Applicant. LLC Service. LAN Segment

Similar documents
Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Configuring GVRP. Introduction to GVRP GARP. How GARP works. GARP messages

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

MRP Timers Maximum attribute registrations. Craig Gunther 03 March 2010

Network Protocol Design and Evaluation

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Design of Internet Protocols:

Network Protocol Design and Evaluation

Computer Aided Verification 2015 The SPIN model checker

Tool demonstration: Spin

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

Siegfried Loer and Ahmed Serhrouchni. Abstract. SPIN is a tool to simulate and validate Protocols. PROMELA, its

MP 6 Modeling in Promela and SPIN

The SPIN Model Checker

Spin: Overview of PROMELA

The Spin Model Checker : Part I/II

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Study of IEEE 802.1p GARP/GMRP Timer Values*

Formal Verification by Model Checking

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Model Requirements and JAVA Programs MVP 2 1

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Lecture 3 SPIN and Promela

The SPIN Model Checker

Spin: Overview of PROMELA

The Spin Model Checker : Part I. Moonzoo Kim KAIST

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

FB(9,3) Figure 1(a). A 4-by-4 Benes network. Figure 1(b). An FB(4, 2) network. Figure 2. An FB(27, 3) network

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

LTL Reasoning: How It Works

Enhancement of Feedback Congestion Control Mechanisms by Deploying Active Congestion Control

T Parallel and Distributed Systems (4 ECTS)

Design and Analysis of Distributed Interacting Systems

SPIN: Introduction and Examples

Supporting IP Multicast for Mobile Hosts. Yu Wang Weidong Chen. Southern Methodist University. May 8, 1998.

Formal Verification of Process Communications in Operational Flight Program for a Small-Scale Unmanned Helicopter

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

INF5140: Specification and Verification of Parallel Systems

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Imi :... Data:... Nazwisko:... Stron:...

SRP AND RESERVATION TYPES CRAIG GUNTHER

Using Spin to Help Teach Concurrent Programming

Configuring MLD. Overview. MLD versions. How MLDv1 operates. MLD querier election

Automated Reasoning. Model Checking with SPIN (II)

Token Ring VLANs and Related Protocols

Token Ring VLANs and Related Protocols

Protocol Independent Multicast (PIM): Protocol Specication. Deborah Estrin. Ching-gung Liu. January 11, Status of This Memo

sequence number trillian:1166_==>_marvin:3999 (time sequence graph)

Configuring IGMP Snooping and MVR

A Tutorial on Model Checker SPIN

GVRP configuration commands

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

The University of Michigan. Ann Arbor, Michigan 48109{2122. fzaher, ashaikh, farnam, ABSTRACT

Fast Retransmit. Problem: coarsegrain. timeouts lead to idle periods Fast retransmit: use duplicate ACKs to trigger retransmission

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Formal Specification and Verification

Chapter 15 Local Area Network Overview

Network Working Group Request for Comments: 2236 Updates: 1112 November 1997 Category: Standards Track

CS477 Formal Software Development Methods / 32

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

EECS 122, Lecture 13. Multicast Delivery. Multicast Delivery. Reasons for Multicast. Why not just Machine Gun? Multicast Example

TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES

1 INTRODUCTION. Time Oriented Protocol Testing Simulator

MINIX 3 Process Analysis

Formal Methods for Software Development

Principles of Protocol Design. MVP10 plan. What is a protocol? Typical SPIN applications. The three parts of a protocol description

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

MLD. MLDv1 (defined in RFC 2710), which is derived from IGMPv2. MLDv2 (defined in RFC 3810), which is derived from IGMPv3.

Network Working Group Request for Comments: 1329 May Thoughts on Address Resolution for Dual MAC FDDI Networks

Configuring IGMP Snooping

TCP over Wireless Networks Using Multiple. Saad Biaz Miten Mehta Steve West Nitin H. Vaidya. Texas A&M University. College Station, TX , USA

Patrick Trentin Formal Methods Lab Class, March 03, 2017

DESIGN AND VALIDATION OF COMPUTER PROTOCOLS

CS477 Formal Software Development Methods / 39

Model-Checking Concurrent Systems

An Enhanced IEEE Retransmission Scheme

Chapter. Managed Switch Software Monitoring. In This Chapter...

