CSE 555 Protocol Engineering

1
CSE 555Protocol Engineering

• Dr. Mohammed H. Sqalli
• Computer Engineering Department
• King Fahd University of Petroleum Minerals
• Credits Dr. Abdul Waheed (KFUPM)
• Spring 2004 (Term 032)

2
Validation Models
3
Topics (Ch. 5)

• Processes, channels, and variables
• Communicating sequential processes (CSP)
• Control flow
• Modeling timeouts

4
Validation Models

• There are five main elements of a protocol
  definition
• A service specification
• Explicit assumptions about environment
• Protocol vocabulary
• Format definitions
• Procedure rules
• Procedure rules are hardest to specify and design
• Should be complete
• Should be consistent
• PROMELA language used to specify and verify
  procedure rules
• Procedure rules provide a partial description of
  a protocol
• This partial description is called validation
  model

5
PROMELA for Describing Validation Models

• Goal is to model protocols
• To study their structure
• To verify their completeness and logical
  consistency
• Simplifications are needed for description at an
  abstract level
• Avoid implementation details
• No need to describe how a message is encoded,
  transmitted, or stored
• Focus on the design of a complete and consistent
  set of rules for interactions in a distributed
  system
• PROMELA (PROtocol Meta Language)
• A language for specifying system behavior in
  formal validation models
• A validation model defines interactions of
  processes in a distributed system

6
Processes, Channels, and Variables

• Procedure rules described as formal programs for
  an abstract model of a distributed system
• Model has to be
• Simple
• Powerful to represent all types of coordination
  problems in distributed systems
• A validation model can be described in terms of
  processes, message channels, and state variables
• For the purpose of analysis, each of these
  objects may be translated into a FSM.
• Process
• These are global objects
• Channel
• A message passing abstraction
• Represent data that can be global or local to a
  process
• Variable
• Represent data that can be global or local to a
  process

7
Executability of Statements

• Not all PROMELA statements are executable
• This is unlike programming languages
• Statements are same as conditionals
• Statements are either in blocked state or
  executable state
• Statements are executable only when the
  conditions they represent hold
• A process can wait for an event by waiting for a
  statements executability
• Assignment statements to variables are always
  executable
• Executability is the basic means of
  synchronization
• Example
• Instead of writing while (a!b)
• We can write in PROMELA(ab)

8
Variables and Data Types

• Variables have one of two levels of scope
• Global
• Local to a process
• Within each level, objects must be declared
  before they can be referenced
• Example

• When simulated this model produces the output

9
Variables and Data Types (Cont.)

• Variables can be one of 6 data types
• bit, bool, byte, short, int, unsigned, chan,
  mtype, pid
• unsigned can be used to declare a quantity that
  is stored in a user-defined number of bits n,
  with 1 n 32.
• With the exception of short and int, these data
  types can store only unsigned values.
• The precise value ranges of the various types is
  implementation dependent.
• For short, int, and unsigned, the effective range
  matches those of the same types in C programs
  when compiled on the same hardware.
• For byte, chan, mtype, and pid, the range matches
  that of the type unsigned char in C programs.
• The value ranges for bit and bool are always
  restricted to two values.

10
Variables and Data Types (Cont.)

• All variables (global or local), including
  arrays, are by default initialized to 0.
• Variables always have a strictly bounded range of
  possible values.
• E.g., variable w in the last example can only
  contain values from 0 to 7.
• If a value is assigned to a variable that lies
  outside its declared domain, the assigned value
  is automatically truncated.
• E.g., byte a 300 results in the assignment of
  the value 44 (300256).
• Note When such an assignment is performed during
  random or guided simulations, SPIN prints an
  error message to alert the user to the
  truncation. The warning is not generated during
  verification runs, to avoid generating large
  volumes of repetitive output.
• Multiple variables of the same type can be
  grouped behind a single type name.
• E.g., byte a, b3 1, c 4

11
mtype Variables

• Variables of type mtype can hold symbolic values.
• An mtype declaration is typically placed at the
  start of the specification, and merely enumerates
  the names.
• There can be multiple mtype declarations in a
  model, but distinct declarations do not declare
  distinct types.
• None of the names specified in an mtype
  declaration can match reserved words from
  PROMELA, such as init, or short.
• printm can be used to print the symbolic name of
  an mtype variable.
• No more than 255 symbolic names can be declared
  in all mtype declarations combined.
• The SPIN parser flags an error if this limit is
  exceeded.

