When is enabled in , it may occur , leading to the marking defined by: Other properties may be specific to the protocol, such as the number of messages stored in a receive buffer never goes above a predefined limit. With a formal, executable model of a protocol, state space analysis is well-suited to automatically proving a desired set of protocol properties. Seven subpages model details of: For example, from the results in Table 1 when , incrementing results in an additional consecutive frame and ACK, thereby an additive increase in the state space size.

To overcome these limitations, by analysing trends in autosra state space results and closer inspection of the CPN, observations on the desired properties are made without generating the complete set of state spaces.

However there is a specific case, delayed ACKs, when this is not true unless the sending rate is limited. In addition, only the basic ISO-compliant frame types are modelled as opposed to the optional extended frames. This is a well-known problem in any acknowledgment-based protocol [ 11 ].

The interactions are referred to as service primitives and the set of possible orderings of service primitives is the service language.

To support manual validation of the model against the specification, the naming scheme for CPN elements follows that used in the specification. Using formal analysis techniques, the models enabled flexxray verification of FrTp for selected configurations.

The CPN model uses transitions to model the delivery of service primitives between FrTp and PduR the transitions are highlighted with thick borders in Figure 6. As the focus is only on functional properties of the protocol not performancemodelling the reception of a frame in a nondeterministic manner allows our analysis to consider how FrTp behaves when errors occur in the FlexRay communication bus.


For example, a CPN ML query function was written to check if all terminal markings are one of eitheror. The header includes the block size: Another promising technique to alleviate the state explosion problem is to utilise the sweep-line method [ 36 ].

With there are even more possible interleavings with three CFs, leading it an even larger increase in state space size. This section outlines the design of the model, and presents part of the CPN.

Let a place and a nonnegative integer be given. FrTp uses a go-back-N uatosar mechanism: Ideally the protocol language and desired service language shall be equivalent. Currently there are no closed form equations for the state space size in these cases. The selected state space analysis provides increased confidence that FrTp is error-free. Coloured Petri nets and state space analysis has been used to prove the FrTp protocol, under selected configurations, is deadlock-free and conforms to the flexra specification when transferring a single PDU from sender to receiver.

Again, with a formal model of auosar protocol, as well as the desired service language, state space analysis combined with language theory can be applied to verify that the sequence of service primitives allowed by the protocol faithfully refines that of the service language.

Number of consecutive frames allowed to be sent before flow control received. The key decisions and their justifications are described below.


Once the bytes received equals the bytes expected the data can be delivered to the receiver PDU Router. Property 1 Absence of deadlocks.

An identical formula is obtained for the number of arcs,except. Seven subpages model details of: Our decision to focus on the core features of FrTp first is part of the incremental approach to protocol verification. State space and language analysis has been applied to prove the desired properties of FrTp for selected sets of input parameter values, as well as make other observations on its behaviour. CPNs are selected as the formal modelling language as they: For there is only one CF, however withtwo CFs are sent, and an increased state space results because of both the extra frame as well as the possible interleavings between the transitions modelling transfer of the two CFs.

The authors would like to thank the anonymous reviewers for their many helpful suggestions for improving this paper. Proof of the conjectures, which requires detailed manual analysis of the CPN model using for example techniques applied in [ 29 ], is left for future work. Different frame types are used in FrTp.