4. File Transfer Protocol - University of...

4. File Transfer Protocol

Jean-Raymond Abrial

2009

Purpose of this Lecture 1

- To introduce another example: the file transfer protocol

- To present a number of additional mathematical conventions

- To slighly enlarge the usage of the Proof Obligation Rules

- Example studied in many places, in particular in the following book

- L. Lamport Specifying Systems: The TLA+ Language and Tools

for Hardware and Software Engineers Addison-Wesley 1999

1

An Example: File Transfer Protocol 2

- A file is to be transfered from a Sender to a Receiver

- On the Sender’s side the file is called f

- On the Receiver’s side the file is called g

- At the beginning of the protocol, g is supposed to be empty

- At the end of the protocol, g should be equal to f

2

Requirement Document 3

The protocol ensures the copy of a file fromone site to another one FUN-1

The file is supposed to be made of a sequenceof items FUN-2

The file is send piece by piece betweenthe two sites FUN-3

3

Modeling Approach 4

- Our approach at modeling is one of an external observer

- The observer “sees” the state space first from very far away

- He then approaches the future system and sees more details

- As he approaches he also sees more things happening

4

Development Approach 5

- Initial model: The file is transmitted in one shot (FUN1 and FUN2)

- First refinement: The file is transmitted gradually (FUN3)

- Second refinement: The two agents are separated

- Third refinement: Towards an implementation

5

The Sender and the Receiver: a First View 6

a

b

c

RECEIVER

g

a

b

c

f

SENDER

a

b

c

RECEIVER

g

f

SENDER

INITIAL SITUATION FINAL SITUATION

6

File transfer. The constant part of the state: n and f 7

1

n

a

f

b

c

7

The Initial State 8

carrier sets: D

constants: n, f

axm0 1: n ∈ N

axm0 2: 0 < n

axm0 3: f ∈ 1 .. n → D

variables: g inv0 1: g ∈ N ↔ D

- The carrier set D makes this development generic

8

Reminder of Mathematical Conventions (1) 9

x ∈ S set membership operator

N set of natural numbers: {0, 1, 2, 3, . . .}

a .. binterval from a to b: {a, a + 1, . . . , b}

(empty when b < a)

