Continued advances in microelectronics have allowed hardware designers to build devices of remarkable size and complexity. With increasing size and complexity, however, it becomes increasingly difficult to ensure that these devices are free of design errors. Exhaustive simulation of even moderately-sized circuits is impossible, and partial simulation offers only partial assurance of correctness.

This is an especially serious problem in safety-critical applications, where failure due to design errors may cause loss of life or extensive damage. In these applications, functional errors in circuit designs cannot be tolerated. But even where safety is not the primary consideration, there may be important economic reasons for doing everything possible to eliminate design errors, and to eliminate them early in the design process. A flawed design may mean costly and time-consuming refabrication, and mass-produced devices may have to be recalled and replaced.

A solution to these problems is one of the goals of formal methods for verification of the correctness of hardware designs—sometimes just called hardware verification. With this approach, the behaviour of hardware devices is described mathematically, and formal proof is used to verify that they meet rigorous specifications of intended behaviour. The proofs can be very large and complex, so mechanized theorem-proving tools are often used to construct them.

Considerable progress has been made in this area in the past few years.

The notion of abstraction plays a central role in making formal proof an effective method for dealing with the problem of hardware correctness. This chapter explains how two important types of abstraction—which will be referred to as abstraction within a model of hardware behaviour and abstraction between models of hardware behaviour—can be expressed in higher order logic.

Abstraction within a model has to do with the way in which the correctness of individual designs is formulated. With the approach to hardware verification introduced in the previous chapter, correctness is stated by a proposition which asserts that some relationship of ‘satisfaction’ holds between the model of a circuit design and a specification of its intended behaviour. This relationship must, in general, be one of abstraction—it must relate a detailed model of an actual design to a more abstract specification of required behaviour. Sections 4.1–4.6 show how this notion of correctness as an abstraction relationship can be formalized in logic and incorporated into the method of hardware verification already introduced.

The second type of abstraction, called abstraction between models, is discussed in section 4.7. Here the concern is not with the correctness of individual designs, but with the relationship between two different collections of specifications for the primitive components used in all designs. One such collection can be an abstraction of another in the sense that it presents a more abstract view of the same primitive components.

This chapter describes the basic techniques for using higher order logic to specify hardware behaviour and to prove the correctness of hardware designs.

The advantages of higher order logic as a formalism for hardware verification are discussed by Gordon in [45] and by Hanna and Daeche in [57, 58]. Higher order logic makes available the results of general mathematics, and this allows one to construct any mathematical tools needed for the verification task in hand. Its expressive power permits hardware behaviour to be described directly in logic; a specialized hardware description language is not needed. In the formulation used here, new constants and types can be introduced by purely definitional means. This allows special-purpose notation for hardware verification to be introduced without the danger associated with postulating ad hoc axioms. In addition, the inference rules of the logic provide a secure basis for proofs of correctness; a specialized deductive calculus for reasoning about hardware behaviour is not required.

Although higher order logic has all these pragmatic advantages, to say that it is the only feasible formalism for hardware verification would be an exaggeration. Some other approaches axe briefly discussed at the end of this chapter. Furthermore, higher order logic does not make traditional hardware description languages (HDLs) obsolete. A major problem with these languages is that they usually lack a formal semantics, which precludes using them to reason about hardware behaviour.

INTRODUCTION

This case study is a formal description of a protocol for a local area network, using the specification language PSF.

One approach to local networking is the ring network. Although various types of rings have been proposed and built, we will study one of the more popular organizations, the token ring network. In such a network, a token circulates around the ring, which can be captured by one of the components. The component guarding the token is allowed to transmit a message.

The protocol specified in this paper is based on the token ring described in [IEEE85b] as an IEEE standard. This description is given partly in informal, natural language and drawings, and partly by means of state transition systems. The intention of this chapter is to apply a Formal Description Technique in order to give a formal specification of the protocol. In contrast to the protocols in the previous chapters, we try to provide a specification, that resembles an existing standard as much as possible.

