Principles of Protocol Design. MVP10 plan. What is a protocol? Typical SPIN applications. The three parts of a protocol description

Similar documents
Principles of Protocol Design MVP 10A 1


The SPIN Model Checker

The Spin Model Checker : Part I. Moonzoo Kim KAIST

MP 6 Modeling in Promela and SPIN

The Spin Model Checker : Part I/II

Patrick Trentin Formal Methods Lab Class, March 03, 2017

A Tutorial on Model Checker SPIN

CS477 Formal Software Development Methods / 32

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

The Design of a Distributed Model Checking Algorithm for Spin

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Design of Internet Protocols:

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

Lecture 3 SPIN and Promela

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

A PROTOCOL VALIDATOR 13

SPIN: Introduction and Examples

Computer Aided Verification 2015 The SPIN model checker

CS477 Formal Software Development Methods / 39

A Practical approach on Model checking with Modex and Spin

The SPIN Model Checker

LTL Reasoning: How It Works

Using Spin to Help Teach Concurrent Programming

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

INF5140: Specification and Verification of Parallel Systems

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Logical Consistency Validation Tools for Distributed Systems

Process groups and message ordering

On Nested Depth First Search

Model-Checking Concurrent Systems

Formal Specification and Verification

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Network Protocol Design and Evaluation

Revision 6: Red text Incorporate comments from January 5, 2004 conference call. Minor wording changes.

Outline. EEC-484/584 Computer Networks. Data Link Layer Design Issues. Framing. Lecture 6. Wenbing Zhao Review.

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Enhancement of Feedback Congestion Control Mechanisms by Deploying Active Congestion Control

T Parallel and Distributed Systems (4 ECTS)

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Tool demonstration: Spin

Communication Networks

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:

Logic Model Checking

Network Protocol Design and Evaluation

Design and Analysis of Distributed Interacting Systems

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

HSF-SPIN User Manual

Formal Methods for Software Development

The flow of data must not be allowed to overwhelm the receiver

Automated Reasoning. Model Checking with SPIN (II)

1 INTRODUCTION. Time Oriented Protocol Testing Simulator

Beginner s SPIN Tutorial

Software Engineering using Formal Methods

Applicant. LLC Service. LAN Segment

Spin: Overview of PROMELA

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

The learning objectives of this chapter are the followings. At the end of this chapter, you shall

Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. Link Layer. Fundamentals of Communication Networks

SPIN, PETERSON AND BAKERY LOCKS

3. Data Link Layer 3-2

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

Logic Model Checking

file:///c:/users/hpguo/dropbox/website/teaching/fall 2017/CS4470/H...

Formal Verification by Model Checking

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

Introduction to Model Checking

COM-208: Computer Networks - Homework 3

CS510 Advanced Topics in Concurrency. Jonathan Walpole

DLL: Flow Control DLL. Simplex. Fast sender / slow receiver scenario. Various protocols used. Simplified examples implemented in C.

TCP over Wireless PROF. MICHAEL TSAI 2016/6/3

COMPUTER NETWORK. Homework #2. Due Date: April 12, 2017 in class

12 January r1 SAS2: ST_TTS retransmitted DATA frames

10.1 REVIEW QUESTIONS

Formal Modeling for Persistence Checking of Signal Transition Graph Specification with Promela

MINIX 3 Process Analysis

User Datagram Protocol

QUIZ: Longest Matching Prefix

Model Checking with Automata An Overview

Question 1 (6 points) Compare circuit-switching and packet-switching networks based on the following criteria:

Lecture 20 Overview. Last Lecture. This Lecture. Next Lecture. Transport Control Protocol (1) Transport Control Protocol (2) Source: chapters 23, 24

Introduction to Networking. Operating Systems In Depth XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

UNIT IV -- TRANSPORT LAYER

Chapter 3: Transport Layer. Chapter 3 Transport Layer. Chapter 3 outline. Transport services and protocols

Approaches to Building Parallel Machines. Shared Memory Architectures. Example Cache Coherence Problem. Shared Cache Architectures

No book chapter for this topic! Slides are posted online as usual Homework: Will be posted online Due 12/6

Announcements. No book chapter for this topic! Slides are posted online as usual Homework: Will be posted online Due 12/6

SPIN. Carla Ferreira.