a 7→ b pair constructing operator

S × T Cartesian product operator

S ⊆ T set inclusion operator

P(S) power set operator

9


S ↔ T set of binary relations from S to T

S → T set of total functions from S to T

S 7→ T set of partial functions from S to T

dom(r) domain of a relation r

ran(r) range of a relation r

10

A Binary Relation r from a Set A to a Set B 11

A B

a3a2

a6a7

b1

b3

b4

b5

b6

b2

a5

a1

a4

r

11

A Partial Function F from a Set A to a Set B 12

A B

a3a2

a6

a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

F = {a1 7→ b2, a3 7→ b4, a5 7→ b2, a7 7→ b6}

dom (F ) = {a1, a3, a5, a7}

ran (F ) = {b2, b4, b6}

12

A Total Function F from a Set A to a Set B 13

A B

a3a2

a6

a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

dom (F ) = A

13

File Transfer Protocol Initial Events 14

initg :∈ N ↔ D

finalwhen

g = fthen

skipend

- An anticipated event will be updated later and made convergent

progressstatus

anticipatedthen

g :∈ N ↔ Dend

14






15

First Refinement 16

- The observer comes closer to the future system

- So far he was just seeing the beginning and the end

- Now the observer will see some intermediate moves

- He sees the file being gradually transfered from Sender to Receiver

- But he still has a partial view

16

What the Observer has Seen so far 17

init

final

17

What the Observer will now See 18

init

receive

receive

receive

init

final

final

A new event is introduced: receive

18

File transfer. Event receive 19

b

a

b

c

f

n

1r

a

b

c

b

a

f

n

1

rc

b

a

f

a

r

n

1

c

b

a

f

a

r

c

n

1

receive receive receive

g g g g

- The new variable r lies within the interval 1 .. n + 1

- The variable g is equal to f restricted to its r − 1 first values

19

First Refinement of the Protocol Model: the State 20

- Introducing additional variable r

variables: g, rinv1 1: r ∈ 1 .. n + 1

inv1 2: g = (1 .. r − 1) � f

- g is defined to be the domain restriction of f to 1 .. r − 1

20

More Mathematical Conventions: Restrictions 21

s � r domain restriction operator

s �− r domain subtraction operator

r � t range restriction operator

r �− t range subtraction operator

21

The Domain Restriction Operator 22

A B

a3a2

a6

a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

{a3, a7} � F

22

The Domain Subtraction Operator 23

A B

a3a2

a6a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

{a3, a7} �− F

23

The Range Restriction Operator 24

A B

a3a2

a6a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

F � {b2, b4}

24

The Range Subtraction Operator 25

A B

a3a2

a6a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

F �− {b2}

25

The Events 26

initg := ∅r := 1

receiverefines

progressrefines

convergentwhen

r ≤ nthen

h := h ∪ {r 7→ f(r)}r := r + 1

end

finalwhen

r = n + 1then

skipend

- The variant is decreased by the convergent event

variant1: n + 1 − r

26






27

What the Observer could see of the Initial Model 28

init

final

28

What the Observer could see of first Refinement 29

init

receive

receive

receive

init

final

final

29

What the Observer will now See 30

init

receive

receive

receive

init

send

send

send

receive

receive

receive

init

final

final

final

30

A More Accurate Version (1) 31

a

b

c

RECEIVER

a

r

SENDER RECEIVER

s

r

send

s a

31

A More Accurate Version (2) 32

a

b

c

a

b

c

SENDER RECEIVER

a

s

SENDER RECEIVER

receive

s

r

r

32

Initial Situation 33

a

b

c

f

d

r

n

s

g

33

Send 34

a

b

c c

b

a

f f

s

n

d d

a

r r

n

s

g g

34

Receive 35

a

b

c c c

b b

aa

f f f

s

n

s

n

d d d

a a

r

r

ar

n

s

g g g

35

Send 36

a

b

c c c

b b

aa

f f f

s

n

s

n

d d d

a a

r

r

a

f

a

b

csn

d

b

a

r

r

n

s

g g g g

36

Receive 37

a

b

c c

b

a

f f

d d

b

a

r

a

b

b

r

n sn s

g g

37

Send 38

a

b

c c c

b b

aa

f f f

n

d d d

c

a

b

a

r

a

b

b

r

n s

r

b

s

n s

g g g

38

Receive 39

a

b

c c c

b b

aa

f f f

n

d d d

c

a

f

a

b

c

d

a

b

a

r

a

b

b

r

n s

r

b

n

s

b

c

r

c

s

n s

g g g g

39

Sender and Receiver 40

Data Channel

Ack. Channel

ReceiverSender

s, d

r

40

Second Refinement: the State 41

- We introduce an additional variable s, and a data item d

carrier sets: D

constants: n, f, d0

variables: g, r, s, d

inv2 1: s ∈ 1 .. n + 1

inv2 2: s ∈ r .. r + 1

inv2 3: d ∈ D

inv2 4: s = r + 1 ⇒ d = f(r)

axm2 1: d0 ∈ D

41

Second Refinement: the Events 42

initg := ∅s := 1r := 1d := d0

sendwhen

s = rs 6= n + 1

thend, s := f(s), s + 1

end

receivewhen

s = r + 1then

h := h ∪ {r 7→ d}r := r + 1

end

finalwhen

r = n + 1then

skipend

42






43

Some Ideas for a Third Refinement? 44

sendwhen

s = rs 6= n + 1

thend := f(s)s := s + 1

end

receivewhen

s = r + 1then

g := g ∪ {r 7→ d}r := r + 1

end

inv2 2: s ∈ r .. r + 1

44

Third Refinement: Sending Parities (1) 45

a

b

c

RECEIVER

a

r

SENDER RECEIVER

s

r

send

parity(s) a

45

Third Refinement: Sending Parities (2) 46

a

b

c

a

b

c

SENDER RECEIVER

a

s

SENDER RECEIVER

receive

s

r

parity(r)

46

About Parities 47

axm3 1: parity ∈ N → {0, 1}

axm3 2: parity(0) = 0

axm3 3: ∀ x · ( x ∈ N ⇒ parity(x + 1) = 1 − parity(x) )

thm3 1: ∀ x, y ·

x ∈ Ny ∈ Nx ∈ y .. y + 1parity(x) = parity(y)

⇒x = y

47

Third Refinement: the State 48

carrier sets: D

constants: n, f, parity

variables: g, s, r, d, p, q

inv3 1: p = parity(s)

inv3 2: q = parity(r)

axm3 1: parity ∈ N → {0, 1}

axm3 2: parity(0) = 0

axm3 3: ∀ x ·

x ∈ N⇒parity(x + 1) = 1 − parity(x)

48

Third Refinement: the Events 49

initg := ∅s := 1r := 1p := 1q := 1d := d0

finalwhen

r = n + 1then

skipend

sendwhen

p = qs 6= n + 1

thend := f(s)s := s + 1p := 1 − p

end

receivewhen

p 6= qthen

g := g ∪ {r 7→ d}r := r + 1q := 1 − q

end

49

What we Have Learned in this Lecture 50

- More mathematical conventions

- How to write a model

- What kind of things we have to prove

- How the proof can help finding invariants

- Many things can be done by tools

- A small theory of parities

50

Gradual Observation of the Intended System 51

init

receive

receive

receive

init

send

send

send

receive

receive

receive

init

final

final

final

51


x ∈ S Set membership operator

N set of Natural Numbers: {0, 1, 2, 3, . . .}

a .. bInterval from a to b: {a, a + 1, . . . , b}

(empty when b < a)

a 7→ b pair constructing operator

S × T Cartesian product operator

S ⊆ T set inclusion operator

P(S) power set operator

52


S ↔ T Set of binary relations from S to T

S → T Set of total functions from S to T

S 7→ T Set of partial functions from S to T

dom(r) Domain of a relation r

ran(r) Range of a relation r

53


s � r domain restriction operator

s �− r domain subtraction operator

r � t range restriction operator

r �− t range subtraction operator

54

A Binary Relation r from a Set A to a Set B 55

A B

a3a2

a6a7

b1

b3

b4

b5

b6

b2

a5

a1

a4

r

55

A Partial Function F from a Set A to a Set B 56

A B

a3a2

a6

a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

F = {a1 7→ b2, a3 7→ b4, a5 7→ b2, a7 7→ b6}

dom (F ) = {a1, a3, a5, a7}

ran (F ) = {b2, b4, b6}

56

A Total Function F from a Set A to a Set B 57

A B

a3a2

a6

a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

dom (F ) = A

57

The Domain Restriction Operator 58

A B

a3a2

a6

a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

{a3, a7} � F

58

The Domain Subtraction Operator 59

A B

a3a2

a6a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

{a3, a7} �− F

59

The Range Restriction Operator 60

A B

a3a2

a6a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

F � {b2, b4}

60

The Range Subtraction Operator 61

A B

a3a2

a6a7

b1

F

b3

b4

b5

b6

b2

a5

a1

a4

F �− {b2}

61

Structure of a Model 62

- List of Carrier Sets (identifiers)

- List of Constants (identifiers)

- List of Axioms (predicates built on sets and constants)

- List of Variables (identifiers)

- List of Invariants (predicates built on sets, constants, and variables)

- List of Events

62

4. File Transfer Protocol - University of...

Documents

Transcript of 4. File Transfer Protocol - University of...