Tools Overview Contact Us Publications Case Studies Manual Home

PASS Case Studies

Wireless LAN

The IEEE 802.11 Wireless LAN protocol uses a randomized algorithm to avoid collisions on the transmission channel. Further, the wireless medium loses messages with a certain probability. The considered model is parameterized with an exponential back-off counter limit BOFF and a maximal package send time of T mu s. We checked the property: "The maximum probability that either station's back-off counter reaches k" for k=3 and k=6. Increasing BOFF from 5 to 6 leads to an exponential increase in model size and running time in PRISM, while in PASS 1.0 the row is identical for BOFF=5 and BOFF=6. It was observed in [HermannsWZ08] that states with back-off counter higher than three can reach a goal state (via a reset), however they do not lie on paths with maximal probability. Hence refinement never splits blocks with respect to back-offs beyond three which is somewhat similar to the motivating example. It also turns out that the computed lower and upper bounds are precise (lower and upper bound agree). The discrepancy in the number of blocks between PASS 1.0 and PASS is caused by more aggressive qualitative preprocessing before the quantitative analysis.

In addition, we used PASS to compute the minimal reachability probability for reaching a backoff counter value of 6. PASS computed the precise probability. Note that PASS 1.0 does not support minimal reachability.


Similar to the WLAN protocol, the IEEE 802.3 CSMA/CD protocol is parameterized with an exponential back-off counter limit BOFF. We analyzed the properties:

Property Description
p1: Pmax=? [true U s1=4 &s 2=4] "The maximum probability that both stations deliver"
p2: Pmin=? [true U bc1=5 | bc2=5] "The message of any station eventually delivered before 1 backoff"

For both properties, the abstract state space is significantly smaller. Consider property p2. Similar to the WLAN protocol, the size of the abstraction does not change with respect to the size of BOFF. However, the counterexample analysis of PASS 1.0 explores a larger number of paths explored with increasing BOFF. The reason is that for greater values of BOFF, there is more branching in the probabilistic model, thus in the abstraction there are more abstract paths being explored. Refinement for probabilistic game abstraction explores one path per refinement step. Therefore this problem does not arise.

Bounded Retransmission Protocol

The Bounded Retransmission Protocol (BRP) protocol has two parameters: N denotes the length of the file to be transmitted, and MAX denotes the maximal number of retransmissions. We have studied the following properties:

Property Description
p1: Pmax=? [F s=5 & T ] "Eventually the sender does not report a successful transmission"
p4: Pmax=? [F srep!=0 & T & !recv] "Eventually the receiver does not receive any chunk and the sender tried to send a chunk"

As observed in [HermannsWZ08], there is little leeway for abstraction for p1 if precise probabilities are required. The modeled has to be fully reconstructed by refinement.

However, p4 can be analyzed for an infinite parameter range with PASS 1.0: it is an invariant property with respect to the file length N. The constraint N>16 allows us to verify the property for any possible file length greater than 16. While PASS 1.0 computed safe upper bounds, we are able to compute the precise probability. We can thus confirm that the bounds previously computed are tight indeed.

Sliding Window

The sliding window protocol (SW) is the standard protocol with lossy channels over an unbounded domain of sequence numbers. Due to the sequence numbers, the model is infinite and hence there can be no comparison to PRISM. Two properties were checked.

Property Description
gp: Pmax=? [true U sent>expected+2 ] "goodput property"
to: Pmax=? [true U clock >= TIMEOUT] "timeout"

A goodput property which considers the difference between the number of sent and received packages. The goal is to compute probability that the number of sent packages exceeds the number of received packages by a particular constant. PASS 1.0 established that, at any time, the probability of the difference exceeding three is at most three percent for windows size four. Using PASS, we computed the precise probability which is actually smaller than three percent. The second property concerns the probability of a protocol timeout. Here we could also compute the precise probability. The number of blocks used by the game-based tool is significantly smaller than those computed by PASS 1.0. This is because PASS 1.0 unnecessarily unrolled the value domain of timer variable, which the novel tool did not do.

Valid XHTML 1.1 Valid CSS! Powered by PHP