3. Evaluation of Selected Tree and Mesh based Routing Protocols

ET4254 Communications and Networking 1

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

SWITCHED ETHERNET TESTING FOR AVIONICS APPLICATIONS. Ken Bisson Troy Troshynski

A Multicast User Directory Service for Synchronous Rendezvous Eve M. Schooler Computer Science Department California Institute of Technology Pasadena,

SPIN vs. VIS: A Case Study on the Formal Verification of the ATMR Protocol

Lecture 3: The Transport Layer: UDP and TCP

Transport protocols are of practical. login, le transfer, and remote procedure. calls. will operate on and therefore are generally

Continuous Real Time Data Transfer with UDP/IP

Software Engineering using Formal Methods

NET. A Hardware/Software Co-Design Approach for Ethernet Controllers to Support Time-triggered Trac in the Upcoming IEEE TSN Standards

DRAFT for FINAL VERSION. Accepted for CACSD'97, Gent, Belgium, April 1997 IMPLEMENTATION ASPECTS OF THE PLC STANDARD IEC

Configuring Rapid PVST+

Headend Station. Headend Station. ATM Network. Headend Station. Station. Fiber Node. Station. Station Trunk Splitter.

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

outside policies relayout, migrate commands managers chunks

STP (Spanning Tree Protocol) - Step by Step Configuration Tutorial

Modeling Internet Topology. Kenneth L. Calvert, Georgia Tech. Matthew B. Doar, Ascom Nexion. Ellen W. Zegura, Georgia Tech

Configuring MLD Snooping

Interface The exit interface a packet will take when destined for a specific network.

Transcription:

Verication of Group Address Registration Protocol using PROMELA and SPIN Tadashi Nakatani Fuchu Works, Toshiba Corporation, Japan February 16, 1997 Abstract This paper demonstrates robustness and eectiveness of Group Address Registration Protocol (GARP) by successful use of SPIN(3). GARP is a datalink-level protocol for dynamically joining and leaving multicast groups on a bridged LAN. It is currently in the process of standardization as a part of IEEE P802.1p(1). SPIN is used to very a model of multicast-base LAN described in PROMELA(3). The protocol has been proved to be free from incorrectness such as unspecied receptions and deadlocks. It has also been proved that there is no violation of a temporal claim for membership consistency. SPIN is found to be very powerful and easy to use without much knowledge of the formal verication. GARP is well modeled in PROMELA though it depends heavily on timers and multicasting which are not directly supported by PROMELA. 1 Introduction The multicast protocol has attracted much attention with recent advent of an interactive multi-media communication via a internet, such as web TV. The Group Addresss Registrattion Protocol(GARP) has been proposed to realize multicast interactive multimmedia communications across bridged LANs. The GARP is included in a proposed draft of IEEE P802.1p, 'Standard for Local and Metropolitan Area Networks{Supplement to Media Access Control (MAC) Bridge: Trac Class Expediting and Dynamic Multicast Filtering'. By ssuccessful use of multicast group membership information carried by GARP, bridges can expedite delivery of time critical trac and limit the extent This work was performed while the autor was a visitor at Stanford University, USA 1

of high bandwidth multicast trac within a bridged LAN. This paper applies SPIN verication tool to GARP protocol on a multicastbase LAN such as Ethernet and demonstrates robustnesss and eectiveness of the protocol in dynamically joining and leaving multicast groups on a bridged LAN. The protocol correctness and a temporal claim are proved with several modication of the model in PROMELA. This paper is organized as follows. In section 2, an overview of GARP specication is presented. In section 3, a model of the protocol which is described in PROMELA is introduced. In section 4, the verication process and the result is shown. And section 5 concludes this paper. 2 GARP Specication 2.1 Purpose GARP allows MAC service users to dynamically register (and subsequently, deregister) Multicast group membership information with the bridges attached to the same LAN segment, and for that information to be disseminated across all bridges in the bridged LAN. multicast group membership information indicates that one or more members of a group exist, along with the MAC address associated with the group. 2.2 Protocol Entity Components The GARP protocol entity involves the following component functions. a)applicant function: associated with each end station in a bridged LAN, which allows MAC service user(s) in the end station to dynamically register/de-register multicast group membership. b)regsistrar function: associated with each port of a MAC bridge, which respond to requests for registration/de-registration. c)proxy Applicant function: associated with each port of a MAC bridge, which acts on behalf of all Applicants reachable via the other ports of the bridge in order to propagate their registration/de-registration requirements across the Spanning Tree. d)leave All function: associated with each port of a MAC bridge, which performs a garbage collection function that ensures that all registered information that is no longer in use is removed from the ltering database. 2

Datebase Bridge LLC Service Registrar Leave All Filtering Proxy Applicant GARP Protocol Entity Proxy Applicant Registrar Leave All End Station MAC User GARP Protocol Entity Applicant End Station MAC User GARP Protocol Entity Applicant LLC Service LLC Service LLC Service LAN Segment Figure 1: GARP Protocol Entity Components 2.3 Overview of Protocol Operation GARP protocol exchanges take place between GARP protocol entities which comunicate by means of LLC type 1 services. 2.3.1 Initial membership registration An Applicant state machine participates in GARP protocol exchanges a MAC service user in that Applicant station signals the intent to join a Group. Registration as a Group member is achieved by the Applicant state machine sending a GARP Join PDU to the GARP address. The Applicant will then wait for a time period, JoinTime, to see whether any other Applicant on the segment registers membership of the same Group(s); so, the Applicant takes no further action, not, the Applicant sends a further Join PDU. In either case, the Applicant considers itself to have joined the Group(s) after issuing the rst Join PDU. 2.3.2 Registrar response to registration Any Registrar in receipt of a GARP Join PDU responds to it by updating the contents of its Filtering Database in a manner consistent with the information received. If the Join PDU indicates specic Group memberships which are currently not represented in the Filtering Database, the necessary entries are 3

created. If the information received represents an updating of existing entries in the Filtering Database, the entries are updated appropriately. 2.3.3 Applicant initiated de-registration De-registration as a Group member occurs when the MAC service user in an Applicant station signals the intent to leave a Group. De-registration is achieved by the Applicant state machine sending a GARP Leave PDU to the GARP address. At that point, the Applicant state machine considers that, from its own point of view, registration has terminated. Any Applicant that see a Leave PDU that species a Group of which they wish to remain a member, respond by sending a Join PDU for that Grouup. Their subsequent behavior is as for initial registration. 2.3.4 Registrar response to de-registration Any Registrar that receives a GARP Leave PDU for a Group that it considers to be registered on its Port, will wait for a time period, LeaveTime, to see whether any Applicant re-registers membership of the Group. If a Join PDU is seen, the Registrar considers the Group to be registered, and takes no further action. If another Leave PDU for the same Group is seen during LeaveTime, the timer is re-started with its initial value. On timer expiry, the Registrar issues a Leave PDU for the group concerned, and waits for a further LeaveTime. If the group is again not re-registered, the Registrar considers the Group to have been de-registered, and removes the relevant Port information from the Filtering Database entry. 2.3.5 Bridge initiated de-registration At regular time intervals, the LeaveAllTime, the Leave All state machine attempts to force de-registration for all MAC addresses currently registered in its ltering database for a given Port, by issuing a GARP Leave PDU. Any Applicant stations that do not wish particular de-registrations to occur respond in the manner indicated in Applicant initiated de-registration. This procedure has the eect of conrming registrations that are still alive, and garbage-collecting any registrations for which there are no longer any active participants on the LAN. The subsequent behavior of the Registrar state machine is as for Applicant initiated de-registration. 4

3 Modeling 3.1 Model Systems The system congured with 1 Bridge, 2 End Stations, and 1 LAN Segment was selected as a simple but enough general Basic Model System. Bridge LAN Segment End Station1 End Station2 Figure 2: Basic Model System 3.2 Modeling of Functions The following functions were modeled one function by one process. (End Station) Applicant*, LLC Service, MAC Service User (Bridge) Proxy Applicant*, Registrar*, Leave All*, LLC Service Functions marked with '*' are the components of GARP protocol entity, the others are a tester(mac Service User) and environment(llc Service). The following points were especially considered when processes were designed. 1)Message Queues GARP PDUs are multicasted via a shared access LAN like Ethernet. It seems reasonable to model packet inputs to LLC Service and packet outputs from LLC Service with synchronous message queues(6). Output queues from LLC Service Process is designed to have size(1) to model receiver station's buer while input 5

