Verification of Ad Hoc Networks with Node and Communication Failures

(1)

HAL Id: hal-00909367

https://hal.inria.fr/hal-00909367

Submitted on 29 May 2017

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Verification of Ad Hoc Networks with Node and

Communication Failures

Giorgio Delzanno, Arnaud Sangnier, Gianluigi Zavattaro

To cite this version:

Giorgio Delzanno, Arnaud Sangnier, Gianluigi Zavattaro. Verification of Ad Hoc Networks with Node

and Communication Failures. 14th International Conference on Formal Methods for Open

Object-Based Distributed Systems (FMOODS) / 32nd International Conference on Formal Techniques for

Networked and Distributed Systems (FORTE), Jun 2012, Stockholm, Sweden. pp.235-250.

�hal-00909367�

(2)

Node and Communi ation Failures

GiorgioDelzanno

1

,ArnaudSangnier

2

,andGianluigiZavattaro

3

1

UniversityofGenova,Italy

2

LIAFA,UnivParisDiderot,SorbonneParis Cité,CNRS,Fran e

3

UniversityofBologna,INRIA-FOCUSResear hTeam,Italy

Abstra t. We investigatetheimpa tofnodeand ommuni ation fail-uresonthe de idability and omplexity ofparametri veri ation ofa formalmodelofadho networks.Westartby onsideringthreepossible typesofnodefailures:intermitten e,restart,and rash.Thenwemove tothree asesof ommuni ationfailures:nondeterministi messageloss, messagelossdueto oni tingemissions,anddete table oni ts. Inter-estingly,weprovethatthe onsideredde isionproblem(rea habilityofa ontrolstate)isde idablefornodeintermitten eandmessageloss(either nondeterministi ordueto oni ts)whileitturnsouttobeunde idable fornoderestart/ rash,and oni tdete tion.

1 Introdu tion

Broad ast ommuni ation is oftenused in networks in whi h individual nodes havenopre ise information abouttheunderlying onne tiontopology(e.g. ad ho wireless networks). As shown in [13,10,11,16,17,4℄, this type of ommuni- ation an naturallybespe iedin modelsin whi hanetwork ongurationis representedasagraphandinwhi hindividualnodesrunaninstan eofagiven proto olspe i ation.Aproto oltypi allyspe ies asequen eof ontrolstates in whi h a node an either send amessage (emitter role), waits for amessage (re eiverrole), or performs anupdate of itsinternal state. Broad ast ommu-ni ation an berepresented hereas a simultaneous update of the state of the emitter node and ofthe statesof its neighbors.This semanti s of broad astis oftentermedsele tive in ontrastwithbroad astmessagesthatsimultaneously rea hallnodesofanetwork.

Alreadyatthislevelofabstra tion,veri ationofadho networkproto ols turns outtobeaverydi ulttask. A formala ountofthis problemis given in[3,4℄, wherethe ontrolstaterea hability problem isprovedtobeunde idable for sele tivebroad ast ommuni ation. The ontrol state rea hability problem onsists in verifying theexisten eofan initialnetwork onguration(with un-knownsizeandtopology)thatmayevolveintoa ongurationin whi hatleast onenodeisinagiven ontrolstate.Ifsu ha ontrolstaterepresentsaproto ol error,then thisproblem naturallyexpresses(the omplementof) asafety veri- ationtaskin asettingin whi hnodeshavenoinformationaprioriaboutthe

(3)

works under the assumption that the underlying network and ommuni ation modelarebothreliable.Thisisaquitestrongassumptionsin eadho networks have several sour es of unreliability: from node failures to oni ts aused by interferen esamongdierenttransmissions.

Inthis paper we study the impa t of node and ommuni ation failures on the ontrol staterea hability problem for ad ho network proto ols. We start ouranalysisbyintrodu ingnodefailuresin amodelofsele tivebroad ast.For this purpose, we onsider an intermittent semanti s in whi h a node an be (de)a tivated at any time. As a rst result, we show that ontrol state rea h-abilitybe omesde idableunder theintermittentsemanti s.De idabilityseems stri tlyrelatedtotheassumptionthatnodeshave annotdire tlytakede isions that depend on the urrent a tivation state(e.g. hange statewhen the node is turned on).We then onsidertworestri ted typesof node failure, i.e., node rash (a node anonly bedea tivated)and node restart(whenit isa tivated, itrestartsin aspe ialrestartstate).Weshowthatforthesetwosemanti s,the veri ationtaskbe omesunde idable.

We onsiderthendierenttypesof ommuni ationfailures.Werst onsider asemanti sinwhi habroad astisnotguaranteedtorea hallneighborsofthe emitternodes(messageloss).Controlstaterea habilityisagainde idableinthis ase.Wethenintrodu easemanti sforsele tivebroad astspe i allydesigned to apturepossible oni tsduring atransmission.Basi ally,atransmissionof abroad astmessageissplitinto twodierentphases:astartingandanending phase.Duringthestartingphase,re eivers onne ted totheemitter movetoa transientstate.Whilebeinginthetransientstate,are eptionfromanothernode generates a oni t. In the ending phasean emitter alwaysmovesto thenext state whereas onne ted re eiversmove to their nextstate only when no on-i tshavebeendete ted.Time-out anbemodeledherebyallowingre eiversto abandonatransmissionatanytime.Inourmodelwealsoallowseveralemitters to simultaneouslystart atransmission. De idability holds only when re eivers ignore orruptedmessagesbyremainingintheiroriginalstate.Moreover,forthe veri ationtaskinthede idablevariantsweshowthatitispossibletoresortto thepolynomialtime rea habilityalgorithmthat wehavepresentedforamodel ofadho networkswithnondeterministi mobilitypresentedin [2℄.

Related Work.Formalmodelsofbroad ast ommuni ationhavebeen onsid-ered in several work in the literature su h as [14,16,17,6,5,8,10,11,12℄. Perfe t syn hronoussemanti sforbroad ast ommuni ationin mobileandadho net-works have been proposed in [14,16,17,5℄. Veri ation problems for broad ast proto olshasbeenstudied inthedierent ontextofhardwareproto ols[6℄.In alltheabovementionedworksatransmissionismodelledas anatomi stepin whi htheemitternodeandthe onne tedre eivernodessimultaneouslyupdate their urrentstate.De idabilityof rea habilityproblemslikethosewe onsider here( overability)isnot onsidered only in the ase ofsyn hronousbroad ast forfully onne tednetworks[6℄.

