# Washington University in St. Louis [Washington University Open Scholarship](https://openscholarship.wustl.edu/?utm_source=openscholarship.wustl.edu%2Fcse_research%2F606&utm_medium=PDF&utm_campaign=PDFCoverPages)

[All Computer Science and Engineering](https://openscholarship.wustl.edu/cse_research?utm_source=openscholarship.wustl.edu%2Fcse_research%2F606&utm_medium=PDF&utm_campaign=PDFCoverPages) 

**Computer Science and Engineering** 

Report Number: WUCS-92-44

1992-12-01

# Formal Specifications and Design of a Message Router

Christian Creveull and Gruia-Catalin Roman

Formal derivation refers to a family of design techniques that entail the development of programs which are guaranteed to be correct by construction. This paper investigates the possible application of one such technique-- UNITY-style specification refinement-- to industrialgrade problems. The formal specification and design of a message router illustrates the derivation process and helps identify those methodological elements that are likely to contribute to successful use of this technique in industrial environment. Although, the message router cannot be characterized as being industrial-grade, it is a sophisticated problem that pose significant specification and design challenges-- its apparent simplicity is rather... Read complete abstract on page 2.

Follow this and additional works at: [https://openscholarship.wustl.edu/cse\\_research](https://openscholarship.wustl.edu/cse_research?utm_source=openscholarship.wustl.edu%2Fcse_research%2F606&utm_medium=PDF&utm_campaign=PDFCoverPages)

#### Recommended Citation

Creveull, Christian and Roman, Gruia-Catalin, "Formal Specifications and Design of a Message Router" Report Number: WUCS-92-44 (1992). All Computer Science and Engineering Research. [https://openscholarship.wustl.edu/cse\\_research/606](https://openscholarship.wustl.edu/cse_research/606?utm_source=openscholarship.wustl.edu%2Fcse_research%2F606&utm_medium=PDF&utm_campaign=PDFCoverPages)

[Department of Computer Science & Engineering](http://cse.wustl.edu/Pages/default.aspx) - Washington University in St. Louis Campus Box 1045 - St. Louis, MO - 63130 - ph: (314) 935-6160.

This technical report is available at Washington University Open Scholarship: [https://openscholarship.wustl.edu/](https://openscholarship.wustl.edu/cse_research/606?utm_source=openscholarship.wustl.edu%2Fcse_research%2F606&utm_medium=PDF&utm_campaign=PDFCoverPages) [cse\\_research/606](https://openscholarship.wustl.edu/cse_research/606?utm_source=openscholarship.wustl.edu%2Fcse_research%2F606&utm_medium=PDF&utm_campaign=PDFCoverPages) 

# Formal Specifications and Design of a Message Router

Christian Creveull and Gruia-Catalin Roman

#### Complete Abstract:

Formal derivation refers to a family of design techniques that entail the development of programs which are guaranteed to be correct by construction. This paper investigates the possible application of one such technique-- UNITY-style specification refinement-- to industrial-grade problems. The formal specification and design of a message router illustrates the derivation process and helps identify those methodological elements that are likely to contribute to successful use of this technique in industrial environment. Although, the message router cannot be characterized as being industrial-grade, it is a sophisticated problem that pose significant specification and design challenges-- its apparent simplicity is rather deceiving, The main body of the paper consists of a complete formal specification of the router and a series of successive refinements that eventually lead to a trivial construction of a correct UNITY program. Each refinement is accompanied by its design rational and is explained both formally (proofs being included in an appendix) and informally, in a manner accessible to a broad audience. We use this example to make the case that program derivation provides a good basis for introducing rigor in the design strategy, regardless of the degrees of formality one is willing to consider.



School of Engineering & Applied Science

Formal Specification and Design of a Message Router

**Christian Creveuil** Gruia-Catalin Roman

**WUCS-92-44** 

December 1992

Department of Computer Science Washington University Campus Box 1045 One Brookings Drive Saint Louis, MO 63130-4899

#### Abstract

Formal derivation refers to a family of design techniques that entail the development of programs which are guaranteed to be correct by construction. This paper investigates the possible application of one such technique-UNITY-style specification refinement—to industrial-grade problems. The formal specification and design of a message router illustrates the derivation process and helps identify those methodological elements that are likely to contribute to successful use of this technique in an industrial environment. Although, the message router cannot be characterized as being industrial-grade, it is a sophisticated problem that poses significant specification and design challenges—its apparent simplicity is rather deceiving. The main body of the paper consists of a complete formal specification of the router and a series of successive refinements that eventually lead to a trivial construction of a correct UNITY program. Each refinement is accompanied by its design rational and is explained both formally (proofs being included in an appendix) and informally, in a manner accessible to a broad audience. We use this example to make the case that program derivation provides a good basis for introducing rigor in the design strategy, regardless of the degrees of formality one is willing to consider.

Acknowledgments: The first author was supported by the Institut National de la Recherche en Informatique et en Automatique under a postdoctoral grant. The second author was supported in part by the National Science Foundation under the Grant CCR-9015677. The government has certain rights in this material.

The authors thank H. C. Cunningham, K. C. Cox, and J. Y. Plun for their reviews of the manuscript.

Correspondence: All communications regarding this paper should be addressed to

Dr. Gruia-Catalin Roman Department of Computer Science **Washington University** Campus Box 1045 One Brookings Drive Saint Louis, MO 63130-4899

office: (314) 935-6190 secretary: (314) 935-6160 fax: (314) 935-7302

roman@cs.wustl.edu

#### 1. Introduction

Increasing demands for reliable performance provide a strong impetus for the software engineering community to evaluate and adopt formal methods. Formal notations led to the development of specification languages; formal verification contributed to the application of mechanical theorem provers to program checking; and formal derivation-a class of techniques that ensure correctness by construction-has the potential to reshape the way software will be developed in the future. Program derivation is less costly than post-factum verification, is incremental in nature, and can be applied with varying degrees of rigor in conjunction with or completely apart from program verification. More significantly, while verification is tied to analysis and support tools, program derivation deals with the very essence of the design process, the way one thinks about problems and constructs solutions.

In sequential programming, formal derivation enjoys a long standing and prestigious tradition  $[4, 5, 7, 8, 1]$ 15, 16]. By contrast, derivation is a relatively new concern in concurrent programming. Although a clean and comprehensive characterization of the field is difficult to make and is beyond the scope of this paper, three general directions seem to have emerged in the concurrency arena. Constructivist approaches start with simple components having known properties and combine them into larger ones whose properties may be computed. CSP-related efforts [6, 9, 11, 12] appear to favor this approach in part due to the algebraic mindset that characterizes the work on abstract CSP. Specification refinement has been advocated strongly in the work on UNITY [2, 10, 20]. An initial highly-abstract specification is gradually refined up to the point when it contains so much detail that writing a correct program becomes trivial. Program refinement uses a correct program as starting point and alters it until a new program satisfying some additional desired properties is produced. In some of the work on action systems [1], for instance, sequential programs are transformed into concurrent or distributed ones. Mixed specification and program refinement [19] has been used in conjunction with the Swarm model and its proof logic [3, 17, 18].

Encouraged by these recent developments, it is reasonable to pose the question whether program derivation is a viable substitute for current, mostly ad-hoc, methods employed by concurrent system designers. With this aim in mind, our research group has embarked on a number of case studies whose immediate objective is to develop an understanding of how program derivation may be applied to industrial-grade problems. The emphasis is not on tool development but on identifying a design style and associated skills that can be taught effectively and applied productively. We want to show that, given the right model and heuristics, program derivation can be made simple to the point that it can be explained even to the non-specialist.

The message router is one of the program derivation exercises we carried out recently. In the simplest terms, the message router is a device which accepts messages on a number of input lines and delivers them to its output lines. Each message consists of a header, one or more body packets, and a tail. The header contains the packet destination. Packet ordering within a message is preserved, packets belonging to different messages are not interleaved, and messages from the same input line going to the same output line are not reordered. We chose this problem due to its deceiving simplicity. Anyone can understand the basic problem but its formal treatment requires careful attention to detail.

The body of this paper consists of a formal specification of the router problem introduced in Section 2 and a UNITY-style specification refinement process developed in Section 3. The UNITY program is derived from the final specification in Section 4, and Section 5 summarizes the lessons we have learned from this exercise. Appendices provide technical details regarding the proof logic, and the proofs of the refinement steps.

#### 2. Specification of the Router Problem

We first give a brief overview of the UNITY logic, then informally describe the router problem, and finally present the formal specification.

#### 2.1. UNITY Logic

The description we give in this paragraph is intentionally informal and intuitive, in order to allow nonspecialist readers to understand the router specification and design. A more formal description may be found in appendix A.

Before presenting the logic, we need to say a few words about UNITY programs, and especially the way they are executed. A typical UNITY program consists of three sections: a declare section, which contains Pascalstyle declarations of variables; an *initially* section, where all or some of the variables are initialized; an assign section, which is a set of multiple assignment statements. The execution of a UNITY program consists simply in repeating forever the following sequence: select at random a statement in the assign section, and execute it. The only constraint on the selection process is that each statement is chosen infinitely often. The semantics of a UNITY program can then be defined as a set of execution sequences. Each sequence begins with the initial state, as defined in the initially section, and each of the following states is obtained from the previous one by executing a statement.

The UNITY logic is used both as a specification language and as a proof logic. It is composed of several unary and binary operators, which allow to define global properties over the execution sequences. Let  $p$  and  $q$  be two predicates. The list of properties, with their intuitive definition, is given below. Let us note that the program we refer to in the remaining of the paragraph is either the program we want to derive, if the logic is used as a specification language, or the program we want to verify, if the logic is used as a proof logic.

p unless q: this property means that whenever predicate  $p$  holds for a program state,  $p$  continues to hold in the execution sequence at least until g holds. In other words, from a state verifying  $p \wedge \neg a$ , the execution can either stay in this state, or move to a state satisfying  $\alpha$ 



Note that  $p$  unless  $q$  does not require  $q$  to hold; in such a case,  $p$  must hold forever.

stable p: predicate  $p$  is a *stable* predicate if it remains true forever once it becomes true. This property is equivalent to  $p$  unless false.



const p: predicate p is constant if both p and  $-p$  are stable predicates. In other words, p remains true forever if it is initially true, and false forever if it is initially false.



in  $v$  p: predicate  $p$  is invariant if it holds in the initial state, and is stable along any execution sequence.

The four properties described above are *safety* properties, in the sense that they prevent the occurrence of certain state transitions. For instance p unless q disallows the transition from  $p \wedge \neg q$  to  $\neg p \wedge \neg q$ . However, to specify problems, we must also be able to state that some progress is made, i.e., that certain predicates hold at some point in the future. For this, the UNITY logic offers the following properties:

- $p \mapsto q$ : predicate p leads to predicate q if, from a state in which p holds, a state in which q holds is eventually reached.
- p until q: this property is slightly stronger than  $p \mapsto q$ , since it guarantees also that p holds at least until q holds. Its definition is: p unless  $q \wedge p \mapsto q$ .

p ensures q: this last property is strongly related to the text of the program. It states that, whenever  $\bullet$  $p$  holds, it must hold at least until  $q$  holds  $(p \text{ unless } q)$ , and that there must exist a statement in the program that establishes the truth of  $\alpha$ . The ensures property is thus stronger than until, since the truth of  $q$  in the  $until$  case can be established by the execution of more than one statement.

#### 2.2. Description of the Problem

We consider a communication network that connects  $N$  senders of messages to  $M$  receivers via a message router. Each sender is connected to one of the input ports of the router, and each receiver to one of the output ports (Figure 1).



Figure 1. Structure of the system.

Each message is composed of a finite number of packets that can be of three different types: header, body, and tail. The header, which is the first packet of the message, contains the port address of the message destination. Each header is followed by one or more body packets which contain the actual data. Finally, the tail packet marks the end of the message.

The behavior of the router is defined by the following requirements:

- Each packet that is sent must eventually be delivered to the intended receiver.
- The value of the body packets must not be modified, but, for control purposes, the router may modify the value of the header and tail packets.
- Packet ordering within a message must be preserved.
- Messages from the same source going to the same destination must not be reordered.
- Messages from different sources going to the same destination must not be interleaved.
- 2.3. Formal Specification

The system we want to specify is composed of three interacting entities: an input environment (the  $N$ senders), an output environment (the M receivers), and the router. The UNITY formalism offers the possibility to specify those three parts separately, and then to compose the three specifications. However, this implies the use of conditional properties (for instance, assuming that property  $PI$  is true in the input environment, property  $P2$  is true in the router), which make reasoning and understanding more difficult. We believe it is easier to deal with a unique specification describing the behavior of the system in its entirety, without any interaction with the outside world.

To do so, we abstract the senders and the receivers as infinite input and output queues (Figure 2). Initially the input queues contain all the packets that have to be sent, and the output queues, as well as the router, are empty. Each packet in the input and output environments resides at some distinct location, which is a pair of coordinates (row, column). For instance, packets in the input queues have a row coordinate that ranges from 1 to  $N$ , and a column coordinate that ranges from 0 to - $\infty$ .



Figure 2. Abstract structure of the system.

Let us define some notation. Packets are designated by notation  $\tau$ [v], where  $\tau$ , the packet type, is equal to  $h$ ,  $b$ , or  $t$ —header, body, or tail—and  $v$ , the packet value, belongs to some set  $V$ . Each packet is augmented with four auxiliary variables:  $n, m, i$ , and j. These auxiliary variables cannot be used by the program we want to derive, their only purpose is to make the specification and design process easier. Variables n and m, ranging respectively from 1 to N and from  $\hat{1}$  to M, are the addresses of the sender and receiver of the packet (or, in other words, the numbers identifying the source input queue and destination output queue). Variable *i* is the number of the message the packet belongs to. We define the number of the first message sent by each sender to be equal to 1, the number of the second message to be equal to 2, and so on. Finally, variable  $j$  is the packet number, that is the position of the packet within the message. A packet augmented with the auxiliary variables is called a *logical* packet, as opposed to the *physical* packets carried by the network. We use notation  $\tau(n,m,i,j)/v$  to designate a logical packet. Note that the pair  $(n,i)$ —(sender number, message number)—uniquely identifies a message in the system, and that the triple  $(n,i,j)$ —(sender number, message number, packet number)—uniquely identifies a packet.

In the specification, the notation  $\tau(n,m,i,j)/[v]$  is never used. We rather designate logical packets by Greek letters  $(\alpha, \beta, \alpha)$ , and access the packet attributes through several access functions. Function type, applied to a packet, returns the type of the packet  $(\tau)$ . Functions  $src$  and dest return the identity of the source input queue (n) and of the destination output queue (m). The message number (i) and packet number (j) are given by functions mnr and pnr. Finally, we use the functions mid and pid to access the message identifier (i.e., the pair  $(n,i)$ ) and the packet identifier (i.e., the triple  $(n,i,j)$ ). When it is necessary to deal explicitly with the value of a packet, we use the notation  $\sigma[v]$ , where  $\sigma$  represents  $\tau(n,m,i,j)$ .

The location of packets in the system is given by the function  $\Pi$ . Let  $\Lambda$  be the set of logical packets in the router and its environment. Let  $E$  be the set of locations in the environment:

E= $\langle \text{set } p,q : (1 \leq p \leq N \land q \leq 0) \lor (p \geq N+1 \land 1 \leq q \leq M) :: (p,q) \rangle$ .

 $\mathbf{1}$ This is an example of a constructor, a syntactic element which occurs frequently in UNITY notation. The general form of the constructor is:

Let R be the set of locations in the router (the value of R is unknown at this time). Function  $\overline{H}$  is then defined as follows:

$$
\Pi: \Lambda \to E \cup R.
$$

To make the specification easier to read, we use notation  $\alpha \varnothing l$  to mean that packet  $\alpha$  is at location *l*—i.e.,  $\Pi$ . $\alpha=I$  (throughout the paper, the operator "" is used to denote function application). We sometimes add a type designator (h, b, or t) to the variables representing packets. For instance,  $\alpha^h(\omega)$  means that a header packet  $\alpha$  is at location *I:*  $\alpha \ddot{\varphi}$  /  $\land$  type,  $\alpha = h$ . To state the no-reordering and non-interleaving constraints, we define a relation  $\Box$  on packets. Its definition is:

 $\alpha \Box \beta \Leftrightarrow \langle \exists p,q,q': q \leq q \leq 0 :: \alpha \omega(p,q) \wedge \beta \omega(p,q') \rangle \vee$  $\langle \exists p, p', q : N+1 \leq p < p' :: \alpha @ (p,q) \wedge \beta @ (p',q) \wedge \text{src}. \alpha = \text{src}. \beta \rangle \vee$  $\exists p, p', q, q' : q' \leq 0 \land p' \geq N+1 :: \alpha @ (p,q') \land \beta @ (p',q) \land \text{src}.\alpha = \text{src}.\beta$ .

That is,  $\beta$  is ahead of  $\alpha$  according to  $\pi$  iff  $\beta$  is in front of  $\alpha$  in the same input queue, or  $\beta$  is in front of  $\alpha$  in the same output queue and both packets come from the same source, or  $\beta$  is in the output environment,  $\alpha$  is in the input environment, and both packets have the same source.

The top-level specification  $S_0$  is given below. Explanations follow the specification. Any free variable appearing in the UNITY assertions is assumed to be universally quantified over all the elements of its domain.

#### **Message Representation**



#### Message Location in the Environment

in v  $\alpha \omega(p,q) \wedge (p \ge N+1 \vee q \le 0) \wedge \beta \omega(p',q') \wedge (p \ge N+1 \vee q \le 0) \Rightarrow (pid.\alpha = pid.\beta \Leftrightarrow (p,q)=(p',q'))$  $(P5)$ in v  $(\alpha \mathcal{Q}(p,q) \land q \leq 0 \Rightarrow p = \text{src}.\alpha) \land (\alpha \mathcal{Q}(p,q) \land p \geq N+1 \Rightarrow q = \text{dest}.\alpha)$  $(P6)$ 

#### Queue Properties



#### No-Reordering Property

in v  $\alpha \Box \beta \Rightarrow$  pid. $\beta$ <pid. $\alpha$ 



```
(op dummy_variables : range_constraint :: expression )
```
where op is typically a binary, associative, and commutative operator (such as +, \*,  $\wedge$ ,  $\vee$ , written  $\Sigma$ ,  $\Pi$ ,  $\forall$ ,  $\exists$ , respectively). Logically, the constructor creates a multi-set of values  $\{v_1, v_2, ..., v_n\}$  by evaluating the *expression* for every possible instantiation of the dummy variables satisfying the range constraint. The final value of the constructor is obtained by evaluating the expression  $v_1$  op  $v_2$  op ... op  $v_n$ . If the range is empty the zeroelement for the operator is returned. Other frequently used operators are min, max, and set, having the obvious interpretations.

 $(P9)$ 

The first four properties are related to the representation of the messages. Property  $(PI)$  states that messages are properly structured. If  $\alpha$  is a packet at some location in the system, and  $\vec{k}$  is the number of packets of the message  $\alpha$  belongs to, then:

- $k$  is greater than or equal to 3, i.e., each message is composed of at least three packets;
- the packet number of  $\alpha$  is equal to 1 iff  $\alpha$  is a header, ranges strictly from 1 to k iff  $\alpha$  is a body, and is equal to  $k$  iff  $\alpha$  is a tail.

Properties (P2) to (P4) state that packets are neither created nor destroyed, and that the value of body packets may not be modified. Let us for instance explain property (P2). Going back to the definition of const, (P2) means that:

- If the header packet  $\sigma/\nu$  exists initially in the system, it will exist forever, but not necessarily with the same value (existential quantification on  $v$ ).
- If, for any value  $v$ ,  $\sigma$ [v] does not initially exist in the system, then it will never exist.  $\bullet$

Property  $(P4)$  is the symmetric of  $(P2)$  for tail packets. In addition, property  $(P3)$  prevents the value of the body packets to be changed.

Properties (P5) and (P6) specify packet locations in the environment. (P5) states that each packet has a unique location, and that each location contains at most one packet. Property (P6) expresses the requirement that each packet in the input environment resides in its source input queue, and each packet in the output environment resides in its destination output queue.

