## Verification of a leader election protocol --- formal methods applied to IEEE 1394 (1997)

Venue: IEEE 1394. Formal Methods in System Design

Citations: 28 (7 self)

### BibTeX

```bibtex
@TECHREPORT{Devillers97verificationof,
  author      = {Marco Devillers and David Griffioen and Judi Romijn and Frits Vaandrager},
  title       = {Verification of a leader election protocol --- formal methods applied to IEEE 1394},
  institution = {IEEE 1394. Formal Methods in System Design},
  year        = {1997}
}
```

### Abstract

The IEEE 1394 high performance serial multimedia bus protocol allows several components to communicate with each other at high speed. In this paper we present a formal model and verification of a leader election algorithm that forms the core of the tree identify phase of the physical layer of the 1394 protocol. We describe the algorithm formally in the I/O automata model of Lynch and Tuttle, and verify that for an arbitrary tree topology exactly one leader is elected. A large part of our verification has been checked mechanically with PVS, a verification system for higher-order logic.

### Citations

1541 | Distributed Algorithms - Lynch - 1996
Citation Context: ...nd verified our abstract version of the 1394 leader election algorithm, Nancy Lynch pointed out to us that essentially the same algorithm is described informally in her book on Distributed Algorithms [Lyn96, p501]. Clearly, the algorithm was conceived independently by the designers of 1394 and by Lynch. As a consequence, an alternative way to look at our paper is that we provide a formal proof of a result clai...

472 | An introduction to Input/Output automata - Lynch, Tuttle - 1989
Citation Context: ... all $0 \le i < n$, $(v_i, v_{i+1}) \in E$, and (4) no vertex occurs more than once in the sequence. In Figure 5, the protocol is specified as an I/O automaton TIP using a standard precondition/effect notation [LT89]. For each link $e = (v, w)$, the source $v$ is denoted $source(e)$, the target $w$ is denoted $target(e)$, and the reverse link $(w, v)$ is denoted $e^{-1}$. For each node $v$, $from(v)$ gives the set of links with ...

306 | Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS - Owre, Rushby, et al. - 1995
Citation Context: ...I/O automata model of Lynch and Tuttle [LT89, Lyn96]. In Section 3, we sketch the mathematical verification, and also discuss the mechanization using PVS, a theorem prover based on higher-order logic [ORSH95]. We end with some conclusions in Section 4. 2. Description of the protocol. In this section we first describe the tree-identify phase of the IEEE 1394 protocol informa...

97 | The syntax and semantics of μCRL - Groote, Ponse - 1994

89 | Powerful techniques for the automatic generation of invariants - Bensalem, Lakhnech, et al. - 1996

81 | How to write a proof - Lamport - 1995
Citation Context: ...oofs often result in a lot of bookkeeping work, small faults are easily introduced. For that reason, we used a series of LaTeX macros that support the structured proof style as advocated by Lamport [Lam93]. The handwritten proofs are obtainable at the URL http://www.cs.kun.nl/~marcod/1394.html. We used PVS to check the proofs of the invariants and the weak-refinement mapping, i.e. the results of Theore...

56 | Proof-checking a data link protocol - Helmink, Sellink, et al. - 1993

43 | Forward and backward simulations I: untimed systems - Lynch, Vaandrager - 1995
Citation Context: ... most one ROOT-action. Theorem 2 Let $r \in states(TIP) \to states(SPEC)$ be the function defined by the state predicate: $SPEC.done \Leftrightarrow \exists v.\ TIP.root[v]$. Then $r$ is a weak refinement mapping (in the sense of [LV95]) from TIP to SPEC. In order to prove Theorem 2, it suffices to show that $r$ satisfies the following conditions: (1) the start state of TIP is mapped onto the start state of SPEC, (2) for every reach...

30 | Mechanical verification of timed automata: A case study - Archer, Heitmeyer - 1996
Citation Context: ...ariants and the weak-refinement mapping, i.e. the results of Theorem 1, Theorem 2 and Lemma 5. The PVS specification and proof files can also be obtained at the above URL. In our experience, see also [AH96], it is much faster to check invariants with the PVS system than to prove them by hand. The PVS system takes care of the bookkeeping, and trivial steps in the proof are often done automatically. Durin...

29 | Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS - Owre, Rushby, et al. - 1995

24 | Root contention in IEEE 1394 - Stoelinga, Vaandrager - 1999

22 | I/O automata in Isabelle/HOL - Nipkow, Slind - 1995

20 | The tree identify protocol of - Shankland, van der Zwaag - 1998

16 | Verification of the link layer protocol of the IEEE-1394 serial bus (FireWire): An experiment with E-LOTOS - Sighireanu, Mateescu - 1999

14 | Traces of I/O-automata in Isabelle/HOLCF - Müller, Nipkow - 1997

12 | Data Refinement: Model-Oriented Proof Methods and their Comparison, volume 47 of Cambridge Tracts - de Roever, Engelhardt - 1998

10 | The Verified Incremental Design of a Distributed Spanning Tree Algorithm: Extended Abstract - Hesselink - 1999

9 | Mechanical verification of timed automata: A case study - Archer, Heitmeyer - 1998

5 | Normed simulations - Griffioen, Vaandrager - 1998

5 | UNITY in Diversity: A Stratified Approach to the Verification of Distributed Algorithms - Vos - 2000

4 | A mechanical proof of Segall's PIF algorithm - Hesselink - 1997

3 | Description and formal specification of the Link layer of P1394 - Luttik - 1997

3 | Visual abstraction for temporal verification - Manna, Browne, et al. - 1998

2 | Towards mechanical verification of parts of the IEEE P1394 serial bus - Kuhne, Hooman, et al. - 1997

2 | A Verification Environment for I/O Automata Based on Formalized Meta-Theory - Mueller - 1998

2 | A timed verification of the IEEE 1394 leader election protocol - Romijn - 1999

1 | Mechanical verification of distributed algorithms in higher-order logic - Chou - 1995

1 | Possibly infinite sequences: A comparative case study - Devillers, Griffioen, et al. - 1997