Description and Formal Specification of the Link Layer of P1394

S.P. Luttik

Software Engineering (SEN)

SEN-R9706 May 31, 1997
Description and Formal Specification of the Link Layer of P1394

S.P. Luttik

CWI

P.O. Box 94079, 1090 GB Amsterdam, The Netherlands

Programming Research Group, University of Amsterdam,
Kruislaan 403, 1098 SJ Amsterdam, The Netherlands

Email: luttik@cwi.nl

ABSTRACT
We give a formal specification in μCRL of the Link Layer as described in the IEEE Standard P1394 [IEE95] that may serve as a starting point for further verification.

1991 Mathematics Subject Classification: 68M10 Computer networks; 68Q60 Specification and verification of programs

1991 Computing Reviews Classification System: C.2.2 Network Protocols; D.2.1 Requirements/Specifications; D.2.4 Program Verification

Keywords and Phrases: P1394, μCRL, Serial Bus Protocol.

Note: Research supported by the Netherlands Organization for Scientific Research (NWO) under contract SION 612-33-008. Work carried out under project SEN 2.1 Process Specification and Analysis.

1. INTRODUCTION

P1394 is an IEEE Standard describing a “High Performance Serial Bus” [IEE95]. It deals both with the physical requirements and the protocol of the bus. The main feature of P1394 is that it supports two modes of transaction: an asynchronous mode and an isochronous mode.

In asynchronous mode, one party (the sender) can send a message of arbitrary length to some other party (the receiver). Such a message may be sent at an arbitrary moment after the sender has gained access to the bus; the only timing restriction is that the interval during which a node may have access to the bus is bounded. In this mode, the receiver must confirm the receipt of the message by sending an acknowledge.

In isochronous mode the sender is obliged to send messages at fixed rates, and messages are not acknowledged. This service is useful for fast transmission of large amounts of data, if certainty at the side of the sender about the receipt of the data by the receiver is not important, whereas the arrival of the data at a constant rate is (for instance, audio/video data).

We give a specification of part of the P1394 protocol in μCRL [GP94], a formalism based on process algebra (see e.g. [Mil89, BW90]) that has the possibility of including algebraic data descriptions. Our specification serves as a case study in the application of formal methods and forms a starting point for further verification of the protocol.

We specify the behaviour in asynchronous mode of the Link Layer, the middle layer of the three layered protocol, responsible for the construction of packets, the transmission of these over a serial (one bit) line to other parties, and the computation and verification of checksums. Moreover, we specify a Bus-process, describing the external behaviour of the underlying physical components according to P1394, in order to be able to simulate the situation where a number of Link Layers communicate asynchronously.
The rest of this section is devoted to an informative introduction to P1394. In Section 2 we will discuss our specification of the Link Layer protocol and in Section 3 we will explain our specification of a process describing the external behaviour of a number of P1394-compliant Physical Layers connected by a cable. The actual specifications are included as appendices. In Section 4 we will indicate a number of properties that should hold w.r.t. our specification.

### 1.1 The P1394 Protocol

The serial bus architecture is roughly as depicted in Figure 1. It consists of a number of nodes (addressable entities that run their own part of the protocol) connected by a serial line (to which we will refer by the term CABLE in the sequel).

![Serial Bus Architecture Diagram](image)

**Figure 1:** Serial Bus architecture.

The behaviour of each node in asynchronous mode is described by three layers:

1. The Transaction Layer (the upper layer; indicated by TRANS) offers three types of transactions to the application(s) running on the node: applications may want to perform **read transactions** (read data from another node), **write transactions** (write data to another node), and **lock transactions** (have some of its own data processed by another node after which it is transferred back). Such transactions consist of a request and a response; TRANS can both handle ‘concatenated response’ transactions (response follows request immediately) as well as ‘split’ transactions (response not necessarily follows immediately on the request it belongs to).

2. The Link Layer (referred to as **LINK**) is the middle layer. It forms the interface between TRANS and the physical components of the bus (consisting of the ‘Physical Layers’ (PHYS) connected by a serial line (CABLE), together denoted by **BUS**). **LINK** provides two types of services to TRANS:

   **Data request/response:** By means of a ‘**LINK Data request**’ TRANS instructs LINK to send a packet to some particular node or to broadcast a packet to all other nodes. TRANS must react on a packet addressed to it by sending an acknowledge by means of a ‘**LINK Data response**’.

   **Data indication/confirmation:** By means of a ‘**LINK Data indication**’ LINK indicates the arrival of data (either request or response data). The receipt of an acknowledge packet is indicated to TRANS by means of a ‘**LINK Data confirmation**’.

**LINK** divides the stream of packets that it sees on **BUS** into an alternating sequence of ‘subactions’ and ‘subaction gaps’; the latter being time intervals having a specified minimal length during which **CABLE** resides in an idle state (see Figure 2). A subaction either consists of a single packet (in case of a ‘split transaction’, see subaction 1) or of two packets (in case of a ‘concatenated response transaction’, see subaction 2). Within each subaction, a packet is delimited by special
Before a packet can be put on BUS, LINK must first gain access by issuing an arbitration procedure. Moreover LINK must transform the requests of TRANS into a certain packet format, computing and attaching checksums to parts of the data to be transmitted. It also decides whether incoming packets have been received properly by verifying the attached checksums. Every packet that is put on BUS by any of the nodes is received by each LINK; however, only packets addressed to the node that LINK is a part of is forwarded to TRANS. LINK also directs the process of waiting for acknowledgements.

3. The physical connection between a node and the serial line is called the Physical Layer (PHY). It listens to and puts signals on CABLE, measures the lengths of the time intervals during which CABLE resides in an idle state and determines together with the other PHYs which node has control over CABLE (arbitration). It provides the following services to LINK:

**Arbitration request/confirmation**: LINK instructs PHY to start an arbitration procedure by means of a 'PHY Arbitration request'. The result of this procedure (either 'won' or 'lost') is communicated to LINK by means of a 'PHY Arbitration confirmation'.

**Data request/indication**: The Link Layer instructs PHY to put some signal on CABLE by means of a 'PHY Data request'. PHY indicates a signal on CABLE (or information about the status of CABLE) to LINK by means of a 'PHY Data indication'.

**Clock indication**: To notify LINK that it can (and should!) put a signal on CABLE, PHY communicates a 'PHY Clock indication'.

According to [IEEE95] there is also a so-called 'node controller' that can influence each of the three layers. Since in asynchronous mode the rôles of this node controller is restricted to the ability to reset each of the three layers (force them into their initial state), we have left it out of our specification.

2. **Explanation of LINK-Specification**

In [IEEE95], data descriptions of LINK mainly consist of a number of tables, that tables define the lengths of several different streams of bits and how to interpret them as packets.

The operational behaviour of LINK is described by means of an (incomplete) state-transition diagram and some informal text, meant to impose additional restrictions on the states and transitions of this diagram.

We apply some abstractions to the data in our specification and focus on the process part of LINK, which we try to describe as precise as possible. In this section, we will explain some details of our specification of LINK (appendix B). First, we introduce some elementary and auxiliary data types that we need in the specification. Then, we describe a single packet format that is used by LINK to communicate with the LINKs of other nodes, via BUS). Finally, we discuss the process part of the specification.
2.1 Auxiliary Data Types of Link
We need in our specification a sort \( \mathbb{B} \) with constants \( t \) and \( f \), the logical connectives not, or and and, and a function \( \text{if}(x,y,z) \) that chooses between its second and third argument upon the value of \( x \), and an equality relation \( \text{eq}(x,y) \). Moreover, we have a sort \( \mathbb{N} \) of natural numbers, with constructors \( 0 \) and \( \text{succ}(n) \), a ‘less than’-relation \( \text{lt}(n,m) \), and a predicate \( \text{eq}(x,y) \) reflecting the standard equality on naturals.

