A mechanically proved and incremental development of IEEE 1394

The IEEE 1394 tree identify protocol illustrates the adequacy of the event-driven approach used together with the B Method . This approach provides a complete framework for developing mathematical models of distributed algorithms. A speci c development is made of a series of more and more re ned models. Each model is made of a number of static properties (the invariant), and of a dynamic parts (the guarded events). The internal consistency of each model as well as its correctness with regards to its previous abstraction are proved with the proof engine of Atelier B, which is the tool associated with B. In the case of IEEE 1394 , the initial model is very primitive: it provides the basic properties of the graph (symmetry, acyclicity, connectivity), and its dynamic parts essentially contains a single event which elects the leader in one shot. Further re nements introduce more events, showing how each node of the graph non-deterministically participates to the leader election. At some stage in the development, message passing is introduced. This raises a speci c potential contention problem, whose solution is given. The last stage of the re nement completely localize the events by making them taking decision based on local data only.