Properties  $(PI)$  and  $(PS)$  specify that the input rows and output columns are queues.  $(PI)$  states that packets are sent in the order they are queued, i.e., a packet cannot be sent if there are packets in front of it in the queue; considering packet  $\beta$  in its input queue, and packet  $\alpha$  behind  $\beta$  in the same queue,  $\alpha$  must stay behind  $\beta$  as long as  $\beta$ is in the input queue. Property  $(PS)$  states that packets received in the output queues can only appear behind the packets already present in the queues. A way to specify it is to say that, considering two packets  $\alpha$  and  $\beta$ , if  $\alpha$  is in its output queue and  $\beta$  is not ahead of  $\alpha$  in the queue, then it will never be.

The no-reordering and non-interleaving constraints are expressed by properties  $(PS)$  and  $(PIO)$ . Initially, the packets in the input environment are queued in the order they have to be sent-i.e., the packets with the lexicographically smallest identifiers are in the first positions of the queues. This means that if packet  $\beta$  is ahead of  $\alpha$  ( $\alpha \in \beta$ ),  $\beta$  's pid is smaller that  $\alpha$ 's one. To express the no-reordering constraint, we have to state that this relation is invariant all along the execution, as expressed by property  $\overline{(\overline{P2})}$ . The non-interleaving requirement is specified by property (P10). Considering three packets  $\alpha$ ,  $\beta$ , and  $\delta$  such that  $\delta$  is ahead of  $\beta$  which is ahead of  $\alpha$ , if  $\alpha$  and  $\delta$  belong to the same message,  $\beta$  must also belong to the same message.

The first ten properties are all safety properties. The only progress requirement is stated by property  $(PI1)$ . Each packet  $\sigma$ [v] in the input environment must eventually reach the output environment, but not necessarily with the same value.

#### 3. Router Design

The specification  $S_{\theta}$  is composed of input/output properties of the router, but never mentions the router itself. The reason is that we were only interested in specifying what the router is supposed to do (i.e., deliver messages from its input to its output with some no-reordering and non-interleaving constraints), and not how it is actually doing it. Consequently,  $S_0$  can lead to many different solutions for the router design. We describe one of these solutions in this section.

Our design process entails several refinement steps. The objective of these steps is to gradually give a more and more detailed description of the router, up to the point where a UNITY program can be derived trivially from the specification. To be correct, each refined specification must imply the specification of the previous step. We start with a brief overview of the refinement steps.

Refinement 1. In the first refinement, we define the general topology of the router as a grid of  $N \times M$ switches. The Ninput lines and Moutput lines are thus extended inside the router. Each switch can receive packets from its left neighbor on the row or its bottom neighbor on the column, and can route them either to its right neighbor on the row or to its upper neighbor on the column, depending on the destination of the packets. So, to move from its source row to its destination column, each packet first travels along the row (one switch at a time) until it reaches the destination column, and then just moves up the column (also one switch at a time).

Refinement 2. The second refinement provides additional details about the behavior of each single switch, by defining the mechanism that prevents messages from being interleaved along the columns. We will see that this can be done by associating two mutually exclusive signals—turn and up—with each switch. Signal turn prevents messages to move through the switch along the column when a message is currently passing through the switch from the row to the column, and the other way around for signal up.

Refinement 3. In the third refinement, we specify further the behavior of the switches by introducing a strong fairness constraint, which prevents more than one message to pass through a switch on the column (from the row to the column) when another message is waiting on the row (on the column).

Refinement 4. At this point in the design, each switch on the rows makes the decision to route messages either to the next switch on the row, or to the next switch on the column, by comparing the message destination to the number of the column it is located at. This implies that each switch has to know its location. The purpose of the fourth refinement is to eliminate this knowledge by using the value of the header packets. We will make the value of each header packet decreased by one each time the packet passes through a switch along the row. Since the value is initially equal to the destination column, this implies that a message will have to take a turn when the value is equal to 1.

Refinement 5. The fifth refinement deals with the execution control we impose on the switches. A possible choice is to have the switches running asynchronously, another choice is to have them working in a synchronous way. We chose the more realistic asynchronous behavior. Since each location can contain at most one packet, this implies that a packet will not be able to move to the next location, unless it is empty.

Refinement 6. Finally, the last refinement step is the transformation of the leads-to properties into ensures properties. As we said earlier in the paper, ensures properties are strongly related to the text of the program, which implies that we can easily derive assignment statements from them.

#### 3.1. Refinement 1: Definition of the Router Topology

The router we are designing consists of a NxM grid of switches. As an example, a three-sender fourreceiver router is depicted in Figure 3.



Figure 3. Internal structure of a three-sender four-receiver router

The location of each switch in the grid is given by the pair  $(p,q)$  where p is the row number, and q the column number. Each switch  $(p,q)$  contains two registers—a row and a column register—and an arbitration element (Figure 4). We identify the location of the row register by the triple  $(p,q,0)$ , and the location of the column register by  $(p,q,1)$ . The function of the arbitration element is to handle the movement of the packets showing up in the row and column registers, in order to avoid interleaving of messages on the columns. Its design will be the subject of refinement 2.



Figure 4. Internal structure of switch  $(p,q)$ .

The packet movement inside the router is defined as follows: from the row register of switch  $(p,q)$ —i.e., location  $(p,q,0)$ —a packet moves to the row register of switch  $(p,q+1)$ —i.e., location  $(p,q+1,0)$ —if q is not the destination column, or to the column register of switch  $(p+1,q)$ —i.e., location  $(p+1,q,1)$ —if q is the destination column. Once it has reached its destination column, a packet just goes up, one location at a time.

Let us now give some definitions and notation. To make the location spaces inside and outside the router uniform, and thus make the specification simpler, we redefine environment locations  $(p,q)$  to be triples  $(p,q,0)$  in the input queues, and triples  $(p,q,l)$  in the output queues. The previous set E of environment locations is thus refined into the following set  $E'$ :

E'= $\langle \text{set } p,q,r:(1 \leq p \leq N \land q \leq 0 \land r=0) \lor (p \geq N+1 \land 1 \leq q \leq M \land r=1) :: (p,q,r) \rangle.$ 

The definition of  $R$ , the set of locations inside the router, is:

 $R \equiv \langle set \ p,q,r : 1 \leq p \leq N \land 1 \leq q \leq M \land 0 \leq r \leq 1$ :  $(p,q,r)$ .

The location function  $\Pi$  is refined into the function  $\Pi'$ :

 $\Pi': \Lambda \to E' \cup R$ 

and the relation between  $\Pi$  and  $\Pi'$  is given by the following coupling invariant:

 $\forall \alpha, p, q, r, :: p \le N \land q \ge 1 \land 0 \le r \le 1 \Rightarrow [\Pi, \alpha = (p, q, r) \Leftrightarrow \Pi', \alpha = (p, q, r)]$  $q \leq 0 \Rightarrow [\Pi, \alpha = (p,q) \Leftrightarrow \Pi', \alpha = (p,q,0)]$  $\boldsymbol{\wedge}$  $p \geq N+1 \Rightarrow \overline{[\Pi, \alpha = (p,q)]} \Leftrightarrow \Pi'.\alpha = (p,q,1)]$ .  $\hat{v}$ 

We now use  $\alpha \mathcal{Q}(p,q,r)$  to mean  $\Pi' \alpha = (p,q,r)$ , and we introduce the notation  $(p,q,r) \times (p',q',r')$  to mean:

$$
(p'=p \land q'=q+1 \land r=r'=0) \lor (p'=p+1 \land q'=q \land r'=1).
$$

The operator "»" relates valid pairs of consecutive locations. Location  $(p,q,0)$  is thus in relation with  $(p,q+1,0)$  and  $(p+1,q,1)$ , and location  $(p,q,1)$  is in relation with  $(p+1,q,1)$ . The relation  $\overline{\phantom{a}}$  is refined into the relation  $\overline{\phantom{a}}$ . Its definition is:

 $\alpha \leq \beta \Leftrightarrow \langle \exists p,q,q': q \leq q' :: \alpha @ (p,q,0) \wedge \beta @ (p,q',0) \rangle \vee$  $\langle \exists p,p',q : p < p' :: \alpha @ (p,q,1) \wedge \beta @ (p',q,1) \wedge src. \alpha = src. \beta \rangle \vee$  $\langle \exists p, p', q, q' : q' \leq q :: \alpha @ (p,q',0) \wedge \beta @ (p',q,1) \wedge \text{src}.\alpha = \text{src}. \beta \rangle.$ 

9

 $(P9.1)$ 

That is,  $\beta$  is ahead of  $\alpha$  according to  $\prec$  iff  $\beta$  is in front of  $\alpha$  on the same row, or  $\beta$  is in front of  $\alpha$  on the same column and both packets come from the same source, or  $\beta$  is on its column,  $\alpha$  is on its row at the left of  $\beta$ , and both packets have the same source. The refined specification  $S_I$  is the following:

#### Message Representation

Properties (P1), (P2), (P3) and (P4).

#### Message Location



#### No-Reordering Property

 $\mathbf{inv} \alpha \prec \beta \Rightarrow \text{pid}.\beta \leq \text{pid}.\alpha$ 

#### Non-Interleaving Property

in v  $\alpha \leq \beta \leq \delta$   $\land$  mid. $\alpha = mid.$  $\delta \Rightarrow mid.$  $\beta = mid.$  $\alpha$  $(P10.1)$ 

#### Packet Movement in the Environment

 $\sigma[v]\omega(p,q,r) \wedge (p \geq N+1 \vee q \leq 0)$ until  $\langle \exists p', q', r' : (p,q,r) \omega(p',q',r') : \sigma[v]\omega(p',q',r') \rangle$  $(P11.1)$ 

#### Packet Movement inside the Router

#### $\sigma[v]\mathcal{Q}(p,q,r) \wedge p \leq N \wedge q \geq 1$  until  $\langle \exists v', p', q', r' : (p,q,r) \mathcal{Q}(p',q',r') : \sigma[v'] \mathcal{Q}(p',q',r') \rangle$  $(PI1.2)$

Properties (P5), (P6), (P9), (P10), and (P11) of specification  $S_0$ , which define properties of the packets in the environment, have been extended to the entire system. Property  $(P5.1)$  specifies that each packet in the environment or the router has a unique location, and that each location contains at most one packet. Property (P6.1) defines the set of locations packets are allowed to be at. Each packet can only be located in the source input row or the destination output column, but cannot move beyond the destination column on the row, and below the input row on the column. Property  $(P9.1)$  states that packets remain ordered according to their identifiers, and  $(P10.1)$  specifies that messages are not interleaved. Finally, property (P11), which states that every packet in the input eventually moves to the output, has been refined into two progress properties, one for the environment, and the other one for the router. Property (P11.1) states that each packet in the environment eventually moves to the next location, as defined by the operator "»". Since it is an *until* property,  $(PII.1)$  also specifies that packets cannot move anywhere but to the next location. Property (P11.2) is quasi symmetrical to  $(PII.\hat{I})$  for packets inside the router. The only difference is that packet values are allowed to change.

**Proof Obligations.** We need to show that each property of  $S_0$  is implied by  $S_1$ . Note that even though properties  $(PI)$  to  $(P4)$  are not syntactically modified, the definition of the function  $\omega$  has changed, which implies that these properties also need to be verified.

Proof Outline. The formal proof of each of the refinement steps can be found in appendix B. In the proof outline sections, we just give an intuitive explanation in order to convince the reader of the validity of the refinements.

The proof of properties  $(PI)$ - $(P6)$  and  $(P9)$ - $(PI0)$  is straightforward. Each property is directly implied by the corresponding property in  $S_I$  and the coupling invariant.

The proof that packets are sent in the order they are queued (property  $(P7)$ ) follows from the fact that packets in the input queues move one location at a time (property  $(PII.1)$ ), and that each location can contain at most one packet (property  $(P5.1)$ ). This implies that packets cannot pass each other, and hence that they can only be sent in the order they are queued.

The proof of  $(PS)$ —packets in the output queues can only appear behind the packets already present in the queues— is a bit more complicated. We need to show that, considering two packets  $\alpha$  and  $\beta$ , if  $\alpha$  is in its output queue and  $\beta$  is not ahead of  $\alpha$  in the queue, then it will never be. Three cases are possible. If  $\beta$  does not exist in the

system, then it will never be ahead of  $\alpha$  since packets cannot be created (properties (P2)-(P4)). If  $\beta$  exists in the system, but its destination column is different from the destination column of  $\alpha$ , then it will also never be ahead of  $\alpha$  since a packet in the output environment can only reside in its destination column. The final case is  $\beta$  existing in the system with the same destination column as  $\alpha$ . In this case, the only way for  $\beta$  to move ahead of  $\alpha$  is to overtake it, which is not possible, as stated above.

Finally, the fact that packets in the input eventually move to the output (property  $(PI1)$ ) can be proved from  $(P11.1)$  and  $(P11.2)$  by a double application of the induction principle. We can first show that a packet in the input environment eventually moves to its destination column, by using the distance between the destination column and the position of the packet in the row as the metric. This distance decreases by one with each move. We can also prove that a packet on the destination column inside the router eventually moves to the output environment. The metric in this case is the distance between row  $N+1$  and the position of the packet in the column; it also decreases by one with each move. The truth of  $(PI1)$  follows from the transitivity of leads-to.

#### 3.2. Refinement 2: Arbitration Element Refinement

The role of the arbitration element is to route out of the switch the packets showing up in the row and column registers. The main problem is to avoid the interleaving of messages passing through the switch on the column and from the row to the column. To solve this problem, we introduce two mutually exclusive signals—turn and up—whose purpose is to regulate the movement of packets at the intersection of the row and the column (Figure 5). When the signal turn is on—which implies that up is off—the paths from location  $(p, q, 0)$  to location  $(p, q+1, 0)$ , and from  $(p,q,1)$  to  $(p+1,q,1)$  are broken. Packets can only move from location  $(p,q,0)$  on the row to location  $(p+1,q,1)$  on the column. When the signals turn and up are off, packets can only move through the switch along the row. Finally, when the signal up is on—which implies that turn is off—packets can simultaneously move through the switch along the row and along the column.



Figure 5. Possible states of the arbitration element.

The turn and up signals are initially false, and are triggered by the arrival of header packets in the row and column registers. The turn signal is eventually set when a header packet whose destination column is equal to  $q$ shows up at location  $(p,q,0)$ . The signal remains on as long as the tail of the same message has not showed up, and is turned off as the tail moves through the switch. The policy associated with the  $up$  signal is symmetrical. Let us mention that we do not impose any priority between the row and column registers. That is, when two headers (going to the same location  $(p+1,q,1)$ ) are in the row and column registers at the same time, the choice of which signal to be turned on is non-deterministic.

We define the predicate  $tum(p,q)$  to mean that the *turn* signal in switch  $(p,q)$  is on, and  $up(p,q)$  to mean that the up signal in switch  $(p,q)$  is on. We also define a two-parameter function message. The expression message.1.1' is interpreted to mean that there is a message in the system whose head is at location  $I$ , and tail at location  $I'$ . Formally:

message.l.l' =  $\langle \exists \alpha, \beta : \text{mid}.\alpha = \text{mid}. \beta : \alpha^h \omega \rangle \wedge \beta^t \omega \rangle$ .

The refined specification  $S_2$  is the following:

#### Message Representation

Properties (P1), (P2), (P3), and (P4).

#### Message Location

Properties (P5.1) and (P6.1).

#### No-Reordering and Non-Interleaving Properties

Properties (P9.1) and (P10.1).

#### **Signal Properties**



#### Packet Movement in the Environment

Property (P11.1).

#### Packet Movement inside the Router



The safety properties of the switch signals are described by  $(P12)-(P21)$ . The fact that the two signals are mutually exclusive is expressed by  $(PI2)$ . The meaning of invariant  $(PI3)$  is illustrated in Figure 6. If a message is in transit through the switch  $(p,q)$  along the row—i.e., the header is past the switch, either still on the row or already on the destination column, and the tail has not passed the switch yet—then the turn signal is off.



Figure 6. The turn signal is off when a message is in transit through the switch along the row.

As depicted in Figure 7, invariant (P14) states that, if a message is in transit through the switch  $(p, q)$  from the row to the column—i.e., the header is past the switch on the column, and the tail is still on the row—then the turn signal is on.





Invariant (P15) is symmetric to (P14) for the up signal. It states that, if a message is in transit through the switch  $(p,q)$  along the column—i.e., the header is past the switch on the column, and the tail is either on the column and has not moved through the switch yet, or is still on the source row—then the up signal is off.



Figure 8. The up signal is on when a message is in transit through the switch along the column.

Invariants (P16) and (P17) further specify that when the turn signal (up signal) is on, there must exist a message in transit through the switch from the row to the column (on the column). Note that, as opposed to  $(PI4)$ and (P15), properties (P16) and (P17) provide for the case where the header of the message is still in the row register (column register) of the switch. The reason is that, when a header is in the row or column register, the proper signal is first turned on, and only in a subsequent step the packet is allowed to move.

Properties (P18) and (P19) state that once a signal is turned on, it remains on until the header moves. This prevents signals from being turned on and off repeatedly while the header of the message is still waiting in the row or in the column register. Finally, properties (P20) and (P21) express the fact that signals are turned off at the same time the tail of the message moves through the switch.

The movement of the packets inside the router is now described by properties (P11.2.1)-(P11.2.7). As in the previous specification, packets can only move to the next location (property  $(PI1,2.1)$ ). Properties  $(PI1.2.2)$ and (P11.2.3) specify the movement of the packets along the rows. The former states that a header packet at location  $(p,q,0)$ , with q different from the destination column, eventually moves to the next location on the row. The latter states that the body and tail packets showing up at location  $(p,q,0)$  eventually move to the next location on the row if the signal turn is off, i.e., if it has not be turned on by the header of the message. Properties  $(PI1.2.4)$  and (P11.2.5) deal with the movement of the packets from the row to the column. The turn signal in switch  $(p,q)$  is eventually turned on after the arrival of a header packet whose destination column is  $q$ (property (P11.2.4)). Once the

signal has been turned on, packets are allowed to move to location  $(p+1,q,1)$  on the column (property (P11,2,5)). Properties (P11.2.6) and (P11.2.7) are symmetric to (P11.2.4) and (P11.2.5) for the up signal.

**Proof Obligations.** The only change brought to specification  $S_I$  is the refinement of (P11.2) into (P11.2.1)-(P11.2.7). So we only need to show that  $S_2$  implies (P11.2).

**Proof Outline.** The unless part of  $(PI1.2)$  is equivalent to  $(PI1.2.1)$ . To prove the leads-to part, we need to show that every packet inside the router eventually moves to the next location. The movement on the rows is implied by properties (P11.2.2), (P11.2.3), and invariant (P13). Property (P11.2.2) directly states that the header of each message will eventually move to the next location. The movement of the remaining packets of the message is guaranteed by  $(PI1.2.3)$  when the turn signal is off, which is implied by invariant  $(PI3)$ . The movement from the row to the column is implied by properties  $(PI1.2.4)$ ,  $(PI1.2.5)$ , and invariant  $(PI4)$ . The movement of the header packets follows from the transitivity of leads-to applied to (P11.2.4) and (P11.2.5). The movement of the nonheader packets is guaranteed by  $(PI1.2.5)$  when the turn signal is on, which is implied by  $(PI4)$ . The proof of the movement on the columns follows similarly from (P11.2.6), (P11.2.7), and (P15).

#### 3.3. Refinement 3: Introduction of a Fairness Constraint

At this point in the design, packets are guaranteed to move through the switches without being interleaved on the columns, but no property in the specification constrains the arbitration elements to behave fairly. Consider for instance the case where  $n$  consecutive messages going to the same destination  $q$  have been sent by the same sender p. Suppose that when the first of these messages arrives at switch  $(p,q)$ , another message is waiting on the column for moving up through the switch. Then a possible scenario is to have the  $n$  messages on the row moving through the switch up to the column, before the message on the column is allowed to do so, thus blocking all the messages behind it. A symmetric problem occurs when a message is waiting on the row, while several messages are passing through the switch along the column.