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

TCP = Transmission Control Protocol Connection-oriented protocol Provides a reliable unicast end-to-end byte stream over an unreliable internetwork.

The SpaceWire Transport Protocol. Stuart Mills, Steve Parkes University of Dundee. International SpaceWire Seminar 5 th November 2003

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking

Answers to Sample Questions on Transport Layer

C08a: Data Link Protocols

Tutorial: Design and Validation of Protocols

Model Requirements and JAVA Programs MVP 2 1

Flow control: Ensuring the source sending frames does not overflow the receiver

Transcription:

Principles of Protocol Design MVP10 plan Protocol design principles with examples: Lynch s protocol Tanenbaum protocol 2 Tanenbaum protocol 4 Mutual exclusion in a distributed environment: Lamports algorithm 1 2 Typical SPIN applications Network protocols Embedded systems Control systems What is a protocol? In general: A set of rules for (go) behaviour. In computer systems: A set of rules for component interaction in a distributed system. 3 4 The three parts of a protocol description Protocol semantics: Service description Environment assumptions (Typical problem: incompleteness. Formalisation helps.) Protocol syntax: Message vocabulary (protocol commands) Message format and cing Protocol rules for message exchange (Typical problem: inconsistency and incompleteness. Mels and mel analysis helps.) 5 General Design Guidelines General guidelines.. Build prototype mel and very Validate through testing: Apply mel to identy interesting cases Draw external stimuli from MSC s 6 1

Example: Lynch s protocol Semantics (service & environment): A user may request a file to be transferred and wait for completion The transmission channel is full duplex and error prone No data may be lost. Data may not be reordered. Syntax (vocabulary & cing): V = ack,nack,err Frame = struct messagev;data: Lynch s protocol (rules) 1. If data are correctly d, then ack with next message. 2. If error in data, then nack with next message. 3. If nack or err is d, then re old data (with ack or nack ). 4. Timeout is treated as err (convenient addition). V data 8 7 Lynch protocol (diagram) Ain Aout AtoB1 A BtoA2 AtoB2 B BtoA1 Bout 9 Bin Lynch protocol (mel) mtype = ack, nak, err, next, accept proctype transfer(chan in, out, chin, chout) in?next(o); :: chin?nak (i) -> out!accept(i); chout!ack (o) :: chin?ack (i) -> out!accept(i); in?next(o); chout!ack (o) :: chin?err(i) -> chout!nak (o) :: timeout -> chout!nak (o) proctypebuggy_chan(chan chin,chout) mtype mt; message m; :: chin?mt(m) -> chout!mt(m) :: chin?mt(m) -> chout!err(m) :: chin?mt(m) -> skip 10 Lynch protocol (mel continued) proctype (chan out) :: out!next(0) proctype(chan in) message i; :: in?accept(i) Correct? chan Ain = [2] of mtype, message; chan Aout = [2] of mtype, message; chan Bin = [2] of mtype, message; chan Bout = [2] of mtype, message; chan AtoB1 = [1] of mtype, message; chan AtoB2 = [1] of mtype, message; chan BtoA1 = [1] of mtype, message; chan BtoA2 = [1] of mtype, message; atomic run (Ain); run (Aout); run (Bin); run (Bout); run buggy_ chan (AtoB1,AtoB2); run buggy_ chan (BtoA1,BtoA2); run transfer(ain, Aout, BtoA2, AtoB1); run transfer(bin, Bout, AtoB2, BtoA1) 11 Lynch protocol (mel continued) proctype (chan out) :: out!next(0) -> out!next(1) proctype(chan in) message i,j; :: in?accept(i); in?accept(j); assert(i!= j) Validate lynchnew (depth=50) chan Ain = [2] of mtype, message; chan Aout = [2] of mtype, message; chan Bin = [2] of mtype, message; chan Bout = [2] of mtype, message; chan AtoB1 = [1] of mtype, message; chan AtoB2 = [1] of mtype, message; chan BtoA1 = [1] of mtype, message; chan BtoA2 = [1] of mtype, message; atomic run (Ain); run (Aout); run (Bin); run (Bout); run buggy_ chan (AtoB1,AtoB2); run buggy_ chan (BtoA1,BtoA2); run transfer(ain, Aout, BtoA2, AtoB1); run transfer(bin, Bout, AtoB2, BtoA1) 12 2

Example: Tanenbaums protocol 2 Semantics (service & environment): The protocol must offer an acknowledged connectionoriented service. The connection is simplex (one-way). The transmission channel is full duplex and error prone No data may be lost. Data may not be reordered. Syntax (vocabulary & cing): V = ack,data Frame = struct messagev;data: Tanenbaums protocol 2 (rules) 1. Receiver protocol unit: If data are correctly d, then ack to er (and deliver data to the receiving user). 2. Sender protocol unit: If ack is d, then get the next frame from the ing user, and transmit it to the r via the channel. 3. Sender protocol unit: Retransmit the current frame at timeout. V data 14 13 Tanenbaum 2 protocol (diagram) Ain A BtoA2 AtoB1 AtoB2 B BtoA1 Bout 15 Tanenbaum 2 mel mtype = ack,data, next, accept proctype er2(chan in, chin, chout) :: in?next(o); chout!data(o); :: chin?ack (i); break :: timeout -> chout!data(o) proctypebuggy_chan(chan chin,chout) mtype mt; message m; :: chin?mt(m) -> chout!mt(m) :: chin?mt(m) -> skip proctypereader2(chan out, chin, chout) :: chin?data(i) -> out!accept(i); chout!ack (o) 16 Tanenbaum protocol 2 (correctness check) proctype (chan out) :: out!next(0) -> out!next(1) proctype(chan in) message i,j; :: in?accept(i); in?accept(j); assert(i!= j) chan Ain = [2] of mtype, message; chan Bout = [2] of mtype, message; chan AtoB1 = [1] of mtype, message; chan AtoB2 = [1] of mtype, message; chan BtoA1 = [1] of mtype, message; chan BtoA2 = [1] of mtype, message; atomic run (Ain); run (Bout); run buggy_ chan (AtoB1,AtoB2); run buggy_ chan (BtoA1,BtoA2); run er2(ain, BtoA2, AtoB1); run reader2(bout, AtoB2, BtoA1) 17 Verying data-independant protocols Question: How many dferent values must be sent via a data independent protocol in order to prove absence of loss and reordering? Answer (Wolper 85): 3 dferent values suffice! (More precisely: one more than the number of dferent values in the correctness formulation in our case two). 18 3

Revised Tanenbaum 2 mel mtype = ack,data, next, accept, white, red, blue proctype er2(chan in, chin, chout) :: in?next(o); chout!data(o); :: chin?ack (i); break :: timeout -> chout!data(o) proctypebuggy_chan(chan chin,chout) mtype mt; message m; :: chin?mt(m) -> chout!mt(m) :: chin?mt(m) -> skip proctypereader2(chan out, chin, chout) :: chin?data(i) -> out!accept(i); chout!ack (o) 19 Revised Tanenbaum 2 correctness check proctype (chan out) mtype sent=white; :: :: sent = white; out!next(sent) :: sent = red; out!next(sent); break ; :: sent = white; out!next(sent) :: sent = blue; out!next(sent); break Validate tan2 (depth=50) proctype(chan in) mtype rcvd = white; :: :: in?accept(rcvd); :: (rcvd==white) -> skip :: (rcvd==red) -> break :: (rcvd==blue) -> assert(0) fi ; :: in?accept(rcvd); :: (rcvd==white) -> skip :: (rcvd==red) -> assert(0) :: (rcvd==blue) -> break fi 20 Example: Tanenbaums protocol 4 Semantics (service & environment): The protocol must offer an acknowledged connectionoriented service. The connection is duplex (two-way). The transmission channel is full duplex and error prone No data may be lost. Data may not be reordered. Syntax (vocabulary & cing): V = ack Frame = struct messagev; s_seq; ack_no; data: Tanenbaums protocol 4 (rules) 1. Each entity maintains two 0/1 counters s_seq (next sequence number) and r_seq (expected sequence number from peer entity). 2. At timeout: re current output as (ack,s_seq,1-r_seq,data). 3. At (ack,s,a,data) from network: 1. Accept data s=r_seq and update r_seq. 2. Get next data item, a=s_seq and update s_seq. 4. Send current output as (ack,s_seq,1-r_seq,data). V s a data 22 21 Tanenbaum protocol 4 (diagram) Ain Aout A BtoA2 AtoB1 AtoB2 B BtoA1 Bout 23 Bin Tanenbaum protocol 4 mel mtype = ack, next, accept, white,red, blue proctype transfer(chan in, out, chin, chout) byte s_seq=0, r_ seq=0, s, r; in?next(o); chout!ack(s_seq,1-r_seq,o); :: chin?ack(s,r,i) -> :: s==r_ seq -> out!accept(i); r_seq = 1 -r_seq :: else skip fi; :: r==s_seq -> in?next(o); s_seq=1-s_seq :: else skip fi :: timeout -> chout!ack(s_seq,1-r_seq,o) :: chout!ack(s_seq,1-r_seq,o) 24 4