TOKEN RING NETWORK, AN INTRODUCTION

A ring consists of a collection of ring interfaces connected by point-to-point links that form a circle, as shown in Figure 7.1. Point-to-point links involve a well-understood and field-proven technology. Due to the sequential ordering of the stations attached to a ring, a ring-based protocol is in general fair in the sense that each station eventually will get control of the ring. In a token ring, each station has a known upper bound on channel access. The ring network standardized in [IEEE85b] is called a token ring and in this section we will take a closer look on what this is.

INTRODUCTION

The Amoeba Distributed Operating System uses a Transaction Protocol for the communication between different processes running under the supervision of the Operating System. A transaction is a basic form of information exchange between two processes, consisting of a request followed by a reply. Contrary to a Connection Oriented Protocol a Transaction Protocol does not establish a permanent (logical) connection between two communicating processes. For each transaction a connection is built up. As soon as the transaction is finished the connection is broken. The choice of a Transaction Protocol in favour of a Connection Oriented Protocol is based on the observation that in a distributed operating system most communications within a network do not imply massive data transport during a long time. As a result the overhead costs of building up and maintaining a permanent connection between two processes will be (too) high.

In the Amoeba Operating System transactions take place between a Client process and a Server process. A Client process sends a request to the network. This request can be answered by a Server process with a reply. In order to increase the performance and the fault tolerance of the operating system several Server processes may provide the same service. When a specific Server crashes or is temporarily busy another one can take over its task.

As in all communication protocols, acknowledgements are needed for reliable communications. In the Amoeba Transaction Protocol, abbreviated to ATP in the sequel, an acknowledgement message from Client to Server is used to report the reception of a reply. The reply itself serves as an acknowledgement of the reception of a request.

AIM AND SCOPE

An important reason why formal description techniques are not appreciated as widely as wished by the developers of such techniques, is that people who actually design and implement software have relatively little knowledge of formal methods. The acceptance of formal techniques not only depends on the existence of techniques that are easy to understand and easy to use, but also on the training of potential users. This implies that there is a need for text books and case-studies. We think that a collection of formal specifications in a restricted area of application may help to get a better understanding of the use of formal techniques. Although the method we use is well suited for formal verification, we concentrate on the act of specification. A first requirement for a formal correctness proof is a formal specification.

We restrict ourselves in this book to a collection of specifications concerning one application area, the field of communication protocols. Although this seems to be an area with a relatively high acceptance of formal techniques, most of the protocols that are actually in use are specified in natural language, if ever specified otherwise than by the actual implementation. Even well-known and accepted standards, such as the token ring protocol, do not have a rigorous formal definition. Informal specifications in this area may lead to misinterpretations and, thus, to different implementations that will not be able to work together. Formal techniques are especially needed for communication protocol design, since these protocols describe distributed systems which have a high degree of non-determinism.

INTRODUCTION

Sliding Window Protocols are used to provide reliable data communication between two computers in a network environment. A Sliding Window Protocol is connection oriented: a logical connection between the computers is established before data are transferred. Establishing a connection is not part of a Sliding Window Protocol. The connection is supposed to be a point-to-point connection without an intermediate network station. Sliding Window Protocols are situated in the Data Link Layer of the ISO OSI layer model.

In Tanenbaum ([Tan89]) three Sliding Window Protocols are presented. In this chapter a formal specification of these protocols is given. In the remainder of this section we give a general and informal description of a Sliding Window Protocol. In sections 4.2 to 4.4 the different Sliding Window Protocols are introduced and specified in PSF. The communication between Host processes and a Sliding Window Protocol is specified in section 4.5.

GENERAL DESCRIPTION OF A SLIDING WINDOW PROTOCOL

A Sliding Window Protocol (SWP) manages the communication on a point-to-point connection between two computers in a network at the Data Link Layer level in the OSI terminology. A SWP is a full-duplex protocol. This means that data can be transmitted simultaneously from station <I>A to station <I>B and vice versa. On both sides a SWP process is active, taking care of correct transmission. A SWP process contains a sending and a receiving part, managing outgoing and incoming data respectively. As we shall see in the sequel, these parts are not fully separated.

The specifications in this book are the result of a number of case studies performed by researchers from the Programming Research Group at the University of Amsterdam. The primary goal was to study the use of the techniques developed by the Programming Research Group for the specification of real-life protocols. From the pool of available case studies we made a selection that focuses on communication protocols, which we present in an order well suited for use in education. We hope that this book provides a first step towards a methodology for the design of communication protocols using PSF.

The following people have contributed to this book: Jacob Brunekreef, Henrik Jacobsson, Sjouke Mauw, Gert Veltink and Jos van Wamel.

Other people have helped in initiating and creating this book. The editors would like to express their gratitude for their help in various ways to Jan Bergstra, Jacob Brunekreef, Bob Diertens, Casper Dik, Hans Kamps, Hans Mulder and Jos van Wamel.

INTRODUCTION

In this chapter we will focus on the specification language used throughout this book: PSF (Process Specification Formalism). We will discuss the mathematical origins of PSF as well as its syntax and semantics. The language itself will be clarified by using a running example, which gets more complicated as new language features are introduced. Apart from giving specifications in PSF we will also describe the implementations that make up the so-called PSF-Toolkit, such as the term rewriting system and the simulator.

The PSF-Toolkit also embodies a collection of frequently used specifications in the form of the PSF standard library. In this chapter we will explain which modules are part of the library and how they can be used. A full listing of the relevant modules from the PSF standard library can be found in Appendix A.

ACP

Before we turn our attention to PSF, we will give some information on ACP (Algebra of Communicating Processes). ACP is the theoretical foundation for the process part of PSF, and deserves some explanation as such.

The development of ACP was started in 1982 by J.A. Bergstra and J.W. Klop, at the Centre for Mathematics and Computer Science in Amsterdam. Compared with other concurrency theories like CCS, CSP and Petri Nets, ACP is most closely allied to CCS. The main difference between ACP and the other approaches is the way in which the semantics is treated.

Most formalisms, like CCS, CSP and Petri Nets are based on one specific model of concurrency. ACP, however, is a theory based on algebraic methods. The theory is defined by a set of axioms.

INTRODUCTION

In this chapter specifications of three simple protocols are given in the formalism of PSF. The main goal is to make the reader familiar with the way the formal description technique PSF can be used for the specification of communication protocols. For this reason we specify protocols which are, in technical terms, not hard to understand.

The communication protocols specified in this chapter are the Alternating Bit Protocol (ABP), the Positive Acknowledgement with Retransmission Protocol (PAR-Protocol), and the Concurrent Alternating Bit Protocol (CABP), which is a more complicated version of the ABP.

The three protocols have in common that they follow a simplex scheme, which means that there is only one sender and one receiver and that the data flows in one direction. Moreover, the protocols handle just one data element at a time. These two restrictions make the protocols behave externally as one-element buffers.

The simple protocols considered have an interesting history in the theories of concurrency. Many different specifications and verifications can be found in the literature. Our specifications of the simple protocols are based on existing specifications in ACP that were made for mathematical analysis.

The ABP as specified in this chapter has been verified algebraically in the formalism of ACP. The PAR-Protocol has also been specified and verified by means of ACP but a special operator was needed to specify some restrictions on the communication between the timer process and the sender process: the priority operator. We present a version without priorities which is very similar to this specification. This is because priorities cannot be specified in PSF.

SIGNALS

When describing the behaviour of a real-time process, we may wish to include instantaneous observable events that are not synchronisations. These signals may make it easier to describe and analyse certain aspects of behaviour, providing useful reference points in a history of the system. For example, an audible bell might form part of the user interface to a telephone network, even though the bell may ring without the cooperation of the user. This is incompatible with our existing view of communication.

In some cases, suitable environmental assumptions will allow us to describe such behaviour within the existing timed failures model. However, if we intend that these signals should be used to trigger other events or behaviours, then we must extend our semantic model to include an element of broadcast communication: some output events may occur without the cooperation of the environment.

In our model, signal events will occur as soon as they become available, and will propagate through parallel combination. A process may ignore any signal â performed by another process, unless it is waiting to perform the corresponding synchronisation a. If this is the case, then both â and a will occur. Of these, only the signal will be observed outside the parallel combination; it makes no sense to propagate a synchronisation.