GREGOR V. BOCHMANNand JAN GECSEI. Departement d'informatique, Universite de Montreal. Montreal, Canada. Verification of communication protocols.
A UNIFIED METHOD FOR THE SPECIFICATION AND VERIFICATION OF PROTOCOLS* GREGOR V. BOCHMANNand JAN GECSEI Departement d'informatique, Universite de Montreal Montreal, Canada
Verification control The two
1.
of
communication
structure parts are
protocols
usually
of
and logical verification of indicates that various for the verification of
of the
same
protocol.
All
known verification techniques derive in some way from two fundamental approaches: the state machine approach [ I, 2] and the programming language approach. [3,4] The first of these has been used when the are such
properties of the protocol as the absence of deadlocks
to be verified or undesired
loops or proper sequencing of operations. The programming language approach is used with properties involving counting and, in general, in cases when the state machine complex (involve
representations would too many states).
state-machine
techniques
use
become
too
It would
seem,
at first,
always
that
there
is
state-machine and to verification.
some
form
another. Thus, attempts between the methodologies
little
It is our belief that the two cation are not independent,but
to the
in the net
communitrans-
we demonstrate how some correctness proofs carried out for the three descriptions.
supported by of Canada.
the
can
associated
with
it an enabling
pred-
some variables of X, and new values to some vari~ of the modeled system is of tokens that reside in values of the variables.
A certain transition t of the system is enabled when all its input places have at least one token (standard
rule
for
Petri
nets)
and
its
enabling
Pt is true. When a~ansition is it may fire, i.e. the corresponding action
At is executed, and the tokens according to the'rules of Petri In the original
model
all
are redistributed nets.
transitions
are assumed to be instantaneous, their' mutual exclusion.
capable aspects
and
which
5 be
model
is intuitively
appealing
of naturally representing some of the systems being 'modeled:
control structure is represented connection of places, transitions ables of the set X
other,
three difIn section
has
~
the
model is widely applicable to the specification and verification of systems of communicating proces ses. In order to show its usefulness, we have a particular system, a 'simple data protocol working over an unreliable
MODEL
icate Pt' depending on an At ' assigning ables of X. The state determined by the number different places and the
semantic structure ables, predicates transitions
approaches to verifirather complemen-
which we present in section 4,.
BASIC
His model is essentially a Petri net [ 7] composed of a set of places and transitions complemented with a set of variables X. Each transition t
tary techniques. In order to benefit maximally from both methods, they should be used together; but it is first necessary to create a model that incorporates both the state machine and programming language formalisms. Such a model is described in sections 2 and 3. We believe that this
*This work has been partly National Research Council
(and generally on three dif-
In arecent paper, Keller [6] has proposed a model, for the representation of parallel programs.
Keller's
their own one from
to establish a bridge may be frustrated by
necessity to pass from one formalism which is not always trivial.
mission medium, for ferent specifications
the
actions
implies
con-
programming This is
partly because both methodologies have established formalism, quite different
THE
predicate enabled,
of reachability analysis, whereas the programming language method relies on proving assertions and invariants [ 5 land normally does not address the question of reachability or termination.
nection between the language approaches
of
the same protocol, each with a different tradeoff between state machine and Verification of partial and full correctness is carried out in terms of the
2.
properties
analysis
of the protocol' s actions. that the two approaches are
ferent descriptions programming aspects. three descriptions.
INTRODUCTION
chosen cation
a state-machine
content suggests
rather complementary. It intro duces a unified model for protocols subsystems) encompassing both aspects. The method is demonstrated
different
The
two parts:
the semantic This paper
not independent but cooperating distant
Experience with design communication protocols techniques are suitable
)
involves
and proving some assertions about traditionally, treated separately.
since
it is
important
by the interand some vari-
is represented by the and actions associated
variwith
parallelism and coordination can be modeled by having several transitions enabled at the same time. rally
3.
THE
The number of tokens in the model is genenot limited. EXTENDED
MODEL
In Keller's model each variable can, in principle, be affected by all transitions in the system. For the description of distributed systems which consist of several communicating subsystems located at different points in space, it seems to be natural that local variables of a given subsystem can only be affected by the transitions of that subsystem. We therefore extend Keller's model to include the possibility of having several disjoint subsystems and some means of communication between them as follows.