(4)

andtheinstantinwhi hthetransmissionendshavebeen onsideredinatimed semanti s[10,11℄inwhi heverymessagehasanasso iatednon-zerotransmission time,orinformofnon-atomi transitions(startandendphasearekeptdistin t) asin[12℄.Inalltheseapproa hesabroad ast ommuni ationissplitintoseveral phases to model s enarios in whi h dierent transmission periods of dierent emitters overlap. Following [12℄ in the present paper we onsider an untimed semanti sforexpli itlyrepresenting oni ts.Dierentlyfromothermodels,our semanti sallowsmultiple nodesto starta ommuni ationin the sameinstant, amodelthatseems loserto reals enarios.

In[3,4℄wehavestudiedde isionproblemsforveri ationofmodelsofadho networkswithsee tivebroad ast ommuni ationwithperfe tsemanti sandno oni ts.Inthispaperweliftourstudiestounreliablenetworksand ommuni a-tionmodelsand onsidersemanti sforbroad ast ommuni ationwith oni ts. Communi ationfailures (e.g.messagelossandinsertion)are ommonly onsid-ered when fa ing veri ation problems for ommuni ation proto ols as in the ase of unreliableFIFO hannels [1℄. Dierently from works like [1℄, we evalu-ate herethe impa tof ommuni ationfailures ina ommuni ationmodel with broad ast ommuni ationrestri tedtoneighbournodesandinwhi h rea habil-ityisformulatedforaninitial ongurationwitharbitrarysizeandtopology.

2 Ad Ho Networks

Denition1. A

Q

-graphis alabeledundire tedgraph

γ = hV, E, Li

, where

V

isanitesetof nodes,

E ⊆ V × V

isasymmetri relationrepresenting anite set of edges, and

L

is a labeling fun tion from

V

to a set of labels

Q

(in our settingtheyrepresent ontrol states).

Weuse

L(γ)

torepresentallthelabelspresentin

γ

(i.e.theimageofthefun tion

L

).Thenodesbelongingtoanedgeare alledtheendpointsoftheedge.Foran edge

hu, vi

in

E

, weusethenotation

u ∼

γ

v

andsay thattheverti es

u

and

v

areadja entto ea hotherin thegraph

γ

.Weomit

γ

,and simplywrite

u ∼ v

, whenitismade learbythe ontext.

A ongurationisa

Q

-graphandweassumethat ea h nodeofthegraphis apro essthat runsa ommonpredenedproto ol denedbya ommuni ating automaton with a nite set

Q

of ontrol states. Communi ation is a hieved via sele tive broad ast:the ee t of a broad astis lo al to thevi inity of the sender.Theinitial ongurationisanygraphinwhi hallthenodesarelabeled byaninitial ontrolstate.Notethatevenif

Q

isnite,thereareinnitelymany possible ongurations(the numberof

Q

-graphs). Wenextformalizetheabove intuition.

Denition2. Apro ess isatuple

P = hQ, Σ, R, Q

0 i

, where

Q

isanitesetof ontrol states,

Σ

isanite alphabet,

R ⊆ Q × ({τ } ∪ {!!a, ??a | a ∈ Σ}) × Q

is the transitionrelation,and

Q

0 ⊆ Q

isasetof initial ontrolstates.

(5)

Thelabel

τ

representsthe apabilityofperformingan internala tion, andthe label

!!a

(

??a

) represents the apability of broad asting (re eiving) amessage

a ∈ Σ

.For

q ∈ Q

and

a ∈ Σ

,wedenetheset

R

a

(q) = {q

′

_{∈ Q | hq, ??a, q}

′

_{i ∈ R}}

whi h ontainsstatesthat an be rea hed from thestate

q

when re eivingthe message

a

.

Thenetwork semanti s asso iated to apro ess

P = hQ, Σ, R, Q

0 i

is given bythetransition system

AHN (P) = hC, ⇒, C

0 i

, where

C

is thesetof

Q

-graphs (network ongurations),

C

0

istheset of

Q

0

-graphs(initial ongurations),and

⇒⊆ C × C

isthetransitionrelationdenedasfollows:for

γ = hV, E, Li

,wehave

γ ⇒ γ

′

i

γ

′

_{= hV, E, L}

′

_i

andoneofthefollowing onditionsholds: Lo al:

∃v ∈ V

s.t.

(L(v), τ, L

′

_{(v)) ∈ R}

,and

L(u) = L

′

_(u)

forall

u

in

V \ {v}

; Broad ast:

∃v ∈ V

s.t.

(L(v), !!a, L

′

_{(v)) ∈ R}

and for every

u ∈ V \ {v}

, we have:

if

u ∼ v

and

R

a

(L(u)) 6= ∅

(

u

an re eive

a

),then

L

′

_{(u) ∈ R}

a

(L(u))

,

L(u) = L

′

_(u)

,otherwise.

Anexe utionin

AHN (P)

isasequen e

γ

0 γ

1 . . .

su hthat

γ

0 ∈ C

0

and

γ

i

⇒ γ

i+1

for

i ≥ 0

.Weuse

⇒

∗

todenotethereexiveandtransitive losureof

⇒

. Observethatabroad astmessage

a

sentby

v

isdeliveredonlytothesubset of neighbors interested in it; su h a neighbor

u

has then to update its state withanewstatetakenfrom

R

a

(L(u))

.Alltheothernodes(in ludingneighbors notinterestedin

a

)simplyignorethemessage.Alsonoti ethat thetopologyis stati ,i.e.,thesetofnodesandedgesremainun hangedduring anexe ution.

As an exampleof an ad ho network and of its semanti s, onsider a pro- ess onsisting of the following rules:

(A, τ, C)

,

(C, !!m, D)

,

(B, ??m, C)

, and

(A, ??m, C)

. As shown in Figure 1, starting from a onguration with only

A

and

B

nodes,an

A

noderstmovesto

C

andthensends

m

tohis/herneighbors. Inturn,theyforwardthemessage

m

totheirneighbors,andso on.

