1). In LIPS, the behaviour of a process is specified through the ordering in time of the process' actions.

An input and an output action taking place at gate g are denoted respectively by g and g̅; they can be regarded as simple actions. Act, the set of actions, is endowed with a dot product intended to denote the simultaneous occurrence of several actions, e.g. a • b is the action given rise to by the simultaneous occurrence of actions a and b. If a and b are simple actions, they are said to be the factors of the compound action a • b.

Owing to its intended meaning, the product must be commutative and associative. Moreover, the idle action 1 may be regarded as simultaneous with any action, and accordingly 1 is taken to be the unity for "•". Finally, it is assumed that for each action a ∈ Act there is an inverse a̅ ∈ Act such that a • a̅ = 1. The above properties imply that (Act, •, 1, ‾) is an abelian group. As suggested by the notation, the simple actions g and g̅ are defined to be the inverse of each other, and therefore, by a standard property of abelian groups, the factors of a̅ are the inverses of the factors of a.

LIPS processes are built with operators which can be divided into basic and derived, the latter aimed at making the representation of OSI protocols easier. The semantics of basic operators is given in Table 1, in terms of inference rules for the relation -a-> (P -a-> Q means that process P can perform action a and become Q at the next time unit); derived operators are defined in Table 2 in terms of the basic ones. An informal introduction is provided below.

Action
For each action a ∈ Act and process P, (a:P) is the process which performs a, followed, after one time unit, by the behaviour of P.

Choice
If P and Q are processes, P + Q denotes a process offering to behave either like P or like Q. Thus, the choice operator can be used to model non-determinism in process behaviour. Note that action binds tighter than choice, so that a:P + Q ≡ (a:P) + Q.

Product
P*Q represents the synchronous parallel evolution of processes P and Q. At each time unit P*Q offers the actions resulting from the product a • b of any two actions a and b offered at that time unit by P and Q respectively. Note that if the input g is a factor of a, and the output g̅ is a factor of b (or conversely), so that g • g̅ = 1, neither g nor g̅ will be a factor of a • b. This is interpreted as an instance of communication taking place between P and Q at their common gate g, invisibly to the environment. On the other hand, if Q offers, besides b, an action b1 that does not contain the factor g̅, then g will be a factor of a • b1. Thus, P*Q permits P and Q to use their common gates to communicate invisibly to the environment, but does not conceal these gates from the environment.

Restriction
Given a gate set G, the unary postfix operator \G is defined as follows: if P is a process, P\G behaves like the process obtained from P by pruning away any subprocess that starts with an action having at least one factor at a gate in G.

The combination of product and restriction in (P*Q)\G describes the concurrent behaviour of P and Q communicating through their common gates, with a subset G of these made internal, i.e. concealed from the environment. This may be better understood from the expansion theorem10, by which the behaviour of (P*Q)\G can be expressed in terms of action and choice: let P = Σ_i p_i:P_i and Q = Σ_j q_j:Q_j; then

(P*Q)\G ≈ Σ { p_i • q_j : ((P_i*Q_j)\G) | p_i • q_j has no factors at gates in G }

where ≈ denotes observational equivalence (see below).

Process definition
The declaration p := P, where p is an identifier and P may contain p, makes p a process that can stand for P. Thus, non-terminating behaviour may be represented, e.g. p := a:p defines a process p that cyclically performs the action a.

Inaction
The inaction process 0 cannot execute any action; 0 is 'destructive' with respect to time, in that P*0 = 0 for all processes P.

Some useful derived operators, based on the four main ones and increasing the suitability of SCCS for protocol specification, are presented by Carchiolo et al.9. Here attention is restricted to exponentiation, delay and timeout.

Table 2. LIPS derived operators

Operator and syntax        Definition
Exponentiation  1^T:P      1^T:P = 1:1^(T-1):P  (T > 1);  1^1:P = 1:P
Delay           δP         δP = (1:δP) + P
                δ_n P      δ_n P = (1:δ_(n-1) P) + P  (n > 0);  δ_0 P = P
Timeout         P θ_n Q    P θ_n Q = P + 1:(P θ_(n-1) Q)  (n > 0);  P θ_0 Q = Q
Observation and abstraction
Observation means describing a system in terms of its interaction with the environment, thus abstracting from its internal characteristics. In general, a specification language should be abstract in order to avoid overspecification, which imposes unnecessary constraints on implementations.

Nondeterminism and concurrency
Two typical aspects of the OSI environment, which should be reflected by the FDT adopted, are nondeterminism and concurrency.

Nondeterminism is present whenever the evolution in time of a system is not uniquely determined. It can manifest itself in two forms: external, i.e. the environment is offered a choice of possible interactions, and internal, which originates from non-observable decisions taken internally by the system.

Concurrency is also typical of OSI, owing to resource distribution and the need for the simultaneous execution of several tasks. It should be possible to specify both synchronous and asynchronous concurrent behaviour.

Probability
The components of an OSI system are generally characterized by stochastic behaviour (e.g. messages can be lost during transmission on physical channels). This entails that a FDT should include probabilistic features, to permit performance evaluation of real OSI systems.

Figure 1. The use of LIPS as a specification technique

The receiver R waits for a message at gate d_r, and after receiving it, processes it for T2 time units, after which the message is simultaneously acknowledged at gate a_r and delivered at m_r.

Medium specification:

Medium := M1 * M2
M1 := δd_s:(M1 + d̅_r:M1)
M2 := δa_r:(M2 + a̅_s:M2)

M1 accepts a message at gate d_s and either loses it or delivers it at gate d_r. Likewise, M2 accepts an acknowledgement at gate a_r and either loses it or delivers it at gate a_s. Note that the channels M1 and M2 are assumed to introduce a propagation delay of one time unit only.

VERIFICATION

Protocol verification is aimed at ascertaining that the
specification of a protocol is complete, correct and consistent (see Reference 4).

In order to be complete, the specification of a protocol should include, e.g., the reactions to all permitted inputs, and all the service options that the protocol is intended to provide. On the other hand, overspecification is also to be avoided: the specification of a protocol should not lay down constraints that do not contribute to providing the required service.

Correctness properties of a protocol can be divided into safety and liveness properties. Safety properties forbid a protocol to enter unacceptable states (something bad never happens). Safety is often expressed by invariants that the protocol should maintain while it is engaged in a cycle, or by conditions that must hold when it reaches a terminal state. For a communication system, a typical safety property is that the output sequence should be a prefix of the input sequence; other examples are: deadlock freedom (the system never enters a state from which no progress is possible); mutual exclusion (at most one user is granted a certain resource); boundedness (the size of a queue never exceeds some upper bound); and partial correctness (a program that terminates computes the expected function).

Liveness properties demand that the protocol should eventually enter a desirable state (something good eventually happens). Examples of liveness properties are: the ability to recover from failure, e.g. to get back to a normal state after a perturbation (self-synchronization); termination (for programs intended to terminate); the absence of livelocks (unproductive cycles), e.g. due to erroneous scheduling or to critical message transmission timings (tempo-blocking); and the requirement that a protocol should achieve its goal within a finite time, or at least eventually. Eventual provision of a service may be acceptable when components such as communication channels are faulty but fair, in that they may misbehave for any finite time but not forever.

Consistency means that the service offered (needed) by the protocol should conform to that expected (provided) by the upper (lower) layer. Of course, as a by-product of consistency verification, several correctness properties may be established, e.g. if the expected service is non-terminating, consistency with it implies deadlock-freedom.

Several approaches to protocol verification exist in the literature, in relation to different kinds of specification techniques. Assertive specification is more adequate for proving selected correctness properties, whereas the behavioural/constructive approach is preferable for proving overall consistency. A behavioural approach based on the observation equivalence of Milner does not permit the study of liveness; this can, however, be treated by integrating the behavioural approach with temporal logic18,19.

The aspect of protocol verification considered in this paper is consistency between the service offered by the protocol of a layer, and the service expected by the upper layer. In the spirit of LIPS, this consistency is established by proving observation equivalence between the composition of the entities performing the protocol with the underlying service, and the specification of the expected service. This equivalence can be proved in two ways: first, by finding a suitable bisimulation relation, in accordance with the definition of observation equivalence9; or second, by applying the algebraic laws of SCCS. The former approach can be tackled by a bisimulation constructor tool, e.g. (for asynchronous behaviour) BIP1. In the latter approach, the proof can be performed by equational reasoning (for the case of asynchronous behaviour an example can be found in Reference 20). The following example deals with a synchronous system.

The example system considered enables a pair of users to communicate: messages input by a user at gate m_s are delivered to the other user at gate m_r unless a failure occurs, in which case the sending user is notified at gate f. Thus, the service expected from the system can be specified in LIPS as:

ES :=
  δm_s:1^T1:                (* message input at m_s *)
  ( 1^T2:f̅:ES               (* message lost, hence f is notified *)
  + 1:1^T3:m̅_r:             (* message received at m_r *)
    ( 1^T4:f̅:ES             (* ack lost, hence f is notified *)
    + 1:ES                  (* OK, ready for another transaction *)
    )
  )

In order to provide ES, a sender entity S and a receiver entity R interact, in accordance with a suitable protocol, via the underlying service represented by the two unreliable media M1 and M2 (see Figure 2). Individually, S, R, M1 and M2 have been introduced and formally specified in the previous section. The global behaviour of the system is defined by:

B := (S*M1*M2*R)\G

where G is the set of internal gates {d_s, a_s, d_r, a_r}. By applying the expansion theorem, we can derive the following expression for B:

B ≈ ((δm_s:1^T1:d̅_s:S1) * M1 * M2 * R)\G

  ≈ δm_s:(((1^T1:d̅_s:S1) * M1 * M2 * R)\G)

  ≈ δm_s:1^T1:( ((d̅_s:S1) * (δd_s:(M1 + d̅_r:M1)) * M2 * R)\G )

  ≈ δm_s:1^T1:1:((S1 * (M1 + d̅_r:M1) * M2 * R)\G)

  ≈ δm_s:1^(T1+1):
      ( (((a_s:S) θ_T (f̅:S)) * M1 * M2 * R)\G
      + ( ((a_s:S) θ_T (f̅:S)) * (d̅_r:M1) * M2 * δd_r:1^T2:(a̅_r • m̅_r):R )\G
      )

  ≈ δm_s:1^(T1+1):
      ( 1^T:((f̅:S) * M1 * M2 * R)\G
      + 1:( ((a_s:S) θ_(T-1) (f̅:S)) * M1 * δa_r:(M2 + a̅_s:M2) * 1^T2:(a̅_r • m̅_r):R )\G
      )

  ≈ δm_s:1^(T1+1):
      ( 1^T:f̅:B
      + 1:1^T2:m̅_r:( ((a_s:S) θ_(T-T2-2) (f̅:S)) * M1 * (M2 + a̅_s:M2)
Figure 2. Communication system

Figure 3. Transition graph and tree of the process p
one of the actions offered, which will take him to a new node, or to back up to some ancestor node. When the simulated process is made up of components, the simulator shows which components perform which actions at which gates, including the pairs of inverse actions that match to produce an idle action 1.

Some implementation notes are worth making. The core of the simulator, not surprisingly, is an algorithm der that computes the relation -a->. As a Prolog program is ultimately a collection of axioms and rules, and -a-> is indeed defined in Table 1 by such a collection, der can be straightforwardly encoded. Viewing a process definition p := P as a binary predicate ':=' with arguments p and P leads to an efficient and natural Prolog representation of LIPS process definitions. Further assets that accrue from the use of Prolog are its built-in parser and backtracking mechanism. The latter plays a fundamental role in computing the transition graph, and in permitting efficient back-up in the exploration of the transition tree.

On top of the basic tree traversal functionalities described, the simulator provides masking, environment-driven simulation and property checking.

Masking is particularly useful for highlighting the only or the few transition tree paths that represent the purpose of a process, e.g. the main objective of the ISO transport layer is to provide a data transfer service, which is not easily recognized in the transition tree, where it appears amidst the complex behaviour brought about by the protocol's abort features. In the LIPS simulator these can be neutralized by masking the processes that describe them.

Environment-driven simulation enables a process to be simulated in the presence of a given environment, which is also formally specified by a LIPS process. Thus, in order to simulate P in the presence of an environment Env with which it shares the gates G, one simulates the process (P*Env)\G. Finally, property checking consists in ascertaining that a given property is not violated by the action path incrementally constructed while traversing the transition tree. Properties are specified by Prolog predicates which can be easily interfaced with the traversal routines.

PERFORMANCE ANALYSIS

Two main performance indices are used to characterize communication systems: transfer time and throughput. Transfer time measures the 'speed' at which messages are transferred between two points of the system; throughput characterizes a communication system in terms of the number of messages or bits crossing a given interface in a time unit.

The LIPS approach to the description of communication systems permits both these parameters to be calculated; given a LIPS process it is possible to work out the time needed for a message to pass from one gate to another (i.e. the intergate transfer time), and the number of messages (or bits) passing through a given gate in a time unit (i.e. the gate throughput).

the sender. The throughput TH is then equal to the message length L divided by the transfer time T (TH = L/T).

A generalization of this scenario is that in which the system can perform non-deterministic choices. In this case there are two possibilities:

1 The observer does not know the probability associated with each action.
2 The observer knows the probability of each choice involved in the performance evaluation.

LIPS, as presented so far, enables us to formalize only the first case. Though we can calculate the time needed to cover a given path, we cannot compute the average transfer time T_m or, consequently, the throughput TH = L/T. Only specific cases can be evaluated, e.g. the worst and best cases. In order to cope also with the second case, viz. stochastic behaviour, recourse must be made to the Extended Language LIPS (ELLIPSe). This is characterized by a new notion of action, denoted by a{n}, and meaning that an action at gate a has a probability n of being observed. Accordingly, if P is defined by P := a{n1}:Q1 + b{n2}:Q2, then n1 + n2 = 1 must hold. Note that probabilities can be ascribed not only to actions, but also to process transitions, by the notations n_P(Q) and n_P(Q) for path J. The former denotes the probability that process P becomes Q, and the latter the probability that P becomes Q by following a particular path J, e.g. the probabilities associated with the processes shown in Figure 4 are:

n_P(Q) for path a:b = n1 n2
n_P(R) for path a:d = n1 n4
n_P(S) for path c:e = n3 n5
n_P(R) for path c:f = n3 n6

The probabilities that a compound process P*Q becomes some derived process are also easy to work out, e.g. if:

P := a{n_a}:P_a + b{n_b}:P_b
Q := c{n_c}:Q_c + d{n_d}:Q_d

then:

n_{P*Q}(P_a * Q_c) = n_a n_c
n_{P*Q}(P_b * Q_d) = n_b n_d
n_{P*Q}(P_a * Q_d) = n_a n_d
n_{P*Q}(P_b * Q_c) = n_b n_c

The above extensions to LIPS allow us to evaluate the performance requirements of OSI systems. This can briefly be further illustrated in a typical case dealing with the transmission of variable-length messages through an unreliable medium. An evaluation of this situation can be made on the basis of the following assumptions:

• the message length L is variable; and
• the timeout is chosen so that retransmission is avoided for the range of messages analyzed;

then <T_m>, the average transmission time, can be expressed as:

<T_m> = Σ_{L=L1}^{L2} n(L) T_m(L)

where

• L1 is the length of the shortest message;
• L2 is the length of the longest message;
• n(L) is the probability that a message has length L;
• T_m(L) is the average transfer time for a message of length L.

Note that L1 and L2 are fixed, because they characterize the system under study, n(L) is assumed known, and, as demonstrated by Carchiolo et al.21, T_m(L) can be calculated symbolically from the LIPS specifications of the interacting processes that make up the system (e.g. sender, receiver and medium in Figure 2). From <T_m> it is then possible to calculate the throughput:

TH = <L>/<T_m>

where <L> is the average message length.

CONCLUSION

The applicability of the behavioural language LIPS to the design of OSI systems has been shown. LIPS has a formal semantics, and provides a unique framework in which to treat both synchronous and asynchronous systems. The complexity of OSI systems requires that each design step (viz. specification, verification, simulation and performance evaluation) should be supported by automated tools. The development of such tools is under way, with the objective of embedding LIPS and ELLIPSe into a Prolog environment. Further studies are planned to extend LIPS to cover the verification of divergent processes16, and to enhance the suitability of ELLIPSe for stochastic performance evaluation.

ACKNOWLEDGEMENTS

Giuseppe Pappalardo's work has been supported by the Royal Signals and Radar Establishment of the UK Ministry of Defence.

REFERENCES

1 Carchiolo, V and Faro, A 'A tool for the automated verification of ECCS specifications of OSI protocols' Proc. Symposium on Discrete Event Syst. IIASA, Sopron, Hungary (1987)
2 Pappalardo, G 'Experiences with a verification and simulation tool for behavioural languages' Proc. 7th IFIP Workshop on Protocol Specification Testing and Verification North-Holland, The Netherlands (1987)
3 Bochmann, G and Sunshine, C 'Formal methods in communication protocol design' IEEE Trans. Commun. Vol COM-28 No 4 (1980)
4 Sajkowski, M 'Protocol verification techniques: status quo and perspective' Proc. 5th IFIP Workshop on Protocol Specification Testing and Verification North-Holland, The Netherlands (1984)
5 Venkatraman, R C and Piatkowski, T 'A formal comparison of formal protocol specification techniques' Proc. 5th IFIP Workshop on Protocol Specification Testing and Verification North-Holland, The Netherlands (1985)
6 Piatkowski, T F 'The state of the art in protocol engineering' Proc. SIGCOMM '86, ACM Comput. Commun. Rev. Vol 16 No 3 (1986)
7 Information Processing Systems - Open Systems Interconnection 'ESTELLE - a formal description technique based on an extended state transition model' ISO/TC97/SC21/DP9074, ISO, Geneva, Switzerland (1987)
8 Information Processing Systems - Open Systems Interconnection 'LOTOS - a formal description technique based on the temporal ordering of the observational behaviour' ISO/TC97/SC21/DP8807, ISO, Geneva, Switzerland (June 1985)
9 Carchiolo, V, Di Stefano, A, Faro, A and Pappalardo, G 'ECCS and LIPS: two languages for OSI specification and verification' Internal Report, Istituto di Informatica e Telecomunicazioni, Università di Catania, Catania, Italy (1986)
10 Milner, R 'Calculi for synchrony and asynchrony' Theor. Comput. Sci. Vol 25 (July 1983)
11 Milner, R A Calculus of Communicating Systems LNCS 92 Springer-Verlag, FRG (1980)
12 Apt, K R, Francez, N and De Roever, W P 'A proof system for communicating sequential processes' ACM Trans. Prog. Lang. Syst. Vol 2 (July 1980)
13 Levin, G M and Gries, D 'A proof technique for communicating sequential processes' Acta Inf. Vol 15 (1983)
14 Pnueli, A 'The temporal semantics of concurrent programs' Theor. Comput. Sci. Vol 13 (1981)
15 Schwartz, R, Melliar-Smith, M and Vogt, F 'An interval logic for higher level temporal reasoning' Proc. 3rd IFIP Workshop on Protocol Specification Testing and Verification North-Holland, The Netherlands (1983)
16 Brookes, S D, Hoare, C A R and Roscoe, A W 'A theory of communicating sequential processes' J. Ass. Comput. Mach. Vol 31 (July 1984)
17 Reisig, W Petri nets: an introduction Springer-Verlag, FRG (1985)
18 Carchiolo, V and Pappalardo, G 'CCS as a specification and verification technique: a case study and a comparison with temporal logic' Proc. Pacific Comput. Commun. '85 North-Holland, The Netherlands (1986)
19 Gustavsson, R and Parrow, J 'Modelling distributed systems in an extension of CCS with infinite experiments and temporal logic' Proc. 4th IFIP Workshop on Protocol Specification Testing and Verification North-Holland, The Netherlands (1985)
20 Carchiolo, V, Faro, A, Mirabella, O, Pappalardo, G and Scollo, G 'A LOTOS specification of the PROWAY highway service' IEEE Trans. Comput. Vol C-35 No 11 (November 1986)
21 Carchiolo, V, Faro, A and Malgeri, M 'Performance analysis of interacting parallel systems using LIPS' Proc. Chip, Edmonton, Canada (1988)
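The probability notation n_P(Q) of ELLIPSe and the <T_m> and TH formulas of the PERFORMANCE ANALYSIS section above can be exercised with the following Python functions, an added example that is not part of the paper. Figure 4 is not reproduced on this page, so the process FIG4_P is constructed in the shape the text describes, P := a{n1}:(b{n2}:Q + d{n4}:R) + c{n3}:(e{n5}:S + f{n6}:R), with constructed probabilities; the length distribution n(L) and the per-length transfer time T_m(L) are likewise constructed stand-ins for values that the paper obtains symbolically from the LIPS specification (Reference 21). Probabilities are kept as exact fractions so that the normalisation condition n1 + n2 = 1 is checked exactly rather than up to floating-point error, and the path-wise n_P(Q) is kept distinct from the total n_P(Q), as the text distinguishes them.

```python
"""Added example (not the paper's own code): probabilities of ELLIPSe choices
and the <T_m> / TH formulas of the PERFORMANCE ANALYSIS section.

A probabilistic process is a dict {action: (probability, successor)}; a
successor is either a process name (string) or a nested dict.  Every choice
point must satisfy n1 + n2 + ... = 1.  All numbers below are constructed.
"""
from fractions import Fraction as F

def normalised(P):
    """True if the probabilities at every choice point of P sum to 1."""
    return sum(p for p, _ in P.values()) == 1 and all(
        not isinstance(Q, dict) or normalised(Q) for _, Q in P.values())

def path_probability(P, path):
    """n_P(Q) for one particular path: the product of the probabilities of
    the actions along it; the process reached is returned as well."""
    prob = F(1)
    for a in path:
        p, P = P[a]
        prob *= p
    return prob, P

def prob_of_becoming(P, target):
    """n_P(target): the total probability that P becomes target, summed over
    every path that leads to it."""
    total = F(0)
    for p, Q in P.values():
        if Q == target:
            total += p
        elif isinstance(Q, dict):
            total += p * prob_of_becoming(Q, target)
    return total

def product_probabilities(P, Q):
    """One-step probabilities of the compound process P*Q:
    n_{P*Q}(P_a * Q_c) = n_a n_c for each pair of choices."""
    return {(a, c): pa * pc for a, (pa, _) in P.items()
                            for c, (pc, _) in Q.items()}

def average_transfer_time(n, t_m):
    """<T_m> = sum over L = L1..L2 of n(L) T_m(L); n maps L to its probability."""
    return sum(nL * t_m(L) for L, nL in n.items())

def throughput(n, t_m):
    """TH = <L> / <T_m>, <L> being the average message length."""
    avg_len = sum(nL * L for L, nL in n.items())
    return avg_len / average_transfer_time(n, t_m)

# A process of the shape described for Figure 4 (constructed probabilities):
#   P := a{n1}:( b{n2}:Q + d{n4}:R ) + c{n3}:( e{n5}:S + f{n6}:R )
N1, N3, N2, N4, N5, N6 = F(3, 5), F(2, 5), F(1, 4), F(3, 4), F(1, 2), F(1, 2)
FIG4_P = {'a': (N1, {'b': (N2, 'Q'), 'd': (N4, 'R')}),
          'c': (N3, {'e': (N5, 'S'), 'f': (N6, 'R')})}

# One-step product of two constructed two-way choices, P := a{1/3}:Pa + b{2/3}:Pb
# and Q := c{1/4}:Qc + d{3/4}:Qd.
PQ = product_probabilities({'a': (F(1, 3), 'Pa'), 'b': (F(2, 3), 'Pb')},
                           {'c': (F(1, 4), 'Qc'), 'd': (F(3, 4), 'Qd')})

# Constructed length distribution n(L) for L1 = 1 .. L2 = 4, and a constructed
# T_m(L): 3 time units of fixed overhead plus 2 per unit of length.
N_OF_L = {1: F(1, 4), 2: F(1, 4), 3: F(1, 4), 4: F(1, 4)}
def T_M(L):
    return 3 + 2 * L

if __name__ == '__main__':
    print(path_probability(FIG4_P, ['a', 'd']))   # n_P(R) for path a:d = n1 n4
    print(prob_of_becoming(FIG4_P, 'R'))          # n1 n4 + n3 n6, over both paths
    print(PQ[('a', 'c')], sum(PQ.values()))       # n_a n_c, and the four terms sum to 1
    print(average_transfer_time(N_OF_L, T_M), throughput(N_OF_L, T_M))
```

With the constructed values the two paths into R contribute n1 n4 = 9/20 and n3 n6 = 4/20, so n_P(R) = 13/20, while <L> = 5/2, <T_m> = 8 and TH = 5/16 messages per time unit; replacing T_M with the symbolic T_m(L) derived from a LIPS specification is the step the paper attributes to Reference 21.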