
Case study

Protocol converter validation through deductive inference: a case study

Subir Das, P. Dhar*

Department of Electronics and Electrical Engineering, Indian Institute of Technology, Kharagpur 721-302, India

Received 25 October 1996; accepted 28 October 1997

Abstract

To ensure the correctness of any algorithm or procedure which generates a protocol converter, one may follow different approaches to protocol validation. This paper describes protocol validation through deductive inference, which is based on a list of statements of properties, a set of axioms, and rules for inferring the statements from the axioms. As an example, we have chosen the protocol converter generated by the protocol complementation approach (Das, S. PhD thesis, Indian Institute of Technology, 1996; Das and Dhar, Computer Communications, 1997). © 1998 Elsevier Science B.V.

Keywords: Protocol converter; Protocol validation; Specification

1. Introduction

A communication system functions properly and can be implemented faithfully only when its communication protocols are specified unambiguously. In other words, the most important requirement is that the protocols be shown to be correct. Verification or validation [1] is the process of showing the correctness of a protocol, and the two terms are often used interchangeably. According to Sunshine [2], protocol verification is a demonstration that the interactions of the communicating entities, based on their protocol specification and the specification of the services provided by the layer below, satisfy the service specification, whereas protocol validation refers to the more limited analysis that the protocol specification satisfies a number of general correctness properties that are essential to all, or nearly all, protocols. The general correctness properties include completeness, freedom from deadlock, freedom from livelock, absence of tempo-blocking loops, freedom from channel overflow, freedom from unspecified receptions and termination [1].

The approaches to protocol validation depend heavily on the models used for specification. There are mainly two ways to ensure the correctness of protocol behaviour: (i) reachability analysis and (ii) deductive inference (or program proofs). The former is based on exhaustively exploring all possible interactions of the communicating protocol entities within a layer [3–6], whereas the latter is based on a list of statements of properties, e.g. safety and liveness (progress) properties, and a list of axioms and rules for inferring the statements from the axioms [7–9].

Reachability analysis was first proposed by West et al. [10,11] and later improved by a number of researchers [3,12,13]. It analyzes the reachability of the various global states generated by perturbing the initial global state. The global state of the protocol system is specified by a joint description of the states of the CFSMs and of the queues. If $G$ denotes the set of all possible global states and $g_0$ the initial global state, the portion of the graph that is reachable from $g_0$ is referred to as the reachability graph or reachability tree. Reachability analysis constructs this graph by successively exploring all reachable global states from the initial global state. However, the construction of the reachability tree often encounters the state explosion problem, in which the size of the global state graph grows exponentially with the protocol complexity, although several researchers [14,15] have proposed reduced reachability analysis to overcome it. In fact, for complex protocols, this technique becomes too complicated for a complete generation and examination of all reachable global states [1].

Deductive inference is, however, free from the state explosion problem because it reasons over a list of statements of properties rather than over the global state graph. Safety properties describe what a system is allowed to do and liveness properties describe what it must do [9]. This motivates us to examine a protocol converter generated by the complementation approach [9,16–18] through several properties and theorems.

Computer Communications 21 (1998) 686–692

0140-3664/98/$19.00 © 1998 Elsevier Science B.V. All rights reserved. PII S0140-3664(98)00118-2

* Corresponding author.


The rest of this paper is organized as follows. Section 2 presents some basic definitions and the design methodology in brief, while Section 3 describes several properties and their basis. Section 4 gives different theorems along with their proofs and Section 5 concludes the paper.

2. Definitions

This section presents formal definitions of some basic terms in protocol converter research and the converter design methodology [9,17] for the completeness of the paper.

2.1. Model of protocol

A protocol $P\langle P_1, P_2, \ldots, P_N\rangle$ is a quadruple

$\langle S_i,\; M^{(+/-)}_{ij},\; \delta_{ij},\; q_i\rangle, \qquad i, j \in [1, N],$

where $N$ is a positive integer which represents the number of processes; $S_i$ is a nonempty finite set, the set of states of process $i$; $M_{ij}$ is the finite set of messages that can be sent from process $i$ to process $j$, with $M_{ii}$ empty for all $i$; $\delta_{ij}$ is a partial function mapping, for each $i$ and $j$,

$\delta_{ij}: S_i \times M^{(+/-)}_{ij} \to S_i \quad \text{and} \quad \delta_{ij}: S_i \times M^{(+/-)}_{ji} \to S_i;$

and $q_i$ is the initial state of process $i$. $\delta(S, \pm X)$ is the state entered after a process transmits or receives message $X$ in state $S$. The prefix '$+$' means receiving a message and '$-$' means sending a message. $S_i$ always refers to a state of process $i$, i.e. to a member of its state set. Similarly $X_{ij}$ refers to a member of $M_{ij}$, i.e. a message that can be sent from process $i$ to process $j$.

Consider the example protocol $P\langle P_1, P_2\rangle$ of Fig. 1, in which $N = 2$, $S = \{0, 1, 2\}$, $i = 1$, $j = 2$, $M = \{X_3, X_1, X_2\}$, $\delta(0, -X_3) = 1$, $\delta(1, +X_1) = 2$, $\delta(0, +X_3) = 1$, and so on, with $q_i = 0$. The function $\delta_{ij}$ is defined only for six argument pairs, because there are six arcs in the example. Undefined $\delta_{ij}$ values include $\delta(0, +X_1)$ and, over the message sequence $+X_2\,{+}X_1$, $\delta(1, +X_2\,{+}X_1)$.

The transition function $\delta$ can be extended to a sequence $X$ of messages in the usual way; namely,

$\delta(S, \varepsilon) = S,$

where $\varepsilon$ denotes the empty sequence, and

$\delta(S, XY) = \delta(\delta(S, X), Y),$

where $X$ is a message and $Y$ a message sequence. The set of message sequences, or paths, can then be defined as $\mathrm{Path}(P) = \{\, Y \mid \delta(q_0, Y) \text{ is defined}\,\}$, where $q_0$ is the initial state.

2.1.1. Global state

A global state ($G$) of a protocol $P = \langle P_1, P_2, \ldots, P_N\rangle$ is defined by the list of the states of each CFSM and the current message content of each channel. It is represented by $G = \langle S, C\rangle$, where $S$ is an $N$-tuple of states $\langle S_1, S_2, \ldots, S_N\rangle$ and $C$ is an $N^2$-tuple $\langle C_{11}, C_{12}, \ldots, C_{1N}, C_{21}, \ldots, C_{NN}\rangle$, each $C_{ij}$ being a sequence of messages from $M_{ij}$. A global state transition $\delta_g(G, X) = G'$ is a partial function from (global state set $\times$ message set) to the global state set, where $X \in M_i$. A global state $G'$ is said to follow $G$ over $X$, denoted $G \xrightarrow{X} G'$, if the following conditions are satisfied:

• if $X$ is a sent message, then $X$ is appended to the queue $C_{ij}$ and CFSM $F_i$ changes its state by $\delta_i(S_i, -X)$, or

• if $X$ is a received message, then $X$, at the head of the queue $C_{ji}$, is removed and CFSM $F_i$ changes its state by $\delta_i(S_i, +X)$,

• otherwise CFSM $F_i$ changes its state by $\delta_i(S_i, X)$.

The transition function $\delta_g$ may be extended in the usual way:

$\delta_g(G, \varepsilon) = G,$

where $\varepsilon$ denotes the empty sequence, and

$\delta_g(G, XY) = \delta_g(\delta_g(G, X), Y),$

where $X$ and $Y$ have their usual meaning. A global message sequence or path can also be defined as follows:

$\mathrm{Gpath}(P) = \{\, Y \mid \delta_g(\bar{q}_0, Y) \text{ is defined}\,\},$

where $\bar{q}_0$ is the initial global state.

2.1.2. Executable transition

A transition at state $S$ for event $\varphi$ is executable if there exists a reachable global state $\langle\langle S_1, S_2, \ldots, S_N\rangle, \langle C_{12}, \ldots, C_{ij}, \ldots\rangle\rangle$ with $S = S_i$ or $S = S_j$ and, if $\varphi$ is a receive transition $+X$, $C_{ij} = XY$ for some sequence $Y$.

2.1.3. Deadlock free

A deadlock state is a stable global state $G = \langle S, \varepsilon\rangle = \langle\langle S_1, S_2, \ldots, S_N\rangle, \langle \varepsilon_1, \varepsilon_2, \ldots, \varepsilon_N\rangle\rangle$ of protocol $P$, where $S_1, S_2, \ldots, S_N$ are states of the CFSMs $P_1, P_2, \ldots, P_N$ of protocol $P$ and $\varepsilon$ represents an empty channel. So if the queues between two CFSMs are both empty and neither of the two CFSMs can send a message to the other after reaching global state $G$, the global state is called a deadlock state. If no reachable global state of $P$ is a deadlock state, the protocol is said to be deadlock free.

Fig. 1. Examples of protocols.

2.1.4. Unspecified reception

A reception of a message $X$ at state $S$ is called an unspecified reception if there exists a reachable global state $\langle\langle S_1, S_2, \ldots, S_N\rangle, \langle C_{12}, \ldots, C_{ij}, \ldots\rangle\rangle$ with $S = S_j$ and $C_{ij} = XY$ for some sequence $Y$, such that both $\delta(S_j, +X)$ and $\delta(S_j, -Y)$ are unspecified for any message $Y$, $\forall\, i, j$, $i \ne j$; that is, the receiving process $j$ can neither accept the message at the head of its input queue nor send anything. A protocol $P$ is said to be unspecified reception free if every reachable global state of $P$ is unspecified reception free.

2.1.5. Livelock free

A global state $G = \langle S, C\rangle$ of a protocol is a livelock state if it is neither a deadlock state nor an unspecified reception state, and neither of the two CFSMs can receive a message even though the queues between the two CFSMs are both empty, so that the protocol keeps cycling without making progress (cf. Theorem 4). If no reachable global state of $P$ is a livelock state, the protocol is said to be livelock free.

2.1.6. Trace

A trace $t$ is a sequence of zero or more messages in a CFSM $F$ along a finite path beginning at the initial state. A trace represents a possible behaviour of a CFSM, i.e. basically an executable sequence of events of $F$. A trace consisting of zero messages or events is called the null trace $\varepsilon$. An event is a trace of only one element. The set of all traces of a CFSM $F$ is denoted by $T$, where $T \subseteq M^{*}$ and $M^{*}$ is the set of finite sequences over the message set. A trace may be either simple or composite, depending on whether the elements of the trace are from the same CFSM or from two CFSMs. A trace constructed from the event set of a single CFSM ($F$) is called a simple trace. A composite trace $t_c$ for a product machine ($F_1 \times F_2$) is a finite non-null sequence of traces from the two trace sets, i.e. from $M^{p}_1$ and $M^{p}_2$.
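As an added illustration of the definitions in Section 2.1 (example code written for this page, not code from the paper or its authors), the following Python model encodes a two-process protocol as CFSMs, extends $\delta$ to message sequences as above, enumerates the reachable global states of Section 2.1.1 by breadth-first search, and flags deadlock states (2.1.3) and unspecified receptions (2.1.4) exactly as those definitions state them. The three protocols are constructed for the example: the first is consistent with the six arcs quoted from Fig. 1, the second reverses the order of P2's replies, and the third has every local state carrying an outgoing transition while its initial global state is already a deadlock. The channel capacity `bound` is an assumption of the model, added so that exploration of the FIFO channels is finite.

```python
"""CFSM protocol model and global-state reachability (constructed example).
Events follow Section 2.1: ("-", j, X) sends X to process j, ("+", j, X) receives
X sent by process j.  Channel C[i][j] is a FIFO queue."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, int, str]                                  # ("+"/"-", peer, message)
Delta = Dict[int, Dict[int, List[Tuple[Event, int]]]]         # process -> state -> [(event, next)]
Global = Tuple[Tuple[int, ...], Tuple[Tuple[str, ...], ...]]  # (local states, channel contents)


class Protocol:
    def __init__(self, delta: Delta, init: Tuple[int, ...], bound: int = 4) -> None:
        self.delta, self.init, self.n = delta, init, len(init)
        self.bound = bound  # assumed channel capacity: keeps the FIFO state space finite

    def _chan(self, i: int, j: int) -> int:
        return i * self.n + j  # index of C[i][j] in the N^2-tuple of channels

    def delta_star(self, i: int, s: int, seq: List[Event]) -> Optional[int]:
        """delta extended to a sequence: delta(S, eps) = S, delta(S, XY) = delta(delta(S, X), Y)."""
        for ev in seq:
            nxt = [n for e, n in self.delta[i].get(s, []) if e == ev]
            if not nxt:
                return None  # delta is partial: undefined for this sequence
            s = nxt[0]
        return s

    def step(self, g: Global):
        """Yield every (X, G') with G -> X -> G' (Section 2.1.1)."""
        states, chans = g
        for i in range(self.n):
            for (kind, j, msg), nxt in self.delta[i].get(states[i], []):
                c = list(chans)
                if kind == "-":  # send: append to C[i][j] unless the bound is reached
                    k = self._chan(i, j)
                    if len(c[k]) >= self.bound:
                        continue
                    c[k] = c[k] + (msg,)
                else:  # receive: msg must be at the head of C[j][i]
                    k = self._chan(j, i)
                    if not c[k] or c[k][0] != msg:
                        continue
                    c[k] = c[k][1:]
                s = list(states)
                s[i] = nxt
                yield (kind, j, msg), (tuple(s), tuple(c))

    def reachable(self) -> set:  # breadth-first construction of the reachability graph
        g0: Global = (self.init, tuple(() for _ in range(self.n * self.n)))
        seen, todo = {g0}, deque([g0])
        while todo:
            for _, g2 in self.step(todo.popleft()):
                if g2 not in seen:
                    seen.add(g2)
                    todo.append(g2)
        return seen

    def is_deadlock(self, g: Global) -> bool:
        """2.1.3: every channel empty and no process has a send transition."""
        states, chans = g
        return not any(chans) and not any(
            kind == "-" for i in range(self.n) for (kind, _, _), _ in self.delta[i].get(states[i], []))

    def unspecified_receptions(self, g: Global) -> List[Tuple[int, int, str]]:
        """2.1.4: X heads C[j][i] while process i can neither receive X nor send anything."""
        states, chans = g
        found = []
        for i in range(self.n):
            arcs = self.delta[i].get(states[i], [])
            if any(kind == "-" for (kind, _, _), _ in arcs):
                continue
            for j in range(self.n):
                q = chans[self._chan(j, i)]
                if q and not any(k == "+" and p == j and m == q[0] for (k, p, m), _ in arcs):
                    found.append((i, j, q[0]))
        return found

    def validate(self) -> Dict[str, object]:
        reach = self.reachable()
        return {"states": len(reach),
                "deadlocks": sorted(g for g in reach if self.is_deadlock(g)),
                "unspecified": sorted(u for g in reach for u in self.unspecified_receptions(g))}


# Constructed protocol consistent with the arcs quoted from Fig. 1: P1 sends X3,
# P2 replies X1 then X2, and both return to state 0 (six arcs in total).
GOOD = Protocol({
    0: {0: [(("-", 1, "X3"), 1)], 1: [(("+", 1, "X1"), 2)], 2: [(("+", 1, "X2"), 0)]},
    1: {0: [(("+", 0, "X3"), 1)], 1: [(("-", 0, "X1"), 2)], 2: [(("-", 0, "X2"), 0)]},
}, init=(0, 0))

# Variant: P2 sends X2 before X1, so P1 in state 1 waits for X1 with X2 at the head.
BAD_ORDER = Protocol({
    0: GOOD.delta[0],
    1: {0: [(("+", 0, "X3"), 1)], 1: [(("-", 0, "X2"), 2)], 2: [(("-", 0, "X1"), 0)]},
}, init=(0, 0))

# Variant: each side waits for the other to speak first.  Every local state has an
# outgoing transition, yet the initial global state already satisfies 2.1.3.
WAIT_WAIT = Protocol({
    0: {0: [(("+", 1, "X1"), 1)], 1: [(("-", 1, "X3"), 0)]},
    1: {0: [(("+", 0, "X3"), 1)], 1: [(("-", 0, "X1"), 0)]},
}, init=(0, 0))
```

Calling `GOOD.validate()` explores seven global states and reports neither deadlocks nor unspecified receptions; `BAD_ORDER.validate()` reports the head message X2 that P1 cannot accept in state 1; `WAIT_WAIT.validate()` reports the initial global state as a deadlock. The last case is why both checks are evaluated over reachable global states rather than over one CFSM's transition graph: each local state there does have an outgoing transition, but it is a reception that can never fire.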

2.2. Design methodology

The gateway design through protocol complementation is performed in a number of steps, known as complementation rules [9]. The rules are simple and easy to apply to the state transition graphs of the given protocol CFSMs, since they have been described through different algorithms. If CFSM specifications of two protocols $P\langle P_s, P_r\rangle$ and $Q\langle Q_s, Q_r\rangle$ are given, then the construction of the converter takes place in the following steps:

1. Analysis of the given protocols to find out the translation rules, i.e. the syntax and semantics of the protocols.

2. Construction of CFSMs for protocol complementation and finally of the converter for the given protocols, performed using the algorithm Complementation. It uses three high level algorithms. They are:

• Construction of complemented CFSMs using algorithm Complement. It uses another algorithm called Project.

• Construction of the protocol for the new virtual layer, and hence the converter, from the complemented machines using algorithm Combine.

• Verification of the converter for error free communication using algorithm Test.

Therefore, the complementation process makes use of analysis of the protocols and of algorithm Complementation. The Complementation algorithm uses three other algorithms, Complement, Combine and Test, as stated earlier. The first task is to analyze the given protocols. By analysis we mean the derivation of message relationships; in a nutshell, we call it the syntax and semantics of the protocols. Emphasis is given to finding the related significant messages which implement the common functions. Functionally similar types of messages may be put into a set called the matched pair set.

The algorithm Complement is applied after obtaining the correct semantic specifications. It uses the algorithm Project to derive the complemented CFSMs for $P_r$ and $Q_s$. The algorithm Project first projects the related significant messages (i.e. traces) or transitions onto each other. This is followed by the projection of the remaining traces. From the set of allowed sequences of message exchanges the traces are constructed in FIFO order, so the domain of message sequences of the complemented machines is limited to the allowed message sets.

The algorithm Project starts from the initial state of a state space $D$, which is the union of the state spaces of the two given protocols, and traverses from one state to another. If the trace does not encounter a related message, it restarts from another state. If it fails after a few iterations, the protocols are declared to have a total hard mismatch. Once the projection is over, the semantics of the complemented protocols may also be constructed.

Algorithm Combine then constructs the composite state machine by combining the sets of allowed sequences from the two complemented machines. Similar states in the composite CFSM may be merged into a single state, which yields the refined composite CFSM. Once the refined CFSM is formed, algorithm Test verifies whether the converter is free from deadlocks, livelocks and unspecified receptions.

3. Properties

Property 1. It is given that protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are safe and cyclic. If there exist complemented machines $P_r'$ and $Q_s'$, then $P_r'$ and $Q_s'$ contain all the semantics of protocols $P$ and $Q$.


Basis. This is a safety property of algorithm Complement. Algorithm Complement constructs the complemented machines $P_r'$ and $Q_s'$ from the protocol CFSMs $P$ and $Q$. A partial transition function $\delta_D$ is defined as follows:

$\delta_D(S_{P_r'}, t_1) = S_i \text{ or } S_j \quad \text{iff} \quad \delta_{P_r}(S_{P_r}, t_1) = S_i \;\lor\; \delta_{Q_s}(S_{Q_s}, t_1) = S_j.$

Similarly,

$\delta_D(S_{Q_s'}, t_1) = S_j \text{ or } S_i \quad \text{iff} \quad \delta_{Q_s}(S_{Q_s}, t_1) = S_j \;\lor\; \delta_{P_r}(S_{P_r}, t_1) = S_i$

in $P_r$ and $Q_s$. Therefore, the complemented machines contain all the semantics without any sacrifice.

Property 2. It is given that protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are safe and cyclic. If there exist complemented machines $P_r'$ and $Q_s'$, then $P_r'$ and $Q_s'$ are semantically correct.

Basis. This is also a safety property of algorithm Complement and it follows directly from Property 1. The same can also be derived as follows: the protocols $P_r'$ and $Q_s'$ are semantically correct if

$T_{D, P_r} = T(P_r') \quad \text{and} \quad T_{D, Q_s} = T(Q_s'),$

where $T_{D, P_r}$ and $T_{D, Q_s}$ denote the sets of all allowed traces in $D$, and $T(P_r')$ and $T(Q_s')$ denote the sets of allowed traces in the complemented protocols.

Property 3. It is given that protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are safe and cyclic. If there exists a converter $R_{PQ}$ for protocol $Z = \langle P_s, R_{PQ}, Q_r\rangle$, then $R_{PQ}$ contains all the semantics of protocols $P$ and $Q$.

Basis. This is a safety property of algorithm Complementation. Algorithm Complementation constructs the composite machine $R_{PQ}$ from protocols $P$ and $Q$. A partial transition function is defined as follows:

$\delta_D(S_{R_{PQ}}, t_1) = S_k \quad \text{iff} \quad \delta_{P_r'}(S_{P_r'}, t_1) = S_k \;\land\; \delta_{Q_s'}(S_{Q_s'}, t_1) = S_k.$

So this definition ensures that every state in $P$ and $Q$ is considered and all outgoing transitions are fully defined. Therefore $R_{PQ}$ preserves the original sequence of transitions in $P$ and $Q$, because the projection by algorithm Complementation of any sequence of messages in $D$ onto $R_{PQ}$ contains the same relative sequence of messages as in $P_r'$ or $Q_s'$. Therefore, the composite machine contains all the semantics without any sacrifice.

Property 4. It is given that protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are safe and cyclic. If there exists a converter $R_{PQ}$ for protocol $Z = \langle P_s, R_{PQ}, Q_r\rangle$, then $R_{PQ}$ is semantically correct.

Basis. This is also a safety property of algorithm Complementation and it follows directly from Property 3. The same can be derived as follows. The protocol $R_{PQ}$ is semantically correct if

$T_{D, P_r'} = T(R_{PQ}) \quad \text{and} \quad T_{D, Q_s'} = T(R_{PQ}),$

where $T_{D, P_r'}$ and $T_{D, Q_s'}$ denote the sets of all allowed traces in $D$ obtained through projection onto $P_r$ and $Q_s$, and $T(R_{PQ})$ denotes the set of allowed traces in $R_{PQ}$.

Property 5. It is given that protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are safe and cyclic. If there exists a converter $R_{PQ}$ for protocol $Z = \langle P_s, R_{PQ}, Q_r\rangle$, then $R_{PQ}$ is safe, i.e. free from deadlocks, unspecified receptions and livelocks.

Basis. This is a progress property of algorithm Complementation. Let $P'$, $Q'$ and $R_{PQ}'$ (equivalently $Z'$) denote the conditions "$P$ is unsafe", "$Q$ is unsafe" and "$R_{PQ}$ is unsafe" for the protocols $P$, $Q$ and $R_{PQ}$, respectively. We show that $R_{PQ}' \Rightarrow P' \lor Q'$ for each of the unsafe conditions given below; by contraposition, if $P$ and $Q$ are both safe then $R_{PQ}$ is safe.

Unspecified receptions: Protocol $R_{PQ}$ has unspecified receptions only if $P$ or $Q$ or both have unspecified receptions. $R_{PQ}$ may have an unspecified reception in global state $G\langle S_i, S_k, S_j\rangle$ because there may exist a message $X_P$ at the head of the message queue between $P_s$ and $R_{PQ}$ (Fig. 2) which $R_{PQ}$ is not specified to receive, i.e. $\exists\, \delta_{R_{PQ}}(S_k, \pm X_Q)$ but $\nexists\, \delta_{R_{PQ}}(S_k, \pm X_P)$, $X_Q \in M_Q$, $X_P \in M_P$. This condition holds if $\nexists\, \delta_{P_r}(S_i, +X_P)$, which implies that $P$ is unsafe, i.e. $Z' \Rightarrow P'$. Symmetrically, for a message $X_Q$ at the head of the queue between $Q_r$ and $R_{PQ}$, $Z' \Rightarrow Q'$. Hence $Z' \Rightarrow P' \lor Q'$.

Livelocks: A livelock condition in global state $G\langle S_i, S_k, S_j\rangle$ means that only $P_s$ and $R_{PQ}$, or only $Q_r$ and $R_{PQ}$, have the progress property from state $S_k$ of $R_{PQ}$, with the channel between $R_{PQ}$ and $Q_r$, respectively between $P_s$ and $R_{PQ}$, empty (Fig. 2). So if $\nexists\, \delta_{R_{PQ}}(S_k, \pm X_P)$, $X_P \in M_P$, then there exists a livelock between $P_s$ and $R_{PQ}$. This condition holds if $\nexists\, \delta_{P_r}(S_i, \pm X_P)$, which implies that $P$ is unsafe, i.e. $R_{PQ}' \Rightarrow P'$; symmetrically, a livelock between $R_{PQ}$ and $Q_r$ gives $R_{PQ}' \Rightarrow Q'$. Hence $R_{PQ}' \Rightarrow P' \lor Q'$.

Deadlocks: A deadlock condition in global state $G\langle S_i, S_k, S_j\rangle$ means that all channels are empty and there exist no sends from any machine. So in $R_{PQ}$, if state $S_k$ is such that $\nexists\, \delta_{R_{PQ}}(S_k, \pm X_P)$, $X_P \in M_P$, and $\nexists\, \delta_{R_{PQ}}(S_k, \pm X_Q)$, $X_Q \in M_Q$, then there exists a deadlock in state $S_k$. This condition holds if $\nexists\, \delta_{P_r}(S_i, \pm X_P)$ and $\nexists\, \delta_{Q_s}(S_j, \pm X_Q)$, which implies that both $P$ and $Q$ are unsafe, i.e. $Z' \Rightarrow P' \land Q'$. Since $P' \land Q' \Rightarrow P' \lor Q'$, we have $R_{PQ}' \Rightarrow P' \lor Q'$.

Fig. 2. Protocol converter configuration.

Property 6. It is given that protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are safe and cyclic. If protocol $Z = \langle P_s, R_{PQ}, Q_r\rangle$ exists, then protocol $Z$ is cyclic.

Basis. This is also a progress property of algorithm Complementation. It follows directly from Property 3.

Property 7. It is given that protocols $P = \langle P_s, P_r\rangle$, $Q = \langle Q_s, Q_r\rangle$ and $Z = \langle P_s, R_{PQ}, Q_r\rangle$, where $R_{PQ}$ is a CFSM converter derived from protocol $H = \langle P_r' \cup Q_s'\rangle$. Then

(i) $T_{R_{PQ}} \subseteq T^{p}_{R_{PQ}} \subseteq T^{p}_H$;

(ii) $T_{R_{PQ}} = T_H \subseteq T^{p}_{R_{PQ}} \subseteq T^{p}_H$,

where $T_{R_{PQ}}$ is the set of all allowed message exchanges in CFSM $R_{PQ}$, $T^{p}_{R_{PQ}}$ is the set of all allowed messages or traces in CFSM $R_{PQ}$, $T_H$ is the set of all allowed message exchanges in CFSM $H$ and $T^{p}_H$ is the set of all allowed messages or traces in CFSM $H$.

Basis. The syntax of a protocol defines the set of allowed sequences of messages and the semantics defines the set of allowed message exchanges. So the relation $T_{R_{PQ}} \subseteq T^{p}_{R_{PQ}}$ follows directly from the definitions of syntax and semantics. Since $R_{PQ}$ is derived from $H$, $R_{PQ}$ is a subCFSM of $H$ (Theorem 2) and $T_{R_{PQ}} \subseteq T^{p}_H$ holds. So the first condition follows directly from the above definitions. Since all possible message sequences in $H$ are constructed from $T^{p}_H$ and the set of all allowed traces is combined to form $R_{PQ}$, it follows that $T_{R_{PQ}} = T_H \subseteq T^{p}_H$. Also $T_{R_{PQ}} \subseteq T^{p}_{R_{PQ}}$, i.e. the set of all allowed message exchanges is a subset of the allowed traces. So $T_{R_{PQ}} = T_H \subseteq T^{p}_{R_{PQ}} \subseteq T^{p}_H$, which proves the second condition.

Property 8. Algorithm Complementation terminates.

Basis. The termination of algorithms Complement, Combine and Test implies the termination of algorithm Complementation [9].

The termination of algorithm Complement follows from the termination of algorithm Project. Algorithm Project consists of a finite number of steps, each of which requires a finite number of operations to project the allowed messages onto the complemented CFSMs $P_r'$ and $Q_s'$, and it contains no unbounded loops, so it terminates.

Algorithm Combine constructs the composite state machine $R_{PQ}$ from the allowed sequences of messages of the complemented CFSMs $P_r'$ and $Q_s'$ produced by algorithm Project. It requires a finite number of steps because it constructs the state machine from a finite message set. Hence it terminates.

Algorithm Test consists of examining the states and transitions of machine $R_{PQ}$ for possible error conditions, i.e. unspecified receptions, deadlocks and livelocks. These three conditions are verified in the following manner.

To test for unspecified receptions, it first compares all states in $R_{PQ}$ and $H$ to detect receptions present in $H$ but not in $R_{PQ}$, i.e. missing receptions. This test terminates because its worst case complexity is of the order of $O(n_t)$, where $n_t$ is the number of transitions in $R_{PQ}$. Secondly, it examines possible self loops or cycles due only to messages of $M_P$ (respectively $M_Q$) with nonempty input channels. This also terminates because its complexity is of the order of $O(n_{P_r} + n_{Q_s})$, where $n_{P_r} + n_{Q_s}$ is the total number of transitions in protocols $P_r$ and $Q_s$. Finally, it examines states with no outgoing transitions and nonempty input channels, with complexity of the order of $O(|S_{R_{PQ}}|)$. Since all of the above require a finite number of operations, the test for unspecified receptions terminates.

The algorithm tests the deadlock condition by examining the states with no outgoing transitions and empty input queues. Since this requires a finite number of operations, $O(|S_{R_{PQ}}|)$, this test terminates.

To test for livelocks it examines all possible self loops or cycles with transitions due only to messages of $M_P$ or only to messages of $M_Q$ with empty queues. The worst case complexity is $O(n_{P_r} + n_{Q_s})$, where $n_{P_r} + n_{Q_s}$ is the total number of transitions in protocols $P_r$ and $Q_s$. Therefore this test also terminates.
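As an added example (written for this page; it is not the paper's own algorithm Test), the following Python implements the three structural checks that Property 8 attributes to Test and that Theorems 3, 4 and 5 state as their conditions (ii): receptions present in $H$ but missing from the same state of $R_{PQ}$, cycles whose transitions carry messages of one side only, and states with no outgoing transition. These are checks on the converter's own transition graph, which is why each runs in time linear in the number of states and transitions as claimed above. The union machine $H$, the two converters and the message sets $M_P$ and $M_Q$ are constructed for the example; states are assumed to carry the same names in $H$ and $R_{PQ}$, as Theorem 2's $S_{R_{PQ}} \subseteq S_H$ suggests.

```python
"""Static checks of a converter CFSM R_PQ against H = <Pr' ∪ Qs'> (constructed example).
A CFSM is a dict: state -> list of ((kind, message), next_state), kind "+" = receive, "-" = send.
The three checks mirror algorithm Test as described in Property 8."""
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str]
CFSM = Dict[int, List[Tuple[Event, int]]]


def missing_receptions(h: CFSM, rpq: CFSM) -> List[Tuple[int, str]]:
    """Receptions H specifies at a state of R_PQ that R_PQ lacks (Theorem 5 (ii)(a))."""
    missing = []
    for s in rpq:  # states of R_PQ are assumed to keep their names from H (S_RPQ ⊆ S_H)
        have = {msg for (kind, msg), _ in rpq[s] if kind == "+"}
        for (kind, msg), _ in h.get(s, []):
            if kind == "+" and msg not in have:
                missing.append((s, msg))
    return sorted(missing)


def one_sided_cycle(cfsm: CFSM, side: Set[str]) -> Optional[List[int]]:
    """A cycle using only transitions whose message lies in `side` (Theorem 4 (ii)), or None.
    Depth-first search restricted to that message class; an edge to a grey node closes a cycle."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in cfsm}
    for root in cfsm:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        path, stack = [root], [(root, iter(cfsm[root]))]
        while stack:
            node, arcs = stack[-1]
            for (_, msg), nxt in arcs:
                if msg not in side:
                    continue  # transition belongs to the other side: not in this subgraph
                if colour[nxt] == GREY:
                    return path[path.index(nxt):] + [nxt]
                if colour[nxt] == WHITE:
                    colour[nxt] = GREY
                    path.append(nxt)
                    stack.append((nxt, iter(cfsm[nxt])))
                    break
            else:
                colour[node] = BLACK
                stack.pop()
                path.pop()
    return None


def sink_states(cfsm: CFSM) -> List[int]:
    """States with no outgoing transition at all (violations of Theorem 3 (ii))."""
    return sorted(s for s, arcs in cfsm.items() if not arcs)


def check_converter(h: CFSM, rpq: CFSM, m_p: Set[str], m_q: Set[str]) -> Dict[str, object]:
    """Run the three checks; empty lists and None in every field is the passing outcome."""
    return {"missing_receptions": missing_receptions(h, rpq),
            "p_only_cycle": one_sided_cycle(rpq, m_p),
            "q_only_cycle": one_sided_cycle(rpq, m_q),
            "sinks": sink_states(rpq)}


M_P, M_Q = {"a", "b"}, {"c", "d", "e"}  # constructed: a, b are exchanged with Ps; c, d, e with Qr

# Constructed union machine H = <Pr' ∪ Qs'> from which the converters below are carved.
H: CFSM = {
    0: [(("+", "a"), 1)],
    1: [(("-", "c"), 2), (("-", "b"), 0)],
    2: [(("+", "d"), 3), (("+", "e"), 3)],
    3: [(("-", "b"), 0)],
}
# A converter that keeps every reception of H and alternates between the two sides.
GOOD_RPQ: CFSM = {
    0: [(("+", "a"), 1)],
    1: [(("-", "c"), 2)],
    2: [(("+", "d"), 3), (("+", "e"), 3)],
    3: [(("-", "b"), 0)],
}
# A converter that drops +e at state 2, keeps the 0-1-0 loop that talks to Ps only,
# and leaves state 3 without any outgoing transition.
BAD_RPQ: CFSM = {
    0: [(("+", "a"), 1)],
    1: [(("-", "c"), 2), (("-", "b"), 0)],
    2: [(("+", "d"), 3)],
    3: [],
}
```

`check_converter(H, GOOD_RPQ, M_P, M_Q)` returns empty results in every field, whereas `check_converter(H, BAD_RPQ, M_P, M_Q)` reports the missing reception `(2, "e")`, the $M_P$-only cycle `[0, 1, 0]` and the sink state `3`. The cycle search is run once per message class because a cycle that alternates between $M_P$ and $M_Q$ transitions is legitimate converter behaviour and must not be flagged.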

4. Theorems

Theorem 1. If there exists at least one common function between the protocols, it is possible to construct $P_r'$, $Q_s'$ and $H = \langle P_r' \cup Q_s'\rangle$, provided protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$ are given.

Proof. The proof of the theorem follows from the definition of Complementation. According to it, the allowed message exchanges in protocol $P$ should be a subset of those in protocol $Q$, i.e. $T_P \subset T_Q$.

If no common function exists, then the projection of the whole set of transitions onto the other protocol occurs, known as substitution, which contradicts the definition of Complementation. So there must be at least one common function between the protocols.

Theorem 2. If protocols $P = \langle P_s, P_r\rangle$, $Q = \langle Q_s, Q_r\rangle$ and $H = \langle P_r' \cup Q_s'\rangle$ are given, and $Z = \langle P_s, R_{PQ}, Q_r\rangle$, where $R_{PQ}$ is a CFSM converter, then $R_{PQ}$ is a subCFSM of $H$.

Proof. It is sufficient to prove that there exists at least one transition in $H$ which is not present in $R_{PQ}$.

Suppose $X_{P_r} \in P_r'$ and $X_{Q_s} \in Q_s'$. Let $S_k'$ be a state in $H$. If $\exists\, \delta_{P_r}(S_i, +X_{P_r}) = S_{i1}$ and $\exists\, \delta_{Q_s}(S_j, -X_{Q_s}) = S_{j1}$, then $\exists\, \delta_H(S_k', +X_{P_r}) = S_{i1}$ or $S_{j1}$ and $\exists\, \delta_H(S_k', -X_{Q_s}) = S_{j1}$ or $S_{i1}$. Now if $S_k'$ is a legal state, a valid message sequence or trace can be constructed as follows:

$t := \langle S_k',\; +X_{P_r},\; S_{i1} \text{ or } S_{j1},\; -X_{Q_s},\; S_{j1} \text{ or } S_{i1}\rangle.$

Here the transition $-X_{Q_s}$ may never be selected from state $S_k'$. So $R_{PQ}$ will not have this transition, and hence the theorem is proved.

Theorem 3. If protocol $Z = \langle P_s, R_{PQ}, Q_r\rangle$, where $R_{PQ}$ is a CFSM converter, is given, then the following two conditions are equivalent:

(i) $R_{PQ}$ is free from deadlocks;
(ii) there is at least one outgoing transition from each state in $R_{PQ}$.

Proof. To prove (i) $\Rightarrow$ (ii): let $G\langle S_i, S_k, S_j\rangle$ be a global state in $Z$. If $Z$ is free from deadlocks in $G$, then the following statements cannot both be true:

(a) all channels are empty;
(b) there exist no sends from any CFSM in the global state $G$.

If (b) is false then condition (ii) is satisfied irrespective of (a). If (a) is false and (b) is true then some queue is not empty, which is not a deadlock condition. Suppose the nonempty queue is between $P_s$ and $R_{PQ}$ (Fig. 2) and it cannot be emptied; then no further state change can occur, which is an unspecified reception. If there are no unspecified receptions, condition (a) may be reached by emptying the queue. So there is at least one outgoing transition from each state in $R_{PQ}$, and hence (i) $\Rightarrow$ (ii).

To prove (ii) $\Rightarrow$ (i): if there exists at least one transition from state $S_k$ of $R_{PQ}$, then $\exists\, \delta_{R_{PQ}}(S_k, \pm X_P)$ or $\exists\, \delta_{R_{PQ}}(S_k, \pm X_Q)$. If $\exists\, \delta_{R_{PQ}}(S_k, -X_P)$ or $\exists\, \delta_{R_{PQ}}(S_k, -X_Q)$, then (b) is false and (ii) $\Rightarrow$ (i) follows at once. If only $\exists\, \delta_{R_{PQ}}(S_k, +X_P)$ or $\exists\, \delta_{R_{PQ}}(S_k, +X_Q)$, the argument relies on the corresponding queue being nonempty in every reachable global state, so that (a) is false and the state is not a deadlock. So if every state in $R_{PQ}$ has some outgoing transition, there will be no deadlocks. Thus (i) $\equiv$ (ii).

Note that condition (ii) is a check on the transition graph of $R_{PQ}$ alone, whereas the definition of Section 2.1.3 is stated over reachable global states: a state of $R_{PQ}$ whose only outgoing transitions are receptions, reached with both channels empty while $P_s$ and $Q_r$ are likewise waiting to receive, satisfies (a) and (b) even though (ii) holds. In practice the outgoing-transition test should therefore be paired with the test that the head of the relevant queue can actually be received, i.e. with the unspecified reception conditions of Theorem 5.

Theorem 4. If protocol $Z = \langle P_s, R_{PQ}, Q_r\rangle$, where $R_{PQ}$ is a CFSM converter, is given, then the following two conditions are equivalent:

(i) $R_{PQ}$ is free from livelocks;
(ii) $R_{PQ}$ has no cycles with transitions from $P_r$ ($Q_s$) only.

Proof. To prove (i) $\Rightarrow$ (ii): let $G\langle S_i, S_k, S_j\rangle$ be a global state in $Z$. If $Z$ is free from livelocks in $G$, then the following statements cannot both be true:

(a) $C_{P_s R_{PQ}} = C_{R_{PQ} P_s} = \varepsilon$;
(b) there are no send transitions from $P_s$ to $R_{PQ}$ or from $R_{PQ}$ to $P_s$.

If (b) is false then condition (ii) is satisfied irrespective of (a). If (a) is false and (b) is true, and if there are no unspecified receptions, we may progress by emptying the queue between $P_s$ and $R_{PQ}$. Since it consists of messages from $P_r$, this implies condition (ii): absence of livelock implies that $R_{PQ}$ has no cycles due to $Q_s$ only. Similarly we can prove that there is no livelock between $R_{PQ}$ and $Q_r$. Thus (i) $\Rightarrow$ (ii).

To prove (ii) $\Rightarrow$ (i): we argue by contraposition. Let there be a livelock between $P_s$ and $R_{PQ}$. Then condition (b) implies that $\nexists\, \delta_{P_s}(S_i', -X_P')$ and $\nexists\, \delta_{R_{PQ}}(S_k, -X_P)$. Condition (a) implies that $\nexists\, \delta_{P_s}(S_i', +X_P')$ and $\nexists\, \delta_{R_{PQ}}(S_k, +X_P)$. Thus, if $Z$ is to progress, all transitions are due to $Q_s$ only, given that $Z$ has no deadlock or unspecified reception. So there exists a cycle with transitions from $Q_s$ only, which violates (ii). Thus (ii) $\Rightarrow$ (i). Hence (i) $\equiv$ (ii).

Theorem 5. If protocols $P = \langle P_s, P_r\rangle$, $Q = \langle Q_s, Q_r\rangle$ and $H = \langle P_r' \cup Q_s'\rangle$ are given, and $Z = \langle P_s, R_{PQ}, Q_r\rangle$, where $R_{PQ}$ is a CFSM converter, then the following two conditions are equivalent:

(i) $Z$ is free from unspecified receptions;
(ii) (a) the executable receptions from corresponding states in $R_{PQ}$ and $H$ are the same; (b) there exist no cycles with transitions from $P$ ($Q$) only with nonempty queue $C_{R_{PQ} Q_r}$ ($C_{P_s R_{PQ}}$); (c) there exist no states with no outgoing transitions and nonempty input queues.

Proof. To prove (i) $\Rightarrow$ (ii): from Theorem 2 we get $S_{R_{PQ}} \subseteq S_H$. We now examine under what conditions unspecified receptions may occur in $R_{PQ}$ due to protocol $P$. Protocol $Z$ is free from unspecified receptions if, $\forall$ state in $H$ with some message $X_P$ at the head of the channel queue $C_{P_s R_{PQ}}$, $\exists\, \delta_H(S_i, +X_P)$ or $\exists\, \delta_{R_{PQ}}(S_k, -X_P')$ (Fig. 2), which implies that condition (i) is true. Similarly for protocol $Q$. So if $Z$ is free from unspecified receptions, then the corresponding states in $R_{PQ}$ and $H$ have the same receptions. Thus (i) $\Rightarrow$ (ii)(a).

If $H$ is free from unspecified receptions and $\nexists\, \delta_H(S_i, +X_P)$ with nonempty input queues, then $\exists\, \delta_{R_{PQ}}(S_k, -X_P')$, which leads to a state $S_k'$ where the reception $+X_P$ may be dequeued from the channel. If the Complementation algorithm does not produce $S_k'$, the result is an unspecified reception in $Z$ such that neither of the above conditions is possible. This implies a cycle with transitions in $Q_s$ only. Thus (i) $\Rightarrow$ (ii)(b).

If $Z$ is safe and $\delta_H(S_i, +X)$ is not specified in state $S_i$ of CFSM $H$ for both $+X_P$ and $+X_Q$ with nonempty queues, then $\exists\, \delta_{R_{PQ}}(S_k, -X_P')$ must eventually be specified for both messages. However, if the Complementation algorithm does not produce such states, then $R_{PQ}$ will have a state with no outgoing transitions and nonempty queues between $P_s$ and $R_{PQ}$ and between $R_{PQ}$ and $Q_r$. Thus (i) $\Rightarrow$ (ii)(c). Hence (i) $\Rightarrow$ (ii).

To prove (ii) $\Rightarrow$ (i): let us assume $P$ and $Q$ are safe protocols, so that $P_r$ and $Q_s$ may be taken to be unspecified reception free. Now if $R_{PQ}$ satisfies the condition $\forall S_k \in S_{R_{PQ}},\; X \in X_H$: if $\exists\, \delta_H(S_k, +X)$ then $\exists\, \delta_{R_{PQ}}(S_k, +X) = S_k'$ with $S_k' \in S_{R_{PQ}}$, then $R_{PQ}$ is free from unspecified receptions, since either $S_{R_{PQ}} = S_H$ or $H$ specifies $\delta_H(S_i, +X_P)$ in every state with nonempty input queues. Thus (ii)(a) $\Rightarrow$ (i).

From Theorem 2 we get $S_{R_{PQ}} \subseteq S_H$. If condition (ii)(a) is true in $R_{PQ}$, then, given a state $S$ in $R_{PQ}$ with message $X_P$ at the head of the queue, if $\delta_H(S_i, +X_P)$ is not specified in $H$ the algorithm must be able to select states which eventually dequeue $X_P$. The only way we may reach such a state is if $R_{PQ}$ does not contain cycles with transitions that belong to $Q_s$ only. This implies freedom from unspecified receptions. Thus (ii)(b) $\Rightarrow$ (i).

Unspecified receptions can only be present if the algorithm does not select transitions leading to $\exists\, \delta_{R_{PQ}}(S_k, -X_P')$ whenever $\delta_H(S_i, +X_P)$ is not specified in both $P$ and $Q$. This implies that there are states with no outgoing transitions and nonempty input queues. Equivalently, absence of such a state in $R_{PQ}$ implies freedom from unspecified receptions. Thus (ii)(c) $\Rightarrow$ (i). Hence (ii) $\Rightarrow$ (i), and so (i) $\equiv$ (ii).

Theorem 6. If protocols $P = \langle P_s, P_r\rangle$ and $Q = \langle Q_s, Q_r\rangle$, with some common functionality to begin with, are given, there exists an algorithm which decides whether a converter exists for the given protocols.

Proof. The protocol converter exists if it satisfies the following conditions:

(i) $H = \langle P_r' \cup Q_s'\rangle$ exists;
(ii) $T_{R_{PQ}} \subseteq T^{p}_{R_{PQ}} \subseteq T^{p}_H$;
(iii) $Z = \langle P_s, R_{PQ}, Q_r\rangle$ satisfies $T_{D, P_r'} = T(R_{PQ})$ and $T_{D, Q_s'} = T(R_{PQ})$.

From Theorem 1, we see that if there exists at least one common function between the protocols, $H$ can be constructed. Since $Z$ is derived from $H = \langle P_r' \cup Q_s'\rangle$, and $D$ is the upper bound of the state space of $Z$, conditions (ii) and (iii) are satisfied. From Theorem 2 and Property 7 we know $T_{R_{PQ}} \subseteq T^{p}_{R_{PQ}} \subseteq T^{p}_H$, and by Property 8 the algorithm terminates in a finite number of steps. Freedom from deadlocks, livelocks and unspecified receptions is proved in Theorems 3, 4 and 5. Since the above conditions can all be established, there exists an algorithm for converter generation for the given protocols.

5. Conclusion

This paper presents the validation of an example protocol converter generated by the protocol complementation approach [9,17]. Several properties and theorems provide assurance that the algorithms perform as desired, and state the conditions under which the resulting converter is free from errors. Therefore, it is shown that the complementation algorithm provides a sufficient condition for finding a useful converter.

As stated earlier, deductive inference has several advantages over reachability analysis. Hence, to ensure correctness, it can be applied to any algorithm or procedure which generates or designs a protocol converter. We argue that deductive inference provides better confidence than reachability analysis in validating a converter, unless and until an automated validation toolbox is available.

Acknowledgements

Research reported herein was supported by the Council of Scientific and Industrial Research (CSIR), Government of India.

References

[1] M.T. Liu, Protocol engineering, in: M.C. Yovits (Ed.), Advances in Computers, vol. 29, Academic Press, New York, 1989, pp. 79–195.

[2] C.A. Sunshine, Formal techniques for protocol specification and verification, IEEE Computer 12 (9) (1979) 20–27.

[3] S.T. Vuong, D.D. Cowan, Reachability analysis of protocols with FIFO channels, Proc. ACM SIGCOMM, ACM, 1983, pp. 49–57.

[4] M.G. Gouda, Y.T. Yu, Protocol validation by maximal progress state exploration, IEEE Trans. Commun. COM-32 (1) (1984) 94–97.

[5] S.S. Lam, A.U. Shankar, Protocol verification via projections, IEEE Trans. Softw. Eng. SE-10 (4) (1984) 325–342.

[6] M.G. Gouda, J.Y. Han, Protocol validation by fair progress state exploration, Comput. Netw. ISDN Syst. 9 (1985) 353–361.

[7] M. Rajagopal, Protocol conversion: an algorithmic approach, PhD thesis, Georgia Institute of Technology, August 1990.

[8] M. Rajagopal, R.E. Miller, Synthesizing a protocol converter from executable protocol traces, IEEE Trans. Comput. C-40 (4) (1991) 487–499.

[9] S. Das, Design and implementation of protocol converters, PhD thesis, Indian Institute of Technology, Kharagpur, June 1996.

[10] H. Rudin, C.H. West, P. Zafiropulo, Automated protocol validation: one chain of development, Comput. Netw. 2 (4) (1978) 373–380.

[11] C.H. West, General techniques for communication protocol validation, IBM J. Res. Dev. 22 (7) (1978) 394–404.

[12] G.V. Bochmann, C.A. Sunshine, Formal methods in communication protocol design, IEEE Trans. Commun. COM-28 (4) (1980) 624–631.

[13] M.G. Gouda, Y.T. Yu, Synthesis of communicating machines with guaranteed progress, IEEE Trans. Commun. COM-32 (7) (1984) 864–865.

[14] D. Saha, Formal protocol conversion in computer networks, PhD thesis, Indian Institute of Technology, Kharagpur, India, June 1992.

[15] J.R. Zhao, G.V. Bochmann, Reduced reachability analysis of communication protocols: a new approach, in: Protocol Specification, Testing and Verification, North-Holland, 1986, pp. 245–254.

[16] J. Chang, M.T. Liu, An approach to protocol complementation for internetworking, Proc. ICSI, April 1990, pp. 205–211.

[17] S. Das, P. Dhar, Design of simplified protocol converters through protocol complementation, Computer Communications 20 (7) (1997) 528–534.

[18] P.W. King, Formalization of protocol engineering concepts, IEEE Trans. Comput. C-40 (4) (1991) 387–403.
