Post on 19-Mar-2019
4. File Transfer Protocol
Jean-Raymond Abrial
2009
Purpose of this Lecture 1
- To introduce another example: the file transfer protocol
- To present a number of additional mathematical conventions
- To slighly enlarge the usage of the Proof Obligation Rules
- Example studied in many places, in particular in the following book
- L. Lamport Specifying Systems: The TLA+ Language and Tools
for Hardware and Software Engineers Addison-Wesley 1999
1
An Example: File Transfer Protocol 2
- A file is to be transfered from a Sender to a Receiver
- On the Sender’s side the file is called f
- On the Receiver’s side the file is called g
- At the beginning of the protocol, g is supposed to be empty
- At the end of the protocol, g should be equal to f
2
Requirement Document 3
The protocol ensures the copy of a file fromone site to another one FUN-1
The file is supposed to be made of a sequenceof items FUN-2
The file is send piece by piece betweenthe two sites FUN-3
3
Modeling Approach 4
- Our approach at modeling is one of an external observer
- The observer “sees” the state space first from very far away
- He then approaches the future system and sees more details
- As he approaches he also sees more things happening
4
Development Approach 5
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
5
The Sender and the Receiver: a First View 6
a
b
c
RECEIVER
g
a
b
c
f
SENDER
a
b
c
RECEIVER
g
f
SENDER
INITIAL SITUATION FINAL SITUATION
6
File transfer. The constant part of the state: n and f 7
1
n
a
f
b
c
7
The Initial State 8
carrier sets: D
constants: n, f
axm0 1: n ∈ N
axm0 2: 0 < n
axm0 3: f ∈ 1 .. n → D
variables: g inv0 1: g ∈ N ↔ D
- The carrier set D makes this development generic
8
Reminder of Mathematical Conventions (1) 9
x ∈ S set membership operator
N set of natural numbers: {0, 1, 2, 3, . . .}
a .. binterval from a to b: {a, a + 1, . . . , b}
(empty when b < a)
a 7→ b pair constructing operator
S × T Cartesian product operator
S ⊆ T set inclusion operator
P(S) power set operator
9
Reminder of Mathematical Conventions (2) 10
S ↔ T set of binary relations from S to T
S → T set of total functions from S to T
S 7→ T set of partial functions from S to T
dom(r) domain of a relation r
ran(r) range of a relation r
10
A Binary Relation r from a Set A to a Set B 11
A B
a3a2
a6a7
b1
b3
b4
b5
b6
b2
a5
a1
a4
r
11
A Partial Function F from a Set A to a Set B 12
A B
a3a2
a6
a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
F = {a1 7→ b2, a3 7→ b4, a5 7→ b2, a7 7→ b6}
dom (F ) = {a1, a3, a5, a7}
ran (F ) = {b2, b4, b6}
12
A Total Function F from a Set A to a Set B 13
A B
a3a2
a6
a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
dom (F ) = A
13
File Transfer Protocol Initial Events 14
initg :∈ N ↔ D
finalwhen
g = fthen
skipend
- An anticipated event will be updated later and made convergent
progressstatus
anticipatedthen
g :∈ N ↔ Dend
14
Development Approach 15
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
15
First Refinement 16
- The observer comes closer to the future system
- So far he was just seeing the beginning and the end
- Now the observer will see some intermediate moves
- He sees the file being gradually transfered from Sender to Receiver
- But he still has a partial view
16
