A TLA Solution to the Speci cation and Veri cation of the RLP 1 Retransmission

This paper presents a series of TLA + speciication/implementations that lead to an implementation of the retransmission policy of RLP1, the Radio Link Protocol proposed for TDMA-based digital cellular radio. Both safety and liveness properties are proved for SWPInitial, a very abstract, but formal, speciication of a sliding window protocol. The rest of the work consists of a series of reenements which nally result in a model of RLP1. Each reenement step is formally proved. In all cases the most diicult part of the proof is for liveness. We prove, formally and rigorously, and parametrised by the window size N , that the model of RLP1 obtained from the last reenement step is an implementation of the initial speciication SWPInitial, and thus inherits safety and liveness properties proved for all the higher-level speciications. The speciications are written in TLA + , a formal language based on TLA, and proofs are given in Lamport's hierarchical proof-style. Most proof steps are checked mechanically in Eves.