Investigating a File Transmission Protocol using CSP and B - PowerPoint PPT Presentation
1
Investigating a File Transmission Protocol using
CSP and B
  • Neil Evans, Steve Schneider, Helen Treharne
  • Royal Holloway, University of London

2
CSP B Philosophy
  • Use existing tool support to develop and analyse
    systems with complex state and control (event)
    requirements
  • FDR for analysing control aspects (CSP)
  • B Toolkit for analysing operations on state
  • Morgan's CSP semantics of action systems provides
    a formal link between the two worlds

3
The Language of CSP B
  • Controllers are defined using a sequential subset
    of CSP
  • Communication channels link controllers
  • Machine channels call (non-blocking) operations
    in the B machines
  • CSP events may be augmented with assertions
    during verification

[Diagram omitted; surviving labels: "An event", "matches"]
4
Bounded Retransmission Protocol
[Diagram: SENDER, MEDIUM, RECEIVER]
  • SENDER accepts arbitrary length files from its
    environment
  • File components are sent within structured
    PACKETS over a lossy MEDIUM
  • RECEIVER passes the file components of each
    packet to its environment
  • Both SENDER and RECEIVER also pass status
    information to the environment

5
Modelling the Protocol
[Diagram: SenderCtrl PROCESS and ReceiverCtrl PROCESS communicating via MEDIUM; channels: req, conf, ind, ind_err, trans, rec, recack, sendack; machines: SENDER MACHINE, RECEIVER MACHINE]
  • SENDER MACHINE handles the file components and
    packet construction
  • A variation on the alternating bit protocol is
    used to determine fresh packets
  • RECEIVER MACHINE contains an operation to
    compare bits
  • Retransmissions and bounded behaviour are
    controlled by timeouts

6
Modelling the Protocol (cont.)
[Diagram: as on slide 5, with the additional channels dec, abort and dec between the controllers and the SENDER MACHINE / RECEIVER MACHINE]
  • Time cannot be modelled directly using this
    approach
  • Synchronisation channels are used to model
    timeouts
  • Retransmissions occur only when messages are
    lost by the MEDIUM
  • Both the SENDER and the RECEIVER abort a
    transmission at the same time

7
The Flow of Control

8
The Flow of Control (Cont.)
  • In contrast, the receiver's controller consists
    of three sub-processes:
  • ReceiveCtrl when nothing has been sent to the
    receiver
  • ReceivePacket1 when a partial file transfer is
    in progress
  • ReceivePacket2 awaiting the first packet of a
    new file, but it is prepared to accept
    retransmissions of the last packet

9
Operations with Preconditions
  • Both get_packet and advance require the file
    stored in the Sender machine to be non-empty. The
    operation dec requires the number of
    retransmissions to be positive

10
Formal Analysis

[Diagram: controllers Pi, Pi1 paired with machines Mi, Mi1]
  • Consistency means that each controller Pi never
    calls a machine operation in Mi outside its
    precondition. All other results are dependent on
    consistency!
  • Deadlock freedom of a system holds if Pi is
    deadlock free shown in FDR
  • Livelock freedom of a system in which all
    internal events (aInt) are hidden can be shown by
    showing that Pi \ aInt is livelock free
  • Abstract CSP specifications can be used to check
    a system's external behaviour

11
Formal Analysis (Cont.)
  • In order to prove properties using FDR, it is
    usually necessary to augment controller processes
    with state information
  • It might also be necessary to constrain the
    messages passed on channels by adding assertions
    to controller events
  • Once the property has been verified all
    augmentations can be removed
  • All such modifications must be done so that
    consistency is maintained

12
Proof of Consistency
  • Each process body is translated into an
    equivalent sequence of B operations
  • A control loop invariant (CLI) is constructed so
    that:
  • The CLI is established after initialisation
  • Each (translated) process body maintains the
    invariant
  • This is comparable to Floyd's method for
    analysing program loops

13
Example the buffer properties of the Bounded
Retransmission Protocol

14
The Augmented Sender Controller

15
The Augmented Sender Controller (Cont.)

16
The Augmented Sender Controller (Cont.)

17
Livelock Freedom of the BRP
  • Intuitively, the bounded nature of the protocol
    tells us that the formal model of the BRP should
    be livelock free
  • We need to augment the Sender controller process
    with the length of the file and the number of
    retransmissions; one of these values strictly
    decreases with each recursive call
  • We cannot use diverging assertions. However, a
    theoretical result allows us to replace them with
    blocking assertions as long as consistency is
    maintained
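The following is an added example, not the authors' CSP||B model and not something checked with FDR or the B Toolkit. It is a small Python model of the protocol as sketched on slides 5, 6, 9, 10 and 17: the SENDER and RECEIVER machines carry the state (file components, alternating bit, retransmission budget), the operations get_packet, advance and dec guard their preconditions and raise if a controller calls them outside those preconditions (a consistency failure), timeouts are a synchronisation rather than real time, a loss pattern constructed inline plays the role of the lossy MEDIUM, and the pair (file length, retransmissions left) is checked to decrease strictly on every loop iteration, which is the variant argument behind livelock freedom. The bound MAX_RETRANS, the packet layout and the loss-pattern format are assumptions; the operation names come from the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

MAX_RETRANS = 3  # assumed bound on retransmissions; the slides give no value


class PreconditionViolated(Exception):
    """A controller called a machine operation outside its precondition,
    i.e. the 'consistency' property of the slides has been broken."""


@dataclass
class SenderMachine:
    """State-based half of the sender: file components, alternating bit and
    the remaining retransmission budget for the current packet."""
    file: List[str]
    bit: int = 0
    retrans: int = MAX_RETRANS

    def get_packet(self) -> Tuple[int, bool, str]:
        """PRE file non-empty. Build (bit, last-packet flag, component)."""
        if not self.file:
            raise PreconditionViolated("get_packet on an empty file")
        return self.bit, len(self.file) == 1, self.file[0]

    def advance(self) -> None:
        """PRE file non-empty. Drop the acknowledged component, flip the bit
        and restore the retransmission budget."""
        if not self.file:
            raise PreconditionViolated("advance on an empty file")
        self.file.pop(0)
        self.bit ^= 1
        self.retrans = MAX_RETRANS

    def dec(self) -> None:
        """PRE retrans > 0. Spend one retransmission (called on timeout)."""
        if self.retrans <= 0:
            raise PreconditionViolated("dec with no retransmissions left")
        self.retrans -= 1


@dataclass
class ReceiverMachine:
    """State-based half of the receiver: the bit it expects next and the
    components it has passed to its environment (channel ind)."""
    expected_bit: int = 0
    delivered: List[str] = field(default_factory=list)

    def compare_bits(self, bit: int) -> bool:
        """True iff the packet is fresh (not a retransmission)."""
        return bit == self.expected_bit

    def accept(self, component: str) -> None:
        self.delivered.append(component)
        self.expected_bit ^= 1


def variant(s: SenderMachine) -> Tuple[int, int]:
    """Lexicographic variant: (components left, retransmissions left)."""
    return len(s.file), s.retrans


def run_brp(file: Iterable[str], losses: Iterable[bool]) -> Dict:
    """Run both controllers over a deterministic lossy MEDIUM.

    `losses` (constructed input) is consumed one flag per message attempt,
    packet first, then its ack; True means the MEDIUM drops that message,
    and an exhausted pattern means no further loss. A timeout is modelled,
    as on the slides, by a synchronisation between the controllers.
    """
    sender = SenderMachine(list(file))
    receiver = ReceiverMachine()
    drops = iter(losses)
    trace: List[Tuple[Tuple[int, int], Tuple[int, int]]] = []
    status = "OK"

    while sender.file:                        # guard => get_packet PRE holds
        before = variant(sender)
        bit, _last, component = sender.get_packet()   # trans
        packet_lost = next(drops, False)
        ack_lost = True
        if not packet_lost:                   # rec
            if receiver.compare_bits(bit):    # fresh packet -> ind
                receiver.accept(component)    # duplicates are re-acked only
            ack_lost = next(drops, False)     # sendack / recack
        if not ack_lost:
            sender.advance()                  # conf: component confirmed
        elif sender.retrans == 0:             # budget spent: both sides abort
            status = "ABORT"
            break
        else:
            sender.dec()                      # timeout synchronisation -> dec
        after = variant(sender)
        assert after < before, "variant must strictly decrease"
        trace.append((before, after))

    return {"sender": status, "receiver": status,
            "delivered": receiver.delivered, "trace": trace}
```

The loop guard and the explicit check on `retrans` before `dec` are what make the controller consistent with the machine: every operation is called inside its precondition, and the trace of variant values is what a diverging or blocking assertion on the augmented Sender controller would be stating in the CSP model.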

18
Conclusions
  • We have seen how to combine a state-based
    formalisation with an event-based formalisation
  • Modelling a system involves separating
    state-based concerns from event-based (control)
    concerns
  • Verification requires us to move from CSP into B
    (consistency) and from B into CSP (livelock,
    trace/failures refinement)
  • Interesting relationships between the two worlds
    emerge from the verification process