Validate smallnew Depth 10000, no endstates checked Tananbaum protocol 4 mel (correctness check) chan Ain = [0] of mtype, message; chan Aout = [0] of mtype, message; chan Bin = [0] of mtype, message; chan Bout = [0] of mtype, message; chanatob1 = [0] of mtype, byte,byte,byte; chanatob2 = [0] of mtype, byte,byte,byte; chanbtoa1 = [0] of mtype, byte,byte,byte; chanbtoa2 = [0] of mtype, byte,byte,byte; atomic run (Ain); run (Aout); run (Bin); run (Bout); run buggy_ chan(atob1,atob2); run buggy_ chan(btoa1,btoa2); run transfer(ain, Aout, BtoA2, AtoB1); 25 run transfer(bin, Bout, AtoB2, BtoA1) LTL verication of Tanenbaum 4 We want to very the order preservation property of the protocol. Illegal behaviour: No red frame is d before a blue frame. In LTL!rr U rb. We check that no execution contains this behaviour (very small-ltl) 26 Supertrace algorithm Supertrace algorithm The problem: Given M bytes of memory, how can we search the state space using precisely M bytes? Basic idea: Use the M bytes as a hash-table of investigated states. Allocate 1 bit per entry (actually 2 bits are used). Cut-off the search, when a hash conflict is met. cut-off 0 1 0 1 27 28 Supertrace coverage Example: buffered Tanenbaum 4 Hash factor: ratio between table size and the number of stored values (number of set bits). Empirical evidence: Hash factor close to 100 gives more than 99.9% coverage of state space. Hash factor > 10 gives more than 90% coverage of state space. Conclussions: All mel erros can be found. Correct mels can almost be veried 29 chan Ain = [0] of mtype, message; chan Aout = [0] of mtype, message; chan Bin = [0] of mtype, message; chan Bout = [0] of mtype, message; chanatob1 = [1] of mtype, byte,byte,byte; chanatob2 = [1] of mtype, byte,byte,byte; chanbtoa1 = [1] of mtype, byte,byte,byte; chanbtoa2 = [1] of mtype, byte,byte,byte; Validate medium4 (depth 100000, state space = 1000) 30 5

Result of supertrace analysis (Spin Version 3.4.12 -- 18 December 2001) + Partial Order Reduction Bit statespace search for: never-claim - (none specied) assertion violations + cycle checks - (disabled by -DSAFETY) invalid endstates - (disabled by -E flag) State-vector 156 byte, depth reached 93393, errors: 0 1.22816e+07 states, stored 1.08697e+07 states, matched 2.31513e+07 transitions (= stored+matched) 7 atomic steps hash factor: 10.9284 (expected coverage: >= 98% on avg.) (max size 2^27 states) Stats on memory usage (in Megabytes): 1965.050 equivalent memory usage for states (stored*(state-vector + overhead)) 33.554 memory used for hash-array (-w27) 2.800 memory used for DFS stack (-m100000) 36.969 total actual memory usage 31 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback