f (skip)1540 3064 w 10 R f (cannot be replaced with)3 980 1 1791 3064 t 9 CW f (\(!p\))2804 3064 w 10 R f ( All)1 189(without altering the semantics of the claim.)6 1795 2 3056 3064 t (types of linear-time temporal logic formulae can be expressed similarly in)10 3086 1 720 3184 t 8 R f (PROMELA)3844 3184 w 10 R f ( reliable)1 336( most)1 233(. 
The)1 243 3 4228 3184 t ( Brad Glade from Cornell University)5 1543(option to perform this task is probably the preprocessor written by)10 2777 2 720 3304 t ( temporal logic formulae directly into)5 1556( program translates arbitrary)3 1169( Glade's)1 372([Glade '91].)1 499 4 720 3424 t 8 R f (PROMELA)4352 3424 w 9 CW f (never)4770 3424 w 10 R f (claims.)720 3544 w 10 B f (Remote Referencing)1 866 1 720 3784 t 10 R f ( claims, we must be able to refer to the control-flow states and the vari-)14 2931(To get the full benefit of temporal)6 1389 2 720 3940 t ( a protocol sys-)3 619( an example, consider the following claim, referring to)8 2203( As)1 164(able values of running processes.)4 1334 4 720 4060 t (tem with at least one message channel called)7 1844 1 720 4180 t 9 CW f (receiver)2595 4180 w 9 R f (,)3027 4180 w 10 R f (a message type called)3 891 1 3083 4180 t 9 CW f (msg0)4006 4180 w 9 R f (,)4222 4180 w 10 R f (and a process type)3 761 1 4279 4180 t (called)720 4300 w 9 CW f (Receiver)981 4300 w 10 R f (containing at least two statements, labeled)5 1687 1 1438 4300 t 9 CW f (P0)3148 4300 w 10 R f (and)3281 4300 w 9 CW f (P1)3448 4300 w 10 R f (respectively.)3581 4300 w 8 CW f (never {)1 336 1 864 4450 t (do)1248 4550 w (:: len\(receiver\) == 0)3 1008 1 1248 4650 t (:: receiver?[msg0] -> goto accept0)4 1632 1 1248 4750 t (:: receiver?[msg1] -> goto accept1)4 1632 1 1248 4850 t (od;)1248 4950 w (accept0:)864 5050 w (do)1248 5150 w (:: !Receiver[2]:P0)1 864 1 1248 5250 t (od;)1248 5350 w (accept1:)864 5450 w (do)1248 5550 w (:: !Receiver[2]:P1)1 864 1 1248 5650 t (od)1248 5750 w (})864 5850 w 10 R f ( two states that were labeled, and the)7 1490(This claim corresponds to a machine with 4 states: the initial state, the)12 2830 2 720 6030 t ( claim)1 264( The)1 222( the initial system state.)4 1010( least one of three conditions must be true in)9 1935( At)1 168(normal end state.)2 721 6 720 6150 t (remains in this state as long as channel)7 1579 1 720 6270 t 9 CW 
f (receiver)2326 6270 w 10 R f ( a message)2 442( it contains)2 447( If)1 120(is empty.)1 371 4 2787 6270 t 9 CW f (msg0)4195 6270 w 10 R f (or)4441 6270 w 9 CW f (msg1)4552 6270 w 10 R f (it will)1 242 1 4798 6270 t (change state to either)3 854 1 720 6390 t 9 CW f (accept0)1600 6390 w 10 R f (or)2005 6390 w 9 CW f (accept1)2113 6390 w 9 R f (,)2491 6390 w 10 R f ( the transi-)2 431( Once)1 262(depending on the message that was matched.)6 1806 3 2541 6390 t (tion to, for instance, state)4 1038 1 720 6510 t 9 CW f (accept0)1788 6510 w 10 R f (has been made, the claim can only remain in that state if the receiver)13 2842 1 2198 6510 t ( process never)2 598(process will never accept a message with the same sequence number, i.e., if the receiver)14 3722 2 720 6630 t (passes the state labeled)3 923 1 720 6750 t 9 CW f (P0)1666 6750 w 9 R f (.)1774 6750 w 10 R f ( the process type)3 671(There can be many instantiations of)5 1428 2 720 6906 t 9 CW f (Receiver)2843 6906 w 10 R f (so we need some way of specifying exactly)7 1739 1 3301 6906 t ( is the only time that we)6 961( This)1 228(which particular instantiation we mean when we refer to the state of a process.)13 3131 3 720 7026 t ( able to refer to the)5 801(need to be)2 426 2 720 7146 t 10 I f (instantiation number)1 846 1 1981 7146 t 10 R f (or the)1 239 1 2861 7146 t 9 CW f (pid)3132 7146 w 10 R f ( The)1 214(of a process.)2 519 2 3328 7146 t 9 CW f (pid)4093 7146 w 10 R f (of a process is the)4 751 1 4289 7146 t (number that is returned by the)5 1236 1 720 7266 t 9 CW f (run)1986 7266 w 10 R f ( The)1 212(operator, when a process is instantiated.)5 1629 2 2180 7266 t 9 CW f (pid)4051 7266 w 9 R f (s)4213 7266 w 10 R f ( the)1 153(are assigned in)2 607 2 4280 7266 t cleartomark showpage saveobj restore %%EndPage: 20 22 %%Page: 21 23 /saveobj save def mark 23 pagesetup 10 R f (- 21 -)2 216 1 2772 480 t ( initial process)2 613( The)1 220( may be recycled when processes die.)6 1588(order in which processes are 
started, but they)7 1899 4 720 840 t ( A)1 128(always has pid zero, and its number is never recycled.)9 2207 2 720 960 t 9 CW f (pid)3084 960 w 10 R f ( be inferred from the pro-)5 1041(can usually easily)2 722 2 3277 960 t ( process that is instantiated in this system, its)8 1806( the receiver process is the second)6 1357( Since)1 272(gram text.)1 405 4 720 1080 t 9 CW f (pid)4584 1080 w 10 R f (is two.)1 268 1 4772 1080 t (We can refer to the receiver process unambiguously as)8 2254 1 720 1200 t 9 CW f (Receiver[2])3006 1200 w 9 R f (.)3600 1200 w 10 R f ( that the receiver is)4 791(The condition)1 567 2 3682 1200 t (currently in the state labeled)4 1175 1 720 1320 t 9 CW f (P0)1929 1320 w 10 R f (is expressed as)2 615 1 2073 1320 t 9 CW f (Receiver[2]:P0)2722 1320 w 9 R f (.)3478 1320 w 10 R f ( the)1 159(The condition is false whenever)4 1319 2 3562 1320 t (second process that was instantiated is in any state other than at label)12 2757 1 720 1440 t 9 CW f (P0)3500 1440 w 10 R f (of process type)2 604 1 3633 1440 t 9 CW f (Receiver)4260 1440 w 9 R f (.)4692 1440 w 10 R f (The notation)1 510 1 720 1596 t 9 CW f (Receiver[2]:P0)1255 1596 w 10 R f ( more general construct which allows temporal claims)7 2181(is a special case of a)5 821 2 2038 1596 t ( the asynchronous processes defined within a)6 1808(to refer to internal conditions of)5 1283 2 720 1716 t 8 R f (PROMELA)3837 1716 w 10 R f ( reference)1 395(model. 
A)1 398 2 4247 1716 t (to the current value of local variable)6 1776 1 720 1836 t 9 CW f (any)2574 1836 w 10 R f ( is written)2 512(in the receiver process, for instance,)5 1712 2 2816 1836 t 9 CW f (Receiver[2].any)720 1956 w 9 R f (.)1530 1956 w 10 R f (It can be used in arbitrary expressions, such as)8 1854 1 1603 1956 t 8 CW f (assert\(Receiver[2].any < 0\))2 1296 1 864 2106 t 10 R f ( states\) and a period is used to refer)8 1429(In process references, a colon is used to refer to labels \(i.e., control flow)13 2891 2 720 2286 t ( is the integer)3 574( the second case it)4 774( In)1 145( the first case, the value returned is a Boolean.)9 1951( In)1 145(to local variables.)2 731 6 720 2406 t (value of the variable specified.)4 1227 1 720 2526 t 10 B f ( EXAMPLE VALIDATION)2 1200(5. AN)1 269 2 720 2766 t (Lynch's Protocol)1 730 1 720 3006 t 10 R f ( We)1 195( thoroughly.)1 496(With these new tools, we can now validate the correctness of our example protocol more)14 3629 3 720 3162 t ( an)1 127(have already shown that no message is accepted more than once by B, using)13 3161 2 720 3282 t 9 CW f (assert)4039 3282 w 10 R f (statement. This)1 644 1 4396 3282 t (satisfies the second half of the correctness claim that was made on lines 32-33 of the informal specification.)17 4320 1 720 3402 t (To prove also the first half, we must show that:)9 1887 1 720 3522 t 7 S1 f ()864 3678 w 864 3678 m 53 build_ci 917 3678 m 10 R f (Every message fetched by A is received at least once by B.)11 2355 1 967 3678 t ( progress labels,)2 676(The execution sequences we are looking at here are cyclic, that means that we can use)15 3644 2 720 3834 t ( loops are usually identified by a process of elimina-)9 2166( Non-progress)1 601( claims.)1 319(acceptance labels, or temporal)3 1234 4 720 3954 t ( the absence of progress labels\) all execution cycles are considered to be non-)13 3302( default \(i.e., in)3 655(tion. 
By)1 363 3 720 4074 t ( can eliminate cycles from consideration by iden-)7 1971( We)1 188( correctness violations.)2 918(progress loops, and reported as)4 1243 4 720 4194 t ( instance, the statements corresponding to the accep-)7 2136( For)1 194( in the process bodies.)4 905(tifying progress statements)2 1085 4 720 4314 t ( can mark any one of them to rule out)9 1545( We)1 193( statements.)1 477(tance of a correct message in B are clearly progress)9 2105 4 720 4434 t ( leads to the following revised specification for B.)8 2000( This)1 228(cycles in which messages are accepted.)5 1567 3 720 4554 t 8 CW f (1 proctype B\(chan in, out\))4 1248 1 912 4704 t ( */)1 768( message data)2 624( /*)1 1248( mr;)1 192( byte)1 384(2 {)1 144 6 912 4804 t ( mr of last error-free msg */)6 1392( /*)1 1008( last_mr;)1 432(3 byte)1 528 4 912 4904 t ( */)1 624( alternation bit)2 768( /*)1 1248( ar;)1 240(4 bit)1 480 5 912 5004 t ( ar of last error-free msg */)6 1392( /*)1 1152( lar=1;)1 336(5 bit)1 480 4 912 5104 t ( */)1 240( lines 27-31)2 576( /*)1 1248( ini;)1 240(6 bit)1 480 5 912 5204 t (7)912 5304 w (8 do)1 432 1 912 5404 t ( */)1 288( lines 7-10)2 528( /*)1 624( in?error\(mr,ar\) ->)2 912(9 ::)1 432 5 912 5504 t ( lines 8,25,26 */)3 816( /*)1 576(10 out!control\(0\))1 1440 3 864 5604 t ( */)1 288( lines 7-10)2 528( /*)1 672( in?data\(mr,ar\) ->)2 864(11 ::)1 480 5 864 5704 t ( lines 8,25,26 */)3 816( /*)1 528(12 out!control\(1\);)1 1488 3 864 5804 t ( */)1 240( lines 27-31)2 576( /*)1 1152(13 if)1 864 4 864 5904 t ( */)1 240( lines 27-31)2 576( /*)1 672( \(!ini\) ->)2 480(14 ::)1 864 5 864 6004 t ( */)1 240( lines 27-31)2 576( /*)1 480( = 1;)2 240(15 ini)1 1296 5 864 6104 t ( */)1 240( lines 27-31)2 576( /*)1 480( = ar)2 240(16 lar)1 1296 5 864 6204 t ( */)1 240( lines 27-31)2 576( /*)1 816( ini ->)2 336(17 ::)1 864 5 864 6304 t ( */)1 336( line 20)2 384( /*)1 864(18 if)1 1248 4 864 6404 t ( */)1 336( \(ar == lar\) -> /* line 21)7 1248(19 ::)1 1248 3 864 6504 t ( */)1 336( line 
23)2 384( /*)1 384(20 skip)1 1728 4 864 6604 t ( */)1 336( \(ar != lar\) -> /* line 24)7 1248(21 ::)1 1248 3 864 6704 t ( */)1 336( line 24)2 384( /*)1 240( ACCEPT;)1 1296(22 progress:)1 576 5 864 6804 t ( */)1 336( = ar; /* line 22)5 816(23 lar)1 1680 3 864 6904 t ( = mr)2 240(24 last_mr)1 1872 2 864 7004 t (25 fi)1 1248 1 864 7104 t ( */)1 240( lines 27-31)2 576( /*)1 1152(26 fi)1 864 4 864 7204 t cleartomark showpage saveobj restore %%EndPage: 21 23 %%Page: 22 24 /saveobj save def mark 24 pagesetup 10 R f (- 22 -)2 216 1 2772 480 t 8 CW f (27 od)1 480 1 864 820 t (28 })1 192 1 864 920 t 10 R f ( that the correctness)3 843(If we do the validation for non-progress cycles, however, we immediately discover)11 3477 2 720 1100 t ( is a cycle of events where A)7 1184( There)1 287( be violated when messages can be distorted infinitely often.)9 2458(claim can)1 391 4 720 1220 t (send a message, C distorts it, and B rejects it as an error, A retransmits the message, etc.)17 3522 1 720 1340 t ( to us in the search for violations of the)9 1607(After recognizing that this particular scenario is also not of interest)10 2713 2 720 1496 t ( sim-)1 210( The)1 212( eliminate it from the search as well by labeling another statement.)11 2734(correctness criterion, we can)3 1164 4 720 1616 t (plest way is to label the statements in the channel process C.)11 2414 1 720 1736 t 8 CW f ( lower\(chan fromA, toA, fromB, toB\))5 1680(1 proctype)1 528 2 912 1886 t ( d; bit b;)3 480( byte)1 336(2 {)1 192 3 912 1986 t (3)912 2086 w (4 do)1 432 1 912 2186 t ( fromA?data\(d,b\) ->)2 912(5 ::)1 432 2 912 2286 t (6 if)1 816 1 912 2386 t ( */)1 240( correct)1 384( /*)1 480( toB!data\(d,b\))1 672(7 ::)1 816 5 912 2486 t (8 ::)1 816 1 912 2586 t ( distorted */)2 624( /*)1 672( toB!error)1 720(9 progress0:)1 576 4 912 2686 t (10 fi)1 864 1 864 2786 t ( fromB?control\(b\) ->)2 960(11 ::)1 480 2 864 2886 t (12 if)1 864 1 864 2986 t ( toA!control\(b\))1 720(13 ::)1 864 2 864 3086 t (14 ::)1 864 1 864 
3186 t ( toA!error)1 720(15 progress1:)1 624 2 864 3286 t (16 fi)1 864 1 864 3386 t (17 od)1 480 1 864 3486 t (18 })1 240 1 864 3586 t 10 R f ( merely for-)2 480( It)1 113(Of course, this labeling should not be interpreted to state that message distortion is desirable.)14 3727 3 720 3766 t ( the validation any cycle that involves an infinite repetition of)10 2524(malizes the designer's intention to ignore in)6 1796 2 720 3886 t ( also that labels)3 646( Note)1 253( a sequence would be infinitely small...\).)6 1674(message distortion \(the probability of such)5 1747 4 720 4006 t (are placed after the double-colon flags, and not before them \(a label must always prefix a statement\).)16 4023 1 720 4126 t ( is also wise to leave)5 869( It)1 120( cycles proceeds as follows.)4 1147(With these extensions the validation for non-progress)6 2184 4 720 4282 t (the)720 4402 w 9 CW f (printf)865 4402 w 10 R f (statements in)1 525 1 1214 4402 t 9 CW f (ACCEPT)1762 4402 w 10 R f (statements disabled.)1 805 1 2111 4402 t 8 CW f ($ spin -a lynch01)3 816 1 864 4552 t ($ cc -o pan pan.c)4 816 1 864 4652 t 10 R f ( for non-progress loops is listed among the avail-)8 1967( search)1 279( The)1 205(The executable analyzer is compiled as before.)6 1869 4 720 4832 t ( it as follows.)3 539( Check)1 305(able options of the executable validator.)5 1597 3 720 4952 t 8 CW f ( check the options)3 864( #)1 432($ pan -?)2 384 3 864 5102 t (unknown option)1 672 1 864 5202 t (-cN stop at Nth error \(default=1\))5 1584 1 864 5302 t ( non-progress loops)2 912(-l find)1 384 2 864 5402 t (-mN max depth N \(default=10k\))4 1392 1 864 5502 t (-wN hashtable of 2\303N entries \(default=18\))5 1968 1 864 5602 t ($ pan -l)2 384 1 864 5702 t (full statespace search for:)3 1296 1 864 5802 t (assertion violations and non-progress loops)4 2064 1 1248 5902 t (vector 88 byte, depth reached 399, non-progress loops: 0)8 2688 1 864 6002 t (4433 states, stored)2 912 1 1056 6102 t (4 states, linked)2 768 1 1200 6202 t 
( 9476)1 432( total:)1 816(5039 states, matched)2 960 3 1056 6302 t (hash conflicts: 2107 \(resolved\))3 1488 1 864 6402 t (\(max size 2\30318 states, stackframes: 0/108\))5 2016 1 864 6502 t ($)864 6602 w 10 R f ( no non-progress loops were found, which)6 1743( a full state space search \(with 100% coverage\))8 1949( In)1 142(Good news.)1 486 4 720 6782 t ( illustrate also the usage of temporal claims, suppose we)9 2301( To)1 167(proves the correctness requirement we stated.)5 1852 3 720 6902 t ( in the absence of message distortion, there can be no infinite stream of duplicate mes-)15 3509(wanted to show that)3 811 2 720 7022 t ( by the last validation run, but we)7 1352( proof is implied)3 673( The)1 208(sages, without any correct message getting through.)6 2087 4 720 7142 t (can try to express it in a different way with a temporal claim.)12 2437 1 720 7262 t cleartomark showpage saveobj restore %%EndPage: 22 24 %%Page: 23 25 /saveobj save def mark 25 pagesetup 10 R f (- 23 -)2 216 1 2772 480 t (First, we mark line 20 in the specification for B above with the label)13 2730 1 720 840 t 9 CW f (Dup)3473 840 w 10 R f (\(the name is irrelevant\).)3 953 1 3660 840 t 8 CW f ( {)1 96(1 never)1 384 2 912 990 t ( there is no cycle through label ``Dup'' in B that)10 2400(2 /*)1 432 2 912 1090 t ( doesn't also pass through label ``progress'')6 2160(3 *)1 432 2 912 1190 t (4 */)1 480 1 912 1290 t ( do)1 336(5 accept:)1 480 2 912 1390 t ( do)1 384(6 ::)1 816 2 912 1490 t ( && !B[2]:progress)2 864(7 ::!B[2]:Dup)1 1632 2 912 1590 t ( B[2]:Dup -> break)3 864(8 ::)1 1200 2 912 1690 t (9 od;)1 1248 1 912 1790 t (10 do)1 1248 1 864 1890 t ( B[2]:Dup)1 432(11 ::)1 1248 2 864 1990 t ( && !B[2]:progress -> break)4 1296(12 ::!B[2]:Dup)1 1680 2 864 2090 t (13 od)1 1248 1 864 2190 t (14 od)1 864 1 864 2290 t (15 })1 240 1 864 2390 t 10 R f ( The)1 208( propositions, covering all intermediate states.)5 1855(We have to be careful again to specify a complete set of)11 2257 3 720 2570 t ( 
cycles are invalid that consist of a prefix of an arbitrary number of states)14 2949(specification above claims that all)4 1371 2 720 2690 t ( transition to the second half of the claim)8 1669( The)1 209( 6-9\).)1 220(in which process B is at neither of the two labels \(lines)11 2222 4 720 2810 t ( label ``Dup'' \(line 8\), to make sure that the cycle contains at least)13 2657(can only happen when process B is at the)8 1663 2 720 2930 t ( the ``Dup'' state again without passing)6 1713( cycle is completed when B leaves)6 1501( The)1 226(one such occurrence.)2 880 4 720 3050 t (through ``progress'' \(line 12\).)3 1197 1 720 3170 t ( error is reported, confirming that the sce-)7 1738( No)1 181(The validation run shows that this scenario is not feasible.)9 2401 3 720 3326 t (nario is indeed impossible:)3 1075 1 720 3446 t 8 CW f ($ spin -a lynch02)3 816 1 864 3596 t ($ cc -o pan pan.c)4 816 1 864 3696 t ( presence of accept labels disables loop analysis option:)8 2736( #)1 432($ pan -?)2 384 3 864 3796 t (unknown option)1 672 1 864 3896 t (-cN stop at Nth error \(default=1\))5 1584 1 864 3996 t (-mN max depth N \(default=10k\))4 1392 1 864 4096 t (-wN hashtable of 2\303N entries \(default=18\))5 1968 1 864 4196 t ($ pan)1 240 1 864 4296 t (full statespace search on behavior restricted to claim for:)8 2832 1 864 4396 t (assertion violations)1 960 1 1248 4496 t (and absence of acceptance labels in all cycles)7 2208 1 1248 4596 t (vector 88 byte, depth reached 81, errors: 0)7 2064 1 864 4696 t (263 states, stored)2 864 1 1104 4796 t (2 states, linked)2 768 1 1200 4896 t ( 461)1 432( total:)1 816(196 states, matched)2 912 3 1104 4996 t (hash conflicts: 76 \(resolved\))3 1392 1 864 5096 t (\(max size 2\30318 states, stackframes: 0/13\))5 1968 1 864 5196 t 10 B f ( VALIDATION PROBLEMS)2 1262(6. 
LARGE)1 481 2 720 5532 t 10 R f ( is well beyond what can)5 1030(Protocol validation models of practical significance can quickly reach a size that)11 3290 2 720 5688 t (be analyzed with a traditional reachability analysis method \(i.e., the default analysis method of)13 3926 1 720 5808 t 8 R f (SPIN)4681 5808 w 10 R f (dis-)4890 5808 w ( sim-)1 204( A)1 123( for instance, a standard flow control protocol for selective retransmission.)10 2982( Consider,)1 437( far\).)1 194(cussed so)1 380 6 720 5928 t ( protocol derived in [Holzmann '91] includes three processes \(sender, receiver)10 3167(ple validation model for this)4 1153 2 720 6048 t ( state takes 160 bytes of)5 1027( system)1 316( Each)1 262(and channel process\) and four message queues of two slots each.)10 2715 4 720 6168 t ( below lists the total number of reachable states for three different types of)13 3156( table)1 234( The)1 220(memory to store.)2 710 4 720 6288 t (assumptions about the transmission channel, and the resulting size of a complete state space in Megabytes.)15 4264 1 720 6408 t ( tra-)1 166( A)1 125( of storage.)2 452(Assume we want to perform the three validations on a large machine with 128 Megabyte)14 3577 4 720 6564 t ( reachability analysis can give complete coverage of the state spaces for the first two)14 3487(ditional \(exhaustive\))1 833 2 720 6684 t ( limited to the fraction)4 934( the third case the maximum coverage that can be obtained seems to be)13 2953(cases. For)1 433 3 720 6804 t (128)720 6924 w 10 I f (/)878 6924 w 10 R f ( 92 %.)2 224( or 12.)2 258(990. 
1)1 233 3 914 6924 t ( disk-based algo-)2 686( A)1 124(Alas, maintaining the state space on disk instead of in main memory is no real solution.)15 3510 3 720 7080 t ( practice)1 340( In)1 133( algorithm [Holzmann '91].)3 1104(rithm is three to four orders of magnitude slower than an in-memory)11 2743 4 720 7200 t cleartomark showpage saveobj restore %%EndPage: 23 25 %%Page: 24 26 /saveobj save def mark 26 pagesetup 10 R f (- 24 -)2 216 1 2772 480 t 10 HB f (Table 6.1 \320 State Space Sizes for a Sample Problem)9 2499 1 1630 900 t 9 S f (________________________________________________________________________)1260 1040 w (________________________________________________________________________)1260 1060 w 9 H f ( Space Size)2 480( State)1 345( of Reachable States)3 835( Number)1 455(Assumptions about Channel)2 1125 5 1260 1170 t 9 S f (________________________________________________________________________)1260 1200 w 9 H f ( Mbyte)1 270( 14.5)1 835( 90,845)1 1482(Ideal Channel)1 555 4 1260 1320 t ( Mbyte)1 270( 63.4)1 835( 396,123)1 1457(Message Loss)1 580 4 1260 1440 t ( Mbyte)1 270( 990.1)1 835( 6,188,322)1 1255(Loss + Duplications)2 782 4 1260 1560 t 9 S f (________________________________________________________________________)1260 1590 w 10 R f ( states)1 250(this means that even on the fastest machines a disk-based algorithm does not run faster than about 10)17 4070 2 720 1890 t (per second, giving a runtime of more than 7 days to generate six million states.)14 3152 1 720 2010 t (Compiling the analyzers generated by)4 1518 1 720 2166 t 8 R f (SPIN)2264 2166 w 10 R f ( executable that is optimized)4 1151(with a single extra flag produces an)6 1425 2 2464 2166 t (for large state spaces \(see also the Exercises\).)7 1816 1 720 2286 t 8 CW f ( compile a supertrace analyzer)4 1440( #)1 240($ cc -DBITSTATE -o pan pan.c)5 1344 3 864 2436 t ( run it as before)4 816( #)1 1344($ pan)1 240 3 864 2536 t (...)864 2636 w 10 R f ( billion available bits and achieves a 
measured)7 1876(A supertrace search hashes the six million states into the one)10 2444 2 720 2816 t ( for the same problem, taking no more than a few minutes of CPU time.)14 2869( 99%)1 191(coverage of 99.)2 617 3 720 2936 t ( supertrace search gives a superior coverage of the state space for all proto-)13 3050(It can easily be measured that a)6 1270 2 720 3092 t ( where the total state space size is larger than available memory, independent of the protocol or)16 3800(col problems)1 520 2 720 3212 t ( is used provides a random sampling of states from the)10 2301( hashing mechanism that)3 1024( The)1 216(the machines used.)2 779 4 720 3332 t ( details of the super-)4 823( For)1 191( with a high probability of catching errors, should they exist.)10 2440(reachable state space,)2 866 4 720 3452 t (trace algorithm and its implementation in)5 1652 1 720 3572 t 8 R f (SPIN)2397 3572 w 10 R f (, we refer to [Holzmann '91].)5 1171 1 2571 3572 t ( validation labels, all correctness requirements can be checked with a)10 2927(With the exception of acceptance)4 1393 2 720 3728 t ( the default search)3 731( Clearly,)1 370( search for non-progress cycles\).)4 1302(supertrace search \(including, for instance, a fast)6 1917 4 720 3848 t (mode of)1 343 1 720 3968 t 8 R f (SPIN)1101 3968 w 10 R f ( the)1 161(, a traditional reachability analysis, is the preferred method when the estimated size of)13 3604 2 1275 3968 t ( all other cases, a supertrace search)6 1445( In)1 141( of available memory.)3 900(reachable state space is less than the amount)7 1834 4 720 4088 t (will be superior.)2 652 1 720 4208 t 10 B f (7. EXERCISES)1 693 1 720 4448 t ( Search Complexity)2 838(7.1. 
Evaluating)1 668 2 720 4688 t 10 R f ( phenomenon,)1 572(This first problem is meant to give an indication \(appreciation?\) of the state space explosion)14 3748 2 720 4844 t (and how)1 349 1 720 4964 t 8 R f (SPIN)1102 4964 w 10 R f ( consists of eight small exercises using)6 1597( It)1 119(deals with it.)2 530 3 1309 4964 t 8 R f (SPIN)3588 4964 w 10 R f (, numbered)1 457 1 3762 4964 t 10 B f ([1.a])4252 4964 w 10 R f (through)4475 4964 w 10 B f ([1.h])4818 4964 w 10 R f (.)5015 4964 w ( think should happen, write down your predictions, perform the experi-)10 2860(At each step, try to predict what you)7 1460 2 720 5084 t ( not continue until you understand precisely what you observed.)9 2558( Do)1 172(ment, and explain what happened.)4 1364 3 720 5204 t 10 B f ([1.a])720 5360 w 10 R f (How many reachable states do you predict will the following naive)10 2679 1 936 5360 t 8 R f (PROMELA)3640 5360 w 10 R f (system generate?)1 684 1 4049 5360 t 8 CW f ( file: ex.1a */)3 720( /*)1 192(init {)1 288 3 864 5510 t (byte i = 0;)3 528 1 1248 5610 t (do)1248 5710 w (:: i = i+1)3 480 1 1248 5810 t (od)1248 5910 w (})864 6010 w 10 R f (Try a simulation run:)3 847 1 720 6190 t 8 CW f ( print out local vars at every step)7 1680( #)1 336($ spin -p -l ex.1a)4 864 3 864 6340 t (...)864 6440 w 10 R f (Will the simulation terminate?)3 1219 1 720 6620 t 10 S1 f ()1964 6620 w 1964 6620 m 50 build_sq 2014 6620 m 10 B f ([1.b])720 6776 w 10 R f ( Is)1 127( that should be inspected in an exhaustive validation.)8 2152(Estimate the total number of reachable states)6 1815 3 946 6776 t ( it as follows.)3 539( Try)1 194( a validation run terminate?)4 1098( Will)1 228(it a finite number?)3 735 5 720 6896 t 8 CW f ($ spin -a ex.1a)3 720 1 864 7046 t ($ cc -o pan pan.c)4 816 1 864 7146 t ($ pan)1 240 1 864 7246 t cleartomark showpage saveobj restore %%EndPage: 24 26 %%Page: 25 27 /saveobj save def mark 27 pagesetup 10 R f (- 25 -)2 216 1 2772 480 t 8 CW f (...)864 820 w 10 R f (Explain the 
output in detail.)4 1114 1 720 1000 t 10 S1 f ()1859 1000 w 1859 1000 m 50 build_sq 1909 1000 m 10 B f ([1.c])720 1156 w 10 R f (What would happen if you had declared the variable to be a)11 2457 1 937 1156 t 9 CW f (short)3424 1156 w 10 R f (instead of a)2 476 1 3726 1156 t 9 CW f (byte)4233 1156 w 9 R f (?)4449 1156 w 10 R f (What if you)2 493 1 4547 1156 t (use an)1 252 1 720 1276 t 9 CW f (int)995 1276 w 9 R f (?)1157 1276 w 10 R f ([Hint: use Table A.2 from Appendix A.])6 1614 1 1247 1276 t ( check the analyzer's)3 889( [Hint:)1 306( do you explain the result?)5 1142( How)1 261( run.)1 200(Try either of them with a validation)6 1522 6 720 1432 t (defaults by saying)2 727 1 720 1552 t 9 CW f (pan -?)1 324 1 1470 1552 t 9 R f (])1794 1552 w 10 S1 f ()1874 1552 w 1874 1552 m 50 build_sq 1924 1552 m 10 B f ([1.d])720 1708 w 10 R f ( them down as a)4 677( Write)1 284( are for this system.)4 813(Next, predict accurately how many reachable states there)7 2318 4 948 1708 t (complete reachability tree.)2 1061 1 720 1828 t 8 CW f ( 2)1 384(#define N)1 432 2 864 1978 t ( file: ex.1b */)3 720( /*)1 192(init {)1 288 3 864 2078 t (chan dummy = [N] of { byte };)7 1392 1 1248 2178 t (do)1248 2278 w (:: dummy!85)1 528 1 1248 2378 t (:: dummy!170)1 576 1 1248 2478 t (od)1248 2578 w (})864 2678 w 10 R f ( the obvious)2 507( only interested in the size of the state space, not in)11 2124( We're)1 306(Check your prediction as follows.)4 1383 4 720 2858 t ( buffer overflow, so we use the)6 1256(problems caused by)2 801 2 720 2978 t 9 CW f (-m)2803 2978 w 10 R f (option from)1 478 1 2939 2978 t 8 R f (SPIN)3445 2978 w 10 R f (to define that buffer overflow is to)6 1393 1 3647 2978 t ( appended to a full buffer are then lost.\))8 1582( \(Messages)1 471(be ignored.)1 449 3 720 3098 t 8 CW f ( use -m to ignore buffer overflow)6 1584( #)1 336($ spin -m -a ex.1b)4 864 3 864 3248 t ($ cc -o pan pan.c)4 816 1 864 3348 t ($ pan)1 240 1 864 3448 t (...)864 3548 w 10 R f (Explain the result.)2 
730 1 720 3728 t 10 S1 f ()1475 3728 w 1475 3728 m 50 build_sq 1525 3728 m 10 B f ([1.e])720 3884 w 10 R f ( the formula to)3 597( Use)1 207( the number of states as a function of N.)9 1615( Express)1 368( set N to 3 ?)5 490(What happens if you)3 832 6 931 3884 t ( your prediction as follows.)4 1096( Check)1 305(calculate how many states there will be if you set N to 14 ?)13 2360 3 720 4004 t 8 CW f ( use -m to ignore buffer overflow)6 1584( #)1 336($ spin -m -a ex.1b)4 864 3 864 4154 t ( optional: use the optimizer -O)5 1488( #)1 384($ cc -o pan pan.c)4 816 3 864 4254 t ($ time pan)2 480 1 864 4354 t (...)864 4454 w 10 R f (Write down:)1 502 1 720 4634 t (T: the)1 236 1 864 4874 t 10 I f (sum)1125 4874 w 10 R f (of user time plus system time for the run)8 1621 1 1311 4874 t (S: the number of states)4 916 1 864 4994 t 10 I f (stored)1805 4994 w 10 R f (G: the number of)3 685 1 864 5114 t 10 I f (total)1574 5114 w 10 R f (number of states generated and analyzed)5 1620 1 1783 5114 t (V: the vector-size \(the amount of memory needed to store one state\))11 2719 1 864 5234 t ( experiment on)2 619( a kick: do the same)5 841( \(for)1 208(G/T gives you an accurate measure for the efficiency of the run.)11 2652 4 720 5474 t (other validation systems, if you have access to them\).)8 2136 1 720 5594 t ( not the only place)4 786( is)1 103( This)1 239(S*V gives you the amount of memory that was used to store the state space.)14 3192 4 720 5834 t ( memory\) but it is typically the larg-)7 1473(where memory that is used during the search \(the stack also consumes)11 2847 2 720 5954 t (est memory requirement.)2 1001 1 720 6074 t 10 S1 f ()1746 6074 w 1746 6074 m 50 build_sq 1796 6074 m 10 B f ([1.f])720 6230 w 10 R f ( state space storage func-)4 1022(The efficiency of the conventional reachability analysis is determined by the)10 3095 2 923 6230 t ( study this, repeat the last validation run with a smaller and a bigger hash table for the state space:)19 3905(tions. 
To)1 381 2 720 6350 t 8 CW f ( hash table with 2\30310 slots)5 1296( #)1 480($ time pan -w10)3 720 3 864 6500 t (...)864 6600 w ( hash table with 2\30320 slots)5 1296( #)1 480($ time pan -w20)3 720 3 864 6700 t (...)864 6800 w 10 R f ( compare the number of hash conflicts.])6 1588( [Hint:)1 289(Explain the results.)2 769 3 720 6980 t 10 S1 f ()3391 6980 w 3391 6980 m 50 build_sq 3441 6980 m 10 B f ([1.g])720 7136 w 10 R f ( both the number of reachable)5 1199( \(Warning:)1 461( N=20 ?)2 324(How much memory would you need to do a run with)10 2120 4 936 7136 t ( about 30 bytes per state for N=20.\))7 1518( Estimate)1 414( bytes per state goes up with N.)7 1352(states and the number of)4 1036 4 720 7256 t cleartomark showpage saveobj restore %%EndPage: 25 27 %%Page: 26 28 /saveobj save def mark 28 pagesetup 10 R f (- 26 -)2 216 1 2772 480 t ( your system, what maximal fraction of the state-space would you)10 2642(Given that you have about 8 Megabyte on)7 1678 2 720 840 t (expect to be able to analyze ?)6 1174 1 720 960 t (Now set N to 20 and perform a supertrace validation, as follows.)11 2581 1 720 1116 t 8 CW f ( as before)2 480( #)1 720($ spin -m -a ex.1b)4 864 3 864 1266 t ( different)1 480( #)1 240($ cc -DBITSTATE -o pan pan.c)5 1344 3 864 1366 t ($ time pan)2 480 1 864 1466 t (...)864 1566 w 10 R f ( system states)2 570(If you did the calculation, you probably estimated that there should be 2,097,151 reachable)13 3750 2 720 1746 t ( memory was)2 560( much)1 259( How)1 256( percentage of these states was reached in the supertrace run?)10 2561( What)1 278(for N=20.)1 406 6 720 1866 t (used [Hint: cf.)2 580 1 720 1986 t 10 B f ([1.h])1328 1986 w 10 R f ( vali-)1 212( to the earlier estimated maximal coverage for a conventional)9 2474( \(Compare)1 452(below] ?)1 349 4 1553 1986 t (dation and explain the difference.\))4 1371 1 720 2106 t 10 S1 f ()2116 2106 w 2116 2106 m 50 build_sq 2166 2106 m 10 B f ([1.h])720 2262 w 10 R f ( run has 2\30322 bits \(i.e., 2\30318 
bytes, or about one)10 1912(The default bit-state space in a supertrace, used above,)8 2185 2 943 2262 t ( what)1 225( Check)1 311( different amount of memory to get different coverage.)8 2234(quarter Megabyte\) repeat the run with)5 1550 4 720 2382 t ( on which your first)4 804(percentage of the number of states is reached when you use the 8 Megabyte state space)15 3516 2 720 2502 t ( \(2\30323 bytes is 2\30326 bits, which means)7 1542(estimate for maximal coverage in a full state space search was based)11 2778 2 720 2622 t (a runtime flag)2 560 1 720 2742 t 9 CW f (-w26)1303 2742 w 9 R f (\))1519 2742 w 10 B f ( of a Protocol)3 568(7.2. Validation)1 651 2 720 2982 t 10 R f ( a protocol that is very similar to the)8 1465(This problem lets you apply the validation strategies from the paper to)11 2855 2 720 3138 t ( a protocol specification given by Bartlett et al. in)9 2080( 3 shows)2 374( Figure)1 323(informal example that was discussed.)4 1543 4 720 3258 t ( Use)1 207( al. 1969, Figure 3c].)4 843(their seminal paper introducing the alternating-bit protocol [Bartlett et)8 2810 3 720 3378 t 8 R f (SPIN)4607 3378 w 10 R f (to see)1 232 1 4808 3378 t ( this)1 173(if it meets the same correctness criteria as the informal protocol defined by Lynch, discussed earlier in)16 4147 2 720 3498 t (paper.)720 3618 w 10 S1 f ()991 3618 w 991 3618 m 50 build_sq 1041 3618 m 10 R f (Terminal A)1 463 1 1668 5540 t (S5)4060 4550 w (S5)2301 4561 w (S4)4078 5186 w (S4)2314 3938 w (S3)3388 3949 w (S3)1630 5186 w (S2 S2)1 -1676 1 3406 4561 t (S1)3394 5186 w (S1)1624 3938 w (?err)3676 4484 w (?err)4468 4916 w (?err)1924 4664 w (?err)2740 4237 w (!a0)2370 4232 w (!a1)1134 4903 w (!a1)1512 4244 w (?b1)1166 4237 w 4269 5166 4269 5166 4454 5053 Ds 4269 5166 4454 5053 4454 4753 Ds 4454 5053 4454 4753 4262 4543 Ds 4454 4753 4262 4543 4262 4543 Ds 4263 4541 4324 4582 Dl 4262 4543 4323 4584 Dl 4263 4541 4323 4584 Dl 4263 4542 4322 4586 Dl 4262 4542 4321 4587 Dl 4264 4542 4321 4588 Dl 4264 4542 
4320 4589 Dl 4262 4542 4318 4590 Dl 4263 4542 4318 4591 Dl 4263 4542 4317 4592 Dl 4263 4542 4316 4593 Dl 4263 4542 4315 4594 Dl 4263 4542 4314 4595 Dl 4263 4542 4313 4596 Dl 4263 4542 4312 4597 Dl 4263 4541 4311 4597 Dl 4263 4542 4310 4598 Dl 4263 4543 4309 4600 Dl 4263 4542 4308 4600 Dl 4263 4542 4307 4601 Dl 4262 4542 4305 4602 Dl 4263 4541 4305 4602 Dl 4262 4542 4303 4603 Dl 4264 4542 4303 4604 Dl 4263 4542 4301 4605 Dl 4263 4541 4300 4605 Dl 4263 4542 4299 4606 Dl 4263 4542 4298 4607 Dl 3321 4595 3321 4595 3136 4733 Ds 3321 4595 3136 4733 3136 4990 Ds 3136 4733 3136 4990 3316 5164 Ds 3136 4990 3316 5164 3316 5164 Ds 3314 5165 3250 5128 Dl 3314 5165 3251 5127 Dl 3313 5165 3251 5126 Dl 3313 5165 3252 5125 Dl 3314 5165 3253 5124 Dl 3314 5165 3254 5123 Dl 3314 5165 3255 5122 Dl 3315 5165 3256 5121 Dl 3314 5165 3256 5119 Dl 3314 5165 3257 5119 Dl 3314 5165 3258 5117 Dl 3314 5165 3259 5117 Dl 3314 5165 3260 5115 Dl 3315 5165 3261 5114 Dl 3313 5165 3261 5114 Dl 3314 5165 3263 5112 Dl 3315 5166 3264 5112 Dl 3313 5165 3264 5111 Dl 3314 5165 3266 5110 Dl 3315 5165 3267 5109 Dl 3314 5165 3268 5108 Dl 3315 5165 3269 5107 Dl 3313 5165 3269 5106 Dl 3314 5165 3271 5106 Dl 3314 5165 3272 5105 Dl 3314 5165 3273 5104 Dl 3314 5165 3274 5104 Dl 3314 5165 3275 5103 Dl 3308 4492 3236 4477 Dl 3308 4493 3236 4476 Dl 3309 4493 3237 4475 Dl 3308 4494 3237 4474 Dl 3309 4493 3238 4472 Dl 3308 4493 3238 4471 Dl 3308 4493 3238 4470 Dl 3307 4494 3238 4469 Dl 3308 4493 3239 4467 Dl 3309 4493 3240 4466 Dl 3308 4493 3240 4465 Dl 3308 4494 3241 4464 Dl 3307 4493 3241 4462 Dl 3308 4493 3242 4461 Dl 3309 4493 3243 4460 Dl 3308 4493 3243 4458 Dl 3307 4493 3243 4457 Dl 3308 4493 3244 4456 Dl 3308 4493 3245 4455 Dl 3308 4493 3246 4454 Dl 3307 4494 3246 4453 Dl 3308 4492 3247 4451 Dl 3308 4494 3248 4451 Dl 3308 4492 3249 4449 Dl 3309 4493 3250 4448 Dl 3309 4493 3251 4447 Dl 3307 4493 3251 4446 Dl 3308 4494 3252 4446 Dl 3308 4494 3308 4494 3069 4374 Ds 3308 4494 3069 4374 3069 4158 Ds 3069 4374 3069 
4158 3315 3919 Ds 3069 4158 3315 3919 3315 3919 Ds 1580 4440 1580 4440 1341 4320 Ds 1580 4440 1341 4320 1341 4104 Ds 1341 4320 1341 4104 1539 3919 Ds 1341 4104 1539 3919 1539 3919 Ds 1538 3918 1498 3980 Dl 1538 3918 1497 3979 Dl 1538 3917 1496 3978 Dl 1538 3918 1495 3978 Dl 1538 3918 1494 3977 Dl 1538 3918 1493 3976 Dl 1538 3918 1492 3975 Dl 1538 3919 1491 3975 Dl 1538 3917 1490 3973 Dl 1538 3918 1489 3972 Dl 1538 3918 1488 3972 Dl 1538 3918 1487 3971 Dl 1538 3918 1486 3970 Dl 1538 3918 1485 3969 Dl 1538 3918 1484 3968 Dl 1538 3918 1483 3967 Dl 1538 3918 1482 3966 Dl 1538 3918 1482 3965 Dl 1538 3918 1480 3964 Dl 1538 3917 1479 3962 Dl 1538 3919 1479 3962 Dl 1538 3917 1478 3960 Dl 1538 3919 1477 3960 Dl 1538 3917 1477 3958 Dl 1538 3918 1476 3957 Dl 1538 3918 1475 3956 Dl 1538 3918 1474 3955 Dl 1538 3918 1474 3954 Dl 1539 5166 1539 5166 1293 5022 Ds 1539 5166 1293 5022 1293 4734 Ds 1293 5022 1293 4734 1539 4542 Ds 1293 4734 1539 4542 1539 4542 Ds 1539 4542 1539 4542 1539 4542 Ds 1539 4541 1557 4613 Dl 1539 4542 1555 4614 Dl 1539 4542 1554 4614 Dl 1539 4543 1553 4615 Dl 1539 4542 1551 4615 Dl 1539 4542 1550 4615 Dl 1539 4542 1549 4615 Dl 1539 4542 1547 4615 Dl 1539 4541 1546 4615 Dl 1539 4541 1544 4615 Dl 1539 4541 1544 4615 Dl 1539 4541 1542 4615 Dl 1539 4541 1541 4615 Dl 1539 4541 1539 4615 Dl 1538 4541 1538 4615 Dl 1538 4541 1536 4615 Dl 1538 4541 1535 4615 Dl 1538 4541 1533 4615 Dl 1538 4541 1533 4615 Dl 1538 4541 1531 4615 Dl 1538 4542 1530 4615 Dl 1538 4542 1528 4615 Dl 1538 4542 1527 4615 Dl 1538 4542 1526 4615 Dl 1538 4543 1524 4615 Dl 1538 4542 1523 4614 Dl 1538 4542 1522 4614 Dl 1539 4541 1521 4613 Dl 3591 5166 3981 5166 Dl 3591 5166 3663 5148 Dl 3591 5165 3663 5149 Dl 3591 5165 3663 5150 Dl 3591 5165 3663 5151 Dl 3591 5165 3664 5153 Dl 3591 5165 3664 5154 Dl 3591 5165 3664 5155 Dl 3591 5165 3664 5157 Dl 3591 5165 3665 5158 Dl 3591 5165 3665 5160 Dl 3591 5165 3665 5160 Dl 3591 5165 3665 5162 Dl 3591 5165 3665 5163 Dl 3591 5165 3665 5165 Dl 3591 5166 3665 
5166 Dl 3591 5166 3665 5168 Dl 3591 5166 3665 5169 Dl 3591 5166 3665 5171 Dl 3591 5166 3665 5171 Dl 3591 5166 3665 5173 Dl 3591 5166 3664 5174 Dl 3591 5166 3664 5176 Dl 3591 5166 3664 5177 Dl 3591 5166 3664 5178 Dl 3591 5166 3663 5180 Dl 3591 5166 3663 5181 Dl 3591 5166 3663 5182 Dl 3591 5166 3663 5184 Dl 4125 5022 4125 4680 Dl 4125 5022 4107 4950 Dl 4123 5022 4107 4950 Dl 4124 5021 4109 4949 Dl 4124 5021 4110 4949 Dl 4124 5021 4112 4948 Dl 4124 5021 4113 4948 Dl 4125 5021 4115 4948 Dl 4124 5021 4116 4948 Dl 4124 5021 4117 4947 Dl 4123 5021 4118 4947 Dl 4125 5021 4120 4947 Dl 4124 5021 4121 4947 Dl 4125 5021 4123 4947 Dl 4124 5021 4124 4947 Dl 4125 5021 4125 4947 Dl 4124 5021 4126 4947 Dl 4125 5021 4128 4947 Dl 4124 5021 4129 4947 Dl 4126 5021 4131 4947 Dl 4125 5021 4132 4947 Dl 4125 5021 4133 4948 Dl 4125 5021 4135 4948 Dl 4125 5021 4136 4948 Dl 4125 5021 4137 4948 Dl 4124 5021 4138 4949 Dl 4125 5021 4140 4949 Dl 4125 5022 4141 4950 Dl 4125 5022 4143 4950 Dl 3987 4541 3915 4559 Dl 3987 4543 3915 4559 Dl 3986 4542 3914 4557 Dl 3986 4542 3914 4556 Dl 3986 4542 3913 4554 Dl 3986 4542 3913 4553 Dl 3986 4541 3913 4551 Dl 3986 4542 3913 4550 Dl 3986 4542 3912 4549 Dl 3986 4543 3912 4548 Dl 3986 4541 3912 4546 Dl 3986 4542 3912 4545 Dl 3986 4541 3912 4543 Dl 3986 4542 3912 4542 Dl 3986 4541 3912 4541 Dl 3986 4542 3912 4540 Dl 3986 4541 3912 4538 Dl 3986 4542 3912 4537 Dl 3986 4541 3912 4536 Dl 3986 4541 3912 4534 Dl 3986 4541 3913 4533 Dl 3986 4541 3913 4531 Dl 3986 4541 3913 4530 Dl 3986 4541 3913 4529 Dl 3986 4542 3914 4528 Dl 3986 4541 3914 4526 Dl 3987 4541 3915 4525 Dl 3987 4541 3915 4523 Dl 3591 4541 3987 4541 Dl 3452 4055 3470 4127 Dl 3454 4056 3470 4128 Dl 3453 4056 3468 4128 Dl 3453 4057 3467 4129 Dl 3453 4056 3465 4129 Dl 3453 4056 3464 4129 Dl 3452 4056 3462 4129 Dl 3453 4056 3461 4129 Dl 3453 4055 3460 4129 Dl 3454 4055 3459 4129 Dl 3452 4055 3457 4129 Dl 3453 4055 3456 4129 Dl 3452 4055 3454 4129 Dl 3453 4055 3453 4129 Dl 3452 4055 3452 4129 Dl 3453 4055 
3451 4129 Dl 3452 4055 3449 4129 Dl 3453 4055 3448 4129 Dl 3452 4055 3447 4129 Dl 3452 4055 3445 4129 Dl 3452 4056 3444 4129 Dl 3452 4056 3442 4129 Dl 3452 4056 3441 4129 Dl 3452 4056 3440 4129 Dl 3453 4057 3439 4129 Dl 3452 4056 3437 4128 Dl 3452 4056 3436 4128 Dl 3452 4055 3434 4127 Dl 3452 4402 3452 4055 Dl 3452 4680 3470 4752 Dl 3454 4680 3470 4752 Dl 3453 4680 3468 4752 Dl 3453 4680 3467 4752 Dl 3453 4680 3465 4753 Dl 3453 4680 3464 4753 Dl 3452 4680 3462 4753 Dl 3453 4680 3461 4753 Dl 3453 4680 3460 4754 Dl 3454 4680 3459 4754 Dl 3452 4680 3457 4754 Dl 3453 4680 3456 4754 Dl 3452 4680 3454 4754 Dl 3453 4680 3453 4754 Dl 3452 4680 3452 4754 Dl 3453 4680 3451 4754 Dl 3452 4680 3449 4754 Dl 3453 4680 3448 4754 Dl 3452 4680 3447 4754 Dl 3452 4680 3445 4754 Dl 3452 4680 3444 4753 Dl 3452 4680 3442 4753 Dl 3452 4680 3441 4753 Dl 3452 4680 3440 4753 Dl 3453 4680 3439 4752 Dl 3452 4680 3437 4752 Dl 3452 4680 3436 4752 Dl 3452 4680 3434 4752 Dl 3452 5027 3452 4680 Dl 1814 3918 2210 3918 Dl 1814 3918 1886 3900 Dl 1815 3916 1887 3900 Dl 1815 3917 1887 3902 Dl 1816 3917 1888 3903 Dl 1815 3917 1888 3905 Dl 1815 3917 1888 3906 Dl 1815 3918 1888 3908 Dl 1815 3917 1888 3909 Dl 1814 3917 1888 3910 Dl 1814 3916 1888 3911 Dl 1814 3918 1888 3913 Dl 1814 3917 1888 3914 Dl 1814 3918 1888 3916 Dl 1814 3917 1888 3917 Dl 1814 3918 1888 3918 Dl 1814 3917 1888 3919 Dl 1814 3918 1888 3921 Dl 1814 3917 1888 3922 Dl 1814 3919 1888 3924 Dl 1814 3918 1888 3925 Dl 1815 3918 1888 3926 Dl 1815 3918 1888 3928 Dl 1815 3918 1888 3929 Dl 1815 3918 1888 3930 Dl 1816 3917 1888 3931 Dl 1815 3918 1887 3933 Dl 1815 3918 1887 3934 Dl 1814 3918 1886 3936 Dl 2349 4055 2367 4127 Dl 2349 4056 2365 4128 Dl 2349 4056 2364 4128 Dl 2349 4057 2363 4129 Dl 2349 4056 2361 4129 Dl 2349 4056 2360 4129 Dl 2349 4056 2359 4129 Dl 2349 4056 2357 4129 Dl 2349 4055 2356 4129 Dl 2349 4055 2354 4129 Dl 2349 4055 2354 4129 Dl 2349 4055 2352 4129 Dl 2349 4055 2351 4129 Dl 2349 4055 2349 4129 Dl 2348 4055 2348 4129 Dl 2348 
4055 2346 4129 Dl 2348 4055 2345 4129 Dl 2348 4055 2343 4129 Dl 2348 4055 2343 4129 Dl 2348 4055 2341 4129 Dl 2348 4056 2340 4129 Dl 2348 4056 2338 4129 Dl 2348 4056 2337 4129 Dl 2348 4056 2336 4129 Dl 2348 4057 2334 4129 Dl 2348 4056 2333 4128 Dl 2348 4056 2332 4128 Dl 2349 4055 2331 4127 Dl 2349 4402 2349 4055 Dl 1677 5027 1677 4680 Dl 1677 5027 1659 4955 Dl 1675 5027 1659 4955 Dl 1676 5027 1661 4955 Dl 1676 5027 1662 4955 Dl 1676 5028 1664 4955 Dl 1676 5027 1665 4954 Dl 1677 5027 1667 4954 Dl 1676 5027 1668 4954 Dl 1676 5028 1669 4954 Dl 1675 5028 1670 4954 Dl 1677 5027 1672 4953 Dl 1676 5027 1673 4953 Dl 1677 5027 1675 4953 Dl 1676 5027 1676 4953 Dl 1677 5027 1677 4953 Dl 1676 5027 1678 4953 Dl 1677 5027 1680 4953 Dl 1676 5027 1681 4953 Dl 1678 5028 1683 4954 Dl 1677 5028 1684 4954 Dl 1677 5027 1685 4954 Dl 1677 5027 1687 4954 Dl 1677 5027 1688 4954 Dl 1677 5028 1689 4955 Dl 1676 5027 1690 4955 Dl 1677 5027 1692 4955 Dl 1677 5027 1693 4955 Dl 1677 5027 1695 4955 Dl 1677 4402 1677 4055 Dl 1677 4404 1659 4332 Dl 1675 4403 1659 4331 Dl 1676 4403 1661 4331 Dl 1676 4402 1662 4330 Dl 1676 4403 1664 4330 Dl 1676 4403 1665 4330 Dl 1677 4403 1667 4330 Dl 1676 4403 1668 4330 Dl 1676 4404 1669 4330 Dl 1675 4404 1670 4330 Dl 1677 4404 1672 4330 Dl 1676 4404 1673 4330 Dl 1677 4404 1675 4330 Dl 1676 4404 1676 4330 Dl 1677 4404 1677 4330 Dl 1676 4404 1678 4330 Dl 1677 4404 1680 4330 Dl 1676 4404 1681 4330 Dl 1678 4404 1683 4330 Dl 1677 4404 1684 4330 Dl 1677 4403 1685 4330 Dl 1677 4403 1687 4330 Dl 1677 4403 1688 4330 Dl 1677 4403 1689 4330 Dl 1676 4402 1690 4330 Dl 1677 4403 1692 4331 Dl 1677 4403 1693 4331 Dl 1677 4404 1695 4332 Dl 1539 5166 275 275 De 1539 4541 275 275 De 2210 4541 275 275 De 2210 3918 275 275 De 1539 3918 275 275 De 3315 5166 275 275 De 3981 5166 288 288 De 3987 4541 275 275 De 3315 4541 275 275 De 3315 3918 275 275 De 2210 4541 1814 4541 Dl 2210 4541 2138 4559 Dl 2210 4543 2138 4559 Dl 2210 4542 2138 4557 Dl 2210 4542 2138 4556 Dl 2211 4542 2138 4554 Dl 
2210 4542 2137 4553 Dl 2210 4541 2137 4551 Dl 2210 4542 2137 4550 Dl 2211 4542 2137 4549 Dl 2211 4543 2137 4548 Dl 2210 4541 2136 4546 Dl 2210 4542 2136 4545 Dl 2210 4541 2136 4543 Dl 2210 4542 2136 4542 Dl 2210 4541 2136 4541 Dl 2210 4542 2136 4540 Dl 2210 4541 2136 4538 Dl 2210 4542 2136 4537 Dl 2211 4541 2137 4536 Dl 2211 4541 2137 4534 Dl 2210 4541 2137 4533 Dl 2210 4541 2137 4531 Dl 2210 4541 2137 4530 Dl 2211 4541 2138 4529 Dl 2210 4542 2138 4528 Dl 2210 4541 2138 4526 Dl 2210 4541 2138 4525 Dl 2210 4541 2138 4523 Dl 2487 3918 2487 3918 2715 4026 Ds 2487 3918 2715 4026 2715 4337 Ds 2715 4026 2715 4337 2476 4468 Ds 2715 4337 2476 4468 2476 4468 Ds 2475 4469 2529 4419 Dl 2475 4469 2530 4420 Dl 2475 4469 2531 4421 Dl 2475 4469 2531 4422 Dl 2475 4469 2532 4423 Dl 2475 4469 2534 4424 Dl 2475 4468 2534 4425 Dl 2475 4469 2535 4426 Dl 2475 4469 2536 4428 Dl 2475 4469 2536 4428 Dl 2475 4469 2537 4430 Dl 2475 4469 2538 4431 Dl 2475 4469 2539 4432 Dl 2475 4469 2539 4433 Dl 2475 4469 2540 4434 Dl 2475 4468 2541 4435 Dl 2475 4470 2541 4437 Dl 2475 4469 2541 4438 Dl 2475 4469 2542 4439 Dl 2475 4468 2543 4440 Dl 2475 4470 2544 4442 Dl 2475 4469 2544 4443 Dl 2475 4469 2544 4444 Dl 2475 4469 2545 4446 Dl 2475 4470 2545 4447 Dl 2475 4469 2546 4448 Dl 2475 4469 2546 4449 Dl 2475 4469 2547 4451 Dl (?b0)1490 4898 w (?b0)1940 4039 w (?b1)1935 3848 w (!b0)4149 4880 w (!b1)3285 4910 w (?a1)3707 5299 w (?a1)2951 4916 w (?a0)3707 5132 w (?a0)3473 4255 w (!b1)3116 4262 w (Terminal B)1 458 1 3488 5540 t 10 I f (Figure 3 \320 A Half-Duplex File Transfer Protocol from [Bartlett et al. '69])12 3008 1 1376 5765 t 10 B f ( of an Interface Standard)4 1077(7.3. 