A

B

A

B

⇒

C

A

B

A

B

⇓

D

C

B

C

A

B

∗

_⇐

D

Fig.1.Exampleofnormalexe ution

Thenetworksemanti sformalizedbythetransitionsystem

⇒

assumesxed topology. Formally, if

γ ⇒ γ

′

then

γ = hV, E, Li

and

γ

′

_{= hV, E, L}

′

_i

(6)

wehave formalized also nondeterministi mobility as follows. Given a pro ess

P = hQ, Σ, R, Q

0 i

themobilenetworksemanti sisgivenbythetransitionsystem

MAHN (P) = hC, , C

0 i

,where

C

and

C

0

areasinthedenitionof

AHN (P)

and

⊆ C × C

isthetransitionrelationdenedasfollows:for

γ = hV, E, Li

,wehave

γ γ

′

i

γ

′

_{= hV, E}

′

_{, L}

′

_i

andone ofthefollowing onditionsholds: State transition:

γ ⇒ γ

′

; Mobility:

E

′

_{⊆ V × V}

and

L

′

_{= L}

.

Observethat all the transitions of the original

AHN (P)

transition system arein ludedbythestatetransitionrule,whilethemobilityruleaddstransitions that modifytheedgesarbitrarilywhilepreservingthelabelingfun tion.

2.1 Safety Analysis: the Control State Rea hability Problem

Following [3,4℄ we onsider de ision problems related to veri ation of safety properties.Weremarkthatinourformulationthesizeandtopologyoftheinitial ongurationsisnotxedapriori.Theproblemthatwe onsideris ontrolstate rea hability ( over) denedasfollows:

Input: A pro ess

P = hQ, Σ, R, Q

0 i

with

AHN (P) = hC, ⇒, C

0 i

and a ontrol state

q ∈ Q

.

Output: Yes,if

∃γ ∈ C

0

and

γ

′

_{∈ C}

s.t.

γ ⇒

∗

_γ

′

and

q ∈ L(γ

′

₎

; no,otherwise. If

q

representsanerrorstate, over amountsat he kingwhetherthere exists aninitial onguration(amongtheinnitelymanypossibleones)from whi ha onguration ontaininganodeintheerrorstateisrea hable.

In[3℄,weprovethefollowingresult. Theorem 1. over isunde idable.

Inthefollowingwewillalso onsider over forthemobilenetwork seman-ti s: in that ase thetransitions

γ γ

′

will be takeninto a ountinstead of

γ ⇒ γ

′

.In[3℄wehaveprovedthat overturnsoutto bede idablewith spon-taneous(i.e.non-deterministi )mobility.Indeed,inthis settingthetopologyof the network annot be exploited to build stru tures that ould be applied to model anunboundedstorage. Inamorere entwork [2℄,wehave hara terized its omplexity.

Theorem 2. over for mobilead ho networks is Ptime- omplete.

Wewillalsostudy dierentsemanti sforadho networksand wewill on-sider overforthesesemanti s.However,sometimesthelabelledgraphs repre-sentingthe ongurationswill havemoreinformation in theirlabels thanonly the ontrol stateof the pro ess, for these ases, over will orrespond to the rea habilityofa ongurationinwhi hthereexistsanodewhoselabel ontains thedesired ontrolstate.

(7)

3.1 IntermittentNodes

Westart ouranalysis from asemanti variantthat modelsintermittent nodes. Wemodifythenetworksemanti s byusing aag,whi his setto

A

[resp.to

D

℄ todenote ana tive[resp.dea tivated℄ node.

Denition3. Given apro ess

P = hQ, Σ, R, Q

0 i

, an i- ongurationisa

(Q ×

{A, D})

-graphandan initial i- ongurationisa

(Q

0 × {A, D})

-graph.

We use

C

int

[resp.

C

int

0

℄ to denote the set of i- ongurations [resp. initial i- ongurations℄asso iatedtoapro essdenition

P

.Givenapro ess

P = hQ, Σ,

R, Q

0 i

, the semanti s of the orresponding ad ho network with intermittent nodes isgivenbythe transitionsystem

AHN

i

(P) = hC

int

_{, 99K, C}

int

0 i

where the transition relation

99K⊆ C

int

_{× C}

int

is dened as follows:for

γ = hV, E, Li

, we have

γ 99K γ

′

i

γ

′

_{= hV, E, L}

′

_i

andoneofthefollowing onditionsholds: Lo al:

∃v ∈ V

s.t.

L(v) = hq, Ai

,

L

′

_{(v) = hq}

′

_{, Ai}

,

(q, τ, q

′

_{) ∈ R}

,and

L(u) = L

′

_(u)

forall

u

in

V \ {v}

; Broad ast:

∃v ∈ V

s.t.

L(v) = hq, Ai

,

(q, !!a, q

′

_{) ∈ R}

,

L

′

_{(v) = hq}

′

_{, Ai}

, and for every

u

in

V \ {v}

: if

u ∼ v

and

L(u) = hq

′′

_{, Ai}

and

R

a

(q

′′

_{) 6= ∅}

,then

L

′

_{(u) = hq}

′′′

_{, Ai}

with

q

′′′

_{∈ R}

a

(u)

;

L(u) = L

′

_(u)

,otherwise. Intermitten e:

∃v ∈ V

s.t.

L(v) = hq, Ai

[resp.

L(v) = hq, Di

℄,

L

′

_{(v) = hq, Di}

[resp.

L(v) = hq, Ai

℄, and

L(u) = L

′

_(u)

forall

u

in

V \ {v}

.

Notethat thetransitionrelationisdened as inthepreviousse tionwithonly two dieren es: the transitions already present in the previous denition now apply only to a tive nodes (i.e. those with the ag

A

); additional transitions allowonenodetomovefromthea tivetothepassivestate,andvi eversa.We denoteby

99K

∗

thereexiveandtransitive losureof

99K

.

Anexampleofadho networkproto olandofitssemanti sundernode inter-mitten e, onsider the followingproto ol:

(A, !!m, D)

,

(C, !!m, D)

,

(B, ??m, C)

, and

(A, ??m, C)

.AsshowninFigure2,thetop-leftnodeisinitiallydea tivated. Itthena tivates,sendsamessage,andonlya tiveneighborsrea t,andso on.

We now prove that over is Ptime- omplete also for ad ho networks withintermittentnodes.Thisresultfollowsfromathe orresponden ebetween

AHN

i

(P)

and

MAHN (P)

formalizedbythefollowingproposition.

Proposition1. Consider apro ess denition

P

and a ontrol state

q

. A on-guration

γ

s.t.

q ∈ L(γ)

isrea hablefromaninitial onguration in

AHN

i

(P)

ifand onlyif a onguration

γ

′

s.t.

q ∈ L(γ

′

₎

isrea hable from an initial on-gurationin

MAHN (P)

.

(8)

A, D

A, A

B, D

A, A

B, D

99K

A, A

B, D

A, A

B, D

↓

D, A

C, A

B, D

A, A

B, D

L99

D, A

B, D

C, A

B, D

Fig.2.Exampleofexe utionwithintermittentnodes

Proof. Westartfromtheonlyifpart.Considertheinitialstate

γ

0 = hV, E, L

0 i

and the exe ution

γ

0 99K

∗

_γ

in

AHN

i

(P)

with

q ∈ L(γ)

. A similar exe u-tion an be reprodu ed also in

MAHN (P)

. Consider the initial onguration

γ

′

0 = hV, E, L

′

0 i

with, for every

v ∈ V

,

L

′

0 (v) = q

v

assuming

L

0 (v) = hq

v

, Ai

or

L

0 (v) = hq

v

, Di

. Considernowthefollowingexe ution

γ

′

0 ∗

γ

′

onstru ted from the aboveexe ution

γ

0 99K

∗

_γ

as follows. All the Lo al and Broad ast transitions are faithfully reprodu ed, while theIntermitten e transitions are mimi kedbyaMobilitytransition:in aseofdea tivationofonenodethe Mo-bilitytransitiondis onne tssu hnodefromitsneighbors,whilein aseofnode a tivation theMobility transitionrestores thepreviouslyremovededges.It is easytoseethat

q ∈ L(γ

′

₎

.

We now move to the if part. Consider the initial state

γ

′

0 = hV

′

, E

′

, L

′

0 i

and the exe ution

γ

′

0 ∗

γ

′

in

MAHN (P)

with

q ∈ L(γ

′

₎

. A similar exe u-tion an be reprodu ed also in

AHN

i

(P)

. Consider the initial onguration

γ

0 = hV

′

, E, L

0 i

with

E = V

′

_{× V}

′

(i.e.

γ

0

is a omplete graph) and, for ev-ery

v ∈ V

′

,

L

0 (v) = hq

v

, Ai

assuming

L

′

0 (v) = q

v

. Consider now the following exe ution

γ

0 99K

∗

_γ

onstru tedfrom theaboveexe ution

γ

′

0 ∗

γ

′

as follows. All theLo altransitionsarefaithfully reprodu ed;theBroad ast transitions arereprodu edbyaproto olthatrstdea tivatesthenodesthatarenot neigh-bors of the emitter in the orresponding mobile network exe ution, then the broad ast a tionsis mimi ked, and then the previouslydea tivated nodes are re-a tivated;theMobilitytransitionsarenotreprodu ed.Itiseasytoseethat

q ∈ L(γ)

.

⊓

⊔

Asasimple orollaryoftheabovePropositionandTheorem2weobtainthe following.

Theorem 3. over for ad ho networks with intermittent nodes is Ptime- omplete.

3.2 Node Crash and Restart

We now onsider twovariantsof thesemanti s with intermitten e.In therst one, modelling node rash,nodes an only be dea tivated. In the se ond one,

(9)

agivenspe ialstate.

Givenpro ess

P

,itstransitionsystemwithnode rashdenotedby

AHN

cr

(P)

, isdened as thetransitionsystem

AHN

i

(P)

where theIntermitten e transi-tionsarerepla edbythefollowingCrashtransitions:

Crash:

∃v ∈ V

s.t.

L(v) = hq, Ai

,

L

′

_{(v) = hq, Di}

, and

L(u) = L

′

_(u)

forall

u

in

V \ {v}

.

Notethatwiththissemanti s,nodesthathavebeenturnedo(ordea tivated) annotbea tivatedagain.

Thevariant with restartrequires the indi ation of the restartstate in the pro ess. So a pro ess

P = hQ, Σ, R, Q

0 , q

r

i

now in ludes a restart state

q

r

∈

Q

. Thetransition system

AHN

r

(P)

with noderestartfor

P

, is dened as the transition system

AHN

i

(hQ, Σ, R, Q

0 i)

where the Intermitten e transitions arerepla edbythefollowingRestarttransitions:

Restart:

∃v ∈ V

s.t.

L(v) = hq, Ai

[resp.

L(v) = hq, Di

℄,

L

′

_{(v) = hq, Di}

[resp.

L

′

_{(v) = hq}

r

, Ai

℄and

L(u) = L

′

_(u)

forall

u

in

V \ {v}

.

Inthis ase,besidesthetransitionsturning onodes,there arealsotransitions thatturnononenodeby hangingitsinternalstatetotherestartstate

q

r

.The followingtheoremthenholds.

Theorem 4. over withnode rash[resp. withnode restart℄ isunde idable. Proof. Theproofis byredu tion from theunde idability of over for adho networks(Theorem 1). Werst onsiderthe model withnode rash.Let

P

be apro ess.Itistrivialto seethata omputationleadingto a ongurationthat exposes the ontrol state

q

in

AHN (P)

has a orresponding omputation in

AHN

cr

(P)

(inwhi hnoCrashtransitionisperformed).

Considernow a omputation in

AHN

cr

(P)

leadingto a onguration that exposes the ontrol state

q

. It is not restri tive to assume that the state

q

is exposed by anode that did not rash during the omputation (we an always onsiderthelaststepin

q

beforethenode rashes).Considernowa omputation in

AHN (P)

thatperformsthesameLo alandBroad asttransitions(butnot theCrashtransitions).Itiseasytoseethatthenodesthatdidnot rashduring the omputationin

AHN

cr

(P)

areinthesamestatealsointhe omputationof

AHN (P)

. Hen e also thelatter omputation leadsto a ongurationexposing the ontrolstate

q

.

Theunde idability anbeprovedasin[3℄wherewepresenthowtotranslate atwo ounter ma hine (a Turing powerfulformalism) into aproto ol

P

forad ho network without failures. Su h proto ol

P

should be slightly modied as followsto work also under intermitten e. Let

P = hQ, Σ, R, Q

0 i

; the modied proto olisdenedas

P

′

_{= hQ}

′

_{, Σ}

′

_{, R}

′

_{, {q}

0 }, q

0 i

where

q

0 ∈ Q

/

and

R

′

isobtained from

R

by addingthefollowingrules:

(q

0 , !!init, q

′

0 )

and

(q

′

0 , τ, q)

forall

q ∈ Q

0

and

(q, ??init, q

err

)

forall

q ∈ Q

and thisassuming that

q

′

0 , q

err

∈ Q

′

\ Q

.The idea of this en oding is that the unique initial state and the restartstate are

(10)

proto ol

P

,ifitgoesto

q

′

0

itsendsallhisneighbors(whi hareinstatebelonging to

Q

)intothedeadlo kstate

q

err

.Thisensuresthatifanodeisturnedoandis rea tivated,it annotplayaroleinthesimulationoftheproto ol

P

by

P

′

.