12
Arrays

• Variables can be declared as arrays
• Examplebyte stateN
• It declares an array of N bytes, accessed as for
  examplestate0 state3 5state32/nwher
  e n can be a constant or a variable
• Index of an array
• Any expression that determines a unique integer
  value
• Valid range of an index will be from 0 to N-1
• An index outside of this range will cause a
  runtime error
• Only one-dimensional arrays of variables are
  supported
• Possible to define multidimensional arrays by
  using structure definitions

13
Data Structures

• PROMELA has a mechanism for introducing new types
  of record structures of variables. E.g., Field
  and Record
• This mechanism allows for an indirect way of
  declaring multidimensional arrays.
• A two-dimensional array can be created. E.g.,
  Array
• This creates a data structure of sixteen
  elements, that can be referenced as ai.elj

14
Process Types

• A process has
• A type name (i.e., process type) - declaration
• Instantiations (i.e., processes) - executions
• All processes are defined through proctype
  declaration
• Example a process with one local variable named
  stateproctype A() byte state state 3
• The process type is named A
• Body may consist of local variables or channel
  declarations and statements
• Statements are separated by (separator) or
  -gt (causal relationship)
• No statement terminator
• Example byte state 2 / global variable /
  proctype A() (state1) -gt state 3proctype
  B() state state 1
• Processes of type B are executable and terminates
  without delay
• Processes of type A are delayed until variable
  state contains required value

15
The Initial Processes

• PROMELA needs something like main() in C
• A proctype definition only declares process
  behavior
• How to execute it?
• It uses a process of type init, which is
  comparable to main() or
• It uses active proctype to instantiate a process
  once
• Initially only these processes are executed
• Process of type init
• It Does not have to be declared explicitly in a
  PROMELA specification
• Processes declared using active proctype
• Examples PROMELA equivalent of C hello world
  program
• init printf(hello world\n)
• active proctype hello() printf(hello world\n)
  
• Output
• spin hello.pml
• hello world
• 1 process created

16
The Initial Processes (Contd)

• The init process can
• Initialize global variables
• Create message channels
• Instantiate other processes using run
• Using init process to run other processes
• Example init run A() run B()
• Two processes will run concurrently with init
• The run statement is executable and returns a
  positive result only if the process of a given
  type can be instantiated
• It is unexecutable and returns 0 if process
  cannot be instantiated, e.g., due to too many
  processes
• Value returned by run is a run-time process
  number or pid
• Number of processes and channels is bounded
• PROMELA models only finite state systems

17
proctype Process

• We can create multiple instantiations of a given
  proctype.
• Each running process has a unique process
  instantiation number (pid).
• A pid is always non-negative, and assigned in
  order of creation, starting at zero for the first
  created process.
• Each process can refer to its own pid via the
  predefined local variable _pid.
• The two processes print the value of their pid
  and then terminate.
• Process execution is asynchronous
• The two output lines are in numeric order here
• It could have been the opposite.
• Note By default, during simulation runs, SPIN
  arranges for the output of each active process to
  appear in a different column the pid number is
  used to set the number of tab stops used to
  indent each output line produced by a process.
  (can be suppressed by using he option T (i.e.,
  spin T)

18
Passing Parameters to a Process

• Example
• proctype A (byte state short set)
• (state 1) -gt state set
• init run A(1, 3)
• Parameter passing is by value
• Parameter values cannot be passed to the init
  process, or to processes that are instantiated as
  active proctype.
• If these active proctype processes have formal
  parameters, they are treated as local variables
  initialized to zero.
• Valid parameter types
• Basic data types
• Message channels
• Invalid parameters
• Arrays
• Process types

19
Spawning Other Processes

• Any running process can instantiate other PROMELA
  processes by using run.
• A disadvantage it often creates one process more
  than strictly necessary (i.e., the init process).
• For simulation, this would not matter much.
• In system verification, the system descriptions
  are kept at a minimum avoiding all unnecessary
  elements (i.e., use active proctype)

20
Spawning Other Processes (Cont.)

• Other processes can be spawned from any process
  using run
• Not limited to the init process
• Processes do not behave like functions.
• Each process, no matter how it is created,
  defines an asynchronous thread of execution that
  can interleave its statement executions in
  arbitrary ways with other processes.

21
Process Termination and Process Death

• Process termination and process death are two
  distinct events in PROMELA.
• A process terminates when it reaches the end
  of its code.
• A process can only die and be removed as an
  active process if all processes that were
  instantiated later than this process have died
  first.
• Processes can terminate in any order, but they
  can only die in the reverse order of their
  creation.
• When a process has terminated, it can no longer
  execute statements, but will still be counted as
  an active process.
• Its pid number remains associated with this
  process and cannot be reused for a new process.
• When a process dies, it is removed from the
  system and its pid can be reused for another
  process.

22
provided clause

• A process cannot take any step unless its
  provided clause evaluates to true.
• The provided clauses used in this example force
  the process executions to alternate, producing an
  infinite stream of output.
• An absent provided clause defaults to the
  expression true.
• The use of provided clauses can disable some of
  SPINs most powerful search optimization
  algorithms.

23
Synchronization Problems

• Potential synchronization problems due to
  concurrent processes
• Deadlocks
• Races

24
Example of Synchronization Problems

• Consider the following system of two processes
  sharing access to the global variable state
• byte state 1
• proctype A() (state 1) -gt state state 1
  
• proctype B() (state 1) -gt state state 1
  
• init run A() run B()
• Case 1
• One of the two processes terminates before the
  other
• Other process blocks forever on the state1
  condition
• Case 2
• Both processes pass condition simultaneously
• Both processes terminate but the final value of
  variable state is unpredictable
• Could be 0, 1, or 2

25
How To Solve Synchronization Problems

• Many possible solutions have been proposed
• Do not use global variables
• Use of special instructions
• Guarantee indivisible (atomic) sequence of test
  and set instructions on a shared variables
• Dekkers mutual exclusion algorithm (1962)
• Petersons mutual exclusion algorithm (1981)
• Dekkers algorithm grants mutually exclusive
  access to a shared variable using 3 global state
  variables
• Exclusive access to an arbitrary critical section
  in the code

26
Dekkers Algorithm in PROMELA

• Three global variables
• x, y, t
• Synchronize conditions
• Line 11 and 18
• This algorithm can be executed repeatedly
• Algorithm is independent of the speeds of the two
  processes
• PROMELA can avoid atomic test-and-set sequence
  using atomic sequences

27
Atomic Sequences

• A sequence of statements enclosed in parenthesis
  can be prefixed with keyword atomic
• An atomic sequence is one that is executed as
• One indivisible unit
• Non-interleaved with any other processes
• An error occurs if any statement other than the
  first in an atomic sequence blocks
• Executing process aborts in that case

28
Atomic Sequences An Example

• Example re-written with atomic sequences
• byte state 1
• proctype A() atomic (state 1) -gt state
  state 1
• proctype B() atomic (state 1) -gt state
  state 1
• init run A() run B()
• Final value of state is either 0 or 2
• Depending on which process is executed first

29
Atomic Sequences Another Example

• Atomic sequences can be used to restrict the
  amount of interleaving among processes
• Reduces complexity of the validation model
• Does not alter the behavior in any way
• Body of a process can be re-written as atomic
• Usually easy to identify such statements that can
  be re-written as atomic sequences
• Example
• proctype nr(short pid, a, b)
• int res
• atomic res (aab)/2a
• printf(result d d\n, pid, res)
• init run nr(1,1,1) run nr(1,2,2) run
  nr(1,3,2)