"Using lightweight modeling to understand Chord" (Pamela Zave; ACM SIGCOMM Computer Communication Review, 42(2):50-57, April 2012) summarizes the results of modeling and analyzing the Chord ring-maintenance protocol with Alloy. The paper proves that no published version of Chord is correct, even when obvious bugs are fixed.
This paper also defines a "best" version obtained by taking the best pieces, including both pseudocode and text, from the three published Chord papers. When the above paper was written I did not know whether the "best" version was correct or not. I have since shown that it is not correct, and also discovered a correct version of Chord, and proved that it is correct. This work is presented in the talk "A correct version of Chord (and how to get it)".
"Experiences with protocol description" (Pamela Zave; 1st International Workshop on Rigorous Protocol Engineering, Vancouver, Canada, October 2011) explains the nature of some of the flaws in the prior informal reasoning about Chord.
The original paper on this work, "Lightweight verification of network protocols: The case of Chord" (Pamela Zave; AT&T Technical Report, January 2010), gives a complete explanation of how to use Alloy to prove that a subset of Chord is correct.
For those who wish to see and compare Alloy models of various versions:
For those who wish to see and compare Promela models (for the Spin model-checker) of various versions: