IEEE 802.11 Wireless LAN

mcpta 1.1

Please note: The syntax of the examples presented here is not compatible with current versions of mcpta. The mcpta download includes updated model files.

Wireless networks based on the IEEE 802.11 family of standards use the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol to manage access to the wireless medium and reduce the number of collisions. This aspect has been investigated in a PRISM case study that uses a manually generated model with the digital clocks semantics. We reimplement it in Modest, which gives us the opportunity to compare the performance of the PRISM code generated by mcpta to that of a hand-written model.

Modelling

In the original PRISM case study, the channel and the station models are given as both PTA and PRISM code. The PTA for the stations is relatively complex, so we make use of the standard transformation from PTA to Modest.

The model's main parameters are BCMAX, the maximum value of the backoff counter, and TTMAX, the maximum transmission time for the wireless communication.

Click to expand

// Modest model of IEEE 802.11 Wireless LAN
action send, send1, send2;
action finish, finish1, finish2;
action success, success1, success2;
action bck, bck1, bck2;
action coll1, coll2;

const int BCMAX = 2;

// Parameters for the physical layer
const int ASLOT = 1;
const int DIFS = 3; // due to scaling can be non-deterministically either 2 or 3
const int VULN = 1; // due to scaling can be non-deterministically either 0 or 1
const int TTMAX = 315; // scaling up // 25 for deadlines & expected
const int TTMIN = 4; // scaling down
const int ACK_TO = 6;
const int ACK = 4; // due to scaling can be non-deterministically either 3 or 4
const int SIFS = 1; // due to scaling can be non-deterministically either 0 or 1

// packet status
// 0: nothing sent
// 1: sending correctly
// 2: sending garbled
int c1 limit [0..2]; // first station's packet
int c2 limit [0..2]; // second station's packet


// Properties
// Probabilistic reachability
const int K = 2;
// "with probability 1, eventually both stations have sent their packet correctly"
property P_1 = P(<> did(success1) && did(success2)) >= 1.0;
// "the maximum probability that either station's backoff counter reaches K"
property P_max = Pmax(<> did(bck1) || did(bck2));

// Time-bounded probabilistic reachability
const int DEADLINE = 100;
// "the minimum probability of both stations correctly
//  delivering their packets within time DEADLINE"
property D_and = Pmin(<> did(success1) && did(success2) && time <= DEADLINE);
// "the minimum probability of either station correctly
//  delivering its packet within time DEADLINE"
property D_or = Pmin(<> (did(success1) || did(success2)) && time <= DEADLINE);
// "the minimum probability of station 1 correctly
//  delivering its packet within time DEADLINE"
property D_1 = Pmin(<> did(success1) && time <= DEADLINE);

// Expected reachability
// "the maximum expected time until both stations correctly deliver their packets"
property E_and = Tmax(did(success1) && did(success2));
// "the maximum expected time until either station correctly delivers its packet"
property E_or = Tmax(did(success1) || did(success2));
// "the maximum expected time until station 1 correctly delivers its packet"
property E_1 = Tmax(did(success1));


process Channel()
{
   do {
      :: finish1 {= c1 = 0 =}
      :: finish2 {= c2 = 0 =}
      :: send1 {= c1 = min(c2 + 1, 2), c2 = min(c2 + c2, 2) =}
      :: send2 {= c1 = min(c1 + c1, 2), c2 = min(c1 + 1, 2) =}
   }
}

process Sender(int id limit [1..2])
{
   clock x;
   int status limit [0..2];
   int bc limit [0..BCMAX];
   int backoff limit [0..pow(2, BCMAX + 4) - 1];

   process SENSE()
   {
      invariant(x <= DIFS)
      alt {
         :: when(x == DIFS || x == DIFS - 1) {= x = 0 =};
            VULN()
         :: when(c1 + c2 > 0) urgent(c1 + c2 > 0) {= x = 0 =};
            WAIT_FREE()
      }
   }

   process VULN()
   {
      invariant(x <= VULN)
      when(x == VULN || x == VULN - 1) send {= x = 0 =};
      TRANSMIT()
   }

   process TRANSMIT()
   {
      invariant(x <= TTMAX)
      alt {
         :: when(id == 1 && x >= TTMIN) finish {= x = 0, status = c1 =};
            TEST_CHAN()
         :: when(id == 2 && x >= TTMIN) finish {= x = 0, status = c2 =};
            TEST_CHAN()
      }
   }

   process TEST_CHAN()
   {
      urgent
      alt {
         :: when(c1 + c2 > 0) tau;
            WAIT_FREE()
         :: when(c1 + c2 == 0 && status == 2) tau;
            NO_ACK()
         :: when(c1 + c2 == 0 && status == 1) tau;
            SEND_ACK()
      }
   }

   process SEND_ACK()
   {
      invariant(x <= SIFS)
      when(x == SIFS || x == SIFS - 1) send {= x = 0 =};
      ACK()
   }

   process ACK()
   {
      invariant(x <= ACK)
      when(x == ACK || x == ACK - 1) finish {= x = 0 =};
      urgent success // DONE
   }

   process NO_ACK()
   {
      invariant(x <= ACK_TO)
      when(x == ACK_TO) {= x = 0 =};
      WAIT_DIFS()
   }

   process WAIT_FREE()
   {
      when(c1 + c2 == 0) urgent(c1 + c2 == 0) {= x = 0 =};
      WAIT_DIFS()
   }

