

A Comparison of Spin and the muCRL Toolset on HAVi Leader Election Protocol

Y.S. Usenko

Software Engineering (SEN)

SEN-R9917 July 31, 1999

Report SEN-R9917 ISSN 1386-369X

CWI P.O. Box 94079 1090 GB Amsterdam The Netherlands

CWI is the National Research Institute for Mathematics and Computer Science. CWI is part of the Stichting Mathematisch Centrum (SMC), the Dutch foundation for promotion of mathematics and computer science and their applications.

SMC is sponsored by the Netherlands Organization for Scientific Research (NWO). CWI is a member of ERCIM, the European Research Consortium for Informatics and Mathematics.

Copyright © Stichting Mathematisch Centrum P.O. Box 94079, 1090 GB Amsterdam (NL) Kruislaan 413, 1098 SJ Amsterdam (NL) Telephone +31 20 592 9333 Telefax +31 20 592 4199

# A Comparison of Spin and the $\mu$ CRL Toolset on HAVi Leader Election Protocol

Y.S. Usenko
Yaroslav.Usenko@cwi.nl
CWI, P.O. Box 94079, 1090 GB Amsterdam, The Netherlands

#### **ABSTRACT**

This paper describes an attempt to compare two toolsets allowing generation of finite labeled transition systems from underlying concurrent specification languages. The comparison is done on a specification of the leader election protocol from Home Audio/Video interoperability (HAVi) architecture. Some important semantical differences of PROMELA and  $\mu$ CRL are identified, that lead to big differences in size of the state spaces generated for equivalent specifications.

1991 Mathematics Subject Classification: 68Q22; 68Q45; 68Q60 1991 ACM Computing Classification System: D.1.3; D.2.4; D.2.8

Keywords and Phrases:  $\mu$ CRL, SPIN, Tool Comparison, State Space Generation, Specification, Deadlock

Checking.

Note: Work carried out under project SEN 2.1 Process Specification and Analysis.

#### 1. Introduction

With current state of the art in software verification a lot of the analysis methods are based on finite labeled transition systems (FLTS). There is a number of tools to manipulate with them, to check different kind of equivalences and preorder, to find deadlocks, to check modal and temporal properties, to minimize in different ways, etc. Therefore one of the major topics that remains for verification tools supporting concurrent languages is how fast can they generate FLTS, and how large these FLTS are.

It appears that for many completely different concurrent languages FLTS can be generated to describe behavior of specifications. Although not for any specification a FLTS can be generated, it is desirable to be able to do so in cases when it is possible. In this paper we consider two toolsets that allow state space generation—one for algebraic concurrent language  $\mu$ CRL [6], and one for imperative concurrent language PROMELA; and try to compare the state spaces generated by them.

The  $\mu$ CRL toolset [4] has been developed at CWI to support formal reasoning about systems specified in  $\mu$ CRL. It is based on term rewriting and linearization techniques. At the moment it allows to generate state spaces, search for deadlocks, do some optimization for  $\mu$ CRL specifications and simulate them. Spin [8] is one of the fastest and widely used tools for protocol verification. It allows formal analysis of PROMELA specifications, generation of state spaces, and searching for deadlocks.

To make a comparison we consider the leader election protocol from Home Audio/Video interoperability (HAVi) Architecture [7]. Previously this protocol has been specified in PROMELA and LOTOS, and analyzed formally [10]. Here we take a more abstract definition of the protocol to keep the specification relatively simple and free of many implementation details.

The structure of this paper is as follows. First we describe the leader election protocol informally (Section 2). Then we present the specification in  $\mu$ CRL (Section 3) and some details about its

translation to Spin (Section 4). We conclude with results of state space generation by the tools (Section 5). We assume a basic familiarity of the reader with  $\mu$ CRL and PROMELA. Subsection 3.1 contains an overview of  $\mu$ CRL syntax that can also be found for instance in [5]. For more systematic and available introduction to  $\mu$ CRL see [3]. For systematic treatment of ACP style process algebra, which is the basis of  $\mu$ CRL see [1, 2].

## 2. Informal Description

The informal description of the protocol appears on pages 160-162 of [7]. The system consists of a number of Device Control Module Managers (DCMM). Each DCMM process has its own input buffer from which it gets incoming messages. All processes communicate with the Bus process and the Env process representing the environment. In [7] the bus is specified as IEEE P1394 Standard for a "High Performance Serial Bus" (FireWire). There is a formal specification of the Link Layer of IEEE P1394 Standard in  $\mu$ CRL[9]. We do not use this specification because of the complexity reasons. The processes and synchronous communications are presented on Figure 1.



Figure 1: Processes and Communications in the System.

Each DCMM process has its unique ID number by which it can be addressed. The environment may flip (switch on or off) DCMM processes. The Bus observes such changes in the network communicating with the DCMM process that was flipped. It informs all working DCMM processes about changes in the network communicating with their buffers. As the result, the buffers become empty, and deliver the network reset to the corresponding DCMM processes.

The leader election is performed in the following way. After receiving a

NetworkReset(nst) message, a DCMM process has the status information about the network from parameter nst. This status information says which processes are "on" within the network. Each DCMM process uses function il(N, nst) to determine the ID of the initial leader. By comparing this ID with its own ID, the DCMM knows if it is an initial leader or an initial follower. In the former case it behaves as follows.

3. Specification in  $\mu$ CRL

• From each initial follower m it awaits DMCapabilityDeclaration(m, URL) message, from which it knows if the process m has URL capability.

- It uses function f(N, nst, URLs) to determine the ID of the final leader.
- It sends DMLeaderDeclaration(m, fl, URLs) message to each initial follower m. The final leader is the last one to which this message is sent.
- Finally, it communicates with process Env by leader action.

Initial follower m shall behave as follows.

- It keeps sending DMCapabilityDeclaration(m, URL) message to the initial leader until it gets DMLeaderDeclaration(m, fl, URLs) from it.
- Finally, it communicates with process Env by leader action.

After electing a leader DCMM processes inform the environment about the results of the election.

At any moment of the election any DCMM process may be flipped, or it may receive a NetworkReset message. In case a DCMM process was switched on, it awaits for a NetworkReset message. In case of receiving a NetworkReset message it restarts the election procedure. The DCMM processes ignore any unexpected messages. The goal of the election procedure is to elect a final leader. This means that when no network resets occur any more, then each DCMM process will eventually get information about the final leader. And this information is the same for each DCMM process.

## 3. Specification in $\mu$ CRL

The complete  $\mu$ CRL specification can be found in Appendix A. The language appears to be suitable for such kind of specification. The specification could be much shorter if there were libraries of standard data types available. The introduction of generic data types might be useful for this, but it introduces technical problems associated with rewriting. Emulation of generic data types using preprocessor might be considered as an alternative approach. The language allows to improve the specification in several ways, but the current tool support (the linearizer), either does not handle this features or produces results of much bigger complexity.

#### 3.1 Overview of syntax

Starting from a set Act of actions that can be parameterized with data, processes are defined by means of guarded recursive equations and the following operators.

First, there is a constant  $\delta$  ( $\delta \notin Act$ ) that cannot perform any action and is called deadlock or inaction.

Next, there are the sequential composition operator  $\cdot$  and the alternative composition operator +. The process  $x \cdot y$  first behaves as x and if x successfully terminates continues to behave as y. The process x + y can either do an action of x and continue to behave as x or do an action of y and continue to behave as y.

Interleaving parallelism is modeled by the operator  $\|$ . The process  $x \| y$  is the result of interleaving actions of x and y, except that actions from x and y may also synchronize to a communication action, when this is explicitly allowed by a communication function. This is a partial, commutative and associative function  $\gamma: \mathsf{Act} \times \mathsf{Act} \to \mathsf{Act}$  that describes how actions can communicate; parameterized actions a(d) and b(d') communicate to  $\gamma(a,b)(d)$ , provided d=d'. A specification of a process typically contains a specification of a communication function.

To enforce that actions in processes x and y synchronize, we can prevent actions from happening on their own, using the encapsulation operator  $\partial_H$ . The process  $\partial_H(x)$  can perform all actions of x

except that actions in the set H are blocked. So, assuming  $\gamma(a,b) = c$ , in  $\partial_{\{a,b\}}(x \parallel y)$  the actions a and b are forced to synchronize to c.

We assume the existence of a special action  $\tau$  ( $\tau \notin \mathsf{Act}$ ) that is internal and cannot be directly observed. The hiding operator  $\tau_I$  renames the actions in the set I to  $\tau$ . By hiding all internal communications of a process only the external actions remain.

The following two operators combine data with processes. The sum operator  $\sum_{d:D} p(d)$  describes the process that can execute the process p(d) for some value d selected from the sort D. The conditional operator  $\_ \lhd \_ \rhd \_$  describes the *then-if-else*. The process  $x \lhd b \rhd y$  (where b is a boolean) has the behavior of x if b is true and the behavior of y if b is false.

We apply the convention that  $\cdot$  binds stronger than  $\sum$ , followed by  $\neg \triangleleft \neg \triangleright \neg$ , the parallel operators, and + binds weakest.

#### 3.2 Data Types

The sorts  $\mathbb{B}$  and  $\mathbb{N}$  represent booleans and natural numbers respectively. Sort **ABI** is a boolean array with natural indices. It is implemented by keeping the list of indices of elements that are true in ascending order. Sorts *Message* and *Status* are described below. Finally there is an implementation of FIFO queues for *Message* as sort *Queue*. It is used in Buffer process definition.