We want to prevent such undesirable behaviors by imposing a strong fairness constraint on the arbitration elements. No more than one message must pass through a switch from the row to the column (along the column), while another message is waiting on the column (on the row). Figures 9 and 10 describe a simple mechanism implementing this requirement. In the first case—a message  $m<sub>2</sub>$  is waiting on the column while another message  $m_l$  is moving from the row to the column (Figure 9)—the solution is to turn the up signal on as the tail of  $m_l$  is passing through the switch. Since the specification guarantees that the up signal cannot not be turned off before the head of  $m_2$  moves (property (P21), no other message will be able to move from the row to the column.



Figure 9. No more than one message can move from the row to the column, while another one is waiting on the column.

In the second case—a message  $m_2$  is waiting on the row while another message  $m_1$  is moving along the column (Figure 10)—the solution is to turn the *turn* signal on as the tail of  $m<sub>1</sub>$  is passing through the switch.



Figure 10. No more than one message can move along the column, while another one is waiting on the row.

Formally, this refinement entails the addition of two new properties describing the preceding behaviors. The refined specification  $S_3$  is:

#### Message Representation

Properties (P1)-(P4).

#### **Message Location**

Properties (P5.1) and (P6.1).

#### No-Reordering and Non-Interleaving Properties

Properties (P9.1) and (P10.1).

#### **Signal Properties**

Properties (P12)-(P21).  $\alpha^{\text{t}}\omega(p,q,0) \wedge q \geq 1 \wedge \text{turn}(p,q) \wedge \beta^{\text{h}}\omega(p,q,1)$  unless  $-\alpha^{\text{t}}\omega(p,q,0) \wedge \text{up}(p,q)$  $(P22)$  $\alpha^t \omega(p,q,1) \wedge p \le N \wedge \text{up}(p,q) \wedge \beta^h \omega(p,q,0) \wedge q = \text{dest}\,\beta$ unless  $-\alpha^t \omega(p,q,1) \wedge \text{turn}(p,q)$  $(P23)$ 

#### Packet Movement in the Environment

Property (P11.1).

#### Packet Movement inside the Router

Properties (P11.2.1)-(P11.2.7).

The proof of the refinement is trivial since the specification  $S_3$  includes all the properties of  $S_2$ .

#### 3.4. Refinement 4: Refinement of the Header Values

A shortcoming of the design at this point is that switches need to know their location in the grid to route the packets. This knowledge appears in properties  $(PI1.2.2)$  and  $(PI1.2.4)$ , which state that when a header packet shows up in a row register, the switch either routes the packet to the next location on the row if the number of the column is different from the packet destination  $(P11.2.2)$ , or sets the turn signal if the number of the column is equal to the packet destination ((P11.2.4)).

The purpose of the fourth refinement is to eliminate this knowledge by making the value of each header decreased by one, each time the packet moves through a switch along the row. Since the value is initially equal to the number of the destination column, switches can now make the decision to route the header packets to the next location on the row when the header value is different from 1, and to set the turn signal when the header value is equal to 1. The location knowledge is not needed anymore. The refined specification  $S<sub>4</sub>$  is:

#### Message Representation

Properties (P1)-(P4).

#### **Message Location**

Properties (P5.1) and (P6.1).

#### No-Reordering and Non-Interleaving Properties

Properties (P9.1) and (P10.1).

#### **Signal Properties**

Properties (P12)-(P23).

#### **Header Value Invariant**

in v  $\sigma[v]^h$  (0,q,r)  $\land$  q  $\geq$  1  $\Rightarrow$  v=dest,  $\sigma[v]$ -q+1

 $(P24)$ 

#### Packet Movement in the Environment

Property (P11.1).

#### Packet Movement inside the Router

Property (P11.2.1).



The value of the header packets is constrained by the invariant  $(P24)$  which states that, along the rows inside the router, the value is decreased by one with each move, and that it remains constant once the packet has reached the destination column. The movement of the packets inside the router is trivially refined by properties  $(PI1.2.2.1)$ - $(PI1.2.7.1)$ .

**Proof Obligations.** We need to show that properties  $(PI1.2.1)$ - $(PI1.2.7)$  are implied by  $S<sub>A</sub>$ .

Proof Outline. The proof is straightforward. Properties (P11.2.3), (P11.2.5), (P11.2.6), and (P11.2.7) are directly implied by the corresponding refined properties (P11.2.3.1), (P11.2.5.1), (P11.2.6.1), and (P11.2.7.1). To prove that  $(P11.2.2)$  and  $(P11.2.4)$  are implied by  $(P11.2.2.1)$  and  $(P11.2.4.1)$ , we only need to show:

in v  $\sigma[v]^h$  ( $\omega(p,q,0) \wedge q \geq 1 \Rightarrow (q = dest, \sigma[v] \Leftrightarrow v = 1)$ )

which is trivially implied by the invariant  $( P24)$ .

#### 3.5. Refinement 5: Switches Work in an Asynchronous Way

The last design decision concerns the execution control we impose on the switches. Between the two possible choices—either synchronous behavior, or asynchronous behavior—we chose the more realistic asynchronous behavior. Since each location can contain at most one packet, this means that, before routing a packet to the next location, a switch must first check whether this location is empty. Note that, in the case of a synchronous behavior, this constraint would not have been needed, since two consecutive packets have to move synchronously in this case.

Let us define the predicate *empty@(p,q,r)* to mean that location  $(p, q, r)$  does not contain any packet:

empty@(p,q,r) =  $\langle \forall \alpha :: \neg \alpha @ (p,q,r) \rangle$ .

A way to specify the asynchronous behavior is to state that each packet inside the router must leave an empty location behind it when it moves:

 $\alpha(\omega(p,q,r) \wedge p \leq N \wedge q \geq 1$  unless empty $\omega(p,q,r)$ .

This forces the switches to wait for the next location to be emptied, before routing a packet. The refined specification S<sub>S</sub> contains all the properties of  $S_4$  plus the previous one. The proof of the refinement is therefore straightforward.

Message Representation

Properties (P1)-(P4).

#### **Message Location**

Properties (P5.1) and (P6.1).

#### No-Reordering and Non-Interleaving Properties

Properties (P9.1) and (P10.1).

#### **Signal Properties**

Properties (P12)-(P23).

Header Value Invariant

Property (P24).

#### Packet Movement in the Environment

Property (P11.1).

#### Packet Movement inside the Router

Property (P11.2.1). Properties (P11.2.2.1)-(P11.2.7.1).  $\alpha \omega(p,q,r) \wedge p \leq N \wedge q \geq 1$  unless empty  $\omega(p,q,r)$ .

 $(P25)$ 

#### 3.6. Refinement 6: Transformation of the Leads-to Properties into Ensures Properties

This last refinement is not motivated by a design decision. The motivation here is to transform the specification into a form that can be directly translated into program text, i.e., introduce ensures properties expressing atomic transformations. The progress properties are property  $(PI1.1)$  specifying the packet movement in the environment, and properties  $(PI1.2.2.1)$ - $(PI1.2.7.1)$  expressing the packet movement inside the router. Since we are only interested in the design of the message router, we will not transform the environment property  $(PII, I)$ into an ensures property. We will just make sure that it is satisfied when deriving the program. However, to make it more explicit, we can split it into two properties, one for the input queues and the other one for the output queues:



Let us now focus on properties (P11.2.2.1)-(P11.2.7.1). The simplest way to transform a leads-to property into an ensures property is to directly replace " $\rightarrow$ " by "ensures", and to see if the resulted property can be satisfied in an atomic transformation. By applying this method on  $(PI1, 2, 2, 1)$ , we get:

σ[v]<sup>h</sup>@(p,q,0) ∧ q≥1 ∧ v≠1 ensures σ[v-1]@(p,q+1,0).

This property cannot be satisfied in an atomic transformation since the next location may be busy at the time. This suggests the following property:

$$
\sigma[v]^n \mathcal{Q}(p,q,0) \wedge q \ge 1 \wedge v \ne 1 \wedge \text{empty} \mathcal{Q}(p,q+1,0) \text{ ensures } \sigma[v-1] \mathcal{Q}(p,q+1,0) \tag{P11.2.2.1.1}
$$

which can easily be satisfied in an atomic step. In the same way, we get from  $\langle P11,2,3,1 \rangle$ :

 $\sim 10$ 

$$
\alpha[v]^{\tau}(\mathcal{Q}(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge \neg turn(p,q) \wedge empty(\mathcal{Q}(p,q+1,0)) \text{ ensures } \sigma[v](\mathcal{Q}(p,q+1,0)).
$$
 (P11.2.3.1.1)

The transformation of the properties  $(PI1.2.5.1)$  and  $(PI1.2.7.1)$  is slightly more complicated. We need to separate the cases where packets stay inside the router ( $p<$ N) or move from the router to the output environment  $(p=\overline{N})$ . In the former case, we can transform the properties in the same way we did before. We get:

$$
\sigma[v] @ (p,q,0) \land q \ge 1 \land p < N \land turn(p,q) \land empty @ (p+1,q,1) \text{ ensures } \sigma[v] @ (p+1,q,1) \tag{P11.2.5.1.1}
$$

and:

$$
\sigma[v] @ (p,q,1) \wedge p < N \wedge up(p,q) \wedge empty @ (p+1,q,1) \text{ ensures } \sigma[v] @ (p+1,q,1). \tag{P11.2.7.1.1}
$$

Since we do not require that locations outside the router be emptied before packets move, properties  $(PI1.2.5.1)$  and  $(P11.2.7.1)$  with p equal to N, can simply be transformed into:

$$
\sigma[v]\omega(N,q,0) \wedge q \ge 1 \wedge \text{turn}(N,q) \text{ ensures } \sigma[v]\omega(N+1,q,1)
$$
\n
$$
(P11.2.5.1.2)
$$

and:

$$
\sigma[v] @ (N,q,1) \wedge up(N,q) \text{ ensures } \sigma[v] @ (N+1,q,1). \tag{P11.2.7.1.2}
$$

This implies that packets moving out of the router are allowed to simultaneously push forward all the packets in the output queues.

Let us now concentrate on property (P11.2.4.1). A direct transformation into an ensures property:

$$
\sigma[v]^n \textcircled{D}(p,q,0) \land v=1 \text{ ensures } \sigma[v] \textcircled{D}(p,q,0) \land \text{turn}(p,q)
$$

is not possible because the turn signal cannot be set when a message is currently passing through the switch along the column, i.e., when the up signal is on. This suggests the following transformation:

 $\sigma[v]^h \textcircled{D}(p,q,0) \wedge v=1 \wedge \neg up(p,q)$  ensures  $\sigma[v] \textcircled{D}(p,q,0) \wedge \text{turn}(p,q)$ .

This is however not yet satisfactory. Consider the case where a header packet with value 1 is in the row register, the up and turn signals are off, and another header packet is in the column register. It is easy to see that the up signal cannot be turned on without invalidating the *unless-part* of the previous property. This means that we need to find a mechanism preventing the up signal to be turned on in this case. Even though it is possible to do it, we do not want to establish any priority between the two signals, in order to have a non-deterministic behavior. The solution to this problem is to transform  $(PI1.2.4.1)$  in the following way:

$$
\sigma[v]^n \mathcal{Q}(p,q,0) \wedge v = 1 \wedge \neg up(p,q) \text{ ensures } (\sigma[v]\mathcal{Q}(p,q,0) \wedge \text{turn}(p,q)) \vee \text{up}(p,q) \tag{P11.2.4.1.1}
$$

which allows the up signal to be turned on. A similar transformation on  $(PI1.2.6.1)$  leads to:

$$
\sigma[v]^n \textcircled{p,q,l} \land p \leq N \land \neg \text{turn}(p,q) \text{ ensures } (\sigma[v] \textcircled{q}(p,q,l) \land \text{up}(p,q)) \lor \text{turn}(p,q). \tag{P11.2.6.1.1}
$$

The final and complete specification  $S<sub>6</sub>$  is:

#### Message Representation

 $\mathbf{A}$ 



#### Message Location

$$
\mathbf{inv} \alpha \omega(p,q,r) \wedge \beta \omega(p',q',r') \Rightarrow (\text{pid}.\alpha = \text{pid}.\beta \Leftrightarrow (p,q,r)=(p',q',r'))
$$
\n
$$
\mathbf{inv} \alpha \omega(p,q,r) \Rightarrow (p=\text{src}.\alpha \wedge q \leq \text{dest}.\alpha \wedge r=0) \vee (p>\text{src}.\alpha \wedge q = \text{dest}.\alpha \wedge r=1)
$$
\n
$$
(P5.1)
$$

#### No-Reordering Property



#### Non-Interleaving Property

#### in v  $\alpha \leq \beta \leq \delta$   $\land$  mid. $\alpha = mid.\delta \Rightarrow mid.\beta = mid.\alpha$  $(P10.1)$

#### **Signal Properties**



**Proof Obligations.** We need to show that properties  $(PI1.2.1.1)-(PI1.2.7.1)$  are implied by  $S_6$ .

Proof Outline. The proof that packets inside the router eventually move to the next location—properties  $(P11.2.2.1)$ ,  $(P11.2.3.1)$ ,  $(P11.2.5.1)$ , and  $(P11.2.7.1)$ —can be decomposed into three cases: packet movement along the columns, from the rows to the columns, and finally along the rows. The movement along the columns can be proved by induction on the row number. The base case is established by the property (P11.2.7.1.2) which directly implies the packet movement from the upper locations  $(N, q, 1)$  to the output queues. Since a packet leaves an empty location behind it when it moves, the base case and the property  $(PI1.2.5.1.1)$  allow us to prove that packets at locations (N-1,q,1) will move to locations (N,q,1), and so on, down to row 1.

Packet movement from the row N to the output environment is directly implied by  $(PI1.2.5.1.2)$ . For p between 1 and N-1, we have just proved that packets along the columns are guaranteed to move to the next location. This implies that locations along the columns will eventually be emptied, and thus, according to (P11.2.5.1.1), that packets at their turning switches will eventually move to their destination columns.

The packet movement along the rows can be proved by induction on the column number. We know that packets at the right end of the rows (locations  $(p, M, 0)$ ) are necessarily at their turning switches. They will thus move to the columns and leave empty locations behind them. This will allow packets at locations  $(p, M-1, 0)$  to move to locations  $(p, M, 0)$  (properties  $(PI1.2.2.1.1)$  and  $(PI1.2.3.1.1)$ ), and so on, down to column 1.

Finally, we need to prove that the proper signals are eventually turned on when header packets show up in the registers (properties  $(PII.2.4.1)$  and  $(PII.2.6.1)$ ). From  $(PII.2.4.1.1)$  we know that the turn signal will eventually be turned on, unless the up signal is turned on. In this case, the fairness property  $(P23)$  assures that the turn signal will also be turned on, as the tail of the message moving along the column will pass through the switch. The proof of  $(PI1.2.6.1)$  is symmetrical.

#### 4. Derivation of a Program from the Specification

The final step of the design consists of writing the program text. We first define the types and data structures used in the program, and then derive the program statements from the progress properties of the final specification.

#### 4.1. Types and Data Structures of the Program

We define the type *packet* to be the Cartesian product between  $(h, b, t)$  and the set V of all the possible packet values. If p is a variable of type packet, we use the notation  $p.1$  to access the type, and  $p.2$  to access the value. The grid of  $N \times M$  switches is implemented by a 3-dimensional array:

switch : array[1..N,1..M,0..1] of packet 
$$
\cup
$$
 { $\perp$ }

such that switch[p,q,0] represents the row register of switch  $(p,q)$  and switch[p,q,1] the column register. When a register does not contain any packet, we assume that its value is equal to  $\perp$ . We define functions header, body, tail, empty, and val in the following way:

header. $(p,q,r)$  = (switch[p,q,r].1=h),  $body.(p,q,r) = (switch[p,q,r],1=b).$  $tail(p,q,r)$  $=$  (switch[p,q,r], 1=t),  $empty(p,q,r) = (switch[p,q,r]=\bot),$  $val.(p,q,r)$  $=$  switch[p,q,r].2.

We also define the function  $dec_{val}$  which accepts a header packet  $(h, v)$  as argument and returns the packet  $(h, v-1)$ . The switch signals turn and up are implemented by two Boolean arrays:

 $turn, up : array[1..N,1..M]$  of Boolean

and the  $N$ input queues and  $M$  output queues are represented by two arrays of sequences of packets:

input :  $array[1..N]$  of sequence of packet, output : array[1..M] of sequence of packet.

We suppose that the output queues are initially empty, and that the input queues contain all the packets that have to be sent. Finally, we use the following operations on sequences:

- $h \, \mathrm{d} \cdot \mathrm{s} = \text{head element of the sequence } \mathrm{s}.$
- $1.5$  $\equiv$  tail sequence of the sequence s,
- $(s; x)$  = sequence obtained by appending the element x at the end of the sequence s,

 $nil.s = s is an empty sequence.$ 

#### 4.2. Program Text

Let us first briefly describe the UNITY program notation. As we stated at the beginning of the paper, a typical UNITY program consists of a declare section, which contains Pascal-style declarations of variables; an

initially section, where all or some of the variables are initialized; and an assign section, which is a set of multiple assignment statements separated by the operator "[]". The statements may be of the form:

 $var_list := exp_list$ 

or may be conditional:

var\_list<sub>1</sub> := exp\_list<sub>1</sub> if bexp<sub>1</sub> ~ exp\_list<sub>2</sub> if bexp<sub>2</sub> ~ ...

Several statements may be composed with the parallel bar to form a bigger statement:

statement  $\parallel$  statement  $\parallel$  ...

Finally, it is possible to generate a list of statements by using the following constructor:

(dummy\_variables: range\_constraint: statement).

The program derived from the specification is as follows (we omitted the *declare* section):

Program Message Router

initially

 $\langle \mathbf{p}, \mathbf{q} : 1 \leq p \leq N \land 1 \leq q \leq M$ : switch $[p,q,0]$ , switch $[p,q,1]$ , turn $[p,q]$ , up $[p,q] := \bot$ ,  $\bot$ , false, false)

assign

 $\mathbf l$ 

II

f

[Packet movement from the input to the router: property (P11.1.1)]  $\langle \nabla p : 1 \leq p \leq N$ : switch[p,1,0], input[p] := hd.input[p], tl.input[p] if empty.(p,1,0)  $\land \neg$ nil.input[p]

{Packet movement along the rows: properties (P11.2.2.1.1) and (P11.2.3.1.1)}

 $\langle \mathbb{I} \rangle$  p,q : 1 \le \sq \sq \smaths \sq \smaths

switch[p,q,0], switch[p,q+1,0] :=

 $\perp$ , dec\_val.switch[p,q,0] if header.(p,q,0)  $\wedge$  val.(p,q,0) $\neq$ 1  $\wedge$  empty.(p,q+1,0)  $\sim$ 

- $\perp$ , switch[p,q,0] if  $(body.(p,q,0)) \vee tail.(p,q,0)) \wedge \neg turn[p,q] \wedge empty.(p,q+1,0))$
- [Packet movement from the rows (<N) to the columns: properties (P11.2.5.1.1), (P20), and (P22)]  $\mathbf I$  $\langle \mathbb{I} \rangle$  p,q : 1 Sp < N  $\wedge$  1 Sq  $\leq M$  ::

switch[p,q,0], switch[p+1,q,1] :=  $\perp$ , switch[p,q,0] if turn[p,q]  $\land$  -empty.(p,q,0)  $\land$  empty.(p+1,q,1) tum[p,q] := false if tum[p,q]  $\land$  tail.(p,q,0)  $\land$  empty.(p+1,q,1)

```
up[p,q] := true if turn[p,q] \wedge tail.(p,q,0) \wedge empty.(p+1,q,1) \wedge header.(p,q,1))
```
{Packet movement from row N to the output: properties (P11.2.5.1.2), (P20), and (P22)} I (∥ q : 1≤q≤M ::

switch[N,q,0], output[q] :=  $\perp$ , (output[q]; switch[N,q,0]) if turn[N,q]  $\land \neg empty(N,q,0)$  $turn[N,q] := false$  if  $turn[N,q] \wedge tail.(N,q,0)$ 

- $up[N,q] := true$  if  $turn[N,q] \wedge tail.(N,q,0) \wedge header.(N,q,1))$
- {Packet movement along the columns inside the router: properties (P11.2.7.1.1), (P21), and (P23)} H  $\langle \mathbb{I} \rangle$  p,q : 1 \sp \cdot \right \

switch[p,q,1], switch[p+1,q,1] :=  $\perp$ , switch[p,q,1] if up[p,q]  $\land \neg \text{empty}(p,q,1) \land \text{empty}(p+1,q,1)$ I  $up[p,q] := false$  if  $up[p,q] \wedge tail(p,q,1) \wedge empty(p+1,q,1)$ I turn[p,q] := true if up[p,q]  $\land$  tail.(p,q,1)  $\land$  empty.(p+1,q,1)  $\land$  header.(p,q,0)

$$
\land \text{ val.(p,q,0)=1} \rangle
$$

{Packet movement from the columns to the output: properties (P11.2.7.1.2), (P21), and (P23)} {[ գ ։ 1≤զ≤M ։։

switch[N,q,1], output[q] :=  $\perp$ , (output[q]; switch[N,q,1]) if up[N,q]  $\wedge$  -empty, (N,q,1)

 $up[N,q] := false$  if  $up[N,q] \wedge tail(N,q,1)$ 

$$
\text{turn}[N,q] := \text{true} \text{ if } \text{up}[N,q] \wedge \text{tail}(N,q,1) \wedge \text{header}(N,q,0) \wedge \text{val}(N,q,0) = 1
$$

- I  $\{Signal \ changes: Properties (P11.2.4.1.1) \ and (P11.2.6.1.1)\}\$
- $\langle \parallel p,q : 1 \leq p \leq N \land 1 \leq q \leq M : \text{turn}[p,q] := \text{true if } -\text{turn}[p,q] \land \neg \text{up}[p,q] \land \text{header.(p,q,0)} \land \text{val.(p,q,0)} = 1 \rangle$
- $\mathbb I$  $\langle \parallel p,q : 1 \leq p \leq N \land 1 \leq q \leq M :: up[p,q] := true \text{ if } \neg up[p,q] \land \neg turn[p,q] \land header.(p,q,1) \rangle$

end

I

Initially, all the row and column registers are empty, and the *turn* and up signals are off. The packet movement in the input queues (property (PI1.1.1)) is implemented by the first statement of the assign section. As long as there exists an input queue that is not empty, its head element is removed and assigned to the first register on the row, if it is empty. This implies that all the packets in the queue simultaneously move forward from one position.

