PROTOCOL VERIFICATION & PROTOCOL VALIDATION (presentation transcript)
Protocol Verification
Communication protocols should be checked for correctness, robustness, performance, interoperability, etc. Formal verification methods reduce the complexity of eliminating ambiguity and lead to more structured protocols. Programs that implement protocols must cope with asynchronous, concurrent computation and therefore exhibit extremely complicated behaviour. Protocol verification checks the correctness of the liveness and safety properties of a given protocol specification.
Properties of Verification
Need to check for correctness of the safety and liveness properties.
Safety Properties
BAD THINGS WILL NOT HAPPEN: non-violation of assertions (operations that take place in a protocol) and invariants (constant parameters used in a protocol).
Example, safety properties of ABP:
– The sender ensures that data with the correct seq. no. is sent to the receiver even if the data is lost in the channel.
– The receiver ensures that an ack. is sent to the sender even if the sent ack. is lost in the channel.
– The receiver never delivers two odd packets.
Liveness Properties
GOOD THINGS WILL HAPPEN
– Termination of the protocol
– Recurrent property (for a non-terminating protocol)
Liveness properties of ABP are:
– The protocol terminates correctly: all the seq. msgs, with seq. no. 0 and 1, have been transmitted and received by the receiver process.
The Alternating Bit Protocol as CFSMs
The Alternating Bit Protocol is used to guarantee correct data delivery between a sender and a receiver connected by an error-prone channel that loses or corrupts messages. It gets its name because it uses only one additional control bit in the message, and this control bit alternates only when the previous message has been correctly received.
Verification of ABP
The protocol entities are considered to have the following states and transitions:
– sender: two states, 0 (transmitting frame with sequence number 0) and 1 (transmitting frame with sequence number 1)
– receiver: two states, 0 (expecting frame with sequence number 0) and 1 (expecting frame with sequence number 1)
– channel: four states, 0 (channel contains a frame with sequence number 0), 1 (channel contains a frame with sequence number 1), A (channel contains an acknowledgement from the receiver), and the empty state '-' (channel does not contain any data)
Proof of liveness properties
Even under conditions of frame and ack. loss, the protocol returns to its terminator state. The terminator state is a state of the system whose occurrence means that all the specified messages have been transmitted and received correctly.
Normal operation of the protocol: the transitions are repeated in order over and over again. In each cycle two packets are delivered, bringing the sender back to its initial state of trying to send a new frame with seq. no. 0.
Proof of safety properties: handling of lost frames, where the state transitions are carried out, eventually the sender times out and the system moves back to the initial state; handling of a lost ack., where the state transitions are carried out to repair the damage caused.
Protocol Validation
Definition: protocol validation is a method of checking whether the interactions of the protocol entities, according to the protocol specification, satisfy certain properties or conditions. These may be either general, or specific to the particular protocol system and directly derived from its specification. Validation sometimes refers to checking the protocol specification so that it will not run into protocol design errors such as deadlock, unspecified receptions and livelock.
Protocol Design Errors
– State deadlocks
– Unspecified receptions
– Non-executable interactions
– State ambiguity of a protocol
– Unboundedness of a protocol
– Lack of adaptation in a protocol
– Livelocks
Protocol Design Errors
Non-executable interaction: a design error which, if it occurs, may lead to unreachable or unexecutable code in the protocol.
Unspecified reception: an incomplete specification of the protocol, which causes an unspecified reception during its execution.
Unboundedness of protocol: a design error that causes known system limits, such as the limited capacity of message queues, to overflow.
State ambiguity: a transient error which arbitrarily changes the protocol states.
Lack of adaptation: leads the protocol to huge loss of data, heavy buffer space requirements, high BW requirements, etc.
State deadlock: no further protocol execution is possible, e.g. all processes are waiting for conditions that can never be fulfilled.
Livelocks: protocol execution sequences that can be repeated indefinitely often without ever making effective progress.
CFSM: Communicating Finite State Machines
[Figure: Sender and Receiver CFSMs connected by channels C1 and C2. Sender: states 1 and 2, transitions -R (1 to 2) and +A (2 to 1). Receiver: states 1 and 2, transitions +R (1 to 2) and -A (2 to 1).]
A CFSM (Communicating Finite State Machine) is represented by states and transitions and is connected to channels. Here the sender machine has two channels, C1 and C2. Channels are assumed to be FIFO. C1 is the outgoing channel for the sender; C2 is the incoming channel for the sender. When a sending transition of the sender fires, it sends the msg in the transition label to the outgoing channel. A receiving transition can only occur if there is a msg of the same type at the head of the CFSM's incoming channel.
[Figure: a single CFSM with states 1 and 2 and the transition -R from 1 to 2.]
The initial node is drawn with a double circle; every CFSM has only one initial state. In a transition label, a - sign means sending and a + sign means receiving; the string after the sign is the msg type. The transition shown sends msg R to the CFSM's outgoing channel. It can also be represented as (1, 2, -R).
Operation of CFSM
When the network starts, the current states of both machines are set to their initial states. The receiver at state 1 cannot fire its outgoing transition (1, 2, +R), since C1 is empty. The sender at state 1 can fire its outgoing transition (1, 2, -R); as a result the current state of the sender changes to 2 and msg R is put in channel C1.
[Figure: the network before and after this step; afterwards C1 contains R.]
Operation of CFSM: Step 2
Now the sender at state 2 has (2,1,+A) as its outgoing transition. There is no msg A in C2, so this receiving transition cannot be fired; it waits. The receiver at state 1 checks its outgoing receiving transition (1,2,+R) and finds that the msg label matches the msg at the head of C1. It fires the transition, takes in msg R (removing it from C1) and changes its current state to state 2.
[Figure: the network before and after this step; afterwards both channels are empty.]
Operation of CFSM: Step 4
The sender, still at state 2, has (2,1,+A) as its outgoing transition. There is no msg A in C2, so this receiving transition cannot be fired; it waits. The receiver at state 2 checks its outgoing sending transition (2,1,-A). It fires the transition, puts msg A in C2, and changes its current state to state 1.
[Figure: the network before and after this step; afterwards C2 contains A.]
Operation of CFSM: Step 5
The receiver at state 1 checks its outgoing receiving transition (1,2,+R). There is no msg R in C1; it waits. Now the sender at state 2 has (2,1,+A) as its outgoing transition. There is a msg A in C2, so this receiving transition can be fired. It reads in A (removing it from C2) and changes state to 1. Now both machines are back at their initial states.
[Figure: the network before and after this step; afterwards both channels are empty.]
What could happen next?
In the CFSM model we assume that only one transition can be fired at a time; there are no two simultaneous firings.
[Figure: copies of the network illustrating alternative next firings, labelled Sender: (1,2,-R) with R in C1 and Receiver: (2,1,-A) with A in C2.]
What could happen next?
The sender cannot move. The receiver can either receive msg R or send msg B. How many msgs can be in C1 for this network? How about C2?
[Figure: the network where the receiver has an additional sending transition -B; the alternatives are labelled Receiver: (1,2,+R) and Receiver: (1,2,-B), with R in C1 and B in C2.]
What could happen next?
A receiving state is a state whose outgoing transitions are all receiving transitions. It cannot move without a msg in its incoming channel. Both machines are at receiving states and the channels are empty. This is called deadlock: the network cannot progress further.
[Figure: the deadlocked network with both channels empty.]
Unspecified Reception Error
There is a msg B in C2 but the sender does not have a receiving transition for msg B. This is called an unspecified reception. The network cannot progress further.
[Figure: the network with B in C2.]
Non-executable States and Transitions
State 3 of the receiver will never be executed, i.e. never become the current state. It is called a non-executable state. Transitions (2,3,+B) and (3,1,-C) will never be executed. They are called non-executable transitions. How does one know they will never be executed?
[Figure: the network where the receiver has an extra state 3 with transitions +B (2 to 3) and -C (3 to 1).]
Reachability Analysis
[Figure: reachability graph of the CFSM network. Each global (reachable) state gs0 ... gsn is the tuple (Sender's state, channel C1's content, channel C2's content, Receiver's state); E means the channel is empty. Edges are labelled with the fired transition (-R, +R, -A, +A, -B). One branch, reached by sending B, is marked Unspecified Reception: the receiving machine does not know how to receive B.]
Reachability graph: the result of generating all possible reachable states from the initial global state.
Reachability Analysis
Starting from the initial global state, where the channels are empty and the machines are at their initial states, explore all possible reachable states by firing the possible transitions (and generating global states) from any given reachable state. All deadlock and unspecified reception errors will be captured and marked as individual global states. By examining the number of msgs in the channels we can design the buffer sizes for the protocol. Non-executable states and transitions can be detected by marking the states that are touched and the transitions that are fired during the reachability analysis.
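The procedure above, and the deadlock, unspecified reception and non-executable transition slides before it, as an added worked example in Python (not code from the slides): a breadth-first reachability analysis over global states of the Sender/Receiver network. Machines are assumed to be dicts giving the initial state, the index of the out and in channel, and the transition list; the `bound` parameter is an added cap so that an unbounded protocol (the Receiver-sends-B variant) still terminates and is reported as unbounded.

```python
from collections import deque

# Constructed CFSM network from the slides (channel index 0 is C1, 1 is C2):
# Sender sends R on C1 and receives A on C2; Receiver receives R and sends A.
SENDER = dict(init=1, out=0, inp=1, trans=[(1, 2, "-R"), (2, 1, "+A")])
RECEIVER = dict(init=1, out=1, inp=0, trans=[(1, 2, "+R"), (2, 1, "-A")])
# Variant from the "what could happen next?" slides: Receiver may also send B.
RECEIVER_B = dict(RECEIVER, trans=RECEIVER["trans"] + [(1, 2, "-B")])

def fire(machines, gs, i, t):
    """Successor when machine i fires t = (from, to, label) in global state gs,
    or None: '-msg' appends to its out FIFO, '+msg' needs msg at its in FIFO head."""
    states, ch = gs[0], list(gs[1])
    m, msg = machines[i], t[2][1:]
    if t[2][0] == "-":
        ch[m["out"]] += (msg,)
    elif ch[m["inp"]][:1] != (msg,):
        return None
    else:
        ch[m["inp"]] = ch[m["inp"]][1:]
    return (states[:i] + (t[1],) + states[i + 1:], tuple(ch))

def reachability(machines, bound=4):
    """BFS over global states (machine states, channel contents) from the initial
    one; channels longer than `bound` are not explored (unbounded protocols)."""
    init = (tuple(m["init"] for m in machines), ((), ()))
    seen, todo, fired = {init}, deque([init]), set()
    dead, unspec, depth, over = [], [], [0, 0], False
    while todo:
        states, chans = gs = todo.popleft()
        # receiving state: every outgoing transition of the machine is a receive
        recv = [all(t[2][0] == "+" for t in m["trans"] if t[0] == s) for m, s in zip(machines, states)]
        if all(recv) and not any(chans):          # deadlock: nobody can ever move
            dead.append(gs)
        for i, m in enumerate(machines):
            head = chans[m["inp"]][:1]
            if recv[i] and head and "+" + head[0] not in [t[2] for t in m["trans"] if t[0] == states[i]]:
                unspec.append(gs)                 # unspecified reception of head msg
            for t in m["trans"]:
                n = fire(machines, gs, i, t) if t[0] == states[i] else None
                if n is not None:
                    fired.add((i, t))
                    if max(map(len, n[1])) > bound:
                        over = True               # channel keeps growing: unbounded
                    elif n not in seen:
                        depth = [max(a, len(c)) for a, c in zip(depth, n[1])]
                        seen.add(n); todo.append(n)
    unfired = [(i, t) for i, m in enumerate(machines) for t in m["trans"] if (i, t) not in fired]
    return dict(states=len(seen), deadlocks=dead, unspecified=unspec,
                buffers=depth, non_executable=unfired, unbounded=over)
```

`reachability([SENDER, RECEIVER])` explores the four global states of the slides' walk-through with a buffer size of 1 per channel and no errors; `reachability([SENDER, RECEIVER_B])` reports the unspecified reception of B at the Sender and flags C2 as unbounded.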
Reachability Analysis Exercise
a) Perform the reachability analysis on the network (M, N).
b) What sizes of buffers are needed for the two FIFO channels?
c) Are there non-executable states or transitions?
Solution
One unspecified reception. Both channels need a buffer size of 2 (see gs8 and gs9). No non-executable states or transitions. Since both machines send the same types of msgs, we use "Machine:" to specify which machine fires the transition.
Pros and Cons of Reachability Analysis
Advantages:
* Easily automated.
* Many logical errors can be detected by only examining individual global states in the reachability graph.
Disadvantages:
* State space explosion problem. (The state space of a system can be very large, or even infinite. Thus, at the outset, it is impossible to explore the entire state space with limited resources of time and memory.)
* Does not work on unbounded protocols.
* Many relationships among the protocol state variables, expressing the desirable logical correctness properties of the protocol, are not apparent from simply traversing the reachability graph.