   process WAIT_DIFS()
   {
      invariant(x <= DIFS)
      alt {
         :: when((x == DIFS || x == DIFS - 1))
            {= backoff = DiscreteUniform(0, pow(2, bc + 4) - 1),
               bc = min(bc + 1, BCMAX), x = 0 =};
            // The following line is only for reachability properties
            urgent alt { :: when(bc == K) bck :: when(bc != K) tau };
            BACKOFF()
         :: when(c1 + c2 > 0) urgent(c1 + c2 > 0) {= x = 0 =};
            WAIT_FREE()
      }
   }

   process BACKOFF()
   {
      invariant(x <= ASLOT)
      alt {
         :: when(x == ASLOT && backoff == 0) {= x = 0 =};
            VULN()
         :: when(x == ASLOT && backoff > 0) {= backoff = backoff - 1, x = 0 =};
            BACKOFF()
         :: when(c1 + c2 > 0) urgent(c1 + c2 > 0) {= x = 0 =};
            WAIT_FREEII()
      }
   }

   process WAIT_FREEII()
   {
      when(c1 + c2 == 0) urgent(c1 + c2 == 0) {= x = 0 =};
      WAIT_DIFSII()
   }

   process WAIT_DIFSII()
   {
      invariant(x <= DIFS)
      alt {
         :: when(x == DIFS || x == DIFS - 1) {= x = 0 =};
            BACKOFF()
         :: when(c1 + c2 > 0) urgent(c1 + c2 > 0) tau;
            WAIT_FREEII()
      }
   }

   SENSE()
}


par {
   :: Channel()
   :: relabel {send, finish, success, bck}
      by {send1, finish1, success1, bck1} Sender(1)
   :: relabel {send, finish, success, bck}
      by {send2, finish2, success2, bck2} Sender(2)
}

In the case of the station model, the probabilistic branching induced by the exponential backoff process is hidden in the assignment backoff = DiscreteUniform(0, 2^bc+4−1). In the PRISM language, this has to be represented by a lengthy guarded command for every possible value of 2^bc+4−1, which amounts to 150 lines of code the equivalent of which mcpta generates automatically.

Properties

The following properties have been checked using the Modest model of the Wireless LAN:

Probabilistic reachability properties

P_≥1: with probability 1, eventually both stations have sent their packet correctly
P(<> did(success1) && did(success2)) >= 1.0
(P_max): the maximum probability that either station’s backoff counter reaches K
P_max(<> did(bck1) || did(bck2))

Expected-time reachability properties

(E_∧): the maximum expected time until both stations correctly deliver their packets
T_max(did(success1) && did(success2))
(E_∨): the maximum expected time until either station correctly delivers its packet
T_max((did(success1) || did(success2)))
(E₁): the maximum expected time until station 1 correctly delivers its packet
T_max(did(success1))

Probabilistic time-bounded reachability properties

(D_∧): the minimum probability of both stations correctly delivering their packets within time DEADLINE
P_min(<> did(success1) && did(success2) && time <= DEADLINE)
(D_∨): the minimum probability of either station correctly delivering its packet within time DEADLINE
P_min(<> (did(success1) || did(success2)) && time <= DEADLINE)
(D₁): the minimum probability of station 1 correctly delivering its packet within time DEADLINE
P_min(<> did(success1) && time <= DEADLINE)

Results and Performance

We checked the properties for BCMAX = 2, TTMAX = 315 (i.e. 15750 µs, for the probabilistic reachability properties) and TTMAX = 25 (i.e. 1250 µs, for the expected-time and probabilistic time-bounded reachability properties). DEADLINE was 100, i.e. 5000 µs. We used PRISM 3.3 with the "sparse" engine, which performed best.

Results

The following table lists the model-checking results for the properties we checked. We obtained the same results from the Modest model and the model from the PRISM case study.

	`K` = `BCMAX` = 2, `TTMAX` = 15750 μs, no deadline	`K` = `BCMAX` = 2, `TTMAX` = 1250 μs, `DEADLINE` = 5000 µs
P_≥1	true	true
P_max	0.184	0.184
E_∧	n/a	6280 μs
E_∨	n/a	4206 μs
E₁	n/a	5586 μs
D_∧	n/a	0.0
D_∨	n/a	0.816
D₁	n/a	0.132

State-space size

The following table compares the number of states in the underlying MDP for the different parameter and property combinations on the Modest model and the model from the PRISM case study, as reported by PRISM:

	Modest	PRISM
Standard	116 280	447 872
Expected	31 026	170 632
Deadlines	1 850 590	5 227 058

Performance

The following table lists the model-checking time and memory usage for the Modest model and the model from the PRISM case study, as reported by PRISM. All runs were performed on an Intel Core Duo T9300 (2.5 GHz) system. MC refers to the model construction time.

	Modest		PRISM
MC	7 s	-	16 s	-
P_≥1	23 s	n/a	30 s	n/a
P_max	5 s	2969 kB	6 s	11025 kB
MC	1 s	-	1 s	-
E_∧	5 s	2457 kB	9 s	11973 kB
E_∨	3 s	2355 kB	7 s	11754 kB
E₁	4 s	2457 kB	8 s	11863 kB
MC	14 s	-	26 s	-
D_∧	24 s	46080 kB	19 s	128202 kB
D_∨	19 s	62259 kB	24 s	135559 kB
D₁	23 s	56832 kB	26 s	132994 kB