Specifying Communication Protocols with Temporal Logic

Mohamed Jmaiel
Technische Universität Berlin, Fachbereich Informatik
Übersetzerbau und Programmiersprachen
Franklinstr. 28/29, Sekr. FR 5-13
D-10587 Berlin
email: [email protected]

Abstract

This paper investigates the usefulness of the usual temporal logic for the specification of communication protocols. It will show that a large class of protocol properties cannot be expressed in this logic, and proceed to examine the possibility of extending the usual temporal logic such that it can express desired protocol properties. A specification of the Internet Protocol will illustrate the application of the extended logic.
This work has been supported by the German Research Society (DFG) under grant Ho 1257/2.
Contents

1 Introduction
2 Specification of Protocols
3 A More "Compositional" Temporal Logic
  3.1 Indexing Temporal Operators
  3.2 Semantics
  3.3 Proof System
4 Extension of the Temporal Logic
  4.1 Introduction of colors
  4.2 Composition of Agents
  4.3 Extension of Operations
  4.4 Predicate Calculus
5 Specification Example: The IP-Protocol
6 Conclusion
1 Introduction

A distributed system consists of a family of components which essentially work independently of each other and interact only in order to exchange data. In order to control the data exchange between the different components of a distributed system, we need so-called communication protocols; these provide a set of communication rules which should be respected by the components during a system run. The complexity of distributed systems requires suitable formal techniques for the specification and verification of the protocols on which they are based. The formal specification should be the starting point for any rigorous development of a distributed system. In this paper we investigate the suitability of temporal logic as a formalism for the specification of communication protocols. It is widely recognized that temporal logic is an appropriate tool for capturing a wide variety of concurrent-program properties, such as partial correctness, termination, mutual exclusion, and deadlock freedom. This logic has been applied successfully for the specification and verification of properties of concurrent programs [MP 91] and [Lam 83a].
However, in the area of communication protocols its application has been less successful. On the one hand, temporal logic is not compositional, that is, the specification of a large system cannot be deduced from the specifications of its components. On the other hand, it has been shown in [Koy 87] and [SCFM 84] that a large class of protocol properties cannot be described using temporal logic. The reason is that messages cannot be uniquely identified on a stream. Hence, sent messages cannot be uniquely coupled to received messages in a system. In this paper we present a temporal logic for the specification of communication protocols that allows composition of specifications, and enables the description of desired protocol properties. We achieve the compositionality of the logic by indexing temporal operators. The index corresponds to a selected subsystem of the specified system. In this way, one system component can be specified independently from the others, that is, the system specification may contain formulas that must only be satisfied by selected components rather than by all components during a system run. In order to overcome the lack of expressiveness, we extend the semantic model by providing a mechanism that enables the unique identification of messages on a stream. We achieve this by "coloring" messages on a single stream with pairwise distinct colors, where colors can be viewed as an abstraction of time stamps. Thus, two messages that are transmitted on the same stream at different time points are distinct, even if they have the same content. It becomes apparent, however, that the assumption that messages on a stream will have distinct colors is not sufficient for the formulation of certain protocol properties. Generally, the specification of a large system requires more than this assumption. Hence, we introduce a hierarchy of congruence classes of colors, which enables us to express desired properties of communication protocols.
The paper starts by defining the class of systems we are dealing with. Then we define the temporal logic and the semantics of the specification language, as well as a proof system for the propositional part of the logic. In Section 4 the temporal logic is extended step by step, with an illustration in each step of how to overcome the lack of expressiveness. In Section 5 we illustrate the application of the extended model by the specification of the Internet Protocol.
2 Specification of Protocols

Our approach makes use of the concepts of agents and channels for the description of distributed systems. A distributed system is viewed as a family of agents (processes) that are able to run independently and communicate with each other via unidirectional channels. Each agent is assigned a finite number of distinctly named input and output channels (ports) over which it receives and delivers messages, respectively. In a system composed of more than one agent, each channel is either a connection between two agents or an external input/output port of an agent, over which it communicates with the system environment. The role of communication protocols is to control the communications between the system agents according to well-defined communication rules. In this context the specification of protocols requires the description of two aspects, namely the network topology of the system and the communication rules. The network topology defines the architecture of the system, i.e., it describes how the agents are connected to each other. The network may be represented by a graph of the kind depicted in Figure 1.

[Figure 1: A communication net. Agents A, B and C; channels S, X, Y, R and Z.]

The squares A, B and C stand for agents, while the arrows S, R, X, Y and Z represent channels. Note that channels are conceptual representations of the communications between agents; they do not represent any physical transmission medium. This means that channels are absolutely reliable. In our approach we represent a physical transmission medium by an active agent in order to model its potential for failures. The basic actions that occur in such a network are transmissions of messages; their occurrences are expressed by predicates such as (referring to the network in Figure 1)

  [A rcv m on S],  [X xmt m],  [B snd m on Z],  etc.

These predicates constitute the atomic formulas of the specification language and their meaning should be intuitively clear. A formal meaning will be given later in connection with temporal logic. We should mention that communications are considered to be synchronous, that is, the occurrence of a transmission action requires the simultaneous participation of a delivering agent and an accepting agent. We assume therefore the following equalities:

  [A snd m on X]    [X xmt m]    [B rcv m on X]

We use the discipline of temporal logic as the formalism for specifying the communication rules. A protocol specification is thus a set of temporal formulas that describe the rules according to which the transmission actions in a given network should occur.
3 A More "Compositional" Temporal Logic

Temporal logic is a simple and elegant extension of propositional logic (predicate logic in the case of first-order temporal logic), yet powerful enough to express interesting properties of distributed systems such as safety and liveness properties. Temporal formulas are constructed from atomic formulas by applying temporal operators and boolean connectives. Temporal operators are operators that refer to the past, present, and future. The future operators include the nexttime operator, the always (or henceforth) operator, the eventually operator and the until operator. The past operators include a symmetric counterpart to each of the future operators.
3.1 Indexing Temporal Operators

It is generally known that temporal logic in its elementary form is non-modular and non-compositional. Non-compositional means that in order to formulate a temporal property of a system, we must have the complete system before us [BKP 84]. A system component cannot, therefore, be specified independently from its environment. In our approach we make this logic compositional by indexing the temporal operators with (finite) sets of channel names. This enables us to describe subsystems independently, since each subsystem can be characterized by the set of channels that belong to it. Thus a system specification may contain formulas which must only be satisfied by selected components, rather than by all components during a system run. For example, the formula M P (the always operator indexed by M) means that the subsystem M should always satisfy the property P. The temporal logic obtained is thus compositional, which is very useful for deriving the whole system specification from the specification of its components. For reasons of greater uniformity, we introduce two supplementary operators ∇ and △ that refer explicitly to the present. Informally, these operators mean the following:

  ∇_M P    P holds "now" on the subsystem M, if M is active.
  △_M P    P holds "now" on M.

We say a subsystem M is active if a transmission action, a receive action, or a sending action within the subsystem M is taking place. Note that these operators do not increase the expressive power of the temporal language; they are introduced in order to achieve more structure in the specification language. The syntax of the temporal language is given as follows:

- If S is a channel name and m is a message, then [S xmt m] and [S xmt ] are atomic formulas. Every atomic formula is a formula.
- If P is a formula and M a (finite) set of channel names, then ¬P, ∇_M P, △_M P, and P prefixed by any of the six unary temporal operators (the nexttime, always and eventually operators and their past counterparts) indexed by M are formulas.
- If P and Q are formulas and M, N (finite) sets of channel names, then P ∨ Q, P ∧ Q, P ⇒ Q, P _M until_N Q, P _M unless_N Q, P _M before_N Q, P _M backto_N Q, P _M since_N Q and P _M after_N Q are formulas.
- If P is a formula and x is a message variable, then ∀x. P and ∃x. P are formulas.

We omit the index if it is the set of all channel names in the system. To enhance readability, we prefer to write R [R xmt m] instead of R [xmt m], although the former contains redundancy, since the formula R [R xmt m] can only be satisfied if R is transmitting; the formula R [S xmt m] can never be satisfied. There has been much discussion as to whether past operators increase the expressive power of the temporal language. [LPZ 85] states that past operators do not increase the expressive power of the language whenever we consider linear models of temporal logic, i.e. whenever the past fragment is finite. However, there are some properties of distributed systems, such as precedence, which have a more natural expression when past operators are used. [LPZ 85] contains many theoretical results about the usefulness of past operators.
3.2 Semantics

The underlying model for our temporal language is based on the concept of events. An event represents the occurrence of a send, receive, or transmission action of a message during a system run. Looking at the semantic models of distributed systems, we can distinguish two approaches: true concurrency and interleaving semantics. In true concurrency a system run is modelled by a partially ordered set of events; two events that are not comparable in the ordering are said to be concurrent. In interleaving semantics the events in a system run are totally ordered; here concurrency is modelled by nondeterministic interleaving. For some applications interleaving models are suitable for capturing system properties. However, in [Rei 88] it has been claimed that for some applications true concurrency models are relevant for describing system properties which cannot be formulated at the level of interleaving semantics. In this paper we restrict our attention to interleaving semantics for the following reasons. On the one hand, the protocol properties that we want to specify here can be formulated in the interleaving model. On the other hand, we think that the examples studied in the sequel are better understood using linear temporal logic. In the interleaving semantics the behavior of a distributed system is the set of its possible runs, where each run is a sequence of events. The underlying time structure is then a linearly ordered set (E, ≤) of events, in which each event is considered as an atomic point in time. Since each send or receive action is "equivalent" to a transmission action on the corresponding channel, we may model an event by a pair (S, m) where S is a channel name and m the message.

A model 𝓜 for our language is a triple consisting of an algebra Alg, a linearly ordered set (E, ≤) of events, and an assignment that associates a value with each message variable. The algebra Alg specifies a non-empty set of message values, and assigns constants and functions to the constant and function symbols, respectively. Before giving the semantics of the temporal language we first introduce some abbreviations. Let (E, ≤) be a linear order, S a channel name and M a set of channel names.

  E_S  =def  { e ∈ E | there exists a message m s.t. e = (S, m) }
  E_M  =def  ⋃_{S ∈ M} E_S

That is, E_S denotes the subset of all those events that concern the channel S, and E_M is the corresponding generalization to sets of channels. We denote by 𝓜, e ⊨ P the fact that the temporal formula P is valid for the model 𝓜 at the point e. This leads to the following semantic definition of the temporal operators:

Present and future operators:

  𝓜, e ⊨ △_M P                iff  e ∈ E_M and 𝓜, e ⊨ P
  𝓜, e ⊨ M P (always on M)     iff  for every e' ∈ E_M with e' ≥ e, 𝓜, e' ⊨ P
  𝓜, e ⊨ M P (nexttime on M)   iff  for the least e' ∈ E_M with e' > e, 𝓜, e' ⊨ P
  𝓜, e ⊨ P _M until_N Q        iff  for some e' ∈ E_N with e ≤ e', 𝓜, e' ⊨ Q, and for every e'' ∈ E_M with e ≤ e'' < e', 𝓜, e'' ⊨ P

The other future operators can be defined as follows:

  ∇_M P            ⇔  ¬△_M ¬P                      weak present on M
  e M P            ⇔  ¬ M ¬P                       strong nexttime on M
  M P              ⇔  ¬ M ¬P                       eventually on M
  P _M unless_N Q  ⇔  M P ∨ P _M until_N Q         unless, weak until
  P _M before_N Q  ⇔  ¬Q _N unless_M P

Past operators:

  𝓜, e ⊨ M P (always in the past on M)  iff  for every e' ∈ E_M with e' ≤ e, 𝓜, e' ⊨ P
  𝓜, e ⊨ M P (previous on M)            iff  for the greatest e' ∈ E_M with e' < e, 𝓜, e' ⊨ P, if such an e' exists; otherwise the formula is valid
  𝓜, e ⊨ P _M since_N Q                 iff  for some e' ∈ E_N with e' ≤ e, 𝓜, e' ⊨ Q, and for every e'' ∈ E_M with e' < e'' ≤ e, 𝓜, e'' ⊨ P

The other past operators can be defined as follows:

  e M P            ⇔  ¬ M ¬P                       strong previous on M
  M P              ⇔  ¬ M ¬P                       sometimes in the past on M
  P _M backto_N Q  ⇔  M P ∨ P _M since_N Q         backto, weak since
  P _M after_N Q   ⇔  ¬Q _N backto_M P

Atomic formulas:

  𝓜, e ⊨ [S xmt m]   iff  e = (S, v), where v is the value assigned to m
  𝓜, e ⊨ [S xmt ]    iff  there is v ∈ D s.t. e = (S, v)

A temporal formula is called valid in the model 𝓜, denoted by 𝓜 ⊨ P, if 𝓜, e ⊨ P for every e ∈ E. P is called valid, denoted by ⊨ P, if 𝓜 ⊨ P for every model 𝓜. The validity of a formula P is thus defined by requiring that P holds at all time points of all models.
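The semantics above can be executed directly on a recorded run. The following evaluator is an added example and not code from the paper: it represents a run as a list of (channel, message) events, a formula as a function of the run and an event position, and implements the indexed operators exactly as the clauses above define them (E_M as the set of positions whose channel lies in M, "until" and "since" with their two channel indices). It assumes finite runs, so "always" is only checked up to the last recorded event, and it takes the primitive nexttime to be the weak one (true when no later E_M event exists), which is what makes the strong nexttime its dual. The channel names S, X, Y, R follow Figure 1; the two sample rules and the sample runs are constructed here.

```python
# Added example, not the paper's code: a finite-trace evaluator for the
# channel-indexed operators of Section 3.2.  A run is a list of events
# (channel, message); list positions play the role of the linearly ordered set
# E, and a formula is a function f(run, i) -> bool.  Assumptions: runs are
# finite, so "always" is checked only up to the last recorded event, and the
# primitive nexttime is the weak one (true when no later E_M event exists).
from typing import Callable, List, Optional, Set, Tuple

Event = Tuple[str, str]            # (channel name, message)
Run = List[Event]
Formula = Callable[[Run, int], bool]


def xmt(channel: str, message: Optional[str] = None) -> Formula:
    """Atomic formula [S xmt m]; message=None is the wildcard [S xmt ]."""
    return lambda run, i: run[i][0] == channel and (message is None or run[i][1] == message)


def _points(run: Run, M: Set[str], lo: int, hi: int) -> List[int]:
    """Indices of the events of E_M (events on channels in M) within [lo, hi)."""
    return [j for j in range(lo, hi) if run[j][0] in M]


def strong_now(M: Set[str], p: Formula) -> Formula:   # triangle_M P: e in E_M and P at e
    return lambda run, i: run[i][0] in M and p(run, i)


def weak_now(M: Set[str], p: Formula) -> Formula:     # nabla_M P = not triangle_M not P
    return lambda run, i: run[i][0] not in M or p(run, i)


def always(M: Set[str], p: Formula) -> Formula:       # every e' in E_M, e' >= e, satisfies P
    return lambda run, i: all(p(run, j) for j in _points(run, M, i, len(run)))


def nexttime(M: Set[str], p: Formula) -> Formula:     # least e' in E_M with e' > e satisfies P
    def f(run, i):
        later = _points(run, M, i + 1, len(run))
        return not later or p(run, later[0])
    return f


def eventually(M: Set[str], p: Formula) -> Formula:   # dual of always
    return lambda run, i: any(p(run, j) for j in _points(run, M, i, len(run)))


def until(M: Set[str], p: Formula, N: Set[str], q: Formula) -> Formula:
    """P M-until-N Q: some e' in E_N, e' >= e, satisfies Q and every e'' in E_M
    with e <= e'' < e' satisfies P.  The first Q-point decides: a later one
    would demand P on a superset of those E_M points."""
    def f(run, i):
        for j in _points(run, N, i, len(run)):
            if q(run, j):
                return all(p(run, k) for k in _points(run, M, i, j))
        return False
    return f


def previous(M: Set[str], p: Formula) -> Formula:     # greatest e' in E_M, e' < e; valid if none
    def f(run, i):
        earlier = _points(run, M, 0, i)
        return not earlier or p(run, earlier[-1])
    return f


def sometime_past(M: Set[str], p: Formula) -> Formula:  # some e' in E_M, e' <= e, satisfies P
    return lambda run, i: any(p(run, j) for j in _points(run, M, 0, i + 1))


def since(M: Set[str], p: Formula, N: Set[str], q: Formula) -> Formula:
    """P M-since-N Q: some e' in E_N, e' <= e, satisfies Q and every e'' in E_M
    with e' < e'' <= e satisfies P (the latest Q-point decides)."""
    def f(run, i):
        for j in reversed(_points(run, N, 0, i + 1)):
            if q(run, j):
                return all(p(run, k) for k in _points(run, M, j + 1, i + 1))
        return False
    return f


def implies(p: Formula, q: Formula) -> Formula:
    return lambda run, i: (not p(run, i)) or q(run, i)


def bind(make: Callable[[str], Formula]) -> Formula:
    """Bind the message variable to the message of the current event, the
    free-variable reading of formulas such as [S xmt m] => ... [R xmt m]."""
    return lambda run, i: make(run[i][1])(run, i)


def valid(run: Run, p: Formula) -> bool:
    """M |= P: P holds at every event of the run."""
    return all(p(run, i) for i in range(len(run)))


# Two rules on the network of Figure 1: whatever is transmitted on S is
# eventually transmitted on R, and whatever is transmitted on R was
# transmitted on S before (the no-creation property of Section 4.1).
S_DELIVERED_ON_R = bind(lambda m: implies(xmt("S", m), eventually({"R"}, xmt("R", m))))
R_ONLY_FROM_S = bind(lambda m: implies(xmt("R", m), sometime_past({"S"}, xmt("S", m))))

# Constructed sample runs, not taken from the paper.
GOOD_RUN: Run = [("S", "a"), ("X", "a"), ("S", "b"), ("Y", "a"), ("R", "a"), ("R", "b")]
CREATING_RUN: Run = [("S", "a"), ("R", "a"), ("R", "z")]      # "z" never appeared on S

if __name__ == "__main__":
    print(valid(GOOD_RUN, S_DELIVERED_ON_R), valid(GOOD_RUN, R_ONLY_FROM_S))   # True True
    print(valid(CREATING_RUN, R_ONLY_FROM_S))                                  # False
```

The indices matter: `eventually({"R"}, ...)` ranges only over events of channel R, so the X and Y events of the sample run are ignored by that operator, which is the compositional reading of the paper's indexed operators.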
3.3 Proof System

In this section we present a sound and complete proof system for the propositional part of the temporal logic. Most of our rules and axioms are indexed versions of the general proof system presented in [LPZ 85]. The proof system also contains axioms concerning the present operators. Moreover, we take all tautologies of the propositional logic and theorems from set theory as axioms. Axioms and theorems from set theory are needed to derive formulas such as M P ⇒ N P, when N is a subset of M. In the following rules the comma "," binds more tightly than the implication "⇒", which binds more tightly than the derivability symbol ⊢. For readability reasons we replace in some axioms the formulas M T, M T, and ∇_M F by the formulas (life(M)), (life(M)), and inactive(M), respectively.

Present Part

- Rule (mp):  P, P ⇒ Q ⊢ Q
- Axioms:
  Ax1: All tautologies of the propositional logic.
  Ax2: P ⇒ ∇_M P
  Ax3: ∇_M P ∧ ∇_N P ⇔ ∇_{M ∪ N} P
  Ax4: M △_M P ⇔ M P, for each of the (weak and strong) nexttime and previous operators, ∇ and △, indexed by M
  Ax5: △_M P ⇒ M e M P ∧ M e M P

As mentioned in Section 3, the operators ∇ and △ are introduced for technical reasons. Axiom 4 states that they can be eliminated from most formulas.

Future Part

- Rules:
  (Next-Gen):  P ⊢ M P
  ( -Int):     Q ⇒ ∇_M P, Q ⇒ Q ⊢ Q ⇒ M P
- Axioms:
  FAx1: e M P ⇒ M P
  FAx2: M P ∧ life(M) ⇒ e M P
  FAx3: M (P ⇒ Q) ⇒ (M P ⇒ M Q)
  FAx4: M P ⇔ (∇_M P ∧ (inactive(M) ⇒ M P))
  FAx5: M P ⇒ (∇_M P ∧ M M P)
  FAx6: M (P ⇒ Q) ⇒ (M P ⇒ M Q)
  FAx7: M P ⇒ P _M unless_N Q
  FAx8: P _M unless_N Q ⇔ △_M Q ∨ (∇_M P ∧ (P _M unless_N Q))

Past Part

- Rules:
  (PreGen):    P ⊢ M P
  ( -Int):     Q ⇒ ∇_M P, Q ⇒ Q ⊢ Q ⇒ M P
- Axioms:
  PAx1: e M P ⇒ M P
  PAx2: M P ∧ life(M) ⇒ e M P
  PAx3: M (P ⇒ Q) ⇒ (M P ⇒ M Q)
  PAx4: M P ⇔ (∇_M P ∧ (inactive(M) ⇒ M P))
  PAx5: M P ⇒ (∇_M P ∧ M M P)
  PAx6: M (P ⇒ Q) ⇒ (M P ⇒ M Q)
  PAx7: P _M backto_N Q ⇔ △_M Q ∨ (∇_M P ∧ (P _M backto_N Q))
  PAx8: F

The finiteness of the past can be shown by the Axiom PAx8, which states that the initial point is always reachable.
The proof system presented above is sound with respect to the semantics given in the last section. Note that the temporal language presented here does not increase the expressive power of the logic presented in [LPZ 85]. It can be shown trivially that both languages have the same expressive power, that is, each formula can be transformed to an equivalent formula in the language of [LPZ 85] and vice versa. Hence, each valid formula can be derived using the complete proof system presented in [LPZ 85]. The completeness of our proof system can be proven by showing that each rule and axiom in the proof system presented in [LPZ 85] can be deduced from our rules and axioms, and that can be done trivially. The completeness of our proof system is thus established.
4 Extension of the Temporal Logic

The specification of communication protocols is based on the description of the behavior of the agents making up the distributed system. As mentioned in Section 2, an agent is viewed as a black box that receives and sends messages on its input and output channels, respectively; such agents are often called message passing systems. A simple example is a transmission medium that receives messages on its input channel and sends them on its output channel. The external behavior of an agent is characterized by the stream of received messages, the stream of sent messages, and their relation in time. In order to specify an agent using temporal logic, we have to formulate its desired properties by a set of temporal formulas. Many investigations established the fact that there are some inexpressiveness problems when the so-called message passing systems are specified using temporal logic. It has been proved that there is a large class of properties of message passing systems that cannot be expressed using first-order temporal logic. In a study of message passing systems by Koymans ([Koy 87]), it has been found that the class of transmission mediums that satisfy the properties

- that the medium does not create messages, neither by creating "new" messages nor by duplicating them, and
- that any received message should eventually be sent,

cannot be specified by a finite set of temporal formulas. Analogous results have been reached by Sistla et al. ([SCFM 84]), namely that unbounded buffers cannot be specified using linear temporal logic. Most analyses, such as [Koy 87] and [Lam 83b], show that the cause of this inexpressiveness is that it is impossible to couple each message sent by an agent to a unique message received by that agent. This is because messages cannot be uniquely identified on infinite streams. Hence, it appeared that the expressiveness of the specification language could only be increased by extending the logic. Most attempts overcome the logic's inexpressiveness by assuming unique identification of messages on a stream, as done in [Koy 87] and [Pnu 92]. This is achieved by indexing the messages on a stream with a natural number which serves as a unique identification of messages on a stream. For some applications this may be sufficient to enable the expression of the desired properties. We will show that for a large class of protocol properties this assumption is not sufficient. As mentioned in Section 2, we are not only interested in the specification of isolated agents, but also in the development of large systems by combining agents. Moreover, we are interested in a specification language by which we can describe the potential failures of agents, such as the possibility of losing messages, duplicating them, or permuting them. We will show that the development of such systems requires more than the assumption of unique identification of messages on a stream. In this section we present a general framework for the development of communication protocols. We achieve the unique identification of messages on a stream by using "colors", which represent conceptual time stamps. In order to increase the expressiveness of our logic, we assume the existence of a set of colors satisfying a series of properties that will be introduced in the following. We investigate the properties that we are interested in, and show which characteristics the set of colors should have.
4.1 Introduction of colors

In this section we introduce colors and show which roles they play in the specification of communication protocols. As mentioned above, colors serve for the unique identification of messages on a stream. From now on a message is viewed as a colored data element. We assume the existence of enough colors to guarantee that each data element can take an infinite number of colors. It should be stressed that colors are conceptual time stamps, which are available only at the semantical level, and do not influence the functional behavior of agents. Hence, colors are introduced in order to provide a semantical model that enables us to describe interesting protocol properties. Accordingly, colors are not data types which will be implemented in the protocols. From now on an agent can send and receive only colored messages. Viewed from this aspect, the specification of an agent is now decomposed into two parts. The first part describes how messages should be colored on each of the streams. The second part describes the proper behavior of that agent. We illustrate this by the specification of a reliable (perfect) transmission medium.
Example 4.1 [Reliable Medium]

A reliable transmission medium is an agent that has an input channel and an output channel and should satisfy the following properties:

- Messages cannot be created, neither by creating "new" messages nor by sending duplicates of received messages.
- Every received message should eventually be sent.

[Figure: agent Transmission Medium with input channel S and output channel R]

In order to formulate the desired properties of this agent, we assume that the messages on the input stream S are distinctly colored. We formulate this assumption with the formula

  [S xmt m] ∧ [S xmt m'] ⇒ m ≢ m'

where m ≢ m' means that m and m' have distinct colors. Obviously, if the messages on the input stream S are distinctly colored, then so should be the messages on the output stream R. This is formulated by

  [R xmt m] ∧ [R xmt m'] ⇒ m ≢ m'

Following these two assumptions, the most important property of a reliable transmission medium, that it does not create messages, can be specified by

  [R xmt m] ⇒ [S xmt m]

This formula describes a safety property of the medium and is also a typical precedence property, since it claims that a message is always received before it is sent. These kinds of properties (precedence) are best formulated using past operators. The second property of the transmission medium is a liveness property, claiming that any received message will eventually be sent. This can be expressed by

  [S xmt m] ⇒ [R xmt m]

A transmission medium is considered perfect if it additionally preserves the order of the received messages. This means that the messages on the stream R have the same order as those on the stream S. This property is a safety property, and it can be formulated by

  [R xmt m] before [R xmt m'] ⇒ ([S xmt m] before [S xmt m'])

The specification given above ensures that the transmission medium behaves like the identity on streams of messages.
4.2 Composition of Agents

Distributed systems are often composed of more than one component. The development of distributed systems requires a compositional and modular specification language. The compositionality enables us to derive the specification of a composed system from the specification of its components. The temporal logic presented in Section 3 is compositional. However, we will show that the inexpressiveness of the logic cannot be overcome by assuming unique identification whenever we have to describe systems that are composed of more than one agent. In this section we discuss how we should extend our logic such that we can formulate the desired properties of a system comprising more than one component. We think this can best be explained by an example. The properties of the transmission medium presented in the last section are desirable, but they are not always feasible. In the world of distributed systems, transmission mediums are less reliable because of physical failures. Generally, a transmission medium may create, duplicate, lose, or permute messages. We aim at a specification language in which we can express such properties. The specification of unreliable systems enables us to capture their failures and to eliminate them using appropriate protocols. The following example illustrates the specification of an unreliable transmission medium.
Example 4.2 [Unreliable Medium]

We specify an agent Duplicate that has an input channel S and an output channel R.

[Figure: agent Duplicate with input channel S and output channel R]

The behavior of Duplicate should satisfy the following requirements:

- Messages may be duplicated, but they cannot be created.
- Each message received should eventually be sent.

We assume the unique identification of messages on the stream S, i.e. all messages are distinctly colored.

  [S xmt m] ∧ [S xmt m'] ⇒ m ≢ m'

We achieve the specification of the property claiming that messages may be duplicated by assuming that on the stream R at most two messages may have the same color.

  [R xmt m] ∧ ([R xmt m'] ∧ [R xmt m'']) ⇒ (m ≢ m' ∨ m ≢ m'')

The properties claiming that Duplicate does not create "new" messages, and that each message received should eventually be sent, can be formulated as in the last section.

In the following we want to combine the agent specified above with the perfect transmission medium presented in Section 4.1 by identifying the output channel of Duplicate with the input channel of the transmission medium, as represented by the following graph.

[Figure: agent Duplicate with input channel S and output channel R, followed by agent Transmission Medium with input channel R and output channel U]

As shown in the last section, the desired behavior of a perfect transmission medium can only be achieved if the messages on its input stream are uniquely identified. Unfortunately, the messages on the stream R do not satisfy this requirement, since the agent Duplicate may send a message twice. Hence, the unique identification of messages alone does not enable us to express properties of composite systems. We need, therefore, to extend the logic. We assume the existence of a congruence relation on the set of colors, such that there are infinitely many congruence classes and each class contains an infinite number of colors. This relation can be translated to the set of messages, which are now colored data elements. This leads to the following congruence relations on the set of messages:

  m  m'   =def  m and m' have the same color
  m  m'   =def  m and m' have congruent colors
  m = m'  =def  m and m' have congruent colors and the same content
  m = m'  =def  m and m' are identical (color and content)

In order to specify the composed system, we modify the specification of Duplicate such that we achieve unique identification of messages on the stream R, without modifying the behavior of Duplicate. The intended specification is obtained by replacing each equality (on colors) in the specification of Duplicate by the congruence relation introduced, and by adding a temporal formula which states that messages on the stream R are distinctly colored. This leads to the following specification.

  (1)  [S xmt m] ∧ [S xmt m'] ⇒ m ≢ m'
  (2)  [R xmt m] ∧ ([R xmt m'] ∧ [R xmt m'']) ⇒ (m ≢ m' ∨ m ≢ m'')
  (3)  [S xmt m] ⇒ [R xmt m'] ∧ m = m'
  (4)  [R xmt m] ⇒ [S xmt m'] ∧ m = m'
  (5)  [R xmt m] ∧ [R xmt m'] ⇒ m ≢ m'
The specification of the system composed of the agent Duplicate and the perfect transmission medium can now be obtained trivially by the conjunction of both specifications, where in the specification of the transmission medium we substitute each occurrence of S by R and each occurrence of R by U, respectively. The compositionality of our temporal logic guarantees the consistency of the resulting specification. The principle of introducing new congruence relations on the set of colors can be applied whenever the properties of a system to be specified cannot be expressed. Generally, we assume the existence of n (n ≥ 1) congruence relations on the set of colors, which should form an inclusion chain, i.e., for all 1 ≤ i ≤ n − 1 the (i+1)-th congruence relation is included in the i-th relation. Moreover, we assume that each congruence class w.r.t. the i-th relation contains infinitely many classes w.r.t. the (i+1)-th congruence relation. By translating these relations to the set of colored messages as done above, we obtain a hierarchy of colors. Using this hierarchy, we are able to specify any combination of message passing systems.
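The following check is an added example, not code from the paper: it makes the color congruence of this section concrete and evaluates the specification (1)-(5) of Duplicate, the perfect medium of Section 4.1, and their composition by channel renaming (S to R, R to U) on a finite run. The encoding is an assumption of the example: a color is a pair (cls, tag), two colors are congruent when their cls agrees and equal when the whole pair agrees; the paper only postulates a congruence relation with infinitely many infinite classes. The runs are constructed here, and on a finite run the liveness formula (3) is read as "appears somewhere later in the recorded run".

```python
# Added example, not the paper's code: colored messages and the congruence
# relation of Section 4.2, used to check the specification (1)-(5) of the
# agent Duplicate and its composition with the perfect medium of Section 4.1.
# Assumed encoding: a color is (cls, tag); congruent = same cls, same color =
# same pair.  The paper only postulates the relation; this is one model of it.
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Msg:
    content: str
    cls: int        # congruence class of the color
    tag: int        # distinguishes colors inside a class


Event = Tuple[str, Msg]     # (channel name, colored message)


def same_color(m: Msg, n: Msg) -> bool:
    return (m.cls, m.tag) == (n.cls, n.tag)


def congruent(m: Msg, n: Msg) -> bool:
    return m.cls == n.cls


def congruent_same_content(m: Msg, n: Msg) -> bool:     # the "m = m'" used in (3) and (4)
    return congruent(m, n) and m.content == n.content


def stream(run: List[Event], channel: str) -> List[Msg]:
    return [m for ch, m in run if ch == channel]


def duplicate_spec(run: List[Event], s: str = "S", r: str = "R") -> dict:
    """Formulas (1)-(5) for Duplicate with input s and output r, over the whole run."""
    ins, outs = stream(run, s), stream(run, r)
    return {
        # (1) messages received on s are pairwise non-congruent
        "1": all(not congruent(a, b) for a, b in combinations(ins, 2)),
        # (2) no three messages on r are mutually congruent: at most one duplicate
        "2": all(not (congruent(a, b) and congruent(a, c)) for a, b, c in combinations(outs, 3)),
        # (3) every message received on s is eventually sent on r, congruent with the same content
        "3": all(any(congruent_same_content(m, n) for n in outs) for m in ins),
        # (4) every message sent on r was received on s before (precedence, a past property)
        "4": all(any(c == s and congruent_same_content(m, n) for c, n in run[:i])
                 for i, (ch, m) in enumerate(run) if ch == r),
        # (5) messages on r are pairwise distinctly colored
        "5": all(not same_color(a, b) for a, b in combinations(outs, 2)),
    }


def perfect_medium_spec(run: List[Event], s: str = "S", r: str = "R") -> bool:
    """Section 4.1: distinct input colors, no creation, eventual delivery and
    order preservation.  On a finite run the last three together mean that the
    output stream equals the input stream, each output after its input."""
    ins, outs = stream(run, s), stream(run, r)
    distinct_in = all(not same_color(a, b) for a, b in combinations(ins, 2))
    precedence = all(any(c == s and n == m for c, n in run[:i])
                     for i, (ch, m) in enumerate(run) if ch == r)
    return distinct_in and precedence and outs == ins


def composed_spec(run: List[Event]) -> bool:
    """Duplicate (S -> R) followed by the perfect medium (R -> U): the conjunction
    of both specifications, the medium's channels renamed S -> R and R -> U."""
    return all(duplicate_spec(run, "S", "R").values()) and perfect_medium_spec(run, "R", "U")


# Constructed run, not from the paper: "a" is duplicated on R with a fresh
# color in the same congruence class, then the perfect medium copies R to U.
a, b = Msg("a", cls=1, tag=0), Msg("b", cls=2, tag=0)
a_dup = Msg("a", cls=1, tag=1)
COMPOSED_RUN: List[Event] = [
    ("S", a), ("R", a), ("U", a), ("S", b), ("R", a_dup), ("U", a_dup), ("R", b), ("U", b),
]
# The same run with a third copy of "a" on R, which violates (2).
TRIPLE_RUN: List[Event] = COMPOSED_RUN + [("R", Msg("a", cls=1, tag=2))]

if __name__ == "__main__":
    print(duplicate_spec(COMPOSED_RUN), composed_spec(COMPOSED_RUN))   # all True, True
    print(duplicate_spec(TRIPLE_RUN)["2"], composed_spec(TRIPLE_RUN))  # False False
```

Formula (5) is what lets the perfect medium's own input assumption hold on R: the duplicate carries a distinct color (tag) inside the same class (cls), so the medium sees distinctly colored messages while (3) and (4) still couple both copies to the single message received on S.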
4.3 Extension of Operations

Agents are active system components which, in addition to sending and receiving data, can perform internal operations on data. In the context of communication protocols, an operation may be the composition of messages from individual pieces, the splitting of packets into frames, or the selection of fragments from messages. In this section we deal with agents that may perform operations on messages. Actually, these operations are defined on data and not on colored messages. Since in our extended model we deal with agents that send and receive colored messages, we have to extend these operations to the set of colored messages. Note that it is not necessary to give a precise extension of each operation; rather we only have to give a characterization of an extension that enables us to specify our protocols in a simple way using a purely temporal formalism. In the following we show which properties should be satisfied by the extension of an operation. For this purpose we specify an agent Split that receives packets, splits each of them into two frames, and sends the frames stemming from the same packet consecutively.
Example 4.3 [Split]

The agent Split is a transmission medium that performs a split operation (say sp) on received messages before it sends them. This agent has an input channel S and an output channel R.

[Figure: agent Split with input channel S and output channel R]

The unique requirement on the behavior of Split is that the frames of a received packet must eventually be sent consecutively. To specify the behavior of this agent we need two congruence relations on the set of colored messages, one included in the other. First we assume the unique identification of messages on the input stream S, that is, all received packets must be non-congruent w.r.t. the relevant relation.

  [S xmt p] ∧ [S xmt p'] ⇒ p ≢ p'

The frames on the stream R are viewed as pairs, where the content of each pair corresponds to the frames of a single packet. We assume that any two frames of two distinct pairs are non-congruent w.r.t. the relevant relation. This is formulated by

  [R xmt fr] ∧ R [R xmt fr'] ⇒ fr ≢ fr'

Under these assumptions, and if for any packet p, sp(p) = (sp_1(p), sp_2(p)), we formulate the requirement claiming that the frames of a received packet must eventually be sent consecutively by

  [S xmt p] ⇒ ([R xmt sp_1(p)] ∧ R [R xmt sp_2(p)])

The above formula does not ensure the unique correspondence between a packet and its frames. In order to couple a packet with its frames we have to assume that a packet and its frames are congruent w.r.t. the relevant relation; this is formulated by

  (sp_1(p) ≡ p) ∧ (sp_2(p) ≡ p)

Since we are aiming for specifications that are purely temporal, we will assume that each operation satisfies the property that any message has congruent colors with its image. That is, an operation should preserve the congruence class of its arguments. The combination of such an agent with the perfect transmission medium requires that all frames on the stream R are uniquely identified; in this case they have to be non-congruent w.r.t. the finer relation. This leads to the addition of the following formula.

  [R xmt fr] ∧ [R xmt fr'] ⇒ fr ≢ fr'

In order to avoid inconsistency in this specification, we have to assume that the frames of any packet are non-congruent w.r.t. that same relation.

  sp_1(p) ≢ sp_2(p)

The most important requirement on the extension is that the image (by the original operation) of the content of a colored message is the same as the content of its image by the extended operation.
In the example studied above we characterized the extension of the split operation to the set of colored messages by three properties. In general, any extension of the original algebra operations should satisfy analogous properties, which we now formulate. We assume that the specification of a system uses a set of n congruence relations $\equiv_1, \equiv_2, \ldots, \equiv_n$ on the set of colored messages, as defined in Section 4.2, forming the inclusion chain $\equiv_n \subseteq \equiv_{n-1} \subseteq \cdots \subseteq \equiv_1$. Let f be an operation defined on the sets of data with arity (l, k). For each congruence relation $\equiv_i$ we assign to f a function $\hat f_i$ defined on the corresponding sets of colored data and satisfying the following properties. Let $a_1, \ldots, a_l$ and $b_1, \ldots, b_k$ be colored data with $\hat f_i(a_1, \ldots, a_l) = (b_1, \ldots, b_k)$. Typically the arguments $a_1, \ldots, a_l$ are messages received on the input channels (possibly a single channel) of an agent, and the image components $b_1, \ldots, b_k$ are messages to be sent on the output channels of that agent.

In order to couple sent messages with received messages, the components of an image must be congruent w.r.t. $\equiv_i$ with at least one argument, say the first:

$$\bigwedge_{j=1}^{k} a_1 \equiv_i b_j$$

The components of an image must be pairwise non-congruent w.r.t. $\equiv_{i+1}$; in this way we avoid inconsistency in our specifications when unique identification on the output stream is required:

$$\forall m, j,\ 1 \le m, j \le k:\ (b_j \equiv_{i+1} b_m) \Rightarrow j = m$$

We also require that each extension of a function preserves the data part of a colored message:

$$f(\mathit{Content}(a_1), \ldots, \mathit{Content}(a_l)) = (\mathit{Content}(b_1), \ldots, \mathit{Content}(b_k))$$

Assuming the properties introduced above, we can specify our systems using the extension by colors without complications, preserving the consistency of the specifications and applying a purely temporal formalism. An extended model now consists of a colored algebra, an assignment, and a sequence of events, where each event is a pair consisting of a channel name and a colored message. A colored algebra arises from an algebra when the algebra data is colored and the algebra operations are extended to the corresponding sets of colored data.
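As an added worked example (written for this edition, not code from the paper), the following Python encodes colored messages with a color hierarchy, implements an extension $\hat{sp}_1$ of a split operation that satisfies the three properties above, checks those properties mechanically, and checks finite traces of events against the Split specification (unique identification on S w.r.t. $\equiv_1$, on R w.r.t. $\equiv_2$, and the "eventually consecutively" requirement). The encoding of colors as tuples whose first i levels define $\equiv_i$, the choice of sp as a split in the middle of a string, and the sample traces are assumptions of the example.

```python
"""Colored messages, the congruence hierarchy and the three extension
properties of Section 4.3, checked on small Split traces (added example)."""
from itertools import combinations
from typing import Callable, List, NamedTuple, Sequence, Tuple


class Msg(NamedTuple):
    content: str
    color: Tuple[int, ...]   # assumed encoding: level i of the hierarchy is color[i-1]


def cong(i: int, m: Msg, n: Msg) -> bool:
    """m ≡_i n  iff  the first i levels of the colors agree.  Agreement on a longer
    prefix implies agreement on a shorter one, so ≡_{i+1} ⊆ ≡_i holds by construction."""
    return m.color[:i] == n.color[:i]


def sp(content: str) -> Tuple[str, str]:
    """The original split operation on data (assumption: split in the middle)."""
    h = len(content) // 2
    return content[:h], content[h:]


def sp_hat(p: Msg) -> Tuple[Msg, Msg]:
    """Extension sp^_1 of sp to colored data: both frames inherit the packet's
    level-1 color (coupling) and receive distinct level-2 colors (uniqueness)."""
    c1, c2 = sp(p.content)
    base = p.color[:1]
    return Msg(c1, base + (0,)), Msg(c2, base + (1,))


def sp_hat_broken(p: Msg) -> Tuple[Msg, Msg]:
    """A wrong extension: both frames get the same level-2 color, so sp_1(p) ≡_2 sp_2(p)
    and unique identification of frames on R becomes inconsistent."""
    c1, c2 = sp(p.content)
    base = p.color[:1]
    return Msg(c1, base + (0,)), Msg(c2, base + (0,))


def check_extension(f: Callable, f_hat: Callable, i: int, args: Sequence[Msg]) -> List[str]:
    """Names of the properties of Section 4.3 that f_hat violates at level i (empty if none)."""
    images = f_hat(*args)
    violated = []
    if not all(cong(i, args[0], b) for b in images):                 # coupling with a_1
        violated.append("coupling")
    if any(cong(i + 1, b, c) for b, c in combinations(images, 2)):   # pairwise non-≡_{i+1}
        violated.append("unique-image")
    if f(*(a.content for a in args)) != tuple(b.content for b in images):  # content preserved
        violated.append("content")
    return violated


Event = Tuple[str, Msg]   # (channel name, colored message)


def check_split(trace: Sequence[Event], f_hat: Callable = sp_hat) -> List[str]:
    """Check a finite trace against the Split specification; returns the violations found."""
    problems = []
    s_msgs = [m for ch, m in trace if ch == "S"]
    r_idx = [t for t, (ch, _) in enumerate(trace) if ch == "R"]
    r_msgs = [trace[t][1] for t in r_idx]
    if any(cong(1, a, b) for a, b in combinations(s_msgs, 2)):
        problems.append("packets on S not unique w.r.t. ≡_1")
    if any(cong(2, a, b) for a, b in combinations(r_msgs, 2)):
        problems.append("frames on R not unique w.r.t. ≡_2")
    for t, (ch, p) in enumerate(trace):
        if ch != "S":
            continue
        fr1, fr2 = f_hat(p)
        # ◇([R xmt fr1] ∧ ○_R [R xmt fr2]): some R event after t carries fr1 and the
        # next event on channel R carries fr2
        later = [k for k, u in enumerate(r_idx) if u > t and r_msgs[k] == fr1]
        if not any(k + 1 < len(r_msgs) and r_msgs[k + 1] == fr2 for k in later):
            problems.append(f"frames of packet {p.content!r} not sent consecutively")
    return problems


# Constructed sample traces (not taken from the paper).
P1, P2 = Msg("alpha!", (1,)), Msg("beta!!", (2,))
GOOD_TRACE: List[Event] = [("S", P1), ("R", sp_hat(P1)[0]), ("R", sp_hat(P1)[1]),
                           ("S", P2), ("R", sp_hat(P2)[0]), ("R", sp_hat(P2)[1])]
# Frames of the two packets interleaved: every frame is sent, but not consecutively.
BAD_TRACE: List[Event] = [("S", P1), ("S", P2), ("R", sp_hat(P1)[0]), ("R", sp_hat(P2)[0]),
                          ("R", sp_hat(P1)[1]), ("R", sp_hat(P2)[1])]

if __name__ == "__main__":
    print(check_extension(sp, sp_hat, 1, (P1,)))          # []
    print(check_extension(sp, sp_hat_broken, 1, (P1,)))   # ['unique-image']
    print(check_split(GOOD_TRACE))                        # []
    print(check_split(BAD_TRACE))
```

The trace checker only decides properties on a finite prefix: a missing frame pair is reported as "not sent consecutively" even though, on an infinite run, the frames might still appear later; the purpose of the example is the encoding of the congruence hierarchy and of the three extension properties, not a full model checker for the logic.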
4.4 Predicate Calculus

Based on the extended semantics, we now present the predicate part of the proof system given in Section 3.3. Assuming n congruence relations $\equiv_1, \ldots, \equiv_n$ on the set of colored messages, we have the following rule and axioms.

Quantifier Rule

$P \Rightarrow Q \ \vdash\ P \Rightarrow \forall x.\,Q$, if there are no free occurrences of x in P.

Quantifier Axioms

QAx0: $\neg\exists x.\,P \Leftrightarrow \forall x.\,\neg P$

QAx1: $\forall x.\,P(x) \Rightarrow P(t)$, if t is substitutable for x in P

QAx2: $\forall x.\,\Box P \Rightarrow \Box\,\forall x.\,P$

QAx3: $\forall x.\,\bigcirc P \Rightarrow \bigcirc\,\forall x.\,P$

QAx2 and QAx3 let the universal quantifier commute with the temporal operators, as in [MP 91]. We say that t is substitutable for x in P if substituting t for all free occurrences of x in P does not introduce new bound occurrences of variables.

Equivalence Axioms

CAx1: $t \equiv_i t$ for any term t and all $i \in \{1, \ldots, n\}$

CAx2: $t_1 \equiv_i t_2 \wedge t_2 \equiv_i t_3 \Rightarrow t_1 \equiv_i t_3$ for all $i \in \{1, \ldots, n\}$

CAx3: $t_1 \equiv_i t_2 \Rightarrow t_2 \equiv_i t_1$ for all $i \in \{1, \ldots, n\}$

CAx4: $t_1 \equiv_{i+1} t_2 \Rightarrow t_1 \equiv_i t_2$ for all $i \in \{1, \ldots, n-1\}$

Congruence Axioms

Let $\hat f_i$ be an extension of an operation f of arity (m, l), and let $\hat f_i^{\,j}(t_1, \ldots, t_m)$ denote the j-th component of $\hat f_i(t_1, \ldots, t_m)$; we then have the following axioms:

OAx1: $\bigwedge_{k=1}^{l} \hat f_i^{\,k}(t_1, \ldots, t_m) \equiv_i t_1$

OAx2: $\hat f_i^{\,k}(t_1, \ldots, t_m) \equiv_{i+1} \hat f_i^{\,j}(t_1, \ldots, t_m) \Rightarrow j = k$

OAx3: $(\hat f_i \circ \hat g_i)(t) \equiv_i \widehat{(f \circ g)}_i(t)$

OAx1 and OAx2 are the coupling and uniqueness properties of Section 4.3 stated for terms; OAx3 says that extending a composition of operations agrees, up to $\equiv_i$, with composing the extensions.
5 Specification Example: The IP-Protocol

In this section we illustrate the application of the extended temporal logic to communication protocols by specifying the Internet Protocol (IP for short). We will show that the model based on the hierarchy of colors is suitable for describing different system properties, such as loss of messages, duplication of messages, or preservation of ordering. The Internet Protocol is viewed as an unreliable transmission medium with a unique input channel S and a unique output channel R.

(Figure: the agent IP, with input channel S and output channel R.)
The Internet Protocol has the following properties:

Messages may be lost, duplicated, or permuted, but they cannot be created.
IP must not filter out some specific message forever.

For the specification of the IP behavior we need at least two congruence relations on the set of colors; as in Section 4.3 we call them $\equiv_1$ and $\equiv_2$, with $\equiv_2 \subseteq \equiv_1$. Translating these two relations to the set of colored messages yields the following congruence relations on messages (we reuse the symbols $\equiv_1$ and $\equiv_2$ for the induced relations):

$m \equiv_1 m' \ \overset{\mathrm{def}}{=}\ $ m and m' have congruent colors w.r.t. $\equiv_1$

$m \equiv_2 m' \ \overset{\mathrm{def}}{=}\ $ m and m' have congruent colors w.r.t. $\equiv_2$

$m \simeq_1 m' \ \overset{\mathrm{def}}{=}\ $ m and m' have the same content and $m \equiv_1 m'$

$m \simeq_2 m' \ \overset{\mathrm{def}}{=}\ $ m and m' have the same content and $m \equiv_2 m'$
First we assume that the messages on the stream S and the messages on the stream R are pairwise non-congruent w.r.t. $\equiv_2$. Under this assumption, the requirement that IP can only send what it has received (no creation) is formulated by

$$[R\ xmt\ m] \Rightarrow \Diamond^{-}_{S} [S\ xmt\ \tilde m]$$

where $\Diamond^{-}_{S}$ is the past-time "once" operator indexed by the channel S, and $\tilde m$ denotes any message which is $\simeq_1$-congruent with m. Messages that are congruent w.r.t. $\simeq_1$ are considered to be "identical". Note that the formula uses $\simeq_1$ and not $\simeq_2$: with $\simeq_2$, and the unique identification of messages on R, IP could send at most one message for each received message, which would violate the property that IP may duplicate messages.

The next property we expect from IP is that it cannot filter a specific message forever; that is, if a message is received infinitely often, it must eventually be sent. Since $\simeq_1$-congruent messages are considered identical, we formulate this property by

$$\overset{\infty}{\Diamond}_{S} [S\ xmt\ \tilde m] \Rightarrow \Diamond_{R} [R\ xmt\ m]$$

where $\overset{\infty}{\Diamond}_{S}$ reads "infinitely often on S". These two formulas ensure that messages can neither be created nor filtered forever, while they may be lost, duplicated, or permuted. If we also want to prevent messages from being permuted, we add the following formula to the specification of IP:

$$[R\ xmt\ m]\ \mathit{before}\ [R\ xmt\ n] \Rightarrow \bigl([S\ xmt\ \tilde m]\ \mathit{before}\ [S\ xmt\ \tilde n]\bigr)$$

where $\tilde m$ again denotes any message which is $\simeq_1$-congruent with m.
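To make the interplay of the two relations concrete, the following Python (an added example, not the paper's own material) checks finite traces of events against the IP properties above: unique identification on S and R w.r.t. $\equiv_2$, no creation w.r.t. $\simeq_1$, and preservation of ordering. The "no filtering forever" property is a liveness property and cannot be decided on a finite prefix, so it is not checked. The tuple encoding of colors, the reading of "P before Q" as "the first occurrence of P is no later than the first occurrence of Q", the assumption that IP gives each duplicate a fresh level-2 color, and the sample traces are assumptions of the example.

```python
"""Finite-trace checks for the IP properties of Section 5 (added example)."""
from itertools import combinations
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple


class Msg(NamedTuple):
    content: str
    color: Tuple[int, ...]   # assumed encoding: (level-1 color, level-2 color)


def cong(i: int, m: Msg, n: Msg) -> bool:
    """m ≡_i n: the colors agree on the first i levels."""
    return m.color[:i] == n.color[:i]


def ccong(i: int, m: Msg, n: Msg) -> bool:
    """m ≃_i n: same content and m ≡_i n."""
    return m.content == n.content and cong(i, m, n)


Event = Tuple[str, Msg]   # (channel name, colored message)


def unique_on(trace: Sequence[Event], ch: str, i: int) -> bool:
    """Unique identification: the messages on channel ch are pairwise non-≡_i."""
    msgs = [m for c, m in trace if c == ch]
    return not any(cong(i, a, b) for a, b in combinations(msgs, 2))


def no_creation(trace: Sequence[Event]) -> bool:
    """[R xmt m] ⇒ ◇⁻_S [S xmt m̃], m̃ ≃_1 m: every message sent on R has a
    ≃_1-congruent message received earlier on S."""
    for t, (ch, m) in enumerate(trace):
        if ch == "R" and not any(c == "S" and ccong(1, m, x) for c, x in trace[:t]):
            return False
    return True


def first_on_s(trace: Sequence[Event], m: Msg) -> Optional[int]:
    """Position of the first event [S xmt m̃] with m̃ ≃_1 m, or None if there is none."""
    for t, (ch, x) in enumerate(trace):
        if ch == "S" and ccong(1, m, x):
            return t
    return None


def order_preserved(trace: Sequence[Event]) -> bool:
    """[R xmt m] before [R xmt n] ⇒ ([S xmt m̃] before [S xmt ñ]).
    'P before Q' is read as: the first occurrence of P is no later than the first
    occurrence of Q, so two copies of one received message do not violate it."""
    sent = [(t, m) for t, (ch, m) in enumerate(trace) if ch == "R"]
    for (_, m), (_, n) in combinations(sent, 2):    # m is sent strictly before n
        fm, fn = first_on_s(trace, m), first_on_s(trace, n)
        if fm is None or fn is None:                  # a created message: reported by no_creation
            continue
        if fm > fn:
            return False
    return True


def ip_report(trace: Sequence[Event]) -> Dict[str, bool]:
    """All decidable IP properties for one finite trace."""
    return {
        "unique_S": unique_on(trace, "S", 2),
        "unique_R": unique_on(trace, "R", 2),
        "no_creation": no_creation(trace),
        "order": order_preserved(trace),
    }


def dup(m: Msg, k: int) -> Msg:
    """Assumed extension of duplication: the k-th copy keeps the level-1 color and
    gets a fresh level-2 color, so it is ≃_1 but not ≡_2 to the original."""
    return Msg(m.content, (m.color[0], k))


# Constructed sample traces (not taken from the paper).
A, B, C = Msg("a", (1, 0)), Msg("b", (2, 0)), Msg("c", (3, 0))
LOSSY_DUP: List[Event] = [("S", A), ("S", B), ("S", C), ("R", A), ("R", dup(A, 1)), ("R", C)]
PERMUTED: List[Event] = [("S", A), ("S", B), ("R", B), ("R", A)]
CREATED: List[Event] = [("S", A), ("R", Msg("z", (9, 0)))]
COLLIDING: List[Event] = [("S", A), ("R", A), ("R", A)]   # a duplicate without a fresh color

if __name__ == "__main__":
    for name, tr in [("LOSSY_DUP", LOSSY_DUP), ("PERMUTED", PERMUTED),
                     ("CREATED", CREATED), ("COLLIDING", COLLIDING)]:
        print(name, ip_report(tr))
```

The COLLIDING trace shows why duplication needs the finer relation in the model: two copies carrying the same color are $\equiv_2$-congruent, so the unique-identification assumption on R fails even though no creation has taken place; with a fresh level-2 color, as in LOSSY_DUP, the copies remain $\simeq_1$ to the received message and every property holds.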
6 Conclusion

We have extended linear temporal logic in order to express properties of communication protocols. We have shown that the inexpressiveness problems of linear temporal logic in specifying protocols are caused by the inability to uniquely identify messages on an infinite stream. In some applications, such as [Koy 87] and [Pnu 92], the unique identification of messages on streams was achieved by indexing the messages of a stream with natural numbers. We have shown that using natural numbers as unique identification does not overcome all inexpressiveness problems, especially when properties of composed systems are considered. We have therefore extended our semantic model by introducing a hierarchy of congruence classes of colors that serve to uniquely identify messages on streams. This extension increases the expressive power of the logic without complicating the description of protocol properties. We should point out that the use of colored messages is not a restrictive assumption, since colors are only introduced at the semantic level and are not intended to be implemented. Colors are introduced in order to achieve a simple and elegant specification of communication protocols.
Acknowledgements
I am grateful to Peter Pepper for comments and helpful discussions. Special thanks also to Niamh Warde for correcting and improving the English in this paper.
References

[Bro 88] M. Broy, Requirement and Design Specification for Distributed Systems. In: F.H. Vogt (ed.): Concurrency 88. Lecture Notes in Computer Science Vol. 335, pp. 33-62, Berlin: Springer 1988.

[EM 85] H. Ehrig, B. Mahr, Fundamentals of Algebraic Specification 1. EATCS Monographs on Theoretical Computer Science. Berlin: Springer 1985.

[Hoa 85] C.A.R. Hoare, Communicating Sequential Processes. Prentice Hall International, 1985.

[Koy 87] R. Koymans, Specifying Message Passing and Time-Critical Systems with Temporal Logic. Lecture Notes in Computer Science Vol. 651, Berlin: Springer 1992.

[Kro 87] F. Kröger, Temporal Logic. Berlin: Springer 1987.

[Lam 83a] L. Lamport, What Good is Temporal Logic. Proceedings of IFIP Congress, Paris 1983. Amsterdam: North-Holland, pp. 657-668.

[Lam 83b] L. Lamport, STL/SERC Problems. Proceedings of a Tutorial and Workshop, Cambridge University, September 1983. Lecture Notes in Computer Science Vol. 207, Berlin: Springer 1985.

[LPZ 85] O. Lichtenstein, A. Pnueli, L. Zuck, The Glory of the Past. Proceedings of the Workshop on Logics of Programs 85, Lecture Notes in Computer Science Vol. 193, pp. 196-218, Berlin: Springer 1985.

[MP 91] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems. Springer 1991.

[BKP 84] H. Barringer, R. Kuiper, A. Pnueli, Now You May Compose Temporal Specifications. Proceedings of the 16th ACM Symposium on Theory of Computing, 1984, pp. 51-63.

[Pnu 92] A. Pnueli, System Specification and Refinement in Temporal Logic. Lecture Notes in Computer Science Vol. 652, Berlin: Springer 1992.

[Rei 88] W. Reisig, Temporal Logic and Causality in Concurrent Systems. Proceedings of CONCURRENCY 88, Hamburg. Lecture Notes in Computer Science, Springer 1988.

[SCFM 84] A.P. Sistla, E.M. Clarke, N. Francez, Y. Gurevich, Can Message Buffers be Characterized in Linear Temporal Logic? Information and Control, Vol. 63, pp. 88-112, 1984.

[Wol 81] P. Wolper, Temporal Logic Can Be More Expressive. Proceedings of the 22nd Symposium on Foundations of Computer Science, Nashville, TN, Oct. 1981.