A system S (i.e. parallel program) is composed of . Each a nurnber of subsystems SI' S2' ... ,S subsystem, separately, is modeled by thg forrnalism of the previous section. If the set of variables of subsystem S. is called X. (the local variables of Si)' then the predic~tes and actions (calIed local actions) of the subsystem Xi only refer to these local variables. For the interaction of different subsystems, each subsystem may contain certain distantly initiated actions. Like the local actions, they may assign new values to the local variables; however, they are not associated with a given transition of the subsystem. Distantly initiated aciions are executed some finite time after they have been --initiated by a distant subsystem; this is done by the execution of an initiating statement in a local action of the distant subsystem. The initiating subsystem may pass value parameters for the execution of the distantly initiated action. All actions in a subsystem are executed in mutual exclusion; This form of interaction between subsystems seems to capture the essential properties of subsystem comrnunication through the exchange of messages. In fact, the initiation of an action in a distant subsystem corresponds to the sending of a message (the action parameters are the message content), and the execution of the distantly initiated action corresponds to the receiving of the message by the distant subsystem. . We note that the state of the system, at a given instant in time when no action is being executed, is given by the states of all subsystems., Le. their token distribution and variable values, and the set of distant action initiations which have not yet been executed. The latter set can be understood as the state of the "cornrnunication medium", or the messages "in trans i t". . We also remark that the set of variables X. together with all actions defined in S. cofistitute an abstract data type with mutual exclU§ion of the actions. [8]
The SENDERwaits for an acknowledge message before the next data message is sent. The protocol recovers from transmission errors detected by a redundancy check, and from lost messages through a time-out mechanism in the SENDER. In both cases, retransmission of the data message occurs. 4.1
One-place
(a)
Place
diagram
Initial
state
-
00
(b)
Variables:
(c)
Actions enabling predicate
Send
ackfnone v tout=true
(a)
if
-
exp=l;
(b)
Variables:
(c)
Actions
as t h ree-place
d'escrlptlon .
Same as three-place
enabling predicate
Receive
seqnb*none
description
action
if seqnb=exp+l (mod2) then use(data); exp:=exp+l (mod2); end; INITIATE (transA, seqnb:=none;
(PI:
(0,1)
4.2
Six-place
(a)
Place
,P2 :
. . .)
exp);
same as three-place description
i
description
diagrams Al
Dl
E.A .TI ..
DO
I
seqnb:none
Transition
(lIC:F.NDER E,Al' T I Initial
7(jQ . clock
in to
ack=seq then begin new(data); seq:= seq+l(mod2); end;
C8:) IRECEIVER Receive
Place diagram Initial state
New I
In contrast to [10] we suppose data transfer one direction only, from the SENDERsubsystem the RECEIVERsubsystem.
description
action
1 same
transA(p:(O,l)) Cl ock
4. EXAMPLES
It is a point-to-point protocol using the cornmunication medium alternatively in both directions.
Clock
INITIATE (transD,seq,data); ack:=none; time:=to; tout :=false;
transD
The protocol we use is essentially the "alternating bit" protocol of Bartlett [ 10] which can be summarized as folIows:
CB:) Send
Same as three-place
Transiti on
by the primitive INITIATE < name, PI' , Pk> appearing as a statement in a local action, which specifies the name of a unique distantly initiated action and k parameter values. We note that the initiating action does not wait for the completion of the initiated action, and that the order of execution of several distantly initiated actions may be different from the order in which they were initiated.
In this section we show the flexibility of the extended model by giving three descriptions of the same protocol: the first and second rninirnizing the number of places and variables respectively, and the third having a certain balance between them.
SENDERI
seq=l ;ack=l
For the specification of the variable declarations, predicates and actions of a subsystem, we use a notation close to the prograrnming language Pascal. [ 9] Ini tiation of a distant -action can be -ächii:",7ed
...
I
description
'D 1 /-
!New
state:
- tokens
in 1,7
Use 0
Al
-
token in 3
- seqnb=none
(b)
Variables: same as in three-state description except that seq and exp are no longer needed as a consequence. of the "unfolded" pI ace diagrams .
(c)
Actions: There would empty) associated with not include a detailed analogous to those of
be an action (possibly each transition. We do list, since they are the 3-place description.
4.3
Three-place
(a)
Place
description
diagram
D
New
!SENDER
Initial A-
I
state:
-
tokens
-
seq
in 1,4
Actions
( c) transition New
= 1
action
enabling predicate true
meaning
new(data);seq:=seq+l(mod2);
get new data user
2 E,A.,
D
(b)
Variables
s eq:
(0, 1)
ack:
-D
~
true
Clock
transmi (seq,
INITIATE(transD,seq,data); ack:=none;time:=to taut :=false;
;
(O,l,error,none)
acknowledge receiver
data:
. . .
data to 'mitted
taut:
boolean
time-out occurred
time:
int eger
timer
ack=seq
reception of expected acknowledge
A,c
ack=seq+l (mod2) ack=error
reception of wrong acknowledge
E
error
T
tout=true
Clock
true
from
be trans-
distantly
has
initiated transA
timeout curred time:=time-l;if then tout:=true
timer
time=O ;
action (p: (0,1))
CO\ll1t
...,
loss
diagram
I
RECEIVER
Ini tia1 Use
D*
!2
(b)
Variables
exp:
(0,1)
seqnb:
data:
(O,l,error,none)
. . .
I
state
-
token
-
exp
-
seqnb
=
in
received edge
has
oc-
action
depending on the transmission medium, one of the following will occur: acknow1edge ceived
erroneous:ack:=error;
Place
in
acknowl
case transmission of correct : ack :=p;
(a)
t message data)
A= ~feaning sequence number of message sent in this cyc1e
from
erroneous tion
-
re-
recep-
message
lost
Actions
( c) transition
action
enabling predicate
meaning
3
1
= none
Meaning
opposi te of expected sequence number of message received in this cycle sequence number of received message data in received message
Use
true
use(data);exp:=exp+1(mod2);
give
!2
true
INITIATE (transA, seqnb :=none;
transmit ( (exp) 1 edge)
D,..
seqnb=exp+1 (mod2)
;
reception of message with expectec sequence number
D=
seqnb=exp
;
reception of message with wrang sequence number
E
seqnb=error
;
error in message
distantly transD
initiated (p 1: (0,1)
action ;P2: . . .)
case (
exp);
transmission
data
to
user
message acknow-
received
depending transmission
on the me-
dium, one fo1lowing occur:
of the will
of
correct:seqnb:=P1;
message
received
data:=P2; erroneous:.
10ss
"
seqnb:= error
erroneous tion message
recep-
lost
4.4
Comments
The purpose strate that
of the places
preceding examples is to demonand variables are complementary
means of representing the state of communicating 'subsystems. The correctnessproofs outlined in the f following section are based on both aspects of the
formalism we use.
----
to
us at this point whether this power is useful in modeling communication protocols. The idea of using finite state machines and variables for protocol description is not new; [11 ] however, our also a means for describing leads to a unified proof
be
in operating
5.
transD
are.
clear
also
that
the
concept
of
We have assumed that chosen such that the only
occur
after
siderations in this
section
how
the
behavior, partial and full correctness of the global system. Of course these properties are not mutually independent; rally, are necessary
however, conditions
the time-out delay time-out transition
a transmission
liveness
.mission
and
cyclic
behavior
of partial
correctness
expressed
by the
=
PI : Producer-sequence say
that
the
sender
[ 5 ] will
We
show
is
complete
i
receiver.seqnb
predicates and actions of the sender defined such that after the execution 0
! D*
tr
can
Q
and
the first four, genefor the last one.
tions and distantly initiated actions cuted, and some assertions on program
ledge
~
We can conclude from fig. 1 that the constraints mentioned above do not introduce any deadlock (each state has a successor) and that the system shows a cyclic behavior such as expected for a data trans-
best derived from an analysis of possible transitions of the global system i.e. the reachability analysis. [1,2] This in turn requires taking into account the control structures of each subsystem, certain constraints on the order in which transi-
Verification
the
modeling
technique described previously can be used for the verification of different properties of a protocol such as absence of deadlocks, liveness, cyclic
Deadlock-freeness,
by
sender respectively, system.
This clearly depends on the execution speeds and delays of the different transitions and distantly activated actions. We have not included these con-
systems.
demonstrate
(only)
receiver and state of the
dis-
can serve equally for communication systems such or communicating processes
VERIFICATION
We
initiated
sitions of the on the initial
tantly initiated actions modeling of more general as the datagram service,
of the 1.
system respectively ahd, possibly, by a distantly initiated action not yet executed. The details of deriving such diagrams have been presented elsewhere. [2] Briefly, it is based on the control structure of the subsystems, on the constraints mentioned above, on the fact that the actions transA and
methodology. It should
We can now determine the possible transitions global system as shown in the diagram of fig.
Each stat~ action of the global system is characterlzed by the actlve places plI and p12 (containing a token) of the sender and receiver sub-
We note, however that in these examples the full power of Petri nets is not used; it is not clear
approach incorporates communications, which
constraint holds for the receiver. We also see that the time-out transition 'can only occur after the timer has been set by transition 0 and t clock 0 transitions have occurred.