#### 3.2.1 Constants

The initial parameters of the protocol are defined as constants. The value of nB determines the capacity of the buffers. We have to limit the capacity, because otherwise the state space may become infinite. The value of initNDCMM is the number of DCMM processes in the system. The value of initNst is the boolean array of size initNDCMM representing the initial network status (which processes are "on" initially). The value of initURLs contains the information on URL capabilities of the DCMM processes. The function il is defined as the minimal ID of a process that is "on". The function fl is the minimal ID of a URL capable process that is on, or the minimal ID of a process that is "on" if all of the URL capable processes are off.

```
map
   nB:\to \mathbb{N}
   initNDCMM:\rightarrow \mathbb{N}
   initNst : \rightarrow \mathbf{ABI}
   initURLs : \rightarrow \mathbf{ABI}
rew
   nB = 2
   initNDCMM = 3
   initNst = seton(0_0, 0)
   initURLs = seton(0\_0, 1)
map
   il: \mathbb{N} \times \mathbf{ABI} \to \mathbb{N}
   fl: \mathbb{N} \times \mathbf{ABI} \times \mathbf{ABI} \to \mathbb{N}
var
   N:\mathbb{N}
   nst, URLs: ABI
   il(N, nst) = if(eq(nst, 0_0), 0, min_on(nst))
   fl(N, nst, URLs) = if(eq(nst, 0_0), 0,
         if(eq(URLs, 0.0), min\_on(nst), min\_on(URLs)))
```

3. Specification in  $\mu$ CRL 5

#### 3.2.2 Messages

The sort *Message* is used to define all messages DCMM processes can receive. The use of abstract data types allows us to define messages having different parameters. However, if we had more types of messages, the definition of the equality predicate *eq* would be much more complex.

```
\begin{array}{l} \textbf{sort} \ \textit{Message} \\ \textbf{func} \\ \textit{NetworkReset} : \textbf{ABI} \rightarrow \textit{Message} \\ \textit{DMCapabilityDeclaration} : \mathbb{N} \times \mathbb{B} \rightarrow \textit{Message} \\ \textit{DMLeaderDeclaration} : \mathbb{N} \times \textbf{ABI} \rightarrow \textit{Message} \\ \textbf{map} \\ \textit{eq} : \textit{Message} \times \textit{Message} \rightarrow \mathbb{B} \end{array}
```

#### **3.2.3** Status

Sort Status is a simple enumerated type to represent statuses in which a DCMM process can be. We could use different  $\mu$ CRL processes for each status, but in this case the two alternatives that are enabled in each status would be repeated in each such process. This could be avoided if we had a disrupt mechanism in  $\mu$ CRL. The drawback of such an approach of having just one process is that we have a lot of parameters in each recursive call, most of which are not used in that status of the DCMM process.

The definition of sort Status is a common way to represent enumerated types in  $\mu$ CRL. One could also use the sort  $\mathbb{N}$  directly and the constructors INIT, etc., as maps to the corresponding naturals. However, such an approach leads to rewriting of the symbolic information to natural numbers, decreasing the readability of the output generated by the tools.

```
sort Status func INIT, LE, LEIF, LEIL, LEILS, AOS, AO : \rightarrow Status map n: Status \rightarrow \mathbb{N} eq: Status \times Status \rightarrow \mathbb{B} rew n(INIT) = 0 \ n(LE) = 1 \ n(LEIF) = 2 \ n(LEIL) = 3 \ n(LEILS) = 4 \ n(AOS) = 5 \ n(AO) = 6 var a,b: Status rew eq(a,b) = eq(n(a),n(b))
```

#### 3.3 Actions and Communication Function

The following actions are used in the specification. The names of the actions have the following intuition. The actions with underscores correspond to "send" actions, the actions without underscores – to "read" actions, and the actions with double underscores – to "communicate" actions. The communication function is defined according to this intuition.

```
comm
                                                                                    _flip
                                                                                             |flip_on
                                                                                                            = __flip
act
   _flip, flip_on, flip_off, __flip
                                                  : N
                                                                                             |flip_off
                                                                                                            = __flip
                                                                                    _flip
   _on, _off, on, off, __on, __off
                                                  : \mathbb{N}
                                                                                             on
                                                                                                            = __on
                                                                                     _on
   _send, send, _rcv, rcv, __send, __rcv
                                                 : \mathbb{N} \times Message
                                                                                     _off
                                                                                             off
                                                                                                            = __off
                                                  : \mathbb{N} \times \mathbf{ABI}
   _reset, reset, __reset
                                                                                   _send
                                                                                             send
                                                                                                            = __send
   _reset_off, reset_off, __reset_off
                                                  : №
                                                                                             rcv
                                                                                    _rcv
                                                                                                            = __rcv
                                                  : \mathbb{N} \times \mathbb{N}
   _leader
                                                                                             reset
                                                                                  _reset
                                                                                                            = __reset
                                                                              _reset_off
                                                                                             |reset_off
                                                                                                            = __reset_off
```

#### 3.4 Processes

#### 3.4.1 DCMM Process

The parameters of the process have the following meaning: St is the status of the process; URL is true if it has URL capabilities; n is the ID of the process; N is the total number of processes in the system, nst is the current network status; wait is the array of processes from which a message is awaited, or the array of processes to which a message still has to be sent; URLs is the array of URL capabilities of other processes, collected by the process; il and fl are the initial and final leader IDs respectively; and  $am\_on$  is true iff the process is on.

```
\begin{split} \mathsf{DCMM}(St:Status,\mathit{URL}:\mathbb{B},n:\mathbb{N},N:\mathbb{N},\mathit{nst}:\mathbf{ABI},\\ \mathit{wait}:\mathbf{ABI},\mathit{URLs}:\mathbf{ABI},\mathit{il}:\mathbb{N},\mathit{fl}:\mathbb{N},\mathit{am\_on}:\mathbb{B}) = \end{split}
```

The following alternatives are enabled in any status of the DCMM process. It can be switched on, if it was off. In this case it communicates with Bus process by on action, and it's status becomes INIT. If the DCMM process is on, it can receive a NetworkReset(nst1) message and change it's status to LE. Or it can be flipped off, communicate with Bus process by off, and change it's status to INIT.

```
\begin{split} & \operatorname{flip\_on}(n) \cdot \operatorname{\_on}(n) \cdot \operatorname{DCMM}(\mathit{INIT}, \mathit{URL}, n, N, 0\_0, 0\_0, 0\_0, 0, 0, \mathbf{t}) \lhd \neg \mathit{am\_on} \rhd \delta \\ & + \\ & \sum_{nst1: \mathbf{ABI}} \operatorname{rcv}(n, \mathit{NetworkReset}(nst1)) \cdot \\ & \operatorname{DCMM}(\mathit{LE}, \mathit{URL}, n, N, nst1, 0\_0, 0\_0, 0, 0, \mathbf{t}) \lhd \mathit{am\_on} \rhd \delta \\ & + \\ & \operatorname{flip\_off}(n) \cdot \operatorname{\_off}(n) \cdot \operatorname{DCMM}(\mathit{INIT}, \mathit{URL}, n, N, 0\_0, 0\_0, 0, 0, \mathbf{t}) \lhd \mathit{am\_on} \rhd \delta \\ & + \\ \end{split}
```

If the status of the DCMM process is LE, the following alternatives may be enabled. In case the DCMM process is the only process in the network that is "on", it declares itself to be the final leader, informs the environment about it, and goes to autonomous operation. In case the DCMM process is not the initial leader, it sends its capabilities to the initial leader, and its status becomes LEIF. In case when none of the two above applies, the DCMM process can receive capability declaration from a process m and then, depending on whether it still has to wait for messages from another processes, its status becomes either LEIL or LEILS. Finally, the DCMM process ignores any leader declaration messages in this status.

```
 \begin{array}{l} (\quad \mathsf{Lleader}(n,n) \cdot \\ \quad \mathsf{DCMM}(AO,\mathit{URL},n,N,\mathit{nst},0\_0,\mathit{upd}(0\_0,n,\mathit{URL}),0,n,\mathbf{t}) \lhd n\_\mathit{on}(\mathit{nst}) = 1 \rhd \delta \\ + \\ \quad \mathsf{\_send}(\mathit{il}(N,\mathit{nst}),\mathit{DMCapabilityDeclaration}(n,\mathit{URL})) \cdot \\ \quad \mathsf{DCMM}(\mathit{LEIF},\mathit{URL},n,N,\mathit{nst},0\_0,0\_0,\mathit{il}(N,\mathit{nst}),0,\mathbf{t}) \lhd \mathit{il}(N,\mathit{nst}) \neq n \rhd \delta \\ + \\ \quad (\sum_{m:\mathbb{N}} \sum_{d:\mathbb{B}} \\ \quad \mathsf{rcv}(n,\mathit{DMCapabilityDeclaration}(m,d)) \cdot \end{array}
```

3. Specification in  $\mu$ CRL 7

```
\begin{split} \mathsf{DCMM}(LEILS, \mathit{URL}, n, N, \mathit{nst}, \mathit{setoff}(\mathit{nst}, n), \mathit{upd}(\mathit{upd}(0 \cdot 0), n, \mathit{URL}), m, d), \\ &0, \mathit{fl}(N, \mathit{nst}, \mathit{upd}(\mathit{upd}(\mathit{nst}, n, \mathit{URL}), m, d)), \mathbf{t}) \\ &\lhd \mathit{n\_on}(\mathit{nst}) = 2 \rhd \\ &\mathsf{rcv}(n, \mathit{DMCapabilityDeclaration}(m, d)) \cdot \\ &\mathsf{DCMM}(\mathit{LEIL}, \mathit{URL}, n, N, \mathit{nst}, \mathit{setoff}(\mathit{setoff}(\mathit{nst}, n), m), \\ &\mathit{upd}(\mathit{upd}(0 \cdot 0, n, \mathit{URL}), m, d), 0, 0, \mathbf{t}) \\ ) \lhd \mathit{il}(N, \mathit{nst}) = \mathit{n} \land \mathit{n\_on}(\mathit{nst}) \neq 1 \rhd \delta \\ &+ \\ &(\sum_{m:\mathbb{N}} \sum_{\mathit{URLs1:ABI}} \mathsf{rcv}(\mathit{n}, \mathit{DMLeaderDeclaration}(m, \mathit{URLs1}))) \cdot \\ &\mathsf{DCMM}(\mathit{LE}, \mathit{URL}, \mathit{n}, N, \mathit{nst}, 0 \cdot 0, 0, 0, 0, \mathbf{t}) \\ ) \lhd \mathit{St} = \mathit{LE} \rhd \delta \end{split}
```

If the status of the DCMM process is *LEIF* it behaves as an initial follower. It can send its capabilities to the initial leader. It can receive a leader declaration. And it ignores any capability declaration messages in this status.

If the status of the DCMM process is LEIL, it behaves as initial leader. It can receive a capability declaration from process m and then, depending on if this was the last message it was waiting for, its status becomes LEIL or LEILS. The DCMM process ignores any leader declarations in this state.

```
\begin{split} (\sum_{m:\mathbb{N}} \sum_{d:\mathbb{B}} & \operatorname{rcv}(n, DMCapabilityDeclaration(m, d)) \cdot \\ & \operatorname{DCMM}(LEILS, \mathit{URL}, n, N, \mathit{nst}, \mathit{setoff}(\mathit{nst}, n), \mathit{upd}(\mathit{URLs}, m, d), \\ & 0, \mathit{fl}(N, \mathit{nst}, \mathit{upd}(\mathit{URLs}, m, d)), \mathbf{t}) \\ & \lhd n\_\mathit{on}(\mathit{wait}) = 1 \land \mathit{wait}[m] \rhd \\ & \operatorname{rcv}(n, \mathit{DMCapabilityDeclaration}(m, d)) \cdot \\ & \operatorname{DCMM}(\mathit{LEIL}, \mathit{URL}, n, N, \mathit{nst}, \mathit{setoff}(\mathit{wait}, m), \mathit{upd}(\mathit{URLs}, m, d), 0, 0, \mathbf{t}) \\ & + \\ & (\sum_{m:\mathbb{N}} \sum_{\mathit{URLs1:ABI}} \operatorname{rcv}(n, \mathit{DMLeaderDeclaration}(m, \mathit{URLs1}))) \cdot \\ & \operatorname{DCMM}(\mathit{LEIL}, \mathit{URL}, n, N, \mathit{nst}, \mathit{wait}, \mathit{URLs}, 0, 0, \mathbf{t}) \\ ) \lhd \mathit{St} = \mathit{LEIL} \rhd \delta \\ & + \end{split}
```

If the status of the DCMM process is LEILS, it informs initial followers about the final leader. If the final leader has to be informed, it is informed the last. Any message is ignored by the process in this state. After informing the last initial follower, the status of the process becomes AOS.

If the status of the DCMM process is AOS, it informs the environment about the result of the election, and its status becomes AO. If the status of the DCMM process is AO, it performs a  $\tau$  loop. This is an abstraction of autonomous behavior of the process.

```
\begin{split} & \mathsf{Lleader}(n, \mathit{ft}) \cdot \mathsf{DCMM}(AO, \mathit{URL}, n, N, \mathit{nst}, 0\_0, \mathit{URLs}, 0, \mathit{ft}, \mathbf{t}) \lhd \mathit{St} = \mathit{AOS} \rhd \delta \\ & + \\ & \tau \cdot \mathsf{DCMM}(AO, \mathit{URL}, n, N, \mathit{nst}, 0\_0, \mathit{URLs}, 0, \mathit{ft}, \mathbf{t}) \lhd \mathit{St} = \mathit{AO} \rhd \delta \end{split}
```

#### 3.4.2 Environment

In  $\mu$ CRL it is not necessary to specify the environment explicitly. The reactive system is described by its interaction with the environment. Everything else within the system may be abstracted from. However, for verification or testing purposes some assumptions about the environment have to be made. This can be done by specifying the assumed environment as a process, and putting it in parallel with the system.

In our particular case, the environment may flip DCMM processes in the system, any number of times, and then stop. But it cannot stop when all of the DCMM are "off".

```
\begin{split} &\mathsf{Env}(N:\mathbb{N}, nst: \mathbf{ABI}) = \sum_{m:\mathbb{N}} \\ & (\quad \mathsf{\_flip}(\mathsf{m}) \cdot \mathsf{Env}(N, reverse(nst, m)) \\ & + \mathsf{\_flip}(\mathsf{m}) \cdot \delta \lhd n\_on(reverse(nst, m)) > 0 \rhd \delta \\ &) \lhd N > m \rhd \delta \end{split}
```

#### 3.4.3 Bus

The bus can observe changes in the network configuration and inform the active processes about these changes. It is specified with the help of two processes. Process Bus can communicate with a DCMM process by action on or off to observe that a process was flipped. Process Bus1 is used to reset buffers of all active processes in no particular order.

```
\begin{split} & \operatorname{Bus}(N:\mathbb{N}, nstat: \mathbf{ABI}) = \\ & \sum_{m:\mathbb{N}} \operatorname{on}(m) \cdot \operatorname{Bus1}(N, seton(nstat, m), seton(nstat, m)) \\ + \\ & \sum_{m:\mathbb{N}} \operatorname{off}(m) \cdot \operatorname{\_reset\_off}(m) \cdot \\ & (\operatorname{Bus}(N, setoff(nstat, m)) \lhd n \operatorname{\_on}(nstat) = 1 \rhd \\ & \operatorname{Bus1}(N, setoff(nstat, m), setoff(nstat, m))) \\ & \operatorname{Bus1}(N:\mathbb{N}, nstat: \mathbf{ABI}, wait: \mathbf{ABI}) = \\ & \sum_{m:\mathbb{N}} \operatorname{\_reset}(m, nstat) \cdot (\operatorname{Bus}(N, nstat) \lhd n \operatorname{\_on}(wait) = 1 \rhd \\ & \operatorname{Bus1}(N, nstat, setoff(wait, m))) \lhd wait[m] \rhd \delta \end{split}
```

4. Translation to PROMELA 9

#### **3.4.4** Buffer

Process Buffer is a FIFO queue of capacity nB that can be reset in two different ways. It can receive a message if it is not full, or send a message if it is not empty. It can communicate with the Bus by action reset or reset\_off. In the first case it clears its message queue, and puts the network reset message in it. In the second case it just clears the queue.

```
\begin{split} & \mathsf{Buffer}(N:\mathbb{N},n:\mathbb{N},q:QMes) = \\ & \quad (\sum_{mes:Message} \mathsf{send}(n,mes) \cdot \mathsf{Buffer}(N,n,add(q,mes))) \lhd nB > size(q) \rhd \delta \\ & + \\ & \quad \mathsf{\_rcv}(n,first(q)) \cdot \mathsf{Buffer}(N,n,remfirst(q)) \lhd \neg is \_empty(q) \rhd \delta \\ & + \\ & \quad \sum_{nst1:\mathbf{ABI}} \mathsf{reset}(n,nst1) \cdot \mathsf{Buffer}(N,n,add(\langle \rangle,NetworkReset(nst1))) \\ & + \\ & \quad \mathsf{reset\_off}(n) \cdot \mathsf{Buffer}(N,n,\langle \rangle) \end{split}
```

#### 3.5 System

The whole system consists of several processes in parallel. First three pairs of DCMM and Buffer processes are composed. Then they are merged together, and merged with the Bus process. Finally the Env is merged to the system.

```
\begin{split} \mathsf{SYSTEMDCMM}(N:\mathbb{N}, nstat: \mathbf{ABI}, \mathit{URLs}: \mathbf{ABI}) = \\ & \partial_{\{\mathit{flip},\mathit{flip\_on},\mathit{flip\_on}\mathit{flip\_off}\}}(\\ & \tau_{\{\mathit{\_on},\mathit{\_off},\mathit{\_reset\_,reset\_off}\}} \circ \partial_{\{\mathit{\_on},\mathit{on},\mathit{\_off},\mathit{off},\mathit{\_reset},\mathit{\_reset\_,off},\mathit{reset\_,off}\}}(\\ & \tau_{\{\mathit{\_send}\}} \circ \partial_{\{\mathit{\_send},\mathit{send}\}}(\\ & \tau_{\{\mathit{\_rev}\}} \circ \partial_{\{\mathit{\_rev},\mathit{rev}\}}(\\ & \mathsf{DCMM}(\mathit{INIT}, \mathit{URLs}[0], 0, N, 0\_0, 0\_0, 0\_0, 0, 0, nstat[0]) \parallel \mathsf{Buffer}(N, 0, \langle \rangle))\\ & \parallel \tau_{\{\mathit{\_rev}\}} \circ \partial_{\{\mathit{\_rev},\mathit{rev}\}}(\\ & \mathsf{DCMM}(\mathit{INIT}, \mathit{URLs}[1], 1, N, 0\_0, 0\_0, 0\_0, 0, nstat[1]) \parallel \mathsf{Buffer}(N, 1, \langle \rangle))\\ & \parallel \tau_{\{\mathit{\_rev}\}} \circ \partial_{\{\mathit{\_rev},\mathit{rev}\}}(\\ & \mathsf{DCMM}(\mathit{INIT}, \mathit{URLs}[2], 2, N, 0\_0, 0\_0, 0\_0, 0, nstat[2]) \parallel \mathsf{Buffer}(N, 2, \langle \rangle))\\ & ) \parallel \mathsf{Bus}(N, nstat)\\ & ) \parallel \mathsf{Env}(N, nstat)\\ & ) \parallel \mathsf{Env}(N, nstat)\\ & ) \end{split}
```

The system is initialized in the following way. init SYSTEMDCMM(initNDCMM, initNst, initURLs)

# 4. Translation to PROMELA

PROMELA – the underlying language of SPIN is a C-like imperative concurrent nondeterministic language. It has no explicit parallel operator, but has a process creation mechanism. Communication can happen via explicitly defined channels. It may be either synchronous or asynchronous. It is possible to pass data values during the communication. There are loops and goto statements. Nondeterminism is modeled by the following construction:

```
if
:: <alternative 1>
:: <alternative 2>
...
:: <alternative n>
fi
```

If an alternative starts with a blocking statement then it is disabled. The blocking statements are send and read statements in cases when synchronous communication is not possible, and any expressions with value 0. Each process may have local variables. Shared variables are also allowed. To minimize state space and interleavings special constructions like atomic{<block>} and d\_step{<block>} are allowed. Atomic sequences do not interleave with other processes executions. Sequences within d\_step are considered to be one statement. No transfers of control to or from, as well as communications are allowed within d\_step. The source code of the PROMELA specification can be found in Appendix B. We tried to do the translation preserving the semantics as close as possible. Some of the crucial details of the translation are described below.

#### 4.1 Abstract Data Types

There is no support for specifying abstract data types in PROMELA. There is built-in support for arrays, structures and enumerated data types though. Operations on data types can be encoded as macro definitions or inline functions. Computations may be done within atomic or d\_step blocks, that allow to consider long deterministic computations as one step.

#### 4.2 Conditions and Nondeterminism

The semantics of PROMELA conditional operator is slightly different from semantics of conditions in  $\mu$ CRL. In PROMELA conditions are statements and represent transitions to another states by their execution. In  $\mu$ CRL conditions are of a different kind than actions. They do not represent transitions to another state, but conditions under which such transitions are possible.

Therefore we cannot just translate  $\mu$ CRL expression of the form

```
\begin{split} \mathsf{X}(d) &= \mathsf{\_a}(d) \cdot \mathsf{X}(d) \lhd d < 5 \rhd \delta + \\ \mathsf{\_b}(d) \cdot \mathsf{X}(d) \lhd d < 7 \rhd \delta \text{ to} \end{split} \begin{split} \mathsf{X}: \\ &\text{if} \\ &:: \ \mathsf{d} < 5 \ \text{->} \ \mathsf{a!d}; \ \mathsf{goto} \ \mathsf{X}; \\ &:: \ \mathsf{d} < 7 \ \text{->} \ \mathsf{b!d}; \ \mathsf{goto} \ \mathsf{X}; \\ &\text{fi}; \end{split}
```

because we get different semantic behavior. For instance, if d < 5 and there is another process Y willing to communicate with our process via channel b, then one of the possible executions in SPIN leads to a deadlock. Namely, when condition d < 5 is evaluated to true, and process X is waiting for communication via a, while Y is waiting for communication via b. In  $\mu$ CRL no execution leads to a deadlock in this case. So the semantically sound translation in this case could be:

In general case to make a correct translation we need first to make all conditions in each state of  $\mu$ CRL process disjoint. Disjointness means that at most one condition can be true for any parameter values. It is always possible to make all conditions disjoint in  $\mu$ CRL, however instead of n conditions in the original process we may get up to  $2^n-1$  conditions. In the worst case instead of one state with n conditions in  $\mu$ CRL we get an equivalent process in PROMELA with  $2^n$  different states.

5. State Space Generation 11

#### 4.3 Parameterized Nondeterminism and Value-Passing Communication

In value-passing communication of  $\mu$ CRL read and send actions are dual. This is due to commutativity of communication function  $\gamma$ . The value-passing mechanism is based on matching parameter values:  $\mathbf{a}(e_1)|\mathbf{b}(e_2)=\gamma(\mathbf{a},\mathbf{b})(e_1)$  if  $eq(e_1,e_2)$ . That is why both read and send actions can be parameterized by arbitrary expressions. In PROMELA value-passing communication is done differently. Send statement  $\mathbf{a}!e_1$  means that the value of  $e_1$  is put to the channel  $\mathbf{a}$ . Read statement  $\mathbf{a}?m$  means that a value is read from channel  $\mathbf{a}$  and assigned to variable m.

Another problem of translation is non-bounded and parameterized nondeterminism possible in  $\mu$ CRL. Consider the following process equation.

 $\mathsf{X}(d:N) = \sum_{n:N} \mathsf{a}(n,d) \cdot \mathsf{X}(g(n,d)) \lhd n \leq d \rhd \delta$  Here the set of possible alternatives depends on the value of d. Assuming that  $\mathsf{a}$  is not a read action, we can translate this process equation to PROMELA in the following way:

```
X:
    n=0;
TEMP:
    if
    :: n<=d -> a!n,d; atomic{d_step{g(n,d)}; goto X;}
    :: n<d -> atomic{n=n+1; goto TEMP}
    fi
```

In this case we again have increase of state space which is linear in the number of alternatives in a state of the  $\mu$ CRL process.

For the case with read action a the translation is performed in the following way:  $X(d:D) = \sum_{n:N} \mathsf{a}(n,d) \cdot \mathsf{X}(g(n,d)) \lhd b(d) \rhd \delta$ 

```
X:
b(d) -> a[d]?n; atomic{d_step{g(n,d)}; goto X}
```

Here we assume that a is an array of channels indexed by elements of D. If D is an infinite set, we cannot define such an array in PROMELA. The corresponding send action should also look as a[d]!e, not as a!d, e.

We can only transform equations where predicate b does not depend on n. This is due to the fact that it is not possible to analyze the value to be read from a channel before actually reading it. We can achieve similar to  $\mu$ CRL matching in communication by using arrays of channels. But this can only be done for bounded set of values. If we want to pass values from unbounded domains we need to use the original value passing mechanism of PROMELA.

# 5. State Space Generation

Spin and  $\mu$ CRL toolset were used to generate the entire state spaces and search for deadlocks for specifications in PROMELA and  $\mu$ CRL respectively. Unfortunately it is not possible to get the state transition system as an output of Spin. Therefore it is not possible to compare the generated state spaces. The following results were obtained by considering systems with two or three DCMM processes and different buffer sizes. State spaces for four DCMM processes was not possible to generate by either toolset. In case with three DCMM processes we could not get the state space analyzed by Spin. The results of state space generation are presented in Table 1.

The command line arguments for both tools are given in Table 2. The parameter <depth> was 30000 for systems with 2 DCMMs, and 50000000 for 3 DCMMs.

From this we can conclude that Spin generates states faster, but the resulting transition system has more states. The results shown above cannot be interpreted as a direct comparison of state space

Table 1: Results of state space generation.

|         | Spin                        | $\mu { m CRL}$             |
|---------|-----------------------------|----------------------------|
| 2 DCMMs | states: 128,807             | states: 3,842              |
| Buffer  | transitions: 187,343        | transitions: 13,460        |
| size 2  | elapsed time: 15.5s         | elapsed time: 14.6s        |
|         | actual memory used          | total memory used: 6.8Mb   |
|         | for states: 8.6Mb           |                            |
|         | total actual memory         |                            |
|         | used: 4.2Mb                 |                            |
| 2 DCMMs | states: 208,223             | states: 7,292              |
| Buffer  | transitions: 301,598        | transitions: 26,048        |
| size 5  | elapsed time: 29,2s         | elapsed time: 24.9s        |
|         | actual memory used          | total memory used: 7.1Mb   |
|         | for states: 12.2Mb          |                            |
|         | total actual memory         |                            |
|         | used: 6.9Mb                 |                            |
| 3 DCMMs | states: >47,291,200         | states: 3,136,289          |
| Buffer  | transitions: $>78,622,800$  | transitions: 18,248,754    |
| size 2  | elapsed time: >8h:04m:22.6s | elapsed time: 5h:49m:24.2s |
|         | actual memory used          | total memory used: 155Mb   |
|         | for states: $>1,665.1$ Mb   |                            |
|         | total actual memory         |                            |
|         | used: $>5,621.3$ Mb         |                            |

Table 2: Command line arguments.

| Spin                        | $\mu \mathrm{CRL}$                            |
|-----------------------------|-----------------------------------------------|
| \$ spin -av HAVi.spin       | <pre>\$ mcrl -regular -tbfile HAVI.mcrl</pre> |
| \$ cc -64 -w -o pan         | \$ instantiator -i HAVi.mcrl                  |
| -D_POSIX_SOURCE-DMEMCNT=35  |                                               |
| -DSAFETY -DXUSAFE -DNOFAIR  |                                               |
| -DCOLLAPSE -g pan.c         |                                               |
| \$ ./pan -m <depth></depth> |                                               |

generation capabilities of Spin and  $\mu$ CRL toolset due to the differences in the underlying languages. However, the PROMELA specification was optimized to use many of its features that do not exist in  $\mu$ CRL. Some of such features were not deployed for several reasons. The unless statement has unclear semantics when used in combination with synchronous communication. An attempt to use channels with nonzero capacity as storage instead of arrays lead to 250% increase of the state space. The trick to use 3 channels instead of 1 to achieve conditional synchronous communication was not tried, and will be tried in the future.

The results may look misleading due to the fact that the PROMELA code was derived from  $\mu$ CRL code instead of being written directly from the informal description. However, a native PROMELA specification of the same protocol was analyzed in [10]. The model is quite different, as it employs most of the PROMELA communication primitives, but the sizes of state spaces were comparable to the ones presented here.

It is also quite difficult to analyze the correspondence between the two specifications presented here. Possibly a better comparison could be achieved using much smaller protocols available in the literature. However, the choice for HAVi leader election protocol was due to the fact that it is a

protocol some industrial groups are interested in now, and are going to use it in the future.

## Acknowledgments

Thanks go to Dragan Boshnachki and Judi Romijn for carefully reading and commenting on PROMELA specification and the rest of the paper, as well as to Jan Bergstra, Jan Friso Groote and Andre van Delft for helpful discussions.

#### References

- J.C.M. Baeten and C. Verhoef. Concrete process algebra. In S. Abramsky, D. Gabbay, and T.S.E. Maibaum, editors, *Handbook of Logic in Computer Science*, Vol 4, chapter 2. Oxford University Press, 1994.
- [2] J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer Science 18, Cambridge University Press, 1990.
- [3] Jan Friso Groote. The syntax and semantics of timed  $\mu$ CRL. Technical Report SEN-R9709, CWI, Amsterdam, June 1997.
- [4] Jan Friso Groote and Bert Lisser. Tutorial and reference guide for the  $\mu$ CRL toolset version 1.0. Technical report, CWI, 1999. To appear, available from URL http://www.cwi.nl/~mcrl/mutool.html.
- [5] J.F. Groote, F. Monin, and J. Springintveld. A computer checked algebraic verification of a distributed summation algorithm. Technical Report 97-14, Dept. of Mathematics and Computing Science, October 1997.
- [6] J.F. Groote and A. Ponse. The syntax and semantics of μCRL. In A. Ponse, C. Verhoef, and S.F.M. van Vlijmen, editors, Algebra of Communicating Processes 1994, pages 26–62. Workshop in Computing Series, Springer-Verlag, 1995.
- [7] Grundig, Hitachi, Matsushita, Philips, Sharp, Sony, Thomson, Toshiba. Specification of the Home Audio/Video Interoperability (HAVi) Architecture, November 19 1998. Version 1.0 beta. Available from URL http://www.havi.org/.
- [8] G.J. Holzmann. The model checker SPIN. *IEEE Transactions on Software Engineering*, 23(5):279–295, May 1997.
- [9] Bas Luttik. Description and formal specification of the link layer of P1394. In Ignac Lovrek, editor, *Proceedings of the 2nd International Workshop on Applied Formal Methods in System Design*. University of Zagreb, Croatia, June 18-19 1997.
- [10] J.M.T. Romijn. Model checking the HAVi leader election protocol. Technical Report SEN-R9915, CWI, Amsterdam, 1999.

# A. $\mu$ CRL Source<sup>1</sup>

```
Constants, Parameters
 \bar{3}
    4
    \mathtt{map}
 5
       nB:->NAT
                            \% Limit for Buffer capasity
 6
       init.NDCMM:->NAT
                            \% Initial Number of processes
       initNst:->ABI
                            % Initial Network status
 8
                            % Initial URL processes status
       initURLs:->ABI
 9
10
       nB=2
\frac{11}{12}
       initNDCMM=3
       initNst=seton(0_0,0)
13
       initURLs=seton(0_0,1)
14
\frac{15}{16}
      il: NAT#ABI->NAT
      fl: NAT#ABI#ABI->NAT
17
    var
18
19
20
21
22
23
24
25
26
27
28
29
30
      N: NAT
      nst, URLs: ABI
      il(N,nst)=if(eq(nst,0_0),0,min_on(nst))
                                                %Minimal on
      fl(N,nst,URLs)=if(eq(nst,0_0),0,
                                                %Minimal URL on or minimal
                       if(eq(URLs,0_0),min_on(nst), %on if there is no URL.
                        min_on(URLs)))
    \frac{31}{32}
     T,F: -> Bool
    map
\frac{33}{34}
     and: Bool#Bool
      or: Bool#Bool
35
36
     if: Bool#Bool#Bool -> Bool
37
     eq: Bool#Bool
38
    var
39
     b,b1,b2: Bool
40
    rew
41
     and(T,b)=b
                    and(b,T)=b
\frac{12}{43}
      and(b,F)=F
                    and(F,b)=F
      or(T,b)=T
                    or(b,T)=T
44
      or(b,F)=b
                    or(F,b)=b
45
     not(F)=T
                    not(T)=F
46
      if(T,b1,b2)=b1
                    if(F,b1,b2)=b2
47
                    eq(F,T)=F
      eq(F,F)=T
      eq(T,F)=F
                    eq(T,T)=T
49
50
    51
52
    53
54
55
    sort NAT
    func
      0:
                -> NAT
56
            NAT -> NAT
      x2p1:
57
      _x2p0: NAT -> NAT
58
59
     x2p0:
            NAT
                       -> NAT
\tilde{60}
            NAT#NAT
                       -> Bool
      eq:
61
      1,2,3,4,5,6:
                       -> NAT
6\overline{2}
      succ:
            NAT
                       -> NAT
6\overline{3}
            NAT#NAT
      gt:
                       -> Bool
64
            Bool#NAT#NAT -> NAT
      if:
65
    var
66
     n,m: NAT
67
    rew
      x2p0(0)=0
68
69
      x2p0(x2p1(n))=x2p0(x2p1(n))
      x2p0(_x2p0(n))=_x2p0(_x2p0(n))
```

 $<sup>^{1}</sup>$ Note that the source code can also be obtained from http://www.cwi.nl/~ysu/sources/HAVi or by contacting the author.

A. µCRL Source<sup>1</sup>

```
71
72
73
74
75
76
77
78
81
82
83
84
85
87
88
           eq(0,0)=T
          eq(x2p1(n),0)=F
          eq(0,x2p1(n))=F
          eq(_x2p0(n),0)=F
           eq(0, x2p0(n))=F
           eq(x2p1(n), x2p0(m))=F
           eq(_x2p0(n),x2p1(m))=F
          eq(_x2p0(n),_x2p0(m))=eq(n,m)
          eq(x2p1(n),x2p1(m))=eq(n,m)
          1=x2p1(0) 2=_x2p0(1)
           3=x2p1(1) 4=_x2p0(2)
          5=x2p1(2) 6=_x2p0(3)
          succ(0)=x2p1(0)
          succ(x2p1(n))=x2p0(succ(n))
           succ(x2p0(n))=x2p1(n)
 89
90
           gt(0,n)=F gt(x2p1(n),0)=T gt(_x2p0(n),0)=T
 91
92
93
94
95
           \mathtt{gt}(\mathtt{x2p1}(\mathtt{n})\,\mathtt{,\_x2p0}(\mathtt{m}))\mathtt{=}\mathtt{not}(\mathtt{gt}(\mathtt{m},\mathtt{n}))
          gt(_x2p0(n),x2p1(m))=gt(n,m)
          gt(x2p1(n),x2p1(m))=gt(n,m)
 96
          gt(_x2p0(n),_x2p0(m))=gt(n,m)
 97
 98
           if(T,n,m)=n if(F,n,m)=m
99
100
        101
                  ABI (Bool array with NAT indices)
102
        103
        sort ABI
104
105
              0_0
                                        ->ABI
106
                       : ABI#NAT
              add
                                        ->ABI
107
        map
108
                       : ABI#NAT
                                        ->ABI
              rem
109
              upd
                       : ABI# NAT#Bool->ABI
110
              n_on
                      : ABI
                                        ->NAT
111
              min_on : ABI
                                        ->NAT
112
              setoff : ABI#NAT
                                        ->ABI
113
              seton : ABI#NAT
                                        ->ABI
114
              reverse: ABI#NAT
                                        ->ABI
                      : ABI#NAT
                                        ->Bool
              acc
116
                       : ABI#ABI
                                        ->Bool
              eq
117
              if
                       : Bool#ABI#ABI->ABI
118
        var
119
              n,m:NAT
120
121
              abi,abi1:ABI
              b1.b2:Bool
\frac{122}{123}
        rew
              rem(0 \ 0.n)=0 \ 0
\frac{124}{125}
              \texttt{rem}(\texttt{add}(\texttt{abi},\texttt{m})\,,\texttt{n}) = \texttt{if}(\texttt{gt}(\texttt{m},\texttt{n})\,,\texttt{add}(\texttt{abi},\texttt{m})\,,\texttt{if}(\texttt{eq}(\texttt{n},\texttt{m})\,,\texttt{abi}\,,\texttt{add}(\texttt{rem}(\texttt{abi},\texttt{n})\,,\texttt{m})))
\frac{126}{127}
              upd(0_0,n,F)=0_0
              upd(0_0,n,T)=add(0_0,n)
\frac{127}{128}
\frac{128}{129}
              upd(add(abi,m),n,F)=rem(add(abi,m),n)
              \label{eq:condition} \texttt{upd(add(abi,m),n,T)=if(gt(m,n),add(add(abi,m),n),}
130
131
                                                    if(eq(n,m),add(abi,m),add(upd(abi,n,T),m)))
132
133
134
135
136
137
138
139
              \verb"n_on(0_0)=0 n_on(add(abi,n))=\verb"succ(n_on(abi))"
              \min_{0} on(0_0) = 0 \min_{0} (add(abi,n)) = n
              seton(abi,n)=upd(abi,n,T) setoff(abi,n)=upd(abi,n,F)
              reverse(abi,n)=upd(abi,n,not(acc(abi,n)))
140
141
142
143
              acc(0 0.n)=F
              acc(add(abi,m),n)=if(gt(m,n),F,if(eq(m,n),T,acc(abi,n)))
               eq(0_0,0_0)=T eq(0_0,add(abi,n))=F eq(add(abi,n),0_0)=F
144
              eq(add(abi,n),add(abi1,m))=and(eq(n,m),eq(abi,abi1))
145
              if(T,abi,abi1)=abi if(F,abi,abi1)=abi1
```

```
147
148
     149
            Messages
150
     151
     sort Message
152
     func
\begin{array}{c} 153 \\ 154 \end{array}
         NetworkReset
                             : ABI
                                      -> Message
          DMCapabilityDeclaration : NAT#Bool -> Message
155
         DMLeaderDeclaration
                             : NAT#ABI -> Message
156
     map
157
          eq:Message#Message->Bool
158
     var
159
         n.m:NAT
160
         abi,abi1:ABI
161
         b1,b2:Bool
162
163
          eq(NetworkReset(abi),NetworkReset(abi1))=eq(abi,abi1)
164
         eq(DMCapabilityDeclaration(n,b1),DMCapabilityDeclaration(m,b2))
165
           =and(eq(n,m),eq(b1,b2))
166
          eq(DMLeaderDeclaration(n,abi),DMLeaderDeclaration(m,abi1))
167
           =and(eq(n,m),eq(abi,abi1))
168
          eq(NetworkReset(abi),DMCapabilityDeclaration(n,b1))=F
169
          eq(NetworkReset(abi),DMLeaderDeclaration(n,abi1))=F
170
          eq(DMCapabilityDeclaration(n,b1),NetworkReset(abi))=F
171
          eq(DMCapabilityDeclaration(n,b1),DMLeaderDeclaration(m,abi))=F
          eq(DMLeaderDeclaration(n,abi),NetworkReset(abi1))=F
173
          eq(DMLeaderDeclaration(n,abi),DMCapabilityDeclaration(m,b1))=F
175
     176
177
      178
     sort Status
179
180
       INIT,LE,LEIF,LEIL,LEILS,AOS,AO:->Status
181
     map
182
       n:Status->NAT
183
       eq:Status#Status->Bool
184
185
      n(INIT)=0 n(LE)=1 n(LEIF)=2 n(LEIL)=3 n(LEILS)=4 n(AOS)=5 n(AO)=6
186
     var a,b:Status
187
     rew eq(a,b)=eq(n(a),n(b))
188
189
     190
     %%%
            Actions
191
     192
     act
193
     _flip, flip_on, flip_off, __flip:NAT
194
     _on, _off, on, off, __on, __off:NAT
195
     _send, send, _rcv, rcv, __send, __rcv:NAT#Message
196
     _reset, reset, __reset:NAT#ABI
197
      _reset_off, reset_off, __reset_off:NAT
198
     _leader:NAT#NAT
199
200
     \overline{201}
            Communication Function
202
     203
     comm
204
     _flip|flip_on=__flip
205
     _flip|flip_off=__flip
206
     _on|on=__on
\bar{207}
     _off|off=__off
208
     _send|send=__send
\frac{1}{209}
     _rcv|rcv=__rcv
\overline{210}
     _reset|reset=__reset
\overline{2}\overline{1}\overline{1}
      _reset_off|reset_off=__reset_off
212
213
     214
     %%%
            DCMM Process
                                                          %%%
\overline{2}\overline{1}\overline{5}
     216
\tilde{2}\tilde{1}\tilde{7}
     DCMM(St:Status, URL:Bool, n:NAT, N:NAT, nst:ABI, wait:ABI, URLs:ABI,
218
          il:NAT, fl:NAT, am_on:Bool)=
\bar{2}19
       {\tt flip\_on(n).\_on(n).DCMM(INIT,URL,n,N,0\_0,0\_0,0\_0,0,0,T)}
\frac{210}{220} 221
         <|not(am_on)|>delta
\frac{221}{222}
       sum(nst1:ABI,rcv(n,NetworkReset(nst1)).DCMM(LE,URL,n,N,nst1,0_0,0_0,0,0,T))
```

A. μCRL Source<sup>1</sup>

```
\frac{223}{224}
             <|am_on|>delta
225
          flip off(n). off(n).DCMM(INIT.URL.n.N.O 0.0 0.0 0.0.0.F)
\bar{2}\bar{2}\ddot{6}
             <|am_on|>delta
\overline{2}\overline{2}\overline{7}
\bar{2}\bar{2}\dot{8}
\frac{1}{229}
         \frac{1}{230}
               <|eq(n_on(nst),1)|> delta
\frac{230}{231}
             _send(il(N,nst),DMCapabilityDeclaration(n,URL)).
233
234
                 DCMM(LEIF,URL,n,N,nst,0_0,0_0,il(N,nst),0,T)
               <|not(eq(il(N,nst),n))|> delta
\frac{1}{235}
\bar{2}36
             ( sum(m:NAT,sum(d:Bool,(
\frac{237}{238}
                   rcv(n,DMCapabilityDeclaration(m,d))
                      239
240
241
242
                        fl(N,nst,upd(upd(nst,n,URL),m,d)),T)
                 <|eq(n_on(nst),2)|>
                    rcv(n,DMCapabilityDeclaration(m,d))
                      DCMM(LEIL,URL,n,N,nst,setoff(setoff(nst,n),m),
243
                        upd(upd(0_0,n,URL),m,d),0,0,T))))
\bar{2}44
            ) < | \operatorname{and}(\operatorname{eq}(\operatorname{il}(\mathbb{N},\operatorname{nst}),\operatorname{n}),\operatorname{not}(\operatorname{eq}(\operatorname{n\_on}(\operatorname{nst}),1))) | > \operatorname{delta}
245
246
             \verb"sum"(m:NAT, \verb"sum"(URLs1:ABI, \verb"rcv"(n, DMLeaderDeclaration"(m, URLs1))))".
\frac{5}{247}
                 DCMM(LE,URL,n,N,nst,0_0,0_0,0,0,T)
248
249
         )<|eq(St,LE)|>delta
250
251
         ( _send(il,DMCapabilityDeclaration(n,URL)).
\overline{252}
                 DCMM(LEIF, URL, n, N, nst, 0_0, 0_0, i1, 0, T)
253
254
            sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1)).
\frac{254}{255}
                 DCMM(AOS,URL,n,N,nst,O_0,URLs1,0,m,T)))
257
258
259
             sum(m:NAT,sum(d1:Bool,rcv(n,DMCapabilityDeclaration(m,d1)))).
                 DCMM(LEIF, URL, n, N, nst, 0_0, 0_0, i1, 0, T)
         )<|eq(St,LEIF)|>delta
260
261
262
         ( sum(m:NAT,sum(d:Bool,(
263
               rcv(n,DMCapabilityDeclaration(m,d)).
264
                 DCMM(LEILS, URL, n, N, nst, setoff(nst, n), upd(URLs, m, d), 0, f1(N, nst, upd(URLs, m, d)), T)
265
              <|and(eq(n_on(wait),1),acc(wait,m))|>
266
267
               rcv(n,DMCapabilityDeclaration(m,d)).
                 DCMM(LEIL,URL,n,N,nst,setoff(wait,m),upd(URLs,m,d),0,0,T))))
268
269
             sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1)))).
\frac{270}{271}
                 DCMM(LEIL, URL, n, N, nst, wait, URLs, 0, 0, T)
         )<|eq(St,LEIL)|>delta
272
273
\frac{274}{275}
         ( sum(m:NAT.(
                 \_{\tt send(m,DMLeaderDeclaration(fl,URLs))}\,.
\bar{2}76
                   DCMM(LEILS,URL,n,N,nst,setoff(wait,m),URLs,0,f1,T)
\bar{2}77
               <|and(not(eq(m,fl)),gt(n_on(wait),1))|> delta
\overline{278}
279
                 _send(m,DMLeaderDeclaration(f1,URLs)).
280
                   DCMM(AOS,URL,n,N,nst,0_0,URLs,0,f1,T)
\overline{281}
               <|eq(n_on(wait),1)|> delta
282
                        )<|acc(wait,m)|>delta)
283
284
            \verb|sum(m:NAT,sum(URLs1:ABI,rcv(n,DMLeaderDeclaration(m,URLs1))))|.\\
\frac{1}{285}
                 DCMM(LEILS,URL,n,N,nst,wait,URLs,0,f1,T)
286
\bar{2}87
             \verb|sum(m:NAT,sum(d1:Bool,rcv(n,DMCapabilityDeclaration(m,d1)))||.
288
289
                 DCMM(LEILS,URL,n,N,nst,wait,URLs,0,f1,T)
         )<|eq(St,LEILS)|>delta
290
\frac{1}{291}
          _leader(n,fl).DCMM(AO,URL,n,N,nst,O_O,URLs,O,fl,T)
292
             <|eq(St,AOS)|>delta
29\bar{3}
\overline{294}
          tau.DCMM(AO,URL,n,N,nst,O_O,URLs,O,f1,T)
\frac{1}{295}
             <|eq(St,AO)|>delta
296
\frac{1}{297}
        298
        %%%
```

```
299
     300
     Env(N:NAT,nst:ABI)=sum(m:NAT,(_flip(m).Env(N,reverse(nst,m))
301
                             +_flip(m).delta<|gt(n_on(reverse(nst,m)),0)|>delta
302
                             )<|gt(N,m)|>delta)
303
304
     305
            Bus Process
306
     307
     Bus(N:NAT,nstat:ABI)=
308
       sum(m:NAT,on(m).Bus1(N,seton(nstat,m),seton(nstat,m)))
309
310
311
312
       sum(m:NAT,off(m)._reset_off(m).
         (Bus(N, setoff(nstat, m)) < |eq(n_on(nstat), 1)| >
         Bus1(N,setoff(nstat,m),setoff(nstat,m))))
313
314
     Bus1(N:NAT,nstat:ABI,wait:ABI)=
\begin{array}{c} 3\overline{15} \\ 3\overline{16} \end{array}
       \verb"sum"(m:NAT,\_reset(m,nstat).(Bus(N,nstat)<|eq(n_on(wait),1)|>
                       Bus1(N,nstat,setoff(wait,m)))<|acc(wait,m)|>delta)
\frac{317}{318}
     319
            Message Queues
320
     \begin{array}{c} 321 \\ 322 \\ 323 \end{array}
     sort QMes
     func empty
                             -> QMes
         add
                 : QMes#Message -> QMes
324
325
     map first
                             -> Message
                 : QMes
326
         remfirst : QMes
                             -> QMes
327
         is_empty : QMes
                             -> Bool
328
                 : QMes
                             -> NAT
         size
329
     var
330
         mes1,mes2:Message
331
         q: QMes
332
333
         first(add(empty,mes1))=mes1
334
         first(add(add(q,mes2),mes1))=first(add(q,mes2))
335
         remfirst(add(empty,mes1))=empty
336
         remfirst(add(add(q,mes2),mes1))=add(remfirst(add(q,mes2)),mes1)
         is_empty(empty)=T
338
         is_empty(add(q,mes1))=F
339
         size(empty)=0
340
         size(add(q,mes1))=succ(size(q))
341
342
     343
     %%%
            Buffer Process
344
     345
     proc
\frac{346}{347}
     Buffer(N:NAT,n:NAT,q:QMes)=
       \verb|sum|(mes:Message,send(n,mes).Buffer(N,n,add(q,mes)))| < | gt(nB,size(q))| > delta|
348
349
       \verb| \_rcv(n,first(q)).Buffer(N,n,remfirst(q)) < |not(is\_empty(q))| > delta| \\
350
351
       sum(nst1:ABI,reset(n,nst1).Buffer(N,n,add(empty,NetworkReset(nst1))))
352
3\overline{5}\overline{3}
      reset_off(n).Buffer(N,n,empty)
354
355
     356
     357
358
     SYSTEMDCMM(N:NAT,nstat:ABI,URLs:ABI)=
359
     encap({_flip,flip_on,flip_off},
360
       361
       encap({_on,on,_off,off,_reset,reset,_reset_off,reset_off},
362
          hide({__send},encap({_send,send},
363
            (hide({__rcv},encap({_rcv,rcv},
\frac{364}{365}
              DCMM(INIT,acc(URLs,0),0,N,0_0,0_0,0_0,0,0,acc(nstat,0))||
             Buffer(N,0,empty))))
366
             11
367
            (hide({__rcv},encap({_rcv,rcv},
368
             DCMM(INIT,acc(URLs,1),1,N,0_0,0_0,0_0,0,0,acc(nstat,1))||
369
              Buffer(N,1,empty))))
370
371
            (hide({__rcv},encap({_rcv,rcv},
              DCMM(INIT,acc(URLs,2),2,N,0_0,0_0,0_0,0,0,acc(nstat,2))||
              Buffer(N,2,empty))))
          ))
```

B. PROMELA Source<sup>2</sup>

## B. PROMELA Source<sup>2</sup>

```
#define initNDCMM 3
      #define nB 2
 \bar{3}
      typedef ABI {bool a[initNDCMM]};
      mtype = {NetworkReset, DMCapabilityDeclaration, DMLeaderDeclaration};
      typedef Message {mtype MTYPE; byte NN; bool URL; ABI NST};
      chan on = [0] of {byte};
      chan off = [0] of {byte};
      chan send[initNDCMM] = [0] of {Message};
chan rcv[initNDCMM] = [0] of {Message};
10
11
12
      chan reset[initNDCMM] = [0] of {ABI};
13
      chan reset_off[initNDCMM] = [0] of {bit};
14
      chan flip[initNDCMM] = [0] of {bit};
      chan leader = [0] of {byte, byte}
16
17
      chan env = [0] of \{ABI\}
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
      chan bus = [0] of {ABI} /* Due to the technical restrictions of spin we
      cannot pass arrays as parameters for processes. So we use these channels to
      pass nst to Env and Bus */
      /* inlines use and sideeffect variable _i
      (assumed that it is defined as byte) */
      /* copies N first elements of array B
      to the corresponding elements of A */
inline array_assign(A, B, N)
      { _i=0; do
               :: _i<N -> A.a[_i]=B.a[_i]; _i=_i+1
               :: else break
               od; _i=0;}
      /* m := minimal m s.t. A[m].
      0 if all elements of A are false */
      inline array_min_true(A, N, m)
36
37
38
39
      { _{i=0}; do
               ::(_i<N) -> if
                             :: !A.a[_i] -> _i=_i+1
                             :: else -> break
40
                            fi:
41
               ::else ->
                           break
42
43
44
45
46
47
48
49
50
51
52
53
               od; m = (_i==N \rightarrow 0 : _i); _i=0;}
      /* n_on := number of true elements of A */
      inline array_n_true(A, N, n_on)
      { n_on=0; _i=0; do
                         ::(_i<N) \rightarrow n_on=(A.a[_i]->n_on+1:n_on);_i=_i+1
                         ::else -> break
                        od; _i=0;}
      /* assign false to N first elements of A*/
      inline array_false(A, N)
      { _i=0; do
               ::(_i<N) -> A.a[_i]=false; _i=_i+1
55
56
               ::else -> break
               od; _i=0;}
57
      #define NETWORK_RESET_WAIT_URLS rcv[n]?NetworkReset,_,ib,nst;\
      \verb|atomic{d_step{array_false(wait,N);array_false(URLs,N);}||}
```

 $<sup>^2</sup>$ Note that the source code can also be obtained from http://www.cwi.nl/~ysu/sources/HAVi or by contacting the author.

```
60
       il=0;fl=0;m=0;n_on=0};goto LE}
 61
 62
       #define NETWORK_RESET_URLS rcv[n]?NetworkReset,_,ib,nst;\
      atomic{d_step{array_false(URLs,N);\ill=0;fl=0;m=0;n_on=0);goto LE}
 6\overline{3}
 64
 65
 66
       #define NETWORK_RESET rcv[n]?NetworkReset,_,ib,nst;\
 67
       \verb|atomic{d_step{il=0;fl=0;m=0;n_on=0};goto LE}| \\
 68
 69
       #define FLIP_OFF_NST_WAIT_URLS flip[n]?1;off!n;\
 70
71
72
73
74
75
76
77
78
80
81
82
83
84
       \verb|atomic{d_step{array_false(nst,N);array_false(wait,N);array_false(URLs,N);}|\\
       il=0;fl=0;m=0;n_on=0;am_on=false);goto INIT}
       #define FLIP_OFF_NST_URLS flip[n]?1;off!n;\
       \verb|atomic{d_step{array_false(nst,N);array_false(URLs,N);}|}
       il=0;fl=0;m=0;n_on=0;am_on=false};goto INIT}
       #define FLIP_OFF_NST flip[n]?1;off!n;\
       \verb|atomic{d_step{array_false(nst,N);}|\\
       il=0;fl=0;m=0;n_on=0;am_on=false);goto INIT}
       #define FLIP_OFF flip[n]?1;off!n;\
       atomic{d_step{il=0;fl=0;m=0;n_on=0;am_on=false};goto INIT}
       bool ib; hidden ABI iabi;
 85
86
       87
              DCMM Process
 88
       89
       proctype DCMM(bool URL; byte n, N; bool _am_on)
 90
       { bool am_on; ABI nst, wait, URLs;
 91
          byte il,fl,m,n_on; bool d; byte _i;
 92
 93
          d_step{ am_on=_am_on; array_false(nst,N); array_false(wait,N);
 94
                  array_false(URLs,N); i1=0; f1=0; m=0; n_on=0; d=false; _i=0;}
 95
       INIT:
 96
         if
 97
         :: !am_on -> flip[n]?1; on!n; atomic {am_on=true; goto INIT}
 98
         :: am_on -> if
 99
                      :: NETWORK_RESET
100
                      :: FLIP_OFF
101
                      fi;
102
         fi;
103
104
       LE:
105
         atomic{
           \label{lem:d_step} $$d_step{array_min_true(nst,N,il);} /* il calculation */
106
107
108
           :: il==n -> d_step{array_assign(wait,nst,N); wait.a[n]=false;
109
                              URLs.a[n]=URL; i1=0;} goto LEIL;
110
           :: else
111
           fi;}
112
113
       LE1:
114
115
             send[i1]!DMCapabilityDeclaration(n,URL,iabi); goto LEIF
116
             rcv[n]?DMLeaderDeclaration,_,ib,iabi; goto LE1;
             rcv[n]?DMCapabilityDeclaration,_,ib,iabi; goto LE1;
117
118
             NETWORK RESET
         ::
119
             FLIP_OFF_NST
         ::
120
         fi:
\frac{120}{121}
\frac{121}{122}
       LEIF:
122
123
124
125
126
127
128
         if
             send[il]!DMCapabilityDeclaration(n,URL,iabi); goto LEIF
             \verb"rcv[n]?DMLeaderDeclaration,fl,ib,URLs; goto AOS"
             rcv[n]?DMCapabilityDeclaration,_,ib,iabi; goto LEIF
         ::
             NETWORK_RESET
             FLIP_OFF_NST
129
130
131
132
         fi:
       LEIL:
         atomic{d_step{array_n_true(wait,N,n_on);}
133
       LEIL1:
134
135
           :: n_on==0 -> d_step{array_assign(wait,nst,N);
```