Validation)1 651 2 720 6125 t 10 R f ( Recommendation X.21 has the dubious honor of)7 2049( CCITT)1 351( time to validate an international standard.)6 1756(It is)1 164 4 720 6281 t ( of the first protocols that was shown to be incompletely specified with an automated analysis.)15 3918(being one)1 402 2 720 6401 t (The validation was performed in 1977 by Colin West and Pitro Zafiropulo [West et al. 1978].)15 3737 1 720 6521 t ( was described as a ``reasonably complex protocol'' has become, after a development of)13 3744(What in 1977)2 576 2 720 6677 t ( validators, that shouldn't take more than)6 1658(almost 15 years, a rather trivial litmus test for automated protocol)10 2662 2 720 6797 t ( the X.21 protocol using)4 973( Validate)1 389( of CPU time.)3 559(a few milli-seconds)2 782 4 720 6917 t 8 R f (SPIN)3449 6917 w 10 R f ( the validation model from)4 1070(. Derive)1 347 2 3623 6917 t ( \()1 86( the original specification used in [West et al. 1978].)9 2121(Figure 4, which is based on)5 1119 3 720 7037 t 10 I f (``all'')4046 7037 w 10 R f (in Figure 4 means)3 728 1 4312 7037 t (``all other states.''\))2 767 1 720 7157 t 10 S1 f ()1512 7157 w 1512 7157 m 50 build_sq 1562 7157 m cleartomark showpage saveobj restore %%EndPage: 26 28 %%Page: 27 29 /saveobj save def mark 29 pagesetup 10 R f (- 27 -)2 216 1 2772 480 t 3932 4045 3932 4284 Dl 3932 4044 3950 4116 Dl 3934 4044 3950 4116 Dl 3933 4044 3948 4116 Dl 3933 4044 3947 4116 Dl 3933 4043 3945 4116 Dl 3933 4044 3944 4117 Dl 3932 4044 3942 4117 Dl 3933 4044 3941 4117 Dl 3933 4043 3940 4117 Dl 3934 4043 3939 4117 Dl 3932 4044 3937 4118 Dl 3933 4044 3936 4118 Dl 3932 4044 3934 4118 Dl 3933 4044 3933 4118 Dl 3932 4044 3932 4118 Dl 3933 4044 3931 4118 Dl 3932 4044 3929 4118 Dl 3933 4044 3928 4118 Dl 3932 4043 3927 4117 Dl 3932 4043 3925 4117 Dl 3932 4044 3924 4117 Dl 3932 4044 3922 4117 Dl 3932 4044 3921 4117 Dl 3932 4043 3920 4116 Dl 3933 4044 3919 4116 Dl 3932 4044 3917 4116 Dl 3932 4044 3916 4116 Dl 3932 4044 3914 4116 
Dl 4029 4523 4047 4595 Dl 4029 4524 4045 4596 Dl 4029 4524 4044 4596 Dl 4028 4525 4042 4597 Dl 4029 4524 4041 4597 Dl 4029 4524 4040 4597 Dl 4029 4524 4039 4597 Dl 4029 4524 4037 4597 Dl 4029 4523 4036 4597 Dl 4030 4523 4035 4597 Dl 4028 4523 4033 4597 Dl 4029 4523 4032 4597 Dl 4028 4523 4030 4597 Dl 4029 4523 4029 4597 Dl 4028 4523 4028 4597 Dl 4029 4523 4027 4597 Dl 4028 4523 4025 4597 Dl 4029 4523 4024 4597 Dl 4027 4523 4022 4597 Dl 4028 4523 4021 4597 Dl 4028 4524 4020 4597 Dl 4029 4524 4019 4597 Dl 4028 4524 4017 4597 Dl 4028 4524 4016 4597 Dl 4028 4525 4014 4597 Dl 4028 4524 4013 4596 Dl 4027 4524 4011 4596 Dl 4029 4523 4011 4595 Dl 4029 4859 4029 4523 Dl 3837 4859 3837 4523 Dl 3837 4860 3819 4788 Dl 3836 4860 3820 4788 Dl 3836 4859 3821 4787 Dl 3836 4859 3822 4787 Dl 3836 4859 3824 4786 Dl 3836 4859 3825 4786 Dl 3836 4859 3826 4786 Dl 3836 4859 3828 4786 Dl 3836 4859 3829 4785 Dl 3836 4859 3831 4785 Dl 3836 4859 3831 4785 Dl 3836 4859 3833 4785 Dl 3836 4859 3834 4785 Dl 3836 4859 3836 4785 Dl 3837 4859 3837 4785 Dl 3837 4859 3839 4785 Dl 3837 4859 3840 4785 Dl 3837 4859 3842 4785 Dl 3837 4859 3842 4785 Dl 3837 4859 3844 4785 Dl 3837 4859 3845 4786 Dl 3837 4859 3847 4786 Dl 3837 4859 3848 4786 Dl 3837 4859 3849 4786 Dl 3837 4859 3851 4787 Dl 3837 4859 3852 4787 Dl 3837 4860 3853 4788 Dl 3837 4860 3855 4788 Dl 3789 4955 3597 4955 Dl 3788 4955 3716 4973 Dl 3788 4957 3716 4973 Dl 3788 4956 3716 4971 Dl 3788 4956 3716 4970 Dl 3789 4956 3716 4968 Dl 3788 4956 3715 4967 Dl 3788 4955 3715 4965 Dl 3788 4956 3715 4964 Dl 3789 4956 3715 4963 Dl 3789 4957 3715 4962 Dl 3788 4955 3714 4960 Dl 3788 4956 3714 4959 Dl 3788 4955 3714 4957 Dl 3788 4956 3714 4956 Dl 3788 4955 3714 4955 Dl 3788 4956 3714 4954 Dl 3788 4955 3714 4952 Dl 3788 4956 3714 4951 Dl 3789 4955 3715 4950 Dl 3789 4955 3715 4948 Dl 3788 4955 3715 4947 Dl 3788 4955 3715 4945 Dl 3788 4955 3715 4944 Dl 3789 4955 3716 4943 Dl 3788 4956 3716 4942 Dl 3788 4955 3716 4940 Dl 3788 4955 3716 4939 Dl 3788 4955 3716 
4937 Dl (!q)3657 5108 w 3549 3275 3837 2939 Dl 3549 3275 3582 3209 Dl 3549 3275 3583 3210 Dl 3549 3275 3584 3211 Dl 3549 3275 3585 3211 Dl 3549 3275 3587 3211 Dl 3549 3275 3587 3212 Dl 3549 3275 3589 3213 Dl 3549 3275 3590 3214 Dl 3549 3275 3591 3214 Dl 3549 3275 3592 3216 Dl 3549 3275 3593 3216 Dl 3549 3275 3594 3217 Dl 3549 3275 3595 3218 Dl 3549 3275 3596 3219 Dl 3549 3275 3597 3219 Dl 3549 3275 3598 3221 Dl 3549 3276 3600 3222 Dl 3549 3275 3600 3222 Dl 3549 3275 3601 3223 Dl 3549 3275 3603 3224 Dl 3549 3275 3603 3225 Dl 3549 3275 3604 3227 Dl 3549 3275 3605 3227 Dl 3549 3275 3606 3228 Dl 3549 3275 3607 3229 Dl 3549 3275 3608 3230 Dl 3549 3275 3608 3232 Dl 3549 3275 3609 3232 Dl 3453 4811 3453 4572 Dl 3453 4811 3435 4739 Dl 3451 4811 3435 4739 Dl 3452 4811 3437 4739 Dl 3452 4811 3438 4739 Dl 3452 4812 3440 4739 Dl 3452 4811 3441 4738 Dl 3453 4811 3443 4738 Dl 3452 4811 3444 4738 Dl 3452 4812 3445 4738 Dl 3451 4812 3446 4738 Dl 3453 4811 3448 4737 Dl 3452 4811 3449 4737 Dl 3453 4811 3451 4737 Dl 3452 4811 3452 4737 Dl 3453 4811 3453 4737 Dl 3452 4811 3454 4737 Dl 3453 4811 3456 4737 Dl 3452 4811 3457 4737 Dl 3454 4812 3459 4738 Dl 3453 4812 3460 4738 Dl 3453 4811 3461 4738 Dl 3453 4811 3463 4738 Dl 3453 4811 3464 4738 Dl 3453 4812 3465 4739 Dl 3452 4811 3466 4739 Dl 3453 4811 3468 4739 Dl 3453 4811 3469 4739 Dl 3453 4811 3471 4739 Dl 3453 4283 3453 4044 Dl 3453 4284 3435 4212 Dl 3451 4284 3435 4212 Dl 3452 4283 3437 4211 Dl 3452 4283 3438 4211 Dl 3452 4283 3440 4210 Dl 3452 4283 3441 4210 Dl 3453 4283 3443 4210 Dl 3452 4283 3444 4210 Dl 3452 4283 3445 4209 Dl 3451 4283 3446 4209 Dl 3453 4283 3448 4209 Dl 3452 4283 3449 4209 Dl 3453 4283 3451 4209 Dl 3452 4283 3452 4209 Dl 3453 4283 3453 4209 Dl 3452 4283 3454 4209 Dl 3453 4283 3456 4209 Dl 3452 4283 3457 4209 Dl 3454 4283 3459 4209 Dl 3453 4283 3460 4209 Dl 3453 4283 3461 4210 Dl 3453 4283 3463 4210 Dl 3453 4283 3464 4210 Dl 3453 4283 3465 4210 Dl 3452 4283 3466 4211 Dl 3453 4283 3468 4211 Dl 3453 4284 3469 4212 
Dl 3453 4284 3471 4212 Dl 3453 3754 3453 3515 Dl 3453 3756 3435 3684 Dl 3451 3755 3435 3683 Dl 3452 3755 3437 3683 Dl 3452 3754 3438 3682 Dl 3452 3755 3440 3682 Dl 3452 3755 3441 3682 Dl 3453 3755 3443 3682 Dl 3452 3755 3444 3682 Dl 3452 3756 3445 3682 Dl 3451 3756 3446 3682 Dl 3453 3756 3448 3682 Dl 3452 3756 3449 3682 Dl 3453 3756 3451 3682 Dl 3452 3756 3452 3682 Dl 3453 3756 3453 3682 Dl 3452 3756 3454 3682 Dl 3453 3756 3456 3682 Dl 3452 3756 3457 3682 Dl 3454 3756 3459 3682 Dl 3453 3756 3460 3682 Dl 3453 3755 3461 3682 Dl 3453 3755 3463 3682 Dl 3453 3755 3464 3682 Dl 3453 3755 3465 3682 Dl 3452 3754 3466 3682 Dl 3453 3755 3468 3683 Dl 3453 3755 3469 3683 Dl 3453 3756 3471 3684 Dl 3453 3227 3453 2988 Dl 3453 3227 3435 3155 Dl 3451 3227 3435 3155 Dl 3452 3227 3437 3155 Dl 3452 3227 3438 3155 Dl 3452 3228 3440 3155 Dl 3452 3227 3441 3154 Dl 3453 3227 3443 3154 Dl 3452 3227 3444 3154 Dl 3452 3228 3445 3154 Dl 3451 3228 3446 3154 Dl 3453 3227 3448 3153 Dl 3452 3227 3449 3153 Dl 3453 3227 3451 3153 Dl 3452 3227 3452 3153 Dl 3453 3227 3453 3153 Dl 3452 3227 3454 3153 Dl 3453 3227 3456 3153 Dl 3452 3227 3457 3153 Dl 3454 3228 3459 3154 Dl 3453 3228 3460 3154 Dl 3453 3227 3461 3154 Dl 3453 3227 3463 3154 Dl 3453 3227 3464 3154 Dl 3453 3228 3465 3155 Dl 3452 3227 3466 3155 Dl 3453 3227 3468 3155 Dl 3453 3227 3469 3155 Dl 3453 3227 3471 3155 Dl 4077 2844 4269 2844 Dl 4076 2844 4148 2826 Dl 4077 2843 4149 2827 Dl 4077 2843 4149 2828 Dl 4078 2843 4150 2829 Dl 4077 2843 4150 2831 Dl 4077 2843 4150 2832 Dl 4077 2843 4150 2833 Dl 4077 2843 4150 2835 Dl 4076 2843 4150 2836 Dl 4076 2843 4150 2838 Dl 4076 2843 4150 2838 Dl 4076 2843 4150 2840 Dl 4076 2843 4150 2841 Dl 4076 2843 4150 2843 Dl 4076 2844 4150 2844 Dl 4076 2844 4150 2846 Dl 4076 2844 4150 2847 Dl 4076 2844 4150 2849 Dl 4076 2844 4150 2849 Dl 4076 2844 4150 2851 Dl 4077 2844 4150 2852 Dl 4077 2844 4150 2854 Dl 4077 2844 4150 2855 Dl 4077 2844 4150 2856 Dl 4078 2844 4150 2858 Dl 4077 2844 4149 2859 Dl 4077 2844 4149 
2860 Dl 4076 2844 4148 2862 Dl 3789 2844 3597 2844 Dl 3788 2844 3716 2862 Dl 3788 2844 3716 2860 Dl 3788 2844 3716 2859 Dl 3788 2844 3716 2858 Dl 3789 2844 3716 2856 Dl 3788 2844 3715 2855 Dl 3788 2844 3715 2854 Dl 3788 2844 3715 2852 Dl 3789 2844 3715 2851 Dl 3789 2844 3715 2849 Dl 3788 2844 3714 2849 Dl 3788 2844 3714 2847 Dl 3788 2844 3714 2846 Dl 3788 2844 3714 2844 Dl 3788 2843 3714 2843 Dl 3788 2843 3714 2841 Dl 3788 2843 3714 2840 Dl 3788 2843 3714 2838 Dl 3789 2843 3715 2838 Dl 3789 2843 3715 2836 Dl 3788 2843 3715 2835 Dl 3788 2843 3715 2833 Dl 3788 2843 3715 2832 Dl 3789 2843 3716 2831 Dl 3788 2843 3716 2829 Dl 3788 2843 3716 2828 Dl 3788 2843 3716 2827 Dl 3788 2844 3716 2826 Dl 4365 2699 4029 2417 Dl 4364 2699 4298 2667 Dl 4364 2699 4298 2666 Dl 4364 2699 4299 2665 Dl 4363 2700 4299 2664 Dl 4364 2699 4300 2662 Dl 4364 2699 4301 2661 Dl 4364 2699 4302 2660 Dl 4363 2699 4302 2658 Dl 4364 2699 4303 2658 Dl 4364 2699 4304 2656 Dl 4364 2699 4305 2656 Dl 4364 2699 4305 2654 Dl 4365 2699 4307 2653 Dl 4364 2699 4307 2652 Dl 4364 2699 4308 2651 Dl 4364 2699 4309 2651 Dl 4364 2699 4310 2649 Dl 4365 2699 4311 2648 Dl 4364 2699 4312 2648 Dl 4363 2699 4312 2646 Dl 4365 2700 4314 2646 Dl 4364 2699 4315 2645 Dl 4363 2699 4315 2643 Dl 4364 2699 4317 2643 Dl 4363 2699 4317 2642 Dl 4365 2699 4319 2641 Dl 4364 2699 4320 2640 Dl 4364 2699 4321 2640 Dl 3501 2699 3837 2417 Dl 3501 2699 3544 2640 Dl 3501 2699 3545 2640 Dl 3500 2699 3546 2641 Dl 3501 2699 3547 2642 Dl 3502 2699 3549 2643 Dl 3501 2699 3549 2643 Dl 3502 2699 3551 2645 Dl 3500 2700 3551 2646 Dl 3501 2699 3552 2646 Dl 3502 2699 3554 2648 Dl 3500 2699 3554 2648 Dl 3501 2699 3555 2649 Dl 3501 2699 3556 2651 Dl 3501 2699 3557 2651 Dl 3501 2699 3558 2652 Dl 3501 2699 3559 2653 Dl 3500 2699 3559 2654 Dl 3501 2699 3560 2656 Dl 3501 2699 3561 2656 Dl 3500 2699 3561 2658 Dl 3502 2699 3563 2658 Dl 3502 2699 3564 2660 Dl 3501 2699 3564 2661 Dl 3500 2699 3564 2662 Dl 3501 2700 3565 2664 Dl 3501 2699 3566 2665 Dl 3501 2699 
3567 2666 Dl 3501 2699 3567 2667 Dl 4029 2417 4317 2417 Dl 4029 2417 4101 2399 Dl 4029 2417 4101 2401 Dl 4029 2417 4101 2402 Dl 4029 2418 4101 2404 Dl 4028 2417 4101 2405 Dl 4029 2417 4102 2406 Dl 4029 2417 4102 2407 Dl 4029 2417 4102 2409 Dl 4028 2417 4102 2410 Dl 4028 2417 4102 2412 Dl 4029 2418 4103 2413 Dl 4029 2417 4103 2414 Dl 4029 2418 4103 2416 Dl 4029 2417 4103 2417 Dl 4029 2418 4103 2418 Dl 4029 2417 4103 2419 Dl 4029 2418 4103 2421 Dl 4029 2417 4103 2422 Dl 4028 2419 4102 2424 Dl 4028 2418 4102 2425 Dl 4029 2418 4102 2426 Dl 4029 2417 4102 2427 Dl 4029 2418 4102 2429 Dl 4028 2418 4101 2430 Dl 4029 2418 4101 2432 Dl 4029 2418 4101 2433 Dl 4029 2419 4101 2435 Dl 4029 2417 4101 2435 Dl 3837 2417 3549 2417 Dl 3837 2417 3765 2435 Dl 3837 2419 3765 2435 Dl 3836 2418 3764 2433 Dl 3836 2418 3764 2432 Dl 3836 2418 3763 2430 Dl 3836 2418 3763 2429 Dl 3836 2417 3763 2427 Dl 3836 2418 3763 2426 Dl 3836 2418 3762 2425 Dl 3836 2419 3762 2424 Dl 3836 2417 3762 2422 Dl 3836 2418 3762 2421 Dl 3836 2417 3762 2419 Dl 3836 2418 3762 2418 Dl 3836 2417 3762 2417 Dl 3836 2418 3762 2416 Dl 3836 2417 3762 2414 Dl 3836 2418 3762 2413 Dl 3836 2417 3762 2412 Dl 3836 2417 3762 2410 Dl 3836 2417 3763 2409 Dl 3836 2417 3763 2407 Dl 3836 2417 3763 2406 Dl 3836 2417 3763 2405 Dl 3836 2418 3764 2404 Dl 3836 2417 3764 2402 Dl 3837 2417 3765 2401 Dl 3837 2417 3765 2399 Dl 3549 2226 3837 2226 Dl 3549 2226 3621 2208 Dl 3549 2224 3621 2208 Dl 3549 2225 3621 2210 Dl 3549 2225 3621 2211 Dl 3549 2225 3622 2213 Dl 3549 2225 3622 2214 Dl 3549 2226 3622 2216 Dl 3549 2225 3622 2217 Dl 3549 2225 3623 2218 Dl 3549 2224 3623 2219 Dl 3549 2226 3623 2221 Dl 3549 2225 3623 2222 Dl 3549 2226 3623 2224 Dl 3549 2225 3623 2225 Dl 3549 2226 3623 2226 Dl 3549 2225 3623 2227 Dl 3549 2226 3623 2229 Dl 3549 2225 3623 2230 Dl 3549 2227 3623 2232 Dl 3549 2226 3623 2233 Dl 3549 2226 3622 2234 Dl 3549 2226 3622 2236 Dl 3549 2226 3622 2237 Dl 3549 2226 3622 2238 Dl 3549 2225 3621 2239 Dl 3549 2226 3621 2241 Dl 3549 
2226 3621 2242 Dl 3549 2226 3621 2244 Dl 3837 2226 3837 1890 Dl 3837 2226 3819 2154 Dl 3836 2225 3820 2153 Dl 3836 2225 3821 2153 Dl 3836 2224 3822 2152 Dl 3836 2225 3824 2152 Dl 3836 2225 3825 2152 Dl 3836 2225 3826 2152 Dl 3836 2225 3828 2152 Dl 3836 2226 3829 2152 Dl 3836 2226 3831 2152 Dl 3836 2226 3831 2152 Dl 3836 2226 3833 2152 Dl 3836 2226 3834 2152 Dl 3836 2226 3836 2152 Dl 3837 2226 3837 2152 Dl 3837 2226 3839 2152 Dl 3837 2226 3840 2152 Dl 3837 2226 3842 2152 Dl 3837 2226 3842 2152 Dl 3837 2226 3844 2152 Dl 3837 2225 3845 2152 Dl 3837 2225 3847 2152 Dl 3837 2225 3848 2152 Dl 3837 2225 3849 2152 Dl 3837 2224 3851 2152 Dl 3837 2225 3852 2153 Dl 3837 2225 3853 2153 Dl 3837 2226 3855 2154 Dl 4413 1650 4413 1458 Dl 4413 1650 4395 1578 Dl 4412 1649 4396 1577 Dl 4412 1649 4397 1577 Dl 4412 1648 4398 1576 Dl 4412 1649 4400 1576 Dl 4412 1649 4401 1576 Dl 4412 1649 4402 1576 Dl 4412 1649 4404 1576 Dl 4412 1650 4405 1576 Dl 4412 1650 4407 1576 Dl 4412 1650 4407 1576 Dl 4412 1650 4409 1576 Dl 4412 1650 4410 1576 Dl 4412 1650 4412 1576 Dl 4413 1650 4413 1576 Dl 4413 1650 4415 1576 Dl 4413 1650 4416 1576 Dl 4413 1650 4418 1576 Dl 4413 1650 4418 1576 Dl 4413 1650 4420 1576 Dl 4413 1649 4421 1576 Dl 4413 1649 4423 1576 Dl 4413 1649 4424 1576 Dl 4413 1649 4425 1576 Dl 4413 1648 4427 1576 Dl 4413 1649 4428 1577 Dl 4413 1649 4429 1577 Dl 4413 1650 4431 1578 Dl 4076 1794 4148 1776 Dl 4077 1792 4149 1776 Dl 4077 1793 4149 1778 Dl 4078 1793 4150 1779 Dl 4077 1793 4150 1781 Dl 4077 1793 4150 1782 Dl 4077 1794 4150 1784 Dl 4077 1793 4150 1785 Dl 4076 1793 4150 1786 Dl 4076 1792 4150 1787 Dl 4076 1794 4150 1789 Dl 4076 1793 4150 1790 Dl 4076 1794 4150 1792 Dl 4076 1793 4150 1793 Dl 4076 1794 4150 1794 Dl 4076 1793 4150 1795 Dl 4076 1794 4150 1797 Dl 4076 1793 4150 1798 Dl 4076 1795 4150 1800 Dl 4076 1794 4150 1801 Dl 4077 1794 4150 1802 Dl 4077 1794 4150 1804 Dl 4077 1794 4150 1805 Dl 4077 1794 4150 1806 Dl 4078 1793 4150 1807 Dl 4077 1794 4149 1809 Dl 4077 1794 4149 1810 Dl 
4076 1794 4148 1812 Dl 4268 1794 4076 1794 Dl 3789 1794 3597 1794 Dl 3788 1794 3716 1812 Dl 3788 1794 3716 1810 Dl 3788 1794 3716 1809 Dl 3788 1793 3716 1807 Dl 3789 1794 3716 1806 Dl 3788 1794 3715 1805 Dl 3788 1794 3715 1804 Dl 3788 1794 3715 1802 Dl 3789 1794 3715 1801 Dl 3789 1795 3715 1800 Dl 3788 1793 3714 1798 Dl 3788 1794 3714 1797 Dl 3788 1793 3714 1795 Dl 3788 1794 3714 1794 Dl 3788 1793 3714 1793 Dl 3788 1794 3714 1792 Dl 3788 1793 3714 1790 Dl 3788 1794 3714 1789 Dl 3789 1792 3715 1787 Dl 3789 1793 3715 1786 Dl 3788 1793 3715 1785 Dl 3788 1794 3715 1784 Dl 3788 1793 3715 1782 Dl 3789 1793 3716 1781 Dl 3788 1793 3716 1779 Dl 3788 1793 3716 1778 Dl 3788 1792 3716 1776 Dl 3788 1794 3716 1776 Dl 3453 1650 3453 1458 Dl 3453 1650 3435 1578 Dl 3451 1649 3435 1577 Dl 3452 1649 3437 1577 Dl 3452 1648 3438 1576 Dl 3452 1649 3440 1576 Dl 3452 1649 3441 1576 Dl 3453 1649 3443 1576 Dl 3452 1649 3444 1576 Dl 3452 1650 3445 1576 Dl 3451 1650 3446 1576 Dl 3453 1650 3448 1576 Dl 3452 1650 3449 1576 Dl 3453 1650 3451 1576 Dl 3452 1650 3452 1576 Dl 3453 1650 3453 1576 Dl 3452 1650 3454 1576 Dl 3453 1650 3456 1576 Dl 3452 1650 3457 1576 Dl 3454 1650 3459 1576 Dl 3453 1650 3460 1576 Dl 3453 1649 3461 1576 Dl 3453 1649 3463 1576 Dl 3453 1649 3464 1576 Dl 3453 1649 3465 1576 Dl 3452 1648 3466 1576 Dl 3453 1649 3468 1577 Dl 3453 1649 3469 1577 Dl 3453 1650 3471 1578 Dl 4315 1218 4076 1074 Dl 4316 1217 4245 1196 Dl 4316 1218 4246 1195 Dl 4315 1217 4246 1193 Dl 4316 1217 4247 1192 Dl 4316 1217 4247 1191 Dl 4316 1218 4248 1190 Dl 4316 1217 4248 1188 Dl 4316 1217 4249 1187 Dl 4315 1217 4249 1186 Dl 4316 1218 4250 1185 Dl 4317 1216 4251 1183 Dl 4316 1217 4251 1182 Dl 4316 1217 4252 1181 Dl 4317 1217 4253 1180 Dl 4316 1217 4253 1179 Dl 4316 1216 4254 1177 Dl 4316 1218 4255 1177 Dl 4317 1217 4256 1175 Dl 4316 1218 4256 1175 Dl 4316 1217 4257 1173 Dl 4317 1217 4258 1172 Dl 4315 1217 4258 1171 Dl 4315 1217 4259 1170 Dl 4317 1217 4261 1169 Dl 4316 1217 4261 1168 Dl 4316 1217 4262 1167 