= sender.data
for proving
the partial
and
full correctness. Assertion ASl follows from the fact that when ack = 0 or 1 in place 3 then the action transA must have been executed since the sender uses
has
the
entered
value
place
of exp
as
3.
However,
an, effective
the
receiver
parameter
for
initializing
the
action
t~sA
and
the
receiver
could not have done any further transition (see fig. 1) thus leaving the variable exp unchanged. The
assertion
Now
we
ASZ
define
the
can
be
shown
following
similarly.
global
predicates:
(as above)
PI
: Producer-sequence=Consumer-sequence
Pz
: Producer-sequence=Consumer-sequence sender.data(where the " " means
I
~f~ Q(~r~.,
concate-
I
nation)
=
P3 : sender.seq ind
establish
I : (P inducti6n
the
A P3) over
receiver.exp invariant
assertion
q'P~q~
Initially (PI A P3) holds, which implies I. Suppose now that I holds in some given state of the system; we have to show that I also hulds after one of'the subsystems has executed a transition or a distantly activated action. We note that the distantly
activated
actions
do not
affect
the
following
in
respect
similar
arguments
to the
arguments
show
that
I
execution
of the
apply
the
for
CPI"
P 3) ho1ds
Fig. Z.
Possible system
for the procedure an assertion Q
We now
consider
statement that Q'
that for execution
proving of the
definition, associated
t~is is a'complete correctness of the Now,
in order
state, which protocol.
5.4
to demonstrate
we have to show that cated above is live.
disto P3)
the
or
1
receiver.exp
=
0 or
1
receiver.seqnb= sender.seq A
I
is the
=
sender.data
same
as before.
only
one place.
This
implies,
in particular,
Verification
of the
six-place
protocol
The .verification follows similar lines as for the one-
and three-place
of possible the diagram
partial
descriptiäns.
transitions of fig. 3.
The
analysis
of the global system yields The only assertion used is
ASz: "receiver token in p lace 1 or-4 ~ receiver .data= sender .data" and corresponds
its
full
the
description.
des cript ion
implies that 1. Therefore
implies
=
0
: receiver.seqnb
invariant
three-place
,
mentioned above, the invariant I holds when the sender is in place
the
tially
with the transition N~ shows that (PZ A I P3) holds after the execution of Ne~, whiCh implles that I holds, too. Therefore I is invariant in respect to the transition N~. , As P
respect
that the proof of the liveness of the cornplete sender state is not as clear as in the case of
I
This action
global
We note that the diagram of possible transitions for the global system does not contain much information in this case, since each subsystem has essen-
ment, where Q' is obtained from Q by substitudata" for each occurrence ting "Producer-sequence in Q. of the
=
receiver.data and
"new (data)", it is sufficient to prove holds before the execution of the state-
of "Producer-sequence" together with the form
with
: sender.ack
ASZ
tnew (data)} Q
n~, which means to hold after the
states
sender.ack
~
data
of the
Ne~;
Producer-sequence
,
ho1ds
description,
Use.
of the transiP3 holds when I, this im-
~
Producer-sequence
transitions (three-place
tinguishing
ASi
Q
3)
is invariant
transition
1.
CP 2"'P I
predi-
transition
From ASl' and the enabling predicate tion in the sender follows that a token is in place 1. Together with plies that PI holds in place the axiomatic definition [5 ]
*
I
cates PI' P Z -,or P 3' neither do the transitions, except the Ne~ transltion of the sender and the Use ~, transition of the receiver. The
[qr~qr ~ Use *
v (PZ AI P3)' which is proved by the number of transitions executed.
to
correctness, assertion
the complete sender state indiThis can be seen from fig. Z
ASZ
of the
three-place
description.
is no invariant,but either PI or P
There
hold de-
which shows the diagram of possible transitions of the global system, where, in contrast to fig. I, we
pending on the places of the sender ana receiver tokens (see fig. 3). From this follows that the sender is in a complete state when a token is in
distinguish
place
the
ted by a " = (indicated by
")
states
for
which
P~
holds
(indica-
and those for which, P3 holds a " * "). The .transition diagram
shows that the state < 1,3> - , corresponding to the complete state of the sender, lies on the main
transitions
A=
and
D* will
never
be blocked
We note
that
the
of fig.
one
description twice, once
loop which is always followed when the transmission medium works correctly. We note that in this case the
1 or 4.
(
the
diagram Z, except
of
fig.
that
3 is equivalent
for the
each state in fig. 2 is replicated for the value of seq = 0 and once
proof of the liveness of the complete sender as weIl as the essential part of the "partial rectness" proof.
5.3
6.
The
Verification description verification
of the
follows
three-place
description.
ding
and
to ASl
ASZ
are
one-place
the The
same
protocol
lines
assertions
as
for
the
correspon-
for
seq = 1. We see that in this case [12] the reachability analysis that yields fig. 3 provides the
(see ASl and ASZ)' Therefore the complete sender state is live as long as there is no permanent malfunction of the transmission medium.
\
to
six-place
state, cor-
CONCLUSIONS
We have shown that the two complementary approaches of state machine models and the use of variables can be combined into a unified method for the specification and verification of systems of cooperating subsystems. Our unified model includes also the con-
REFERENCES
P2 holds
PI holds
A l,E,T
"""
qt:
E,T
1fl~
I
-
[1]
P .~I. ~1erlin, A methodology for the design and implementation of communication protocols, IEEE Transactions on Comm., Vol. COM-24, 1976, 614-621.
[2]
G.V. Bochmann, Finite state description of communication protocols, Publication # 236,
j!l 7
J
3]
lQl
I'"
E
~
k
I
I
Dl'E
-
t
--Use1- - tuse-D
-
I
ID,
E
!~l
I
-
[9]
report,
fQl
j
kinson,
[12 ]
PI holds
Pz holds v
)
Fig. 3.
Possible system
transitions (six-place
cept of distantly initiated be useful for modeling the tems
through
We have giving simple
the
exchange
demonstrated
of the
global
description)
actions, which seems to communication of subsysof messages.
the
flexibility
of the
three different specifications protocol. We believe that the
model
by
for the same model can also
provide a natural description of more complex protocols. For example, the opening and closing of connections are usually described by astate machine model,
whereas
the
data
transfer
phase
is described
by a program model with variables. [4] With our model, both aspects could be described in a unique specification. For
the
verification,
the
complement one another. in the previous vides assertions
two
aspects
of our
model
As shown in the example
.
sections, the program aspect profor correctness proofs, whereas the
state machine aspect provides useful the former and facilitates the proof absence of deadlocks.
information of liveness
for or (
There is clearly a tradeoff between the complexity of the state machine and program aspects of the specification,
as can
be
seen,
for
example,
from
the
comparison of the one-place and six-place descriptions. Since reachability analysis of state machines seems to be more amenable to algorithmic methods
than
verifying
(and
finding)
sertions, the above tradeoff may implications for future automated col verification.
and
condi-
on Concurrent June 1970.
1969. A.S. Danthine,
Verlag, Berlin, 1974. Scantlebury and P.T. Wil-
on reliable
of the
J.
p. 7, 1975. user manual
Bremer,
transport
full-duplex
trans~
links, CACM 12, 260,
-
An
axiomatic
protocol
des-
of
Cyclades, Professional Conference on Computer Networks and Teleprocessing, TH Aachen, March 1976.
--L New I
~
Ao,E,T
A note
R.A.
SE-I, Pascal
mission over half-duplex
!~
I
Springer
Bartlett,
cription
T
CACM, 7, 1976, 371-384. and F. Commoner, Events
on Software Engineering, K. Jensen and N. Wirth, and
[11 ]
'"I
imple-
B.H. Liskov and S..N. Zi11es, Specification techniques for data abstractions, IEEE Trans.
[10] K.A.
I
and
Proc. Fourth Data ACMjIEEE, 1975.
programs, A.W. Holt
[8 ]
r T! ~
E,T
verification
[7]
D -0 ~
Logical
Montreal,
.tions, in Project Mac conference Systems and Parallel Computation,
,E
0
Bochmann,
de
[6]
--
I
G.V.
Univ.
N.V. Stenning, A data transfer protocol, Computer Networks 1 1976, 99-110. C.A.R. Hoare, An axiomatic basis for computer programming, CACM, 12, 1969. R.M. Keller, Formal verification of Parallel
[5 ]
d'Informatique, 1976.
mentation of protocols, Communications Symposium
[4] Tr
Dep. July
program
as-
have important methods of proto-
G.V. Bochmann, Communication protocols and error recovery procedures, Proc. ACM Interprocess Communications Op. Syst. Review, Vol.
Workshop, March 1975. 9, No. 3, 45-50.