The second statement takes care of the packet movement along the rows. It was trivially derived from the properties  $(PI1.2.2.1.1)$  and  $(PI1.2.3.1.1)$ .

The movement from the lower rows (below row  $N$ ) to the columns is realized by the third statement, which consists of three components. The first component was trivially derived from the progress property (P11.2.5.1.1). The second component makes sure that the turn signal is turned off when the tail of the message is passing through the switch. It was suggested by the safety property (P20), or more precisely by the conjunction of  $(P20)$  and (P11.2.5.1.1). The third component, which was derived from the conjunction of (P22) and (P11.2.5.1.1), makes sure that the up signal is turned on when the tail of the message is passing through the switch and a header packet is waiting in the column register. The packet movement along the columns inside the router (fifth statement) was derived from the properties  $(P11.2.7.1.1)$ ,  $(P21)$ , and  $(P23)$  in a similar way.

The movement of the packets from the upper locations inside the router-either on the rows (fourth statement) or on the columns (sixth statement)—is achieved by just appending the outgoing packet at the end of the output queue. Note that this implies that packets simultaneously move forward from one position in the output queue, and thus satisfies the property  $(PII.1.2)$ .

Finally, the properties  $(PI1.2.4.1.1)$  and  $(PI1.2.6.1.1)$ , specifying that the turn or up signals are turned off when a header packet shows up in the row or column registers, suggested the last two statements. To be complete, we also need to show that each statement preserves the safety and invariant properties of the specification. We omit the proofs here since they can be verified easily using the program text.

#### 5. Conclusion

This paper presents the formal derivation of a message router. The refinement method is that of UNITY. Although UNITY-style formal derivations have appeared in print before, the questions addressed by this case study are different and the lessons learnt bear careful scrutiny and further investigation. Others have been concerned with the issue of whether formal derivation can be applied successfully to sophisticated problems, such as the router. We are intrigued by the possibility that careful management of the refinement process may render formal derivation capable of supporting industrial-grade applications. Most of our effort went not into the router derivation per se but. in fine tuning the derivation process. In earlier sections we described the ultimate outcome of this study, a series of refinements and their motivation. Now we turn our attention to those elements of the derivation process that have been instrumental in shaping the specification style and the derivation strategy.

Early on we observed that it is better to specify and reason about a closed system-i.e., a system and its environment—rather than an open one. In the latter case, conditional properties make specifications more complex and proofs more difficult. In the router example, we have been able to specify a closed system by representing the input and output environments as infinite input and output queues, with the input queues initially containing all the packets that had to be sent. The unified formal treatment of the system and its environment reduced complexity without compromising the desire to separate concerns, the two types of properties were simply identified as addressing distinct issues. Naturally, only system properties were refined while the environmental properties were left unchanged.

Another critical element is the formulation of the top-level specification. On one hand, it should be as general as possible so as not to restrict prematurely the range of possible designs; on the other hand, it ought to make the refinements simple. The former is achievable by focusing the top-level specification on input/output properties alone while the latter is facilitated by selecting the "right" notation. For instance, by identifying packet locations in the environment as pairs of coordinates (row, column) the refinement of the router as a grid of switches became very natural. One does not stumble upon appropriate notation. Experience, exploration, and some looking ahead can provide the required insight. Derivation papers are often criticized for fortuitous early decisions which seem to indicate that the authors already have seen the final solution. Such objections are valid only if one claims that the nature of the specification dictates (in some mechanistic way) the next refinement step. True design,

however, never makes such pretense. Looking ahead and backtracking are part of the method. Insights gained from considering various alternatives ultimately lead—relatively early in the process—to the notation we adopted and to the choice of auxiliary variables:  $n$  (source row),  $m$  (destination column),  $i$  (message number), and  $j$  (packet number). The selection of auxiliary variables was one of the key decisions we had to make; it enabled simple formulation of many central properties such as those involving message location, no-reordering, and non-interleaving. Note, for instance, that using the destination column variable in the early stages of the design allowed us to deal with the value of the header packets only in the fourth refinement.

The scope of the individual refinements is another issue affecting the ease with which the derivation can be explained to others and verified formally. As expected, small refinements proved helpful in both respects. They also seem to help the designer avoid premature commitments. The refinement process can be viewed as a tree, where internal nodes represent specifications, and leafs represent programs. The more internal nodes, the more leafs at the bottom of the tree. This conservative strategy leads to a broader exploration of alternatives and a decrease in the likelihood that not all implications of each design decision are well understood and considered.

Finally, we discovered that it was relatively easy to separate the formal treatment of the proofs from the refinement process itself. We spent a lot of investigation time on choosing the right top-level specification, the right notation and auxiliary variables, and the right sequence of refinements. During all this time, we came up with different solutions, but we hardly ever felt the need to formally verify the correctness of the refinements we generated—only at the end of the design, when all the design decisions were set, we generated the required formal proofs for each refinement step. This made us conclude that the refinement process is sufficiently intuitive to allow a rigorous design methodology to proceed without the burden of unnecessary and cumbersome proofs. This also means that design and verification can actually be carried out by different people. People with synthetic skills could focus their energy on the design while people with strong analytical skills could deal mostly with the proofs, often without even requiring an understanding of the design details. These observations strengthen our belief that formal methods may soon play an important role in the development of industrial-grade software systems.

#### References

- $[1]$ Back, R. J. R., and Sere, K., "Stepwise Refinement of Parallel Algorithms," Science of Computer Programming, vol. 13, no. 2-3, pp. 133-180, 1990.
- $[2]$ Chandy, K. M., and Misra, J., Parallel Program Design: A Foundation, Addison-Wesley, New York, NY, 1988.
- $[3]$ Cunningham, H. C., and Roman, G.-C., "A UNITY-Style Programming Logic for a Shared Dataspace Language," IEEE Transactions on Parallel and Distributed Systems, vol. 1, no. 3, pp. 365-376, 1990.
- $[4]$ Dijkstra, E. D., A Discipline of Programming, Prentice-Hall, Englewood Cliffs, NJ, 1976.
- Dijkstra, E. W., and Fiejen, W. H. J., A Method of Programming, Addison-Wesley, Wokingham, England,  $[5]$ 1988.
- Ebergen, J. C., and Hoogerwoord, R. R., "A Derivation of a Serial-Parallel Multiplier," Science of [6] Computer Programming, vol. 15, pp. 201-215, 1990.
- Gries, D., The Science of Programming, Springer-Verlag, New York, NY, 1981.  $[7]$
- Gries, D., and Prins, J., "A New Notion of Encapsulation," ACM SIGPLAN NOTICES, vol. 20, no. 6,  $[8]$ pp. 131-139, 1985.
- $[9]$ Hoogerwoord, R. R., "A Calculational Derivation of the CASOP Algorithm," Information Processing Letters, vol. 36, pp. 297-299, 1990.
- $[10]$ Knapp, E., "An Exercise in the Formal Derivation of Parallel Programs: Maximum Flows in Graphs," ACM Transactions on Programming Languages and Systems, vol. 12, no. 2, pp. 203-223, 1990.
- Lengauer, C., "A Methodology for Programming with Concurrency: the Formalism," in Science of  $[11]$ Computer Programming, North-Holland, vol. 2, pp. 19-52, 1982.
- Lengauer, C., and Hehner, E. C. R., "A Methodology for Programming with Concurrency: an Informal  $[12]$ Presentation," in Science of Computer Programming, North-Holland, vol. 2, pp. 1-18, 1982.
- Misra, J., "General Conjunction and Disjunction Rules for unless," Dept of CS, The University of Texas at  $[13]$ Austin, Austin, TX 78712, Notes on UNITY 01-88, 1988.
- Misra, J., "Stable Conjunction," Dept of CS, The University of Texas at Austin, Austin, TX 78712, Notes  $[14]$ on UNITY 21-90, 1990.
- Morgan, C. C., "The specification statement," ACM TOPLAS, vol. 10, pp. 403-419, 1988.  $[15]$
- $[16]$ Morris, J. M., "Laws of data refinement," Acta Informatica, vol. 26, pp. 287-308, 1989.
- Roman, G.-C., and Cunningham, H. C., "Mixed Programming Metaphors in a Shared Dataspace Model of  $[17]$ Concurrency," IEEE Transactions on Software Engineering, vol. 16, no. 12, pp. 1361-1373, 1990.
- Roman, G.-C., and Cunningham, H. C., "Reasoning about Synchronic Groups," in Research Directions in  $[18]$ High-Level Parallel Programming Languages, J. P. Banâtre, D. L. Métayer, Eds., Springer-Verlag, New York, NY, vol. 574, pp. 21-38, 1992.
- $[19]$ Roman, G.-C., Wilcox, C. D., and Plun, J. Y., "On Deriving Distributed Programs from Formal Specifications of Functional Requirements and Architectural Constraints," 12th International Conference on Distributed Computing Systems., pp. 494-501, 1991.
- $[20]$ Staskauskas, M., "A Formal Specification and Design of a Distributed Electronic Funds-Transfer Network." IEEE Transactions on Computers, vol. 37, no. 12, pp. 1515-1528, 1988.

#### A. FORMAL DEFINITION OF THE UNITY LOGIC OPERATORS

The definition of the UNITY operators is based on the Hoare triple:

 $[p]s[q]$ 

which means that, starting in a state satisfying the precondition  $p$ , the execution of the statement s ends in a state satisfying the postcondition  $q$ . Let F be a UNITY program, F assign be the assign the section of F, and INIT a predicate denoting the initial state of  $F$ . The UNITY operators are formally defined in the following way:

• punless  $q = \langle \forall s : s \in F \text{.} \text{assign} :: \{p \land \neg q\} \text{ s } \{p \lor q\} \rangle.$ 

Whenever the predicate  $p$  holds for a program state, it continues to hold at least until  $q$  holds.

stable  $p = \langle \forall s : s \in F \text{.} \rangle$  and  $\langle p \rangle$  is  $\langle p \rangle$  = p unless false.

The predicate  $p$  is a *stable* predicate if it remains true forever once it becomes true.

• const  $p =$  stable  $p \wedge$  stable  $\neg p$ .

The predicate  $p$  is *constant* if it remains true forever if it is initially true, and false forever if it is initially false.

inv  $p = (INIT \Rightarrow p) \land stable p$ .

The predicate  $p$  is *invariant* if it holds in the initial state, and is stable all along the execution.

p ensures  $q = p$  unless  $q \wedge \exists s : s \in F$  assign ::  $\{p \wedge \neg q\}$  s  $\{q\}$ .

Whenever  $p$  holds, it must hold at least until  $q$  holds  $(p \text{ unless } q)$ , and there must exist a statement in the program that establishes the truth of  $q$ 

 $p \mapsto q$ .

The assertion  $p \mapsto q$  (pleads to  $q$ ) is true iff it can be derived by a finite number of applications of the following inference rules:

| p                                                       | ensures q                   |                |
|---------------------------------------------------------|-----------------------------|----------------|
| $p \mapsto q$                                           | $q \mapsto r$               | (transitivity) |
| $p \mapsto r$                                           | (transitivity)              |                |
| $\langle \forall m : m \in W :: p(m) \mapsto q \rangle$ | for any set W (disjunction) |                |

#### **B. FORMAL PROOFS OF THE REFINEMENTS**

We give here the proofs of the first, second, and sixth refinement. The proofs of the other refinements, which are trivial, have been done in the body of the paper. We sometimes give numbers to properties, using the following conventions: numbers (DP1), (DP2), ... are used for properties that are derived from the specifications; numbers (Q1), (Q2), ... are used for intermediate properties that have to be proved; numbers (R1), (R2), ... are finally used for results that have been proved. The numbering starts from 1 at each new refinement proof. Finally, let us mention that the UNITY theorems that we use below are listed in appendix C.

#### B.1. Proof of Refinement 1

We need to show that specification  $S_I$  implies specification  $S_0$ , i.e., properties (P1) through (P11).

Proof of Property (P1) ▼

Although properties  $(PI)$  through  $(PI)$  are not syntactically changed in the refinement, the definition of the function @ has changed, which implies that they need to be verified. To avoid confusion, we call them  $(P'1)$ ,  $(P'2)$ , (P'3), and (P'4) in  $S_1$ , and we explicitly use functions  $\Pi$  and  $\Pi'$  in the formulas. The property (P1) is:

$$
\mathbf{in} \mathbf{v} \langle \exists \mathbf{l} : \Pi.\alpha = \mathbf{l} \rangle \land \mathbf{k} = \langle \sum \beta, \mathbf{l} : \Pi.\beta = \mathbf{l} \land \text{mid.} \beta = \text{mid.} \alpha : \mathbf{l} \rangle
$$
\n
$$
\Rightarrow \qquad k \geq 3 \land (\text{pnr.}\alpha = \mathbf{l} \Leftrightarrow \text{type.}\alpha = \mathbf{h}) \land (\mathbf{l} < \text{pnr.}\alpha < \mathbf{k} \Leftrightarrow \text{type.}\alpha = \mathbf{b}) \land (\text{pnr.}\alpha = \mathbf{k} \Leftrightarrow \text{type.}\alpha = \mathbf{t}). \tag{P1}
$$

Let's show that  $(P'1)$  is equivalent to  $(P1)$ . For this, we need to show:

$$
\langle \exists l :: \Pi'.\alpha = l \rangle \Leftrightarrow \langle \exists l :: \Pi.\alpha = l \rangle \tag{Q1}
$$

and

```
\langle \sum \beta, l : \Pi', \beta = l \land \text{mid.} \beta = \text{mid.} \alpha :: 1 \rangle = \langle \sum \beta, l : \Pi, \beta = l \land \text{mid.} \beta = \text{mid.} \alpha :: 1 \rangle.(Q2)
```
#### Proof of Property (Q1)

 $\langle \exists 1 :: \Pi'.\alpha = I \rangle$ 

and the state of

 $\Leftrightarrow$  {definition of E' and R}

- $\exists p,q,r : 1 \leq p \leq N \land 1 \leq q \leq M \land 0 \leq r \leq 1 :: \Pi'.\alpha=(p,q,r)$
- $\vee$   $\langle \exists p,q : 1 \leq p \leq N \land q \leq 0 : \Pi', \alpha = (p,q,0) \rangle$
- $\vee$   $\langle \exists p,q : p \ge N+1 \land 1 \le q \le M :: \Pi'.\alpha=(p,q,1) \rangle$

```
\Leftrightarrow {coupling invariant}
```
- $\langle \exists p,q,r : 1 \leq p \leq N \land 1 \leq q \leq M \land 0 \leq r \leq 1 :: \Pi.\alpha = (p,q,r) \rangle$
- $\vee$  ( $\exists p,q$ :  $1 \leq p \leq N \wedge q \leq 0$ :  $\Pi.\alpha=(p,q)$ )
- $\vee$   $\langle \exists p,q : p \geq N+1 \land 1 \leq q \leq M : \Pi, \alpha = (p,q) \rangle$
- $\Leftrightarrow$  {definition of E and R}

 $\langle \exists l :: \Pi.\alpha = l \rangle$ .

#### Proof of Property (O2)

 $\langle \Sigma \beta, l : \Pi'.\beta = l \land mid.\beta = mid.\alpha :: 1 \rangle$ 

- (definition of  $E'$  and  $R$ )  $=$ 
	- $\langle \Sigma \beta, p, q, r, : 1 \leq p \leq N \land 1 \leq q \leq M \land 0 \leq r \leq 1 \land \Pi'. \beta = (p, q, r) \land mid. \beta = mid. \alpha :: 1 \rangle$
	- +  $\langle \Sigma \beta, p, q : 1 \leq p \leq N \land q \leq 0 \land \Pi', \beta = (p,q,0) \land mid, \beta = mid, \alpha :: 1 \rangle$
	- +  $\langle \sum \beta, p, q : p \ge N+1 \rangle \setminus 1 \le q \le M \wedge \Pi$ .  $\beta = (p,q,1) \wedge \text{mid} \beta = \text{mid} \alpha :: 1$
- {coupling invariant}  $\equiv$ 
	- $\langle \Sigma \beta, p, q, r, : 1 \leq p \leq N \land 1 \leq q \leq M \land 0 \leq r \leq 1 \land \Pi, \beta = (p,q,r) \land mid, \beta = mid, \alpha :: 1 \rangle$
	- $\langle \sum \beta, p, q : 1 \leq p \leq N \land q \leq 0 \land \Pi, \beta = (p,q,0) \land \text{mid.} \beta = \text{mid.} \alpha :: 1 \rangle$  $+$
	- +  $\langle \sum \beta, p, q : p \ge N+1 \land 1 \le q \le M \land \Pi, \beta = (p,q,1) \land \text{mid.} \beta = \text{mid.} \alpha :: 1 \rangle$

```
= {definition of E and R}
```
 $\langle \Sigma \beta, 1 : \Pi, \beta = 1 \land \text{mid} \beta = \text{mid} \alpha :: 1 \rangle$ .

The proofs of properties  $(P2)$ ,  $(P3)$ , and  $(P4)$  are similar.

**V** Proof of Property (P5)

In the environment, each packet has a unique location, and each location contains at most one packet: in v  $\alpha \omega(p,q) \wedge (q \leq 0 \vee p \geq N+1) \wedge \beta \omega(p',q') \wedge (q' \leq 0 \vee p \geq N+1) \Rightarrow (pid.\alpha = pid.\beta \Leftrightarrow (p,q)=(p',q')).$  $(T5)$ 

Let us start from property  $(PS.1)$ :

#### $\Box$

 $\Box$ 

in v  $\alpha \omega(p,q,r) \wedge \beta \omega(p',q',r') \Rightarrow (pid.\alpha=pid.\beta \Leftrightarrow (p,q,r)=(p',q',r'))$ 

 $\Rightarrow$  {predicatecalculus}

inv  $\alpha \omega(p,q,r) \wedge [(r=0 \wedge q \le 0) \vee (r=1 \wedge p \ge N+1)] \wedge \beta \omega(p',q',r') \wedge [(r=0 \wedge q \le 0) \vee (r=1 \wedge p \ge N+1)]$  $(pid.\alpha=pid.\beta \Leftrightarrow (p,q,r)=(p',q',r'))$ 

 $\Rightarrow$  {coupling invariant}

in v  $\alpha \omega(p,q) \wedge (q \leq 0 \vee p \geq N+1) \wedge \beta \omega(p',q') \wedge (q' \leq 0 \vee p' \geq N+1) \Rightarrow (pid.\alpha = pid.\beta \Leftrightarrow (p,q)=(p',q')).$ 

The truth of  $(P6)$  can easily be derived from  $(P6.1)$  in the same way.

 $\blacktriangledown$ Proof of Property (P7)

Packets are sent in the order they are queued:

 $\langle \exists q,q': q \leq 0 :: \alpha @ (p,q) \wedge \beta @ (p,q') \rangle$  unless  $\neg (\exists q': q' \leq 0 :: \beta @ (p,q') \rangle$ .  $(P7)$ 

From  $(P11.1)$ ,  $(P6.1)$ , and the definition of "»", we easily get:

 $\alpha \omega(p,q,0) \wedge q \leq 0$  unless  $\alpha \omega(p,q+1,0) \wedge q \leq 0$ 

#### and

 $\beta\omega(p,q',0) \wedge q' \leq 0$  unless  $\beta\omega(p,q'+1,0) \wedge q' \leq 0$ .

By applying the conjunction rule, and restricting q to be smaller than  $q'$ , we get:

 $\alpha \omega(p,q,0) \wedge \beta \omega(p,q',0) \wedge q < q' \leq 0$ unless  $[(\alpha \circ (\mathbf{p}, \mathbf{q}, 0) \wedge \beta \circ (\mathbf{p}, \mathbf{q}'+1, 0)) \vee (\alpha \circ (\mathbf{p}, \mathbf{q}+1, 0) \wedge \beta \circ (\mathbf{p}, \mathbf{q}', 0)) \vee (\alpha \circ (\mathbf{p}, \mathbf{q}+1, 0) \wedge \beta \circ (\mathbf{p}, \mathbf{q}'+1, 0))] \wedge \mathbf{q} < \mathbf{q}' \leq 0$ 

 $\Rightarrow$  {consequence weakening}  $\alpha \omega(p,q,0) \wedge \beta \omega(p,q',0) \wedge q < q' \leq 0$ unless  $\exists \pi, \pi': \pi \leq \pi' \leq 1 \land \neg(\pi = q \land \pi' = q') :: \alpha @(p, \pi, 0) \land \beta @(p, \pi', 0)$ 

 $\Leftrightarrow$  {each location contains at most one packet (property (P5.1)}  $\alpha \omega(p,q,0) \wedge \beta \omega(p,q',0) \wedge q < q' \leq 0$ unless  $\langle \exists \pi, \pi' : \pi \langle \pi \rangle \leq 1 \land \neg(\pi = q \land \pi' = q') :: \alpha @(p, \pi, 0) \land \beta @(p, \pi', 0) \rangle$ 

- $\Leftrightarrow$  {each packet has a unique location (property (P5.1)}  $\alpha \omega(p,q,0) \wedge \beta \omega(p,q',0) \wedge q < q' \leq 0$ unless  $\neg(\alpha \omega(p,q,0) \wedge \beta \omega(p,q',0)) \wedge (\exists \pi,\pi : \pi \leq 1 :: \alpha \omega(p,\pi,0) \wedge \beta \omega(p,\pi',0))$
- $\Leftrightarrow$  [introducing quantification on g and g' and naming the predicates]  $\langle \forall q,q': q \leq 0 :: P(q,q') \text{ unless } \neg P(q,q') \land \langle \exists \pi,\pi': \pi \leq 1 :: P(\pi,\pi') \rangle \rangle$
- $\Rightarrow$  {corollary of the general disjunction rule}  $\langle \exists q,q': q \leq q' \leq 0 :: P(q,q') \rangle$ unless  $\langle \forall q,q': q \leq q' \leq 0 :: \neg P(q,q') \rangle \wedge \langle \exists q,q': q \leq q' \leq 1 :: P(q,q') \rangle$
- $\Rightarrow$  {predicate calculus + consequence weakening}  $\langle \exists q,q': q \leq Q :: P(q,q') \rangle$  unless  $\langle \exists q : q < 1 :: P(q,1) \rangle$
- $\Rightarrow$  {unfolding P+ consequence weakening}  $\langle \exists q,q': q\leq q \leq 0 :: \alpha @ (p,q,0) \wedge \beta @ (p,q',0) \rangle$  unless  $\beta @ (p,1,0)$  $\Rightarrow$  {consequence weakening: each packet has a unique location}

```
\langle \exists q,q': q \leq q' \leq 0 :: \alpha \omega(p,q,0) \wedge \beta \omega(p,q',0) \rangleunless \neg \langle \exists q': q' \leq 0 :: \beta \omega(p,q',0) \rangle
```

```
\Leftrightarrow {coupling invariant}
```

```
(P7).
```
#### Proof of Property (P8)



We first prove some properties that will be useful along the demonstration.

#### Derived Property 1

Packets on the rows can only move to their destination column:



#### Proof of Property (DP1)

From the unless part of  $(P11.1)$  and  $(P11.2)$ , and the definition of "»", we get:  $\sigma'[\nu']@(p',q',0) \wedge q = dest \sigma'[\nu'] \wedge q' \neq q$  unless  $\langle \exists \nu' :: \sigma'[\nu''] \textcircled{0} (p',q'+1,0) \rangle$ 

 $\Rightarrow$  {consequence weakening: each packet has a unique location}  $\sigma'[v']@(p',q',0) \wedge q = dest \sigma'[v'] \wedge q' \neq q \text{ unless } \neg \sigma'[v']@(p',q',0) \wedge \langle \exists v'', q' :: \sigma'[v']@(p',q'',0) \rangle.$  $(R1)$ 

From  $(PI1.2)$  and the definition of " $\nu$ ", we also get:

 $\sigma'[\nu']@(p',q,0) \wedge q = dest \sigma'[\nu']$ unless  $\langle \exists v'': \sigma'[\nu'']@(p'+1,q,1) \wedge p'+1 \le N+1 \rangle$ 

 $\Rightarrow$  {consequence weakening: each packet has a unique location}  $\sigma'$ [v']@(p',q,0)  $\land$  q=dest. $\sigma'$ [v'] unless  $\neg \sigma'$ [v']@(p',q,0)  $\land$   $\exists$ v'',p'' : p'' $\leq N+1$  ::  $\sigma'$ [v'']@(p'',q,1) $\rangle$ 

- $\Rightarrow$  {simple disjunction with *(R1)*}  $\sigma'[\nu']@ (p', q', 0) \wedge q = dest \sigma'[\nu']$ unless  $\neg \sigma' [v'] \textcircled{e}(p', q', 0) \land (\exists v'', q'' :: \sigma' [v''] \textcircled{e}(p', q'', 0)) \lor (\exists v'', p'' :: p'' \le N+1 :: \sigma' [v''] \textcircled{e}(p'', q, 1)))$
- $\Rightarrow$  {corollary of the general disjunction rule on  $v', p', q$ }  $\langle \exists v', p', q' :: \sigma'[v'] \textcircled{a}(p', q', 0) \wedge q = dest \sigma'[v'] \rangle$ unless  $\langle \forall v',p',q'::\neg\sigma'[v'] \textcircled{a}(p',q',0)\rangle \land (\langle \exists v',p',q':: \sigma'[v'] \textcircled{a}(p',q',0)\rangle \lor \langle \exists v',p':p'\leq N+1::\sigma'[v'] \textcircled{a}(p',q,1)\rangle)$

 $\Rightarrow$  {predicate calculus + consequence weakening}  $\langle \exists v', p', q' :: \sigma'[v'] \mathcal{Q}(p', q', 0) \land q = dest \sigma'[v'] \rangle$ unless  $\langle \exists v', p' : p' \le N+1 :: \sigma'[v'] \mathcal{Q}(p', q, 1) \rangle$ .

#### $\Box$

#### Derived Property 2

Packets stay in the output environment forever, once they reach it: stable  $\exists p : p \geq N+1 :: \sigma[v] \omega(p,q,1)$ .

 $(DP2)$ 

#### Proof of Property (DP2)

From  $(PI1.1)$  and the definition of " $\nu$ ", we get:

 $\sigma[v]\omega(p,q,1) \wedge p \geq N+1$  unless  $\sigma[v]\omega(p+1,q,1) \wedge p \geq N+1$ 

- $\Rightarrow$  {consequence weakening: each packet has a unique location}  $\sigma[v]\omega(p,q,1) \wedge p \geq N+1$  unless  $\neg \sigma[v]\omega(p,q,1) \wedge p \geq N+1 \wedge {\exists p': p \geq N+2 :: \sigma[v]\omega(p',q,1)}$
- $\Rightarrow$  {corollary of the general disjunction rule on p}  $\langle \exists p : p \ge N+1 : \sigma[v] \mathcal{Q}(p,q,1) \rangle$ unless  $\langle \forall p : p \ge N+1 : \neg \sigma[v] \mathcal{Q}(p,q,1) \rangle \wedge \langle \exists p : p \ge N+2 : \sigma[v] \mathcal{Q}(p,q,1) \rangle$

 $\Leftrightarrow$  [predicatecalculus]

 $\langle \exists p : p \ge N+1 : \sigma[v] \mathcal{Q}(p,q,1) \rangle$  unless false.

To prove  $(P11)$ , we are going to show :

$$
\mathbf{stable} \langle \exists p : p \geq N+1 :: \sigma[v] \mathcal{Q}(p,q,1) \land \neg(\exists p' : p' > p :: \sigma'[v'] \mathcal{Q}(p',q,1)) \rangle \tag{Q3}
$$

which, according to the coupling invariant, is equivalent to  $(PI1)$ . Since each packet has a unique value, the second conjunct is equivalent to:

 $\neg(\exists v',p': p>p :: \sigma'[v']@(p',q,1))$ 

 $\Leftrightarrow$  [predicatecalculus]

 $\neg(\exists v',p':p'>p::\sigma'[v']@(p',q,1)) \wedge (\neg(\exists v',p',q',r'::\sigma'[v']@(p',q',r')) \vee \langle \exists v',p',q',r'::\sigma'[v']@(p',q',r'))\rangle$ 

 $\Leftrightarrow$  {predicatecalculus}

$$
\neg(\exists v',p',q',r'\ ::\ \sigma'[v']\textcircled{p'} ,q',r')\rangle \lor (\neg(\exists v',p':p'>p ::\ \sigma'[v']\textcircled{p'} ,q,1)\rangle \land \langle \exists v',p',q',r' ::\ \sigma'[v']\textcircled{p'} ,q',r')\rangle).
$$

The second disjunct is equivalent to:

 $\neg \langle \exists v', p', q', r' : p' \rangle p \land q' = q \land r' = 1 :: \sigma'[v'] \textcircled{\scriptsize{\textcircled{\tiny\it p}}}, q', r') \rangle \land \langle \exists v', p', q', r' :: \sigma'[v'] \textcircled{\scriptsize\it p'}, q', r') \rangle$ 

- $\Leftrightarrow$  {predicatecalculus}  $\langle \exists v', p', q', r' : \neg(p' \geq p \wedge q' = q \wedge r' = 1) :: \sigma'[v'] \textcircled{\scriptsize{\textcircled{\tiny\it p', q', r'}}}) \rangle$
- $\Leftrightarrow$  {predicatecalculus}  $\langle \exists v', p', q', r' : \neg (p' > p \land q' = q \land r' = 1) :: \sigma'[v'] \textcircled{a}(p', q', r') \land (\text{dest.}\sigma'[v'] \neq q \lor \text{dest.}\sigma'[v'] = q) \rangle$
- $\Leftrightarrow$  {dest.  $\sigma'$ [v'] $\neq q \Rightarrow \neg (q'=q \land r'=1)$  + predicate calculus}  $\langle \exists v', p', q', r' :: \sigma'[v'] \textcircled{a}(p', q', r') \wedge \text{dest.}\sigma'[v'] \neq q \rangle$  $\vee \langle \exists v', p', q' :: (\sigma'[v'] \mathcal{Q}(p', q', 0) \wedge \text{dest.}\sigma'[v'] = q) \vee (\sigma'[v'] \mathcal{Q}(p', q, 1) \wedge p' \leq p))$

So, the second conjunct of property  $(Q3)$  is equivalent to:



To prove  $(Q3)$ , it is sufficient to show:



Proof of Property  $(Q4)$ 

From  $(P2)$ ,  $(P3)$ ,  $(P4)$ , and the definition of const, we get:

 $\neg \langle \exists v', p', q', r' :: \sigma'[v'] \textcircled{\(\phi', q', r')\rangle}$  unless false

 $\Rightarrow$  {simple disjunction with (DP2)}

 $\langle \exists p : p \ge N+1 :: \sigma[v] \textcircled{g}(p,q,1) \rangle \wedge \neg(\exists v', p', q', r' :: \sigma'[v'] \textcircled{g}(p', q', r'))$ unless false

 $\Leftrightarrow$  {predicatecalculus}

 $(Q4)$ .

 $\Box$ 

Proof of Property (Q5)

From  $(P2)$ ,  $(P3)$ ,  $(P4)$ , and the definition of *const*, we get:  $\langle \exists v', p', q', r' :: \sigma'[v'] \omega(p', q', r') \rangle$  unless false

 $\Box$ 



 $\hat{\beta}$ 



 $\Rightarrow$  {stable conjunction +  $\forall v, v' :: dest. \sigma[v] = dest. \sigma[v'])$ }  $\sigma[v] @ (p,q,0) \wedge \text{dest.} \sigma[v] - q = d \mapsto \langle \exists v' :: \sigma[v'] @ (p,q+1,0) \wedge \text{dest.} \sigma[v'] - (q+1) = d-1 \rangle \vee \langle \exists v' :: \sigma[v'] @ (p+1,q,1) \rangle$ 

 $30<sub>o</sub>$ 

 $\hat{\boldsymbol{\theta}}$ 

 $\Rightarrow$  {general disjunction on v and  $\phi$ }  $\langle \exists v,q :: \sigma[v](\omega(p,q,0)) \wedge \text{dest.}\sigma[v] - q = d \rangle$  $\mapsto$  $\langle \exists v,q :: \sigma[v] \mathcal{Q}(p,q,0) \land \text{dest.}\sigma[v] - q = d - 1 \rangle \lor \langle \exists v,q :: \sigma[v] \mathcal{Q}(p+1,q,1) \rangle$  $\Rightarrow$  {induction principle}  $\langle \exists v,q :: \sigma[v]\omega(p,q,0) \rangle \mapsto \langle \exists v,q :: \sigma[v]\omega(p+1,q,1) \rangle$  $\Rightarrow$  (implication rule + transitivity of leads-to)  $(Q7)$ . Proof of Property (O8) From  $(PI1.2)$ , we get:  $\sigma[v] @ (p,q,1) \wedge p \leq N \mapsto \langle \exists v' :: \sigma[v'] \text{ @ } (p+1,q,1) \wedge p+1 \leq N \rangle \vee \langle \exists v' :: \sigma[v'] \text{ @ } (N+1,q,1) \rangle$  $\Rightarrow$  {stable conjunction}  $\sigma[v]\omega(p,q,1) \wedge p \le N \wedge N-p=d$  $\mapsto$  $\langle \exists v' :: \sigma[v'] \textcircled{a}(p+1,q,1) \land p+1 \le N \land N-(p+1)=d-1 \rangle \lor \langle \exists v' :: \sigma[v'] \textcircled{a}(N+1,q,1) \rangle$  $\Rightarrow$  {general disjunction on v, p, and q}  $\langle \exists v, p, q : p \le N : \sigma[v] \omega(p,q,1) \wedge N-p=d \rangle$  $\mapsto$  $\langle \exists v, p, q : p \leq N :: \sigma[v] \textcircled{a}(p, q, 1) \land N-p=d-1 \rangle \lor \langle \exists v, q :: \sigma[v] \textcircled{a}(N+1, q, 1) \rangle$  $\Rightarrow$  {induction principle}  $\langle \exists v, p, q : p \leq N :: \sigma[v] \omega(p,q,1) \rangle \mapsto \langle \exists v, q :: \sigma[v] \omega(N+1,q,1) \rangle$  $\Rightarrow$  {implication rule + transitivity of leads-to}  $(Q8)$ . The truth of  $(PI1)$  for p equal to N follows directly from  $(Q7)$ .  $\sigma[v] @ (N,q,0) \wedge q \leq 0 \mapsto (\exists v', q' :: \sigma[v'] \textcircled{a}(N+1,q',1))$  $\Rightarrow$  {coupling invariant}  $\sigma[v]\omega(N,q) \wedge q \leq 0 \mapsto \langle \exists v', p', q' : p' \geq N+1 :: \sigma[v']\omega(p', q') \rangle.$ For  $p$  smaller than  $N$ , we have (property  $(Q7)$ ):  $\sigma[v]\omega(p,q,0) \wedge p \in N \wedge q \leq 0 \mapsto \langle \exists v', p', q' : p' \leq N :: \sigma[v']\omega(p', q', 1) \rangle$  $\Rightarrow$  {transitivity with (Q8)}  $\sigma[v]\omega(p,q,0) \wedge p\langle N \wedge q \leq 0 \mapsto \langle \exists v', p', q' : p' \geq N+1 :: \sigma[v']\omega(p', q', 1) \rangle$  $\Leftrightarrow$  {coupling invariant}  $\sigma[v]\omega(p,q) \wedge p\ll N \wedge q\leq 0 \mapsto \langle \exists v',p',q': p\geq N+1 :: \sigma[v']\omega(p',q')\rangle.$ 

#### B.2. Proof of Refinement 2

We first need to show several derived properties.

#### Derived Property 1

If a non header packet is in the row register of a switch  $(p,q)$  and q is not the destination column, a message is in transit through the switch along the row:

 $\textbf{inv } \sigma[v]^T \textcircled{p}. q, 0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq \text{dest } \sigma[v] \Rightarrow \langle \exists p'. q'. r', q'': q'' \leq q < q':: \text{message}. (p'. q'. r'). (p, q'', 0)). \text{ (DP1)}$ 

 $\Box$ 

 $\Box$ 

Proof of Property (DP1)

Let us first prove:

inv  $\sigma[v]^T \otimes (p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest \cdot \sigma[v] \Rightarrow (\exists \alpha,p',q',r'; \text{ mid.}\alpha = mid. \sigma[v] \wedge q < q'; \alpha h \otimes (p',q',r'))$ . (O1) Since messages are properly structured (property  $(PI)$ ), we have:

in v  $\sigma[v]^{\tau}(\omega(p,q,0) \wedge \tau \neq h \Rightarrow (\exists \alpha,p',q',r': mid.\alpha = mid.\sigma[v]::\alpha^h(\omega(p',q',r'))$ 

 $\Rightarrow$  {predicatecalculus} in v  $\sigma[v]^T \mathcal{Q}(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest.\sigma[v] \Rightarrow {\exists \alpha, p', q', r': mid.c = mid.\sigma[v] :: \alpha^h \mathcal{Q}(p', q', r')}$ 

 $\Leftrightarrow$  {packets reside either on the source row or on the destination column}

in v  $\sigma[v]^T \omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest \sigma[v]$ 

$$
\langle \exists \alpha, q': mid. \alpha = mid. \sigma[v] :: \alpha^h @ (p,q',0) \rangle \lor \langle \exists \alpha, p', q': mid. \alpha = mid. \sigma[v] \land q' = dest. \alpha :: \alpha^h @ (p',q',1) \rangle
$$

 $\Rightarrow$  {packets are ordered according to their identifiers, and the header packet has the smallest identifier}

in v  $\sigma[v]^T \omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest \sigma[v]$ 

 $\langle \exists \alpha, q'; \text{mid}.\alpha = \text{mid}.\sigma[v] \land q \leq q'; d^{\text{mid}}(\alpha, q', 0) \rangle$  $\Rightarrow$  {packets from the same message have the same destination}

in v  $\sigma[v]^T \omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest \sigma[v]$ 

$$
\overrightarrow{a}
$$

 $\langle \exists \alpha, q': mid.\alpha = mid.\sigma[v] \land q \prec q': : \alpha^h \omega(p,q',0) \rangle \lor \langle \exists \alpha, p', q': mid.\alpha = mid.\sigma[v] \land q \prec q': : \alpha^h \omega(p',q',1) \rangle$ 

 $\Rightarrow$  {predicatecalculus}

 $(Q1)$ .

Let us now prove:

```
in v \sigma[v]^{\tau}\omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest \sigma[v] \Rightarrow \langle \exists \beta, q'': mid. \beta = mid. \sigma[v] \wedge q'' \leq q:: \beta^{\tau}\omega(p,q'',0)\rangle.(Q2)
```
If  $\sigma$ [v] is a tail packet, (Q2) is trivially true. Let us prove (Q2) for body packets. Since messages are properly structured, we have:

in v  $\sigma[v]^b \omega(p,q,0) \Rightarrow \langle \exists \beta,p'',q'',r'' : mid.\beta = mid.\sigma[v] :: \beta^t \omega(p'',q'',r'')\rangle$ 

 $\Rightarrow$  {predicatecalculus}

 $\Rightarrow$ 

in v  $\sigma[v]^b \omega(p,q,0) \wedge q \ge 1 \wedge q \neq dest \sigma[v] \Rightarrow (\exists \beta, p'', q'', r'' : mid \beta = mid \sigma[v] :: \beta^1 \omega(p'', q'', r'') )$ 

 $\Leftrightarrow$  {packets reside either on the source row or on the destination column}

in v  $\sigma[v]^b$ @(p,q,0)  $\land$  q≥1  $\land$  q≠dest. $\sigma[v]$ 

 $\langle \exists \beta, q'' : mid. \beta = mid. \sigma[v] :: \beta^t \mathcal{Q}(p,q'',0) \rangle \vee \langle \exists \beta, p'', q'' : mid. \beta = mid. \sigma[v] \wedge q'' = dest. \beta :: \beta^t \mathcal{Q}(p'',q'',1) \rangle$ 

 $\Leftrightarrow$  {the identifier of the tail packet is greater than the identifiers of the other packets of the message}

in v  $\sigma[v]^b$ @(p,q,0)  $\land$  q  $\geq$  1  $\land$  q  $\neq$  dest  $\sigma[v]$ 

 $\langle \exists \beta, q^* : mid \beta = mid \sigma[v] \land pid \beta > pid \sigma[v] :: \beta^t \omega(p,q'',0) \rangle$ 

 $\vee$   $\langle \exists \beta, p'', q'' : mid, \beta = mid, \sigma[v] \wedge q'' = dest, \beta \wedge pid, \beta > pid, \sigma[v] :: \beta^t \omega(p'', q'', 1) \rangle$ 

 $\Leftrightarrow$  {from the rows to the columns, packets are ordered according to their identifiers (property (P9.1)}

in v  $\sigma[v]^b \omega(p,q,0) \wedge q \ge 1 \wedge q \neq dest \sigma[v] \Rightarrow \langle \exists \beta, q^* : mid.\beta = mid.\sigma[v] \wedge q^* \le q :: \beta^t \omega(p,q^*,0) \rangle.$ 

The truth of  $(DPI)$  finally follows from the conjunction of  $(Q1)$  and  $(Q2)$ .

#### Derived Property 2

If a non header packet is in the row register of its turning switch, a message is in transit through the switch from the row to the column:

inv  $\sigma[v]^T \omega(p,q,0) \wedge \tau \neq h \wedge q = dest.\sigma[v] \Rightarrow \langle \exists p', q' : p' > p \wedge q' \leq q :: message.(p', q, 1).(p,q', 0) \rangle.$  $(DP2)$ 

#### Derived Property 3

 $\mathbf{r}$  and  $\mathbf{r}$  and  $\mathbf{r}$ 

in Li

If a non header packet is in the column register of a switch  $(p,q)$ , a message is in transit through the switch along the column:

$$
\text{inv } \sigma[v]^{t} \otimes (p,q,1) \wedge \tau \neq h \wedge p \leq N
$$
\n
$$
\Rightarrow \qquad (\text{DP3})
$$
\n
$$
\langle \exists p', p'', q'', r'' : p' \geq p \wedge (p'' < p \vee (p'' = p \wedge r'' = 1)) \text{ :: message.}(p', q, 1) \cdot (p'', q'', r'') \rangle.
$$

Let us now focus on the proof of the refinement, i.e., the proof that  $S_2$  implies property (P11.2).

$$
\sigma[v]\mathcal{Q}(p,q,r) \wedge p \leq N \wedge q \geq 1 \text{ until } \langle \exists v', p', q', r' : (p,q,r) \mathcal{P}(p',q',r') :: \sigma[v'] \mathcal{Q}(p',q',r') \rangle. \tag{P11.2}
$$

The unless part of  $(PI1.2)$  is equivalent to  $(PI1.2.1)$ . The proof of the leads-to part can be decomposed in three steps:

- Packet movement along the rows:  $\bullet$  $\sigma[v]\omega(p,q,0) \wedge q \geq 1 \wedge q \neq dest.\sigma[v] \mapsto {\exists v' :: \sigma[v']\omega(p,q+1,0)}.$  $(Q3)$
- Packet movement from the rows to the columns:  $\bullet$  $\sigma[v] @ (p,q,0) \wedge q = dest \sigma[v] \mapsto (\exists v' :: \sigma[v'] @ (p+1,q,1)).$  $(Q4)$
- Packet movement along the columns:  $\sigma[v]\omega(p,q,1) \wedge p \le N \mapsto \langle \exists v' :: \sigma[v']\omega(p+1,q,1) \rangle.$  $(QS)$

The leads-to part of  $(PI1.2)$  can then be derived from  $(Q3)$ ,  $(Q4)$ , and  $(Q5)$  by applying the simple disjunction rule.

Proof of Property (Q3)

For header packets, (Q3) is equivalent to (P11.2.2). For non header packets, we have:  $\sigma[v]^T \textcircled{D}(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest.\sigma[v]$ 

 $\Rightarrow$  (property (DP1))

 $\sigma[v]^T \textcircled{e}(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge \langle \exists p', q', r', q'': q'' \leq q < q': \text{message.}(p', q', r').(p,q'', 0) \rangle$ 

 $\Rightarrow$  {invariant (P13)}

```
\sigma[v]^{\tau} @ (p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge \neg \text{turn}(p,q)
```
 $\mapsto$  {property (P11.2.3)}  $\langle \exists v': \sigma[v'] \omega(p, q+1, 0) \rangle.$  Proof of Property  $(Q5)$ 

For header packets,  $(Q5)$  follows from the transitivity of leads-to applied to properties  $(PI1.2.4)$  and (P11.2.5). For non header packets, we have:

 $\sigma[v]^{\tau}\omega(p,q,0) \wedge \tau \neq h \wedge q = \text{dest.}\sigma[v]$ 

- $\Rightarrow$  {property (DP2) + dest.  $\sigma/v \geq 1$ }  $\sigma[v]^T \omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge \langle \exists p', q' : p' > p \wedge q' \leq q :: \text{message}.(p',q,1). \omega(p,q',0) \rangle$
- $\Rightarrow$  {invariant (P14)}  $\sigma[v]^{\tau}(\omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge \text{turn}(p,q))$
- $\mapsto$  [property (P11.2.5)]  $\langle \exists v': \sigma[v'] \langle \varnothing(p+1,q,1) \rangle.$

The proof of (Q6), based on properties (P11.2.6), (P11.2.7), (P15), and (DP3), is symmetrical.

#### B.3. Proof of Refinement 6

We must show that  $S_6$  implies properties (P11.2.2.1)-(P11.2.7.1) specifying the packet movement inside the router. We are first going to show the packet movement along the columns, and then use that result to show the packet movement at the turning switches and along the rows.

### Proof of Properties  $(P11.2.6.1)$  and  $(P11.2.7.1)$

We are going to prove the packet movement along the columns:

$$
\alpha \textcircled{p,q,1} \land p \leq N \land \text{up}(p,q) \mapsto \alpha \textcircled{q}(p+1,q,1) \tag{P11.2.7.1}
$$

and the fact that headers on the columns eventually turn the up signal on:

$$
\alpha^h \textcircled{a}(p,q,1) \land p \leq N \mapsto \alpha \textcircled{a}(p,q,1) \land \text{up}(p,q)
$$
\n
$$
\tag{P11.2.6.1}
$$

by induction on the row number  $p$ . However, to prove that each property is true for the row  $p$ , we need to know that both are true for the row  $p+1$ . This implies that  $(PI1.2.7.1)$  and  $(PI1.2.6.1)$  must be proved simultaneously in the same inductive proof.

Let us first say a few words about  $(PI1.2.6.1)$ . The refined property  $(PI1.2.6.1.1)$  states that, when a header is waiting on the column and the signal turn is off, either the up or the turn signal will be turned on:

 $\alpha^h \omega(p,q,1) \wedge p \le N \wedge \neg \text{turn}(p,q)$  ensures  $(\alpha^h \omega(p,q,1) \wedge \text{up}(p,q)) \vee \text{turn}(p,q)$ 

 $\Rightarrow$  {conjunction with  $\alpha^h \mathcal{Q}(p,q,1)$  unless  $\langle \exists \alpha': pid \alpha': pid \alpha :: \alpha^h \mathcal{Q}(p+1,q,1) \rangle$ }  $\alpha^h \omega(p,q,1) \wedge p \leq N \wedge \neg \text{turn}(p,q)$ ensures

 $(\alpha^h@(p,q,1)\wedge up(p,q))\vee (\alpha^h@(p,q,1)\wedge turn(p,q))\vee (\langle \exists \alpha': pid.\alpha:=pid.\alpha::\alpha'^h@(p+1,q,1)\rangle \wedge turn(p,q))$ 

 $\Rightarrow$  {property (P6.1)  $\Rightarrow$ src. $\alpha \leq p + \text{src.} \alpha' = \text{src.} \alpha$ }

```
\alpha^h(\omega(p,q,1)) \wedge p \leq N \wedge \neg \text{turn}(p,q)ensures
(\alpha^h \textcircled{a}(p,q,1) \wedge \text{up}(p,q)) \vee (\alpha^h \textcircled{a}(p,q,1) \wedge \text{turn}(p,q)) \vee (\exists \alpha': \text{src}.\alpha' < p :: \alpha^h \textcircled{a}(p+1,q,1)) \wedge \text{turn}(p,q))
```

```
\Rightarrow {messages are properly structured}
```

```
\alpha^h@(p,q,1) \land p\leqN\land \negturn(p,q)
ensures
(\alpha^h \omega(p,q,1) \wedge \text{up}(p,q)) \vee (\alpha^h \omega(p,q,1) \wedge \text{turn}(p,q))v (\exists \alpha', \beta', p', q', r' : mid.\beta' = mid.\alpha' \land p' < p :: \alpha'^{h}(\widetilde{\phi}(p+1,q,1) \land \beta'^{t}(\mathcal{Q}(p',q',r')) \land tum(p,q))
```

$$
\Leftrightarrow \quad \{\text{invariants } (PI5) \text{ and } (PI2)\}
$$

 $\alpha^h$ @(p,q,1)  $\land$  p $\leq N \land \neg$ turn(p,q) ensures ( $\alpha^h$ @(p,q,1)  $\land$  up(p,q))  $\lor$  ( $\alpha^h$ @(p,q,1)  $\land$  turn(p,q)).

 $\Box$ 

To prove  $(P11.2.6.1)$ , we thus only need to show that when a header is waiting on the column and the signal turn is on, the up signal will eventually be turned on:

$$
\alpha^{\underline{h}} \textcircled{p}, q, 1) \land p \leq N \land \text{turn}(p, q) \mapsto \alpha^{\underline{h}} \textcircled{p}, q, 1) \land \text{up}(p, q).
$$
\n
$$
(O1)
$$

Informally, the truth of  $(QI)$  is based on the fact that, if the signal turn is on, a message is currently taking its turn through the switch  $(p,q)$  and, according to the fairness property  $(P22)$ , when the tail of the message will pass through the switch, the up signal will be turned on. To prove it formally, we need to show some intermediate results.

#### Definition

We define predicate  $tail_{p,q} \mathcal{Q}(p,q',0)$  to be true iff a message is taking its turn (or waiting for taking its turn) through the switch  $(p,q)$ , and the tail of the message is at location  $(p,q',0)$ .

 $tail_{p,q} @ (p,q',0)$  $\langle \exists \alpha, \beta, p' : \text{dest.}\alpha = q \land \text{mid.}\alpha = \text{mid.}\beta : \beta^{\text{t}}\omega(p,q',0) \land (\alpha^{\text{h}}\omega(p,q,0) \lor \alpha^{\text{h}}\omega(p',q,1)) \rangle.$ 

#### Derived Property 1

The tail of the message turning through the switch  $(p,q)$  can only move one location at a time along the

row:

$$
tail_{p,q} @ (p,q',0) \wedge q' < q \text{ unless } tail_{p,q} @ (p,q'+1,0).
$$
 (DP1)

### Proof of Property (DP1)

Property (DP1) follows from the three properties below, which can be derived from  $(PI1.2.1)$ :

$$
\langle \exists v :: \sigma[v]^h @ (p,q,0) \land q = dest \sigma[v] \rangle \text{ unless } \langle \exists v, p' :: \sigma[v]^h @ (p',q,1) \rangle
$$
\n
$$
\langle \exists v, p' :: \sigma[v]^h @ (p',q,1) \rangle \text{ unless false}
$$
\n
$$
\langle \exists w :: \sigma[v]^h @ (p,q',0) \land q' < dest \sigma'[w] \rangle \text{ unless } \langle \exists w :: \sigma'[w]^t @ (p,q'+1,0) \rangle.
$$
\n
$$
\langle \exists w :: \sigma'[w]^t @ (p,q',0) \land q' < dest \sigma'[w] \rangle \text{ unless } \langle \exists w :: \sigma'[w]^t @ (p,q'+1,0) \rangle.
$$

By applying the cancellation rule on  $(R1)$  and  $(R2)$ , we get:

 $\langle \exists v, p' :: (\sigma[v]^h \textcircled{e}(p,q,0) \vee \sigma[v]^h \textcircled{e}(p',q,1)) \wedge q = \text{dest.} \sigma[v] \rangle$ unless false

 $\Rightarrow$  {conjunction with (R3) and restricting  $\sigma'[w]$  to belong to the same message as  $\sigma[v]$ }  $\langle \exists v,w,p'::\sigma'[w]^t \omega(p,q',0) \wedge (\sigma[v]^h \omega(p,q,0) \vee \sigma[v]^h \omega(p',q,1)) \wedge q' < q \wedge q = dest \sigma[v] \wedge mid \sigma'[w] = mid \sigma[v]$ unless

 $\langle \exists v, w, p' :: \sigma'[w]^{\dagger} \textcircled{p}, q' + 1, 0 \rangle \land (\sigma[v]^{\dagger} \textcircled{p}, q, 0) \lor \sigma[v]^{\dagger} \textcircled{p}, q, 1) \land q = \text{dest.} \sigma[v] \land \text{mid.} \sigma'[w] = \text{mid.} \sigma[v]$ 

 $\Rightarrow$  {general disjunction on  $\sigma$  and  $\sigma'$ + consequence weakening}

 $\langle \exists \alpha, \beta, p' : q = dest \alpha \land mid, \beta = mid \alpha :: \beta^t \omega(p,q',0) \land (\alpha^h \omega(p,q,0) \lor \alpha^h \omega(p',q,1)) \rangle \land q' < q$ unless

 $\langle \exists \alpha, \beta, p': q = dest.\alpha \land mid.\beta = mid.\alpha :: \beta^t \omega(p,q'+1,0) \land (\alpha^h \omega(p,q,0) \lor \alpha^h \omega(p',q,1)) \rangle$ 

 $\Leftrightarrow$  {definition of *tail<sub>p,q</sub>*}

```
(DP1).
```
 $\Box$ 

#### Derived Property 2

The signal  $turn(p,q)$  stays on until the tail of the message turning through the switch  $(p,q)$  shows up: turn(p,q) unless turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q,0).  $(DP2)$ 

## Proof of Property (DP2)

From (P11.2.1), we can easily derive:



#### Derived Property 3

If a non header packet is in the row register of a switch  $(p,q)$  and q is not the destination column, the signal  $tum(p,q)$  is off:

$$
\text{inv } \alpha^{\tau} @ (p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq \text{dest } \sigma[v] \Rightarrow \neg \text{turn}(p,q). \tag{DP3}
$$

Proof of Property (DP3)

In the proof of the second refinement, we have showed that when a non header packet  $\alpha$  is in the row register of a switch  $(p,q)$  and q is not the destination column, there exists a message in transit through the switch along the row:

inv  $\alpha^T \omega(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge q \neq dest \sigma[v] \Rightarrow {\exists} p', q', r', q'': q'' \leq q < q':: \text{message.}(p', q', r').(p,q'', 0)).$  $(R6)$ 

This property is still valid since none of the properties used to prove it has been refined. The validity of (DP3) follows from  $(R6)$  and invariant  $(P13)$ .  $\Box$ 

In the same way, we can easily prove the properties  $(DP4)$  and  $(DP5)$  below:

#### Derived Property 4

 $\overline{a}$ 

If a non header packet is in the row register of its turning switch, the signal  $\lim_{\alpha}$  ( $\lim_{\alpha}$ ) is on:

$$
\mathbf{inv} \ \alpha^1 \omega(p,q,0) \wedge \tau \neq \mathbf{h} \wedge \mathbf{q} = \mathbf{dest}.\alpha \Rightarrow \mathbf{turn}(p,q). \tag{DP4}
$$

#### Derived Property 5

If a non header packet is in the column register of a switch  $(p,q)$ , the signal  $up(p,q)$  is on:

inv  $\alpha^T \omega(p,q,1) \wedge \tau \neq h \wedge p \leq N \Rightarrow \text{up}(p,q)$ .  $(DP5)$ 

#### Derived Property 6

Assuming that packets are guaranteed to move from the row to the column when the signal turn is on:

 $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge \text{turn}(p,q) \mapsto \text{empty} \omega(p,q,0)$ 

all the packets residing inside the router between the switch  $(p,q)$  and the tail of the turning message will eventually move:

turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q  $\land$   $\beta$ @(p,q'',0)  $\land$  q'≥1  $\land$  q'≤q''≤q  $\mapsto$  empty@(p,q'',0). (DP6)

Proof of Property (DP6)

We are going to show (DP6) by induction on  $q$ .

Base case: q"=q

The hypothesis of (DP6) implies:

 $\beta\omega(p,q,0) \wedge q \geq 1 \wedge \text{turn}(p,q) \mapsto \text{empty}\omega(p,q,0)$ 

 $\Rightarrow$  {implication rule + transitivity of leads-to} turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q  $\land$   $\beta$ @(p,q,0)  $\land$  q≥1  $\mapsto$  empty@(p,q,0).

#### Induction Hypothesis

 $\text{turn}(p,q) \wedge \text{tail}_{p,q}(\mathcal{Q}(p,q',0)) \wedge q' < q \wedge \beta(\mathcal{Q}(p,q''+1,0)) \wedge q''+1>1 \wedge q' < q''+1 \leq q \mapsto \text{empty}(\mathcal{Q}(p,q''+1,0)).$ 

#### **Induction Step**

Let us show:

turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q'<q  $\wedge$   $\delta$ @(p,q'',0)  $\wedge$  q'≥1  $\wedge$  q'≤q''<q  $\mapsto$  empty@(p,q'',0).

From the property  $(PI1.2.1)$ , we get:

 $\delta \omega(p,q^n,0) \wedge q^n$  <dest.  $\delta$  unless  $\langle \exists \delta': \text{pid.} \delta := \text{pid.} \delta :: \delta' \omega(p,q^n+1,0) \rangle$ 

- $\Rightarrow$  {conjunction with  $\beta \mathcal{Q}(p,q''+1,0) \wedge q''+1<1$  unless empty $\mathcal{Q}(p,q''+1,0)$  (property (P25)}  $\delta\omega(p,q'',0) \wedge 1 \leq q'' < \text{dest.} \delta \wedge \beta\omega(p,q''+1,0)$  unless  $\delta\omega(p,q'',0) \wedge q'' < \text{dest.} \delta \wedge \text{empty}(\omega(p,q''+1,0)$
- $\Rightarrow$  {PSP with induction hypothesis} turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q  $\land$   $\delta$ @(p,q'',0)  $\land$  1≤q''<dest. $\delta \land$  q'≤q''<q  $\land$   $\beta$ @(p,q''+1,0)  $\delta\omega(p,q",0) \wedge q''$ <dest. $\delta \wedge \text{empty} \omega(p,q''+1,0)$

```
\Rightarrow {general disjunction on \beta}
       turn(p,q) \wedge tail<sub>p,q</sub>@(p,q',0) \wedge q'<q \wedge \delta@(p,q'',0) \wedge 1≤q''<dest.\delta \wedge q'≤q''<q \wedge --empty@(p,q''+1,0)
      \mapsto\delta\omega(p,q'',0) \wedge q''<dest.\delta \wedge \text{empty}\omega(p,q''+1,0).
```
From the fact that messages are not interleaved, we can deduce that  $\delta$  belongs to the message that is taking its turn, which implies that  $\text{dest}\,\delta$  is equal to  $q$ . Since we have  $q'', the expression  $q''<\text{dest}\,\delta$  can be dropped from$ the left-hand side. Furthermore, from the fact that messages are properly structured, we can deduce that  $\delta$  cannot be a header packet. So the last property is equivalent to:

```
turn(p,q) \land tail<sub>p,q</sub>@(p,q',0) \land q'<q \land \delta@(p,q'',0) \land q'≥1 \land q'≤q''<q \land \negempty@(p,q''+1,0)
       \mapsto\delta^{\tau} \omega(p,q'',0) \wedge \tau \neq h \wedge q'' < dest. \delta \wedge \text{empty} \omega(p,q''+1,0)\Rightarrow [Property (DP3)]
       turn(p,q) \land tail<sub>p,q</sub>@(p,q',0) \land q'<q \land \delta@(p,q'',0) \land q''≥1 \land q'≤q''<q \land --empty@(p,q''+1,0)
       \mapsto\delta^{\tau} \textcircled{a}(p,q",0) \wedge \tau \neq h \wedge \neg \text{turn}(p,q") \wedge \text{empty} \textcircled{a}(p,q"+1,0)\Rightarrow {transitivity with (P11.2.3.1.1)}
       turn(p,q) \land tail<sub>p,q</sub>@(p,q',0) \land q'<q \land \delta@(p,q'',0) \land q''≥1 \land q'≤q''<q \land \negempty@(p,q''+1,0)
       \mapsto\delta \omega(p,q'+1,0)\Rightarrow {PSP with \delta\mathcal{Q}(p,q'',0) \wedge q'' \geq 1 unless empty\mathcal{Q}(p,q'',0) (property (P25)}}
       turn(p,q) \land tail<sub>p,q</sub>@(p,q',0) \land q'<q \land \delta@(p,q'',0) \land q''≥1 \land q'≤q''<q \land --empty@(p,q''+1,0)
                                                                                                                                                                          (R7)empty\omega(p,q",0).
```
To complete the proof, we now need to show that  $\delta$  will eventually move when the next location is empty. From  $(PI1.2.3.1.1)$ , we get:

 $\delta^{\tau} \textcircled{a}(p,q'',0) \wedge \tau \neq h \wedge q'' \geq l \wedge \neg \text{turn}(p,q'') \wedge \text{empty} \textcircled{a}(p,q''+1,0) \mapsto \delta \textcircled{a}(p,q''+1,0)$ 

 $\Rightarrow$  {PSP with  $\delta\omega(p,q'',0) \wedge q'' \ge 1$  unless empty  $\omega(p,q'',0)$ }  $\delta^{\tau}\textcircled{a}(p,q",0) \wedge \tau \neq h \wedge q' \geq 1 \wedge \neg \text{turn}(p,q'') \wedge \text{empty}(\textcircled{a}(p,q''+1,0) \mapsto \text{empty}(\textcircled{a}(p,q'',0))$   $\Leftrightarrow$  [implication rule + transitivity of leads-to]

turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q'<q  $\wedge$   $\delta^{\tau}$ @(p,q'',0)  $\wedge$   $\tau \neq h$   $\wedge$  1 $\leq$ q''<dest. $\delta$   $\wedge$  q' $\leq$ q''<q  $\wedge$   $\neg$ turn(p,q'')  $\land$  empty@(p,q<sup>n</sup>+1,0)  $\rightarrow$ empty $@$  $(p,q",0)$  $\Leftrightarrow$  [property *(DP3)*} turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q  $\land$   $\delta^{\mathsf{T}}$ @(p,q'',0)  $\land$   $\uparrow \neq$ h  $\land$  1 ≤q''<dest. $\delta \land$  q'≤q''<q  $\land$  empty@(p,q"+1,0)  $\mapsto$ 

empty $@$ (p,q",0)

- $\Leftrightarrow$  {messages are not interleaved and properly structured  $\Rightarrow$   $\tau \neq h \land \text{dest.} \delta = q$ } turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q'<q  $\wedge$   $\delta$ @(p,q'',0)  $\wedge$  q'≥1  $\wedge$  q'≤q''<q  $\wedge$  empty@(p,q''+1,0)  $\mapsto$ empty@ $(p,q",0)$
- $\Rightarrow$  {disjunction with (R7)} turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q'<q  $\wedge$   $\delta$ @(p,q'',0)  $\wedge$  q'≥1  $\wedge$  q'≤q''<q  $\mapsto$  empty@(p,q'',0).

 $\Box$ 

#### Derived Property 7

Assuming that packets are guaranteed to move from the row to the column when the signal turn is on :  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge \text{turn}(p,q) \mapsto \text{empty} \omega(p,q,0)$ 

the tail of the turning message will eventually move to the next location :

$$
turn(p,q) \land tail_{p,q} @ (p,q',0) \land q' < q \mapsto turn(p,q) \land tail_{p,q} @ (p,q'+1,0).
$$
 (DP7)

#### Proof of Property (DP7)

The proof can be decomposed into two cases:  $q' \le 0$  and  $q \ge 1$ . In the first case, we get from (P11.1).

 $\langle \exists \beta : \beta^{\dagger} \omega(p,q',0) \rangle \wedge q' \leq 0 \mapsto \langle \exists \beta : \beta^{\dagger} \omega(p,q'+1,0) \rangle$ 

 $\Leftrightarrow$  {implication rule + transitivity of leads-to} turn(p,q)  $\land$   $\langle \exists \beta : : \beta^t \omega(p,q',0) \rangle \land q \leq 0 \mapsto \langle \exists \beta : : \beta^t \omega(p,q'+1,0) \rangle.$  $(R8)$ 

By applying the conjunction rule on (DP1) and (DP2), we get:

```
turn(p,q) \land tail<sub>p,q</sub>@(p,q',0) \land q'<q
       unless
       turn(p,q) \land tail<sub>p,q</sub>@(p,q'+1,0)
       \vee (turn(p,q) \wedge tail<sub>p,q</sub>@(p,q,0) \wedge tail<sub>p,q</sub>@(p,q',0))
       \vee (turn(p,q) \wedge tail<sub>p,q</sub>@(p,q,0) \wedge tail<sub>p,q</sub>@(p,q'+1,0))
\Leftrightarrow {messages are not interleaved}
```
turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q'<q unless turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q'+1,0)

 $(R9)$ 

 $\Rightarrow$  {PSP with (R8)} turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$   $\langle \exists \beta : : \beta^{\dagger} \textcircled{p}, q, \langle 0 \rangle \rangle \land q \leq 0 \land q' < q$  $\mapsto$  $(\text{turn}(p,q) \wedge \text{tail}_{p,q} @ (p,q',0) \wedge \langle \exists \beta :: \beta^t @ (p,q'+1,0) \rangle) \vee (\text{turn}(p,q) \wedge \text{tail}_{p,q} @ (p,q'+1,0))$ 

 $\Leftrightarrow$  {definition of *tail<sub>p,Q</sub>* + messages are not interleaved and properly structured} turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q' $\leq$ 0  $\wedge$  q' $\lt q \mapsto$ turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q'+1,0).

In the second case  $(q \geq l)$ , we can deduce from (DP6).

turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q  $\land$   $\beta$ <sup>t</sup>@(p,q',0)  $\land$  q'≥1  $\mapsto$  empty@(p,q',0)

- $\Rightarrow$  {general disjunction on  $\beta$  + definition of *tail<sub>p.d</sub>*} turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  1≤q'<q  $\mapsto$  empty@(p,q',0)
- $\Rightarrow$  {PSP with (R9)} turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  1≤q'<q  $\mapsto$  turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q'+1,0).

#### Derived Property 8

Assuming that packets are guaranteed to move from the row to the column when the signal turn is on:  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge \text{turn}(p,q) \mapsto \text{empty} \omega(p,q,0)$ 

a tail is guaranteed to show up in the row register of the turning switch:

turn(p,q)  $\mapsto$  turn(p,q)  $\wedge$   $\langle \exists \beta : : \beta^{\dagger}(\omega(p,q,0)) \rangle$ .

#### Proof of Property (DP8)

Let us start from (DP7):

turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q  $\mapsto$  turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q'+1,0)

 $\Leftrightarrow$  {predicatecalculus}

 $\mapsto$ 

turn(p,q)  $\land$  tail<sub>p,q</sub>@(p,q',0)  $\land$  q'<q

 $(\text{turn}(p,q) \wedge \text{tail}_{p,q} @ (p,q'+1,0) \wedge q'+1 < q) \vee (\text{turn}(p,q) \wedge \text{tail}_{p,q} @ (p,q,0))$ 

- $\Rightarrow$  {stable conjunction}
	- turn(p,q)  $\wedge$  tail<sub>p,q</sub>@(p,q',0)  $\wedge$  q'<q  $\wedge$  q-q'=d  $\mapsto$

 $(\text{turn}(p,q) \wedge \text{tail}_{p,q} @ (p,q+1,0) \wedge q+1 < q \wedge q-(q+1)=d-1) \vee (\text{turn}(p,q) \wedge \text{tail}_{p,q} @ (p,q,0))$ 

 $\Rightarrow$  {general disjunction on q}

turn(p,q)  $\land$   $\langle \exists q': q' < q :: tail_{p,q} \textcircled{a}(p,q',0) \land q-q' = d \rangle$  $\mapsto$ 

 $(turn(p,q) \wedge \langle \exists q': q' < q :: tail_{p,q} \textcircled{a}(p,q',0) \wedge q - q' = d-1 \rangle) \vee (turn(p,q) \wedge tail_{p,q} \textcircled{a}(p,q,0))$ 

- $\Rightarrow$  {induction principle} turn(p,q)  $\land$   $\langle \exists q': q' \prec q :: \text{tail}_{p,q}(\mathcal{Q}(p,q',0)) \rightarrow \text{turn}(p,q) \land \text{tail}_{p,q}(\mathcal{Q}(p,q,0))$
- $\Leftrightarrow$  {reflexivity of leads-to} turn(p,q)  $\land$   $\langle \exists q': q \leq q :: tail_{p,q} \textcircled{e}(p,q',0) \rangle \mapsto$  turn(p,q)  $\land$  tail<sub>p,q</sub> $\textcircled{e}(p,q,0)$
- $\Rightarrow$  {turn(p,q)  $\Rightarrow$   $\exists q': q \leq q :: tail_{p,q} \text{ or } (p,q',0)$ } (invariant (P16)) + definition of tail  $p,q \text{ or } (p,q,0)$ } tum(p,q)  $\mapsto$  tum(p,q)  $\wedge \langle \exists \beta : : \beta^{\dagger} \omega(p,q,0) \rangle$ .

We are now able to prove properties (P11.2.7.1) and (Q1), by induction on p. Let us rename them  $T_1(p)$ and  $T_2(p)$ :

 $T_1(p) = \alpha \omega(p,q,1) \wedge p \le N \wedge \text{up}(p,q) \mapsto \alpha \omega(p+1,q,1)$  $T_2(p) = \alpha^h \omega(p,q,1) \wedge p \le N \wedge \text{turn}(p,q) \mapsto \alpha^h \omega(p,q,1) \wedge \text{up}(p,q).$ 

Base case: p=N

The validity of  $T_1/N$ .

 $\Box$ 

(DP8)

 $\Box$ 



### **Induction Hypothesis**

Let us suppose  $T_I(p+1)$ .

```
\alpha @(\mathrm{p+1,q,1}) \wedge \mathrm{p+1} \mathop{\leq N} \wedge \mathrm{up}(\mathrm{p+1,q}) \mapsto \alpha @(\mathrm{p+2,q,1})
```

```
and T_2(p+1).
```

```
\alpha^h @ (\mathrm{p+1,q,1}) \wedge \mathrm{p+1 \leq N} \wedge \mathrm{turn}(\mathrm{p+1,q}) \mapsto \alpha^h @ (\mathrm{p+1,q,1}) \wedge \mathrm{up}(\mathrm{p+1,q}).
```
To prove  $T_I(p)$  and  $T_Z(p)$ , we will need the following property:

```
\lnotempty@(p+1,q,1) \land p+1\leqN \mapstoempty@(p+1,q,1).
```
Let us call it  $T_3(p+1)$ , and let us prove that it is implied by  $T_1(p+1)$  and  $T_2(p+1)$ . The property  $T_2(p+1)$ , along with the following property we derived from (P11.2.6.1.1):

 $\alpha^h \omega(p+1,q,1) \wedge p+1 \leq N \wedge \neg \text{turn}(p+1,q)$ ensures  $(\alpha^{h} \omega (p+1,q,1) \wedge \text{up}(p+1,q)) \vee (\alpha^{h} \omega (p+1,q,1) \wedge \text{turn}(p+1,q)).$ 

implies:

 $\alpha^h \omega_{(p+1,q,1)} \wedge p+1 \leq N \mapsto \alpha^h \omega_{(p+1,q,1)} \wedge \text{up}(p+1,q)$ 

 $\Rightarrow$  {transitivity with  $T_I(p+1)$ }

```
\alpha^{h} \omega_{p+1,q,1} \land p+1\leqN \mapsto \alpha \omega_{p+2,q,1}.
```

```
Furthermore, from T_I(p+1) we also get:
```
 $\alpha^{\tau}(\omega(p+1,q,1) \wedge \tau \neq h \wedge p+1 \leq N \wedge \text{up}(p+1,q) \mapsto \alpha(\omega(p+2,q,1))$ 

 $\Leftrightarrow$  {property (DP5)}

 $\alpha^{\tau}(\omega(p+1,q,1)) \wedge \tau \neq h \wedge p+1 \leq N \mapsto \alpha(\omega(p+2,q,1)).$ 

```
So, we have proved:
```
 $\alpha \omega(p+1,q,1) \wedge p+1 \le N \mapsto \alpha \omega(p+2,q,1)$ 

- $\Rightarrow$  {PSP with  $\alpha \mathcal{Q}(p+1,q,1) \wedge p+1 \leq N$  unless empty $\mathcal{Q}(p+1,q,1)$ }  $\alpha \omega(p+1,q,1) \wedge p+1 \leq N \mapsto \text{empty}(\omega(p+1,q,1))$
- $\Rightarrow$  {general disjunction on  $\alpha$ }  $T_3(p+1)$ .

#### Induction Step

Let us prove  $T_1(p)$  (for  $p < N$ ). From the fact that a packet can move to the next location only if this location is empty, we can easily prove:

```
\alpha \omega(p,q,1) \wedge p \le N \wedge \text{up}(p,q) \wedge \text{-empty} \omega(p+1,q,1)unless
\alpha \omega(p,q,1) \wedge p \ll N \wedge \text{up}(p,q) \wedge \text{empty} \omega(p+1,q,1)
```
 $\Rightarrow$  {PSP with  $T_3(p+1)$ }

```
\alpha \omega(p,q,1) \wedge p \ll N \wedge \text{up}(p,q) \wedge \text{—empty}(\rho+1,q,1) \mapsto \alpha \omega(p,q,1) \wedge p \ll N \wedge \text{up}(p,q) \wedge \text{empty}(\rho+1,q,1)
```
We also know, from  $(PI1.2.7.1.1)$ :

 $\alpha \omega(p,q,1) \wedge p \le N \wedge \text{up}(p,q) \wedge \text{empty} \omega(p+1,q,1) \mapsto \alpha \omega(p+1,q,1)$ 

 $\Rightarrow$  {transitivity of leads-to + disjunction with the previous property}  $\alpha \omega(p,q,1) \wedge p \langle N \wedge \text{up}(p,q) \mapsto \alpha \omega(p+1,q,1)$ 

As in the base case, to prove  $T_2(p)$  for  $p \lt N$ , we first need to prove the following property:

 $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \mapsto \text{empty} \omega(p,q,0).$ 

From the fact that a packet can move to the next location only if this location is empty, and by using the PSP theorem with  $T_3(p+1)$  we get:

 $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{-empty} \omega(p+1,q,1)$  $\mapsto$ 

 $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{empty} \omega(p+1,q,1)$ 

- $\Rightarrow$  {transitivity of leads-to + disjunction with (P11.2.5.1.1)}  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \mapsto \alpha \omega(p+1,q,1)$
- $\Rightarrow$  {PSP with  $\alpha \mathcal{Q}(p,q,0) \wedge q \ge 1$  unless empty $\mathcal{Q}(p,q,0)$ }  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \mapsto \text{empty} \omega(p+1,q,0).$

We can now prove  $T_2(p)$ . In the same way we proved  $(R11)$  in the base case, we have:

 $\alpha^h \omega(p,q,1) \wedge p \ll N \wedge \text{turn}(p,q) \mapsto \alpha^h \omega(p,q,1) \wedge p \ll N \wedge \text{turn}(p,q) \wedge (\exists \beta :: \beta^t \omega(p,q,0)).$  $(R13)$ 

In the same way we proved  $(R12)$ , we get:

 $\beta^{\dagger}\omega(p,q,0) \wedge p < N \wedge \text{turn}(p,q) \wedge \alpha^{\dagger}\omega(p,q,1)$  unless  $\alpha^{\dagger}\omega(p,q,1) \wedge \text{up}(p,q)$ 

 $\Rightarrow$  {PSP with  $\beta^t \omega(p,q,0) \wedge p \lt N \wedge q \ge 1 \wedge \text{turn}(p,q) \wedge \text{empty} \omega(p+1,q,1) \mapsto \beta^t \omega(p+1,q,1)$  (P11.2.5.1.1)}  $\beta^t \omega(p,q,0) \wedge p \le N \wedge \text{turn}(p,q) \wedge \alpha^h \omega(p,q,1) \wedge \text{empty } \omega(p+1,q,1) \mapsto \alpha^h \omega(p,q,1) \wedge \text{up}(p,q).$ 

We can also easily prove:

```
\beta^{\dagger}\omega(p,q,0) \wedge p \ll N \wedge \text{turn}(p,q) \wedge \alpha^{\dagger}\omega(p,q,1) \wedge \text{--empty}\omega(p+1,q,1)جسر
 \beta^{\dagger} \omega(p,q,0) \wedge p \ll N \wedge \text{turn}(p,q) \wedge \alpha^{\dagger} \omega(p,q,1) \wedge \text{empty} \omega(p+1,q,1)
```
- $\Rightarrow$  {transitivity of leads-to + disjunction with the previous property}  $\beta^{\text{t}}\omega(p,q,0) \wedge p \ll N \wedge \text{turn}(p,q) \wedge \alpha^{\text{h}}\omega(p,q,1) \mapsto \alpha^{\text{h}}\omega(p,q,1) \wedge \text{up}(p,q)$
- $\Rightarrow$  {general disjunction on  $\beta$  + transitivity with (R13)}  $\alpha^h \omega(p,q,1) \wedge p \in N \wedge \text{turn}(p,q) \mapsto \alpha^h \omega(p,q,1) \wedge \text{up}(p,q).$

#### $\blacktriangledown$ Proof of Property (P11.2.5.1)

Packets eventually move from the row to the column when the signal turn is on:

 $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge \text{turn}(p,q) \mapsto \alpha \omega(p+1,q,1).$ 

The truth of (P11.2.5.1) for p=N is directly implied by (P11.2.5.1.2). Let us prove it for  $p \lt N$ . From the fact that a packet can move to the next location only if it is empty, we get:

```
\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{-empty}(\rho+1,q,1)unless
\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{empty} \omega(p+1,q,1)
```
 $\Rightarrow$  {PSP with  $\neg$  *empty@(p+1,q,1)*  $\land$  *p+1*≤N  $\rightarrow$  *empty@(p+1,q,1)* (property  $T_3(p+1)$ )}  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{-empty} \omega(p+1,q,1)$  $\mapsto$  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{empty} \omega(p+1,q,1).$ 

We also know, from  $(PI1.2.5.1.1)$ :

 $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \wedge \text{empty}(\omega(p+1,q,1) \mapsto \alpha \omega(p+1,q,1)$ 

 $\Rightarrow$  {transitivity of leads-to + disjunction with the previous property}  $\alpha \omega(p,q,0) \wedge q \geq 1 \wedge p \leq N \wedge \text{turn}(p,q) \mapsto \alpha \omega(p+1,q,1).$ 

```
\nabla Proof of Property (P11.2.4.1)
```
Headers with value 1 along the row eventually turn the *turn* signal on:

 $\sigma[v]^h \omega(p,q,0) \wedge v=1 \mapsto \sigma[v]^h \omega(p,q,0) \wedge \text{turn}(p,q)$ .  $(P11.2.4.1)$ 

The refined property  $(PII.2.4.1.1)$  states that, when a header is waiting at its turning switch and the signal  $up$  is off, either the *turn* or the  $up$  signal will eventually be turned on:

 $\sigma[v]^h \textcircled{a}(p,q,0) \wedge v=1 \wedge \neg up(p,q)$  ensures  $(\sigma[v]^h \textcircled{a}(p,q,0) \wedge tum(p,q)) \vee up(p,q)$ .

In the same way we did for the property  $(PI1.2.6.1.1)$ , we can prove that this implies:

 $\sigma[v]^h \omega(p,q,0) \wedge v=1 \wedge \neg up(p,q)$  ensures  $(\sigma[v]^h \omega(p,q,0) \wedge \text{turn}(p,q)) \vee (\sigma[v]^h \omega(p,q,0) \wedge \text{up}(p,q)).$ 

 $(P11.2.5.1)$ 

So, to prove  $(PI1.2.4.1)$ , we only need to show that when a header is waiting at its turning switch and signal up is on, the turn signal will eventually be turned on:

$$
\sigma[v]^n \mathcal{Q}(p,q,0) \wedge v = 1 \wedge up(p,q) \mapsto \sigma[v]^n \mathcal{Q}(p,q,0) \wedge tum(p,q).
$$
 (2)

As in the proof of  $(P11.2.6.1)$ , we need several intermediate results.

#### Definition

We define predicate  $tail'_{p,q} \mathcal{Q}(p',q',r')$  to be true iff a message is passing (or waiting for passing) through the switch (p,q) along the column, and the tail of the message is at location  $(p,q,r)$ .

tail'<sub>D,Q</sub>@(p',q',r')  $\langle \exists \alpha, \beta, p": p" \geq p \wedge (p' < p \vee (p' = p \wedge r' = 1)) \wedge mid.\alpha = mid.\beta :: \beta^t @ (p', q', r') \wedge \alpha^h @ (p'', q, 1)\rangle.$ 

#### Derived Property 9

The signal up(p,q) stays on until the tail of the message passing through the switch  $(p,q)$  along the column shows up:

up(p,q) unless up(p,q)  $\wedge$  tail'<sub>D,q</sub>@(p,q,1).

#### Derived Property 10

 $\frac{1}{2}$ 

When the signal  $up(p,q)$  is on, a tail is guaranteed to show up in the column register of the switch  $(p,q)$ .

$$
up(p,q) \mapsto up(p,q) \land \langle \exists \alpha :: \alpha^t @ (p,q,1) \rangle.
$$
 (DP10)

The proof of  $(DP9)$  is symmetrical to the proof of  $(DP2)$ . The proof of  $(DP10)$  is based on the same steps as the proof of (DP8). However, it is slightly more complicated, since the tail of the message can either still be on the source row, or already on the column. So, to move to the switch  $(p, q)$ , the tail may have to first travel along the row up to its turning switch, and then move up the column. Let us also remark that, unlike (DP8), the property (DP10) is not a conditional property. We do not need to assume that packets at location  $(p,q,1)$  will eventually move to the next location when signal up is on, since it is implied by the property (P11.2.7.1) we have proved early on.

Let us now focus on the proof of property  $(Q2)$ . From  $(P11.2.1)$ ,  $(P6.1)$ , and invariant  $(P24)$ , we can deduce:

 $\sigma[v]^h \textcircled{e}(p,q,0) \wedge v=1$  unless  $\sigma[v]^h \textcircled{e}(p+1,q,1) \wedge \text{src}.\sigma[v]=p$ 

- $\Rightarrow$  {invariant (P14) + messages are properly structured}  $\sigma[v]^h \textcircled{D}(p,q,0) \wedge v=1$  unless  $\sigma[v]^h \textcircled{D}(p+1,q,1) \wedge \text{turn}(p,q)$
- $\Rightarrow$  {conjunction with (DP9) + turn and up are mutually exclusive}  $σ[v]^h@(p,q,0) ∧ v=1 ∧ up(p,q)$ unless  $σ[v]^h@(p,q,0) ∧ v=1 ∧ up(p,q) ∧ tail<sup>t</sup><sub>p,q</sub>@(p,q,1)$
- $\Rightarrow$  (PSP with (DP10) + definition of tail'p,q)  $\sigma[v]^h @ (p,q,0) \wedge v = 1 \wedge up(p,q) \mapsto \sigma[v]^h @ (p,q,0) \wedge v = 1 \wedge up(p,q) \wedge \langle \exists \alpha :: \alpha^t @ (p,q,1) \rangle.$  $(R15)$

## Furthermore, from (P11.2.1) and (P21), we get:

 $\alpha^t @ (p,q,1) \wedge p \leq N \wedge up(p,q)$  unless  $\langle \exists \alpha': pid.\alpha'=pid.\alpha :: \alpha'{}^t @ (p+1,q,1) \rangle \wedge \neg up(p,q)$ 

 $\Rightarrow$  {conjunction with (R14)+ consequence weakening}  $\alpha^t @ (p,q,1) \wedge p \leq N \wedge up(p,q) \wedge \sigma[v]^h @ (p,q,0) \wedge v=1$  unless  $\sigma[v]^h @ (p,q,0) \wedge \neg up(p,q)$  (DP9)

 $(R14)$ 

 $\Rightarrow$  {conjunction with  $\alpha^l \mathcal{Q}(p,q,1) \wedge p \le N \wedge up(p,q) \wedge \sigma[v]^h \mathcal{Q}(p,q,0)$  unless turn(p,q) (property (P23))}  $\alpha^{\mathfrak{t}}(\varpi(p,q,1) \wedge p \leq N \wedge \mathrm{up}(p,q) \wedge \sigma[v]^h \varpi(p,q,0) \wedge v = 1$  unless  $\sigma[v]^h \varpi(p,q,0) \wedge \mathrm{turn}(p,q)$ .  $(R16)$ 

When  $p$  is equal to  $N$ ,  $(R16)$  is equivalent to:

 $\alpha^{\text{t}}\textcircled{e}(N,q,1) \wedge \text{up}(N,q) \wedge \sigma[v]^h \textcircled{e}(N,q,0) \wedge v=1$  unless  $\sigma[v]^h \textcircled{e}(N,q,0) \wedge \text{turn}(N,q)$ 

- $\Rightarrow$  {PSP with  $\alpha^t \mathcal{Q}(N,q,1) \wedge up(N,q) \mapsto \alpha^t \mathcal{Q}(N+1,q,1)$  (property (P11.2.7.1.2)}  $\alpha^t@(N,q,1)\wedge up(N,q)\wedge \sigma[v]^h@(N,q,0)\wedge v=1\mapsto turn(N,q)\wedge \sigma[v]^h@(N,q,0)$
- $\Rightarrow$  {general disjunction on  $\alpha$  + transitivity with (R15)}  $\sigma[v]^h \textcircled{D}(N,q,0) \wedge v=1 \wedge up(N,q) \mapsto \sigma[v]^h \textcircled{D}(N,q,1) \wedge turn(N,q).$

When  $p$  is smaller than  $N$ , ( $R16$ ) is equivalent to:

 $\alpha^t @ (p,q,1) \wedge p < N \wedge \text{up}(p,q) \wedge \sigma[v]^h @ (p,q,0) \wedge v = 1 \text{ unless } \sigma[v]^h @ (p,q,0) \wedge \text{turn}(p,q)$ 

 $\Rightarrow$  {PSP with  $\alpha^t \mathcal{Q}(p,q,1) \wedge p \ll N \wedge up(p,q) \wedge empty \mathcal{Q}(p+1,q,1) \mapsto \alpha^t \mathcal{Q}(p+1,q,1)$  (property (P11.2.7.1.1))}  $\alpha^t @ (p,q,1) \wedge p \lt N \wedge up(p,q) \wedge \sigma[v]^h @ (p,q,0) \wedge v=1 \wedge empty @ (p+1,q,1) \mapsto \sigma[v]^h @ (p,q,0) \wedge turn(p,q).$ 

We can also easily prove:

 $\alpha^t \textcircled{a}(p,q,1) \wedge p \text{N} \wedge \text{up}(p,q) \wedge \sigma[v]^h \textcircled{a}(p,q,0) \wedge v = 1 \wedge \text{—empty} \textcircled{a}(p+1,q,1)$  $\mapsto$ 

 $\alpha^t \textcircled{a}(p,q,1) \wedge p \lt N \wedge \text{up}(p,q) \wedge \sigma[v]^h \textcircled{a}(p,q,0) \wedge v=1 \wedge \text{empty} \textcircled{b}(p+1,q,1)$ 

- $\Rightarrow$  {transitivity of leads-to + disjunction with the previous property}  $\alpha^t@ (p,q,1) \wedge p< N \wedge \mathrm{up}(p,q) \wedge \sigma[v]^h @ (p,q,0) \wedge v=1 \mapsto \sigma[v]^h @ (p,q,0) \wedge \mathrm{turn}(p,q)$
- $\Rightarrow$  {general disjunction on  $\alpha$  + transitivity with (R15)}  $\sigma[v]^h \textcircled{D}(p,q,0) \wedge v=1 \wedge p \ll N \wedge up(p,q) \mapsto \sigma[v]^h \textcircled{D}(p,q,0) \wedge turn(p,q).$
- **Proof of Properties (P11.2.2.1) and (P11.2.3.1)**  $\blacktriangledown$

We will show that header packets whose value is different from 1 eventually move to the next location on the row:  $\pi$  above  $\sim$ 

$$
O(Y) \oplus (p,q,U) \land Y \neq 1 \land q \geq 1 \mapsto \sigma[v-1]^h \textcircled{a}(p,q+1,0) \tag{P11.2.2.1}
$$

and that non header packets eventually move to the next location on the row when signal turn is off:

$$
\alpha^{\tau} \textcircled{a}(p,q,0) \land \tau \neq h \land q \geq 1 \land \neg \text{turn}(p,q) \mapsto \alpha^{\tau} \textcircled{a}(p,q+1,0)
$$
\n
$$
\text{for } \alpha = \text{then } \alpha \text{ is odd.} \tag{P11.2.3.1}
$$

by induction on the column number  $q$ . Since, from location  $(p,M,0)$ , packets can only move to the column, the

Base Case: q=M-1

Let us first show (P11.2.2.1). From the fact that a packet can move to the next location only if it is empty, we can easily prove:

 $\sigma[v]^h \omega(p,M-1,0) \wedge v \neq 1 \wedge \text{--empty} \omega(p,M,0)$  unless  $\sigma[v]^h \omega(p,M-1,0) \wedge v \neq 1 \wedge \text{empty} \omega(p,M,0).$  $(R17)$ 

From the two packet movement properties (P11.2.4.1) and (P11.2.5.1) we have just proved, we can easily derived that packets at their turning switch eventually move to the next location:

 $\alpha \omega(p,q,0) \wedge q = \text{dest.}\alpha \mapsto \text{empty} \omega(p,q,0).$ 

Since packets at the right end of the rows are necessarily at their turning switch, we have:

 $\alpha \omega(p,M,0) \mapsto \text{empty}\omega(p,M,0)$ 

الموارد والمستقل والمستند والمنافر المتوارد المواقع المصر المراكبين

```
\Rightarrow {general disjunction on \alpha}
               \lnot empty@(p,M,0) \mapsto empty@(p,M,0)
       \Rightarrow {PSP with (R17)}
              \sigma[v]^h \omega(p,M-1,0) \wedge v \neq 1 \wedge \text{—empty} \omega(p,M,0) \mapsto \sigma[v]^h \omega(p,M-1,0) \wedge v \neq 1 \wedge \text{empty} \omega(p,M,0).We also know, from (P11.2.2.1.1):
              \sigma[v]^h \omega(p,M-1,0) \wedge v \neq 1 \wedge \text{empty} \omega(p,M,0) \mapsto \sigma[v-1]^h \omega(p,M,0)\Rightarrow {transitivity of leads-to + disjunction with the previous property}
              \sigma[v]^h@(p,M-1,0) \land v≠1 \mapsto \sigma[v-1]^h@(p,M,0).
              Let us now show (P11.2.3.1). We can easily prove:
              \alpha^{\tau}(\omega(p,M-1,0) \wedge \tau \neq h \wedge \neg \text{turn}(p,M-1) \wedge \neg \text{empty}(\omega(p,M,0))unless
              \alpha^{\tau}(\omega(p,M-1,0) \wedge \tau \neq h \wedge \neg \text{turn}(p,M-1) \wedge \text{empty}(\omega(p,M,0))\Rightarrow {PSP with (R18)}
              \alpha^{\tau} \textcircled{a}(p,M-1,0) \wedge \tau \neq h \wedge \neg \text{turn}(p,M-1) \wedge \neg \text{empty} \textcircled{a}(p,M,0)\mapsto\alpha^{\tau}(\omega(p,M-1,0) \wedge \tau \neq h \wedge \neg \text{turn}(p,M-1) \wedge \text{empty}(\omega(p,M,0)).We also know, from (PI1.2.3.1.1):
              \alpha^{\tau} \omega(p,M-1,0) \wedge \tau \neq h \wedge \neg \text{turn}(p,M-1) \wedge \text{empty} \omega(p,M,0) \mapsto \alpha^{\tau} \omega(p,M,0)\Rightarrow {transitivity of leads-to + disjunction with the previous property}
              \alpha^{\tau}(\omega(p,M-1,0) \wedge \tau \neq h \wedge \neg \text{turn}(p,M-1) \mapsto \alpha^{\tau}(\omega(p,M,0)).
```
#### Induction Hypothesis

Let us suppose:

 $\sigma[v]^h \omega(p,q+1,0) \wedge v \neq 1 \wedge q+1 > 1 \mapsto \sigma[v-1]^h \omega(p,q+2,0)$  $\alpha^{\tau} \omega(p,q+1,0) \wedge \tau \neq h \wedge q+1>1 \wedge \text{min}(p,q+1) \mapsto \alpha^{\tau} \omega(p,q+2,0).$ 

From these two properties we can easily prove:

 $\alpha \omega(p,q+1,0) \wedge 1 < q+1 < \text{dest.}\alpha \mapsto \text{empty} \omega(p,q+1,0).$ 

We also know:

 $\alpha \omega(p,q+1,0) \wedge q+1 = \text{dest.}\alpha \mapsto \text{empty}\omega(p,q+1,0).$ 

So, we have:

 $\alpha \omega(p,q+1,0) \wedge q+1>1 \mapsto \text{empty}\omega(p,q+1,0)$ 

 $\Rightarrow$  {general disjunction on  $\alpha$ }  $\lnot$ -empty@(p,q+1,0)  $\land$  q+1>1  $\mapsto$  empty@(p,q+1,0).

**Induction Step** 

The proofs of:

 $\sigma[v]^h \omega(p,q,0) \wedge v \neq 1 \wedge q \geq 1 \mapsto \sigma[v-1]^h \omega(p,q+1,0)$  $\alpha^{\tau} \textcircled{a}(p,q,0) \wedge \tau \neq h \wedge q \geq 1 \wedge \neg \text{turn}(p,q) \mapsto \alpha^{\tau} \textcircled{a}(p,q+1,0)$ 

are identical to the proofs of the base case. We just have to replace  $M-1$  by  $q$  and use (R19) instead of (R18).

 $(R18)$ 

 $(R19)$ 

#### THEOREMS ABOUT UNLESS, ENSURES, AND LEADS TO  $\mathbf{C}$ .

The theorems are listed without any proofs. They can be found in [2] and in the notes 01-88 and 21-90 on UNITY [13, 14].

C.1. Theorems about Unless

Consequence Weakening

Conjunction and Simple Conjunction

p unless q, p' unless q'<br>  $(p \land p)$  unless  $(p \land q) \lor (p' \land q) \lor (q \land q)$  $\frac{p \text{ unless } q, p' \text{ unless } q'}{p \land p' \text{ unless } q \lor q'}$ 

**Stable Conjunction** 

p unless q, stable b  $p \wedge b$  unless  $q \wedge b$ 

Disjunction and Simple Disjunction

p unless q, p' unless q'<br>  $(\mathbf{p} \vee \mathbf{p})$  unless  $(-\mathbf{p} \wedge \mathbf{q}) \vee (-\mathbf{p}' \wedge \mathbf{q}) \vee (\mathbf{q} \wedge \mathbf{q})$ 

 $\frac{p \text{ unless } q, p' \text{ unless } q'}{p \vee p' \text{ unless } q \vee q'}$ 

General Disjunction and Corollary

$$
\frac{\langle \forall i :: p.i \text{ unless } q.i \rangle}{\langle \exists i :: p.i \rangle \text{ unless } \langle \forall i :: \neg p.i \lor q.i \rangle \land \langle \exists i :: q.i \rangle}
$$
\n
$$
\frac{\langle \forall i :: p.i \text{ unless } \neg p.i \land q.i \rangle}{\langle \exists i :: p.i \rangle \text{ unless } \langle \forall i :: \neg p.i \rangle \land \langle \exists i :: q.i \rangle}
$$

Cancellation

<u>. Verste behandelse et hekkelske konkrekken bestander av sommen verromer te verromer von vormer av av andre ver</u>

punless q, q unless r  $\overline{p \vee q}$  unless r

 $\overline{1}$ 

Conjunction

punless q, p' ensures q'<br>  $(p \land p)$  ensures  $(p \land q) \lor (p' \land q) \lor (q \land q)$ 

C.3. Theorems about Leads to

Implication

 $p \rightarrow q$  $p \mapsto q$ 

Reflexivity

 $p \mapsto p$ 

Stable Conjunction

$$
\frac{p \mapsto q, \text{ stable } b}{p \land b \mapsto q \land b}
$$

General Disjunction

$$
\frac{\langle \forall m : m \in W : : p(m) \mapsto q(m) \rangle}{\langle \exists m : m \in W : : p(m) \rangle \mapsto \langle \exists m : m \in W : : q(m) \rangle} \quad \text{for any set W}
$$

Progress-Safety-Progress (PSP)

 $\frac{p \mapsto q, r \text{ unless } b}{p \wedge r \mapsto (q \wedge r) \vee b}$ 

**Induction Principle** 

 $\sim$ 

Let  $(W, \prec)$  be a well-founded set, and M a function from the program state to W. We have:

 $\frac{\langle \forall m\,:\,m\,\in\,\operatorname{W}\,:\,p\,\wedge\,\operatorname{M=m}\,\mapsto\, (p\,\wedge\,\operatorname{M}\!\operatorname{\prec}\! m)\,\vee q\rangle}{p\,\mapsto q}$