queues to LLC Service Process are rendezvous. 2)Lossy LLC Service Process To model packet losses 'on the wire', LLC Servic Process forwards a message from a sender process to 0-2 receiver process(es) undeterminently. 3)Timeouts (Proxy) Applicant, Registrar, and Leave All state machines have timers. As PROMELA does not have a way to describe quantitative timer, 'empty' of message queues is used to represent timeouts(7). And timer-ags which represents timer is running or stopping are introduced. 4)End labels To identy deadlocks correctly, end labels are attached to the message waiting states of (Proxy) Applicant, Registrar, and LLC Service processes. 5)Unspecied receptions To identy unsigned receptions correctly, 'assertion(0)'s are placed where unspecied messages may be received. 6)Unbalanced MAC Service User Processes To suppress the number of states as well as to maintain enough generality, two MAC Service User Processes don't have to be symmetrical. All processes described in PROMELA are provided in Appendix A. 4 Verication 4.1 Running Environment H/W: Pentiam-120, Mem > 100MB S/W: Linux 2.0.24, SPIN 2.9.3, XSPIN 2.9.1 4.2 State Properties First, the state properties, that is, the absenses of unspecied receptions, unreached codes and deadlocks was proved. The rst run was performed at supertrace mode modeling non-messageoverow, that is, message send operation is executable only the target channel is non-full. Soon SPIN detected a deadlock and showed the senario to the deadlock and the nal states of each process. 6

Bridge Registrar Process leave join leave Leave All Process leave all LLC Service Process join Applicant Process 1 Applicant Process 2 End Station 1 End Station 2 indicating stop points of each process Figure 3: Deadlock in Non-Message-Overow-Model The reason of this deadlock is LLC Service Process and Registrar Process are trying to send messages simultaneously when both channels between the processes are full. In a real system, bridges and end stations have enough buers and packets are rarely dropped. But it can happen theoretically. So the model was modied to Message-Overow-Model. In Message-Overow-Model, messages can be discarded only when messages try to get into full queues from LLC Service Process. (The other queues are still synchronous because they are congured as rendezvous queues.) In this time, SPIN found no assertion violations, no deadlocks, and no unreached codes. But the state coverage was not enough(hash factor = 5.25). To reduce complexity without losing generality, the verication was performed for the following two models seperately. 1)1 Bridge(1 Registrar), 2 End Stations(2 Mac Service Users, 2 Applicants), 7

1 LAN Segment(1 LLC Service) 2)1 Bridge(1 Registrar, 1 Leave All), 1 End Stations(1 Mac Service User, 1 Applicant), 1 LAN Segment(1 LLC Service) In both cases, SPIN proved that the protocol has no assertion violations(i.e. unspecied receptions) and no deadlocks with acceptable state coverages (hash factors: 14.4, 213) In the case 1, all codes were reached. 4.3 Temporal Claim The most important requirement of GARP is that there are no membership inconsistencies between Bridges and End Stations. The membership consistency means If at least one member exists in a LAN, the Bridge must recognize it as soon as possible (at least eventually) The claim was expressed as follows using the temporal logic. [](p!<>([]q)) p: (MAC User Process1 ends) q: (Registrar Process state is not OUT) where Process1 was modied to only send ReqJoin message once. Then this claim was transformed to 'Never Claim' of PROMELA using XSPIN. Before verying this claim, Leave All Process which performs garbage collection periodically was removed from the model. Considering the above requirement 'as soon as possible', we should not depend on it at rst. Also LLC Service was modied so as not to lose packets 'on the wire' because it is obvious there are cases that violates the claim without the modication. (Queue overows modeling buer overows of receivers are still possible) SPIN found a violation of the claim but it's in an unrealistic senario. The senario: Applicant1 retrieves messages from the queue so late and causes message losses.(the senario is presented in Appendix B of this paper as a exapmle of Sequence Message Chart.) Increase the number of messages which the queues from LLC Service Process can buer. (1!3) SPIN proved there is no violation of the temporal claim with high coverage (hash factor = 64.2). 8

5 Conclusion It has been proved with SPIN that GARP is free from incorrectness such as unspecied reception, deadlocks, and unreached codes. Besides it was also proved there is no violation of a temporal claim for membership consistency. SPIN was found to be very powerful and easy to use without much knowledge of the formal verication. GARP was well modeled in PROMELA though it depends heavily on timers and multicasting which are not directly supported by PROMELA. GARP is designed to be used in a multi-segment bridged LAN though this paper veried the single-segment LAN model. Therefore the future work is to very a multi-segment LAN model. Moreover the protocol is being changed signicantly. So it is also necessary to very the new version of GARP. Acknowledgments I wish to thank Professor David Cheriton of Stanford University who let me work on the protocol. I am grateful to G.J.Holzmann and other contributers to SPIN who made my rst experience of the formal verication a pleasant one. References (1) IEEE P802.1p Standard for Local and Metropolitan Area Networks - Supplement to Media Access Control (MAC) Bridges: Trac Class Expediting and Dynamic Multicast Filtering (Draft4), September 1996 (2) D.R.Cheriton, S.E.Deering, and K.J.Duda, Ethernet Group Membership Protocol (EGMP) Draft RFC, October 1995 (3) G.J.Holzmann, Design and Validation of Computer Protocols, Prentice Hall, 1991 (4) G.J.Holzmann, Basic Spin Manual, Technical Report, AT&T, Bell Laboratories, 1994 (5) G.J.Holzmann, What's new in SPIN Version 2.0, Technical Report, AT&T, Bell Laboratories, August 1996 (6) H.E.Jensen, K.G.Larsen, and A.Skou, Modeling and Analysis of a Collision 9

Avoidance Protocol using SPIN and UPPAL, In Proceedings of SPIN96 (7) P.Kars, Formal Methods group, Experience using Spin and Promela in the Design of a Storm Surge Barrier control System, In Proceedings of SPIN95 A GARP Model in PROMELA ------------ for the Basic Model ----------------------- * PROMELA Validation Model * GARP(Global Denitions) #dene N_APL 2 number of applicants #dene N_RGS 1 number of registrar #dene N_LVAL 1 number of leaveall #dene true 1 #dene false 0 #dene out 1 #dene lanx 2 #dene in 3 #dene vanx 4 #dene out_reg 1 #dene awt_rjin 2 #dene lv_imm 3 #dene in_reg 4 mtype = { reqjoin, reqleave, join, leave, leaveall chan user_to_appl[n_apl] = [0] of { byte ; chan appl_to_llc[n_apl] = [0] of { byte ; chan llc_to_appl[n_apl] = [1] of { byte ; chan regist_to_llc[n_rgs] = [0] of { byte ; chan llc_to_regist[n_rgs] = [1] of { byte ; 10

chan leaveall_to_llc[n_lval] = [0] of { byte ; chan llc_to_leaveall[n_lval] = [1] of { byte ; byte r_state; * PROMELA Validation Model * GARP(main) #include "denes" #include "macuser" #include "macuser1" #include "llc" #include "applicant" #include "registrar" #include "leaveall" init { atomic { run macuser(0); run macuser1(1); run llc(); run applicant(0); run applicant(1); run registrar(0); run leaveallpro(0) * PROMELA Validation Model * GARP(MAC Service User) proctype macuser(byte n) { do :: user_to_appl[n]!reqjoin :: user_to_appl[n]!reqleave :: break od 11

* PROMELA Validation Model * GARP(MAC Service User 1) proctype macuser1(byte n) { :: user_to_appl[n]!reqjoin :: user_to_appl[n]!reqleave :: skip * PROMELA Validation Model * GARP(LLC Service) proctype llc() { byte type; endidle: do :: atomic { appl_to_llc[0]?type -> :: llc_to_appl[1]!type; llc_to_regist[0]!type :: llc_to_appl[1]!type :: llc_to_regist[0]!type :: skip lose message :: atomic { appl_to_llc[1]?type -> :: llc_to_appl[0]!type; llc_to_regist[0]!type :: llc_to_appl[0]!type :: llc_to_regist[0]!type :: skip lose message 12

:: atomic { regist_to_llc[0]?type -> :: llc_to_appl[0]!type; llc_to_appl[1]!type :: llc_to_appl[0]!type :: llc_to_appl[1]!type :: skip lose message :: atomic { leaveall_to_llc[0]?type -> :: llc_to_appl[0]!type; llc_to_appl[1]!type :: llc_to_appl[0]!type :: llc_to_appl[1]!type :: skip lose message od * PROMELLA Validation Model * GARP(Applicant) proctype applicant(byte n) { bool jointimer; byte type, state; state = out; endidle: do :: user_to_appl[n]?type -> event from macuser :: (type == reqjoin) -> :: (state == out) -> jointimer = true; appl_to_llc[n]!join; state = lanx :: (state == lanx) ignore :: (state == in) ignore 13

:: (state == vanx) ignore :: else -> assert(0) protocol violation :: (type == reqleave) -> :: (state == out) ignore :: (state == lanx) -> jointimer = false; appl_to_llc[n]!leave; state = out :: (state == in) -> appl_to_llc[n]!leave; state = out :: (state == vanx) -> jointimer = false; appl_to_llc[n]!leave; state = out :: else -> assert(0) protocol violation :: else ignore :: llc_to_appl[n]?type-> event from llc :: (type == join) -> :: (state == out) ignore :: (state == lanx) -> jointimer = false; state = in :: (state == in) ignore :: (state == vanx) -> jointimer = true; state = lanx :: else -> assert(0) protocol violation :: (type == leave) (type == leaveall) -> :: (state == out) ignore :: (state == lanx) -> jointimer = true; state = vanx :: (state == in) -> jointimer =true; 14

state = vanx :: (state == vanx) -> jointimer = true; :: else -> assert(0) protocol violation :: else ignore :: empty(user_to_appl[n]) && empty(llc_to_appl[n]) && (jointimer == true) -> jointimer expired :: (state == lanx) -> jointimer = false; appl_to_llc[n]!join; state = in :: (state == vanx) -> jointimer = false; appl_to_llc[n]!join; state = in :: else -> assert(0) protocol violation od * PROMELLA Validation Model * GARP(Registrar) proctype registrar(byte n) { bool leavetimer, member_exist; byte type; r_state = out_reg; endidle: do :: llc_to_regist[n]?type -> event from llc :: (type == join) -> :: (r_state == out_reg) -> member_exist = true; 15

r_state = in_reg :: (r_state == awt_rjin) -> leavetimer = false; r_state = in_reg :: (r_state == lv_imm) -> leavetimer = false; r_state = in_reg :: (r_state == in_reg) ignore :: else -> assert(0) protocol violation :: (type == leave) (type == leaveall) -> :: (r_state == out_reg) ignore :: (r_state == awt_rjin) -> leavetimer = true :: (r_state == lv_imm) -> leavetimer = true :: (r_state == in_reg) -> leavetimer = true; r_state = awt_rjin :: else -> assert(0) protocol violation :: else ignore :: empty(llc_to_regist[n]) && (leavetimer == true) -> leavetimer expired :: (r_state == awt_rjin) -> regist_to_llc[n]!leave; r_state = lv_imm :: (r_state == lv_imm) -> leavetimer = false; member_exist = false; r_state = out_reg :: else -> assert(0) protocol violation od * PROMELLA Validation Model * GARP(Leave All) 16

proctype leaveallpro(byte n) { bool leavealltimer; byte type, state; leavealltimer = true; leavealltimer on do :: llc_to_leaveall[n]?type ignore :: empty(llc_to_leaveall[n]) && (leavealltimer == true) -> leavealltimer expired leaveall_to_llc[n]!leaveall od ------------ for the temporal claim ----------------------- * PROMELA Validation Model * GARP(main) #include "denes" #include "macuser1" #include "macuser2" #include "llcnoloss" #include "applicant" #include "registrar" #include "leaveall" byte pid; init { atomic { pid =(run macuser1(0)); run macuser2(1); run applicant(0); run applicant(1); run llcnoloss(); run registrar(0); 17

* Formula As Typed: [](p-><>([]q)) * The Never Claim Below Corresponds * To The Negated Formula!([](p-><>([]q))) * (formalizing violations of the original) #dene p (macuser1[pid]@user1_end) #dene q (r_state!= out_reg) never {!([](p-><>([]q))) T0_init: :: (1) -> goto T0_init :: ((p)) -> goto T0_S3 :: (! ((q)) && (p)) -> goto accept_s3 ; accept_s3: :: (1) -> goto T0_S3 ; T0_S3: :: (1) -> goto T0_S3 :: (! ((q))) -> goto accept_s3 ; accept_all: skip * PROMELA Validation Model * GARP(MAC Service User1) proctype macuser1(byte n) { atomic { user_to_appl[n]!reqjoin; user1_end: skip 18

* PROMELA Validation Model * GARP(MAC Service User2) proctype macuser2(byte n) { :: user_to_appl[n]!reqjoin :: user_to_appl[n]!reqleave :: skip ; :: user_to_appl[n]!reqjoin :: user_to_appl[n]!reqleave :: skip * PROMELA Validation Model * GARP(LLC Service no loss) proctype llcnoloss() { byte type; endidle: do :: appl_to_llc[0]?type -> llc_to_appl[1]!type; llc_to_regist[0]!type :: appl_to_llc[1]?type -> llc_to_appl[0]!type; llc_to_regist[0]!type :: regist_to_llc[0]?type -> llc_to_appl[0]!type; llc_to_appl[1]!type od B Exapmle of Message Sequence Chart 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback