Automated Verification of Refinements of

Universität Dortmund Fachbereich Informatik

Automated Verification of Refinements of Concurrent and Distributed Systems Computer Networks and Distributed Systems Research Group (Prof. Dr. H. Krumm)

Peter Herrmann

Informatik IV

Thomas Kraatz

D-44221 Dortmund Germany

Heiko Krumm Miriam Stange

FORSCHUNGSBERICHT RESEARCH REPORT Nr. 541/1994

Automated Veri cation of Re nements of Concurrent and Distributed Systems Peter Herrmann, Thomas Kraatz, Heiko Krumm, Miriam Stange

Dept. of Computer Science, Dortmund University, D-44221 Dortmund, Germany Phone +49 231 755-4836, Fax -4730 [email protected]

March 28, 1994 Abstract In order to support the practical application of formal veri cation, a fully-automated veri cation tool has been developed which is used for the design of communication systems and distributed applications. The tool refers to the concept of Re nement Mappings, which state correspondences between speci cations of more abstract and more detailed systems. It checks the correctness of the re nements of nitestate transition systems with respect to safety and liveness properties. The liveness properties of re nements are described in terms of the strong-fairness and weak-fairness of transitions. The liveness properties to be checked are described in terms of weak-fair transitions. To tackle the problem of `state explosion' the tool performs on-the- y model checking by structuring the reachability graph of the re nement into strongly-connected components. We report on the basic algorithm, its implementation, and some performance characteristics yielded from the veri cation of data transfer protocols.

1

1 Introduction During the design of computer network applications and communication systems the inherent complexity of concurrent and loosely coupled systems is crucial. Due to the decentralized component activities nondeterministic system behaviours occur and a very large set of global system states has to be re ected. The `old-fashioned' non-formal design methods commonly tend to introduce design errors which are detected only during late development phases and may cause expensive redesigns. Therefore, the practical development of reliable communication systems increasingly resorts to formal speci cation techniques since more than a decade. Many advantages of precise, concise, and machine-processable formal design speci cations are widely appreciated, in particular those which are related with the support of traditional development subtasks by computerassistance. So, tool-supported speci cation editing, document management, textual or graphical document browsing, prototype generation, and test generation directly can improve the productivity. However, there is an important advantage which is recognized scarcely in today's practice, the possibility of formal veri cation. From a short term point of view, formal veri cation introduces additional and unnecessary work since it does not contribute to the construction of the solution directly and since the bene ts of the early detection of design errors carry less weight than the additional costs. The costs result from the necessity of completely formalized speci cations | often even minor aspects have to be modelled formally in full detail | and from the poor tool-support of the veri cation process | the degree of automation is low, the designers have to spend a lot of time for the creative design of proofs and for the man { tool interaction. The work of our group generally concentrates on the design and construction of distributed applications and underlying communication systems. It is directed to the utilization of formal speci cation techniques in practical development projects. Since the increasing complexity of the systems pleads for the introduction of formal veri cations into early design phases, we also investigate the practicability of dierent veri cation methods by means of tool-prototypes and application experiments. One promising approach, we follow up, will be reported. It is aimed to the fully automated veri cation and therefore can reduce the additional costs of formal veri cation from the tool-support point of view. To provide the possi2

bility of exibly verifying dierent aspects of design and of addressing models on dierent levels of abstraction, the tool is based on the approach of Re nement Mappings [1]. A Re nement Mapping maps states of a more detailed system  to states of a more abstract system . By means of this mapping a designer formally can de ne intended relationships between two system models. The mapping has the so-called RM-property, if and only if the safety and liveness properties of are implied by  under the mapping. Then  can be called a correct implementation or correct re nement of . In our eld of application  ? -pairs are given, e.g., by a communication protocol and the service provided (protocol veri cation), by the software speci cation of a protocol entity and the corresponding component of the protocol speci cation (implementation veri cation), by models of some protocol mechanisms and some abstract service properties (veri cation of speci c aspects of protocols), by the speci cation of a distributed application and dierent functional requirements to this application (speci cation check), or by the speci cation of a component of a distributed application and the model of a generalized communication service user (veri cation of the standard-conformable use of a communication service). Sect. 2 describes the relations to other work. Sect. 4 introduces the fundamentals of the algorithm in more detail. Sect. 5 outlines the algorithm and its implementation in the tool prototype. To support the understanding of the algorithm, Sect. 3 describes the underlying modeling concept. Performance characteristics of the tool are reported in Sect. 6. Sect. 7 comments on enhancements which are planned to support strong-fairness constraints of speci cation actions. Sect. 8 concludes the contribution by comments on the integration of the tool in our broader context of tool-assisted system design.