B. PROMELA Source<sup>2</sup>

```
136
                                                       wait.a[n]=false:
137
138
                                                        array_min_true(nst,N,fl);
139
                                                       array_min_true(URLs,N,m); /* final leader calculation */ fl=(m==0->fl:m); m=0;}
140
141
142
                                                        goto LEILS;
143
                      :: else
144
145
                      fi;}
146
147
             LETI.2:
                  if
148
                  :: rcv[n]?DMCapabilityDeclaration,m,d,iabi;
149
                           \verb|atomic{d_step{n_on=(wait.a[m]->n_on-1:n_on);}|\\
\frac{150}{151}
                              wait.a[m]=false; URLs.a[m]=d; m=0; d=false); goto LEIL1; }
                          rcv[n]?DMLeaderDeclaration,_,ib,iabi; goto LEIL2;
\frac{152}{153}
                  :: NETWORK_RESET_WAIT_URLS
                  :: FLIP_OFF_NST_WAIT_URLS
154
                  fi:
155
\begin{array}{c} 156 \\ 157 \end{array}
                  \verb|atomic{m=0; d=wait.a[f1]; wait.a[f1]=false; /* final leader is informed the last */ leade
158
159
             LEILS1:
160
161
                      :: (m==N && d) -> d_step{m=f1; d=false;}
162
                      :: (m==N && !d) -> m=0; goto AOS;
163
                      :: (m<N && !wait.a[m]) -> m=m+1; goto LEILS1;
164
                      :: else
165
                      fi;}
166
167
             LEILS2:
168
                 if
169
                          send[m]!DMLeaderDeclaration(f1,false,URLs); wait.a[m]=false; goto LEILS1;
170
                          rcv[n]?DMLeaderDeclaration,_,ib,iabi; goto LEILS2;
                          rcv[n]?DMCapabilityDeclaration,_,ib,iabi; goto LEILS2;
171
                  ::
172
                          NETWORK_RESET_WAIT_URLS
                  ::
\frac{173}{174}
                          FLIP_OFF_NST_WAIT_URLS
                  ::
                 fi;
 175
176
              AOS:
177
178
                 if
                            leader!n,fl; goto AO;
                  ::
179
                            NETWORK_RESET_URLS
                  ::
180
                            FLIP_OFF_NST_URLS
                  ::
181
                 fi;
182
183
             AO:
184
                 if
185
                            NETWORK_RESET_URLS
                 ::
186
                            FLIP_OFF_NST_URLS
                  ::
187
                            goto AO;
                  ::
188
                 fi;
189
             }
190
191
              192
                              Bus Process
193
             194
             proctype Bus(byte N)
195
              { ABI nst, wait; byte m, n_on, n_on_wait; byte _i;
196
197
                  d_step{array_false(nst,N); array_false(wait,N); m=0; n_on=0; _i=0;}
198
                  bus?nst:
199
                  {\tt d\_step\{array\_n\_true(nst,N,n\_on);}\}
200
\frac{201}{202}
             Bus_:
                  if
\frac{202}{203}\frac{204}{204}
                  :: n_on==0 \rightarrow on?m; atomic{d_step{nst.a[m]=true; m=0; n_on=1;} goto Bus1}
                  :: else -> if
205
                                         ::
                                                 on?m; atomic{d_step{nst.a[m]=true; m=0; n_on=n_on+1;} goto Bus1}
206
                                         ::
                                                 off?m; reset_off[m]!1; atomic{d_step{nst.a[m]=false; m=0; n_on=n_on-1;} goto Bus1}
\frac{500}{207}
                                         fi:
\bar{208}
                  fi;
\frac{209}{210}
             Bus1:
\overline{2}\overline{1}\overline{1}
                  atomic{
```

```
\begin{array}{c} 212 \\ 213 \end{array}
            if
            :: (m==N) -> m=0; goto Bus_;
214
            :: (m<N && !nst.a[m]) -> m=m+1; goto Bus1;
\bar{2}\bar{1}\bar{5}
            :: else
\bar{2}16
            fi:}
\overline{217}
218
         reset[m]!nst; atomic{m=m+1; goto Bus1};
219
220
\overline{221}
       #define BUFFER_RESET reset[n]?nst;atomic{d_step{queue_clean(nIn);\
\overline{222}
       {\tt queue[0].MTYPE=NetworkReset; array\_assign(queue[0].NST,nst,N);} \\
\bar{2}\bar{2}\bar{3}
       array_false(nst,N);nIn=1}; goto Buffer_}
\frac{224}{225}
       \verb|#define BUFFER_RESET_OFF reset_off[n]?1; \\ \\ \\
\frac{226}{226}
       atomic{d_step{queue_clean(nIn); nIn=0}; goto Buffer_}
\frac{221}{228}
\frac{228}{229}
        /* inlines below use and sideeffect variable _j
       (assumed that it is defined as byte) */
230
231
232
        /* shifts queue[1..nIn-1] to queue[0..nIn-2]
        (if nIn<=1 does nothing) */
233
       inline queue_shift()
234
235
236
237
238
       { _j=1; do
                 ::_j<nIn-> queue[_j-1].MTYPE=queue[_j].MTYPE;
                              queue[_j-1].NN=queue[_j].NN;
                              queue[_j-1].URL=queue[_j].URL;
                              array_assign(queue[_j-1].NST,queue[_j].NST,N);
\tilde{2}\tilde{3}9
                              _j=_j+1
240
                  ::else->break
\bar{2}41
           od; _j=0;}
242
243
       /* assignes default values to queue elements */
\overline{2}44
       inline queue_clean(NNN)
245
       { _j=0; do
246
247
                 :: _j<NNN -> queue_clean_element(_j); _j=_j+1
                 :: else break
248
                 od; _j=0;}
249
\frac{250}{251}
       /* assignes default value to an element */
       inline queue_clean_element(el)
252
       { queue[el].MTYPE=NetworkReset;
252 \\ 253 \\ 254
         queue[el].NN=0;
         queue[el].URL=false;
\frac{255}{256}
         array_false(queue[e1].NST,N);}
257
       258
       %%%
                Buffer Process
                                                                                 %%%
       259
260
       proctype Buffer(byte n, N)
261
       { byte nIn,_i,_j; Message queue[nB]; ABI nst;
262
263
         d_step{nIn=0; array_false(nst,N); queue_clean(nB); _i=0; _j=0;}
264
265
       Buffer_:
\bar{2}66
         if
\overline{267}
         :: (nIn<nB && nIn>0) ->
268
               if
269
               :: send[n]?queue[nIn];
\bar{270}
                   atomic{nIn=nIn+1; goto Buffer_};
271
               :: rcv[n]!queue[0];
\overline{272}
                   \verb|atomic{d_step{queue_shift(); nIn=nIn-1;}|}
\frac{272}{274}
                      queue_clean_element(nIn);} goto Buffer_}
               :: BUFFER_RESET
275
276
277
278
279
280
               :: BUFFER_RESET_OFF
               fi;
          :: (nIn==nB) -> if
                           :: rcv[n]!queue[0];
                                atomic{d_step{queue_shift(); nIn=nIn-1;
                                queue_clean_element(nIn);} goto Buffer_}
\frac{281}{282}
                                BUFFER_RESET
                           ::
                               BUFFER_RESET_OFF
\frac{1}{283}
                           fi:
284
          :: (nIn==0) ->
                          if
285
                           ::
                                send[n]?queue[nIn]; atomic{nIn=1; goto Buffer_}
\bar{2}86
                                BUFFER_RESET
                                BUFFER_RESET_OFF
```

B. PROMELA Source<sup>2</sup>

```
288
                      fi:
\frac{289}{289}
       fi;
290
     }
\bar{2}91
292
      \bar{293}
             Env Process
\frac{1}{294}
      295
      \verb"proctype Env(byte N)"
\bar{296}
      { ABI nst; byte n_on,j; byte _i;
\bar{297}
\frac{1}{298}
       d\_step\{j=0;\ n\_on=0;\ array\_false(nst,N);\_i=0\}
\frac{1}{299}
       env?nst;
300
     Env_:
301
       if
302
303
       :: flip[j]!1;
          atomic \{ \ d\_step \{ nst.a[j] = !nst.a[j]; \ j=0; \ array\_n\_true(nst, \mathbb{N}, n\_on); \}
304
305
                 if
                 :: n_on=0; goto Env_;
\frac{306}{307}
                 :: (n_on!=0) \rightarrow d_step\{n_on=0; array_false(nst,N);\} goto Env_End;
                 fi;
308
               }
309
        :: leader?_,_; atomic{j=0; goto Env_;}
310
       :: (j<(N-1)) -> atomic{j=j+1; goto Env_;}
311
312
     Env_End:
313
      leader?_,_; goto Env_End;
314
315
316
      317
318
319
      320
321
      { ABI nst, URLs; byte j; byte _i;
322
323
       atomic{
         d_step{ array_false(nst,initNDCMM); array_false(URLs,initNDCMM);
324
                nst.a[0]=true; URLs.a[1]=true; j=0;}
\frac{325}{326}
         :: j<initNDCMM -> run DCMM(URLs.a[j],j,initNDCMM,nst.a[j]);
327
                         run Buffer(j,initNDCMM); j=j+1;
328
         :: else break;
329
330
331
         od; j=0;
         run Bus(initNDCMM); run Env(initNDCMM);
       bus!nst; env!nst;
```