Dl 4316 1217 4263 1166 Dl 4316 1217 4264 1165 Dl 3549 1218 3788 1074 Dl 3549 1217 3601 1165 Dl 3549 1217 3602 1166 Dl 3549 1217 3603 1167 Dl 3549 1217 3604 1168 Dl 3549 1217 3605 1169 Dl 3549 1217 3605 1170 Dl 3549 1217 3606 1171 Dl 3549 1217 3608 1172 Dl 3549 1217 3608 1173 Dl 3549 1218 3609 1175 Dl 3549 1217 3610 1175 Dl 3549 1218 3610 1177 Dl 3549 1216 3611 1177 Dl 3549 1217 3612 1179 Dl 3549 1217 3613 1180 Dl 3549 1217 3613 1181 Dl 3549 1217 3614 1182 Dl 3549 1216 3615 1183 Dl 3549 1218 3615 1185 Dl 3549 1217 3615 1186 Dl 3549 1217 3616 1187 Dl 3549 1217 3617 1188 Dl 3549 1218 3617 1190 Dl 3549 1217 3618 1191 Dl 3549 1217 3618 1192 Dl 3549 1217 3618 1193 Dl 3549 1218 3619 1195 Dl 3549 1217 3620 1196 Dl 3788 4955 288 288 De 3309 4955 288 288 De 4269 4428 288 288 De 3788 4428 288 288 De 3309 4428 288 288 De 4269 3900 288 288 De 3788 3900 288 288 De 3309 3900 288 288 De 4269 3371 288 288 De 3309 3371 288 288 De 4269 2844 288 288 De 3788 2844 288 288 De 3309 2322 288 288 De 4413 5345 4413 5099 Dl 4413 5346 4395 5274 Dl 4412 5346 4396 5274 Dl 4412 5345 4397 5273 Dl 4412 5345 4398 5273 Dl 4412 5345 4400 5272 Dl 4412 5345 4401 5272 Dl 4412 5345 4402 5272 Dl 4412 5345 4404 5272 Dl 4412 5345 4405 5271 Dl 4412 5345 4407 5271 Dl 4412 5345 4407 5271 Dl 4412 5345 4409 5271 Dl 4412 5345 4410 5271 Dl 4412 5345 4412 5271 Dl 4413 5345 4413 5271 Dl 4413 5345 4415 5271 Dl 4413 5345 4416 5271 Dl 4413 5345 4418 5271 Dl 4413 5345 4418 5271 Dl 4413 5345 4420 5271 Dl 4413 5345 4421 5272 Dl 4413 5345 4423 5272 Dl 4413 5345 4424 5272 Dl 4413 5345 4425 5272 Dl 4413 5345 4427 5273 Dl 4413 5345 4428 5273 Dl 4413 5346 4429 5274 Dl 4413 5346 4431 5274 Dl 4274 5484 275 275 De 4274 2322 275 275 De 3788 2322 288 288 De 3309 2844 288 288 De 4269 1794 288 288 De 3788 1794 288 288 De 3309 1794 288 288 De 4269 1314 288 288 De 3309 1314 288 288 De 4269 4955 288 288 De 4029 1890 4047 1962 Dl 4029 1890 4045 1962 Dl 4029 1890 4044 1962 Dl 4028 1890 4042 1962 Dl 4029 1890 4041 1963 Dl 4029 1890 4040 
1963 Dl 4029 1890 4039 1963 Dl 4029 1890 4037 1963 Dl 4029 1890 4036 1964 Dl 4030 1890 4035 1964 Dl 4028 1890 4033 1964 Dl 4029 1890 4032 1964 Dl 4028 1890 4030 1964 Dl 4029 1890 4029 1964 Dl 4028 1890 4028 1964 Dl 4029 1890 4027 1964 Dl 4028 1890 4025 1964 Dl 4029 1890 4024 1964 Dl 4027 1890 4022 1964 Dl 4028 1890 4021 1964 Dl 4028 1890 4020 1963 Dl 4029 1890 4019 1963 Dl 4028 1890 4017 1963 Dl 4028 1890 4016 1963 Dl 4028 1890 4014 1962 Dl 4028 1890 4013 1962 Dl 4027 1890 4011 1962 Dl 4029 1890 4011 1962 Dl 4029 2226 4029 1890 Dl 4317 2226 4245 2244 Dl 4316 2226 4244 2242 Dl 4316 2226 4244 2241 Dl 4315 2225 4243 2239 Dl 4316 2226 4243 2238 Dl 4316 2226 4243 2237 Dl 4316 2226 4243 2236 Dl 4316 2226 4243 2234 Dl 4317 2226 4243 2233 Dl 4317 2227 4243 2232 Dl 4317 2225 4243 2230 Dl 4317 2226 4243 2229 Dl 4317 2225 4243 2227 Dl 4317 2226 4243 2226 Dl 4317 2225 4243 2225 Dl 4317 2226 4243 2224 Dl 4317 2225 4243 2222 Dl 4317 2226 4243 2221 Dl 4317 2224 4243 2219 Dl 4317 2225 4243 2218 Dl 4316 2225 4243 2217 Dl 4316 2226 4243 2216 Dl 4316 2225 4243 2214 Dl 4316 2225 4243 2213 Dl 4315 2225 4243 2211 Dl 4316 2225 4244 2210 Dl 4316 2224 4244 2208 Dl 4317 2226 4245 2208 Dl 4029 2226 4317 2226 Dl 4413 4811 4413 4572 Dl 4413 4811 4395 4739 Dl 4412 4811 4396 4739 Dl 4412 4811 4397 4739 Dl 4412 4811 4398 4739 Dl 4412 4812 4400 4739 Dl 4412 4811 4401 4738 Dl 4412 4811 4402 4738 Dl 4412 4811 4404 4738 Dl 4412 4812 4405 4738 Dl 4412 4812 4407 4738 Dl 4412 4811 4407 4737 Dl 4412 4811 4409 4737 Dl 4412 4811 4410 4737 Dl 4412 4811 4412 4737 Dl 4413 4811 4413 4737 Dl 4413 4811 4415 4737 Dl 4413 4811 4416 4737 Dl 4413 4811 4418 4737 Dl 4413 4812 4418 4738 Dl 4413 4812 4420 4738 Dl 4413 4811 4421 4738 Dl 4413 4811 4423 4738 Dl 4413 4811 4424 4738 Dl 4413 4812 4425 4739 Dl 4413 4811 4427 4739 Dl 4413 4811 4428 4739 Dl 4413 4811 4429 4739 Dl 4413 4811 4431 4739 Dl 4413 4283 4413 4044 Dl 4413 4284 4395 4212 Dl 4412 4284 4396 4212 Dl 4412 4283 4397 4211 Dl 4412 4283 4398 4211 Dl 4412 4283 
4400 4210 Dl 4412 4283 4401 4210 Dl 4412 4283 4402 4210 Dl 4412 4283 4404 4210 Dl 4412 4283 4405 4209 Dl 4412 4283 4407 4209 Dl 4412 4283 4407 4209 Dl 4412 4283 4409 4209 Dl 4412 4283 4410 4209 Dl 4412 4283 4412 4209 Dl 4413 4283 4413 4209 Dl 4413 4283 4415 4209 Dl 4413 4283 4416 4209 Dl 4413 4283 4418 4209 Dl 4413 4283 4418 4209 Dl 4413 4283 4420 4209 Dl 4413 4283 4421 4210 Dl 4413 4283 4423 4210 Dl 4413 4283 4424 4210 Dl 4413 4283 4425 4210 Dl 4413 4283 4427 4211 Dl 4413 4283 4428 4211 Dl 4413 4284 4429 4212 Dl 4413 4284 4431 4212 Dl 4413 3754 4413 3515 Dl 4413 3756 4395 3684 Dl 4412 3755 4396 3683 Dl 4412 3755 4397 3683 Dl 4412 3754 4398 3682 Dl 4412 3755 4400 3682 Dl 4412 3755 4401 3682 Dl 4412 3755 4402 3682 Dl 4412 3755 4404 3682 Dl 4412 3756 4405 3682 Dl 4412 3756 4407 3682 Dl 4412 3756 4407 3682 Dl 4412 3756 4409 3682 Dl 4412 3756 4410 3682 Dl 4412 3756 4412 3682 Dl 4413 3756 4413 3682 Dl 4413 3756 4415 3682 Dl 4413 3756 4416 3682 Dl 4413 3756 4418 3682 Dl 4413 3756 4418 3682 Dl 4413 3756 4420 3682 Dl 4413 3755 4421 3682 Dl 4413 3755 4423 3682 Dl 4413 3755 4424 3682 Dl 4413 3755 4425 3682 Dl 4413 3754 4427 3682 Dl 4413 3755 4428 3683 Dl 4413 3755 4429 3683 Dl 4413 3756 4431 3684 Dl 4413 3227 4413 2988 Dl 4413 3227 4395 3155 Dl 4412 3227 4396 3155 Dl 4412 3227 4397 3155 Dl 4412 3227 4398 3155 Dl 4412 3228 4400 3155 Dl 4412 3227 4401 3154 Dl 4412 3227 4402 3154 Dl 4412 3227 4404 3154 Dl 4412 3228 4405 3154 Dl 4412 3228 4407 3154 Dl 4412 3227 4407 3153 Dl 4412 3227 4409 3153 Dl 4412 3227 4410 3153 Dl 4412 3227 4412 3153 Dl 4413 3227 4413 3153 Dl 4413 3227 4415 3153 Dl 4413 3227 4416 3153 Dl 4413 3227 4418 3153 Dl 4413 3228 4418 3154 Dl 4413 3228 4420 3154 Dl 4413 3227 4421 3154 Dl 4413 3227 4423 3154 Dl 4413 3227 4424 3154 Dl 4413 3228 4425 3155 Dl 4413 3227 4427 3155 Dl 4413 3227 4428 3155 Dl 4413 3227 4429 3155 Dl 4413 3227 4431 3155 Dl 1677 3900 288 288 De (?u)2170 2606 w (?v)1198 3175 w (!e)1219 3697 w (!c)1194 4262 w (?r)1201 4790 w 1916 2417 2204 2417 Dl 
1916 2417 1988 2399 Dl 1917 2417 1989 2401 Dl 1917 2417 1989 2402 Dl 1918 2418 1990 2404 Dl 1917 2417 1990 2405 Dl 1917 2417 1990 2406 Dl 1917 2417 1990 2407 Dl 1917 2417 1990 2409 Dl 1916 2417 1990 2410 Dl 1916 2417 1990 2412 Dl 1916 2418 1990 2413 Dl 1916 2417 1990 2414 Dl 1916 2418 1990 2416 Dl 1916 2417 1990 2417 Dl 1916 2418 1990 2418 Dl 1916 2417 1990 2419 Dl 1916 2418 1990 2421 Dl 1916 2417 1990 2422 Dl 1916 2419 1990 2424 Dl 1916 2418 1990 2425 Dl 1917 2418 1990 2426 Dl 1917 2417 1990 2427 Dl 1917 2418 1990 2429 Dl 1917 2418 1990 2430 Dl 1918 2418 1990 2432 Dl 1917 2418 1989 2433 Dl 1917 2419 1989 2435 Dl 1916 2417 1988 2435 Dl 1196 1314 288 288 De (?m)1184 1573 w 1340 4811 1340 4572 Dl 1340 4811 1322 4739 Dl 1340 4811 1324 4739 Dl 1340 4811 1325 4739 Dl 1341 4811 1327 4739 Dl 1340 4812 1328 4739 Dl 1340 4811 1329 4738 Dl 1340 4811 1330 4738 Dl 1340 4811 1332 4738 Dl 1340 4812 1333 4738 Dl 1340 4812 1335 4738 Dl 1341 4811 1336 4737 Dl 1340 4811 1337 4737 Dl 1341 4811 1339 4737 Dl 1340 4811 1340 4737 Dl 1341 4811 1341 4737 Dl 1340 4811 1342 4737 Dl 1341 4811 1344 4737 Dl 1340 4811 1345 4737 Dl 1342 4812 1347 4738 Dl 1341 4812 1348 4738 Dl 1341 4811 1349 4738 Dl 1340 4811 1350 4738 Dl 1341 4811 1352 4738 Dl 1341 4812 1353 4739 Dl 1341 4811 1355 4739 Dl 1341 4811 1356 4739 Dl 1342 4811 1358 4739 Dl 1340 4811 1358 4739 Dl 2204 1218 1965 1074 Dl 2205 1217 2134 1196 Dl 2204 1218 2134 1195 Dl 2203 1217 2134 1193 Dl 2204 1217 2135 1192 Dl 2204 1217 2135 1191 Dl 2204 1218 2136 1190 Dl 2205 1217 2137 1188 Dl 2204 1217 2137 1187 Dl 2203 1217 2137 1186 Dl 2204 1218 2138 1185 Dl 2205 1216 2139 1183 Dl 2204 1217 2139 1182 Dl 2204 1217 2140 1181 Dl 2204 1217 2140 1180 Dl 2204 1217 2141 1179 Dl 2204 1216 2142 1177 Dl 2203 1218 2142 1177 Dl 2204 1217 2143 1175 Dl 2205 1218 2145 1175 Dl 2204 1217 2145 1173 Dl 2205 1217 2146 1172 Dl 2204 1217 2147 1171 Dl 2203 1217 2147 1170 Dl 2204 1217 2148 1169 Dl 2205 1217 2150 1168 Dl 2204 1217 2150 1167 Dl 2204 1217 2151 1166 Dl 2204 
1217 2152 1165 Dl 2163 5484 275 275 De 2301 3754 2301 3515 Dl 2301 3756 2283 3684 Dl 2299 3755 2283 3683 Dl 2300 3755 2285 3683 Dl 2300 3754 2286 3682 Dl 2300 3755 2288 3682 Dl 2300 3755 2289 3682 Dl 2301 3755 2291 3682 Dl 2300 3755 2292 3682 Dl 2300 3756 2293 3682 Dl 2299 3756 2294 3682 Dl 2301 3756 2296 3682 Dl 2300 3756 2297 3682 Dl 2301 3756 2299 3682 Dl 2300 3756 2300 3682 Dl 2301 3756 2301 3682 Dl 2300 3756 2302 3682 Dl 2301 3756 2304 3682 Dl 2300 3756 2305 3682 Dl 2302 3756 2307 3682 Dl 2301 3756 2308 3682 Dl 2301 3755 2309 3682 Dl 2301 3755 2311 3682 Dl 2301 3755 2312 3682 Dl 2301 3755 2313 3682 Dl 2300 3754 2314 3682 Dl 2301 3755 2316 3683 Dl 2301 3755 2317 3683 Dl 2301 3756 2319 3684 Dl (?m)1472 2198 w (!b)1479 1105 w (!m)4183 1069 w (!m)3301 1573 w (?b)4479 1604 w (?b)4054 2066 w (?d)3478 2606 w (!v)3724 3206 w (all)1771 1028 w (16)1285 1316 w (19)2262 1328 w (20 21)1 -397 1 2262 1814 t (17)1285 1807 w ( 14)1 517(18 1)1 555 2 1285 2342 t (2)1315 2858 w (15)1776 2864 w (8)2282 2858 w (3)1322 3380 w (9)2276 3386 w (4)1322 3913 w (10B 10)1 -353 1 2218 3920 t (5)1322 4424 w (6B 6C)1 598 1 1768 4448 t (6A)1292 4970 w (7)1801 4975 w (11)2251 4970 w (12)2251 5497 w (?v)1581 3193 w (!u)4294 2594 w (!u)3646 2797 w (!v)3333 3175 w (?e)3319 3697 w (?c)3312 4214 w (!r)3312 4766 w (?d)4119 2797 w (?a)3733 2066 w (!m)3602 2167 w (!l)3627 2372 w (?i)4155 2210 w (?a)4158 2383 w 1916 4523 1934 4595 Dl 1918 4524 1934 4596 Dl 1917 4524 1932 4596 Dl 1917 4525 1931 4597 Dl 1917 4524 1929 4597 Dl 1917 4524 1928 4597 Dl 1916 4524 1926 4597 Dl 1917 4524 1925 4597 Dl 1917 4523 1924 4597 Dl 1918 4523 1923 4597 Dl 1916 4523 1921 4597 Dl 1917 4523 1920 4597 Dl 1916 4523 1918 4597 Dl 1917 4523 1917 4597 Dl 1916 4523 1916 4597 Dl 1917 4523 1915 4597 Dl 1916 4523 1913 4597 Dl 1917 4523 1912 4597 Dl 1916 4523 1911 4597 Dl 1916 4523 1909 4597 Dl 1916 4524 1908 4597 Dl 1916 4524 1906 4597 Dl 1916 4524 1905 4597 Dl 1916 4524 1904 4597 Dl 1917 4525 1903 4597 Dl 1916 4524 1901 4596 Dl 1916 
4524 1900 4596 Dl 1916 4523 1898 4595 Dl 1916 4859 1916 4523 Dl 1965 2844 2157 2844 Dl 1965 2844 2037 2826 Dl 1965 2843 2037 2827 Dl 1965 2843 2037 2828 Dl 1965 2843 2037 2829 Dl 1965 2843 2038 2831 Dl 1965 2843 2038 2832 Dl 1965 2843 2038 2833 Dl 1965 2843 2038 2835 Dl 1965 2843 2039 2836 Dl 1965 2843 2039 2838 Dl 1965 2843 2039 2838 Dl 1965 2843 2039 2840 Dl 1965 2843 2039 2841 Dl 1965 2843 2039 2843 Dl 1965 2844 2039 2844 Dl 1965 2844 2039 2846 Dl 1965 2844 2039 2847 Dl 1965 2844 2039 2849 Dl 1965 2844 2039 2849 Dl 1965 2844 2039 2851 Dl 1965 2844 2038 2852 Dl 1965 2844 2038 2854 Dl 1965 2844 2038 2855 Dl 1965 2844 2038 2856 Dl 1965 2844 2037 2858 Dl 1965 2844 2037 2859 Dl 1965 2844 2037 2860 Dl 1965 2844 2037 2862 Dl 2301 1650 2301 1458 Dl 2301 1650 2283 1578 Dl 2299 1649 2283 1577 Dl 2300 1649 2285 1577 Dl 2300 1648 2286 1576 Dl 2300 1649 2288 1576 Dl 2300 1649 2289 1576 Dl 2301 1649 2291 1576 Dl 2300 1649 2292 1576 Dl 2300 1650 2293 1576 Dl 2299 1650 2294 1576 Dl 2301 1650 2296 1576 Dl 2300 1650 2297 1576 Dl 2301 1650 2299 1576 Dl 2300 1650 2300 1576 Dl 2301 1650 2301 1576 Dl 2300 1650 2302 1576 Dl 2301 1650 2304 1576 Dl 2300 1650 2305 1576 Dl 2302 1650 2307 1576 Dl 2301 1650 2308 1576 Dl 2301 1649 2309 1576 Dl 2301 1649 2311 1576 Dl 2301 1649 2312 1576 Dl 2301 1649 2313 1576 Dl 2300 1648 2314 1576 Dl 2301 1649 2316 1577 Dl 2301 1649 2317 1577 Dl 2301 1650 2319 1578 Dl 2157 4428 288 288 De 2157 2844 288 288 De 2157 1794 288 288 De 1916 1890 1916 2226 Dl 1916 1890 1934 1962 Dl 1918 1890 1934 1962 Dl 1917 1890 1932 1962 Dl 1917 1890 1931 1962 Dl 1917 1890 1929 1963 Dl 1917 1890 1928 1963 Dl 1916 1890 1926 1963 Dl 1917 1890 1925 1963 Dl 1917 1890 1924 1964 Dl 1918 1890 1923 1964 Dl 1916 1890 1921 1964 Dl 1917 1890 1920 1964 Dl 1916 1890 1918 1964 Dl 1917 1890 1917 1964 Dl 1916 1890 1916 1964 Dl 1917 1890 1915 1964 Dl 1916 1890 1913 1964 Dl 1917 1890 1912 1964 Dl 1916 1890 1911 1964 Dl 1916 1890 1909 1964 Dl 1916 1890 1908 1963 Dl 1916 1890 1906 1963 Dl 1916 1890 
1905 1963 Dl 1916 1890 1904 1963 Dl 1917 1890 1903 1962 Dl 1916 1890 1901 1962 Dl 1916 1890 1900 1962 Dl 1916 1890 1898 1962 Dl (!d)2019 2815 w (?m)2048 1094 w (!a)1590 2054 w 1821 4044 1839 4116 Dl 1821 4044 1837 4116 Dl 1821 4044 1836 4116 Dl 1821 4044 1835 4116 Dl 1821 4043 1833 4116 Dl 1821 4044 1832 4117 Dl 1821 4044 1831 4117 Dl 1821 4044 1829 4117 Dl 1821 4043 1828 4117 Dl 1821 4043 1826 4117 Dl 1821 4044 1826 4118 Dl 1821 4044 1824 4118 Dl 1821 4044 1823 4118 Dl 1821 4044 1821 4118 Dl 1820 4044 1820 4118 Dl 1820 4044 1818 4118 Dl 1820 4044 1817 4118 Dl 1820 4044 1815 4118 Dl 1820 4043 1815 4117 Dl 1820 4043 1813 4117 Dl 1820 4044 1812 4117 Dl 1820 4044 1810 4117 Dl 1820 4044 1809 4117 Dl 1820 4043 1808 4116 Dl 1820 4044 1806 4116 Dl 1820 4044 1805 4116 Dl 1820 4044 1804 4116 Dl 1821 4044 1803 4116 Dl 1821 4283 1821 4044 Dl 1676 4955 1484 4955 Dl 1677 4955 1605 4973 Dl 1677 4957 1605 4973 Dl 1676 4956 1604 4971 Dl 1676 4956 1604 4970 Dl 1676 4956 1603 4968 Dl 1676 4956 1603 4967 Dl 1676 4955 1603 4965 Dl 1676 4956 1603 4964 Dl 1676 4956 1602 4963 Dl 1676 4957 1602 4962 Dl 1676 4955 1602 4960 Dl 1676 4956 1602 4959 Dl 1676 4955 1602 4957 Dl 1676 4956 1602 4956 Dl 1676 4955 1602 4955 Dl 1676 4956 1602 4954 Dl 1676 4955 1602 4952 Dl 1676 4956 1602 4951 Dl 1676 4955 1602 4950 Dl 1676 4955 1602 4948 Dl 1676 4955 1603 4947 Dl 1676 4955 1603 4945 Dl 1676 4955 1603 4944 Dl 1676 4955 1603 4943 Dl 1676 4956 1604 4942 Dl 1676 4955 1604 4940 Dl 1677 4955 1605 4939 Dl 1677 4955 1605 4937 Dl (?q)1527 5090 w (!q)3711 4754 w (!r)4086 4759 w (!q)3808 4219 w (!r)4164 4232 w (!n)4467 5222 w (!l)4437 4723 w (!r)4452 4196 w (!q)4444 3679 w (?c)4428 3157 w (?q)1612 4705 w (?q)1696 4201 w (?r)2083 4298 w (?r)1939 4736 w (?l)2355 4712 w (?n)2373 5222 w (?r)2335 4178 w (?q)2326 3656 w (!c)2328 3121 w (?b)3586 1076 w 1340 3754 1340 3515 Dl 1340 3756 1322 3684 Dl 1340 3755 1324 3683 Dl 1340 3755 1325 3683 Dl 1341 3754 1327 3682 Dl 1340 3755 1328 3682 Dl 1340 3755 1329 3682 Dl 1340 
3755 1330 3682 Dl 1340 3755 1332 3682 Dl 1340 3756 1333 3682 Dl 1340 3756 1335 3682 Dl 1341 3756 1336 3682 Dl 1340 3756 1337 3682 Dl 1341 3756 1339 3682 Dl 1340 3756 1340 3682 Dl 1341 3756 1341 3682 Dl 1340 3756 1342 3682 Dl 1341 3756 1344 3682 Dl 1340 3756 1345 3682 Dl 1342 3756 1347 3682 Dl 1341 3756 1348 3682 Dl 1341 3755 1349 3682 Dl 1340 3755 1350 3682 Dl 1341 3755 1352 3682 Dl 1341 3755 1353 3682 Dl 1341 3754 1355 3682 Dl 1341 3755 1356 3683 Dl 1342 3755 1358 3683 Dl 1340 3756 1358 3684 Dl 2252 2699 1916 2417 Dl 2252 2699 2186 2667 Dl 2252 2699 2186 2666 Dl 2252 2699 2187 2665 Dl 2252 2700 2188 2664 Dl 2252 2699 2188 2662 Dl 2252 2699 2189 2661 Dl 2252 2699 2190 2660 Dl 2252 2699 2191 2658 Dl 2252 2699 2191 2658 Dl 2252 2699 2192 2656 Dl 2252 2699 2193 2656 Dl 2252 2699 2193 2654 Dl 2252 2699 2194 2653 Dl 2252 2699 2195 2652 Dl 2252 2699 2196 2651 Dl 2252 2699 2197 2651 Dl 2252 2699 2198 2649 Dl 2253 2699 2199 2648 Dl 2252 2699 2200 2648 Dl 2252 2699 2201 2646 Dl 2252 2700 2201 2646 Dl 2252 2699 2203 2645 Dl 2252 2699 2204 2643 Dl 2252 2699 2205 2643 Dl 2252 2699 2206 2642 Dl 2252 2699 2206 2641 Dl 2252 2699 2208 2640 Dl 2252 2699 2209 2640 Dl 1437 2226 1725 2226 Dl 1437 2226 1509 2208 Dl 1437 2224 1509 2208 Dl 1437 2225 1509 2210 Dl 1437 2225 1509 2211 Dl 1436 2225 1509 2213 Dl 1437 2225 1510 2214 Dl 1437 2226 1510 2216 Dl 1437 2225 1510 2217 Dl 1436 2225 1510 2218 Dl 1436 2224 1510 2219 Dl 1437 2226 1511 2221 Dl 1437 2225 1511 2222 Dl 1437 2226 1511 2224 Dl 1437 2225 1511 2225 Dl 1437 2226 1511 2226 Dl 1437 2225 1511 2227 Dl 1437 2226 1511 2229 Dl 1437 2225 1511 2230 Dl 1436 2227 1510 2232 Dl 1436 2226 1510 2233 Dl 1437 2226 1510 2234 Dl 1437 2226 1510 2236 Dl 1437 2226 1510 2237 Dl 1436 2226 1509 2238 Dl 1437 2225 1509 2239 Dl 1437 2226 1509 2241 Dl 1437 2226 1509 2242 Dl 1437 2226 1509 2244 Dl 1676 1794 1484 1794 Dl 1677 1794 1605 1812 Dl 1677 1794 1605 1810 Dl 1676 1794 1604 1809 Dl 1676 1793 1604 1807 Dl 1676 1794 1603 1806 Dl 1676 1794 1603 1805 Dl 
1676 1794 1603 1804 Dl 1676 1794 1603 1802 Dl 1676 1794 1602 1801 Dl 1676 1795 1602 1800 Dl 1676 1793 1602 1798 Dl 1676 1794 1602 1797 Dl 1676 1793 1602 1795 Dl 1676 1794 1602 1794 Dl 1676 1793 1602 1793 Dl 1676 1794 1602 1792 Dl 1676 1793 1602 1790 Dl 1676 1794 1602 1789 Dl 1676 1792 1602 1787 Dl 1676 1793 1602 1786 Dl 1676 1793 1603 1785 Dl 1676 1794 1603 1784 Dl 1676 1793 1603 1782 Dl 1676 1793 1603 1781 Dl 1676 1793 1604 1779 Dl 1676 1793 1604 1778 Dl 1677 1792 1605 1776 Dl 1677 1794 1605 1776 Dl 1677 4955 288 288 De 1196 4428 288 288 De 2157 3371 288 288 De 1196 2322 288 288 De 1677 2322 288 288 De 1196 1794 288 288 De 2301 4811 2301 4572 Dl 2301 4811 2283 4739 Dl 2299 4811 2283 4739 Dl 2300 4811 2285 4739 Dl 2300 4811 2286 4739 Dl 2300 4812 2288 4739 Dl 2300 4811 2289 4738 Dl 2301 4811 2291 4738 Dl 2300 4811 2292 4738 Dl 2300 4812 2293 4738 Dl 2299 4812 2294 4738 Dl 2301 4811 2296 4737 Dl 2300 4811 2297 4737 Dl 2301 4811 2299 4737 Dl 2300 4811 2300 4737 Dl 2301 4811 2301 4737 Dl 2300 4811 2302 4737 Dl 2301 4811 2304 4737 Dl 2300 4811 2305 4737 Dl 2302 4812 2307 4738 Dl 2301 4812 2308 4738 Dl 2301 4811 2309 4738 Dl 2301 4811 2311 4738 Dl 2301 4811 2312 4738 Dl 2301 4812 2313 4739 Dl 2300 4811 2314 4739 Dl 2301 4811 2316 4739 Dl 2301 4811 2317 4739 Dl 2301 4811 2319 4739 Dl (?u)1534 2815 w (!d)1378 2599 w (!i)2066 2192 w (?l !a)1 651 1 1497 2390 t (!b)2356 1573 w (?l ?l)1 599 1 1497 1766 t (!b)1972 2054 w 2253 4283 1965 3900 Dl 2252 4283 2195 4237 Dl 2252 4283 2196 4236 Dl 2252 4283 2196 4235 Dl 2252 4283 2198 4234 Dl 2253 4283 2199 4232 Dl 2252 4283 2199 4232 Dl 2252 4283 2201 4231 Dl 2252 4284 2201 4230 Dl 2252 4283 2202 4229 Dl 2252 4283 2204 4228 Dl 2252 4283 2204 4227 Dl 2252 4283 2205 4226 Dl 2252 4283 2206 4225 Dl 2252 4283 2207 4224 Dl 2252 4283 2209 4224 Dl 2252 4283 2209 4223 Dl 2252 4283 2211 4222 Dl 2252 4283 2212 4222 Dl 2252 4283 2213 4221 Dl 2252 4283 2214 4220 Dl 2252 4283 2215 4219 Dl 2253 4283 2217 4219 Dl 2252 4283 2218 4218 Dl 2252 4283 2219 
4217 Dl 2252 4283 2220 4217 Dl 2252 4283 2222 4217 Dl 2252 4283 2222 4216 Dl 2252 4283 2224 4215 Dl 1725 4859 1725 4523 Dl 1725 4860 1707 4788 Dl 1723 4860 1707 4788 Dl 1724 4859 1709 4787 Dl 1724 4859 1710 4787 Dl 1724 4859 1712 4786 Dl 1724 4859 1713 4786 Dl 1725 4859 1715 4786 Dl 1724 4859 1716 4786 Dl 1724 4859 1717 4785 Dl 1723 4859 1718 4785 Dl 1725 4859 1720 4785 Dl 1724 4859 1721 4785 Dl 1725 4859 1723 4785 Dl 1724 4859 1724 4785 Dl 1725 4859 1725 4785 Dl 1724 4859 1726 4785 Dl 1725 4859 1728 4785 Dl 1724 4859 1729 4785 Dl 1726 4859 1731 4785 Dl 1725 4859 1732 4785 Dl 1725 4859 1733 4786 Dl 1725 4859 1735 4786 Dl 1725 4859 1736 4786 Dl 1725 4859 1737 4786 Dl 1724 4859 1738 4787 Dl 1725 4859 1740 4787 Dl 1725 4860 1741 4788 Dl 1725 4860 1743 4788 Dl 1437 3275 1725 2939 Dl 1437 3275 1470 3209 Dl 1437 3275 1471 3210 Dl 1437 3275 1472 3211 Dl 1437 3275 1473 3211 Dl 1436 3275 1474 3211 Dl 1438 3275 1476 3212 Dl 1437 3275 1477 3213 Dl 1437 3275 1478 3214 Dl 1437 3275 1479 3214 Dl 1437 3275 1480 3216 Dl 1437 3275 1481 3216 Dl 1437 3275 1482 3217 Dl 1438 3275 1484 3218 Dl 1437 3275 1484 3219 Dl 1437 3275 1485 3219 Dl 1437 3275 1486 3221 Dl 1436 3276 1487 3222 Dl 1438 3275 1489 3222 Dl 1437 3275 1489 3223 Dl 1436 3275 1490 3224 Dl 1437 3275 1491 3225 Dl 1437 3275 1492 3227 Dl 1437 3275 1493 3227 Dl 1437 3275 1494 3228 Dl 1436 3275 1494 3229 Dl 1437 3275 1496 3230 Dl 1438 3275 1497 3232 Dl 1437 3275 1497 3232 Dl 1340 4283 1340 4044 Dl 1340 4284 1322 4212 Dl 1340 4284 1324 4212 Dl 1340 4283 1325 4211 Dl 1341 4283 1327 4211 Dl 1340 4283 1328 4210 Dl 1340 4283 1329 4210 Dl 1340 4283 1330 4210 Dl 1340 4283 1332 4210 Dl 1340 4283 1333 4209 Dl 1340 4283 1335 4209 Dl 1341 4283 1336 4209 Dl 1340 4283 1337 4209 Dl 1341 4283 1339 4209 Dl 1340 4283 1340 4209 Dl 1341 4283 1341 4209 Dl 1340 4283 1342 4209 Dl 1341 4283 1344 4209 Dl 1340 4283 1345 4209 Dl 1342 4283 1347 4209 Dl 1341 4283 1348 4209 Dl 1341 4283 1349 4210 Dl 1340 4283 1350 4210 Dl 1341 4283 1352 4210 Dl 1341 4283 
1353 4210 Dl 1341 4283 1355 4211 Dl 1341 4283 1356 4211 Dl 1342 4284 1358 4212 Dl 1340 4284 1358 4212 Dl 1340 3227 1340 2988 Dl 1340 3227 1322 3155 Dl 1340 3227 1324 3155 Dl 1340 3227 1325 3155 Dl 1341 3227 1327 3155 Dl 1340 3228 1328 3155 Dl 1340 3227 1329 3154 Dl 1340 3227 1330 3154 Dl 1340 3227 1332 3154 Dl 1340 3228 1333 3154 Dl 1340 3228 1335 3154 Dl 1341 3227 1336 3153 Dl 1340 3227 1337 3153 Dl 1341 3227 1339 3153 Dl 1340 3227 1340 3153 Dl 1341 3227 1341 3153 Dl 1340 3227 1342 3153 Dl 1341 3227 1344 3153 Dl 1340 3227 1345 3153 Dl 1342 3228 1347 3154 Dl 1341 3228 1348 3154 Dl 1341 3227 1349 3154 Dl 1340 3227 1350 3154 Dl 1341 3227 1352 3154 Dl 1341 3228 1353 3155 Dl 1341 3227 1355 3155 Dl 1341 3227 1356 3155 Dl 1342 3227 1358 3155 Dl 1340 3227 1358 3155 Dl 1676 2844 1484 2844 Dl 1677 2844 1605 2862 Dl 1677 2844 1605 2860 Dl 1676 2844 1604 2859 Dl 1676 2844 1604 2858 Dl 1676 2844 1603 2856 Dl 1676 2844 1603 2855 Dl 1676 2844 1603 2854 Dl 1676 2844 1603 2852 Dl 1676 2844 1602 2851 Dl 1676 2844 1602 2849 Dl 1676 2844 1602 2849 Dl 1676 2844 1602 2847 Dl 1676 2844 1602 2846 Dl 1676 2844 1602 2844 Dl 1676 2843 1602 2843 Dl 1676 2843 1602 2841 Dl 1676 2843 1602 2840 Dl 1676 2843 1602 2838 Dl 1676 2843 1602 2838 Dl 1676 2843 1602 2836 Dl 1676 2843 1603 2835 Dl 1676 2843 1603 2833 Dl 1676 2843 1603 2832 Dl 1676 2843 1603 2831 Dl 1676 2843 1604 2829 Dl 1676 2843 1604 2828 Dl 1677 2843 1605 2827 Dl 1677 2844 1605 2826 Dl 1389 2699 1725 2417 Dl 1389 2699 1432 2640 Dl 1389 2699 1433 2640 Dl 1389 2699 1435 2641 Dl 1389 2699 1435 2642 Dl 1389 2699 1436 2643 Dl 1389 2699 1437 2643 Dl 1389 2699 1438 2645 Dl 1389 2700 1440 2646 Dl 1389 2699 1440 2646 Dl 1389 2699 1441 2648 Dl 1389 2699 1443 2648 Dl 1389 2699 1443 2649 Dl 1389 2699 1444 2651 Dl 1389 2699 1445 2651 Dl 1389 2699 1446 2652 Dl 1389 2699 1447 2653 Dl 1389 2699 1448 2654 Dl 1389 2699 1448 2656 Dl 1389 2699 1449 2656 Dl 1389 2699 1450 2658 Dl 1389 2699 1450 2658 Dl 1389 2699 1451 2660 Dl 1389 2699 1452 2661 Dl 1389 
2699 1453 2662 Dl 1389 2700 1453 2664 Dl 1389 2699 1454 2665 Dl 1389 2699 1455 2666 Dl 1389 2699 1455 2667 Dl 1725 2417 1437 2417 Dl 1725 2417 1653 2435 Dl 1724 2419 1652 2435 Dl 1724 2418 1652 2433 Dl 1723 2418 1651 2432 Dl 1724 2418 1651 2430 Dl 1724 2418 1651 2429 Dl 1724 2417 1651 2427 Dl 1724 2418 1651 2426 Dl 1725 2418 1651 2425 Dl 1725 2419 1651 2424 Dl 1725 2417 1651 2422 Dl 1725 2418 1651 2421 Dl 1725 2417 1651 2419 Dl 1725 2418 1651 2418 Dl 1725 2417 1651 2417 Dl 1725 2418 1651 2416 Dl 1725 2417 1651 2414 Dl 1725 2418 1651 2413 Dl 1725 2417 1651 2412 Dl 1725 2417 1651 2410 Dl 1724 2417 1651 2409 Dl 1724 2417 1651 2407 Dl 1724 2417 1651 2406 Dl 1724 2417 1651 2405 Dl 1723 2418 1651 2404 Dl 1724 2417 1652 2402 Dl 1724 2417 1652 2401 Dl 1725 2417 1653 2399 Dl 1725 2226 1725 1890 Dl 1725 2226 1707 2154 Dl 1723 2225 1707 2153 Dl 1724 2225 1709 2153 Dl 1724 2224 1710 2152 Dl 1724 2225 1712 2152 Dl 1724 2225 1713 2152 Dl 1725 2225 1715 2152 Dl 1724 2225 1716 2152 Dl 1724 2226 1717 2152 Dl 1723 2226 1718 2152 Dl 1725 2226 1720 2152 Dl 1724 2226 1721 2152 Dl 1725 2226 1723 2152 Dl 1724 2226 1724 2152 Dl 1725 2226 1725 2152 Dl 1724 2226 1726 2152 Dl 1725 2226 1728 2152 Dl 1724 2226 1729 2152 Dl 1726 2226 1731 2152 Dl 1725 2226 1732 2152 Dl 1725 2225 1733 2152 Dl 1725 2225 1735 2152 Dl 1725 2225 1736 2152 Dl 1725 2225 1737 2152 Dl 1724 2224 1738 2152 Dl 1725 2225 1740 2153 Dl 1725 2225 1741 2153 Dl 1725 2226 1743 2154 Dl 1965 1794 2037 1776 Dl 1965 1792 2037 1776 Dl 1965 1793 2037 1778 Dl 1965 1793 2037 1779 Dl 1965 1793 2038 1781 Dl 1965 1793 2038 1782 Dl 1965 1794 2038 1784 Dl 1965 1793 2038 1785 Dl 1965 1793 2039 1786 Dl 1965 1792 2039 1787 Dl 1965 1794 2039 1789 Dl 1965 1793 2039 1790 Dl 1965 1794 2039 1792 Dl 1965 1793 2039 1793 Dl 1965 1794 2039 1794 Dl 1965 1793 2039 1795 Dl 1965 1794 2039 1797 Dl 1965 1793 2039 1798 Dl 1965 1795 2039 1800 Dl 1965 1794 2039 1801 Dl 1965 1794 2038 1802 Dl 1965 1794 2038 1804 Dl 1965 1794 2038 1805 Dl 1965 1794 2038 1806 Dl 
1965 1793 2037 1807 Dl 1965 1794 2037 1809 Dl 1965 1794 2037 1810 Dl 1965 1794 2037 1812 Dl 2157 1794 1965 1794 Dl 1340 1650 1340 1458 Dl 1340 1650 1322 1578 Dl 1340 1649 1324 1577 Dl 1340 1649 1325 1577 Dl 1341 1648 1327 1576 Dl 1340 1649 1328 1576 Dl 1340 1649 1329 1576 Dl 1340 1649 1330 1576 Dl 1340 1649 1332 1576 Dl 1340 1650 1333 1576 Dl 1340 1650 1335 1576 Dl 1341 1650 1336 1576 Dl 1340 1650 1337 1576 Dl 1341 1650 1339 1576 Dl 1340 1650 1340 1576 Dl 1341 1650 1341 1576 Dl 1340 1650 1342 1576 Dl 1341 1650 1344 1576 Dl 1340 1650 1345 1576 Dl 1342 1650 1347 1576 Dl 1341 1650 1348 1576 Dl 1341 1649 1349 1576 Dl 1340 1649 1350 1576 Dl 1341 1649 1352 1576 Dl 1341 1649 1353 1576 Dl 1341 1648 1355 1576 Dl 1341 1649 1356 1577 Dl 1342 1649 1358 1577 Dl 1340 1650 1358 1578 Dl 1438 1218 1677 1074 Dl 1437 1217 1489 1165 Dl 1437 1217 1490 1166 Dl 1437 1217 1491 1167 Dl 1436 1217 1491 1168 Dl 1437 1217 1493 1169 Dl 1438 1217 1494 1170 Dl 1437 1217 1494 1171 Dl 1436 1217 1495 1172 Dl 1437 1217 1496 1173 Dl 1437 1218 1497 1175 Dl 1437 1217 1498 1175 Dl 1438 1218 1499 1177 Dl 1437 1216 1499 1177 Dl 1437 1217 1500 1179 Dl 1437 1217 1501 1180 Dl 1437 1217 1501 1181 Dl 1437 1217 1502 1182 Dl 1436 1216 1502 1183 Dl 1437 1218 1503 1185 Dl 1438 1217 1504 1186 Dl 1437 1217 1504 1187 Dl 1436 1217 1504 1188 Dl 1437 1218 1505 1190 Dl 1437 1217 1506 1191 Dl 1437 1217 1506 1192 Dl 1438 1217 1507 1193 Dl 1437 1218 1507 1195 Dl 1436 1217 1507 1196 Dl 1196 4955 288 288 De 1677 4428 288 288 De 2157 3900 288 288 De 1196 3900 288 288 De 1196 3371 288 288 De 1677 2844 288 288 De 2301 5345 2301 5099 Dl 2301 5346 2283 5274 Dl 2299 5346 2283 5274 Dl 2300 5345 2285 5273 Dl 2300 5345 2286 5273 Dl 2300 5345 2288 5272 Dl 2300 5345 2289 5272 Dl 2301 5345 2291 5272 Dl 2300 5345 2292 5272 Dl 2300 5345 2293 5271 Dl 2299 5345 2294 5271 Dl 2301 5345 2296 5271 Dl 2300 5345 2297 5271 Dl 2301 5345 2299 5271 Dl 2300 5345 2300 5271 Dl 2301 5345 2301 5271 Dl 2300 5345 2302 5271 Dl 2301 5345 2304 5271 Dl 2300 5345 
2305 5271 Dl 2302 5345 2307 5271 Dl 2301 5345 2308 5271 Dl 2301 5345 2309 5272 Dl 2301 5345 2311 5272 Dl 2301 5345 2312 5272 Dl 2301 5345 2313 5272 Dl 2300 5345 2314 5273 Dl 2301 5345 2316 5273 Dl 2301 5346 2317 5274 Dl 2301 5346 2319 5274 Dl 2163 2322 275 275 De 1196 2844 288 288 De 1677 1794 288 288 De 2157 1314 288 288 De 2157 4955 288 288 De 2204 2226 2132 2244 Dl 2204 2226 2132 2242 Dl 2204 2226 2132 2241 Dl 2204 2225 2132 2239 Dl 2205 2226 2132 2238 Dl 2204 2226 2131 2237 Dl 2204 2226 2131 2236 Dl 2204 2226 2131 2234 Dl 2205 2226 2131 2233 Dl 2205 2227 2131 2232 Dl 2204 2225 2130 2230 Dl 2204 2226 2130 2229 Dl 2204 2225 2130 2227 Dl 2204 2226 2130 2226 Dl 2204 2225 2130 2225 Dl 2204 2226 2130 2224 Dl 2204 2225 2130 2222 Dl 2204 2226 2130 2221 Dl 2205 2224 2131 2219 Dl 2205 2225 2131 2218 Dl 2204 2225 2131 2217 Dl 2204 2226 2131 2216 Dl 2204 2225 2131 2214 Dl 2205 2225 2132 2213 Dl 2204 2225 2132 2211 Dl 2204 2225 2132 2210 Dl 2204 2224 2132 2208 Dl 2204 2226 2132 2208 Dl 1916 2226 2204 2226 Dl 2301 4283 2301 4044 Dl 2301 4284 2283 4212 Dl 2299 4284 2283 4212 Dl 2300 4283 2285 4211 Dl 2300 4283 2286 4211 Dl 2300 4283 2288 4210 Dl 2300 4283 2289 4210 Dl 2301 4283 2291 4210 Dl 2300 4283 2292 4210 Dl 2300 4283 2293 4209 Dl 2299 4283 2294 4209 Dl 2301 4283 2296 4209 Dl 2300 4283 2297 4209 Dl 2301 4283 2299 4209 Dl 2300 4283 2300 4209 Dl 2301 4283 2301 4209 Dl 2300 4283 2302 4209 Dl 2301 4283 2304 4209 Dl 2300 4283 2305 4209 Dl 2302 4283 2307 4209 Dl 2301 4283 2308 4209 Dl 2301 4283 2309 4210 Dl 2301 4283 2311 4210 Dl 2301 4283 2312 4210 Dl 2301 4283 2313 4210 Dl 2300 4283 2314 4211 Dl 2301 4283 2316 4211 Dl 2301 4284 2317 4212 Dl 2301 4284 2319 4212 Dl 2301 3227 2301 2988 Dl 2301 3227 2283 3155 Dl 2299 3227 2283 3155 Dl 2300 3227 2285 3155 Dl 2300 3227 2286 3155 Dl 2300 3228 2288 3155 Dl 2300 3227 2289 3154 Dl 2301 3227 2291 3154 Dl 2300 3227 2292 3154 Dl 2300 3228 2293 3154 Dl 2299 3228 2294 3154 Dl 2301 3227 2296 3153 Dl 2300 3227 2297 3153 Dl 2301 3227 2299 
3153 Dl 2300 3227 2300 3153 Dl 2301 3227 2301 3153 Dl 2300 3227 2302 3153 Dl 2301 3227 2304 3153 Dl 2300 3227 2305 3153 Dl 2302 3228 2307 3154 Dl 2301 3228 2308 3154 Dl 2301 3227 2309 3154 Dl 2301 3227 2311 3154 Dl 2301 3227 2312 3154 Dl 2301 3228 2313 3155 Dl 2300 3227 2314 3155 Dl 2301 3227 2316 3155 Dl 2301 3227 2317 3155 Dl 2301 3227 2319 3155 Dl 3783 1026 288 288 De (all)3877 1046 w (16)3396 1328 w (17)3396 1802 w (18)3403 2324 w (DTE process)1 518 1 1304 5504 t (DCE process)1 524 1 3485 5497 t (2)3421 2858 w (3)3434 3391 w (4)3428 3920 w (5)3416 4448 w (6A)3416 4970 w (7)3914 4964 w (6B)3869 4448 w (10)3895 3913 w (8)4406 2858 w (14)4363 2336 w (1)3902 2342 w (21)3882 1807 w (20)4375 1814 w (19)4363 1334 w (15)3877 2851 w (9)4393 3380 w (10B)4342 3920 w (6C)4360 4442 w (11)4350 4975 w (12)4368 5497 w 1677 1026 288 288 De 4364 4283 4076 3900 Dl 4364 4283 4307 4237 Dl 4364 4283 4308 4236 Dl 4365 4283 4309 4235 Dl 4364 4283 4310 4234 Dl 4364 4283 4310 4232 Dl 4365 4283 4312 4232 Dl 4363 4283 4312 4231 Dl 4364 4284 4313 4230 Dl 4365 4283 4315 4229 Dl 4363 4283 4315 4228 Dl 4364 4283 4316 4227 Dl 4364 4283 4317 4226 Dl 4364 4283 4318 4225 Dl 4365 4283 4320 4224 Dl 4363 4283 4320 4224 Dl 4365 4283 4322 4223 Dl 4364 4283 4323 4222 Dl 4364 4283 4324 4222 Dl 4364 4283 4325 4221 Dl 4364 4283 4326 4220 Dl 4365 4283 4328 4219 Dl 4364 4283 4328 4219 Dl 4364 4283 4330 4218 Dl 4364 4283 4331 4217 Dl 4364 4283 4332 4217 Dl 4363 4283 4333 4217 Dl 4365 4283 4335 4216 Dl 4363 4283 4335 4215 Dl 10 I f (Figure 4 \320 X.21 Specification \(1977\))5 1510 1 2125 5819 t 10 B f ( of Mutual Exclusion Algorithms)4 1401(7.4. 
Validation)1 651 2 720 6059 t 10 R f ( potential)1 385(If two or more concurrent processes execute the same code and access the same data, there is a)17 3935 2 720 6215 t ( mutual exclusion problem is)4 1169( The)1 207( results and corrupt the data.)5 1141(problem that they may overwrite each others)6 1803 4 720 6335 t ( a time, assuming)3 706(the problem of restricting access to a critical section in the code to a single process at)16 3415 2 720 6455 t 10 I f (only)4868 6455 w 10 R f ( assume an indivis-)3 769( problem becomes trivial if you can)6 1426( \(The)1 239(the indivisibility of read and write instructions.)6 1886 4 720 6575 t ( problem was first posed by Dijkstra in [Dijkstra 1965].)9 2220( The)1 205(ible test-and-set instruction.\))2 1146 3 720 6695 t 10 B f ([4.a])720 6851 w 10 R f ( the same journal \()4 775(The following `improved' solution appeared one year later in)8 2501 2 943 6851 t 10 I f (Comm. of the ACM)3 796 1 4219 6851 t 10 R f (,)5015 6851 w ( is reproduced here as it was published \(in pseudo Algol\).)10 2299( It)1 111(Vol. 9, No. 1, p. 
45\) by another author.)8 1559 3 720 6971 t 8 CW f (1)960 7121 w 8 B f (Boolean array)1 486 1 1056 7121 t 8 I f (b\(0;1\))1562 7121 w 8 B f (integer)1780 7121 w 8 I f (k, i, j,)2 179 1 2038 7121 t 8 CW f (2)960 7221 w 8 B f (comment)1056 7221 w 8 I f (process i, with i either 0 or 1;)7 947 1 1389 7221 t cleartomark showpage saveobj restore %%EndPage: 27 29 %%Page: 28 30 /saveobj save def mark 30 pagesetup 10 R f (- 28 -)2 216 1 2772 480 t 8 CW f (3)960 820 w 8 I f ( :=)1 100(C0: b\(i\))1 306 2 1056 820 t 8 B f (false)1482 820 w 8 I f (;)1636 820 w 8 CW f (4)960 920 w 8 I f (C1:)1056 920 w 8 B f (if)1248 920 w 8 I f (k != i)2 177 1 1316 920 t 8 B f (then begin)1 358 1 1513 920 t 8 CW f (5)960 1020 w 8 I f (C2:)1056 1020 w 8 B f (if)1248 1020 w 8 I f (not \(b\(j\))1 262 1 1316 1020 t 8 B f (then go to)2 337 1 1598 1020 t 8 I f (C2;)1955 1020 w 8 CW f (6)960 1120 w 8 B f (else)1248 1120 w 8 I f (k := i;)2 203 1 1391 1120 t 8 B f (go to)1 166 1 1614 1120 t 8 I f (C1)1800 1120 w 8 B f (end)1914 1120 w 8 I f (;)2039 1120 w 8 CW f (7)960 1220 w 8 B f (else)1248 1220 w 8 I f (critical section;)1 500 1 1391 1220 t 8 CW f (8)960 1320 w 8 I f (b\(i\) :=)1 214 1 1248 1320 t 8 B f (true)1482 1320 w 8 I f (;)1623 1320 w 8 CW f (9)960 1420 w 8 I f (remainder of program;)2 740 1 1248 1420 t 8 CW f (10)912 1520 w 8 B f (go to)1 166 1 1248 1520 t 8 I f (C0;)1434 1520 w 8 CW f (11)912 1620 w 8 B f (end)1248 1620 w 10 R f (Modeling the solution in)3 990 1 720 1800 t 8 R f (PROMELA)1736 1800 w 10 R f ( long did it)3 443( How)1 246( or disproof the correctness of the algorithm.)7 1794(, and proof)2 437 4 2120 1800 t (take you?)1 385 1 720 1920 t 10 S1 f ()1130 1920 w 1130 1920 m 50 build_sq 1180 1920 m 10 B f ([4.b])720 2076 w 10 R f ( an overview solution attempts up to roughly 1984, see)9 2319( For)1 203(The problem continues to be popular.)5 1563 3 955 2076 t ( two processes, for instance, a particularly elegant solution was)9 2529( For)1 190( [Lamport 1986].)2 687(Raynal [1984/1986] 
or)2 914 4 720 2196 t ( In)1 133(published by G.L. Peterson [Peterson 1981].)5 1776 2 720 2316 t 8 R f (PROMELA)2654 2316 w 10 R f (the solution can be modeled as follows.)6 1579 1 3063 2316 t 8 CW f ( 1)1 240(#define true)1 576 2 864 2466 t ( 0)1 192(#define false)1 624 2 864 2566 t (bool flag[2];)1 624 1 864 2666 t (bool turn;)1 480 1 864 2766 t (proctype user\(bool i\))2 1008 1 864 2866 t ( = true;)2 384({ flag[i])1 720 2 864 2966 t (turn = i;)2 432 1 1248 3066 t (\(flag[1-i] == false || turn == 1-i\);)6 1728 1 1248 3166 t ( critical section */)3 960(crit: skip; /*)2 864 2 864 3266 t (flag[i] = false)2 720 1 1248 3366 t (})864 3466 w (init { atomic { run user\(0\); run user\(1\) } })9 2112 1 864 3566 t 10 R f (Prove Peterson's algorithm correct with)4 1592 1 720 3746 t 8 R f (SPIN)2337 3746 w 10 R f (.)2511 3746 w 10 S1 f ()2561 3746 w 2561 3746 m 50 build_sq 2611 3746 m 10 B f ([4.c])720 3902 w 10 R f ( is no shortage of faulty solutions to the mutual)9 2003(Alas, despite all the publications, even today there)7 2095 2 942 3902 t ( next version was recommended only recently by a major computer manufacturer in)12 3348( The)1 205(exclusion problem.)1 767 3 720 4022 t ( omitted to protect the guilty.\))5 1200( \(Name)1 321(the U.S. 
to a client.)4 769 3 720 4142 t 8 CW f (byte in;)1 384 1 864 4292 t (byte x, y, z;)3 624 1 864 4392 t (proctype user\(byte me\))2 1056 1 864 4492 t ({)864 4592 w ( = me;)2 288(L1: x)1 432 2 864 4692 t (L2: if)1 480 1 864 4792 t ( try again */)3 624( /*)1 432(:: \(y != 0 && y != me\) -> goto L1)10 1584 3 1248 4892 t (:: \(y == 0 || y == me\))7 1056 1 1248 4992 t (fi;)1248 5092 w ( = me;)2 288(L3: z)1 432 2 864 5192 t (L4: if)1 480 1 864 5292 t ( try again */)3 624( /*)1 864( goto L1)2 384( ->)1 192(:: \(x != me\))3 576 5 1248 5392 t (:: \(x == me\))3 576 1 1248 5492 t (fi;)1248 5592 w ( = me;)2 288(L5: y)1 432 2 864 5692 t (L6: if)1 480 1 864 5792 t ( try again */)3 624( /*)1 912(:: \(z != me\) -> goto L1)6 1104 3 1248 5892 t (:: \(z == me\))3 576 1 1248 5992 t (fi;)1248 6092 w ( success */)2 528(L7: /*)1 2400 2 864 6192 t (in = in+1;)2 480 1 1248 6292 t (assert\(in == 1\);)2 768 1 1248 6392 t (in = in - 1;)4 576 1 1248 6492 t (goto L1)1 336 1 1248 6592 t (})864 6692 w (init { atomic { run user\(1\); run user\(2\) } })9 2112 1 864 6792 t 10 R f ( faulty with)2 477( show that it is)4 612( Next)1 251(First convince yourself that the algorithm is correct.)7 2124 4 720 6972 t 8 R f (SPIN)4217 6972 w 10 R f ( long did)2 372(. 
How)1 277 2 4391 6972 t (each step take you?)3 778 1 720 7092 t 10 S1 f ()1523 7092 w 1523 7092 m 50 build_sq 1573 7092 m cleartomark showpage saveobj restore %%EndPage: 28 30 %%Page: 29 31 /saveobj save def mark 31 pagesetup 10 R f (- 29 -)2 216 1 2772 480 t 2280 1300 200 200 De 2380 1600 2380 1400 Dl 2380 1600 2362 1528 Dl 2379 1599 2363 1527 Dl 2379 1599 2364 1527 Dl 2379 1598 2365 1526 Dl 2379 1599 2367 1526 Dl 2379 1599 2368 1526 Dl 2380 1599 2370 1526 Dl 2378 1599 2370 1526 Dl 2379 1600 2372 1526 Dl 2378 1600 2373 1526 Dl 2380 1600 2375 1526 Dl 2379 1600 2376 1526 Dl 2380 1600 2378 1526 Dl 2379 1599 2379 1525 Dl 2380 1599 2380 1525 Dl 2379 1600 2381 1526 Dl 2380 1600 2383 1526 Dl 2379 1600 2384 1526 Dl 2381 1600 2386 1526 Dl 2380 1600 2387 1526 Dl 2380 1599 2388 1526 Dl 2380 1599 2390 1526 Dl 2380 1599 2391 1526 Dl 2380 1599 2392 1526 Dl 2380 1598 2394 1526 Dl 2380 1599 2395 1527 Dl 2380 1599 2396 1527 Dl 2380 1600 2398 1528 Dl 2179 1600 2579 1600 Dl 2380 1800 2380 1600 Dl 2380 1799 2362 1727 Dl 2379 1799 2363 1727 Dl 2379 1799 2364 1727 Dl 2379 1799 2365 1727 Dl 2379 1800 2367 1727 Dl 2379 1799 2368 1726 Dl 2380 1799 2370 1726 Dl 2378 1799 2370 1726 Dl 2379 1800 2372 1726 Dl 2378 1800 2373 1726 Dl 2380 1799 2375 1725 Dl 2379 1799 2376 1725 Dl 2380 1799 2378 1725 Dl 2379 1799 2379 1725 Dl 2380 1799 2380 1725 Dl 2379 1799 2381 1725 Dl 2380 1799 2383 1725 Dl 2379 1799 2384 1725 Dl 2381 1800 2386 1726 Dl 2380 1800 2387 1726 Dl 2380 1799 2388 1726 Dl 2380 1799 2390 1726 Dl 2380 1799 2391 1726 Dl 2380 1800 2392 1727 Dl 2380 1799 2394 1727 Dl 2380 1799 2395 1727 Dl 2380 1799 2396 1727 Dl 2380 1799 2398 1727 Dl 2280 1899 200 200 De 2380 2199 2380 1999 Dl 2380 2200 2362 2128 Dl 2379 2199 2363 2127 Dl 2379 2199 2364 2127 Dl 2379 2199 2365 2127 Dl 2379 2199 2367 2126 Dl 2379 2199 2368 2126 Dl 2380 2199 2370 2126 Dl 2378 2199 2370 2126 Dl 2379 2199 2372 2125 Dl 2378 2199 2373 2125 Dl 2380 2199 2375 2125 Dl 2379 2199 2376 2125 Dl 2380 2199 2378 2125 Dl 2379 2199 2379 
2125 Dl 2380 2199 2380 2125 Dl 2379 2199 2381 2125 Dl 2380 2199 2383 2125 Dl 2379 2199 2384 2125 Dl 2381 2199 2386 2125 Dl 2380 2199 2387 2125 Dl 2380 2199 2388 2126 Dl 2380 2199 2390 2126 Dl 2380 2199 2391 2126 Dl 2380 2199 2392 2126 Dl 2380 2199 2394 2127 Dl 2380 2199 2395 2127 Dl 2380 2199 2396 2127 Dl 2380 2200 2398 2128 Dl 2680 2200 2280 2200 Dl 2479 2400 2479 2200 Dl 2479 2400 2461 2328 Dl 2479 2399 2463 2327 Dl 2479 2399 2464 2327 Dl 2480 2398 2466 2326 Dl 2479 2399 2467 2326 Dl 2479 2399 2468 2326 Dl 2479 2399 2469 2326 Dl 2479 2399 2471 2326 Dl 2479 2400 2472 2326 Dl 2478 2400 2473 2326 Dl 2480 2400 2475 2326 Dl 2479 2400 2476 2326 Dl 2480 2400 2478 2326 Dl 2479 2400 2479 2326 Dl 2480 2400 2480 2326 Dl 2479 2400 2481 2326 Dl 2480 2400 2483 2326 Dl 2479 2400 2484 2326 Dl 2481 2400 2486 2326 Dl 2480 2400 2487 2326 Dl 2481 2399 2489 2326 Dl 2479 2399 2489 2326 Dl 2480 2399 2491 2326 Dl 2480 2399 2492 2326 Dl 2480 2398 2494 2326 Dl 2480 2399 2495 2327 Dl 2480 2399 2496 2327 Dl 2479 2400 2497 2328 Dl 2380 2500 200 200 De 2479 2799 2479 2599 Dl 2479 2799 2461 2727 Dl 2479 2799 2463 2727 Dl 2479 2799 2464 2727 Dl 2480 2799 2466 2727 Dl 2479 2800 2467 2727 Dl 2479 2799 2468 2726 Dl 2479 2799 2469 2726 Dl 2479 2799 2471 2726 Dl 2479 2800 2472 2726 Dl 2478 2799 2473 2725 Dl 2480 2799 2475 2725 Dl 2479 2799 2476 2725 Dl 2480 2799 2478 2725 Dl 2479 2799 2479 2725 Dl 2480 2799 2480 2725 Dl 2479 2799 2481 2725 Dl 2480 2799 2483 2725 Dl 2479 2799 2484 2725 Dl 2481 2799 2486 2725 Dl 2480 2800 2487 2726 Dl 2481 2799 2489 2726 Dl 2479 2799 2489 2726 Dl 2480 2799 2491 2726 Dl 2480 2800 2492 2727 Dl 2480 2799 2494 2727 Dl 2480 2799 2495 2727 Dl 2480 2799 2496 2727 Dl 2479 2799 2497 2727 Dl 2680 2799 2280 2799 Dl 2380 2999 2380 2799 Dl 2061 3000 2380 3000 Dl 2059 1301 2059 3000 Dl 2279 1300 2059 1300 Dl 2280 1300 2208 1318 Dl 2279 1300 2207 1316 Dl 2279 1300 2207 1315 Dl 2278 1299 2206 1313 Dl 2279 1301 2206 1313 Dl 2279 1300 2206 1311 Dl 2279 1300 2206 1310 Dl 2279 1300 2206 
1308 Dl 2280 1300 2206 1307 Dl 2280 1300 2206 1305 Dl 2280 1299 2206 1304 Dl 2280 1300 2206 1303 Dl 2280 1300 2206 1302 Dl 2280 1300 2206 1300 Dl 2280 1299 2206 1299 Dl 2280 1299 2206 1297 Dl 2280 1299 2206 1296 Dl 2280 1300 2206 1295 Dl 2280 1298 2206 1293 Dl 2280 1299 2206 1292 Dl 2279 1299 2206 1291 Dl 2279 1300 2206 1290 Dl 2279 1299 2206 1288 Dl 2279 1299 2206 1287 Dl 2278 1299 2206 1285 Dl 2279 1299 2207 1284 Dl 2279 1299 2207 1283 Dl 2280 1300 2208 1282 Dl 3280 1300 200 200 De 3379 1600 3379 1400 Dl 3379 1600 3361 1528 Dl 3379 1599 3363 1527 Dl 3379 1599 3364 1527 Dl 3380 1598 3366 1526 Dl 3379 1599 3367 1526 Dl 3379 1599 3368 1526 Dl 3379 1599 3369 1526 Dl 3379 1599 3371 1526 Dl 3379 1600 3372 1526 Dl 3378 1600 3373 1526 Dl 3380 1600 3375 1526 Dl 3379 1600 3376 1526 Dl 3380 1600 3378 1526 Dl 3379 1599 3379 1525 Dl 3380 1599 3380 1525 Dl 3379 1600 3381 1526 Dl 3380 1600 3383 1526 Dl 3379 1600 3384 1526 Dl 3381 1600 3386 1526 Dl 3380 1600 3387 1526 Dl 3381 1599 3389 1526 Dl 3379 1599 3389 1526 Dl 3380 1599 3391 1526 Dl 3380 1599 3392 1526 Dl 3380 1598 3394 1526 Dl 3380 1599 3395 1527 Dl 3380 1599 3396 1527 Dl 3379 1600 3397 1528 Dl 3179 1600 3579 1600 Dl 3379 1800 3379 1600 Dl 3379 1799 3361 1727 Dl 3379 1799 3363 1727 Dl 3379 1799 3364 1727 Dl 3380 1799 3366 1727 Dl 3379 1800 3367 1727 Dl 3379 1799 3368 1726 Dl 3379 1799 3369 1726 Dl 3379 1799 3371 1726 Dl 3379 1800 3372 1726 Dl 3378 1800 3373 1726 Dl 3380 1799 3375 1725 Dl 3379 1799 3376 1725 Dl 3380 1799 3378 1725 Dl 3379 1799 3379 1725 Dl 3380 1799 3380 1725 Dl 3379 1799 3381 1725 Dl 3380 1799 3383 1725 Dl 3379 1799 3384 1725 Dl 3381 1800 3386 1726 Dl 3380 1800 3387 1726 Dl 3381 1799 3389 1726 Dl 3379 1799 3389 1726 Dl 3380 1799 3391 1726 Dl 3380 1800 3392 1727 Dl 3380 1799 3394 1727 Dl 3380 1799 3395 1727 Dl 3380 1799 3396 1727 Dl 3379 1799 3397 1727 Dl 3280 1899 200 200 De 3379 2199 3379 1999 Dl 3379 2200 3361 2128 Dl 3379 2199 3363 2127 Dl 3379 2199 3364 2127 Dl 3380 2199 3366 2127 Dl 3379 2199 3367 
2126 Dl 3379 2199 3368 2126 Dl 3379 2199 3369 2126 Dl 3379 2199 3371 2126 Dl 3379 2199 3372 2125 Dl 3378 2199 3373 2125 Dl 3380 2199 3375 2125 Dl 3379 2199 3376 2125 Dl 3380 2199 3378 2125 Dl 3379 2199 3379 2125 Dl 3380 2199 3380 2125 Dl 3379 2199 3381 2125 Dl 3380 2199 3383 2125 Dl 3379 2199 3384 2125 Dl 3381 2199 3386 2125 Dl 3380 2199 3387 2125 Dl 3381 2199 3389 2126 Dl 3379 2199 3389 2126 Dl 3380 2199 3391 2126 Dl 3380 2199 3392 2126 Dl 3380 2199 3394 2127 Dl 3380 2199 3395 2127 Dl 3380 2199 3396 2127 Dl 3379 2200 3397 2128 Dl 3079 2200 3479 2200 Dl 3280 2400 3280 2200 Dl 3280 2400 3262 2328 Dl 3279 2399 3263 2327 Dl 3279 2399 3264 2327 Dl 3279 2398 3265 2326 Dl 3279 2399 3267 2326 Dl 3279 2399 3268 2326 Dl 3280 2399 3270 2326 Dl 3278 2399 3270 2326 Dl 3279 2400 3272 2326 Dl 3278 2400 3273 2326 Dl 3280 2400 3275 2326 Dl 3279 2400 3276 2326 Dl 3280 2400 3278 2326 Dl 3279 2400 3279 2326 Dl 3280 2400 3280 2326 Dl 3279 2400 3281 2326 Dl 3280 2400 3283 2326 Dl 3279 2400 3284 2326 Dl 3281 2400 3286 2326 Dl 3280 2400 3287 2326 Dl 3280 2399 3288 2326 Dl 3280 2399 3290 2326 Dl 3280 2399 3291 2326 Dl 3280 2399 3292 2326 Dl 3280 2398 3294 2326 Dl 3280 2399 3295 2327 Dl 3280 2399 3296 2327 Dl 3280 2400 3298 2328 Dl 3180 2500 200 200 De 3280 2799 3280 2599 Dl 3280 2799 3262 2727 Dl 3279 2799 3263 2727 Dl 3279 2799 3264 2727 Dl 3279 2799 3265 2727 Dl 3279 2800 3267 2727 Dl 3279 2799 3268 2726 Dl 3280 2799 3270 2726 Dl 3278 2799 3270 2726 Dl 3279 2800 3272 2726 Dl 3278 2799 3273 2725 Dl 3280 2799 3275 2725 Dl 3279 2799 3276 2725 Dl 3280 2799 3278 2725 Dl 3279 2799 3279 2725 Dl 3280 2799 3280 2725 Dl 3279 2799 3281 2725 Dl 3280 2799 3283 2725 Dl 3279 2799 3284 2725 Dl 3281 2799 3286 2725 Dl 3280 2800 3287 2726 Dl 3280 2799 3288 2726 Dl 3280 2799 3290 2726 Dl 3280 2799 3291 2726 Dl 3280 2800 3292 2727 Dl 3280 2799 3294 2727 Dl 3280 2799 3295 2727 Dl 3280 2799 3296 2727 Dl 3280 2799 3298 2727 Dl 3480 2799 3080 2799 Dl 3379 2999 3379 2799 Dl 3698 3000 3379 3000 Dl 3700 1301 3700 
3000 Dl 3480 1300 3700 1300 Dl 3479 1300 3551 1282 Dl 3480 1299 3552 1283 Dl 3480 1299 3552 1284 Dl 3481 1299 3553 1285 Dl 3480 1299 3553 1287 Dl 3480 1299 3553 1288 Dl 3480 1300 3553 1290 Dl 3480 1299 3553 1291 Dl 3479 1299 3553 1292 Dl 3479 1298 3553 1293 Dl 3479 1300 3553 1295 Dl 3479 1299 3553 1296 Dl 3479 1299 3553 1297 Dl 3479 1299 3553 1299 Dl 3479 1300 3553 1300 Dl 3479 1300 3553 1302 Dl 3479 1300 3553 1303 Dl 3479 1299 3553 1304 Dl 3479 1300 3553 1305 Dl 3479 1300 3553 1307 Dl 3480 1300 3553 1308 Dl 3480 1300 3553 1310 Dl 3480 1300 3553 1311 Dl 3480 1301 3553 1313 Dl 3481 1299 3553 1313 Dl 3480 1300 3552 1315 Dl 3480 1300 3552 1316 Dl 3479 1300 3551 1318 Dl 2679 1300 2479 1300 Dl 3178 2200 2679 1300 Dl 3179 2200 3129 2146 Dl 3179 2199 3130 2144 Dl 3179 2199 3131 2143 Dl 3179 2199 3132 2143 Dl 3179 2199 3133 2142 Dl 3179 2199 3134 2141 Dl 3179 2199 3135 2140 Dl 3179 2199 3136 2139 Dl 3179 2199 3137 2138 Dl 3179 2199 3138 2138 Dl 3179 2199 3139 2137 Dl 3179 2199 3141 2136 Dl 3179 2200 3142 2136 Dl 3179 2199 3143 2135 Dl 3179 2199 3144 2134 Dl 3179 2198 3145 2133 Dl 3180 2199 3147 2133 Dl 3178 2199 3147 2133 Dl 3179 2199 3149 2132 Dl 3179 2199 3150 2131 Dl 3180 2199 3152 2131 Dl 3178 2199 3152 2130 Dl 3179 2199 3154 2130 Dl 3179 2199 3155 2130 Dl 3180 2199 3157 2129 Dl 3178 2199 3157 2128 Dl 3179 2199 3159 2128 Dl 3179 2200 3160 2128 Dl 3080 1300 3280 1300 Dl 2581 2200 3080 1300 Dl 2580 2200 2599 2128 Dl 2580 2199 2600 2128 Dl 2581 2199 2602 2128 Dl 2579 2199 2602 2129 Dl 2580 2199 2604 2130 Dl 2580 2199 2605 2130 Dl 2581 2199 2607 2130 Dl 2579 2199 2607 2131 Dl 2580 2199 2609 2131 Dl 2580 2199 2610 2132 Dl 2581 2199 2612 2133 Dl 2579 2199 2612 2133 Dl 2580 2198 2614 2133 Dl 2580 2199 2615 2134 Dl 2580 2199 2616 2135 Dl 2580 2200 2617 2136 Dl 2580 2199 2618 2136 Dl 2580 2199 2620 2137 Dl 2580 2199 2621 2138 Dl 2580 2199 2622 2138 Dl 2580 2199 2623 2139 Dl 2580 2199 2624 2140 Dl 2580 2199 2625 2141 Dl 2580 2199 2626 2142 Dl 2581 2199 2628 2143 Dl 2580 2199 
2628 2143 Dl 2580 2199 2629 2144 Dl 2580 2200 2630 2146 Dl 10 S f (\267 \267)1 1045 1 2357 1320 t 2579 3099 2579 2799 Dl 1980 3100 2579 3100 Dl 1980 900 1980 3100 Dl 2679 899 1980 899 Dl 2979 999 2679 899 Dl 3380 999 2980 999 Dl 3379 1199 3379 999 Dl 3379 1200 3361 1128 Dl 3379 1200 3363 1128 Dl 3379 1199 3364 1127 Dl 3380 1199 3366 1127 Dl 3379 1199 3367 1126 Dl 3379 1199 3368 1126 Dl 3379 1199 3369 1126 Dl 3379 1199 3371 1126 Dl 3379 1199 3372 1125 Dl 3378 1199 3373 1125 Dl 3380 1199 3375 1125 Dl 3379 1199 3376 1125 Dl 3380 1199 3378 1125 Dl 3379 1199 3379 1125 Dl 3380 1199 3380 1125 Dl 3379 1199 3381 1125 Dl 3380 1199 3383 1125 Dl 3379 1199 3384 1125 Dl 3381 1199 3386 1125 Dl 3380 1199 3387 1125 Dl 3381 1199 3389 1126 Dl 3379 1199 3389 1126 Dl 3380 1199 3391 1126 Dl 3380 1199 3392 1126 Dl 3380 1199 3394 1127 Dl 3380 1199 3395 1127 Dl 3380 1200 3396 1128 Dl 3379 1200 3397 1128 Dl 3180 3099 3180 2799 Dl 3779 3100 3180 3100 Dl 3780 900 3780 3100 Dl 3081 899 3780 899 Dl 2780 999 3080 899 Dl 2379 999 2779 999 Dl 2380 1199 2380 999 Dl 2380 1200 2362 1128 Dl 2379 1200 2363 1128 Dl 2379 1199 2364 1127 Dl 2379 1199 2365 1127 Dl 2379 1199 2367 1126 Dl 2379 1199 2368 1126 Dl 2380 1199 2370 1126 Dl 2378 1199 2370 1126 Dl 2379 1199 2372 1125 Dl 2378 1199 2373 1125 Dl 2380 1199 2375 1125 Dl 2379 1199 2376 1125 Dl 2380 1199 2378 1125 Dl 2379 1199 2379 1125 Dl 2380 1199 2380 1125 Dl 2379 1199 2381 1125 Dl 2380 1199 2383 1125 Dl 2379 1199 2384 1125 Dl 2381 1199 2386 1125 Dl 2380 1199 2387 1125 Dl 2380 1199 2388 1126 Dl 2380 1199 2390 1126 Dl 2380 1199 2391 1126 Dl 2380 1199 2392 1126 Dl 2380 1199 2394 1127 Dl 2380 1199 2395 1127 Dl 2380 1200 2396 1128 Dl 2380 1200 2398 1128 Dl 10 R f (t1)2620 1620 w (t2)2172 2220 w (t3)2172 2819 w (t4)3061 1620 w (t5)3509 2220 w (t6)3509 2819 w (p1 p4)1 1100 1 2490 1160 t (p2)2529 1919 w (p3)2629 2520 w (p5)3529 1919 w (p6)3429 2520 w 10 I f (Figure 5 \320 Petri Net with Hang State)7 1520 1 2120 3298 t 10 B f ( of Petri Nets)3 556(7.5. 