2 Related Work Concurrent and distributed event-discrete systems can be modelled by state transition systems representing concurrency by the interleaving of component transitions. The standardized protocol speci cation languages SDL, Estelle, and Lotos [4, 15, 16] refer to this type of modelling as well as some temporal logic languages (e.g., TLA/TLA+ [19, 20]) which in comparison with the standard languages additionally support the notation of interesting liveness properties. As already mentioned, our approach strongly refers to Re nement 3

Mappings [1]. So, also the form of system de nitions follows the concepts of [1]. The safety properties of a system are de ned by a state transition system, the Next-State relation is structured into actions. Liveness properties are expressed in terms of weak-fairness and strong-fairness constraints for the occurrence of actions and do not implicitly contain safety-constraints. The algorithm takes pro t from the RM-information | and from the restriction of -actions to be at most weak-fair | in order to perform space-ecient on-the- y model checks. Related work concerns the topics `Reachability Graph Exploration', `Model Checking of Re nements', `On-The-Fly Model Checking', and `OnThe-Fly Model-Checking of Liveness Properties'. With respect to reachability graph exploration, [28] introduces the construction and exploration of the reachability graph for the validation of nitestate systems. [13] proposes a space-ecient state representation by hashed bitmaps and introduces the concept of partial state exploration to encounter the state explosion problem. [17] performs partial exploration on the basis of a limited heap. [27] proposes an enhancement of [13] to reduce the probability of non-exhaustive search. With respect to model checking, [5, 6] use state space exploration to check if a formula is met by the corresponding system. [18, 25, 26] propose the application of reachability graph based model-checking algorithms for re nement proofs. Checking on-the- y reduces memory requirements, since only part of the reachability graph has to be kept in memory. So [17] checks the observation equivalence of nite acceptors by a depth- rst search in the partially stored reachability graph and [8] proposes an on-the- y algorithm to decide the bisimulation equivalence of two labelled transition systems. These approaches concentrate on safety properties. The use of Model Checking to verify liveness properties imposes higher memory requirements than checking safety properties since it is necessary to keep track of in nite state sequences. [12] veri es liveness properties by the search for `bad cycles' in strongly-connected components of the graph of Lautomata. [7] represents properties by Buchi-automata whose emptiness can be proved by DFS. These approaches either depend on a complete memory representation of the model or are based on some form of product automaton, only actual traces have to be kept in memory. Advantages of our algorithm are, that | due to the utilization of the 4

RM information | only the simple reachability graph of the re nement is necessary, and that | due to the resort to fairness terms and the RMde ned correspondences between re ned actions and speci cation actions | an on-the- y structuring of this reachability graph into strongly-connected components is possible.

3 Model

In [1] system speci cations are based on behaviours hh(e0; y0); (e1; y1); : : :ii, nite or in nite sequences of states, that are structured into externally visible state components ei and internal state components yi. An externally visible behaviour hhe0 ; e1; : : :ii is the projection of a behaviour to its externally visible state components. A set of behaviours is called a Q-property if it is closed under stuttering and the states of its behaviours are elements of the set Q. The basic model for speci cations are state machines, triples (Q; F; N ):  Q  QE  QI is a set of states consisting of externally visible states QE and internal states QI .  F  Q is the subset of initial states.  N  Q  Q is the next state relation. A property generated by the state machine is the set of all behaviours hhq0; q1; : : :ii with q0 2 F and 8i > 0 : hqi; qi+1i 2 N _ qi = qi+1. A speci cation is de ned as a tuple (Q; F; N; L):  (Q; F; N ) is a state machine that generates the safety property M of the speci ed system.  L is an additional property de ning liveness requirements. The complete property S of a system is de ned to be M \ L. A speci cation  is an implementation, a re nement, of a speci cation , if for each behaviour of the property S there is a behaviour of the property S with the same externally visible behaviours. In [1] a re nement mapping between a speci cation = (Q ; F ; N ; L ) and its implementation  = (Q; F; N ; L) is de ned as a mapping f : Q  ! Q 5

that holds the following conditions (Ex((ei; yi)) = ei maps a state to its externally visible component): R1. 8q 2 Q : Ex(f (q )) = Ex(q ) (f preserves the externally visible state components.) R2. f (F )  F (Initial states are mapped into initial states.) R3.

hq; ri 2 N ) hf (q); f (r)i 2 N _ f (q) = f (r) (State transitions of N

are mapped to either state transitions of N or stuttering steps.) R4. f (S )  L (All mapped behaviours of  preserve the supplementary property of .)  is an implementation of if a re nement mapping f between Q and Q exists. Fairness assumptions of state transitions are sucient to express liveness requirements [2]. Actions, subsets of the next state relation N of a speci cation, can be marked as weak-fair or strong fair. A property PW of a weak fair action FW is the set of all behaviours, at least one of the following conditions is valid for (Enabled(Fn) = fqj9r : hq; ri 2 Fng):  The behaviour contains in nitely many state pairs hqi; qi+1i with hqi; qi+1i 2 FW .  For in nitely many states qi of the behaviour qi 2= Enabled(FW ) holds. A property PS of a strong-fair action FS consists of all behaviours holding at least one of the following conditions:  The behaviour contains in nitely many state pairs hqi; qi+1i with hqi; qi+1i 2 FS .  For just nitely many states qi of the behaviour qi 2 Enabled(FW ) holds. If FW 1; : : :; FWn are the weak-fair actions and FS 1; : : :; FSm the strongfair actions of N , then the supplementary property is de ned as

L = PW 1 \ : : : \ PWn \ PS 1 \ : : : \ PSm 6

PWi and PSj being the related properties of FWi resp. FSj . A suitable speci cation and veri cation technique for this model is Lamport's \Temporal Logic of Actions" (TLA) [19] and the related description technique TLA+ [20] that we used for our implementation. Nevertheless, other state transition based techniques can be used, esp. the standardized formal description techniques ESTELLE [15] and SDL [4], if the transition clauses are extended by fairness markings.

4 Basic Idea The use of model checking for verifying the re nement between a detailed speci cation  and a more abstract speci cation is limited to a restricted class of speci cations. The reachable state space of  must be nite. Further the initial state set and the sets of successor states have to be eciently computable. Also the Enabled-predicates of the dierent actions have to be eciently decidable and the re nement mapping function must be eciently computable. The speci cations express liveness just by fairness assumptions and at most assumes weak-fairness of actions (an extension to abstract actions with strong-fairness assumptions will be discussed in Sect. 7). Based on the speci cations  = hQ ; F; N; L i, = hQ ; F ; N ; L i, and a mapping f between Q and Q the algorithm checks if the re nement mapping conditions R1, : : :, R4, hold for f . G = hV ; Ei and G = hV ; E i are the reachability graphs of  resp. . The safety conditions R1, R2, and R3 are met, if the following lemmata are valid:

  

8q 2 V : Ex(q) = Ex(f (q)) R2: 8q 2 F : f (q ) 2 F (The initial states are reachable per. def.) R3: 8hq; r i 2 E : f (q ) = f (r ) _ hf (q ); f (r )i 2 E

R1:

The proof of the liveness condition R4 has to be performed separately for every weak-fair action FWn of N . For each FWn a subgraph G = hV ; E i with n

n

n

 V = V \ fqjf (q) 2 Enabled(FWn )g n

7

 E = E \ (V  V ) \ fhq; rijhf (q); f (r)i 2= FWn g n

n

n

will be generated. If a behaviour b exists which violates the weakfairness assumption of FWn , then in the state sequence b the following will hold: States will occur in nitely often, the f -images of which are in Enabled(FWn ). And also b at most nitely often will contain state pairs, the f -images of which are in FWn . Thus there exists an in nite tail of b, which corresponds to an in nite trace of the subgraph G . Therefore, in order to prove that  meets the weak-fairness of FWn , one has to exclude in nite traces of G . In nite traces may result from stuttering in the same state or from cycles. So, the following conditions have to be proved: 1. For all q 2 V a weak or strong-fair action Fm with q 2 Enabled(Fm) must exist. Otherwise the system might stutter forever in q and consequently in G . 2. For all cycles hQc; Nc i of G at least one of the two following conditions is met: (a) For at least one node q of the cycle a strong-fair action FSm with the following properties exists:  q 2 Enabled(FSm)  Nc \ FSm = ; In the state q a strong-fair cycle-leaving action FSm is enabled. In nite cycling would cause an in nite enabling of FSm. The strong-fairness assumption of FSm therefore is in contradiction with in nite cycling. (b) For all nodes q of the cycle a weak-fair action FWn with the following properties exists:  q 2 Enabled(FWn)  Nc \ FWn = ; In all states of the cycle the same weak-fair cycle-leaving action FWn is enabled. Therefore the weak-fairness of FWn forbids an in nite cycling. These conditions guarantee that f (M )  FWn is ful lled. Because the examination is done for all weak-fair actions of N , R4: f (M )  L n

n

n

n

n

8

holds. The conditions concern the subgraphs of the dierent weak-fair actions FWn . The subgraphs can be processed separately from each other and moreover can be structured into strongly connected components.

5 Algorithm and Implementation Based on this idea not only the safety conditions R1, R2, and R3 but also the liveness condition R4 can be checked on-the- y in order to decrease the memory consumption. The algorithm checks safety and liveness in separate passes of the reachability graph ([10] proposes a similar algorithm which integrates both aspects into one exploration). The check of the safety conditions is oriented at the Supertrace algorithm [13, 14]. At rst the initial states of the detailed speci cation  will be computed and checked for R2. Then the transitions and reachable states will be computed in order to examine the states for R1 and the transitions for R3. The set of reached states is represented in a hash table. The detailed state representation of a state is kept in memory only during the time period of its rst occurrence as successor state and its examination. The check of the liveness condition R4 consists of separate passes for each weak-fair action FWn . Each such exploration computes the initial states, the reachable states, and the transitions just as it is done for the safety check. Additionally each state q is checked for the condition f (q) 2 Enabled(FWn ). If q meets this condition, the strongly connected component SCCq is generated by DFS and stored. SCCq contains q and all strongly connected states p with f (p) 2 Enabled(FWn ). The condition 1 of Sect. 4 is checked immediately when integrating a state into SCCq. The check of the other two conditions starts after the generation of SCCq . In accordance with condition 2a of Sect. 4 all corresponding states are removed from SCCq. Thus SCCq may be reduced. The reduced SCCq possibly can be splitted into a set of strongly connected components SCCq . Recursively, these are examined for condition 2a, until no more states can be removed. For the remaining SCCq , the condition 2b of Sect. 4 is checked by examination of the transitions. Fig. 1 shows an example. G0 is an example of SCCq. The condition 2a is valid in state d because of transition , but it fails in state b because the outgoing transition  is also internal in G0. G1 is the reduced graph and G2 i

i

9

resp. G3 are its strongly connected components SCCq . In G2 resp. G3 all states must contain a transition ful lling condition 2b of Sect. 4. Otherwise, R4 is violated. In Fig. 1 condition 2b is ful lled by in G2 and  in G3 . i

 and  marked strong fair, and  marked weak fair   b

c G0 a    e d  @I

?

@

?

j

*



HY



H





H





H





H



-

j

j

@



A

@R



A



AU

-

j

j

@

+ Elimination of d +   b

a c    @R

@I

?

@

?

j

*



HY



H





H

G1





H





H



-

j

j

@

A

@R

A

AU



e j

?

+ Reduce to strongly connected components +   b

c e G2 G3 a    ?

@I

?

@

?

j

*





HY

H





H





H





H



j

j

?

?

-

?

j

@

?

Correct due to

Correct due to 

@R

Figure 1: Reduction of a strongly connected component The correctness of the algorithm is proved in [23]. The worst-case performance is O(n3) with n being the number of reachable states of the re ned system. An average-case analysis is dicult because of the dependence on the size of the strongly connected components. An estimation is given in [23]. The management of visited states is similar to the approach of [27]. The 10

states are compressed by a cyclic redundancy check method (in our implementation 2 Bytes). The compressed states are stored in a collision-detecting hash table (199,999 entries). A state is recognized as already reached if the hash table contains an entry with the same hash and cyclic redundancy check values. In the current implementation the algorithm is reliable with a likelihood of 7  10?6 or better if no more than 65 states are mapped to the same hash value. This did never happen in our experiments. Based on the algorithm a prototypical fully-automated \batch-job" veri cation tool has been implemented [23]. The input for the tool are C-routines of the two system descriptions and of the re nement mapping which can be produced by a compiler of a TLA+ -subset for executable speci cations [9].

6 Experiments By application of the tool we proved dierent data link protocols on a DECStation 5000/240 equipped with 108 MBytes-RAM. The rst veri cation was of the Alternating Bit Protocol, a simple stop-and-go protocol for correcting data corruptions. In Table 1 proofs with dierent numbers of message-types Total Runtime Allocated number memory of states (hh:mm:ss) (kBytes) 160 0:02 783.8 1,680 0:03 789.7 15,360 0:19 843.1 152,160 3:03 1377.5 760,160 18:13 3752.5 1,520,160 39:16 6,721.3 3,040,160 1:31:49 12,658.8 6,080,160 3:12:00 24,533.8 12,160,160 9:42:41 48,283.8 Table 1: Time and memory consumption for the proof of the Alternating Bit Protocol 11

are shown. For this protocol the number of elapsed time and allocated memory is linear to the number of explored states. Only in the experiment with the highest number of states page-faults became a major factor worsening the runtime. More realistic data transfer protocols providing for full-duplex data transfer over unreliable media (loss, duplication, reordering, corruption) are Sliding Window Protocols (e.g., HDLC [3]). Due to a relatively long transfer time a certain number of data packets simultaneously can be in transfer. The basic protocol mechanisms are based on sequencing, ow control, packet repetition, and cyclic redundancy checks. Each data packet is supplied with a sequence number by its sender, enabling the receiver to detect ordering exceptions. In the version described here, the receiver reacts by feed back messages of the type \go-back-n" causing the sender to send the demanded packet and its successors again. Packets, that are not con rmed for a long period, will be repeated on timeout demand. In enhanced versions the \selective repeat" of single packets is possible. Our example refers to protocol No. 5 of [24]. Number of states of longest trace: 467,856 Total number of states: 3,742,848 Elapsed time: 8:23:50 Elapsed time of longest trace: 1:03:12 Memory consumption in kBytes: 26,159.3 Number of strongly connected components: 9315 Maximal number of nodes in strongly connected components: 45,324 The table shows statistics from the veri cation of an instance of the protocol, which allows up to three packets to be in transit simultaneously. Remarkable is the relatively high number of small strongly connected components resulting in a low memory consumption. Only 125 strongly connected components contained more than 1,000 states and only 10 more than 10,000 states. The fairly long runtime is acceptable because of the high automization and can be reduced by running the examination of dierent weak-fairness constraints in parallel. 12

7 Strong-Fairness in the Abstract System The limitation to weak-fair actions in the more abstract system is sucient for a great variety of abstract system descriptions. This is particularly valid for communication services. In the main, the user of a service expects a deterministic behaviour, whose liveness can be expressed by weak-fair actions. In the case of non-deterministic exceptional behaviours (e.g., provider-abort) strong-fairness constraints for the normal behaviour may be of interest. Also, strong-fairness assumptions of abstract speci cations facilitate the use of fairly small re nement steps. Therefore an extension of the algorithm for the proof of strong-fair actions FSn in is under study. Strong-fair actions must be executed in nitely often, if they are enabled in nitely often. For the proof of the liveness condition R4 with respect to a strong-fair abstract action FSn we also will compute the reachability graph G of the abstract system . G is reduced to a subgraph by removing all transitions of FSn and all states, that do not have a path to a state with FSn being enabled. Moreover the subgraph will be reduced to its strongly connected components G . FSn is violated, if \cycling" within a G is possible without ever leaving it. Therefore in the reachability graph of the detailed system G we examine the strongly connected components of the states which are mapped to the same G . They are checked for the conditions 1, 2a, and 2b as described in Sect. 4. Unfortunately these strongly connected components are expected to be usually greater than those of the weak-fairness proofs. Therefore presently we are designing an algorithm which facilitates a memory-ecient representation of strongly-connected components. Further, we are thinking about possibilities to store only partial subsets of the strongly connected components. n

n

n

8 Conclusion We introduced an algorithm for safety and liveness proofs of re nements and reported about some application experiments of a corresponding veri cation tool. The use of on-the- y techniques for storing only partial reachability graphs was successful since the state space explosion problems were drastically reduced. In [22] reachability graphs of 106 states can be handled, while the new tool renders possibly the exploration of 107 states. 13

Indeed, realistic systems like models of distributed software systems and even abstract protocol models and models of distributed algorithms have many more states. Therefore creativity is necessary in order to prepare the tool-application. One has to identify the essentials, to elaborate abstractions, and to split the veri cation into manageable subtasks. We also performed veri cation experiments which are based on direct logical reasoning and its support by automated theorem prover utilization. In comparison with this, of course, the batch-job character of state-exploration is an advantage, and it is an disadvantage that abstraction and subtask-splitting are not supported by state-exploration. Special experiences from the practical application of both methods showed that in both sometimes errors occurred. When performing logical reasoning inconsistencies were introduced via subordinary axioms and theorems, and also during the | sometimes tricky | control of the theorem prover. When performing state-exploration, the preparation phase is prone to errors. Therefore it is of interest for us, to be able to tackle the same veri cation problem by dierent techniques. The experience shows, that dierent veri cations of corresponding views mutually can expose errors. Thus the work described only is one but substantial step into the direction of formally veri ed practical designs. Additionally we investigate the possibilities of automated abstraction and subtask splitting of proofs. We follow up an approach which is also based on the concept of re nement mappings and moreover combines it with formal composition and decomposition. The experience from this ongoing work shows that the automated veri cation support can be improved, in particular if application- eld speci c principles of construction and design are utilized additionally. With respect to this two more speci c approaches are under study. Both are based on a compositional speci cation style for TLA which supports the automated reduction of veri cations into separated component proofs. One approach deals with the actual problem of exibly con gured high-speed transfer protocols and facilitates the functional analysis of corresponding protocol spectra [11]. The application- eld speci c information here is provided by a library of high-speed protocol mechanisms, corresponding service properties, re nement mapping constraints, and lemmata of component proofs. The second approach is directed to the tool-supported construction of standardconformable distributed applications [21]. A library re ects patterns of distributed algorithms, user models of communication service standards, and application program interface mechanisms. This information supports the construction of speci c applications since the construction can be performed 14

by the composition of pattern instances. The history of construction can be recorded and can guide the veri cation. Several successful experiments have been performed already in connection with these approaches. They also proved the high usefulness of the tool described.

References [1] M. Abadi and L. Lamport. The Existence of Re nement Mappings. Theoretical Computer Science, 82(2):253{284, May 1991. [2] B. Alpern and F. B. Schneider. De ning Liveness. Information Processing Letters, 21:181{185, 1985. [3] CCITT. SG VII: Recommendation X.25 Layer 3, contribution com VII-144-E edition, 1987. [4] CCITT. SG X: Recommendation Z.100: Speci cation and Description Language SDL, contribution com X-R 15-E edition, 1987. [5] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic veri cation of nitestate concurrent systems using temporal logic speci cations. ACM Transactions of Programming Languages and Systems, 8(2):244{263, Apr. 1986. [6] E. M. Clarke and O. Grumberg. The model checking problem for concurrent systems with many similar processes. In H. B. B. Banieqbal and A. Pnueli, editors, Temporal Logic in Speci cation, number 398 in Lecture Notes in Computer Science, pages 202{212, Altrincham, UK, Apr. 1987. Springer Velag Berlin, Heidelberg, New York. [7] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memory ecient algorithms for the veri cation of temporal properties. Formal Methods in System Design, (1):275{288, 1992. [8] J.-C. Fernandez and L. Mounier. \On the y" veri cation of behavioural equivalences and preorders. Number 575 in Lecture Notes in Computer Science, pages 181{191, Berlin Heidelberg, 1992. Springer-Verlag. [9] G. Graw. Interpretationen von Spezi kationen verteilter Systeme in TLA+. Diploma thesis, Universitat Dortmund, Informatik IV, D-44221 Dortmund, Sept. 1993.

15

[10] P. Herrmann. Veri kation von Sicherheits- und eingeschrankten Lebendigkeitseigenschaften. Technical Note Dok-TLA-93/29, Universitat Dortmund, Informatik IV, D-44221 Dortmund, Jan. 1993. [11] P. Herrmann and H. Krumm. Kompositionale Spezi kation und Veri kation von Hochleistungs-Protokollen. In M. Zitterbart and B. Heinrichs, editors, Proceedings of the GI-Arbeitstreen: Architektur und Implementierung von Hochleistungs-Kommunikationssystemen, Karlsruhe, Jan. 1994. to appear; in German. [12] R. Hojati, R. K. Brayton, and R. P. Kurshan. BDD-based debugging of designs using language containment and fair ctl. In C. Courcoubetis, editor, Computer Aided Veri cation, number 697 in Lecture Notes in Computer Science, pages 41{58, Elounda, Greece, June 1993. Springer Velag Berlin, Heidelberg, New York. [13] G. J. Holzmann. Algorithms for automated protocol veri cation. Software | Practice and Experience, 18(2):137{161, Feb. 1988. [14] G. J. Holzmann. Algorithms for automated protocol veri cation. AT&T Technical Journal, pages 32{44, Jan. 1990. [15] ISO. ESTELLE: A formal description technique based on an extended state transition model, international standard iso/is 9074 edition, 1987. [16] ISO. LOTOS: Language for the temporal ordering speci cation of observational behaviour, international standard iso/is 8807 edition, 1987. [17] C. Jard and T. Jeron. On-line model-checking for nite linear temporal logic speci cations. In J. Sifakis, editor, Automatic Veri cation Methods for Finite State Systems, number 407 in Lecture Notes in Computer Science, pages 189{ 196. Springer-Verlag, Oct. 1989. [18] R. P. Kurshan. Analysis of discrete event coordination. In J. W. de Bakker, W. P. de Roever, and G. Rozenberg, editors, Stepwise Re nement of Distributed Systems - Models, Formalisms, Correctness, number 430 in Lecture Notes in Computer Science, pages 414{453. Springer Verlag, 1990. [19] L. Lamport. The Temporal Logic of Actions. Technical Report 79, DEC Digital Systems Research Center, Palo Alto, May 1991. Research Report. [20] L. Lamport. TLA+: Syntax and Semantics. to appear, preliminary version, DEC Digital Systems Research Center, Palo Alto, Feb. 1992. Research Report.

16

[21] A. Mester and H. Krumm. Entwurf verteilter Anwendungen mit TLA. In O. Drobnik and K. Geihs, editors, Proceedings of the GI-Arbeitstreen: Entwicklung und Management verteilter Anwendungssysteme, Frankfurt, Oct. 1993. in German. [22] A. Schimice. Rechnergestutzte Prufung der Verfeinerungen von Kommunikationssystemen. Diploma thesis, Universitat Dortmund, Informatik IV, D44221 Dortmund, May 1991. [23] M. Stange and T. Kraatz. Ein Werkzeug zur automatischen Veri kation verteilter Systeme per On-the-Fly Model-Checking in TLA. Diploma thesis, Universitat Dortmund, Informatik IV, D-44221 Dortmund, Sept. 1993. [24] A. S. Tanenbaum. Computer Networks. Prentice-Hall, second edition, 1989. [25] M. Y. Vardi. Uni ed veri cation theory. In H. B. B. Banieqbal and A. Pnueli, editors, Temporal Logic in Speci cation, number LNCS 398, pages 202{212, Altrincham, UK, Apr. 1989. Springer Velag Berlin, Heidelberg, New York. [26] P. Wolper. On the relation of programms and computations to models of temporal logic. In H. B. B. Banieqbal and A. Pnueli, editors, Temporal Logic in Speci cation, number 398 in Lecture Notes in Computer Science, pages 75{123, Altrincham, UK, Apr. 1989. Springer Velag Berlin, Heidelberg, New York. [27] P. Wolper and D. Leroy. Reliable hashing without collision detection. In C. Courcoubetis, editor, Computer Aided Veri cation, number 697 in Lecture Notes in Computer Science, pages 59{70, Elounda, Greece, June 1993. Springer Velag Berlin, Heidelberg, New York. [28] P. Za ropulo, C. H. West, H. Rudin, D. D. Cowan, and D. Brand. Towards analyzing and synthesizing protocols. IEEE Transactions on Communications, 28(4):651{661, Apr. 1980.

17