⊓

⊔

4 Communi ation Failures

4.1 Message Loss

Thersttypeof failures orresponds tonondeterministi messageloss:whena messageisbroad asted,someofthere eivers ouldnotre eiveit.

Apro ess

P

isdenedasusual.The orrespondingtransitionsystem

AHN

l

(P)

isdenedas

AHN (P)

wheretheBroad asttransitionsarerepla edbythe fol-lowingMessagelosstransitions:

Messageloss:

∃v ∈ V

s.t.

(L(v), !!a, L

′

_{(v)) ∈ R}

andforevery

u ∈ V \ {v}

if

u ∼ v

and

R

a

(L(u)) 6= ∅

(re eptionof

a

in

u

isenabled),then

L

′

_{(u) ∈}

R

a

(L(u))

or

L

′

_{(u) = L(u)}

,

L(u) = L

′

_(u)

,otherwise.

The main dieren e with the transition system

AHN (P)

is that during the performan e of a broad ast, some of the potential re eivers ould remain in their internal state. This is similar to what happens in the model with inter-mittentnodeswhenone isdea tivated.Startingfromthisobservationitiseasy toshowthatthereexistsa omputationleadingtoa ongurationthatexposes the ontrol state

q

in

AHN

l

(P)

ithere existsa orresponding omputationin

AHN

i

(P)

.Fromthis onsideration,wededu ethefollowingtheorem.

Theorem 5. overforadho networkswithmessagelossis Ptime- omplete. Proof. Consider a pro ess denition

P

. As in Theorem 3 we show that there exists an exe ution in

AHN

l

(P)

leading to a onguration exposing the on-trol state

q

if and only if there exists an exe ution in

AHN

i

(P)

leading to a ongurationexposing

q

.

Consider an exe ution leading to a onguration that exposes the ontrol state

q

in

AHN

l

(P)

.Ithasthefollowing orrespondingexe utionin

AHN

i

(P)

: itissu ienttomimi Broad asttransitionsbyexe utingbeforethebroad ast asequen eofIntermitten etransitions thatswit h othenodesthatdonot re eivethemessage,andbyperformingafterthebroad asttheIntermitten e transitionsonthesamenodes.

Considernowanexe utionin

AHN

i

(P)

leadingto a ongurationthat ex-posesthe ontrolstate

q

. This exe ution an bemimi kedin

AHN

l

(P)

simply byassuming thatthe nodesthat aredea tivated duringaspe i phaseofthe exe utionin

AHN

i

(P)

,losethemessagesthatarebroad astedin thatphasein the orrespondingexe utionin

AHN

l

(P)

.

⊓

⊔

(11)

The se ond type of failures we onsider orresponds to transmission oni ts. Here we onsider oni ts duetothe ontemporaneousemissionof messages:if anode has(at least two) neighbors that ontemporaneouslybroad ast a mes-sage,thensu hanodeisunableto orre tlyre eivetheemittedmessages.The modeling of this phenomenon requires a signi ant modi ation of the formal semanti s.Firstof allweneedtointrodu eanotionofinternalstate.

InternalState.Theinternalstateofanodeis hara terizedbythe urrentstate a ordingtothepro essbehavior,andbytwoadditionalagsindi atingwhether thenodeis urrentlyemittingorre eivingamessage.Formally,givenapro ess

P = hQ, Σ, R, Q

0 i

wedenethe set ofstates

S =

[q, x, y] | q ∈ Q, x ∈ {⊥} ∪

Σ, y ∈ {⊥, rcv, cnfl}

. The eld denoted with

x

representswhether the node is or is not in a transmission state (

⊥

means no transmission, while

a ∈ Σ

denotes transmission of message

a

). The eld

y

represents whether the node is not re eiving (

⊥

) or it is urrently re eiving orre tly a message (

rcv

) or there eptionhasbeendamageddueto a oni t(

cnfl

). Theinitialstatesare dened as follows:

S

0 = {[q, ⊥, ⊥] | q ∈ Q

0 }

. Noti ethat nodesin their initial stateareneitherre eivingnoremitting.

Thenotationbasedontriplesisusefultosimplifythedenitionofthesemanti s. Inthegureswealsouseamore ompa tnotationwithoutdistin tionbetween transmissionandre eptionstate,e.g.,

[q, ⊥, ⊥]

issimpliedas

q

,

[q, a, ⊥]

as

[q, a]

,

[q, ⊥, rcv]

as

[q, rcv]

,et .

NetworkSemanti s.Thesemanti sofapro ess

P = hQ, Σ, R, Q

0 i

with oni ts isgivenbythetransitionsystem

AHN

co

(P) = hC

co

_{, ⇒, C}

co

0 i

where

C

co

istheset of

S

-graphsandtheset ofinitial ongurations

C

co

0

isthesetof

S

0

-graphs. Beforegivingtheformaldenitionofthetransitionrelation

⇒

⊆ C

co

_×C

co

,we denethefun tion

emitter

whi hasso iatestoa

S

-graph

γ = hV, E, Li

andtoa node

u ∈ V

,theset

emitter(γ, u) = {v | u ∼ v

and

L(v) = [q, a, y]

forsome

a ∈

Σ

and

y ∈ {⊥, rcv, cnfl}}

ofnodesadja entto

u

in

γ

whi h arein a transmis-sionstate.

Givena onguration

γ = hV, E, Li

,wehavethat

γ ⇒ γ

′

i

γ

′

_{= hV, E, L}

′

_i

andone ofthefollowing onditionsholds:

Lo al/Time-out:

∃v ∈ V

s.t.

L(v) = [q, ⊥, y]

,

y ∈ {⊥, cnfl, rcv}

,

(q, τ, q

′

_{) ∈}

R

,

L

′

_{(v) = [q}

′

_{, ⊥, ⊥]}

,and

L(u) = L

′

_(u)

forall

u ∈ V \ {v}

;

Start broad ast:

∃v

1 , . . . , v

l

∈ V

s.t.