Validation)1 651 2 720 3538 t 10 R f ( mechanically verify it than it is to understand)8 1869(It is often much easier to build an little validation model and)11 2451 2 720 3694 t ( Nets are relatively easy to model as)7 1444( Petri)1 240(a manual proof of correctness in detail.)6 1566 3 720 3814 t 8 R f (PROMELA)3995 3814 w 10 R f (validation mod-)1 636 1 4404 3814 t (els. A)1 258 1 720 3934 t 8 R f (PROMELA)1003 3934 w 10 R f (model for the net in Figure 5, for instance, is quickly made.)11 2375 1 1412 3934 t 8 CW f ( assume < 256 tokens per place */)7 1584( /*)1 288( byte)1 336(#define Place)1 624 4 864 4084 t (Place p1, p2, p3;)3 816 1 864 4284 t (Place p4, p5, p6;)3 816 1 864 4384 t ( -> x=x-1)2 432( \(x>0\))1 672(#define inp1\(x\))1 720 3 864 4484 t ( -> x = x-1; y=y-1)5 864( \(x>0&&y>0\))1 816(#define inp2\(x,y\))1 816 3 864 4584 t ( x=x+1)1 672(#define out1\(x\))1 720 2 864 4684 t ( y=y+1)1 288( x=x+1;)1 624(#define out2\(x,y\))1 816 3 864 4784 t (init)864 4884 w ( = 1; p4 = 1; /* initial marking */)9 1680({ p1)1 480 2 864 4984 t (do)1248 5084 w ( out1\(p2\) })2 528( ->)1 288( atomic { inp1\(p1\))3 864(/*t1*/ ::)1 480 4 864 5184 t ( atomic { inp2\(p2,p4\) -> out1\(p3\) })6 1680(/*t2*/ ::)1 480 2 864 5284 t ( out2\(p1,p4\) })2 672( ->)1 288( atomic { inp1\(p3\))3 864(/*t3*/ ::)1 480 4 864 5384 t ( out1\(p5\) })2 528( ->)1 288( atomic { inp1\(p4\))3 864(/*t4*/ ::)1 480 4 864 5484 t ( atomic { inp2\(p1,p5\) -> out1\(p6\) })6 1680(/*t5*/ ::)1 480 2 864 5584 t ( out2\(p4,p1\) })2 672( ->)1 288( atomic { inp1\(p6\))3 864(/*t6*/ ::)1 480 4 864 5684 t (od)1248 5784 w (})864 5884 w 10 R f ( \(Copies)1 377( [Berthelot and Terrat 1982].)4 1214(For this exercise, consider the Petri Net published as Figure 1 in)11 2729 3 720 6100 t ( proven to be deadlock free with a manual reduction and proof)11 2491( net was)2 329( The)1 206(available at the tutorial session.\))4 1294 4 720 6220 t ( a model in)3 447( Build)1 273(technique in the paper.)3 909 3 720 6340 t 8 R f 
(PROMELA)2374 6340 w 10 R f (and find the deadlock with)4 1065 1 2783 6340 t 8 R f (SPIN)3873 6340 w 10 R f (.)4047 6340 w 10 S1 f ()4097 6340 w 4097 6340 m 50 build_sq 4147 6340 m 10 B f (8. SUMMARY)1 657 1 720 6580 t 10 R f (There are several ways of expressing correctness requirements in)8 2653 1 720 6736 t 8 R f (PROMELA)3405 6736 w 10 R f ( from simple, but fre-)4 889(, ranging)1 362 2 3789 6736 t ( logical soundness and completeness criteria \(absence of dead-)8 2603(quently used, requirements for specifying)4 1717 2 720 6856 t ( loops, absence)2 623(locks, unspecified receptions\), to more subtle liveness conditions \(absence of non-progress)10 3697 2 720 6976 t ( express and can be validated efficiently.)6 1662( simpler claims are easy to)5 1097( The)1 212(of livelocks\), to temporal claims.)4 1349 4 720 7096 t ( complicated claims require more thought and increase the run-time)9 2991(As can be expected, the more)5 1329 2 720 7216 t cleartomark showpage saveobj restore %%EndPage: 29 31 %%Page: 30 32 /saveobj save def mark 32 pagesetup 10 R f (- 30 -)2 216 1 2772 480 t (requirements for an automated validator.)4 1627 1 720 840 t ( design, a user is unlikely to use more than assertions and perhaps end-state labels.)14 3365(In the initial stages of a)5 955 2 720 996 t (In the final stages of a design, when all initial flaws have been corrected and a more precise qualitative)18 4320 1 720 1116 t ( In)1 148( made, validations with explicit temporal claims may be developed.)9 2835(assessment of the design can be)5 1337 3 720 1236 t ( level of sophistication in a validation is never required and all the necessary properties can)15 3685(many cases this)2 635 2 720 1356 t (be established without it.)3 1000 1 720 1476 t ( have discussed, no)3 783(It is almost impossible to manually verify correctness requirements such as the ones we)13 3537 2 720 1632 t ( protocol systems can be of a)6 1183( behavior of even simple)4 1007( The)1 210(matter how diligent or disciplined 
the designer.)6 1920 4 720 1752 t (complexity that no designer can be expected to assess accurately.)9 2605 1 720 1872 t ( following quote illustrates how Korean typesetters)6 2090( The)1 213(There are several ways to approach this problem.)7 2017 3 720 2028 t (solved it in the 15th Century.)5 1167 1 720 2148 t 9 PA f ( be flogged thirty times for an error per chapter; the printer)11 2483(``The supervisor and compositor shall)4 1549 2 864 2342 t ( bad impression, either too dark or too light, of one character per)12 2717(shall be flogged thirty times for)5 1315 2 864 2452 t (chapter.'')864 2562 w 9 I f (Early Movable Type in Korea)4 1077 1 2899 2672 t 9 R f (-- Kim Won-Yong, 1954)3 897 1 3999 2672 t 10 R f ( observes:)1 402( He)1 166(The quote appears in a book by Daniel Boorstin.)8 1939 3 720 2876 t 9 PA f ( reputation for accuracy earned by the earliest Korean imprints and the)11 2890(``This helps explain both the)4 1142 2 864 3070 t (difficulty that Koreans found in recruiting printers.'')6 2092 1 864 3180 t 9 I f (The Discoverers)1 593 1 3048 3290 t 9 R f (-- Chapter 62, D.J. 
Boorstin, 1983)5 1232 1 3664 3290 t 10 R f ( that can help them)4 784(In protocol design at least, a better approach seems to be to provide designers the tools)15 3536 2 720 3494 t ( tools are needed not only to)6 1192( Such)1 260(secure the desired accuracy.)3 1147 3 720 3614 t 10 I f (express)3353 3614 w 10 R f (the correctness requirements of a)4 1354 1 3686 3614 t ( efficient tools for protocol valida-)5 1403( first)1 190( The)1 209(protocol design, but also to verify those requirements reliably.)8 2518 4 720 3734 t (tion are becoming available.)3 1149 1 720 3854 t 8 R f (SPIN)1915 3854 w 10 R f ( followed by many others supporting)5 1499(is such a tool, and it is likely to be)9 1421 2 2120 3854 t (different types of languages and systems.)5 1647 1 720 3974 t (One of the main strengths of)5 1140 1 720 4130 t 8 R f (SPIN)1885 4130 w 10 R f ( explicitly takes the constraints of a)6 1415( It)1 111(is that it can work on any hardware.)7 1430 3 2084 4130 t ( Cray, a VAX, or a PC, and delivers the best results possible.)12 2460(machine into account, be it a)5 1163 2 720 4250 t 8 R f (SPIN)4385 4250 w 10 R f (is available)1 454 1 4586 4250 t (for educational purposes at no charge.)5 1518 1 720 4370 t 10 B f (9. REFERENCES)1 798 1 720 4610 t 10 R f ( ``A note on reliable full-duplex transmission)6 1815( [1969],)1 342(Bartlett, K.A., Scantlebury, R.A., and Wilkinson, P.T.)6 2163 3 720 4766 t (over half-duplex lines,'')2 967 1 720 4886 t 10 I f (Comm. of the ACM)3 772 1 1712 4886 t 10 R f (, Vol. 12, No. 5, 260-265.)5 1030 1 2492 4886 t ( ``Petri Net Theory for the correctness of protocols,'' IEEE Trans. on)11 2828( [1982],)1 347( Terrat, R.)2 422(Berthelot, G., and)2 723 4 720 5042 t (Comm., Vol COM-30, No. 12, Dec. 1982, pp. 2497-2505.)8 2324 1 720 5162 t ( control,'')1 406( ``Solution to a problem in concurrent programming)7 2126( [1965],)1 347(Dijkstra, E.W.)1 583 4 720 5318 t 10 I f (Comm. of the ACM)3 793 1 4214 5318 t 10 R f (,)5015 5318 w (Vol 8, No. 9, p. 
569.)5 822 1 720 5438 t ( derivation of programs,'')3 1037( ``Guarded commands, nondeterminacy and formal)5 2050( [1975],)1 342(Dijkstra, E.W.)1 578 4 720 5594 t 10 I f (Comm.)4754 5594 w (of the ACM)2 461 1 720 5714 t 10 R f (, Vol. 18, No. 8, pp. 453-457.)6 1180 1 1189 5714 t ( logic to Promela ``never clause'' converter,'' EE594 final project, Cor-)10 2940( ``A temporal)2 555( [1991],)1 347(Glade, B.B.)1 478 4 720 5870 t (nell University, Electrical Engineering Dept., May 3, 1991.)7 2369 1 720 5990 t ( ``Communicating sequential processes,'')3 1694( [1978],)1 351(Hoare, C.A.R.)1 583 3 720 6146 t 10 I f (Comm. of the ACM)3 802 1 3383 6146 t 10 R f (, Vol. 21, No. 8, pp.)5 847 1 4193 6146 t (666-677.)720 6266 w ( [1991],)1 345(Holzmann, G.J.)1 631 2 720 6422 t 10 I f ( of computer protocols)3 923(Design and validation)2 897 2 1725 6422 t 10 R f (, Prentice Hall, 512 pgs, ISBN 0-13-)6 1487 1 3553 6422 t ( above for more complete biblio-)5 1422( to the)2 294( [Refer)1 326(539925-4, International Edition, ISBN 0-13-539834-7.)4 2278 4 720 6542 t (graphic notes on the subject of this tutorial and access to the software.])12 2831 1 720 6662 t ( ``The mutual exclusion problem \320 parts I and II",)9 2079( [1986],)1 345(Lamport, L.)1 484 3 720 6818 t 10 I f (Journal of the ACM)3 812 1 3658 6818 t 10 R f (, Vol. 33, No.)3 562 1 4478 6818 t (2, April 1986, pp. 313-347.)4 1094 1 720 6938 t ( half-duplex telephone lines,'')3 1221( ``Reliable full duplex file transmission over)6 1806( [1968],)1 346(Lynch, W.C.)1 521 4 720 7094 t 10 I f (Comm. of)1 395 1 4645 7094 t (the ACM)1 358 1 720 7214 t 10 R f (, Vol. 11, No. 6, pp. 
407-410.)6 1180 1 1086 7214 t cleartomark showpage saveobj restore %%EndPage: 30 32 %%Page: 31 33 /saveobj save def mark 33 pagesetup 10 R f (- 31 -)2 216 1 2772 480 t ( [1990],)1 343(Manna, Z., and Pnueli, A.)4 1043 2 720 840 t 10 I f (Tools and Rules for the Practicing Verifier)6 1729 1 2133 840 t 10 R f ( Report)1 300(, Stanford University,)2 870 2 3870 840 t (STAN-CS-90-1321, July 1990, 34 pgs.)4 1564 1 720 960 t ( ``Myths about the mutual exclusion problem,'' Letters,'')7 2315( [1981],)1 344(Peterson, G.L.)1 580 3 720 1116 t 10 I f (``Inf.)3959 1116 w 10 R f ( 12, No. 3,)3 434(Proc. Vol.)1 437 2 4169 1116 t (pp. 115-116.)1 508 1 720 1236 t ( [1984/1986],)1 580(Raynal, M.)1 458 2 720 1392 t 10 I f (Algorithms for Mutual Exclusion)3 1353 1 1794 1392 t 10 R f ( 0-262-)1 303(, MIT Press, Cambridge, Mass., ISBN)5 1582 2 3155 1392 t ( 1986 edition is a translation from the original French version published in 1984.])13 3259( [The)1 238(18119-3, 107 pgs.)2 722 3 720 1512 t ( ``Feedback for error control and two-way communication,'')7 2575( [1963],)1 363(Schwartz, L.S.)1 610 3 720 1668 t 10 I f (IEEE Trans. CT)2 692 1 4315 1668 t 10 R f (,)5015 1668 w (March 1963, pp. 49-56.)3 943 1 720 1788 t cleartomark showpage saveobj restore %%EndPage: 31 33 %%Page: 32 34 /saveobj save def mark 34 pagesetup 10 R f (- 32 -)2 216 1 2772 480 t 10 B f (APPENDIX A \320 BRIEF REFERENCE MANUAL FOR PROMELA)7 2957 1 1401 840 t 10 R f ( and usage)2 441( Semantics)1 471( of the language.)3 695(This appendix gives an overview of the main syntax requirements)9 2713 4 720 1116 t ( manual does not cover possible restrictions or extensions of)9 2510( This)1 239(are more fully explained in the paper.)6 1571 3 720 1236 t (specific implementations of the validator)4 1653 1 720 1356 t 8 R f (SPIN)2402 1356 w 10 R f ( has the same machine dependencies as the programming)8 2324(. 
It)1 140 2 2576 1356 t ( effect is of an)4 626( case of doubt, for instance, when you have to find out what the precise)14 3054( In)1 148(language C.)1 492 4 720 1476 t (expression such as)2 745 1 720 1596 t 9 CW f (\(-10\)%\(-9\))1489 1596 w 10 R f (or)2055 1596 w 9 CW f (\(-10\)<<\(-2\))2162 1596 w 10 R f ( to learn is to execute)5 861(on your machine, the quickest way)5 1397 2 2782 1596 t (a little)1 253 1 720 1716 t 8 R f (PROMELA)998 1716 w 10 R f (test program, like)2 702 1 1407 1716 t 8 CW f (init { printf\("%d\\t%d\\n", \(-10\)%\(-9\), \(-10\)<<\(-2\)\) })5 2496 1 864 1866 t 10 R f (The meaning of all conventional operators matches that of ANSI-C.)9 2712 1 720 2046 t 10 B f (LEXICAL CONVENTIONS)1 1226 1 720 2286 t 10 R f ( tokens: identifiers, keywords, constants, operators and statement separators.)8 3256(There are five classes of)4 1064 2 720 2442 t ( interpretation is pos-)3 855( more than one)3 602( If)1 118(Blanks, tabs, newlines, and comments serve only to separate tokens.)9 2745 4 720 2562 t (sible, a token is taken to be the longest string of characters that can constitute a token.)16 3428 1 720 2682 t 10 B f (COMMENTS)720 2922 w 10 R f (Any string started with)3 919 1 720 3078 t 9 CW f (/*)1662 3078 w 10 R f (and terminated with)2 799 1 1795 3078 t 9 CW f (*/)2617 3078 w 10 R f ( cannot be nested.)3 715( Comments)1 484(is a comment.)2 558 3 2750 3078 t 10 B f (IDENTIFIERS)720 3318 w 10 R f (An identifier is a single letter or underscore, followed by zero or more letters, digits, or underscores.)16 4003 1 720 3474 t 10 B f (KEYWORDS)720 3714 w 10 R f (The following identifiers are reserved for use as keywords:)8 2355 1 720 3870 t 8 CW f ( bool)1 816(assert atomic bit)2 1680 2 864 4020 t ( chan do)2 1440(break byte)1 960 2 864 4120 t ( init)1 864( if)1 672(fi goto)1 960 3 864 4220 t ( never)1 768(int len mtype)2 1776 2 864 4320 t ( proctype)1 864(od of printf)2 1824 2 864 4420 t ( timeout)1 912( skip)1 720(run short)1 1008 3 864 4520 t 10 B f 
(CONSTANTS)720 4820 w 10 R f (There are three types of constants.)5 1368 1 720 4976 t 7 S1 f ()864 5132 w 864 5132 m 53 build_ci 917 5132 m 10 R f (String constants)1 642 1 967 5132 t 7 S1 f ()864 5252 w 864 5252 m 53 build_ci 917 5252 m 10 R f (Enumeration constants)1 913 1 967 5252 t 7 S1 f ()864 5372 w 864 5372 m 53 build_ci 917 5372 m 10 R f (Integer constants)1 679 1 967 5372 t (String constants can only be used in)6 1438 1 720 5528 t 9 CW f (printf)2181 5528 w 10 R f (statements.)2530 5528 w ( can be defined in)4 745( They)1 264( define symbolic names for message types.)6 1765(Enumeration constants can be used to)5 1546 4 720 5684 t 9 CW f (mtype)720 5804 w 10 R f (declarations of the type)3 934 1 1015 5804 t 8 CW f (mtype = { namelist })4 960 1 864 5954 t 10 R f (where)720 6134 w 9 CW f (namelist)992 6134 w 10 R f ( one)1 175( Only)1 256(is a comma separated list of symbolic names.)7 1851 3 1455 6134 t 9 CW f (mtype)3766 6134 w 10 R f (declaration per program)2 972 1 4068 6134 t (can be used.)2 490 1 720 6254 t ( floating point num-)3 809( are no)2 273( There)1 283(An integer constant is a sequence of digits representing a decimal integer.)11 2955 4 720 6410 t (bers in)1 269 1 720 6530 t 8 R f (PROMELA)1014 6530 w 10 R f (.)1398 6530 w 10 B f (EXPRESSIONS)720 6770 w 10 R f ( declared)1 367( data, that is all variables)5 1013( Unsigned)1 437(The evaluation of expressions is defined in integer arithmetic.)8 2503 4 720 6926 t (with type)1 382 1 720 7046 t 9 CW f (bit)1132 7046 w 9 R f (,)1294 7046 w 9 CW f (byte)1347 7046 w 9 R f (,)1563 7046 w 10 R f (or)1618 7046 w 9 CW f (bool)1731 7046 w 9 R f (,)1947 7046 w 10 R f ( example,)1 395( For)1 196(are cast to signed integers before being used in expressions.)9 2447 3 2002 7046 t (the value of expression)3 935 1 720 7166 t 9 CW f (\(p-1\))1682 7166 w 9 R f (,)1952 7166 w 10 R f (with)2004 7166 w 9 CW f (p)2209 7166 w 10 R f ( zero, is the signed)4 766(a variable of type byte \(unsigned char\) and value)8 1982 2 
2292 7166 t (value)720 7286 w 9 CW f (-1)974 7286 w 10 R f (in)1122 7286 w 8 R f (PROMELA)1240 7286 w 10 R f ( type of the)3 494( assignments, however, the)3 1124( On)1 187(, and not the unsigned equivalent 255.)6 1611 4 1624 7286 t cleartomark showpage saveobj restore %%EndPage: 32 34 %%Page: 33 35 /saveobj save def mark 35 pagesetup 10 R f (- 33 -)2 216 1 2772 480 t ( value)1 253( The)1 217(destination always prevails.)2 1131 3 720 840 t 9 CW f (-1)2356 840 w 10 R f ( to 255 when it is stored in a unsigned variable, but it)12 2280(is cast)1 259 2 2501 840 t (remains)720 960 w 9 CW f (-1)1059 960 w 10 R f (when stored in a signed variable.)5 1314 1 1192 960 t (The following operators can be used to build expressions.)8 2305 1 720 1116 t 8 CW f (+, \261, *, /, %,)4 672 1 864 1266 t 8 R f (arithmetic operators)1 636 1 2400 1266 t 8 CW f (>, >=, <, <=, ==, !=,)5 1008 1 864 1366 t 8 R f (relational operators)1 614 1 2400 1366 t 8 CW f (&&, ||, !)2 432 1 864 1466 t 8 R f (logical AND, OR, NOT)3 767 1 2400 1466 t 8 CW f ( C)1 864(&, |, \304, >>, <<)4 720 2 864 1566 t 8 R f (-style bit operators)2 595 1 2448 1566 t 8 CW f (!, ?)1 192 1 864 1666 t 8 R f (send and receive operators)3 844 1 2400 1666 t 8 CW f (\(\), [])1 288 1 864 1766 t 8 R f (grouping, indexing)1 607 1 2400 1766 t 8 CW f (len, run)1 384 1 864 1866 t 8 R f (special operators)1 535 1 2400 1866 t 10 R f ( effects, and machine dependencies of all operators match ANSI standard C.)11 3188(The syntax, semantics, side)3 1132 2 720 2046 t ( operators on the first line in the table have the highest prece-)12 2481( The)1 208( the precedence levels.)3 911(Table A.1 defines)2 720 4 720 2166 t (dence.)720 2286 w 10 HB f (Table A.1 \320 Precedence and Associativity)5 2019 1 1870 2466 t 10 S f (_ ___________________________________________________)1 2567 1 1596 2596 t (_ ___________________________________________________)1 2567 1 1596 2616 t 10 H f (Operators Associativity)1 1857 1 2306 2726 t 10 S f (_ 
___________________________________________________)1 2567 1 1596 2746 t 10 CW f (\(\) [])1 360 1 1596 2866 t 10 R f (left to right)2 450 1 3612 2866 t 10 CW f (\304 -)1 240 1 1596 2986 t 10 I f (\(unary minus\))1 563 1 1896 2986 t 10 CW f (!)2579 2986 w 10 I f (\(boolean negation\))1 763 1 2699 2986 t 10 R f (left to right)2 450 1 3612 2986 t 10 CW f (* / %)2 420 1 1596 3106 t 10 R f (left to right)2 450 1 3612 3106 t 10 CW f (+ -)1 240 1 1596 3226 t 10 R f (left to right)2 450 1 3612 3226 t 10 CW f (>> <<)1 360 1 1596 3346 t 10 R f (left to right)2 450 1 3612 3346 t 10 CW f (> < >= <=)3 720 1 1596 3466 t 10 R f (left to right)2 450 1 3612 3466 t 10 CW f (== !=)1 360 1 1596 3586 t 10 R f (left to right)2 450 1 3612 3586 t 10 CW f (&)1596 3706 w 10 R f (left to right)2 450 1 3612 3706 t 10 CW f (|)1596 3826 w 10 R f (left to right)2 450 1 3612 3826 t 10 CW f (&&)1596 3946 w 10 R f (left to right)2 450 1 3612 3946 t 10 CW f (||)1596 4066 w 10 R f (left to right)2 450 1 3612 4066 t 10 CW f (!)1596 4186 w 10 I f (\(send\))1716 4186 w 10 CW f (?)2085 4186 w 10 I f (\(receive\))2205 4186 w 10 R f (left to right)2 450 1 3612 4186 t 10 CW f (len run)1 480 1 1596 4306 t 10 R f (left to right)2 450 1 3612 4306 t 10 CW f (=)1596 4426 w 10 R f (right to left)2 450 1 3612 4426 t 10 S f (_ ___________________________________________________)1 2567 1 1596 4446 t 10 R f ( boolean negation ! and the unary minus)7 1627( The)1 208( operands.)1 413(Most operators, including assignment =, take two)6 1989 4 720 4626 t 10 S f (-)4985 4626 w 10 R f ( expression)1 453( assignment operator takes an)4 1189( The)1 207(operator can be both unary and binary, depending on context.)9 2471 4 720 4746 t (on the right, and a variable reference on the left:)9 1922 1 720 4866 t 8 CW f (varref = expression)2 912 1 864 5016 t 10 R f ( in)1 114(Unlike C, the assignment operator cannot be used in expressions)9 2670 2 720 5196 t 8 R f (PROMELA)3540 5196 w 10 R f ( unary operator,)2 656(. 
The)1 241 2 3924 5196 t 9 CW f (len)4855 5196 w 9 R f (,)5017 5196 w 10 R f (applies to message channels only, and the unary operator)8 2300 1 720 5316 t 9 CW f (run)3046 5316 w 10 R f ( we talk)2 320( Informally,)1 504(applies to process types.)3 980 3 3236 5316 t (about)720 5436 w 9 CW f (len)972 5436 w 10 R f (or)1166 5436 w 9 CW f (run)1279 5436 w 10 R f ( statements that contain)3 965(statements, and similarly about send and receive statements, for)8 2602 2 1473 5436 t (these operators.)1 626 1 720 5556 t 10 B f (REMOTE REFERENCING)1 1209 1 720 5796 t 10 R f ( For)1 192( the same process type can be referred to by name.)10 2043(Global variables and local variables declared within)6 2085 3 720 5952 t (instance)720 6072 w 8 CW f (byte glob;)1 480 1 864 6222 t (proctype same\(\))1 720 1 864 6422 t ( loc;)1 240({ bool)1 576 2 864 6522 t (here: \(loc+glob\))1 864 1 864 6722 t (})864 6822 w 10 R f (Local variables of other processes can be referred to as follows:)10 2542 1 720 7002 t 8 CW f (proctype other\(\))1 768 1 864 7152 t ({)864 7252 w cleartomark showpage saveobj restore %%EndPage: 33 35 %%Page: 34 36 /saveobj save def mark 36 pagesetup 10 R f (- 34 -)2 216 1 2772 480 t 8 CW f (assert\(same[2].loc > 3\))2 1104 1 1248 820 t (})864 920 w 10 R f ( type)1 202(Here a process of)3 706 2 720 1100 t 9 CW f (other)1656 1100 w 10 R f (refers to the local variable)4 1061 1 1956 1100 t 9 CW f (loc)3045 1100 w 10 R f (of the process with)3 772 1 3237 1100 t 9 CW f (pid)4037 1100 w 10 R f (two, i.e., the second)3 811 1 4229 1100 t ( type of that process is different from the specified)9 2033( is a run-time error if the)6 999( It)1 114(process that was instantiated.)3 1174 4 720 1220 t (type)720 1340 w 9 CW f (same)915 1340 w 9 R f (.)1131 1340 w 10 R f ( instance, the con-)3 738( For)1 193(The process state of a remote process can be tested with boolean colon expressions.)13 3389 3 720 1496 t (dition)720 1616 w 8 CW f (same[2]:here)864 1766 w 10 R f ( state that was 
labeled)4 880(is true if and only if the process referred to is currently in the)13 2431 2 720 1946 t 9 CW f (here)4055 1946 w 9 R f (.)4271 1946 w 10 R f (Remote referenc-)1 695 1 4345 1946 t ( to be used only in assertions and in temporal claims.)10 2218(ing of variables and control flow states is intended)8 2102 2 720 2066 t (The language definition, however, does not prevent other applications.)8 2820 1 720 2186 t 10 B f (DECLARATIONS)720 2426 w 10 R f ( be declared either locally,)4 1067( can)1 165( Variables)1 434(Processes and variables must be declared before they can be used.)10 2654 4 720 2582 t ( process can only be declared globally in a)8 1792( A)1 134(within a process type, or globally.)5 1422 3 720 2702 t 9 CW f (proctype)4103 2702 w 10 R f (declaration.)4572 2702 w 9 CW f (Proctype)720 2822 w 10 R f ( The)1 208( a process body.)3 652( declarations may appear anywhere in)5 1519( Local)1 279(declarations cannot be nested.)3 1203 5 1179 2822 t ( is)1 96( It)1 115(scope of a local variable is the complete process body, irrespective of where its declaration is placed.)16 4109 3 720 2942 t ( five basic data)3 604( Ther)1 238(not accessible, though, until execution has passed the point of declaration at least once.)13 3478 3 720 3062 t (types are listed in Table A.2.)5 1151 1 720 3182 t 10 HB f (Table A.2 \320 Basic Data Types)5 1433 1 2163 3362 t 10 S f (_ ____________________________)1 1420 1 2170 3492 t (_ ____________________________)1 1420 1 2170 3512 t 10 H f ( Usage)1 558( \(bits\))1 250(Name Size)1 612 3 2170 3622 t 10 S f (_ ____________________________)1 1420 1 2170 3642 t 10 H f ( unsigned)1 725(bit 1)1 695 2 2170 3762 t ( unsigned)1 725(bool 1)1 695 2 2170 3882 t ( unsigned)1 725(byte 8)1 695 2 2170 4002 t ( signed)1 725(short 16)1 695 2 2170 4122 t ( signed)1 725(int 32)1 695 2 2170 4242 t 10 S f (_ ____________________________)1 1420 1 2170 4262 t 10 B f (VARIABLES)720 4562 w 10 R f ( a list of)3 346(A variable declaration begins with a 
keyword indicating the data type of the variable followed by)15 3974 2 720 4718 t (identifier names, each one optionally followed by an initializer.)8 2535 1 720 4838 t 8 CW f (byte name1, name2 = 4, name3;)5 1392 1 864 4988 t (chan qname; chan a = [3] of { byte };)9 1776 1 864 5088 t 10 R f ( basic data type, and a channel specification for vari-)9 2114(The initializer must be an expression for a variable of a)10 2206 2 720 5268 t (ables of type)2 516 1 720 5388 t 9 CW f (chan)1262 5388 w 9 R f (.)1478 5388 w 10 R f ( types except)2 525(By default, variables of all)4 1074 2 1554 5388 t 9 CW f (chan)3178 5388 w 10 R f ( of type)2 309( Variables)1 434(are initialized to zero.)3 876 3 3421 5388 t 9 CW f (chan)720 5508 w 10 R f ( is undefined what the)4 914( It)1 119(must be initialized explicitly before they can be used for message passing.)11 3039 3 968 5508 t ( likely, it causes a fatal runtime error.)7 1494( Most)1 256(result is of using an uninitialized channel variable.)7 2014 3 720 5628 t ( names)1 286( The)1 211(Table A.2 summarizes the width and attributes of the five basic data types.)12 3056 3 720 5784 t 9 CW f (bit)4303 5784 w 10 R f (and)4497 5784 w 9 CW f (bool)4671 5784 w 10 R f (are)4919 5784 w ( A)1 126(synonyms for a single bit of information.)6 1665 2 720 5904 t 9 CW f (byte)2538 5904 w 10 R f ( that can store a value between 0)7 1320(is an unsigned quantity)3 937 2 2783 5904 t (and 255.)1 344 1 720 6024 t 9 CW f (Short)1110 6024 w 9 R f (s)1380 6024 w 10 R f (and)1440 6024 w 9 CW f (int)1607 6024 w 9 R f (s)1769 6024 w 10 R f (are signed quantities that differ only in the range of values they can hold.)13 2917 1 1829 6024 t (An array of variables is declared as follows:)7 1759 1 720 6180 t 8 CW f (int name1[N];)1 624 1 864 6330 t (chan q[M];)1 480 1 864 6430 t 10 R f (where)720 6610 w 9 CW f (N)989 6610 w 10 R f (and)1071 6610 w 9 CW f (M)1241 6610 w 10 R f ( have an initializer, which initializes all elements of)8 2093( array declaration may)3 
903( An)1 175(are constants.)1 546 4 1323 6610 t ( In)1 137( the array is a channel, one message channel of the given type per array element is created.)17 3682( If)1 120(the array.)1 381 4 720 6730 t (the channel initializer)2 865 1 720 6850 t 8 CW f (chan q[M] = [x] of { types })7 1344 1 864 7000 t 9 CW f (M)720 7180 w 10 R f (is a constant,)2 519 1 799 7180 t 9 CW f (x)1341 7180 w 10 R f (is an expression that specifies the size of the channel, and)10 2298 1 1420 7180 t 9 CW f (types)3741 7180 w 10 R f (is a comma separated list)4 1004 1 4036 7180 t ( can be passed through the channel.)6 1446(of one or more data types that defines the format of each message that)13 2874 2 720 7300 t cleartomark showpage saveobj restore %%EndPage: 34 36 %%Page: 35 37 /saveobj save def mark 37 pagesetup 10 R f (- 35 -)2 216 1 2772 480 t ( passed from one process to)5 1146( channel identifiers can be)4 1075( Initialized)1 462(All channels are initialized to be empty.)6 1637 4 720 840 t (another in messages or in)4 1015 1 720 960 t 9 CW f (run)1758 960 w 10 R f (statements.)1945 960 w 10 B f (PROCESSES AND TEMPORAL CLAIMS)3 1854 1 720 1200 t 10 R f ( keyword)1 382(A process declaration starts with the)5 1485 2 720 1356 t 9 CW f (proctype)2618 1356 w 10 R f (followed by a name, a list of formal parameters)8 1957 1 3083 1356 t ( body of a pro-)4 605( The)1 208( and local variable declarations.)4 1278(enclosed in round braces, and a sequence of statements)8 2229 4 720 1476 t (cess declaration is enclosed in parentheses.)5 1718 1 720 1596 t 8 CW f (proctype name\( /* parameter declarations */ \))6 2160 1 864 1746 t ({)864 1846 w (/* declarations and statements */)4 1584 1 1248 1946 t (})864 2046 w 10 R f ( is required in every)4 814( process declaration)2 798( One)1 219(The parameter declarations cannot have initializers.)5 2076 4 720 2226 t 8 R f (PROMELA)4656 2226 w 10 R f ( is declared without the keyword)5 1306( It)1 111(model: the initial process.)3 1033 3 720 2346 t 9 CW f 
(proctype)3193 2346 w 10 R f (and without a parameter list.)4 1140 1 3650 2346 t 8 CW f ( })1 384( declarations and statements */)4 1488( /*)1 192(init {)1 288 4 864 2496 t 10 R f (It is the first process running and it has)8 1554 1 720 2676 t 9 CW f (pid)2297 2676 w 10 R f (zero.)2484 2676 w (A temporal claim starts with the keyword)6 1659 1 720 2832 t 9 CW f (never)2402 2832 w 10 R f (and can contain any)3 795 1 2697 2832 t 8 R f (PROMELA)3517 2832 w 10 R f (text)3926 2832 w 8 CW f ( })1 384(never { /* declarations and statements */)6 1968 2 864 2982 t 10 R f ( most one temporal claim per)5 1203(There can be at)3 629 2 720 3162 t 8 R f (PROMELA)2584 3162 w 10 R f ( is used to specify a correctness require-)7 1647(model. It)1 393 2 3000 3162 t ( temporal claim specifies a behavior that is claimed)8 2076( The)1 208( the executions of the system specified.)6 1585(ment about)1 451 4 720 3282 t ( the temporal)2 535( claim will normally only contain conditions, though it is valid to allow)12 2890( The)1 208(to be impossible.)2 687 4 720 3402 t ( violate a cor-)3 551( To)1 161( sequences, and send and receive statements.)6 1784(claim to contain variable declarations, atomic)5 1824 4 720 3522 t ( to execute one statement, or one atomic sequence of statements, for)11 2884(rectness claim, it must be possible)5 1436 2 720 3642 t ( using the temporal claim in)5 1124( By)1 168( by any of the other processes in the model.)9 1745(every statement that is executed)4 1283 4 720 3762 t ( linear-time propositional temporal logic formula on the sys-)8 2468(combination with acceptance-state labels, any)4 1852 2 720 3882 t (tem behavior can be expressed \(see Chapter 6\).)7 1883 1 720 4002 t 10 B f (STATEMENTS)720 4242 w 10 R f (There are twelve types of statements:)5 1488 1 720 4398 t 8 CW f ( break)1 720( atomic)1 576(assertion assignment)1 1248 3 864 4548 t ( receive)1 816( printf)1 864(expression goto)1 960 3 864 4648 t ( timeout)1 912( send)1 480(selection repetition)1 1248 3 864 
4748 t 10 R f ( statement can only be passed if it is exe-)9 1711( A)1 130( preceded by one or more declarations.)6 1596(Any statement can be)3 883 4 720 4928 t ( be evaluated: if evaluation returns a zero value the)9 2036( determine its executability the statement can)6 1809(cutable. To)1 475 3 720 5048 t ( evaluation of a)3 630( The)1 209( other cases the statement is executable and can be passed.)10 2370( all)1 128( In)1 136(statement is blocked.)2 847 6 720 5168 t ( means that the statement)4 1010( This)1 228(compound expression is always indivisible.)4 1741 3 720 5288 t 8 CW f (\(a == b && a != b\))6 864 1 864 5438 t 10 R f (will always be unexecutable, but the sequence)6 1843 1 720 5618 t 8 CW f (\(a == b\); \(a != b\))5 864 1 864 5768 t 10 R f (may be executable in that order.)5 1280 1 720 5948 t ( the ``execution'' of the statement.)5 1430(The act of passing the statement after a successful evaluation is called)11 2890 2 720 6104 t ( one)1 199(There is)1 329 2 720 6224 t 10 I f (pseudo)1278 6224 w 10 R f (statement,)1591 6224 w 9 CW f (skip)2027 6224 w 9 R f (,)2243 6224 w 10 R f (which is equivalent to the condition)5 1450 1 2295 6224 t 9 CW f (\(1\))3772 6224 w 9 R f (.)3934 6224 w 9 CW f (Skip)4007 6224 w 9 R f (,)4223 6224 w 10 R f (is a null statement;)3 765 1 4275 6224 t ( may be needed to satisfy syntax requirements.)7 1869( It)1 111(it is always executable and has no effect when executed.)9 2249 3 720 6344 t ( to transfer control to any labeled statement within the same process or proce-)13 3167(Goto statements can be used)4 1153 2 720 6500 t ( Expressions)1 537( and declarations are also always executable.)6 1810( Assignments)1 572( are always executable.)3 939(dure. 
They)1 462 5 720 6620 t ( is, the expression 0 \(zero\) is never executable, and)9 2045( That)1 234( if they return a non-zero value.)6 1266(are only executable)2 775 4 720 6740 t (similarly 1 is always executable.)4 1301 1 720 6860 t ( label may be used as the)6 1052( Each)1 258( a colon.)2 359(Each statement may be preceded by a label: a name followed by)11 2651 4 720 7016 t (destination of a)2 648 1 720 7136 t 9 CW f (goto)1407 7136 w 9 R f (.)1623 7136 w 10 R f ( labels,)1 298(Three types of labels have predefined meanings in validations: end-state)9 3030 2 1712 7136 t ( semantics are explained in the paper.)6 1499( The)1 205(progress-state labels, and acceptance-state labels.)4 1966 3 720 7256 t cleartomark showpage saveobj restore %%EndPage: 35 37 %%Page: 36 38 /saveobj save def mark 38 pagesetup 10 R f (- 36 -)2 216 1 2772 480 t ( break, timeout, and atomic sequences, are)6 1777(The remaining statements, selection, repetition, send, receive,)6 2543 2 720 840 t (discussed below.)1 677 1 720 960 t 10 B f (SELECTION)720 1200 w 10 R f ( statement begins with the keyword)5 1463(A selection)1 460 2 720 1356 t 9 CW f (if)2675 1356 w 9 R f (,)2783 1356 w 10 R f (is followed by a list of one or more options and ends)11 2200 1 2840 1356 t (with the keyword)2 711 1 720 1476 t 9 CW f (fi)1460 1476 w 9 R f (.)1568 1476 w 10 R f ( with the flag)3 545(Every option begins)2 817 2 1647 1476 t 9 CW f (::)3037 1476 w 10 R f ( One)1 221(followed by any sequence of statements.)5 1644 2 3175 1476 t ( first statement of an)4 869( The)1 217( be selected for execution.)4 1092(and only one option from a selection statement will)8 2142 4 720 1596 t ( more than one option is executable, one will)8 1795( If)1 116( the option can be selected or not.)7 1342(option determines whether)2 1067 4 720 1716 t ( the language defines nondeterministic machines.)5 1969( Thus)1 250(be selected at random.)3 892 3 720 1836 t 10 B f (REPETITION AND BREAK)2 1251 1 720 2076 t 10 R f (A repetition or)2 612 
1 720 2232 t 9 CW f (do)1368 2232 w 10 R f (statement is similar to a selection statement, but is executed repeatedly until either a)13 3526 1 1514 2232 t 9 CW f (break)720 2352 w 10 R f (statement is executed or a)4 1039 1 1017 2352 t 9 CW f (goto)2081 2352 w 10 R f ( keywords of the repe-)4 901( The)1 206( control outside the cycle.)4 1033(jump transfers)1 576 4 2324 2352 t (tition statement are)2 766 1 720 2472 t 9 CW f (do)1509 2472 w 10 R f (and)1642 2472 w 9 CW f (od)1809 2472 w 10 R f (instead of)1 391 1 1942 2472 t 9 CW f (if)2356 2472 w 10 R f (and)2489 2472 w 9 CW f (fi)2656 2472 w 9 R f (.)2764 2472 w 10 R f (The)2837 2472 w 9 CW f (break)3016 2472 w 10 R f (statement will terminate the innermost rep-)5 1728 1 3312 2472 t ( use of a)3 365( The)1 215( executed.)1 414(etition statement in which it is)5 1264 4 720 2592 t 9 CW f (break)3011 2592 w 10 R f (statement outside a repetition statement is)5 1724 1 3316 2592 t (illegal.)720 2712 w 10 B f (ATOMIC SEQUENCE)1 998 1 720 2952 t 10 R f (The keyword)1 532 1 720 3108 t 9 CW f (atomic)1278 3108 w 10 R f ( indivisible)1 452(introduces an atomic sequence of statements that is to be executed as one)12 2958 2 1630 3108 t ( syntax is as follows:)4 839(step. 
The)1 391 2 720 3228 t 8 CW f (atomic { sequence };)3 960 1 864 3378 t 10 R f ( is a run-time error if any)6 1015( It)1 113( is now equivalent to one single statement.)7 1713(Logically the sequence of statements)4 1479 4 720 3558 t ( first statement is)3 695( The)1 208( the first one is found to be unexecutable.)8 1674(statement in an atomic sequence other than)6 1743 4 720 3678 t (called the)1 398 1 720 3798 t 10 I f (guard)1156 3798 w 10 R f ( general,)1 357( In)1 147( it is executable, so should be the rest of the sequence.)11 2303( If)1 129(of the sequence.)2 671 5 1433 3798 t ( atomic sequence is followed only with local assignments and local conditions, but)12 3306(therefore, the guard of an)4 1014 2 720 3918 t (not with any send or receive statements.)6 1600 1 720 4038 t 10 B f (SEND)720 4278 w 10 R f (The syntax of a send statement is)6 1326 1 720 4434 t 8 CW f (q!expr)864 4584 w 10 R f (where)720 4764 w 9 CW f (q)990 4764 w 10 R f (is the name of a channel, and the evaluation of expression)10 2349 1 1073 4764 t 9 CW f (expr)3449 4764 w 10 R f ( be appended to)3 644(returns a value to)3 702 2 3694 4764 t ( more)1 234( If)1 120( not exist.)2 400( send statement is not executable \(blocks\) if the channel is full or does)13 2869( The)1 210(the channel.)1 487 6 720 4884 t ( from sender to receiver, the expressions are written in a comma-separated)11 3079(than one value is to be passed)6 1241 2 720 5004 t (list:)720 5124 w 8 CW f (q!expr1,expr2,expr3)864 5274 w 10 R f (Equivalently, this may be written)4 1330 1 720 5454 t 8 CW f (q!expr1\(expr2,expr3\))864 5604 w 10 B f (RECEIVE)720 5904 w 10 R f (The syntax of the receive statement is)6 1508 1 720 6060 t 8 CW f (q?name)864 6210 w 10 R f (where)720 6390 w 9 CW f (q)988 6390 w 10 R f (is the name of a channel and)6 1148 1 1069 6390 t 9 CW f (name)2242 6390 w 10 R f ( a constant is specified the receive)6 1381( If)1 119( or a constant.)3 569(is a variable)2 486 4 2485 6390 t (statement is only executable if the 
channel exists and the oldest message stored in the channel contains the)17 4320 1 720 6510 t ( executable if the channel exists and contains)7 1827( a variable is specified, the receive statement is)8 1900( If)1 119(same value.)1 474 4 720 6630 t ( more)1 231( If)1 117( in that case will receive the value of the message that is retrieved.)13 2657( variable)1 348( The)1 207(any message at all.)3 760 6 720 6750 t ( and)1 174(than one value is sent per message, the receive statement also take a comma-separated list of variables)16 4146 2 720 6870 t (constants,)720 6990 w 8 CW f (q?name1,name2,...)864 7140 w cleartomark showpage saveobj restore %%EndPage: 36 38 %%Page: 37 39 /saveobj save def mark 39 pagesetup 10 R f (- 37 -)2 216 1 2772 480 t (which again is equivalent to)4 1121 1 720 840 t 8 CW f (q?name1\(name2,...\))864 990 w 10 R f ( condition on the executability of the receive: it must be matched by)12 2779(Each constant in this list puts an extra)7 1541 2 720 1170 t ( variable fields retrieve the)4 1073( The)1 206(the value of the corresponding message field of the message to be retrieved.)12 3041 3 720 1290 t ( attempt to receive a value when)6 1339( is an error to)4 560( It)1 118(values of the corresponding message fields on a receive.)8 2303 4 720 1410 t (none was transferred, and vice versa.)5 1475 1 720 1530 t ( list in square)3 560(Any receive statement can be used as a side-effect free condition by enclosing its parameter)14 3760 2 720 1686 t (braces:)720 1806 w 8 CW f (q?[name1,name2,...])864 1956 w (q?[name1\(name2,...\)])864 2056 w 10 R f ( \(returns a non-zero result\) only if the corresponding receive operation is exe-)12 3193(The statement is executable)3 1127 2 720 2236 t (cutable, but it has no effect on the variables or the channel.)11 2353 1 720 2356 t (The only other type of operation allowed on channels is)9 2227 1 720 2512 t 8 CW f (len\(varref\))864 2662 w 10 R f (where)720 2842 w 9 CW f (varref)1001 2842 w 10 R f ( operation returns the 
number of messages in the)8 2069( The)1 221(identifies an instantiated channel.)3 1385 3 1365 2842 t (channel specified, or zero if the channel does not exist.)9 2192 1 720 2962 t 10 B f (TIMEOUT)720 3202 w 10 R f (The keyword)1 529 1 720 3358 t 9 CW f (timeout)1273 3358 w 10 R f (represents a condition that becomes true if and only if no other statement in the sys-)15 3363 1 1677 3358 t ( in expres-)2 427( can be included)3 663( Timeouts)1 432( timeout statement has no effect when executed.)7 1946( A)1 126(tem is executable.)2 726 6 720 3478 t (sions.)720 3598 w 10 B f (MACROS AND INCLUDE FILES)3 1486 1 720 3838 t 10 R f ( and file inclu-)3 615(The source text of a specification is processed by the C preprocessor for macro-expansion)13 3705 2 720 3994 t (sions, Kernighan and Ritchie [1978].)4 1476 1 720 4114 t cleartomark showpage saveobj restore %%EndPage: 37 39 %%Page: 38 40 /saveobj save def mark 40 pagesetup 10 R f (- 38 -)2 216 1 2772 480 t 10 B f (APPENDIX B \320 PROMELA GRAMMAR)4 1848 1 1956 840 t 10 R f ( plus indicates a repetition of one)6 1332( A)1 123( are used for grouping.)4 910( Parenthesis)1 506(The grammar is listed in BNF-style.)5 1449 5 720 1116 t ( brack-)1 282( Square)1 331(or more times of the last syntactical unit; a star indicates a repetition of zero or more times.)17 3707 3 720 1236 t ( Terminals)1 458( are quoted.)2 474( Literals)1 358( vertical bar separates options.)4 1223( A)1 125( indicate optional elements.)3 1108(ets are used to)3 574 7 720 1356 t (are upper-case, non-terminals are lower-case.)4 1809 1 720 1476 t 8 CW f ( { unit } +)4 528(program ::=)1 672 2 864 1626 t ( NAME '\(' [ decl_lst ] '\)' body)7 1488( PROCTYPE)1 480(unit ::=)1 672 3 864 1826 t (| CLAIM body)2 576 1 1392 1926 t (| INIT body)2 528 1 1392 2026 t (| one_decl)1 480 1 1392 2126 t (| MTYPE ASGN '{' NAME { ',' NAME } * '}')10 1920 1 1392 2226 t ( sequence '}')2 624( '{')1 240(body ::=)1 672 3 864 2426 t ( { ';' step } *)5 720( step)1 288(sequence ::=)1 672 3 864 
2626 t ( decl_lst ] stmnt)3 816( [)1 144(step ::=)1 672 3 864 2826 t ( TYPE ivar { ',' ivar } * ])8 1296( [)1 144(one_decl ::=)1 672 3 864 3026 t ( { ';' one_decl } *)5 912( one_decl)1 480(decl_lst ::=)1 672 3 864 3226 t ( | var_dcl ASGN expr | var_dcl ASGN ch_init)8 2064( var_dcl)1 432(ivar ::=)1 672 3 864 3426 t ( CONST ']' OF '{' TYPE { ',' TYPE } * '}')11 1968( '[')1 240(ch_init ::=)1 672 3 864 3626 t ( [ '[' CONST ']' ])5 864( NAME)1 288(var_dcl ::=)1 672 3 864 3826 t ( [ '[' expr ']' ])5 816( NAME)1 288(var_ref ::=)1 672 3 864 4026 t ( ASGN expr)2 480( var_ref)1 432(stmnt ::=)1 672 3 864 4226 t (| var_ref RCV margs)3 912 1 1392 4326 t (| var_ref SND margs)3 912 1 1392 4426 t (| PRINT '\(' STRING { ',' expr } * '\)')9 1776 1 1392 4526 t (| ASSERT expr)2 624 1 1392 4626 t (| GOTO NAME)2 528 1 1392 4726 t (| expr)1 288 1 1392 4826 t (| NAME ':' stmnt)3 768 1 1392 4926 t (| IF options FI)3 720 1 1392 5026 t (| DO options OD)3 720 1 1392 5126 t (| BREAK)1 336 1 1392 5226 t (| ATOMIC '{' sequence '}')4 1200 1 1392 5326 t ( SEP sequence } +)4 816( {)1 144(options ::=)1 672 3 864 5526 t ( | '-' | '*' | '/' | '%' | '&' | '|' | '>' | '<')16 2304( '+')1 240(binop ::=)1 672 3 864 5726 t ( LSHIFT | RSHIFT)3 768( |)1 144( AND | OR)3 432( |)1 144( NE)1 144( |)1 144( EQ)1 144( |)1 144( LE)1 144( |)1 144(| GE)1 192 11 1392 5826 t ( | '-' | SND)4 576( '\304')1 240(unop ::=)1 672 3 864 6026 t ( '\(' expr '\)')3 624(expr ::=)1 672 2 864 6226 t (| expr binop expr)3 816 1 1392 6326 t (| unop expr)2 528 1 1392 6426 t (| RUN NAME '\(' [ arg_lst ] '\)')7 1440 1 1392 6526 t (| LEN '\(' var_ref '\)')4 1008 1 1392 6626 t (| var_ref RCV '[' margs ']')5 1296 1 1392 6726 t (| var_ref)1 432 1 1392 6826 t (| CONST)1 336 1 1392 6926 t (| TIMEOUT)1 432 1 1392 7026 t (| var_ref '.' 
var_ref)3 1008 1 1392 7126 t (| var_ref ':' NAME)3 864 1 1392 7226 t cleartomark showpage saveobj restore %%EndPage: 38 40 %%Page: 39 41 /saveobj save def mark 41 pagesetup 10 R f (- 39 -)2 216 1 2772 480 t 8 CW f ( { ',' expr } *)5 720( expr)1 288(arg_lst ::=)1 672 3 864 820 t ( | expr '\(' arg_lst '\)')5 1104( arg_lst)1 432(margs ::=)1 672 3 864 1020 t cleartomark showpage saveobj restore %%EndPage: 39 41 %%Trailer done %%Pages: 41 %%DocumentFonts: Courier Times-Bold Palatino-Roman Helvetica Times-Italic Times-Roman Times-Roman Symbol %%+ Helvetica-Bold