VERIFICATION OF AN ALTERNATING BIT PROTOCOL BY MEANS OF PROCESS ALGEBRA

J.A. BERGSTRA, J.W. KLOP

Centre for Mathematics and Computer Science, P.O. Box 4079, 1009 AB Amsterdam, The Netherlands
We verify a simple version of the alternating bit protocol in the system $\mathrm{ACP}_\tau$ (Algebra of Communicating Processes with silent actions) augmented with Koomen's fair abstraction rule.
INTRODUCTION

Let D be a finite set of data. These data are to be transmitted through an unreliable medium from location 1 to location 2, by means of a transmission protocol T. With r1(d) we denote the act of reading datum d at location 1, whereas w2(d) denotes the act of writing value d at location 2. The external (higher level) specification of the behaviour of T is this:

$T = \sum_{d \in D} r_1(d) \cdot w_2(d) \cdot T$

From its initial state T is enabled to read any d ∈ D, thereafter T will write d at 2 and subsequently return to its initial state. A very interesting mechanism to implement T is the alternating bit protocol (from [2]). This protocol turns out to be sufficiently complicated to serve as a test case for protocol verification methods (see HAILPERN & OWICKI [7] and LAMPORT [8] for instance).

We will present a description and verification of ABP (the alternating bit protocol), in terms of process algebra. Our presentation makes extensive use of $\mathrm{ACP}_\tau$, Algebra of Communicating Processes with silent actions, as well as of ideas by C.J. Koomen from Philips Research. The advantage of process algebra in contrast to techniques based on temporal logic and Hoare-style verification is mainly that the entire verification is done in terms of calculations on the protocol itself. Both safety and liveness are simultaneously dealt with in the equational calculus of process algebra.

The structure of this note is as follows:
1. Explanation of the architecture of ABP.
2. Axioms and rules of process algebra.
3. Verification of ABP.

This work was sponsored in part by ESPRIT contract 432 METEOR.
Remark. It must be said that ABP as explained here is only one of the many variations on the same theme, and among these a rather simple one. Process algebra is well suited to specify individual protocols; at present the specification of classes of protocols is not supported by process algebra. For other issues of a philosophical nature we refer to [10] and [11].
1. ARCHITECTURE OF ABP

1.1. The protocol can be visualised as follows:

[figure: the components of ABP, with external ports 1 and 2]
There are four components:

S: sender. S reads data d at 1 (d ∈ D), and communicates the data to channel K until an acknowledgement has been received via channel L.

K: data transmission channel. K communicates data in D0 ∪ D1 (Di = {di | d ∈ D}), and may communicate these correctly or communicate an error value e. K is supposed to be fair in the sense that it will not produce an infinite consecutive sequence of error outputs.

R: receiver. R receives data from K, outputs them at 2 and sends back acknowledgements via L.

L: acknowledgement transmission channel. The task of L is to communicate boolean values from R to S. The channel L may yield error outputs but is also supposed to be fair.

The components S, K, R and L are processes.
The protocol T is described by $\partial_H(S \parallel K \parallel R \parallel L)$. Here $\parallel$ denotes parallel composition and $\partial_H$ encapsulates $S \parallel K \parallel R \parallel L$ by requiring that no external processes may interfere in the communications at ports 3, 4, 5 and 6. In order to obtain an abstract view of the protocol the operator $\tau_I$ is applied, which replaces internal actions (in I) by the silent action τ. Thus:

$T = \tau_I \partial_H (S \parallel K \parallel R \parallel L)$

Verification amounts to a proof that this T satisfies the equation

$T = \sum_{d \in D} r_1(d) \cdot w_2(d) \cdot T$
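To make the interplay of S, K, R and L concrete before the algebraic treatment, here is an added example (not from the paper) that simulates the four components in Python and checks that the trace observed at ports 1 and 2 matches the specification T = Σ r1(d).w2(d).T. The error outputs of K and L are drawn from a constructed, finite schedule, which stands in for the fairness assumption that the paper handles with Koomen's rule; the function names and the constructed inputs are my own.

```python
# Added example, not from the paper: a deterministic simulation of the four
# ABP components of section 1.1.  Channel errors for K and L come from a
# constructed, finite schedule, which plays the role of the fairness assumption.
E = "e"  # the error value a channel may deliver instead of a frame

def channel(frame, errors):
    """K or L: pass the frame through, or produce the error value e.
    The choice is the channel's internal action i; here it is read from a schedule."""
    faulty = errors.pop(0) if errors else False
    return E if faulty else frame

def run_abp(data, k_errors, l_errors):
    """Run S, K, R and L on a list of data; return the external trace at ports 1 and 2.

    data     -- values d in D to transmit, in order (read by S at port 1)
    k_errors -- constructed schedule of K's choices (True = deliver e)
    l_errors -- constructed schedule of L's choices (True = deliver e)
    """
    trace = []
    s_bit = 0       # bit S appends to the datum, so frames lie in D0 u D1
    r_expect = 0    # bit R is waiting for; a frame carrying the other bit is a duplicate
    k_errors, l_errors = list(k_errors), list(l_errors)
    for d in data:
        trace.append(("r1", d))                 # S reads d at port 1
        while True:                             # S repeats the frame until acknowledged
            frame = channel((d, s_bit), k_errors)      # S -> K -> R
            if frame == E:
                ack = r_expect ^ 1              # R re-acknowledges its last accepted frame
            else:
                datum, bit = frame
                if bit == r_expect:
                    trace.append(("w2", datum)) # R writes the datum at port 2 exactly once
                    r_expect ^= 1
                ack = bit                       # R acknowledges the bit it received
            if channel(ack, l_errors) == s_bit: # R -> L -> S; e or a stale bit means resend
                s_bit ^= 1
                break
    return trace

def expected_trace(data):
    """The specification T = sum_{d in D} r1(d).w2(d).T, unrolled for a finite run."""
    return [act for d in data for act in (("r1", d), ("w2", d))]

if __name__ == "__main__":
    observed = run_abp(["a", "b"], k_errors=[True, False, False], l_errors=[False, True, False])
    assert observed == expected_trace(["a", "b"])
    print(observed)
```

In the run above K corrupts the first frame and L corrupts the first acknowledgement, yet the duplicate retransmission is suppressed by the alternating bit and each datum is written at port 2 exactly once.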
1.2. STRUCTURE OF THE COMPONENTS OF ABP

1.2.1. Data and actions. D is the finite set of data that is to be transmitted by ABP. For d ∈ D, d0 and d1 are new data, obtained by appending 0 resp. 1 to d. We write:

$D0 = \{d0 \mid d \in D\}$, $D1 = \{d1 \mid d \in D\}$, $\hat{D} = D \cup D0 \cup D1 \cup \{0, 1, e\}$.

$\hat{D}$ is the set of data that occur as parameter of atomic actions. For t ∈ {1, ..., 6} there are read and write actions:

rt(a): read a ∈ $\hat{D}$ at t,
wt(a): write a ∈ $\hat{D}$ at t.

Here t ∈ {1, ..., 6} is called a port (or location, but we prefer port). Communication takes place at ports only: $r_t(a) \mid w_t(a) = j$, where j is an internal action. Another kind of internal action is i. It corresponds to internal choices made by K and L. The entire alphabet A of proper actions is then as follows:

$A = \{r_t(a) \mid 1 \le t \le 6,\ a \in \hat{D}\} \cup \{w_t(a) \mid 1 \le t \le 6,\ a \in \hat{D}\} \cup \{i, j, \delta\}$.

The communication function $\cdot \mid \cdot : A \times A \to A$ yields δ (deadlock or failure) except in the case mentioned before: $r_t(a) \mid w_t(a) = j$. Of course the abstraction operator will introduce Milner's silent action τ and the universe of discourse consists of the processes over A_τ = A ∪ {