What the Observer has Seen so far 17
init
final
17
What the Observer will now See 18
init
receive
receive
receive
init
final
final
A new event is introduced: receive
18
File transfer. Event receive 19
b
a
b
c
f
n
1r
a
b
c
b
a
f
n
1
rc
b
a
f
a
r
n
1
c
b
a
f
a
r
c
n
1
receive receive receive
g g g g
- The new variable r lies within the interval 1 .. n + 1
- The variable g is equal to f restricted to its r − 1 first values
19
First Refinement of the Protocol Model: the State 20
- Introducing additional variable r
variables: g, rinv1 1: r ∈ 1 .. n + 1
inv1 2: g = (1 .. r − 1) � f
- g is defined to be the domain restriction of f to 1 .. r − 1
20
More Mathematical Conventions: Restrictions 21
s � r domain restriction operator
s �− r domain subtraction operator
r � t range restriction operator
r �− t range subtraction operator
21
The Domain Restriction Operator 22
A B
a3a2
a6
a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
{a3, a7} � F
22
The Domain Subtraction Operator 23
A B
a3a2
a6a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
{a3, a7} �− F
23
The Range Restriction Operator 24
A B
a3a2
a6a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
F � {b2, b4}
24
The Range Subtraction Operator 25
A B
a3a2
a6a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
F �− {b2}
25
The Events 26
initg := ∅r := 1
receiverefines
progressrefines
convergentwhen
r ≤ nthen
h := h ∪ {r 7→ f(r)}r := r + 1
end
finalwhen
r = n + 1then
skipend
- The variant is decreased by the convergent event
variant1: n + 1 − r
26
Development Approach 27
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
27
What the Observer could see of the Initial Model 28
init
final
28
What the Observer could see of first Refinement 29
init
receive
receive
receive
init
final
final
29
What the Observer will now See 30
init
receive
receive
receive
init
send
send
send
receive
receive
receive
init
final
final
final
30
A More Accurate Version (1) 31
a
b
c
RECEIVER
a
r
SENDER RECEIVER
s
r
send
s a
31
A More Accurate Version (2) 32
a
b
c
a
b
c
SENDER RECEIVER
a
s
SENDER RECEIVER
receive
s
r
r
32
Initial Situation 33
a
b
c
f
d
r
n
s
g
33
Send 34
a
b
c c
b
a
f f
s
n
d d
a
r r
n
s
g g
34
Receive 35
a
b
c c c
b b
aa
f f f
s
n
s
n
d d d
a a
r
r
ar
n
s
g g g
35
Send 36
a
b
c c c
b b
aa
f f f
s
n
s
n
d d d
a a
r
r
a
f
a
b
csn
d
b
a
r
r
n
s
g g g g
36
Receive 37
a
b
c c
b
a
f f
d d
b
a
r
a
b
b
r
n sn s
g g
37
Send 38
a
b
c c c
b b
aa
f f f
n
d d d
c
a
b
a
r
a
b
b
r
n s
r
b
s
n s
g g g
38
Receive 39
a
b
c c c
b b
aa
f f f
n
d d d
c
a
f
a
b
c
d
a
b
a
r
a
b
b
r
n s
r
b
n
s
b
c
r
c
s
n s
g g g g
39
Sender and Receiver 40
Data Channel
Ack. Channel
ReceiverSender
s, d
r
40
Second Refinement: the State 41
- We introduce an additional variable s, and a data item d
carrier sets: D
constants: n, f, d0
variables: g, r, s, d
inv2 1: s ∈ 1 .. n + 1
inv2 2: s ∈ r .. r + 1
inv2 3: d ∈ D
inv2 4: s = r + 1 ⇒ d = f(r)
axm2 1: d0 ∈ D
41
Second Refinement: the Events 42
initg := ∅s := 1r := 1d := d0
sendwhen
s = rs 6= n + 1
thend, s := f(s), s + 1
end
receivewhen
s = r + 1then
h := h ∪ {r 7→ d}r := r + 1
end
finalwhen
r = n + 1then
skipend
42
Development Approach 43
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
43
Some Ideas for a Third Refinement? 44
sendwhen
s = rs 6= n + 1
thend := f(s)s := s + 1
end
receivewhen
s = r + 1then
g := g ∪ {r 7→ d}r := r + 1
end
inv2 2: s ∈ r .. r + 1
44
Third Refinement: Sending Parities (1) 45
a
b
c
RECEIVER
a
r
SENDER RECEIVER
s
r
send
parity(s) a
45
Third Refinement: Sending Parities (2) 46
a
b
c
a
b
c
SENDER RECEIVER
a
s
SENDER RECEIVER
receive
s
r
parity(r)
46
About Parities 47
axm3 1: parity ∈ N → {0, 1}
axm3 2: parity(0) = 0
axm3 3: ∀ x · ( x ∈ N ⇒ parity(x + 1) = 1 − parity(x) )
thm3 1: ∀ x, y ·
x ∈ Ny ∈ Nx ∈ y .. y + 1parity(x) = parity(y)
⇒x = y
47
Third Refinement: the State 48
carrier sets: D
constants: n, f, parity
variables: g, s, r, d, p, q
inv3 1: p = parity(s)
inv3 2: q = parity(r)
axm3 1: parity ∈ N → {0, 1}
axm3 2: parity(0) = 0
axm3 3: ∀ x ·
x ∈ N⇒parity(x + 1) = 1 − parity(x)
48
Third Refinement: the Events 49
initg := ∅s := 1r := 1p := 1q := 1d := d0
finalwhen
r = n + 1then
skipend
sendwhen
p = qs 6= n + 1
thend := f(s)s := s + 1p := 1 − p
end
receivewhen
p 6= qthen
g := g ∪ {r 7→ d}r := r + 1q := 1 − q
end
49
What we Have Learned in this Lecture 50
- More mathematical conventions
- How to write a model
- What kind of things we have to prove
- How the proof can help finding invariants
- Many things can be done by tools
- A small theory of parities
50
Gradual Observation of the Intended System 51
init
receive
receive
receive
init
send
send
send
receive
receive
receive
init
final
final
final
51
Reminder of Mathematical Conventions (1) 52
x ∈ S Set membership operator
N set of Natural Numbers: {0, 1, 2, 3, . . .}
a .. bInterval from a to b: {a, a + 1, . . . , b}
(empty when b < a)
a 7→ b pair constructing operator
S × T Cartesian product operator
S ⊆ T set inclusion operator
P(S) power set operator
52
Reminder of Mathematical Conventions (2) 53
S ↔ T Set of binary relations from S to T
S → T Set of total functions from S to T
S 7→ T Set of partial functions from S to T
dom(r) Domain of a relation r
ran(r) Range of a relation r
53
Reminder of Mathematical Conventions (3) 54
s � r domain restriction operator
s �− r domain subtraction operator
r � t range restriction operator
r �− t range subtraction operator
54
A Binary Relation r from a Set A to a Set B 55
A B
a3a2
a6a7
b1
b3
b4
b5
b6
b2
a5
a1
a4
r
55
A Partial Function F from a Set A to a Set B 56
A B
a3a2
a6
a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
F = {a1 7→ b2, a3 7→ b4, a5 7→ b2, a7 7→ b6}
dom (F ) = {a1, a3, a5, a7}
ran (F ) = {b2, b4, b6}
56
A Total Function F from a Set A to a Set B 57
A B
a3a2
a6
a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
dom (F ) = A
57
The Domain Restriction Operator 58
A B
a3a2
a6
a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
{a3, a7} � F
58
The Domain Subtraction Operator 59
A B
a3a2
a6a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
{a3, a7} �− F
59
The Range Restriction Operator 60
A B
a3a2
a6a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
F � {b2, b4}
60
The Range Subtraction Operator 61
A B
a3a2
a6a7
b1
F
b3
b4
b5
b6
b2
a5
a1
a4
F �− {b2}
61
Structure of a Model 62
- List of Carrier Sets (identifiers)
- List of Constants (identifiers)
- List of Axioms (predicates built on sets and constants)
- List of Variables (identifiers)
- List of Invariants (predicates built on sets, constants, and variables)
- List of Events
62