A Correctness Proof of a One-bit Sliding Window Protocol ... - CiteSeerX

A Correctness Proof of a One-bit Sliding Window Protocol in CRL M.A. Bezem and J.F. Groote,

Utrecht University, Department of Philosophy, Heidelberglaan 8, 3584 CS Utrecht, The Netherlands

We model a one-bit sliding window protocol and prove that its external behaviour is a bi-directional buer of capacity 2. The proof is given in CRL, which is a process algebra extended with data. Due to the abundant parallelism in this protocol, the behaviour is quite complicated. The complexity has been mastered by explicitly identifying invariants and foci of cones in the protocol. Both concepts seem promising as tools for the verication of larger and more complex protocols.

1. INTRODUCTION

Sliding window protocols are widely used in data communication networks. These protocols make ecient use of data communication media with long transfer delays. Many data packets may be sent from the sender to the receiver before a data packet is acknowledged. As a consequence there may be many data packets and acknowledgements simultaneously oating around in the protocol. Sliding window protocols have a high degree of parallelism. It is not an easy task to develop correct parallel systems. This gets even harder when the degree of parallelism increases, because then the number of states of the system increases more than proportionally. Mathematical and logical techniques are required to cope with the sheer complexity of such systems too many | even small systems | turn out to be erroneous. A striking example is the third sliding window protocol in 13]. This protocol deadlocks (see 5] and 3] for an explanation). Several techniques have been developed to prove that parallel systems operate correctly, among which there are I/O-automata 9], Hoare Logics 11] and process algebras 1, 8, 10]. The technique adopted in this paper is process algebra in the ACP style 1]. More specically, we are using an extension of process algebra with data which is called CRL 6]. The reason for taking process algebra is that it is designed to deal with parallellism and, in particular, abstraction. It allows for algebraic, semantical and logical approaches. This contrasts with the other techniques. I/O-automata mainly employ the semantical approach and assertional methods are based on Hoare Logic. We think that process algebra has the capability to incorporate the eective aspects of existing formalisms, and to add its own. The current verication provides positive evidence for this standpoint. In this paper we provide a correctness proof for a bidirectional sliding window protocol that has buer size 1. Since only one auxiliary bit is required to ensure reli-

able transmission of data, it is called the One-bit Sliding Window Protocol. Although several verications of onebit sliding window protocols exist 4, 12, 14, 15] this particular verication is interesting for at least three reasons. First, the protocol has been formulated such that the external behaviour of the protocol exactly matches that of a bi-directional buer with capacity 2. We believe that this should be one of the major concerns of a developer of a protocol. Only when a protocol has a `pleasant' external behaviour, it can easily be used within larger systems without introducing unexpected malbehaviour. The internal behaviour of the protocol can of course be rather complicated in order to achieve the external behaviour with optimal use of resources. The external behaviours of the sliding window protocols in 4, 14, 15] are more complicated than the one presented here. Second, the protocol has a high degree of internal parallelism. Most protocols that have been studied in the setting of process algebra have an inherent sequential structure. This includes previous process algebraic verications of the sliding window protocols. As a consequence, the state spaces of these protocols are relatively small. Typically, alternating bit protocols have about 20 states (depending on how states are counted) and this allows for an exhaustive algebraic characterization of the state space. The one-bit sliding window protocol as described in this paper has an estimated number of states of about 10000. In order to cope with this, we use two techniques that we believe to be important for the practice of process algebraic verication. The rst is the use invariants in process algebra with data 2]. The second technique is the identication of structures in the state space of the protocol, called cones and foci. The third reason why we nd the current verication interesting is that it embodies a structure of proof that seems more general, and dierent from existing verications. The description of the protocol is rst expanded

The Computer Journal, Vol. 37, No. 4, 1994

2

M.A. Bezem and J.F. Groote,

to a linear equation, using some ad hoc optimizations wherever possible. In a straightforward way the state space induced by the linear equation is restricted using an invariant. The invariant allows to make convenient substitutions, during the further course of calculations. Then we prove that a slightly adapted version of the bidirectional buer of size 2 is a solution of the obtained linear equation. This reduces to straightforward calculations if a case distinction is made between the states that are focus points of cones, and the states that are not. From the current experiment we have drawn the conclusion that verication of more complicated systems in process algebra is possible, as the current paper provides techniques that enable to characterize properties of state spaces, without the need to give an explicit enumeration of it. Moreover, it hints towards a more modularized approach to protocol verication: nd invariants, identify the focus points and use these to prove the correctness at last. The current verication has been spelled out in some detail in this document, with almost all detailed calculation steps provided. As a consequence the verication is rather lengthy. On the one hand, this is worrysome. As the calculations are long it is hard to obtain the core of the proof of correctness out of the actual proof. On the other hand, there is no real problem in the length of the proof. The calculations are straightforward after the outline of the proof has been provided. Most calculations could have been omitted as they are trivial. We have chosen not to do so, as the kind of calculations is fairly new.

2. THE PROTOCOL AND ITS EXTERNAL BEHAVIOUR We describe the one-bit sliding window protocol (OSWP) in CRL. The language CRL is dened in

6]. It consists of the main process algebra primitives in the style of ACP 1] together with a straightforward extension with data. For an explanation of CRL see for instance 7]. The proof of the correctness of the OSWP is given in the style of 7], but we have additionally listed the axioms that have been used in Appendix A. The data types of a general kind that have been used and that are of a general character have been listed in Appendix B. The overall structure of the OSWP is depicted in Figure 1. There are two unreliable channels that transfer data frames and two S/R components at both sides that send and receive data via the channels. The protocol simultaneously transfers data from left to right and from right to left. We have a standard sort Bool with two elements t and f and the usual boolean operations. The data elements to be transferred are provided by some given sort D. In order to transmit data we require a data type bit which contains two elements e0 and e1 and an invertor inv. Furthermore, we use a data type frame

'$ '$ &% &% Tim

Tim

scl rcl

ra sd

S/R

Channel

QQ4 Q

QQ2Q scl

rcl

S/R

sb rc

Channel

FIGURE 1. The structure of the one-bit sliding window protocol

which contains the elements to be transferred by the data channel. Each frame contains a data element d from D and two bits. The rst bit is the alternating bit which is attached to successive d's, and the second bit is an `piggy backed' acknowledgement. For each data type E there are operations eq : E E ! Bool and if : Bool E E ! E representing, respectively, equality on the data type and if-then-else. sort D bit frame func e0  e1 : bit inv : bit ! bit h  i : D bit bit ! frame dat : frame ! D bit1  bit2 : frame ! bit fdum : frame var d : D b1 b2 : bit rew inv(e0 ) = e1 inv(e1 ) = e0 dat(hd b1  b2 i) = d bit1 (hd b1  b2 i) = b1 bit2 (hd b1  b2 i) = b2 We rst provide an intuitive description of an S/R component. It reads data via gate ra and sends frames via gate s. It receives acknowledgement frames via r4 and it delivers data elements via sb. It continuously receives time-outs from a timer Tim via rcl . The parameters of an S/R component have the following intended meaning. Variable p contains the bit of the last frame sent. Variable q contains the bit of the last frame received. The boolean ready is true i a datum can be read from an outside user, i.e. if its internal buer is free. The boolean rec is true i the receiver does not have a value to be transferred to a receiving instance. The third boolean sts is true in case the protocol should not send a frame into the channel false in case there is a reason to send a frame (after a timeout or after reading a datum to be transmitted). The variable d represents the datum to be transmitted and e the datum which is received. proc P S (ready rec sts:Bool d e:D p q:bit) = d:D ra(d) S (f  rec f  d e inv (p) q ) / ready . +

The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

 / rec . sb(e) S (ready t sts d e p q)+ rcl rec f  d e p q)+ PfS:Db(ready r4 (hf b1  b2 i) b : bit 1 2 (S (eq(b2  p) f  sts d f p inv(q)) /rec^eq(b1  inv(q)). S (eq(b2  p) rec sts d e p q))+  / sts . s(hd p qi) S (ready rec t d e p q) The following equation denes a simple timer. It just generates time-outs all the time. In fact time-outs are not needed in every state of the protocol, but they do never harm. For reasons of simplicity we let the timer generate time-outs independently of the state of the protocol, although this makes the protocol less ecient.

proc Tim = scl Tim The channels are dened as follows. We have chosen for a description where the state of the channel is explicitly recorded using status ags of the type status, as this is convenient in the expansion of the protocol. If the status is read, then the channel can only read a new frame. If the status is del, then the channel must deliver a frame. If the status is choice, then the channel has two options: either to go to the status del, after which the frame in the channel will be delivered, or to go to the status read, which means that the current frame in the channel will be lost.

sort func rew

status read choice del : status eqread eqchoice  eqdel : status ! Bool eqread(read) = t eqread(choice) = f eqread(del) = f eqchoice (read) = f eqchoice (choice) = t eqchoice (del) = f eqdel (read) = f eqdel (choice) = f eqdel (del) = t proc CP(f :frame  st:status) = f :F r(f ) C (f choice) / eqread (st) .  + (i C (f del) + i C (f read)) / eqchoice (st) . + s2 (f ) C (f read) / eqdel (st) .  Combining these elements yields a bi-directional OSWP-protocol.

act

rcl  scl  i r

s c r2  s2  c2  r4  s4  c4 : frame ra rc sb sd : D comm rcl jscl = i rjs = c r2 js2 = c2  r4 js4 = c4 proc OSWP (d1  e1  d2 e2:D p1 p2:Bit) = I@H ( R1 (@H (S (t t t d1  e1 p1  p2 ) k Tim k C (fdum  read))) k R2 (@H (S (t t t d2  e2  p2  p1 ) k Tim k C (fdum  read)))) 0

0

3

where I = fc c2  c4  ig, H = fr2  s2  r4  s4 g, H = fr s rcl  scl g, R1 = fsb ! sdg and R2 = fra ! rc s2 ! s4  r4 ! r2 g. The external behaviour of the protocol should be that of a bidirectional queue DQ of size 2. The data type Queue is specied in Appendix B. proc QP(b:Queue n:nat) = d:D (ra(d) Q(in(d b) n) / size(b) < n .  )+ sd(toe(b)) Q(untoe(b) n) / size(b) > 0 .  0

DQ(b1 b2 :Queue n:nat) = sd sb (Q(b1  n)) k ra rc (Q(b2  n)) f

!

g

f

!

g

The following theorem states the correctness of the onebit sliding window protocol. Theorem 2.1 For all d1 , e1 , d2 , e2 :D, p1 , p2 :Bit

OSWP (d1  e1  d2  e2 p1  p2 ) = DQ(  2) This theorem is repeated and proved as Theorem 8.2.

3. LINEARIZATION The remainder of this article is devoted to proving Theorem 2.1. In the current section OSWP is related to a linear equation. In the next section we prove some invariant properties. In Section 6. we introduce the notions cone and focus in relation to the OSWP. In Section 7. we show that a bi-directional buer with an idle loop satises the linear equation provided in the current section. This is the longest part of the proof. In the nal Section 8. it is then straightforward to show that the bidirectional buer behaves the same as a bi-directional buer with an idle loop. With this result the proof of Theorem 2.1 follows directly. We rst expand the OSWP protocol. In order to do so, we dene the auxiliary processes D and E . For processes with long parameter lists (typically E below), we use the following notational convention: in a recursive call, we only make explicit those parameters that change with respect to the original call. For example, d=d1 means that d is the new value for parameter d1 , inv(p1 )=p1 means that parameter p1 is inverted. Parameters which are not explicitly shown do not change. proc D(ready rec sts:Bool d e:D p q:bit f :frame  st:status) = @H (S (ready rec sts d e p q) k Tim k C (f st)) 0

E (rdy1  rec1  sts1 :Bool d1  e1 :D p1  q1 :bit f1 :frame  st1 :status rdy2  rec2  sts2 :Bool d2  e2:D p2  q2 :bit f2:frame  st2 :status) = @H ( R1 (D(rdy1  rec1  sts1  d1  e1  p1  q1  f1 st1 )) k R2 (D(rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 ))) Lemma 3.1 For all rdy, rdy1 , rdy2 , rec, rec1 , rec2 , sts, sts1 , sts2 :Bool, d, d1 , d2 , e, e1 , e2 :D, p, p1 , p2 ,

The Computer Journal, Vol. 37, No. 4, 1994

4

M.A. Bezem and J.F. Groote,

q, q1 , q2 :bit, f , f , f1 , f2 :frame , st, st1 , st2 :status the 0

equations in Table 1 hold. Proof Straightforward.

2

4. INVARIANT We dene the following predicate in order to establish some invariant properties between the variables in E . In Section 7. this invariant will be used. The operator : binds stronger than ^, which binds stronger than !. I (rdy d e p q f f ) = (rdy ! eq(bit1 (f ) p)^ eq(p q)^eq(e d)^eq(bit2 (f ) p))^ (:rdy^eq(bit1(f ) p) ! eq(d dat(f )))^ (:rdy^eq(p q) ! eq(bit1(f ) p)^eq(e d))^ (:rdy^eq(bit2(f ) p) ! eq(p q)) To support the intuition that I (rdy1  d1  e2  p1  q2  f1  f2 ) is an invariant of E , consider the following trace of E . Initially, rdy1 is true and p1 equals q2 . After an action ra(d), rdy1 becomes false, d1 becomes d, and p1 is inverted. Via c(hd p1  q1 i) the frame containing d is communicated to the channel. This is marked by eq(bit1 (f1 ) p1 ) ^ eq(d dat(f1 )) becoming true. Via c2 (f1 ) the frame is delivered, at which bit q2 is inverted, thus matching p1 again, and e2 is made equal to d1 . Finally, the receipt of the frame is acknowledged by communicating a frame f2 back, whose acknowledging bit bit2 (f2 ) matches p1 . The invariant describes the increase of the match between corresponding bits and corresponding data during the part of the execution in which rdy1 is false, culminating in a perfect match eq(bit1(f1 ) p1 ) ^ eq(p1  q2 ) ^ eq(e2  d1 )) ^ eq(bit2 (f2 ) p1 ) marking the completion of one cycle in the execution. Thereafter rdy1 can safely be made true, expressing readyness to enter a new cycle while maintaining the invariant. Of course the above description concerns only one direction the other direction is completely symmetric. Lemma 4.1 Both I (rdy1  d1  e2  p1  q2  f1 f2 ) and I (rdy2  d2  e1  p2  q1  f2 f1 ) are invariants of E . Proof We follow the denition of an invariant in

2, Corollary 3.9]. As both invariants are symmetric, we only prove I (rdy1  d1  e2  p1  q2  f1  f2 ) an invariant. So, assume I (rdy1  d1  e2  p1  q2  f1  f2 ). We must verify that the invariant is maintained during the course of the process. The following ve cases are non trivial. The numbers refer to the number of the summand in the denition of E . Most of the summands are conditionals and the condition may be used in the proof of the invariant. However, we only mention conditions that are actually used in the proof below. (1) rdy1 ! I (f  d e2  inv(p1 ) q2  f1  f2 ). As rdy1 , it follows from the invariant that eq(p1  q2 ), 0

0

0

eq(bit1 (f1 ) p1 ) and eq(bit2(f2 ) p1 ). Hence, :eq(bit1 (f1 ) inv(p1 )) and :eq(bit2 (f2 ) inv(p1 )). The invariant I (f  d e2  inv(p1) q2  f1  f2) is a direct

consequence of these three observations. (3) I (eq(bit2 (f2 ) p1 ) d1  e2  p1  q2  f1  f2 ). This invariant of course holds if rdy1 $ eq(bit2 (f2 ) p1 ). So, assume rdy1 $ :eq(bit2 (f2 ) p1 ). Then, as rdy1 ! eq(bit2(f2 ) p1 ) by the invariant, we have :rdy1 . From the invariant it follows that eq(p1  q2 ) and thus, eq(bit1(f1 ) p1 ) and eq(e2  d1 ). Hence I (eq(bit2 (f2 ) p1 ) d1  e2  p1  q2  f1  f2 ) holds. (6) I (rdy1  d1  e2  p1  q2  hd1  p1  q1 i f2 ) follows trivially after substitution. (9) We must show that eq(bit1 (f1 ) inv(q2 )) ! I (rdy1  d1  dat(f1 ) p1  inv(q2 ) f1  f2 ): As eq(bit1 (f1 ) inv(q2 )), it follows that :eq(bit1 (f1 ) q2 ). So, it follows, using the invariant, that :rdy1 , :eq(p1  q2 ) and :eq(bit2 (f2 ) p1 ). Hence, eq(p1  inv(q2 )). So, it follows that eq(bit1 (f1 ) p1 ) and hence, again using the invariant, eq(d1  dat(f1 )). It follows that I (rdy1  dat(f1 ) p1  inv(q2 ) f1  f2 ). (12) I (rdy1  d1  e2  p1  q2  f1  hd2  p2  q2 i). This case follows trivially, after substitution.

2

5. A BI-DIRECTIONAL BUFFER WITH AN IDLE LOOP In this short section we dene a bi-directional two-bit buer B with an idle loop. Using KFAR to eliminate the idle loop, B can easily be seen to be equal to the bi-directional two-bit buer DQ(  2) specifying the external behaviour of the OSWP. On the other hand, B can be proved equal to the OSWP, where the idle loop is used to subsume some internal loops of the OSWP. Thus B is an important auxiliary process that serves as an intermediate between the OSWP and DQ(  2). In the denition of B , buer positions are represented using explicit variables: d1 , e2 represent the buer content from left to right (d2 , e1 the buer from right to left). If a buer contains only one element, this element is present in both parameters d1  e2 (d2  e1 ). proc P B (d1  e2  size1 d2  e1  size2) = d:D ra(d) B (d d 1 d2  e1  size2) Pd:D ra(d) B(d e2  2 d2 e1 size/eq2) (size1 0) . + /eq(size1 1) . + sb(e2 ) B (d1  d1  size1 ; 1 d2  e1  size2) Pd:D rc(d) B(d1  e2 size1 d d 1)/size1 > 0 . + Pd:D rc(d) B(d1  e2 size1 d e1/eq2) (size2 0) . + /eq(size2 1) . + sd(e1 ) B (d1  e2 size1 d2  d2  size2 ; 1)

The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL sd(d) sd(d) rc(d) sd(d) rc(d) sd(d)

F

ra(d) sb(d) ra(d) sb(d)

sb(d)

sb(d)

External actions Non progressing internal actions Progressing internal actions

FIGURE 2. A cone and focus point for the OSWP i B (d1  e2  size1 d2  e1  size2)

/size2 > 0 . +

6. CONES AND FOCI At this point we use an explicit distinction between socalled focus and non focus points of cones. As far as we know these heuristic notions have not been identied anywhere else in the literature. Therefore we explain these notions rst. We should stress that the notion of cones and foci are comparable to notions as invariants and induction hypotheses. They are in general not uniquely determined, and there are often alternatives that also work well. Focus points of a distributed system are specic points in the state space of such a system, where all external behaviour can immediately, i.e. without rst doing internal steps be performed. For the OSWP the focus points are those points where as much as possible of the data has been transferred from the senders to the corresponding receivers, and all received data have been acknowledged. Given the focus points of the protocol, we can divide transitions corresponding to internal behaviour into two classes: those that progress towards a focus point, and those that don't. Generally, nding focus points and a natural distinction between progressing and non progressing internal actions is done simultaneously. A typical example of a progressing internal step in the OSWP is a time-out which causes a lost frame to be retransmitted. A typical example of non progressing internal action is a time-out which causes a frame to be retransmitted that arrived already. A characteristic of a focus point is that in such a state all internal behaviour is non progressing. The cone of a focus point F is the set of states which can be reached in a nite number of

5

progressing internal steps and that, the closer to F , the more external behaviour is possible. Note that cycles of progressing internal actions should be excluded as otherwise not every progressing internal step would bring one closer to the focus point. Note furthermore that all points in the cone of F must be weakly bisimulation equivalent. In Figure 2 we have depicted a focus point F of the OSWP and its corresponding cone. Note the increase in possible external behaviour while progressing towards focus point F in Figure 2: rst received data can be delivered (sb(d) sd(d)), and in a later stage also new data can be read (ra(d) rc(d)). For the OSWP we characterize the focus points using the following focus condition FC. We provide some intuition rst, restricting attention to one direction. The protocol is in a focus point in one of the following three situations: no datum neither left nor right, no datum left but a datum right, a datum left as well as right. Note that a datum left and no datum right is excluded in a focus point. In that case the protocol must rst send the datum from the sender to the receiver. In all three situations we must exclude any progressing internal steps, for which we will use sts1 and st1 . Ignoring sts1 and st1 rst, we get rdy1 ^eq(p1  q2 )^rec2 rdy1 ^eq(p1  q2 )^:rec2 :rdy1 ^:eq(p1  q2 )^:rec2 By the invariant rdy1 ! eq(p1  q2 ), so the disjunction of the three conjunctions above simplies to: rdy1 _(:eq(p1  q2 )^:rec2 ) The values of the variables sts1 , sts2 , st1 and st2 in focus points are not very essential. If sts1 = f , this means that a timer signalled that a retransmission should take place. Dispatching the retransmission is considered as `progress'. So, handing over a frame to, the channel and delivering the frame at the receivers are considered progressing internal actions. Consequently, the states where sts1 = f or st1 6= read cannot be focus points. Only if st1 = read and sts1 = t no remaining message need to be transferred at the receiver and so we additionally require that in a focus point st1 = read and sts1 = t. Doing the same for st2 and sts2 , the focus points are those points satisfying the following focus condition FC : FC =(:rec2 _rdy1 )^(:eq(p1  q2 )_rdy1 )^ (:rec1 _rdy2 )^(:eq(p2  q1 )_rdy2 )^ eqread (st1 )^eqread(st2 )^sts1 ^sts2 . Now that we have established the focus condition, we make the distinction between progressing and non progressing transitions explicit. In the case of the OSWP, all transitions labelled by actions c c2  c4 are progressing transitions. Transitions labelled by i (time-outs) can be both progressing and non progressing. Action i is non progressing if it represents the loss of a datum

The Computer Journal, Vol. 37, No. 4, 1994

6

M.A. Bezem and J.F. Groote,

in a channel, or a time-out when there is nothing to retransmit. In all other cases i is progressing. Assume a condition C distinguishes between states in which a transition i is progressing and states in which not. The idea is then to write i : : : = i : : : / C .  + i : : : / :C . . Now the rst i on the right hand side labels progressing transitions and the the second i labels non progressing transitions. The rst i will below be renamed to i to stress that this i will be hidden in the sequel. The other i's will be hidden in the last part of the calculation. Actually, we use i : : : = i : : : + i : : : / :C .  for technical convenience. Given the distinction between progressing and non progressing transitions, we will dene in the next section a partial abstraction by which progressing transitions are replaced by  's. It is important to note that in every state one can do only nitely many progressing steps before arriving at a focus point. We prepare the partial abstraction by dening a process F (see Table 2) which results from E by replacing actions c c2  c4 and i labelling progressing transitions by c  c2  c4 and i , respectively. The partial abstraction  c c2 c4 i F will be used in the next section. Note that the i 's etc. are no silent steps but visible actions. Dene R = fc ! c c2 ! c2  c4 ! c4  i ! ig. The following lemma simply states that undoing the replacements in F yields E and that c c2  c4 do not occur any longer in F . Lemma 6.1 Let rdy1 , rdy2 , rec1 , rec2 , sts1 , sts2 :Bool, d1 , d2 , e1 , e2 :D, p1 , p2 , q1 , q2 :bit, f1 , f2 :frame , st1 , st2 :status. We have E (rdy1  rec1  sts1  d1  e1 p1  q1  f1 st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 ) = R (F (rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 )),  cc2c4 (F (rdy1  rec1  sts1  d1  e1  p1  q1  f1 st1  rdy2  rec2  sts2  d2  e2  p2 q2  f2 st2 )) = F (rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2 p2  q2  f2 st2 ). f

g

f

g

Proof As mentioned above the i 's etc. are no silent steps but visible actions. Hence the recursion equations dening E and F are trivially guarded. Now the rst part of the lemma follows immediately using RSP. The second part is obvious since c c2  c4 do not occur in F

2

7. MAIN LEMMA USING A PARTIAL ABSTRACTION The most substantial step in the correctness proof of the one-bit sliding window protocol is provided by the following lemma. It states, roughly, that the partial abstraction  c c2 c4 i F equals the buer B from Section 5., provided that the invariant and the focus condition are taken into account. This lemma is a direct application of the Concrete Invariant Corollary which has f

g

been dened in 2]. The proof of the lemma is lengthy. This has two reasons. The rst one is that all calculations are spelled out in detail. Actually, the proof of this lemma becomes an easy exercise, once the recursion equation for X is provided and is shown guarded, provided the reader has some skill in process algebraic calculations. As we think that most readers are not skilled in this respect, we provide the full proof. Another reason for the length of the proof is a more serious one, and seems to be inherent to protocols. The description of the expanded protocol requires 14 lines. The recursion equation for X necessarily resembles this equation. When showing that certain terms are a solution for X , terms get a size which is proportional to the dening equation for X . Every calculation step requires repeating these large terms. Therefore, the proof becomes lengthy. Before providing the lemma, we stress once more the fact that we use both the focus condition and the invariant in this lemma. Lemma 7.1 For all rdy1 , rdy2 , rec1 , rec2 , sts1 , sts2 :Bool, d1 , d2 , e1 , e2 :D, p1 , p2 , q1 , q2 :bit, f1, f2 :frame , st1 , st2 :status it holds that I (rdy1  rec1  d1  e2  p1  q2  f1  f2  st1 )^ I (rdy2  rec2  d2  e1  p2  q1  f2  f1  st2 ) implies B (d1  if (rec2  d1  e2) det(rdy1 _eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq(p2  q1 ) rec1 ) /FC . B (d1  if (rec2  d1  e2 ) det(rdy1_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1) det(rdy2 _eq(p2  q1 ) rec1 )) is equivalent to  c c2 c4 i (F (rdy1  rec1  sts1  d1  e1  p1 q1  f1  st1  rdy2  rec2  sts2 d2  e2  p2  q2  f2  st2 ))). where func det : Bool Bool ! Nat rew det(t t) = 0 det(t f ) = 1 det(f  t) = 1 det(f  f ) = 2 f

g

Proof This fact is proven using the Invariant Corollary from 2, Corollary 3.9]. Let X be the process operator corresponding to recursion equation in Table 3. The only dierence with the dening equations of E and F is that the i 's etc. have become silent steps  . As a consequence, X has the same invariants as E , in particular I (rdy1  rec1  d1  e2  p1  q2  f1  f2  st1 )^ I (rdy2  rec2  d2  e1  p2  q1  f2  f1  st2 ) is an invariant of X according to Lemma 4.1.

The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

C (f read) = C (f  read). D(rdyPrec sts d e p q f st) = d:D ra(d) D(f  rec f  d e inv (p) q f st) / rdy .  + P/ rec . sb(e) D(rdy t sts d e p q f st)+ f :Db1 b2 :bit r4 (hf b1  b2 i) (D(eq (b2  p) f  sts d f p inv (q ) f st) /rec^eq(b1  inv(q)) . D(eq(b2  p) rec sts d e p q f st))+ i D(rdy rec f  d e p q f st)+ (i D(rdy rec sts d e p q f del) + i D(rdy rec sts d e p q f read)) / eqchoice (st) . + c(hd p qi) D(rdy rec t d e p q hd p qi choice) / eqread (st)^:sts . + s2 (f ) D(rdy rec sts d e p q f read) / eqdel (st) .  E (rdy1P  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 ) = d:D ra(d) E (f =rdy1  f =sts1  d=d1  inv (p1 )=p1 ) / rdy1 .  +  / rec1 . sd(e1 ) E (t=rec1 )+ c4 (f2 )(E (eq(bit2 (f2 ) p1 )=rdy1  f =rec1  dat(f2 )=e1  inv(q1 )=q1  read=st2 ) /rec1 ^eq(bit1(f2 ) inv(q1 )) . E (eq(bit2 (f2 ) p1 )=rdy1  read=st2 )) / eqdel (st2 ) . + i E (f =sts1 )+ (i E (del=st1) + i E (read=st1 )) / eqchoice (st1 ) . + (t=sts1  hd1  p1  q1 i=f1  choice=st1) / eqread (st1 )^:sts1 . + Pc(hdd:D1 rcp1(dq)1iE)(Ef =rdy 2  f =sts2  d=d2  inv (p2 )=p2 ) / rdy2 .  +  / rec2 . sb(e2) E (t=rec2 )+ c2 (f1 ) (E (read=st1  eq(bit2 (f1 ) p2 )=rdy2  f =rec2  dat(f1 )=e2  inv(q2 )=q2 ) /rec2 ^eq(bit1(f1 ) inv(q2 )) . E (read=st1  eq(bit2 (f1 ) p2 )=rdy2 )) / eqdel (st1 ) . + i E (f =sts2 )+ (i E (del=st2) + i E (read=st2 )) / eqchoice (st2 ) . + c(hd2  p2  q2 i) E (t=sts2  hd2  p2  q2 i=f2  choice=st2) / eqread (st2 )^:sts2 .  0

TABLE 1. Properties of C , D and E

proc P F (rdy1  rec1  sts1  d1  e1  p1 q1  f1 st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 ) =

d:D ra(d) F (f =rdy1  f =sts1  d=d1  inv (p1 )=p1 ) / rdy1 .  +  / rec1 . sd(e1 ) F (t=rec1 )+ c4 (F (eq(bit2 (f2 ) p1 )=rdy1  f =rec1  dat(f2 )=e1 inv(q1 )=q1  read=st2 ) /rec1 ^eq(bit1 (f2 ) inv(q1 )) . F (eq(bit2 (f2 ) p1 )=rdy1  read=st2 )) / eqdel (st2 ) . + i F (f =sts1)+ i F (f =sts1 ) / ((:eq(p1  q2 )^rec2 )_(eq(p2  q1 )^:rdy2 ))^eqread(st1 )^sts1 . + (i F (del=st1) + i F (read=st1 )) / eqchoice(st1 ) . + Pc F (t=sts1  hd1  p1  q1 i=f1  choice=st1) / eqread (st1 )^:sts1 . + d:D rc(d) F (f =rdy2  f =sts2  d=d2  inv (p2 )=p2 ) / rdy2 .  +  / rec2 . sb(e2 ) F (t=rec2 )+ c2 (F (read=st1  eq(bit2(f1 ) p2 )=rdy2  f =rec2  dat(f1 )=e2 inv(q2 )=q2 ) /rec2 ^eq(bit1 (f1 ) inv(q2 )) . F (read=st1  eq(bit2(f1 ) p2 )=rdy2 )) / eqdel (st1 ) . + i F (f =sts2)+ i F (f =sts2 ) / ((:eq(p2  q1 )^rec1 )_(eq(p1  q2 )^:rdy1 ))^eqread(st2 )^sts2 . + (i F (del=st2) + i F (read=st2 )) / eqchoice(st2 ) . + c F (t=sts2  hd2  p2  q2 i=f2  choice=st2) / eqread (st2 )^:sts2 . 

TABLE 2. The denition of process F

The Computer Journal, Vol. 37, No. 4, 1994

7

8

M.A. Bezem and J.F. Groote,

We have the following three proof obligations: First we must show that X is convergent. Note that, due to the replacement of i 's by 's, this fact does not follow from the guardedness of the recursion equations dening E and F . Second, we must show that the term

rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 : fc c2 c4 i g (F (rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 )) satises the recursion equation of X , for all values of

the parameters satisfying the invariant. Third, we must show that the parameterised process BFC = rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1 

rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 : B (d1  if (rec2  d1  e2 ) det(rdy1 _eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq(p2  q1 ) rec1 )) /FC . B (d1  if (rec2  d1  e2 ) det(rdy1_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq(p2  q1 ) rec1 )) satises the recursion equation of X , for all values of

the parameters satisfying the invariant. The second point follows straightforwardly by applying the hiding axioms, without using the invariant. The rst and third point will be dealt with in the Appendices C and D.

8. FINAL CALCULATIONS

In this section we rst show how B and the bidirectional queue DQ are related. We use an auxiliary process R for this purpose. Then we collect all obtained results into the proof of Theorem 2.1 (=Theorem 8.2). Dene the following process proc R(d e n) =Q( 2) / eq(n 0) . + Q(in(e ) 2) / eq(n 1) . + Q(in(d in(e )) 2) / eq(n 2) . . Lemma 8.1 d1 d2 e1 d2 :D size1 size2:Nat fsd!sbg (R(d1  e2 size1)) k fra!rcg(R(d2  e1  size2)) = fig (B (d1  e2  size1 d2  e1  size2) For

all

,

,

,

and

,

we have

.

Proof We show that both sides of the equation satisfy the following guarded recursive specication. Y (d1  eP 2  size1  d2  e1  size2 ) = d:D ra(d) Y (d d 1 d2  e1  size2) Pd:D ra(d) Y (d e2 2 d2 e1 size/eq2) (size1 0) . + /eq(size1 1) . + sb(e2 ) Y (d1  d1  size1 ; 1 d2  e1  size2)

Pd:D rc(d) Y (d1 e2 size1 d d 1)/size1 > 0 . + Pd:D rc(d) Y (d1 e2 size1 d e1/eq2) (size2 0) . + /eq(size2 1) . + sd(e1 ) Y (d1  e2  size1 d2  d2  size2 ; 1) /size2 > 0 . . First we show that

d1  e2  size1 d2  e2 size2: fsd!sbg (R(d1  e2  size1)) k fra!rcg(R(d2  e1  size2)) satises the above specication of Y . The proof is in Table 4. It follows immediately with KFAR that

d1  e2  size1 d2  e1 size2:

fig (B (d1  e2  size1 d2  e1 size2))

also satises the specication of Y . Theorem 8.2 d1 d2 e1 e2 :D For all

,

,

,

and

2 p1 p2 :bit ,

it follows that

OSWP (d1  e1  d2  e2 p1  p2 ) = DQ(  2): Proof We collect all results that we have obtained until now (see Table 5). 2 Acknowledgements. The authors are partly supported by the Netherlands Computer Science Research Foundation (SION) with nancial support of the Netherlands Organization for Scientic Research (NWO).

REFERENCES 1] J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer Science 18. Cambridge University Press, 1990. 2] M.A. Bezem and J.F. Groote. Invariants in process algebra with data. Technical Report 98, Logic Group Preprint Series, Utrecht University, 1993. 3] J.J. Brunekreef. A formal specication of three sliding window protocols. Technical Report P9102, Programming Research Group, University of Amsterdam, 1991. 4] R.A. Groenveld. Verication of a sliding window protocol by means of process algebra. Report P8701, Programming Research Group, University of Amsterdam, 1987. 5] J.F. Groote. Process Algebra and Structured Operational Semantics. PhD thesis, University of Amsterdam, November 1991. 6] J.F. Groote and A. Ponse. The syntax and semantics of CRL. Technical Report CS-R9076, CWI, Amsterdam, December 1990. 7] J.F. Groote and A. Ponse. CRL: A base for analysing processes with data. In E. Best and G. Rozenberg, editors, Proceedings 3rd Workshop on Concurrency and Compositionality, Goslar, GMD-Studien Nr. 191, pages 125{130. Universitat Hildesheim, May 1991.

The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

X (rdy1P rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 ) = d:D ra(d) X (f =rdy1  f =sts1  d=d1  inv (p1 )=p1 ) / rdy1 .  +  / rec1 . sd(e1 ) X (t=rec1)+ (X (eq(bit2 (f2 ) p1 )=rdy1  f =rec1  dat(f2 )=e1  inv(q1 )=q1  read=st2 ) /rec1 ^eq(bit1(f2 ) inv(q1 )) . X (eq(bit2(f2 ) p1 )=rdy1  read=st2 )) / eqdel (st2 ) . + i X (f =sts1)+ X (f =sts1 ) / (:eq(p1  q2 )^rec2 )_(eq(p2  q1 )^:rdy2 )^eqread (st1 )^sts1 . + ( X (del=st1) + i X (read=st1)) / eqchoice (st1 ) . + 1  hd1  p1  q1 i=f1  choice=st1 ) / eqread (st1 )^:sts1 .  + PXd:(Dt=sts rc(d) X (f =rdy2  f =sts2  d=d2  inv(p2 )=p2 ) / rdy2 . +  / rec2 . sb(e2 ) X (t=rec2 )+ (X (read=st1  eq(bit2 (f1 ) p2 )=rdy2  f =rec2  dat(f1 )=e2  inv(q2 )=q2 ) /rec2 ^eq(bit1(f1 ) inv(q2 )) . X (read=st1 eq(bit2 (f1 ) p2 )=rdy2 )) / eqdel (st1 ) . + i X (f =sts2)+ X (f =sts2 ) / (:eq(p2  q1 )^rec1 )_(eq(p1  q2 )^:rdy1 )^eqread (st2 )^sts2 . + ( X (del=st2) + i X (read=st2)) / eqchoice (st2 ) . + X (t=sts2  hd2  p2  q2 i=f2  choice=st2) / eqread (st2 )^:sts2 . 

TABLE 3. The dening equation for the process X

Pfsd!sbg (R(d1  e2  size1)) k fra!rcg(R(d2  e1  size2)) = 2))) / eq (size1 0) .  + Pdd::DD rara((dd))((ffsdsd!!sbsbggQQ((inin((ddin)(e2)2 k))f ra2)!krcgf(raR!(drc2g (eR1(size d2  e1  size2)) / eq(size1 1) . + sd(e2 ) (fsd!sbg Q( 2)) k fra!rcg (R(d2  e1  size2))) / eq(size1 1) . + sd 2 ))) / eq (size1  2) .  + P(e2)ra((fdsd) !(sbfsdgQ!(sbing(Qd(1in ()d 2)))k2)fkra!frarc!g(rcRg((dR2(de12 size e  size / eq(size1 0) . + 1 Pdd::DD ra(d)(fsd!sbg Q(in(d in(e2 )) 2) k fra!rcg(R(d2 e21))) size 2)) / eq (size1  1) .  + sd(e2 ) (fsd!sbg Q( 2)) k fra!rcg (R(d2  e1  size2))) / eq(size1 1) . + 2 ))) / eq (size1  2) .  = Psd(de:D2)ra((fdsd) !(sbfsdgQ!(sbing((dR1(d)d 2))1))kkfrafra!!rcrcgg(R(R(d(d22 ee11 size size (size1 0) . + Pd:D ra(d)(fsd!sbg R(d e2 2)) k fra!rcg(R(d2 e1 size22)))))//eqeq(size 1  1) .  + sd ( e ) (  R ( d  d  size ; 1)) k  ( R ( d  e  size ))) / size 2 1 1 1 2 1 2 f sd ! sb g f ra ! rc g Pd:D ra(d) (fsd!sbg (R(d d 1)) k fra!rcg(R(d2 e1 size2))) / eq(size11 0)> .0)+. + P ra(d)(fsd!sbg R(d e2 2)) k fra!rcg(R(d2 e1 size2)) / eq(size1 1) . + d:D sd(e2 ) (fsd!sbg R(d1  d1  size1 ; 1)) k fra!rcg(R(d2  e1  size2))) / size1 > 0) . 

TABLE 4. Part of the proof of Lemma 8.1

The Computer Journal, Vol. 37, No. 4, 1994

9

10

M.A. Bezem and J.F. Groote,

DQ(  2) = fsd!sbg (Q( 2)) k fra!rcg (Q( 2)) = fsd!sbg (R(d1  d1  0)) k fra!rcg(R(d2  d2  0)) Lemma = 8:1 Lemma 7:1 fig (B (d1  d1  0 d2  d2  0)) = (since both FC and the invariant hold for the parameters of F ) fig ( fc c2 c4 i g (F (t t t d1  e1  p1  p2 hd1  p1  p2 i read t t t d2  e2  p2  p1  hd2  p2  p1 i read))) = fic c2 c4 i c2 c4 cg(F (t t t d1  e1  p1 p2  hd1  p1  p2 i read t t t d2  e2  p2  p1  hd2  p2  p1 i read)) = I (R (F (t t t d1  e1  p1  p2  hd1  p1  p2 i read t t t d2  e2  p2  p1  hd2  p2  p1 i read)) = I (E (t t t d1  e1  p1  p2  hd1  p1  p2 i read t t t d2  e2  p2  p1  hd2  p2  p1 i read)) = I (@H (R1 (@H (S (t t t d1  e1  p1  p2 ) k Tim k C (hd1  p1  p2 i read))) k R2 (@H (S (t t t d1  e1  p2 p1 ) k Tim k C (hd2  p2  p1 i read))))) Lemma = 3:1 I (@H (R1 (@H (S (t t t d1  e1  p1  p2 ) k Tim k C (fdum  read))) k R2 (@H (S (t t t d2  e2  p2 p1 ) k Tim k C (fdum  read))))) = OSWP (d1  e1  d2  e2  p1  p2 ). 0

0

0

0

TABLE 5. Proof of Theorem 8.2 8] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall International, Englewood Clis, 1985. 9] N.A. Lynch and M.R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing, pages 137{151, August 1987. A full version is available as MIT Technical Report MIT/LCS/TR-387. 10] R. Milner. Communication and Concurrency. Prentice-Hall International, Englewood Clis, 1989. 11] S. Owicki and D. Gries. An axiomatic proof technique for parallel programs. Acta Informatica, 6(4):319{340, 1976. 12] A.A. Schoone. Assertional Verication in Distributed Computing. PhD thesis, Utrecht University, 1991. 13] A.S. Tanenbaum. Computer networks. Prentice-Hall International, Englewood Clis, 1981. 14] F.W. Vaandrager. Verication of two communication protocols by means of process algebra. Report CSR8608, CWI, Amsterdam, 1986. 15] J.J. van Wamel. A study of a one bit sliding window protocol in ACP. In Proceedings of the Second Workshop on Protocol Verication, Mierlo, The Netherlands. Technische Universiteit Eindhoven, 1992.

APPENDIX A We list the axioms that we have used in the Tables 6 to 9. These are the axioms of CRL1 -algebras 2], together with some laws for true concurrency, the principle KFAR, Milner's rst and second -laws and some laws to handle data. Furthermore we have assumed the Recursive Denition Principle (RDP, every recursion equation has at least one solution) and the Recursive Specication Principle (RSP, every guarded recursion equation has at most one solution). The latter principle is also used in the form of CL-RSP from 2]. In the tables, x y z range over processes, a b are actions c d

represent either   or an action a(d), p q range over functions from data to processes, D is an arbitrary data type and d represents an element of D.

APPENDIX B Below we list the axioms dening the standard data types that we use. We start with the booleans, then dene the standard functions eq and if and end with the natural numbers and queues.

8.1. Booleans sort Bool func  :! Bool : : Bool ! Bool ^ : Bool  Bool ! Bool _ : Bool  Bool ! Bool var b : Bool rew : = t f

t

f

:f = t t^b = b f ^b = f t_b = t f _b = b

The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

A1 A2 A3 A4 A5 A6 A7

x+y =y+x x + (y + z ) = (x + y) + z x+x =x (x + y )  z = x  z + y  z (x  y)  z = x  (y  z ) x+ =x x =

T1 x  = x T2  x + x =  x

SUM1 SUM3 SUM4 SUM5 SUM11

d:D x = x p = p + p(d) d:D (p(d) + q(d)) = p + q d:D (p(d)  z ) = (p)  z (8d 2 D p(d) = q(d)) ! p = q

B1 B2 C1 C2

:(t = f ) :(b = t) ! b = f z / t . z0 = z z / f . z0 = z0

TABLE 6. Axioms for pCRL (pico CRL)

SUM6 SUM7 SUM8 SUM9 SUM10 CM1 CM2 CM3 CM4 CM5 CM6 CM7 CM8 CM9

8

d:D (p(d) k z ) = (p) k z < (a b)(d) if d = e and d:D (p(d)jz ) = (p)jz CF a(d)jb(e) = :

(a b) dened d:D (@H (p(d))) = @H (p)  otherwise d:D ( I (p(d))) = I (p) d:D (R (p(d))) = R (p) CD1 jx =  CD2 xj =  x k y = x k y + y k x + xjy CT1 jx =  ck x = c x CT2 xj =  c  x k y = c  (x k y ) (x + y) k z = x k z + y k z DD @H () =  c  xjd = (cjd)  x DT @H ( ) = cjd  x = (cjd)  x D1 @H (a(d)) = a if a 2= H c  xjd  y = (cjd)  (x k y) D2 @H (a(d)) =  if a 2 H (x + y)jz = xjz + yjz D3 @H (x + y) = @H (x) + @H (y) xj(y + z ) = xjy + xjz D4 @H (x  y) = @H (x)  @H (y)

TABLE 7.

TID TIT TI1 TI2 TI3 TI4

CRL axioms for the encapsulation operator and the merges

I ( ) =  I( ) = I (a(d)) = a(d) I (a(d)) = I (x + y ) = I (x) + I (y ) I (x  y ) = I (x)  I (y )

TABLE 8.

RD R () =  RT R ( ) = if a 2= I R1 R (a(d)) = R(a)(d) if a 2 I R3 R (x + y) = R (x) + R (y) R4 R (x  y) = R (x)  R (y)

CRL axioms for the hiding and renaming operators

The Computer Journal, Vol. 37, No. 4, 1994

11

12

M.A. Bezem and J.F. Groote,

8.2. The functions eq and if

For every data type we assume the functions eq and if available. The axioms that are listed here are essentially used in the expansions. Assume some arbitrary data type E . We have func eq : E  E ! Bool if : Bool  E  E ! E var d1  d2 : E rew if (t d1  d2 ) = d1 if (f  d1  d2 ) = d2 eq(d1  d1 ) = t if (eq(d1  d2 ) d1  d2 ) = d2 The following lemma is crucial in the verication Lemma 8.3 d1 d2 :D eq(d1  d2 ) = t $ d1 = d2 For all

,

we have that

.

8.3. Natural numbers First we specify some elementary sorts and functions. We use inx notation wherever we nd it convenient to do so. Moreover, we write n m for (n m) = t. Idem for , > and m = n S (m) n < m = S (n) m 1 = S (0) 2 = S (1)

8.4. The data type Queue sort queue func  :! queue in : D  queue ! queue size : queue ! nat

toe : queue ! D untoe : queue ! queue var d e : D b c : queue rew size() = 0 size(in(d b)) = S (size(b)) toe(in(d ) = d toe(in(d in(e b))) = toe(in(e b)) untoe() =  untoe(in(d )) =  untoe(in(d in(e b))) = in(d untoe(in(e b)))

APPENDIX C We start with an exhaustive list, in order of appearance, of the unguarded recursive calls of process X (rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 ) followed by the condition under which the call may take place. RC1 X (eq(bit2(f2 ) p1 )=rdy1  f =rec1  dat(f2 )=e1 inv(q1 )=q1  read=st2 ) rec1 ^eq(bit1 (f2 ) inv(q1 ))^eqdel (st2 ) RC2 X (eq(bit2(f2 ) p1 )=rdy1  read=st2 ) :(rec1 ^eq(bit1(f2 ) inv(q1 )))^eqdel (st2 ) RC3 X (f =sts1 ) (:eq(p1  q2 )^rec2 )_(eq(p2  q1 )^:rdy2 )^

eqread(st1 )^sts1

RC4 X (del=st1) eqchoice (st1 ) RC5 X (t=sts1 hd1  p1  q1 i=f1  choice=st1) eqread (st1 )^:sts1 RC6 X (read=st1  eq(bit2(f1 ) p2 )=rdy2  f =rec2  dat(f1 )=e2  inv(q2 )=q2 ) rec2 ^eq(bit1 (f1 ) inv(q2 ))^eqdel (st1 ) RC7 X (read=st1  eq(bit2(f1 ) p2 )=rdy2 )) :(rec2 ^eq(bit1(f1 ) inv(q2 )))^eqdel (st1 ) RC8 X (f =sts2 ) (:eq(p2  q1 )^rec1 )_(eq(p1  q2 )^:rdy1 )^

The Computer Journal, Vol. 37, No. 4, 1994

eqread(st2 )^sts2

13

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

RC9 X (del=st2) eqchoice (st2 ) RC10 X (t=sts2  hd2  p2  q2 i=f2  choice=st2) eqread (st2 )^:sts2 The conditional recursive calls RC1{10 dene a directed graph on the state space of X . If this graph does not contain an innite path, then a guarded recursive call must occur after a nite number of unguarded ones. Hence the convergence of X in the sense of 2] is equivalent to the well-foundedness of the graph.

'

RC4-

choice (st1 ) :sts1

eq

-

RC6,7

eq

read (st1 ) sts1

RC3 eq

?

read (st1 ) :sts1

RC6

&

$ % %

del (st1 ) :sts1

eq

RC5

RC7

?

choice (st1 ) sts1

eq

RC4

?

del ( 1 )

eq

st

 sts1

FIGURE 3. An abstraction of the graph dened by RC3{7

The proof of the well-foundedness of the graph is greatly simplied by the following decomposition. Observe that the parameters rdy1  rec1  q1  st2  sts2  f2 are aected only by the recursive calls RC1,2,8{10. Symmetrically, parameters rdy2  rec2  q2  st1  sts1  f1 are aected only by RC3{7. Observe furthermore that all other parameters either are not aected by any recursive call (the pi 's), or do not occur in any condition (the di 's, ei 's and dat(fi )'s). Unfortunately, these two sets of recursive calls are not completely independent of each other: q2 occurs in conditions of RC1,2,8{10, and, symmetrically, q1 in conditions of RC3{7. There is no other overlap. For a moment we restrict ourselves to the acyclicity of one component, or rather subgraph, namely the one dened by RC3{7. It is helpful to partition the state space in six classes determined by the pair (st1  sts1). In all classes but two (those with eqdel (st1 )) there is at most one recursive call possible. If eqread(st1 ) ^ sts1 then at most RC3 is possible, bringing us in the class eqread(st1 ) ^ :sts1 . Now only RC5 is possible, bringing us in the class eqchoice (st1 ) ^ sts1 . If eqchoice (st1 ), then RC4 brings us to eqdel (st1 ), in which

either RC6 or RC7 is possible, depending on the boolean rec2 ^eq (bit1 (f1 ) inv (q2 )). Here we have the possibility of a loop, since as well RC6 as RC7 brings us back to eqread (st1 ). The situation is depicted in the Figure 3. It should be remarked that this gure represents an abstraction of the graph on the state space. Transitions in the state space correspond by projection with transitions in the gure, but the cycles in the gure do not correspond to cycles or innite paths in the original graph. On the contrary: by taking the conditions into account the cycles in the gure are used to exclude innite paths in the original graph. Inspection of RC6 shows that the left loop in Figure 3 can occur only once: only in case rec2 , and after RC6, by f =rec2 , we have :rec2 for once and for all (no other recursive call aects rec2 ). By symmetry RC1 can also occur only once. Furthermore, RC5 is on both the left and the right loop in Figure 3. The right loop via RC7 is a bit more complicated. We rst make the following observation. After recursive call RC5, by hd1  p1  q1 i=f1 , we have eq(bit1(f1 ) p1 ) for once and for all. In this situation, the condition of RC7 implies :(rec2 ^eq(p1  inv(q2 ))). This means that in the condition of RC3 the disjunct (eq(p2  q1 )^:rdy2 ) must be true to enable this recursive call. However, by eq(bit2(f1 ) p2 )=rdy2 in RC7, looping would be prevented if eq(bit2(f1 ) q1 ). We are now in a position to complete our argument. Assume the original graph contains an innite path, say P . Then either innitely many recursive calls RC3{7, or innitely many recursive calls RC1,2,8{10 are executed along P . Let us assume innitely many calls RC3{7, as the other case is fully symmetric. Recall that RC1 is executed at most once. As RC5 has innitely many occurrences along P , we may choose an occurrence of RC5 after which no RC1 occurs in P . Since RC1 is the only call which aects q1 , q1 does not change after the abovementioned occurrence of RC5, and we have both eq(bit1(f1 ) p1 ) and eq(bit2(f1 ) q1 ) for once and for all. As also RC6 is executed at most once along P , we must encounter an occurrence of RC7 after the abovementioned occurrence of RC5. Now we arrive at a contradiction using the argument from the previous paragraph. It follows that the original graph cannot contain an innite path. There exists a function from the state space to natural numbers which decreases along the paths. This follows from the results above. Conversely, given such a function, it follows that the graph does not contain an innite path. We give such a function below. The reader can easily verify that it has the desired property. To nd such a function is not so easy. The function below is bounded by 28, which means that the graph does not contain any path longer than that. Let (x1  x2  x3  x3  x4  x4 )i abbreviate if (eqread (sti ) if (stsi  x1  x2 ) if (eqchoice (sti ) if (stsi  x3  x3 ) if (stsi  x4  x4 ))) 0

0

The Computer Journal, Vol. 37, No. 4, 1994

0

0

14

M.A. Bezem and J.F. Groote,

Dene g (rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1  rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 )

by

if (rec1  8 0)+ if (rec2  8 0)+ if (rec2 ^:eq(p1  q2 ) if (eq(bit1 (f1 ) p1 ) (4 3 2 5 1 4)1 (4 3 6 5 5 4)1) if (eq(bit2 (f1 ) q1 ) (if (:rdy2 ^eq(p2  q1 ) 4 0) 3 2 5 1 4)1 (4 3 6 5 5 4)1))+ if (rec1 ^:eq(p2  q1 ) if (eq(bit1 (f2 ) p2 ) (4 3 2 5 1 4)2 (4 3 6 5 5 4)2) if (eq(bit2 (f2 ) q2 ) (if (:rdy1 ^eq(p1  q2 ) 4 0) 3 2 5 1 4)2 (4 3 6 5 5 4)2))

APPENDIX D We must show that the term B

= rdy1  rec1  sts1  d1  e1  p1  q1  f1  st1 

rdy2  rec2  sts2  d2  e2  p2  q2  f2  st2 : B (d1  if (rec2  d1  e2 ) det(rdy1 _eq (p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) /FC .  B (d1  if (rec2  d1  e2 ) det(rdy1_eq (p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 ))

satises the recursion equation of X , for all values of the parameters satisfying the invariant. This fact is proven by distinguishing between the cases F C and :F C . Since   =  and a  = a for any action a, the case distinction between F C and :F C is irrelevant for calculating the right hand side of the equation, and shall therefore be ignored. First assume I (rdy1  d1  e2  p1  q2  f1  f2 ) and I (rdy2  d2  e1  p2  q1  f2  f1 ) and F C . The calculation is exhibited in Table 10 Inspection of the resulting term in Table 10 indeed shows that B matches the right hand side of the dening equation of X provided F C . Note that at () in Table 10 we use that F C and the invariant imply:

Now assume I (rdy1  d1  e2  p1  q2  f1  f2 ) and I (rdy2  d2  e1  p2  q1  f2  f1 ) and :F C . The expansion from Table 11 uses the auxiliary calculations from Tables 14,15 and 16. Recall that x  y if and only if x = y + z for some z . The rst summand of the right hand side of the equation in Table 11 can now be justied using the axiom  x =  x + x, which implies  x =  x + y for any x  y. Note that we used rdy1 $ ((rdy1 ^rec2 )_(rdy1 ^(:rec2 ))). The second summand is justied using the same technique and the calculation below the other summands are either trivial or follow by symmetry. The calculation proceeds by proving the right hand side of the equation in Table 11 equal to the term in Table 12, for which we use that :F C is equivalent to eqdel (st1 )_eqdel (st2 )_ eqchoice (st1 )_eqchoice (st2 )_ (eqread (st1 )^:sts1 )_(eqread (st2 )^:sts2 )_ (((:eq(p1  q2 )^rec2 )_(eq(p2  q1 )^:rdy2 ))^ eqread (st1 )^sts1 )_ (((:eq(p2  q1 )^rec1 )_ (eq(p1  q2 )^:rdy1 ))^eqread (st2 )^sts2 ) Finally we prove the terms from Tables 12 and 13 are equal, using that the invariant implies: eq (bit2 (f2 ) p1 )_eq (p1  q2 ) = rdy1 _eq (p1  q2 ). eq (bit1 (f2 ) inv (q1 )) ! :rdy2 ^:eq (p2  q1 ). eq (bit1 (f2 ) inv (q1 )) ! if (f  d2  dat(f2 )) = if (t d2  e1 ). eq (bit1 (f2 ) inv (q1 )) ! det(rdy2 _eq (p2  inv (q1 )) f ) = det(rdy2 _eq (p2  q1 ) t).

rdy1 = eq (p1  q2 ), rdy2 = eq (p2  q1 ), eq (det(rdy1  rec2 ) 1) = rdy1 ^:rec2 , eq (det(rdy2  rec1 ) 1) = rdy2 ^:rec1 .

Furthermore we use at () and below the following trivial consequences of the denition of det: det(rdy1  rec2 ) > 0 = :rec2 , det(rdy2  rec1 ) > 0 = :rec1 , det(rdy2  f ) ; 1 = det(rdy2  t), det(rdy1  f ) ; 1 = det(rdy1  t), eq (det(rdy1  rec2 ) 0) = rdy1 ^rec2 , eq (det(rdy2  rec1 ) 0) = rdy2 ^rec1 .

The Computer Journal, Vol. 37, No. 4, 1994

2

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

KFAR T+ R+

p(d) = i p(d) + y !  fig (p(d)) =  fig (y ) I (I 0 (x)) = I I 0 (x) I (R (x)) = I 0 (x) if R(I 0 ) I

SC1 SC3 SC4 SC5

(x k y) k z = x k (y k z ) xjy = y jx (xjy)jz = xj(yjz ) xj(y k z ) = (xjy ) k z )

TABLE 9. Some extra axioms needed in the verication

(

B d1  if

Pd D Pd D :

:

(

)

() (

Pd D Pd D :

:

ra d B d



d 

eq p  q

 rec

 rec

()

()

rc d

B d 

B d 

rec  d  e

rec  d  e

 det rdy

/det rdy  rec

rec  d  e

 det rdy

rec  d  e

() (

:

ra d B d if

:

ra d B d if

(

(

B d1  if

(t

rc d

:

rc d

B d1  if

(

/rdy2

() (

B d1  if

B d1  if

(

i B d1  if

(

(

 rec

 d d

 rec

 d

rec  d  e



. 

 rec

 rec

 d  d  det rdy

eq p  q

 rec

d 

eq p  q

 rec

)

(

)

(

_eq(p2 q1 ) rec1 ))

)

(

)

(

)

(

_eq(p2 q1 ) rec1 ))

(

rec1  d2  e1  det rdy2

rec1  d2  e1  det rdy2

_eq(p1 q2 ) t) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 ))

)

(

_eq(p1  p2 ) rec2 ) d if (rec1  d e1 ) det(f  rec1 ))

)

(

_eq(p1  q2 ) rec2 ) d if (rec1  d e1 ) det(f  rec1 ))

)

(

_eq(p1 q2 ) rec2 ) d2  if (t d2  e1 ) det(rdy2_eq(p2  q1 ) t))

(

_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 )) =

rec2  d1  e2  det rdy1 rec2  d1  e2  det rdy1

^:rec1 . +

rec2  d1  e2  det rdy1

)

 rec

(

:rec1 . +

/

eq p  q

)

^rec1 . +

(

/rdy2

( ) (

sd e1

eq p  q

 d1  e2  det rdy1

() (

:



eq p  q

 det rdy

^:rec2 . +

)

 det rdy

. 

^rec2 . +

:rec2 . +

/

 rec

. 

rec2  d e2  det f  rec2  d2  if

/rdy1

( ) (



rec2  d e2  det f  rec2  d2  if

/rdy1

() (

>

eq p  q

rec  d  e

eq p  q

 rec

 det rdy

. 

eq p  q

 det rdy

 rec

. 

d 

 rec

eq p  q



>

 det rdy

eq p  q

/eq det rdy

B d1 

(

rec  d  e

/eq det rdy

eq p  q

. 

rec  d  e

eq p  q

rc d



 rec

eq p  q

(

P

rec  d  e

 det rdy

 rec

/det rdy

i B d1  if

Pd D Pd D

eq p  q

/eq det rdy

( ) (

sb e2

rec  d  e

B d1  d  det rdy

sd e1

Pd D Pd D

d 

/eq det rdy1

()

_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 )) =

1 2 if ( 1 2 1 ) ( 2_ ( 2 1 ) 1 )) ( ( _ ( 1 2 ) 2 ) 0) + ( if ( 2 1 2 ) 2 2 if ( 1 2 1 ) ( 2_ ( 2 1 ) 1 )) ( ( 1_ ( 1 2 ) 2 ) 1) + ( 1_ ( 1 2 ) 2 ) ; 1 2 if ( 1 2 1 ) ( 2_ ( 2 1 ) 1 )) 1 ( 1_ ( 1 2) 2) 0 + ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) 1) ( ( 2_ ( 2 1 ) 1 ) 0) + ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) if ( 1 2 1 ) 2) ( ( 2_ ( 2 1 ) 1 ) 1) + if ( ( 1_ ( 1 2 ) 2 ) 2 2 ( 2_ ( 2 1 ) 1 ) ; 1) 2 1 2) ( 2 1) 0 + ( 1_ ( 1 2 ) 2 ) 2 2 1 2) if ( ( 2_ ( 2 1 ) 1 )) =( ) 1 2 1)

ra d B d d

( ) (

sb e2

(

rec2  d1  e2  det rdy1

rec2  d1  e2  det rdy1

d:D ra(d) B (d if (rec2  d e2 ) det(f _eq(inv (p1 ) q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 ))

+ 1 ( ) ( 1 if (t 1 2 ) ( 1_ ( 1 2 ) t) 2 if ( 1 2 1 ) ( 2_ ( 2 1 ) 1 ))+ d:D ( ) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) if ( 1 1 ) (f _ ( ( 2 ) 1 ) 1 )) + 2 ( 1 ) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) 2 if (t 2 1 ) ( 2_ ( 2 1 ) t))+ 1 ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) 2 if ( 1 2 1 ) ( 2_ ( 2 1 ) 1 )).

P

/rdy

 / rec2 . sb e2 rc d

B d 

/rdy

 / rec

iB d 

. sd e

. 

B d 

 det rdy

 det rdy

eq p  q

eq p  q



d 

 rec

 d

rec  d  e

rec  d e

 det rdy  det

eq p  q

eq inv p

 rec

q

 rec

. 

B d 

rec  d  e

d e

rec  d  e

rec  d  e

 det rdy

 det rdy

eq p  q

 rec

eq p  q d 

 rec

d 

rec  d  e

d e

 det rdy

 det rdy

eq p  q

TABLE 10. Calculation in the case FC The Computer Journal, Vol. 37, No. 4, 1994

eq p  q

 rec



15

16

M.A. Bezem and J.F. Groote,

(

 B d1  if

Pd D

(

)

(

rec2  d1  e2  det rdy1

( 2 2) ( _ ( ( 1) ( 1 2 1) ( 2_ ( 2 ( 1) ( 1 if ( 2 1 2 ) ( 1_ 1 ( 2_ ( 2 1 ) ))+ 2 2 ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) Pd:D ( ) ( 21 ifif (( 12 21 12)) (( 21__ (( 21 if ( ( _ ( ( 2) 1 1) ( 2 ) ( 1 1 ( 1_ ( 1 2 ) ) 2 ( 2_ ( 2 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 2 if ( 1 2 1) :

() (

_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 )) =

ra d B d if

 / rec

. sd e

 det f

rec  d e

d2  if

rec  d  e

B d 

rec  d  e

d  d  det rdy

 B d 

rec  d  e

rc d

)

 rec



))+ ) 1 ))

)

))+

)

))+

)

)) =(

B d 

rec  d  e

 det rdy

eq p  q2  rec2 

rec  d e

 det f

B d  d  det rdy

rec  d  e

rec  d  e d 

rec  d  e

 det rdy

rec  d  e

 det rdy

rec  d  e

)

) ) 1)

eq p  q1  rec1

. sb e

/ rdy1 . 

+

t

eq p  q

 det rdy

d 

iB d 

(

eq p1  q2  rec2 

rec  d  e

d 

 B d 

) ))

d 

d

 / rec

eq p  q1  rec1

 det rdy

eq p  q

 det rdy

) )

 q2  rec2 

eq inv p

 det rdy

eq inv p

eq p  q

 det rdy

eq p  q

 det rdy eq p  q

 det rdy

q

t 

 rec

eq p  q1  rec1

 rec



eq p  q1  rec1

 rec



eq p  q1  rec1

/ rdy2 . 

+

)

TABLE 11. First expansion of B in the case :FC

The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

Pd D

( 2 2) ( _ ( ( 1) 2) 2) ( 1 2 1 ) ( 2_ ( 2 1 ) 1 )) + 1 ( 1 ) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) 1 ( 2_ ( 2 1 ) ))+ 2 2 ( ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) 2 if ( 1 2 1) ( 1 )) 1^ ( 1( 2) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 ))) del ( 1 ) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 ))+ 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) 2 if ( 1 2 1) ((: ( 1 2 )^ 2 )_( ( 2 1 )^: 2 ))^ read( 1 )^ 1 ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) choice ( 1) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) choice ( 1) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) Pd:D ( ) ( 21 ifif (( 12 21 12)) (( 21__ (( 21 12)) 12))) read( 1)^: if ( ( 2 ) 1 ) 1 )) + 1 1) _ ( 1 ( 2) ( 1 1 ( 1_ ( 1 2) ) 2 ( 2_ ( 2 1 ) 1 ))+ 2 if ( 1 2 1) ( ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) 2 if ( 1 2 1) ( 2 )) 2^ ( 1( 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 ))) del ( 2 ) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 ))+ 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1 ( 1 2 ) 2 ) ( 2 ( 2 1 ) 1 )) 2 if ( 1 2 1) ((: ( 2 1 )^ 1 )_( ( 1 2 )^: 1 ))^ read ( 2 )^ 2 + ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) choice ( 2) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) choice ( 2) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 )) read ( 2 )^: 2 if ( 1 2 1) :

() (

ra d B d if

 / rec

. sd e

 det f

rec  d e

d2  if

rec  d  e

B d 

rec  d  e

d  d  det rdy



B d 

rec  d  e d 

/rec

rec  d  e

B d 

rec  d  e

d 

rec  d  e

/

 B d 

eq p  q

rec  d  e d 

iB d 

rec  d  e

rec  d  e d 

 B d 

rec  d  e

eq p  q

 rec

eq

rdy

 rec

eq p  q

 rec

rec  d  e

rec  d  e

eq p  q

 rec

eq inv p

rec  d  e

rec

rec  d  e d 

rec  d  e d 

rec  d  e d 

 det rdy

 inv q

/ eq

st

. 

 rec

/ eq

st

. 

 det rdy

 rec

 det rdy

. 

 rec

eq p  q

 det rdy eq p  q

 det rdy eq p  q eq

 rec

rec  d  e

+

 det rdy eq p  q

 det rdy

eq p  q

 det rdy

 rec



 rec

/ eq

st

. 

+



rdy

 det rdy

sts1 . 

st

 rec

eq p  q

eq p  q

rec  d  e

/ eq



/ rdy

eq p  q

eq p  q

 det rdy

+



eq p  q

 det rdy

rec  d  e

+

.

eq p  q

rec  d  e

rec  d  e

 rec

 det rdy

rec  d  e

+

t 

 rec

 det rdy

rec  d  e

+



eq p  q

eq p  q

rec  d  e

d 

d 

f

q

eq p  q

 det rdy

 det rdy

eq bit

rec  d  e

eq p  q

f

. 

 rec

 rec

rec  d e

sts



 rec

B d  d   det rdy

st



eq p  q

 B d 

 B d 

eq p  q

. 

 rec

eq p  q

d 

iB d 

 det rdy

st



 det rdy

B d 

/

eq p  q

 rec

 det rdy

d 

 B d 

eq p  q

/ eq



rec  d  e

/rec

iB d 

 det rdy



 rec

rec  d  e

. sb e

B d 

 rec

 rec

d 

d 



eq p  q

eq p  q

eq p  q

 det rdy

. 



 rec

B d  d

 / rec

 det rdy

rec  d  e

rc d

 det rdy

 det rdy

/ rdy

 rec



eq p  q

 det rdy

eq p  q

rec



.

eq p  q

 det rdy

 rec

 det rdy

rec  d  e

rec  d  e

eq p  q

eq p  q

 det rdy

rec  d  e

d 

 B d 

 rec

t

 det rdy

 inv q

 det rdy

 rec

eq p  q

rec  d  e

d 

iB d 

f

q

eq p  q

 det rdy

eq p  q

 det rdy

eq bit

eq inv p

 det rdy

st

sts

. 



 rec

/ eq

st

. 

 rec

/ eq

st

. 

 rec

/ eq



eq p  q

 rec



 rec

eq p  q

 rec

 rec

 rec

+ +



eq p  q

st

sts2 . 

=(

TABLE 12. Further calculation using :FC

The Computer Journal, Vol. 37, No. 4, 1994

)

17

18

M.A. Bezem and J.F. Groote,

Pd D

( 2 2) ( _ ( ( 1) 2) 2) ( 1 2 1) ( 2_ ( 2 1) 1) + 1 ( 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) 1 ( 2_ ( 2 1 ) ))+ 2 if ( 2 1) ( ( 1 if ( 2 1 2 ) ( ( 2( 2 ) 1 )_ ( 1 2 )) 2 ) ( 2 )) ( 2 _ ( 2 ( 1 )) )) 2 if ( 2 ( 1 )) 1^ ( 1( 2) ( 1 if ( 2 1 2 ) ( ( 2( 2 ) 1 )_ ( 1 2 ) 2 ) ( 2_ ( 2 1 ) 1 ))) 2 if ( 1 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 ))+ 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) 2 if ( 1 2 1) ((: ( 1 2 )^ 2 )_( ( 2 1 )^: 2 )) + ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) choice ( 1 ) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) choice ( 1 ) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) Pd:D ( ) ( 21 ifif (( 12 21 12)) (( 22__ (( 21 12)) 12))) read( 1)^: + ( _ ( ( 2 ) 1 ) 1 )) 2 if ( 1 1) 2 ( 2 ) ( 1 if ( 1 2 ) ( 1_ ( 1 2 ) ) 2 ( 2 _ ( 2 1 ) 1 ))+ 2 if ( 1 2 1) ( ( 1 if ( 1 ( 1 )) ( 1_ ( 1 ( 2 )) ) ( ( 2 ( 1 ) 2 )_ ( 2 1 )) 1 )) 2 if ( 1 2 1) ( 2 )) 2^ ( 1( 1) ( 1 if ( 2 1 if ( 2 1 2 )) ( 1_ ( 1 2 ) 2 ) ( ( 2( 1 ) 2 )_ ( 2 1 ) 1 )) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 ))+ 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) 2 if ( 1 2 1) ((: ( 2 1 )^ 1 )_( ( 1 2 )^: 1 )) + ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) choice ( 2 ) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) choice ( 2 ) 2 if ( 1 2 1) ( 1 if ( 2 1 2 ) ( 1_ ( 1 2 ) 2 ) ( 2 _ ( 2 1 ) 1 )) read ( 2 )^: 2 if ( 1 2 1) :

() (

ra d B d if

 / rec

. sd e

B d 

rec  d  e

B d 

rec  d  e

eq bit

/rec

B d 

rec  d  e d 

 B d 

 B d 

rec  d  e d 

iB d 

d 

/ eq

st

. 

eq p  q

 rec

 rec

/ eq

st

. 

 rec

 rec

 det f

rec  d e

t d  e

B d 

rec  d  e

f  d  dat f

rec  d  e

 det eq bit

d 

 det rdy

 det rdy

rec  d  e

eq p  q

rec  d  e d 

d 

d 

 det rdy

rec  d  e

 det rdy

 det rdy

rec  d  e

eq p  q

eq p  q

rec  d  e

/ eq

st

sts1 . 

+



 rec

/ rdy

. 

t 

 rec

f 

p

eq p  q

 rec

 det rdy f

 rec

eq p  q

 rec

eq p  q

 det rdy

eq p  q

 rec

 rec



del (st1 ) .  +

/ eq

 rec



eq p  q

 rec

rdy

. 



 rec

eq p  q

 rec

eq p  q

p



eq p  q

 det rdy

 det rdy

rec  d  e

eq p  q

rec

 det rdy

rec  d  e

 det eq bit

eq p  q

rec  d  e

f

+

.

rec  d  e

rec  d  e

 det rdy

rec  d  e

eq p  q

eq p  inv q

 inv q

rec  d 

rec  d  e

/

f

q

eq p  q

 det rdy

 det rdy

eq bit

eq inv p

 det rdy

+



eq p  q

d 

 B d 

 rec



eq p  q

d 

iB d 

eq p  q

 rec

 det rdy

B d 

 B d 

. 



 det rdy

d 

 B d 

 rec

rec  d  e

/rec

iB d 

 rec

rdy

rec  d  e

. sb e

B d 

eq p  q

del (st2 ) . +

/ eq

 rec

eq p  q

 det rdy



 rec



d 

d 



eq p  q

 rec

eq p  q



eq p  q

 det rdy

eq p  q

B d  d 

 / rec

p

eq p  q

eq p  q

 det rdy

f

 rec

 det rdy

rec

rec  d  e

rec  d  e

rc d

eq p  q

 det rdy



f

 det rdy

 rec

 det rdy

rec  d  e

rec  d  e

 B d 

eq p  q

 det rdy

. 



.

rec  d  e

eq p  q

 rec

eq p  inv q

rec  d 

 det rdy

/ rdy

 rec

t

eq p  q

 det eq bit

rec  d  e

/

p



eq p  q

eq p  q

f

 inv q

rec  d  e

d 

 rec

 det rdy

 det rdy

rec  d  e

 rec

rec  d  e

d 

iB d 

f

q

eq p  q

 det rdy

 det rdy

 det eq bit

f  d  dat f

d 

eq inv p

 det rdy

rec  d  e

t d  e

d 



 det f

rec  d e

d2  if

 rec

/ eq

st

. 

 rec

/ eq

st

. 

 rec

/ eq



eq p  q

 rec

+ +



eq p  q

st

sts2 . 

TABLE 13. Further calculations using the invariant

P(d D Pd D Pd D P dD Pd D

_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 ))  ) ( _eq(p2 q1 ) rec1 )) /eq (det(rdy1 _eq (p1  q2 ) rec2 ) 0) .  = ra(d) B (d if (rec2  d e2 ) 1 d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) /(rdy1 _eq (p1  q2 ))^rec2 ) .   ra(d) B (d if (rec2  d e2 ) 1 d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) /rdy1 ^rec2 .  = ra(d) B (d if (rec2  d e2 ) det(f  t) d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) /rdy1 ^rec2 .  = (since rdy1 ! :eq (inv (p1 ) q2 ) by the invariant) ra(d) B (d if (rec2  d e2 ) det(f _eq (inv (p1 ) q2 )) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) / rdy1 ^rec2 .  .

B d1  if

: :

:

:

:

( 2 1 2) () ( 1 rec  d  e

ra d

B d d

(

 det rdy1

 d2  if

(

rec1  d2  e1  det rdy2

TABLE 14. Auxiliary calculation 1 The Computer Journal, Vol. 37, No. 4, 1994

A Correctness Proof of a One-bit Sliding Window Protocol in CRL

P( dD Pd D Pd D Pd D P

_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 ))  ) 2 d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 )) : /eq (det(rdy1 _eq (p1  q2 ) rec2 ) 1) .   : ra(d) B (d if (rec2  d1  e2 ) 2 d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) /eq (det(rdy1 _eq (p1  q2 ) rec2 ) 1)^:rec2 .  = ra(d) B (d if (rec2  d e2 ) 2 d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) : /(rdy1 _eq (p1  q2 ))^:rec2 .   : ra(d) B (d if (rec2  d e2 ) 2 d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) y /rdy1 ^:rec2 .  = d:D ra(d) B (d if (rec2  d e2 ) det(f _eq(inv(p1 ) q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2 _eq (p2  q1 ) rec1 )) /rdy1 ^:rec2 .  .

B d1  if

( 2 1 2) () ( (

(

 det rdy1

rec  d  e

ra d B d if

rec2  d1  e2 

TABLE 15. Auxiliary calculation 2

_eq(p1  q2 ) rec2 ) d2  if (rec1  d2  e1 ) det(rdy2_eq(p2  q1 ) rec1 ))  ( _eq(p1 q2 ) rec2 ) d2  d2  det(rdy2_eq(p2  q1 ) rec1 )) ; 1) /det(rdy2 _eq (p2  q1 ) rec1 )) > 0 .  = sd(e1 ) B (d1  if (rec2  d1  e2 ) det(rdy1 _eq (p1  q2 ) rec2 ) d2  d2  det(rdy2 _eq (p2  q1 ) rec1 )) ; 1) /:(rdy2 _eq (p2  q1 ))_:rec1 .   sd(e1 ) B (d1  if (rec2  d1  e2 ) det(rdy1 _eq (p1  q2 ) rec2 ) d2  d2  det(rdy2 _eq (p2  q1 ) rec1 )) ; 1) /:rec1 .  =  / rec1 . sd(e1 ) B (d1  if (rec2  d1  e2 ) det(rdy1 _eq (p1  q2 ) rec2 ) d2  d2  det(rdy2 _eq (p2  q1 ) t)).

( ( ( ) (

B d1  if

sd e1

)

(

rec2  d1  e2  det rdy1

B d1  if

(

)

rec2  d1  e2  det rdy1

TABLE 16. Auxiliary calculation 3

The Computer Journal, Vol. 37, No. 4, 1994

19