Furthermore, we have five enumerated types that encode a number of attributes used in the communication between Link and Trans and between Link and Phy:

- The sort \( \text{BOC} \) (for ‘Bus Occupancy Control’) contains two elements: \( \text{release} \) and \( \text{hold} \). It offers Trans the possibility to indicate Link whether a ‘split’ transaction (\( \text{release} \)) or a ‘concatenated response’ transaction (\( \text{hold} \)) is requested. Namely, in the first case Link must release the bus after sending an acknowledge packet, while in the second case the bus must be held to allow the sending of a response packet.

- The sort \( \text{LDI} \) contains the attributes Link must attach to an incoming packet when it forwards it to Trans.

- The sort \( \text{LDC} \) contains the values by which Link informs Trans of the success or failure of a transaction.

- The sort \( \text{PAR} \) contains the two possible arbitration modes\(^1\) by which Link can request Phy to gain access to Cable.

- After Phy has performed the arbitration procedure, a result of either \( \text{won} \) or \( \text{lost} \) (sort \( \text{PAC} \)) is communicated back to Link.

2.2 Packet Formats
The sorts DATA, HEADER, and ACK specify the actual contents of packets. In our specification these three sorts each contain two elements, but this could have been any number of distinct elements, given that there is a function \( \text{crc} \), that maps each element to some checksum in CHECK. It is not really important how such a checksum is computed, but the function \( \text{crc} \) should, of course, have an inverse. We have specified two checksum values: \( \top \) for ‘good crc’ and \( \bot \) for ‘bad crc’. We abstracted here a little bit from the original descriptions in [I.E.E.E.95]. There, the sorts DATA, HEADER, and ACK contain sequences of 128, 112, and 4 bits respectively. Data elements and headers have a 32 bit checksum; acknowledgements have a 4 bit checksum.

In [I.E.E.E.95] a number of asynchronous packet formats are defined for each kind of transaction. These formats are all in line with a general format for asynchronous packets, but differ in length, specific values of some fields of the header, and the presence of one or more data elements. We have specified just a single asynchronous packet format, consisting of a destination (from \( \mathbb{N} \)), a header part (an element from HEADER together with its \( \text{crc} \)) and one data part (an element from DATA and its \( \text{crc} \). The destination and the header part together form the header as described in [I.E.E.E.95]. Actually, the header part should contain all kinds of control fields that are not relevant on Link Layer level.

Every node that is connected to the Cable knows its own identification number and the total number of nodes that are connected to the Cable. If there are \( n \) nodes, then it is assumed that they have identification numbers 0 through \( n - 1 \). Now, if the destination field of a packet contains either of the values 0 through \( n - 1 \), then this is interpreted as the address of the node with this value as identification number. If the destination field has value \( n \), then the packet is considered a broadcast packet, i.e. a packet that is addressed to all nodes (except for the sending node).

As in [I.E.E.E.95], acknowledge packets consist of an acknowledge (code) and an acknowledge checksum (also called ‘parity’), together having a fixed length of 1 byte (i.e. 8 bits). By means of a ‘Link Data

\(^1\)a third possibility is mentioned in [I.E.E.E.95], but that one is not relevant in asynchronous mode.
2. Explanation of Link-Specification

According to [IEE95], LINK should communicate packets via BUS to other LINKs serially, that is, LINK must send one bit as soon as PHY indicates that it is ready to put a new bit on CABLE. Instead, we chose divide packets into signals (from $S$). In this way we obtain a more concise specification, avoiding a number of complications that do not influence LINK’s behaviour. We do make sure that our specification still reflects naturally the serial mechanisms as described in the standard. A signal is either a control signal or a data signal. We distinguish four types of data signals, which are embedded in the sort $S$ by means of the function sig.

**destination signals:** constructed by applying sig to a natural number — ‘getdest’ yields the destination from such a signal;

**header signals:** constructed by sig from a header and a checksum — ‘gethead’ yields the header from such a signal;

**data signals:** constructed by sig from a data part and a checksum — ‘getdata’ and ‘getdcre’ respectively yield the data element and the checksum of such a signal;

**acknowledge signals:** constructed by sig from an acknowledge and a checksum — ‘getack’ yields the acknowledge part of such a signal.

The predicates dest?(s), header?(s), data?(s) and ack?(s) respectively yield t if s is a destination, a header, a data element, or an acknowledge. Furthermore, valid_part(s) and valid_ack(s) equal t if s is a header or an acknowledge signal (respectively) with a checksum value of T.

To simulate the situation of [IEE95] where incoming destinations (consisting of 2 bytes) and acknowledgements (consisting of 1 byte) are distinguished by their length, we have an additional signal that is considered a data signal: dhead. Thus, destinations must be transmitted by means of two signals, dhead and the ‘real’ destination, whereas acknowledgements consist of one signal.

The sort $S$ contains four control signals:

**start:** used to mark the beginning of a packet;

**end, Prefix:** both used to mark the end of a packet; end indicates PHY to release control over CABLE afterwards; Prefix tells PHY not to release control over CABLE;

**subactgap:** is used by PHY to notice LINK that it has detected that CABLE has been idle for some specific amount of time.

The predicate physig? holds when a signal is one of the four control signals; terminator? determines it is start, Prefix, or end; and hda? is t if the signal is either a header signal, a data signal or an acknowledgement signal.

Within LINK, asynchronous packets reside in a buffer that is either empty (void) or contains a quadruple of four signals: a destination header, a destination signal, a header signal and a data signal (see SIG, TUPLE). Acknowledge packets will be represented just by their signal.

2.3 Link Layer Operation

Our specification of the process behaviour of LINK is based on the state machine as depicted in [IEE95, Figure 6-19, Page 174] and the informal explanation it is accompanied by. We have derived process names of the names of the states in the state machine as follows: process LINK$n$ for $0 \leq n \leq 7$ corresponds to state Ln. Each process receives at least three parameters: the total number of nodes that are connected to CABLE, the identification number of the particular node, and a buffer to contain a pending request of TRANS. Each action receives the identification number as its first parameter.

LINK starts as process LINK0 with an buffer that is void; it can either receive a data request from TRANS (LDreq(id, dest, h, d)) or a data indication from PHY (rPInd(id, p)).
At a data request, a packet is constructed from the parameters put into the buffer. Since the buffer then is not void anymore LINK starts a fair arbitration procedure to gain access to BUS (sPareq(id, fair)). If this results in won then the underlying PHY controls CABLE, so LINK enters ‘send mode’ (LINK2req, see below). However, it can also happen that PHY indicates a the arrival of data: the packet is stored in buffer and the data is received first (LINK4).

At a data indication, it must be checked whether the received signal is a start-signal. If it is, then this indicates that some node has control over CABLE and is sending a packet. The incoming packet must be received in ‘receive mode’ (LINK4). However, if the signal was not a start-signal, it may be ignored.

**Send Mode** As soon as it has gained control over CABLE, PHY starts indicating clock signals (pCInd(id)) to notify LINK that it should send a signal. LINK is supposed to respond to every such clock indication and sends the entire packet — delimited by a start- and an end-signal —, one signal at a time (LINK2req).

The end signal also notifies PHY that LINK has sent all of its packet; it will cease to send clock indications. Upon the value of the destination field, LINK either informs TRANS that a broadcast packet was sent (LDcon(id,broadcast)) properly (LINK0), or it must wait for an acknowledge packet (LINK3).

The acknowledge packet must arrive within some specific amount of time: if a subactgap occurs before an acknowledgement with valid checksum has been received entirely (i.e. up to and including the terminating end signal), then LINK will act as if the acknowledge is missing. Recall that an acknowledge packet can be identified by its length (1 signal). As a start signal arrives, LINK evolves into LINK3ra, expecting an acknowledge signal. If the next signal is indeed a data signal, then LINK receives the terminating end signal (LINK3re), checks the validity of the received acknowledge signal and sends an 'acknowledgement received' (ackrec) to TRANS. On the other hand, if anything goes wrong (for instance, another data signal arrives, there is no terminating end, or the acknowledge packet is not valid), then LINK sends 'acknowledgement missing' (ackmiss) to TRANS. Both in case of failure and in case of success, LINK does wait for an indication of PHY that a 'subaction gap' (subactgap) has occurred, before it returns the initial state (LINKWsa). Of course, if a subaction gap interferes in the above described behaviour, LINK should immediately send an ackmiss and return to its initial state.

**Receive Mode** If LINK receives a start signal is indicated, it enters ‘receive mode’ (LINK4) and expects to see a packet being put on BUS by some other LINK. Asynchronous packets consist of 4 signals, and LINK will receive at least two signals before it can determine whether the packet is addressed to it. If it only receives one signal followed by a terminating end (LINK4rh), then it has received an acknowledge packet, which it should ignore: it will wait for the next subaction gap and return to the initial state (LINKWsa). If the second signal is indeed a destination signal, then it must check whether the incoming packet is either (1) a packet addressed to it, (2) a broadcast packet or (3) a packet destined to some other node.

In the first case it must notify PHY that it wants access to BUS as soon as the packet has been received entirely, in anticipation of sending an acknowledge. It does this by means of an immediate arbitration request sPareq(id, immediate). Broadcast packets, however, should not be acknowledged, so in the second case no such request is needed. In both cases LINK evolves into state LINK4rh; by means of the parameter dest, it can decide whether the incoming packet was broadcast or not. In the third case LINK should completely ignore the packet; it returns to LINK0 at the next subaction gap (LINKWsa).

The third signal is expected to be a header signal (LINK4rh), and the fourth signal should be a data signal (LINK4rh). If the packet is correctly terminated by either an end signal or a Prefix signal, then the packet is indicated to TRANS as either a broadcast packet (LINK4brec), or as a packet that was addressed to this node (LINK4hrec). In both cases the data checksum is verified. Observe that in
the broadcast-case, a packet with invalid data checksum is ignored. In the other case, the packet will have to be acknowledged, so upon a `PHY Arbitration confirmation' of won, LINK evolves into `send acknowledge mode' (LINK5).

Any deviation of the above described procedure will cause LINK to ignore the packet; it will wait for a subaction gap to return to the initial state (LINKWsa). However, an immediate arbitration request will always be followed by a `PHY Arbitration confirmation' of won. In such a case, LINK is granted access to CABLE, although it does not need to send an acknowledgement. Therefore, if the destination signal indicated that the packet was meant for this LINK, the arbitration confirmation must be received and CABLE-control must be terminated immediately by sending an end signal (LINKWsa).

Send Acknowledge Mode While LINK is waiting for TRANS to respond to a data indication with the proper acknowledgement code, it must keep CABLE `busy' by sending a Prefix signal on every clock indication; this is to avoid the occurrence of a subactgap. Depending on the type of the received packet, TRANS may need to issue a so-called `concatenated response' (for instance, the packet was a read request and TRANS immediately wants to send the requested data to the requesting node). By means of a data response (LDreq(id, dest, h, d)) TRANS communicates the proper acknowledgement, as well as one of the values release or hold. The former means that no concatenated response is requested and that, after sending the acknowledge (Link6), LINK may release CABLE and go to its initial state. The latter means that a concatenated response is requested and that LINK should hold CABLE after sending the acknowledgement packet by responding to clock indications by Prefix signals (Link7). Now, LINK already has control over CABLE, so upon a data request it may evolve into `send mode' (LINK2resp) immediately.

3. The Auxiliary Bus Protocol
In order to simulate the interaction of n Link Layers, we have also specified the external the behaviour of n PHYS, connected by CABLE (see appendix C) in the process BUS.

3.1 Tables over B
As an auxiliary data type we need a sort Btable of tables over booleans. It is constructed from \emptyset and btable(n, b, B), where b from B, n from N and B from Btable. For example,

\[ \text{btable}(\text{succ}(0), t, \text{btable}(0, f, \emptyset)) \]

denotes a table over booleans with 3 entries, numbered 0 through succ(succ(0)), and with entries 0 and succ(succ(0)) set to t and succ(0) set to f.

Additionally, a function init(n) that creates a table with n entries (number 0 through n − 1), all initialized to f; a function get(n, B) yields the nth value of B; a function invert(n, B) that updates the nth value of B to not(get(n, B)); a function if(b, B1, B2) that chooses between B1 and B2, and functions zero(B), one(B), and more(B) that return t if either none of the entries, precisely one entry, or more than one entry (respectively) of B has/have the value t, and f otherwise.

Most notably, this sort is used to store information about the specific nodes connected to BUS.

3.2 BUS Operation
Initially, BUS is idle (BUS_IDLE); it knows the number of LINK processes that should communicate with it (n), and administrates in a Btable which LINKs have had control during a `fairness interval' (t).

During each fairness interval, each LINK process is allowed to gain control over BUS by means of a fair arbitration request at most once; it may access BUS more than once as a consequence of an immediate arbitration request. As soon as BUS has been idle for some specific amount of time and some LINK has had access during the running fairness interval (not(zero(t))), an `arbitration reset gap' (arbresgap) occurs, to indicate that every LINK may again be granted access by fair arbitration.
The time interval that Bus must be idle before such an arbresgap may occur should be longer than that of a subactgap.

As soon as some Link requests arbitration (rPAreq(id, astat)), Bus enters 'decision mode': it checks in its table whether the requesting node has or has not had access during the present fairness interval; if not, then Bus confirms by won and evolves into a 'busy state' (BusBusy); otherwise, Bus just responds lost (DECIEIDLE).

In a busy state, it also has to be administrated which nodes have requested immediate arbitration (next), and which node has control over Bus (busy). The fourth parameter keeps track of which nodes have received a bad destination field, and is only present to be able to simulate loss and corruption of data (see the discussion of the Distribute process).

Being in a busy state, Bus may still receive fair arbitration requests, but they will be confirmed by lost. A potential candidate for a response on the packet that is put on Bus must make itself known by an immediate arbitration request, this will be recorded in next. No confirmation is sent, however, until the 'busy node' releases its control.

Furthermore, as long as busy < n some Link process is still wanting to send signals, so the appropriate clock indications must be generated (sP Cind(busy)), and signals must be distributed (Distribute).

The Distribute process recurses over all nodes (as long as lt(i,n)) delivering the requested signal (except if eq(i,busy)). However, to obtain a realistic simulation, we also modelled the potential loss or corruption of signals. We have added a function corrupt to S which changes the checksum field of header signals, data signals, and acknowledge signals to ⊥. Moreover, an extra dummy is used to simulate the situation in which packets with a wrong length are delivered.

- If the signal is a destination signal, then this signal may get invalid in Bus (second summand of Distribute). However, if this happens, then the header checksum (which comes with the next signal) is no longer valid. Therefore, it is recorded in the table destfault to which nodes invalid destinations have been distributed.

- Any signal, except for header signals which should have a corrupted checksum according to the above, may be delivered correctly (the first summand of Distribute).

- If the signal to be delivered is either a header signal, a data signal or an acknowledge signal, then it may be delivered corrupted (third summand) or it may not be delivered at all (fourth summand).

- If the signal to be delivered is a data signal, then the packet may be extended by sending a dummy-signal immediately after the data signal.

After Distribute has distributed the signal to every node, it checks whether the distributed signal was a terminating end. Namely, if it is then the present 'busy node' no longer requires access to Bus and BusBusy is called with n, instead of busy. It should be tested whether there is some node that has requested immediate arbitration request by examining next. If this is not the case then a subactgap is distributed to all nodes (SubactionGAP) and Bus returns to idle (BusIDLE). However, if some of the entries of next have value t, then control over the Bus must go to some other node (Resolve).

The Resolve process sends arbitration confirmations (won) and a clock indication to all nodes that requested immediate arbitration. As long as there is more than one node (more(Next)) having control over Bus there is a conflict situation. Terminating end signals must be received from Link processes (Resolve2), until there is only one Link having access to Bus. Then, a data request is received from this node and if it is not an end signal, this signal is distributed to all other nodes; this particular node becomes the 'busy node'. However, if the received signal is indeed an end signal, then no LINK has control over the Bus anymore, so a subactgap is distributed to all Link processes, after which Bus becomes idle again (BusIDLE).
4. Correctness Properties

In this section we formulate some properties we expect to hold for our specifications of Link and Bus (see also appendix D).

We will denote by $P_{1394}(n)$ the process consisting of $n$ Link Layers numbered 0 through $n-1$ running in parallel with the specification of Bus, assuming that the ‘send actions’ $sPDind, sPDreq, \ldots$ can only happen when they communicate with their corresponding ‘read actions’ $rPDind, rPDreq, \ldots$ and that only the services provided by the Link Layers to the respective Transaction Layers are visible. That is, if we assume that $I$ and $H$ represent the following sets of actions:

$$I \overset{\text{def.}}{=} \{ PDind, PDreq, PAcon, PAreq, \}$$
$$H \overset{\text{def.}}{=} \{ rPDind, sPDind, rPDreq, sPDreq, rPAcon, sPAcon, rPAreq, sPAreq, rPCon, sPCon \}$$

then $P_{1394}(n) \overset{\text{def.}}{=} \tau_I \circ \partial_H(Bus(n) || Link(n,0))$.

The following requirements should hold in our specification for every $n \geq 1$:

- “$P_{1394}(n)$ is deadlock free”. That is, it has no trace that ends in a deadlock. Of course, as soon as one of the Links exhibits a deadlock, then $P_{1394}(n)$ will also eventually enter a deadlock situation, since subactgaps can no longer be communicated to this process. In real implementations such deadlocks can be resolved by the node controllers: they can reset every layer.

- “Between the occurrence of two ‘subaction gaps’ at most two asynchronous packets have travelled over the Bus”. This can be verified by checking that in any trace of $\partial_H(Bus(n) || Link(n,0))$ at most two LDcon actions take place.

- “If a LDreq action at node $0 < i < n$ occurred and node $i$ communicates a PAreq each time it receives a subactgap signal (and before an arbresgap occurs), it also eventually does a LDcon”. Since timing is absent in our specification we need the extra proviso that the PAreq occurs before the arbresgap. In real implementations timers must make sure that this is the case.

- “Every PAreq with parameter immediate is followed by a a matching PAcon with parameter won” in any trace of $\partial_H(Nodes(n))$”.

- “Between two arbitration reset gaps no node receives a PAcon with parameter won upon a PAreq with parameter fair more than once.”
A. Link Data

\textbf{sort } \mathbb{B} \\
\textbf{func} \ t, f : \to \mathbb{B}

\begin{align*}
\textbf{func } \text{and} : & \mathbb{B} \times \mathbb{B} \to \mathbb{B} & \textbf{func } \text{or} : & \mathbb{B} \times \mathbb{B} \to \mathbb{B} & \textbf{func } \text{not} : & \mathbb{B} \to \mathbb{B} \\
\textbf{if} & : \mathbb{B} \times \mathbb{B} \times \mathbb{B} \to \mathbb{B}
\end{align*}

\begin{align*}
\textbf{var} & \ b : \mathbb{B} & \textbf{var} & \ b : \mathbb{B} & \textbf{var} & \ b_1, b_2 : \mathbb{B} \\
\textbf{rew} & \text{and}(t,b) = b & \textbf{rew} & \text{or}(t,b) = t & \textbf{rew} & \text{not}(f) = t \\
& \text{and}(b,t) = b & & \text{or}(b,t) = t & & \text{not}(t) = f \\
& \text{and}(b,f) = f & & \text{or}(b,f) = b & & \text{if}(t,b_1,b_2) = b_1 \\
& \text{and}(f,b) = f & & \text{or}(f,b) = b & & \text{if}(f,b_1,b_2) = b_2
\end{align*}

\textbf{sort } \mathbb{N} \\
\textbf{func} \ 0: \to \mathbb{N} \\
\text{succ} : \mathbb{N} \to \mathbb{N}

\begin{align*}
\textbf{func} & \text{eq} : \mathbb{N} \times \mathbb{N} \to \mathbb{B} & \textbf{func} & \text{lt} : \mathbb{N} \times \mathbb{N} \to \mathbb{B} \\
\textbf{var} & \ n, m : \mathbb{N} & \textbf{var} & \ n, m : \mathbb{N} \\
\textbf{rew} & \text{eq}(0,0) = t & \textbf{rew} & \text{lt}(0,0) = f \\
& \text{eq}(\text{succ}(n),0) = f & & \text{lt}(\text{succ}(n),0) = f \\
& \text{eq}(0,\text{succ}(n)) = f & & \text{lt}(0,\text{succ}(n)) = t \\
& \text{eq}(\text{succ}(n),\text{succ}(m)) = \text{eq}(n,m) & & \text{lt}(\text{succ}(n),\text{succ}(m)) = \text{lt}(n,m)
\end{align*}

\textbf{sort } \text{DATA} \\
\textbf{func} \ d_1, d_2 : \to \text{DATA} \\
\text{crc} : \text{DATA} \to \text{CHECK}

\begin{align*}
\textbf{rew} & \text{crc}(d_1) = T & \textbf{rew} & \text{crc}(h_1) = T \\
& \text{crc}(d_2) = T & & \text{crc}(h_2) = T
\end{align*}

\textbf{sort } \text{ACK} \\
\textbf{func} \ a_1, a_2 : \to \text{ACK} \\
\text{crc} : \text{ACK} \to \text{CHECK}

\begin{align*}
\textbf{rew} & \text{crc}(a_1) = T & \textbf{rew} & \text{eq}(\bot, \bot) = t \\
& \text{crc}(a_2) = T & & \text{eq}(T, T) = t \\
& & & \text{eq}(\bot, T) = f \\
& & & \text{eq}(T, \bot) = f
\end{align*}

\textbf{sort } \text{CHECK} \\
\textbf{func} \ \bot, T : \to \text{CHECK} \\
\text{eq} : \text{CHECK} \times \text{CHECK} \to \mathbb{B}

\begin{align*}
\textbf{rew} & \text{eq}(\bot, \bot) = t & \textbf{rew} & \text{eq}(T, T) = t \\
& \text{eq}(\bot, T) = f & & \text{eq}(T, \bot) = f
\end{align*}

\textbf{sort } \text{$S$} \\
\textbf{func} \ \text{sig} : \mathbb{N} \to \text{$S$} \\
\text{sig} : \text{HEADER} \times \text{CHECK} \to \text{$S$} \\
\text{sig} : \text{DATA} \times \text{CHECK} \to \text{$S$} \\
\text{sig} : \text{ACK} \times \text{CHECK} \to \text{$S$} \\
\text{start, end} : \to \text{$S$} \\
\text{Prefix, subactgap} : \to \text{$S$} \\
\text{dhead, dummy} : \to \text{$S$}
\textbf{func} start?, end?: \quad \mathbb{S} \to \mathbb{B} \\
\text{prefix?, sagap?}: \quad \mathbb{S} \to \mathbb{B} \\
\textbf{var} n: \mathbb{N} \\
\text{h: HEADER} \\
\text{d: DATA} \\
a: \text{ACK} \\
c: \text{CHECK} \\
\textbf{rew} \quad \text{start?(start)} = t \quad \text{end?(end)} = t \quad \text{prefix?(Prefix)} = t \quad \text{sagap?(subactgap)} = t \\
\text{start?(end)} = f \quad \text{end?(start)} = f \quad \text{prefix?(start)} = f \quad \text{sagap?(start)} = f \\
\text{start?(Prefix)} = f \quad \text{end?(Prefix)} = f \quad \text{prefix?(end)} = f \quad \text{sagap?(end)} = f \\
\text{start?(subactgap)} = f \quad \text{end?(subactgap)} = f \quad \text{prefix?(subactgap)} = f \quad \text{sagap?(Prefix)} = f \\
\text{start?(dhead)} = f \quad \text{end?(dhead)} = f \quad \text{prefix?(dhead)} = f \quad \text{sagap?(dhead)} = f \\
\text{start?(dummy)} = f \quad \text{end?(dummy)} = f \quad \text{prefix?(dummy)} = f \quad \text{sagap?(dummy)} = f \\
\text{start?(sig(n))} = f \quad \text{end?(sig(n))} = f \quad \text{prefix?(sig(n))} = f \quad \text{sagap?(sig(n))} = f \\
\text{start?(sig(h,c))} = f \quad \text{end?(sig(h,c))} = f \quad \text{prefix?(sig(h,c))} = f \quad \text{sagap?(sig(h,c))} = f \\
\text{start?(sig(d,c))} = f \quad \text{end?(sig(d,c))} = f \quad \text{prefix?(sig(d,c))} = f \quad \text{sagap?(sig(d,c))} = f \\
\text{start?(sig(a,c))} = f \quad \text{end?(sig(a,c))} = f \quad \text{prefix?(sig(a,c))} = f \quad \text{sagap?(sig(a,c))} = f \\
\textbf{func} \quad \text{dest?, header?:} \quad \mathbb{S} \to \mathbb{B} \\
\text{data?, ack?:} \quad \mathbb{S} \to \mathbb{B} \\
\textbf{var} n: \mathbb{N} \\
\text{h: HEADER} \\
\text{d: DATA} \\
a: \text{ACK} \\
c: \text{CHECK} \\
\textbf{rew} \quad \text{dest?(sig(n))} = t \quad \text{header?(sig(h,c))} = t \quad \text{data?(sig(d,c))} = t \quad \text{ack?(sig(a,c))} = t \\
\text{dest?(sig(h,c))} = f \quad \text{header?(sig(n))} = f \quad \text{data?(sig(n))} = f \quad \text{ack?(sig(n))} = f \\
\text{dest?(sig(d,c))} = f \quad \text{header?(sig(d,c))} = f \quad \text{data?(sig(h,c))} = f \quad \text{ack?(sig(h,c))} = f \\
\text{dest?(sig(a,c))} = f \quad \text{header?(sig(a,c))} = f \quad \text{data?(sig(a,c))} = f \quad \text{ack?(sig(a,c))} = f \\
\text{dest?(start)} = f \quad \text{header?(start)} = f \quad \text{data?(start)} = f \quad \text{ack?(start)} = f \\
\text{dest?(end)} = f \quad \text{header?(end)} = f \quad \text{data?(end)} = f \quad \text{ack?(end)} = f \\
\text{dest?(Prefix)} = f \quad \text{header?(Prefix)} = f \quad \text{data?(Prefix)} = f \quad \text{ack?(Prefix)} = f \\
\text{dest?(subactgap)} = f \quad \text{header?(subactgap)} = f \quad \text{data?(subactgap)} = f \quad \text{ack?(subactgap)} = f \\
\text{dest?(dhead)} = f \quad \text{header?(dhead)} = f \quad \text{data?(dhead)} = f \quad \text{ack?(dhead)} = f \\
\text{dest?(dummy)} = f \quad \text{header?(dummy)} = f \quad \text{data?(dummy)} = f \quad \text{ack?(dummy)} = f \\
\textbf{func} \quad \text{physig?, terminator?:} \quad \mathbb{S} \to \mathbb{B} \\
\textbf{var} s: \mathbb{S} \\
\textbf{rew} \quad \text{physig?(s)} = \\
\quad \text{or(start?(s),}
\quad \text{or(end?(s),or(prefix?(s),sagap?(s))}) \\
\quad \text{terminator?(s) = or(end?(s),prefix?(s))} \\
\textbf{func} \quad \text{hda?:} \quad \mathbb{S} \to \mathbb{B} \\
\textbf{var} s: \mathbb{S} \\
\textbf{rew} \quad \text{hda?(s)} = \\
\quad \text{or(header?(s),or(data?(s),ack?(s)))}
func valid_hpart, valid_ack: S \rightarrow B

var n: N
  h: HEADER
  d: DATA
  a: ACK
  c: CHECK

rew valid_ack(sig(a,c)) = eq(c, T)
  valid_hpart(sig(h,c)) = eq(c, T)
  valid_hpart(sig(h,c)) = f
  valid_ack(start) = f
  valid_ack(end) = f
  valid_ack(subactgap) = f
  valid_hpart(dhead) = f

rew getdest(sig(n)) = n
  gethead(sig(h,c)) = h
  getdata(sig(d,c)) = d
  getack(sig(a,c)) = a
  corrupt(sig(h,c)) = sig(h, ⊥)
  corrupt(sig(d,c)) = sig(d, ⊥)
  corrupt(sig(a,c)) = sig(a, ⊥)

var n: N
  h: HEADER
  d: DATA
  a: ACK
  c: CHECK

sort SIG_TUPLE

func quadruple: S × S × S × S \rightarrow SIG_TUPLE
  → SIG_TUPLE
  π_1, π_2, π_3, π_4: SIG_TUPLE \rightarrow S
  void?: SIG_TUPLE \rightarrow B

var x1, x2, x3, x4: S

rew \pi_1(quadruple(x1,x2,x3,x4)) = x1
  \pi_2(quadruple(x1,x2,x3,x4)) = x2
  \pi_3(quadruple(x1,x2,x3,x4)) = x3
  \pi_4(quadruple(x1,x2,x3,x4)) = x4
  void?(void) = t
  void?(quadruple(x1,x2,x3,x4)) = f
sort PAC
func won, lost: PAC → PAC
  eq: PAC × PAC → B
rew eq(won, won) = t
    eq(lost, lost) = t
    eq(won, lost) = f
    eq(lost, won) = f

sort LDC
func ackrec: ACK → LDC
  ackmiss, broadsent: → LDC

sort BOC
func release, hold: → BOC
  eq: BOC × BOC → B
rew eq(release, release) = t
    eq(hold, hold) = t
    eq(hold, hold) = f
    eq(hold, release) = f

sort PAR
func fair, immediate: → PAR
  eq: PAR × PAR → B
rew eq(fair, fair) = t
    eq(immediate, immediate) = t
    eq(fair, immediate) = f
    eq(immediate, fair) = f

sort LDI
func good, broadrec: HEADER × DATA → LDI
dcrc_err: HEADER → LDI

B. Link Layer

act LDbeg: N × N × HEADER × DATA
LDcon: N × LDC
LDind: N × LDI
LDres: N × ACK × BOC
sPDreq, rPDind: N × S
sPAreq: N × PAR
rPAcon: N × PAC
rPCind: N

proc LINK0(n:N, id:N, buffer:SIG_TUPLE) =
  \(\sum\)\(dest::N,\)
  \(\sum\)\(h::HEADER,\)
  \(\sum\)\(d::DATA,\)
  \(\sum\)\(ldreq(id, dest, h, d) \cdot \)
  LINK0(n, id, quadruple(dhead, sig(dest), sig(h, crc(h)), sig(d, crc(d)))))
  \(\cdot\) void?(buffer) \(\triangleright\) sPDreq(id, fair) \(\triangleright\) LINK1(n, id, buffer)
  \(\cdot\) \(\sum\)\(p::S, rPDind(id, p) \cdot (\text{LINK4}(n, id, buffer) \triangleq \text{start}(p) \triangleright\text{LINK0}(n, id, buffer))\)

LINK1(n:N, id:N, p:SIG_TUPLE) =
  rPAcon(id, won) \cdot LINK2req(n, id, p) + rPAcon(id, lost) \cdot LINK0(n, id, p)

LINK2req(n:N, id:N, p:SIG_TUPLE) =
  \(\cdot\) rPCind(id) \cdot
  sPDreq(id, start) \cdot rPCind(id) \cdot sPDreq(id, p1(p)) \cdot rPCind(id) \cdot sPDreq(id, p2(p)) \cdot rPCind(id) \cdot sPDreq(id, end) \cdot
  (LDcon(id, broadsent) \cdot LINK0(n, id, void) \triangleq \text{eq}(getdest}(p2(p), n) \triangleright\text{LINK3}(n, id, void)\)
\text{LINK3}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}) = \\
\sum(p : \mathbb{S}, \hspace{1cm} rPDind(id,p) \cdot \\
\text{LINK3}(n,id,buffer) \triangleq \text{prefix}(p) \triangleright \\
\text{LINK3}_{\text{RA}}(n,id,buffer) \triangleq \text{start}(p) \triangleright \\
(LDcon(id,ackmiss) \cdot \text{LINK0}(n,id,buffer) \triangleq \text{sagap}(p) \triangleright \\
LDcon(id,ackmiss) \cdot \text{LINKWSA}(n,id,buffer,n)))

\text{LINK3}_{\text{RA}}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}) = \\
\sum(a : \mathbb{S}, \hspace{1cm} rPDind(id,a) \cdot \\
(LDcon(id,ackmiss) \cdot \text{LINK0}(n,id,buffer) \triangleq \text{sagap}(a) \triangleright \\
LDcon(id,ackmiss) \cdot \text{LINKWSA}(n,id,buffer,n)) \triangleq \text{physig}(a) \triangleright \text{LINK3}_{\text{RE}}(n,id,buffer,a))

\text{LINK3}_{\text{RE}}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}, a : \mathbb{S}) = \\
\sum(e : \mathbb{S}, \hspace{1cm} rPDind(id,e) \cdot \\
(LDcon(id,ackrec(getack(a))) \cdot \text{LINKWSA}(n,id,buffer,n)) \triangleq \text{valid}(a,\text{terminator}(e)) \triangleright \\
(LDcon(id,ackmiss) \cdot \text{LINK0}(n,id,buffer) \triangleq \text{sagap}(e) \triangleright \\
LDcon(id,ackmiss) \cdot \text{LINKWSA}(n,id,buffer,n)))

\text{LINK4}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}) = \\
\sum(dh : \mathbb{S}, \hspace{1cm} rPDind(id,dh) \cdot \\
(\text{LINK0}(n,id,buffer) \triangleq \text{sagap}(dh) \triangleright \text{LINKWSA}(n,id,buffer,n)) \triangleq \text{physig}(dh) \triangleright \\
\text{LINK4}_{\text{DH}}(n,id,buffer,n)))

\text{LINK4}_{\text{DH}}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}) = \\
\sum(dest : \mathbb{S}, \hspace{1cm} rPDind(id,dest) \cdot \\
((\text{spAreq(id,immediate)} \cdot \text{LINK4}_{\text{DH}}(n,id,buffer,id) \triangleq \text{eq}(\text{getdest}(dest),id)) \triangleright \\
\text{LINK4}_{\text{DH}}(n,id,buffer,n) \triangleq \text{eq}(\text{getdest}(dest),n) \triangleright \text{LINKWSA}(n,id,buffer,n)) \triangleq \text{dest}(dest) \triangleright \text{LINK0}(n,id,buffer) \triangleq \text{sagap}(\text{dest}) \triangleright \text{LINKWSA}(n,id,buffer,n)))

\text{LINK4}_{\text{DH}}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}, dest : \mathbb{N}) = \\
\sum(h : \mathbb{S}, \hspace{1cm} rPDind(id,h) \cdot \\
((\text{LINK4}_{\text{RD}}(n,id,buffer,dest,h) \triangleq \text{valid}_0part(h) \triangleright \text{LINKWSA}(n,id,buffer,dest)))

\text{LINK4}_{\text{RD}}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}, dest : \mathbb{N}, h : \mathbb{S}) = \\
\sum(d : \mathbb{S}, \hspace{1cm} rPDind(id,d) \cdot \text{LINK4}_{\text{RE}}(n,id,buffer,dest,h,d) \triangleq \text{data}(d) \triangleright \text{LINKWSA}(n,id,buffer,dest))

\text{LINK4}_{\text{RE}}(n : \mathbb{N}, id : \mathbb{N}, buffer : \text{SIG\_TUPLE}, dest : \mathbb{N}, h : \mathbb{S}, d : \mathbb{S}) = \\
\sum(e : \mathbb{S}, \hspace{1cm} rPDind(id,e) \cdot \\
((\text{LINK4}_{\text{RE}}(n,id,buffer,h,d) \triangleq \text{eq}(\text{dest},id) \triangleright \text{LINK4}_{\text{RE}}(n,id,buffer,h,d) \triangleq \text{terminator}(e) \triangleright \text{LINKWSA}(n,id,buffer,dest)))
\[
\begin{align*}
\text{LINK4}_{\text{DRec}}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}, h: \text{S}, d: \text{S}) &= \\
\quad \text{LDInd}(\text{id}, \text{good}(\text{gethead}(h), \text{getdata}(d))) \cdot \text{rPAcon}(\text{id}, \text{won}) \cdot \text{LINK5}(n, \text{id}, \text{buffer}) \\
&\quad \langle \text{eq}(\text{getcrc}(d), T) \rangle \\
&\quad \text{LDInd}(\text{id}, \text{drc\_err}(\text{gethead}(h))) \cdot \text{rPAcon}(\text{id}, \text{won}) \cdot \text{LINK5}(n, \text{id}, \text{buffer})
\end{align*}
\]
\[
\begin{align*}
\text{LINK4}_{\text{BRec}}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}, h: \text{S}, d: \text{S}) &= \\
\quad \text{LDInd}(\text{id}, \text{broadcast}(\text{gethead}(h), \text{getdata}(d))) \cdot \text{LINK0}(n, \text{id}, \text{buffer}) \langle \text{eq}(\text{getcrc}(d), T) \rangle \\
&\quad \text{LINK0}(n, \text{id}, \text{buffer})
\end{align*}
\]
\[
\begin{align*}
\text{LINK5}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}) &= \\
&\quad \sum(a: \text{ACK}, \sum(b: \text{BOC}, \text{LDreq}(\text{id}, a, b)) \cdot \text{LINK6}(n, \text{id}, \text{buffer}, \text{sig}(a, \text{crc}(a), b))) \\
&\quad + \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \text{Prefix}) \cdot \text{LINK5}(n, \text{id}, \text{buffer})
\end{align*}
\]
\[
\begin{align*}
\text{LINK6}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}, p: \text{S}, b: \text{BOC}) &= \\
&\quad (\text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \text{start}) \cdot \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, p)) \\
&\quad (\text{rPCind}(\text{id}) \\
&\quad \langle \text{sPDreq}(\text{id}, \text{end}) \rangle \cdot \text{LINK0}(n, \text{id}, \text{buffer}) \langle \text{eq}(\text{b}, \text{release}) \rangle \\
&\quad \langle \text{spDreq}(\text{id}, \text{Prefix}) \rangle \cdot \text{LINK7}(n, \text{id}, \text{buffer}))
\end{align*}
\]
\[
\begin{align*}
\text{LINK7}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}) &= \\
&\quad \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \text{Prefix}) \cdot \text{LINK7}(n, \text{id}, \text{buffer}) \\
&\quad + \langle \sum(\text{dest}: \text{N}, \\
&\quad \sum(h: \text{HEADER}, \\
&\quad \sum(d: \text{DATA}, \\
&\quad \text{LDreq}(\text{id}, \text{dest}, h, d) \\
&\quad \text{LINK2}_{\text{resp}}(n, \text{id}, \text{buffer}, \text{quadruple}(\text{dhead}, \text{sig}(\text{dest}), \text{sig}(h, \text{crc}(h)), \text{sig}(d, \text{crc}(d)))))) \rangle
\end{align*}
\]
\[
\begin{align*}
\text{LINK2}_{\text{resp}}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}, p: \text{SIG\_TUPLE}) &= \\
&\quad (\text{rPCind}(\text{id}) \\
&\quad \langle \text{sPDreq}(\text{id}, \text{start}) \rangle \cdot \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \pi_1(p)) \cdot \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \pi_2(p))) \\
&\quad (\text{rPCind}(\text{id}) \\
&\quad \langle \text{sPDreq}(\text{id}, \pi_3(p)) \rangle \cdot \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \pi_4(p)) \cdot \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \text{end})) \\
&\quad (\text{LDcom}(\text{id}, \text{broadcast}) \cdot \text{LINK0}(n, \text{id}, \text{buffer}) \langle \text{eq}(\text{getdest}(\pi_2(p), n) \rangle \langle \text{LINK3}(n, \text{id}, \text{buffer}) \rangle)
\end{align*}
\]
\[
\begin{align*}
\text{LINKWSA}(n: \text{N}, \text{id}: \text{N}, \text{buffer}: \text{SIG\_TUPLE}, \text{dest}: \text{N}) &= \\
&\quad \langle \sum(p: \text{S}, \text{rPInd}(\text{id}, p) \cdot \text{LINK0}(n, \text{id}, \text{buffer}) \langle \text{sagap}(p) \rangle \langle \text{LINKWSA}(n, \text{id}, \text{buffer}, \text{dest}) \rangle \rangle \\
&\quad + (\text{rPAcon}(\text{id}, \text{won}) \cdot \text{rPCind}(\text{id}) \cdot \text{sPDreq}(\text{id}, \text{end}) \cdot \text{LINK0}(n, \text{id}, \text{buffer}) \langle \text{eq}(\text{dest}, \text{id}) \rangle \langle \delta \rangle)
\end{align*}
\]

C. Bus

sort Btable

func \emptyset: Btable \rightarrow Btable

btable: N \times B \times Btable \rightarrow Btable
\textbf{func} \quad \text{init} \colon \mathbb{N} \rightarrow \text{Btable} \quad \textbf{func} \quad \text{zero, one, more} \colon \text{Btable} \rightarrow \mathbb{B}

\text{invert} : \mathbb{N} \times \text{Btable} \rightarrow \text{Btable}

\text{get} : \mathbb{N} \times \text{Btable} \rightarrow \mathbb{B}

\text{if} : \mathbb{B} \times \text{Btable} \times \text{Btable} \rightarrow \text{Btable}

\textbf{var} \quad n, m : \mathbb{N}

b : \mathbb{B}

bt1, bt2 : \text{Btable}

\textbf{rew}

\begin{align*}
\text{init}(0) &= \emptyset \\
\text{init}(\text{succ}(n)) &= \text{btable}(n, \text{finit}(n)) \\
\text{invert}(n, \emptyset) &= \emptyset \\
\text{invert}(n, \text{btable}(m, b, bt1)) &= \\
& \quad \text{if}(\text{eq}(n, m), \text{btable}(m, \text{not}(b), bt1), \\
& \quad \quad \text{btable}(m, b, \text{invert}(n, bt1))) \\
\text{get}(n, \text{btable}(m, b, bt1)) &= \\
& \quad \text{if}(\text{eq}(n, m), b, \text{get}(n, bt1)) \\
& \quad \text{if}(t, bt1, bt2) = bt1 \\
& \quad \text{if}(f, bt1, bt2) = bt2
\end{align*}

\textbf{act}

rP\text{Areq} : \mathbb{N} \times \text{PAR}

rPD\text{req}, sP\text{Acon} : \mathbb{N} \times \mathbb{S}

sP\text{Cind} : \mathbb{N}

\text{arbresgap}

\text{losesignal}

\textbf{proc}

\begin{align*}
\text{BusIdle}(n \colon \mathbb{N}, t \colon \text{Btable}) &= \\
& \quad \sum_{i \colon \mathbb{N}} \left( \sum_{\text{astat} \colon \text{PAR}} \left( \text{rPAreq}(id, \text{astat}) \cdot \text{DECIDE} \text{IDLE}(n, t, id, \text{astat}) \right) \right) \\
& \quad + \text{arbresgap} \cdot \text{BusIdle}(n, \text{init}(n)) \not< \text{not}(\text{zero}(t)) \triangleright \delta
\end{align*}

\text{DECIDE} \text{IDLE}(n \colon \mathbb{N}, t \colon \text{Btable}, id \colon \mathbb{N}, \text{astat} \colon \text{PAR}) =

\begin{align*}
& (sP\text{Acon}(id, \text{won}) \cdot \text{BusBusy}(n, \text{invert}(id, t), \text{init}(n), \text{init}(n), id) \not< \text{not}(\text{get}(id, t)) \triangleright \not> \\
& (sP\text{Acon}(id, \text{lost}) \cdot \text{BusIdle}(n, t))
\end{align*}

\text{BusBusy}(n \colon \mathbb{N}, t \colon \text{Btable}, \text{next} \colon \text{Btable}, \text{destfault} \colon \text{Btable}, \text{busy} \colon \mathbb{N}) =

\begin{align*}
& ((sP\text{Cind}(\text{busy}) \cdot \sum_{p \colon \mathbb{S}} \text{rPDreq}(\text{busy}, p) \cdot \text{Distribute}(n, t, \text{next}, \text{destfault}, \text{busy}, p, 0)) \\
& \quad \not< \text{lt}(\text{busy}, n) \triangleright (\text{SUBACTION} \text{GAP}(n, t, 0) \not< \text{zero}(\text{next}) \triangleright \text{RESOLVE}(n, t, \text{next}, 0)) \\
& \quad + \sum_{j \colon \mathbb{N}} (\text{rPAreq}(j, \text{fair}) \cdot \text{sP\text{Acon}(j, \text{lost}) \cdot \text{BusBusy}(n, t, \text{next}, \text{destfault}, \text{busy})) \\
& \quad + \sum_{j \colon \mathbb{N}} \quad \text{rPAreq}(j, \text{immediate}) \\
& \quad (\text{BusBusy}(n, t, \text{invert}(j, \text{next}), \text{destfault}, \text{busy}) \not< \text{not}(\text{get}(j, \text{next})) \triangleright \delta))
\end{align*}

\text{SUBACTION} \text{GAP}(n \colon \mathbb{N}, t \colon \text{Btable}, i \colon \mathbb{N}) =

\text{BusIdle}(n, t) \not< \text{eq}(i, n) \triangleright sP\text{Dind}(i, \text{subactgap}) \cdot \text{SUBACTION} \text{GAP}(n, t, \text{succ}(i))

\text{RESOLVE}(n \colon \mathbb{N}, t \colon \text{Btable}, \text{next} \colon \text{Btable}, i \colon \mathbb{N}) =

\begin{align*}
& (((sP\text{Acon}(i, \text{won}) \cdot sP\text{Cind}(i) \cdot \text{RESOLVE}(n, t, \text{next}, \text{succ}(i))) \not< \text{get}(i, \text{next}) \triangleright \\
& (\text{Resolve}(n, t, \text{next}, \text{succ}(i))) \\
& \quad \not< \text{lt}(i, n) \triangleright \text{RESOLVE}2(n, t, \text{next}))
\end{align*}
\[\text{RESOLVE2}(n \in N, t : \textbf{Btable}, \text{next} : \textbf{Btable}) =
\begin{array}{l}
\left( \sum_{j \in N} (rPDreq(j, \text{end}) \cdot (\text{RESOLVE2}(n, t, \text{invert}(j, \text{next})) \wedge \text{get}(j, \text{next}) \wedge \delta)) \wedge \text{more}(\text{next}) \right) \\
+ \sum_{j \in N}
\end{array}
\]

\[\begin{array}{l}
+ rPDreq(j, p) \\
\wedge (\text{SUBACTION} \text{GAP}(n, t, 0) \wedge \text{end}?(p) \Rightarrow \text{DISTRIBUTE}(n, t, \text{init}(n), \text{init}(n), j, p, 0)))
\end{array}\]

\[\text{DISTRIBUTE}(n \in N, t : \textbf{Btable}, \text{next} : \textbf{Btable}, \text{destfault} : \textbf{Btable}, \text{busy} : \textbf{N}, p : \textbf{S}, i : \textbf{N}) =
\begin{array}{l}
\left( \sum_{j \in N} (sPDind(i, p) \cdot \text{DISTRIBUTE}(n, t, \text{next}, \text{destfault}, \text{busy}, p, \text{succ}(i))
\right.
\wedge \text{or}(\text{not}(\text{header}?(p)), \text{not}(\text{get}(i, \text{destfault}))) \wedge \delta)
+ \left( \sum_{j \in N}
\end{array}
\]

\[\begin{array}{l}
+ sPDind(i, \text{sig}(\text{dest}))) \cdot \text{DISTRIBUTE}(n, t, \text{next}, \text{invert}(i, \text{destfault}), \text{busy}, p, \text{succ}(i))
\wedge \text{dest}?(p) \wedge \delta)
+ (sPDind(i, \text{corrupt}(p)) \cdot \text{DISTRIBUTE}(n, t, \text{next}, \text{destfault}, \text{busy}, p, \text{succ}(i)) \wedge \text{hda}?(p) \wedge \delta)
+ \text{(losignal} \cdot \text{DISTRIBUTE}(n, t, \text{next}, \text{destfault}, \text{busy}, p, \text{succ}(i)) \wedge \text{hda}?(p) \wedge \delta)
+ (sPDind(i, p) \cdot sPDind(i, \text{dummy}) \cdot \text{DISTRIBUTE}(n, t, \text{next}, \text{destfault}, \text{busy}, p, \text{succ}(i))
\wedge \text{data}?(p) \wedge \delta)
+ \text{(rPAreq}(i, \text{immediate}) \cdot
\begin{array}{l}
+ \text{(DISTRIBUTE}(n, t, \text{invert}(i, \text{next}), \text{destfault}, \text{busy}, p, j) \wedge \text{not}(\text{get}(i, \text{next})) \wedge \delta))
\wedge \text{not}(\text{eq}(i, \text{busy})) \wedge \text{DISTRIBUTE}(n, t, \text{next}, \text{destfault}, \text{busy}, p, \text{succ}(i))
\wedge \text{lt}(i, n) \wedge
\begin{array}{l}
\text{(BUS} \text{BUSY}(n, t, \text{next}, \text{destfault}, n) \wedge \text{end}?(p) \Rightarrow \text{BUS} \text{BUSY}(n, t, \text{next}, \text{destfault}, \text{busy}))
\end{array}
\end{array}\]

\text{D. P1394}

\text{act } \text{PDind}, \text{PDreq} : N \times S
\text{PAcon} : N \times \text{PAC}
\text{PAreq} : N \times \text{PAR}
\text{PCind} : N

\text{comm } rPDind | sPDind = PDind
rPDreq | sPDreq = PDreq
rPAcon | sPAcon = PAcon
rPAreq | sPAreq = PAreq
rPCind | sPCind = PCind

\text{proc } \text{LINK}(n \in N, i \in N) = (\text{LINK0}(n, i, \text{void}) \parallel \text{LINK}(n, \text{succ}(i)) \wedge \text{lt}(\text{succ}(i), n) \Rightarrow \text{LINK0}(n, i, \text{void})

\text{BUS}(n \in N) = \text{BUS} \text{IDLE}(n, \text{init}(n))

\text{P1394}(n \in N) =
\begin{array}{l}
\tau((\text{PDind}, \text{PDreq}, \text{PAcon}, \text{PAreq}, \text{PCind}, \text{arbregap}, \text{losesignal}), \\
\delta((\text{rPDind}, \text{sPDind}, \text{rPDreq}, \text{sPDreq}, \text{rPAcon}, \text{sPAcon}, \text{rPAreq}, \text{sPAreq}, \text{rPCind}, \text{sPCind}), \\
\text{BUS}(n) \parallel \text{LINK}(n, 0)))
\end{array}\]
Acknowledgements
Thanks to Hubert Garavel, Jan Friso Groote and Mihaela Sighireanu for a number of comments that led to improvements and simplifications of both the specification and its explanation. I would also like to thank Judi Romijn for useful discussions on the IEEE Standard.

References