∪

j∈{1...l}

emitter(γ, v

j

) = ∅

,

L(v

i

) =

[q

i

, ⊥, ⊥]

,

(q

i

, !!a

i

, q

′

i

) ∈ R

,

L

′

_(v

i

) = [q

i

′

, a

i

, ⊥] ∀i ∈ {1 . . . l}

andthefollowing onditionshold:

∀u ∈ V \ {v

1 , . . . , v

l

}

s.t.

u ∼ v

i

forsome

i ∈ {1 . . . l}

and

L(u) = [r, ⊥, y]

with

y ∈ {rcv, ⊥}

wehave:

•

if

y = rcv

then

L

′

_{(u) = [r, ⊥, cnfl]}

;

•

if

y = ⊥

and

u 6∼ v

j

∀j ∈ {1 . . . l} \ {i}

then

L

′

_{(u) = [r, ⊥, rcv]}

;

•

if

y = ⊥

and

u ∼ v

j

for some

j ∈ {1 . . . l} \ {i}

then

L

′

_{(u) =}

(12)

L(u) = L

′

_(u)

otherwise; End broad ast:

∃ v ∈ V

s.t.

L(v) = [q, a, ⊥]

,

L

′

_{(v) = [q, ⊥, ⊥]}

andwehave:

∀u ∈ V

s,t.

u ∼ v

and

L(u) = [r, ⊥, y]

, with

y ∈ {rcv, cnfl}

, and

emitter(γ, u) = {v}

wehave:

•

if

y = rcv

and

∃ r

′

s.t.

(r, ??a, r

′

_{) ∈ R}

then

L

′

_{(u) = [r}

′

_{, ⊥, ⊥]}

;

•

if

y = rcv

and

6 ∃ r

′

s.t.

(r, ??a, r

′

_{) ∈ R}

or

y = cnfl

then

L

′

_{(u) =}

[r, ⊥, ⊥]

;

L(u) = L

′

_(u)

otherwise.

Thelo alrulemodelsinternalandtime-outsteps(anodenon-deterministi ally de ides to abandon a transmission). In the start rule we sele t a set of node that have the apability of sending abroad astand he k that no other node in theirvi inityis urrentlytransmitting.Thesele tedemitterssimultaneously start transmitting.Re eiving nodes onne ted to a singleemitter moveto the

rcv

state,andtothe

cnfl

statein aseof onne tionwithmorethanoneemitter (e.g.asele tednodeandanemitterthatstartedtransmittinginapreviousstep). In theending rule anemitter movesto its nextstate.A re eiver onne ted to su hanodemovestothenextstateonlyifitisstillinthe

rcv

state(no oni ts o urredin betweenthestartandendphases).

As an exampleof ad ho networks and of its semanti s in themodel with oni ts, onsiderthepro ess

(S, !!m, T ), (R, ??m, Q)

,andtheexe utionin Fig-ure3. Intheinitial ongurationwehavethree sendersin state

S

(

a, b, c

from left to right), and three re eivers in state

R

(

d, e, f

from left to right). Nodes

a

and

b

an simultaneouslystart transmitting

m

, sin e no other node is ur-rentlytransmittingin theirvi inity.Node

d

simultaneouslymovesto a oni t state(itis onne tedtobothemitters),whilenode

e

movestoare eptionstate. When

c

startstransmitting

m

(againtherearenootheremittersinitsvi inity), node

e

is for ed to enter a oni t state, whereas node

f

goes to a re eption state. When

a

stops transmitting,

d

goesba kto the original state(a oni t o urred).Ifnow

c

stops transmitting,

f

re eivesthemessageandmovestoits nextstate

Q

(no oni tso urred). Finallywhen

b

stopstransmitting,

e

goes ba k to the original state (a oni t o urred). Other possible exe utions are obtained,e.g.,bysele tingonlyoneofthenodes

a, b

forstartingatransmission (the other nodehasto remainsilentsin eit is onne tedto ana tiveemitter) andbynondeterministi allyallowingre eivernodestoabandonatransmission.

Theorem 6. over for adho networkswith oni ts is Ptime- omplete. Proof. Considerapro ess

P

.Followingourusualproofte hnique,weshowthat there existsanexe utionin

AHN

co

(P)

leadingto a ongurationexposing the ontrolstate

q

ifandonly ifthereexistsanexe utionin

AHN

i

(P)

leadingtoa ongurationexposing

q

.

Itiseasytoseethata omputationleadingtoa ongurationthatexposesthe ontrolstate

q

in

AHN

co

(P)

hasa orresponding omputationin

AHN

i

(P)

:the Lo altransitionsarefaithfullyreprodu ed,theStartbroad asttransitionsare notmimi ked,andtheEndbroad ast transitionsaresimulatedviaaproto ol

(13)

S

a

S

b

S

c

R

d

R

e

R

f

⇒

T, m

a

T, m

b

S

c

R, cnfl

d

R, rcv

e

R

f

⇒

T, m

a

T, m

b

T, m

c

R, cnfl

d

R, cnfl

e

R, rcv

f

T

a

T

b

T

c

R

d

R

e

Q

f

⇔

T

a

T, m

b

T

c

R

d

R, cnfl

e

Q

f

⇔

T

a

T, m

b

T, m

c

R

d

R, cnfl

e

R, rcv

f

Fig.3.Exampleofexe utionwith oni ts

that rst turns o the nodes that donot re eivethe messageor that dete ta oni t, thenexe utesthebroad ast,andthenturnsonthesamenodes.

Itismore omplextoshowthata omputationin

AHN

i

(P)

that leadstoa ongurationthat exposesthe ontrolstate

q

an bereprodu edin

AHN

co

(P)

. Werstassume,withoutlossofgenerality,thatin thepro ess

P

there isat least one state with an outgoingbroad ast transition whi h is rea hablefrom an initialstate

q

0 ∈ Q

0

doingonly internal steps.If this isnot the ase, there is no ommuni ationin thesystemand theanalysis of over an betrivially doneby he kingwhetherthetargetstate

q

isrea hablefrom aninitialstatein theautomatondeningthepro essbehaviordoingonlyinternalsteps.Consider nowthe omputationin

AHN

i

(P)

thatleadstoa ongurationthatexposesthe ontrolstate

q

.Let

γ

0

betheinitial ongurationinthe onsidered omputation, and let

loss(u)

be the number of messages that the node

u

loses during the omputationwhenitwasturnedo.

Wenowshowtheexisten eofaninitial ongurationin

AHN

co

(P)

ableto reprodu esu h omputation.Thisinitial onguration ontains

γ

0

plusasetof additionalnodesusedtogenerate oni ts.

Namely,we onne ttoea hnode

u

oftheinitial onguration

loss(u)

addi-tional nodes

N oise(u)

: ea hnodein

N oise(u)

is onne tedonlywithits orre-spondingnode

u

.

Ea hnode

u

simulatesthe behaviorof the orrespondingnode in the om-putationin

AHN

i

(P)

.Thenodes in

N oise(u)

areinitially inthestate

q

0

.The simulationofthetransitionsinthe omputationin

AHN

i

(P)

isasfollows.First ofall,foreverynode

u

we onsiderlo altransitionsfornodesin

N oise(u)

instate

q

0

leadingthem to astate readyto performa broad ast.Thenthe transitions aresimulatedasfollows.

Lo altransitionsarefaithfullyreprodu ed. Intermitten etransitionsarenotmimi ked.

Tosimulate Broad ast transitions performed byone node, say

v

, we pro- eedasfollows:wepartitionthepotentialre eiversin twogroups,(i)those that a tually re eive the message and (ii) those that do not re eive it as theyareturned o.Forea hnode

u

in group(ii)wetakeanatta kernode

(14)

n ∈ N oise(u)

readytostartatransmissionandlet

n

performaStart broad- asttransition.Simultaneouslynode

u

movestothe

rcv

-state.Node

v

per-formsthenabroad ast(itexe utesboththeStartandtheEndbroad ast transitions).Sin e

u

and

v

are onne ted,

u

dete tsa oni tingtransmission andmovestothe

cnfl

-state.Finally,node

n

endsthetransmission. Note that the nodes orresponding to (i) re eive the broad astmessages, whilethose orrespondingto(ii)donotre eiveit,duetothe oni t gener-atedbytheinterferringtransmissionsgeneratedbytheatta kernode

n

. Byassumption on the ardinalityof

N odes(u)

, therefore an atta k an be ex-e uted everytime node

u

isswit hed o in the omputation with intermittent

semanti s.

⊓

⊔

4.3 Coni t dete tion

Wenowdeneavariantofthesemanti sinorderto apturethenotionof oni t dete tion.Infa t,eventhoughanodethatre eivesoverlappingsignalemissions is unable to re onstru t the emitted messages,it an inferthat (at least) two neighbors have ontemporaneouslyemittedtheirmessages.This an be onsid-eredinourmodelofadho networksbyadding oni tdete tiontransitionsto thepro esses.Su htransitions anbeexe utedbynodesattheendofare eive phase during whi h more than one neighbor has performed a broad ast. For-mally,weslightlymodifythedenitionoftheInternalStateandoftheNetwork Semanti softhepreviousse tion.

Internal State. The new denition of

P

is as usual with the unique dieren e that we an havetransitionsoftheform

(q, ρ, q

′

₎

in

R

,representing oni t de-te tion(where

ρ

isanewsymbol).

NetworkSemanti s.Givenapro ess

P

,thetransitionsystem

AHN

cd

(P)

hara -terizingthesemanti swith oni tdete tionisdenedas

AHN

co

(P)

ex eptthat theEnd broad ast transitionsarerepla edby thefollowingEnd broad ast II transitions:

End broad ast II:

∃v ∈ V

s.t.

L(v) = [q, a, ⊥]

,

L

′

_{(v) = [q, ⊥, ⊥]}

andwehave:

∀u ∈ V

s.t.

u ∼ v

,

L(u) = [r, ⊥, y]

,with

y ∈ {rcv, cnfl}

,and

emitter(γ, u) =

{v}

:

•

if

y = rcv

and

∃r

′

s.t.

(r, ??a, r

′

_{) ∈ R}

then

L

′

_{(u) = [r}

′

_{, ⊥, ⊥]}

;

•

if

y = cnfl

and

∃r

′

s.t.

(r, ρ, r

′

_{) ∈ R}

then

L

′

_{(u) = [r}

′

_{, ⊥, ⊥]}

;

•

if

y = rcv

and

6 ∃r

′

s.t.

(r, ??a, r

′

_{) ∈ R}

, or

y = cnfl

and

6 ∃r

′

s.t.

(r, ρ, r

′

) ∈ R

, then

L

′

_{(u) = [r, ⊥, ⊥]}

;

L(u) = L

′

_(u)

otherwise.

Asanexampleof adho networks andof itssemanti s with oni t dete -tion, onsiderthe pro ess

(S, !!m, T ), (R, ??m, Q), (R, ρ, Er)

, and theexe ution inFigure4.It onsistsofthesamestepsasthoseinFigure3uptoendingphases of broad astmessages.Re eiverthatdete t a oni tmovehereto thespe ial

(15)

Er

states.Note that inthestepfrom thefourthto thefth ongurationonly the node in the leftmost down orner dete ts a oni t. The other re eiver

R

is onne tedto twodierentemitters, soitwill applythedete tiononlyinthe nextstep.

S

R

⇒

d

T, m

S

R, cnfl

R, rcv

R

⇒

d

T, m

R, cnfl

R, rcv

d

T

Er

Q

⇔

d

T

T, m

T

Er

R, cnfl

Q

⇔

d

T

T, m

Er

R, cnfl

R, rcv

Fig.4.Exampleofexe utionwith oni tdete tions(indi atedas

⇒

d)

Theorem 7. overfor ad ho networkswith oni tdete tion isunde idable. Proof. Theproofis byredu tion from theunde idability of over for adho networkswithnoderestart(Theorem4).Considerapro ess

P = hQ, Σ, R, Q

0 , q

r

i

foradho networkswithnoderestart(

q

r

beingtherestartstate).Considernow thepro ess

P

′

_{= hQ ∪ {q}

i

}, Σ, R

′

, Q

0 i

,foradho networkswith oni t dete -tion,denedas

P

withthefollowingadditionaltransitions:forea hnode

q ∈ Q

wehaveatransitionlabeledwith

ρ

leadingtotheadditionalstate

q

i

,fromwhi h thereis onlyoneoutgoingtransitionlabeledwith

τ

leadingtotherestartstate

q

r

.

Werstshowthatgivena omputationin

AHN

r

(P)

leadingtoa ongura-tionthat exposesthe ontrol state

q

, thereexists a orresponding omputation in

AHN

cd

(P

′

₎

.AsinTheorem6wemakethenonrestri tiveassumptionthatin thepro ess

P

there isat leastone statewith anoutgoingbroad asttransition whi h is rea hablefrom an initial state

q

0 ∈ Q

0

doingonly internal steps.Let

γ

be theinitial ongurationof the onsidered omputation in

AHN

r

(P)

. For ea hnode

u

in

γ

wedenotewith

restart(u)

thenumberofrestartsperformedby

u

duringthe omputation.Wenowshowtheexisten eofaninitial onguration

γ

′

of

AHN

cd

(P

′

₎

from whi h the omputation is simulated. The onguration

γ

′

isas

γ

withthedieren ethat ea h node

u

hasexa tly

restart(n) × 2

addi-tional neighborsthat areusedtogenerate oni ts. Theseadditionalnodesare onne tedonlytothe orrespondingnode

u

.Thesimulationofthe omputation pro eeds as follows. Atthe beginning theadditionalnodes in state

q

0

perform thelo altransitionsleadingthemtoastatereadytoperformabroad ast.Then thesimulationstarts.

(16)

Atransitionthatdea tivatesthenode

u

issimulatedviathefollowing proto- ol:twooftheadditionalnodes onne tedto

u

performaStartbroad ast transition and then exe ute the End broad ast II.Due to the emission oni t,thenode

u

movestotheinternalstate

q

i

.

Atransitionthata tivatesthenode

u

isreprodu edbyaninternaltransition fromthestate

q

i

of

u

to therestartstate

q

r

.

Finally, Broad ast transitions are mimi ked byperforming in sequen ea StartandanEnd broad ast II transition.

We now show that a omputation in

AHN

cd

(P

′

₎

leading to a onguration thatexposesthe ontrolstate

q

hasa orresponding omputationin

AHN

r

(P)

. In the simulated omputation the Lo al transitions are reprodu ed faithfully, the Start broad ast transitions arenot mimi ked, whileEnd broad ast II transitionsaresimulatedbythefollowingproto ol.

Assumethatthenodethat ompletesitssignalemissionintheEnd broad- ast II transition is

u

, and let

a

bethe emitted message.The neighbors of

u

abletore eive

a

anbepartitionedinthreegroups:

(i)thosethat orre tlyre eivemessage

a

,

(ii)those that perform a oni t dete tiontransition during theexe ution oftheEnd broad ast IItransition,

and(iii)thosethat donot hange theirinternalstatebe ausetheyarestill undertheee tofanothersignalemission.

The simulation of the transition in

AHN

r

(P)

pro eeds as follows. The nodes, orresponding to thosein (ii) and (iii),that are not urrently rashedperform aCrashtransition, thentheBroad ast transitionisexe uted. Noti ethat at the end of this proto ol the nodes in (ii) are in the intermediary state

q

i

in the omputation in

AHN

cd

(P

′

₎

, while they are rashed in the orresponding omputationin

AHN

r

(P)

.TheLo altransitionsthatmovethenodesformthe state

q

i

to

q

r

arereprodu edin

AHN

r

(P)

byRestart transitions.

⊓

⊔

5 Con lusion

In thispaperwe have ompareddierenttypesof semanti s formodelling un-reliability in proto ols based on broad ast ommuni ation. The omparison is basedonthestudyofde idabilityandunde idabilityofthe overabilityproblem (rea hability of a network with at least a node in anerror state for an initial onguration of unknown size and shape). Coverability is ommonly used to formulateviolationsofpropertieslikemutualex lusion(andmoreingeneralto lo allyreasononerrorsgeneratedbyaxedsetofpro essesindependentlyfrom the global onguration).Coverabilityturns outto be unde idable for models in whi h individual nodes havespe ial transition to the dete t theo urren e of a failure (e.g. rash with restart, oni t dete tion). Removing this feature from the model ompletely hange the orresponding expressive power, often making overabilityde idable.De idabilityresultsareobtainedbymeansof re-du tionto a overabilityin amodel withspontaneousmovement,forwhi h we

(17)

to investigatethe impa tof nodeand ommuni ationfailures in ri her models of broad ast ommuni ation that ould beused to model for instan e routing strategyortimedivision proto ols.

Referen es

1. Abdulla,P.A.,Jonsson,B.:Verifyingprogramswithunreliable hannels.Inf. Com-put.127(2):91101(1996)

2. Delzanno,G.,Sangnier,A.,Traverso,R.,Zavattaro,G.: Rea habilityProblemsin MobileAdHo Networks.Te hni alreportavailableonarXiv.

3. Delzanno,G., Sangnier,A.,Zavattaro, G.: Parameterizedveri ationofAdHo Networks.CONCUR'10:313327

4. Delzanno,G.,Sangnier,A.,Zavattaro,G.: OnthePowerofCliquesinthe Param-eterizedveri ationofAdHo Networks.FOSSACS'11:441455

5. Ene, C., Muntean, T.: A broad ast based al ulusfor Communi ating Systems. IPDPS'01:149

6. Esparza,J.,Finkel,A.,Mayr,R.:Ontheveri ationofBroad astProto ols.LICS '99:352359

7. Fehnker,A.,vanHoesel, L.,Mader, A.:Modellingand veri ationofthe LMAC proto olforwirelesssensornetworks.IFM'07:253272

8. Godskesen,J.C.: A al ulusforMobileAdHo Networks.Coordination'07:132 150

9. Ladner, R. E.: The ir uit value problem is logspa e omplete for P. SIGACT News:1820,1977

10. Merro, M.: Anobservational theoryfor Mobile AdHo Networks.Inf. Comput. 207(2):194208(2009)

11. Merro,M.,Ballardin,F.,Sibilio,E.ATimedCal ulusforWirelessSystemsFSEN '09:228-243, 2010.

12. Lanese,I.,Sangiorgi,D.:Anoperationalsemanti sfor a al ulusforwireless sys-tems.TCS,411(19):1928-1948(2010)

13. Nanz, S., Hankin,C.: A Frameworkfor se urity analysis ofmobile wireless net-works.TCS, 367(12):203-227(2006)

14. Prasad, K.V.S.: A Cal ulus of Broad asting Systems. SCP, 25(23): 285327 (1995).

15. Saksena,M.,Wibling,O.,Jonsson,B.:Graphgrammarmodelingandveri ation ofAdHo RoutingProto ols.TACAS'08: 1832

16. Singh,A.,Ramakrishnan,C.R.,Smolka,S.A.:Apro ess al ulusforMobileAd Ho Networks.COORDINATION'08:296314

17. Singh, A.,Ramakrishnan, C.R., Smolka,S.A.: Query-Basedmodel he king of AdHo NetworkProto ols. CONCUR'09:603619