Scholarly article on topic 'A Timed Rewriting Logic Semantics for SDL: A Case Study of the Alternating Bit Protocol'

A Timed Rewriting Logic Semantics for SDL: A Case Study of the Alternating Bit Protocol Academic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
Keywords
{}

Abstract of research paper on Computer and information sciences, author of scientific article — L.J. Steggles, Piotr Kosiuczenko

Abstract SDL is an industrial standard formal description technique for telecommunication systems. Despite its wide spread use and industrial importance it lacks at present an adequate formal semantics integrating its static, dynamic, and real-time aspects. Timed Rewriting Logic (TRL) is a new variant of Rewriting Logic, an algebraic formalism which allows the dynamic behaviour of systems to be axiomatised using rewrite rules. In TRL rewrite rules can be labelled with time constraints and this provides a means of reasoning about time elapse in real-time systems. TRL has been used to develop an object-oriented specification language Timed Maude for distributed real-time systems. In this paper we demonstrate the expressive power and versatility of Timed Maude by applying it to the definition of a formal semantics for SDL. The semantics we develop captures in an intuitive way the hierarchical structure of SDL specifications and integrates within one formalism the static and dynamic aspects of an SDL system. We demonstrate and motivate the semantics we develop by considering in detail a case study of the bench mark alternating bit protocol. It is a pleasure to thank U. Hinkel, K. Meinke and M. Wirsing for their helpful comments and advice during the preparation of this paper. We also gratefully acknowledge the financial support of the British Council and DAAD which has made this collaborative work possible.

Academic research paper on topic "A Timed Rewriting Logic Semantics for SDL: A Case Study of the Alternating Bit Protocol"

URL: http://www.elsevier.nl/locate/entcs/volumel5.html 22 pages

A Timed Rewriting Logic Semantics for SDL: A Case Study of the Alternating Bit Protocol

L. J. Steggles

Department of Computing Science, University of Newcastle Newcastle upon Tyne, U. K.

Piotr Kosiuczenko

Institut, für Informatik,

Ludwig-Maximilians-Universität, München, Germany.

Abstract

SDL is an industrial standard formal description technique for telecommunication systems. Despite its wide spread use and industrial importance it lacks at present an adequate formal semantics integrating its static, dynamic, and real-time aspects. Timed Rewriting Logic (TRL) is a new variant of Rewriting Logic, an algebraic formalism which allows the dynamic behaviour of systems to be axiomatised using rewrite rules. In TRL rewrite rules can be labelled with time constraints and this provides a means of reasoning about time elapse in real-time systems. TRL has been used to develop an object-oriented specification language Timed Maude for distributed real-time systems. In this paper we demonstrate the expressive power and versatility of Timed Maude by applying it to the definition of a formal semantics for SDL. The semantics we develop captures in an intuitive way the hierarchical structure of SDL specifications and integrates within one formalism the static and dynamic aspects of an SDL system. We demonstrate and motivate the semantics we develop by considering in detail a case study of the bench mark alternating bit protocol.

1 Introduction.

SDL (Specification and Description Language) is an industrial standard formal description technique (FDT) for real-time distributed systems. It was developed in the early 1970's by the CCITT (renamed to the ITU-T) as a standard language for the description of telecommunication systems. Since

©1998 Published by Elsevier Science B. V.

then it has become increasingly popular as an FDT for industrial real-time systems, due in part to it having both a graphical and textual syntax. Various versions of the language have appeared but we consider only SDL-88 (see [6]) a widely used and supported version of the language. Despite being described as a formal language SDL does not at present have a complete, integrated and usable formal semantics. Given the wide spread industrial use and importance of SDL there is a real need for a natural formal semantics of SDL to be developed which can be used to analyse and verify system specifications. To this end there have been several attempts in the past few years including semantics based on: process algebra [3], temporal logic [14] and duration calculus [17], stream processing functions [5], [10] and [9], With the exception of [9] these semantics focus on different views of SDL and formalize different parts of the language. In our opinion SDL still lacks a formal semantics which integrates within one unifying framework all the main aspects of the language. In this paper we address this shortfall by proposing a natural, integrated formal semantics for SDL based on Timed Rewriting Logic (TEL), TEL (see for example [12]) is a new algebraic formalism for specifying real-time systems, TEL is based on Rewriting Logic (EL) [15], an algebraic formalism which extends standard algebraic specification techniques by allowing the dynamic behaviour of systems to be modelled using rewrite rules. As in EL the idea behind TEL is to define the static and functional aspects of a system using standard algebraic specifications and to then view terms over this specification as system states. The real-time behaviour of the system is then axiomatised by timed rewrite rules which define the possible concurrent state transitions of the system and thus enable us to reason about time elapse in real-time systems, EL has been used to define an object-oriented specification language called Maude which is described in [16], A timed version of Maude has also been developed based on TEL (see for example [12]),

In the following we describe in detail how we can derive a Timed Maude specification which provides a formal model of the intended meaning of an SDL specification. We begin by considering how to use TEL to model basic SDL specifications [2], We then consider modelling some of the more complex features of SDL including decision constructs and saving signals, and in particular, we consider using TEL to model SDL's concept of time and timers. We demonstrate our approach by a detailed case study of constructing a semantic model of the benchmark alternating bit protocol. We use this case study to discuss how our TEL model can be used to simulate and test SDL systems using the Maude rewriting tool. We also investigate how the TEL model can be used to analyse SDL systems and we derive some simple timing properties for the SDL alternating bit protocol system.

The semantic model we propose demonstrates the expressive power and versatility of TEL and Timed Maude, It utilises Timed Maudes object-oriented features and uses distinct objects to represent the processes, blocks and channels contained within an SDL system. Thus the structure of our se-

mantics corresponds in a very natural way to that of an SDL specification. We also take advantage of Timed Maudes modular structuring mechanisms and each block in an SDL specification results in a corresponding module specification which imports the necessary subblock or process modules. Thus the resulting operational semantics captures in an intuitive way the hierarchical structure of an SDL specification. Our semantics has some key advantages over its predecessors. It integrates together the different views of an SDL specification including abstract data types, process, block and real-time descriptions and thus unifies the static and dynamic aspects within one formalism. It also provides an intuitive and natural formal basis for analysing SDL specifications and has the added advantage of efficient tool support provided by the Maude implementation. In our opinion the unifying approach and the use of a formal object-oriented specification language along with efficient tool support makes the new semantics interesting.

The paper is organised as follows. In Section 2 we introduce the necessary background material on TEL and Timed Maude, Then in Section 3 we present a brief overview of SDL, We consider modelling SDL specifications in Section 4 and demonstrate our ideas with a detailed case study of an SDL specification for the benchmark alternating bit protocol in Section 5, Finally, in Section 6 we make some concluding remarks,

2 Timed Rewriting Logic and Timed Maude.

In this section we briefly introduce Timed Rewriting Logic and its associated object-oriented specification language Timed Maude, For a detailed account of TEL and Timed Maude we refer the interested reader to [12], while for an example of its use see [19]. In the following we assume the reader is familiar with the basic theory of algebraic specification methods (see for example [20]),

2.1 Timed Rewriting Logic.

Rewriting Logic (EL) is an extension of standard algebraic specification techniques which is able to model dynamic system behaviour. In EL the functional and static properties of a system are described by standard algebraic specifications, whereas the dynamic behaviour of the system is modelled using rewrite rules. Terms over a given signature £ represent the global states (or configurations) of a system and rewrite rules model the dynamic transitions between these states. For a detailed introduction to EL see [15].

Timed Rewriting Logic (TEL) extends EL by allowing timing constraints to be added to rewrite rules. Every time dependent rewrite step in the system is labelled with a time stamp and this allows us to reason about time elapse in real-time systems. In TEL time is modelled abstractly by an archimedean monoid [12] and thus time can be modelled by the natural or real numbers.

A timed rewrite rule is a literal written as tl — r —/2. where r e R+ and il,i2 e T(£,JY")S are £ terms of the same sort s. Informally, this means that tl evolves to ¿2 in time r (R+ is the domain of the underlying arehimedean monoid). The basic rules of the rewriting calculus [15] are extended with time labels as follows: transitivity yields the addition of the time elapses; the congruence and replacement rules are modelled by synchronous composition (which allows us to enforce uniform time elapse in all components of a system); and reflexivitv is modelled using a 0-time reflexivitv rule which allows actions to be interleaved (see [12] for a more detailed account),

2.2 Timed Maude.

Timed Maude is an object-oriented real-time specification language which is based on TEL, Timed Maude extends the language Maude [16] by replacing concurrent rewriting with TEL, An object in Maude is represented by a tuple, more precisely by a term, comprising a unique object identifier, the class to which the object belongs and a set of attributes (local state). For example, the term < p : P \ state : S, saved : n > represents an object with object identifier p belonging to the class P. The attribute state has value S and the attribute saved has value n. A message is a term that consists of the message's name, the identifier of the object the message is addressed to and, possibly, parameters (in mixfix notation), A Maude specification or program makes computational progress by rewriting its global state, referred to as its configuration. A configuration is a multiset, or bag, of objects and messages. The sorts Msg of messages and Obj of objects are considered as subsorts of the sort Conf of configurations. Formally, a configuration is a term of the form m,i ® • • • ® nik 0 Oi 0 • • • 0 Oi, where ® is the function symbol for multiset union modelling composition, mi,... ,rnk are messages (terms of sort Msg), and Oi,... ,Oi are objects (terms of sort Obj). For brevity we often omit the symbol ® in configurations, i.e. we write mi... m^ 0\... Oi. The multiset union operator ® is commutative, associative and has an identity null.

Configurations evolve by consuming and producing messages and removing and creating objects. This evolution is specified using timed rewrite rules which have the following general form

mi... mn < Oi : C\ \ attsi > ... < oq : Cq | attsq > — r

< On : C'a | atts'a >...< Oik : C'ik | atts'ik >< o[ : £>i | atts" > ...

< o' : Dp | atts'p > m'l... m{ if Cond

In the above rule the messages mi,..., mn are consumed and the new messages mi,..., m'l are created. Objects occurring only on the left hand side of the rule are deleted, objects occurring only on the right hand side are created, and those on both sides may change their local state. The Boolean expression Cond is an optional rule condition or guard controlling the application of the rule. The rewrite rule takes r time units to be performed.

3 Introduction to SDL.

SDL (Specification and Description Language) is a formal description technique (FDT) for real-time distributed systems. It was developed in the early 1970's by the CCITT as a standard language for the description of telecommunication systems. Since then several versions of the language have evolved, the most recent being an object-oriented version called SDL-92 (see [7] and [8]), This paper is based on SDL-88 [6], an earlier version of the language which is widely used and supported. For an introduction to SDL-88 we recommend [2],

SDL is an FDT providing both a graphical and textual syntax for specifications, An SDL specification describes a system which consists of a number of blocks which communicate with each other and the environment via a number of channels. Each block consists of a number of communicating sub-blocks until, at the lowest level, we have what we refer to as the atomic blocks. Atomic blocks consist only of processes which communicate with each other and the associated block channels via signal routes. Note that a block never contains both processes and sub-blocks. This hierarchical system structure is illustrated in figure 1 where the squares represent blocks and the rounded boxes represent processes. The behaviour of the entire system is derived by combining the behaviour of all the processes in the system.

Fig. 1. The structure of an SDL system specification.

A process can be viewed as an extended finite state machine which works autonomously but concurrently with other processes. Processes communicate with each other by sending and receiving signals and each process has a unique process identification number (pid) which is normally used to address signals. We note that signals sent via signal routes suffer no delay, where as signals sent along channels are assumed to suffer a non-deterministic delay. Each process has an explicit state but can also contain local variables which can influence state transitions. Each process has a single unbounded input queue and all incoming signals from its associated signal routes are placed on this queue in the order they arrive (simultaneous signals are ordered non-deterministieally). States are assumed to be stable positions and state transitions are normally triggered by the consumption of a signal from the processes input queue. If the next input signal does not cause a state transition to occur then it is simply

discarded (referred to as an implicit transition}. During a transition local variables maybe updated. The behaviour of a process can be specified using a graphical notation, summarised in figure 2, which describes state transitions, consumption of input signals, and local variable updates.

^ <state> ^

<sig(p)>

<sig(p)>

<task>

<cond>

State Symbol Input Symbol Output Symbol Task Symbol Decision Symbol

Fig. 2. The main graphical symbols for specifying SDL processes.

In SDL time is represented by two sorts, Time which represents absolute time and Duration representing relative time. Both of these sorts are considered to be copies of the real numbers. In any given SDL system it is assumed that there is an absolute global time which all processes in the system can access via the Now expression (which always evaluates to the current absolute time). However, since SDL is used to model distributed systems it is assumed that no synehonisation of events in different processes can be based on Now. In SDL processes mainly gain access to time via the use of timers. A timer can be set by a process to expire at some absolute time (usually defined using the Now construct). When a timer expires it places a predefined timeout signal on the input queue of the process which created it. Once a timer has been set it is said to be active and it remains active until either it has expired and its timeout signal has been consumed, or it is reset. When a timer is reset any timeout signal it has generated is removed from the processes input queue. We note that setting a timer necessarily involves first resetting the timer. Since a reset removes any existing timeout signals from the process's input queue we know that only one timeout signal from a particular timer can ever be in a process's input queue at any one time.

4 A TRL Semantics for SDL.

In this section we outline a new semantic model for SDL based on TEL. We formulate a general approach to modelling SDL and in particular, consider modelling decision constructs, saved signals, and timers. The approach we develop will be demonstrated in the next section when we consider in detail how to construct a TEL semantics for an SDL specification of the benchmark alternating bit protocol.

An SDL specification can be viewed as consisting of two parts: a static part defining the systems physical structure and data types; and a dynamic part which defines the systems behaviour. The static part of an SDL specification will be modelled using the standard algebraic specification methods provided by Maude. Note that abstract data types in SDL are already defined using algebraic techniques and thus can be straightforwardly coded into Maude. The dynamic part of an SDL specification will be modelled using (timed) rewrite

rules. In this way we integrate both static and dynamic aspects of an SDL system within a single semantic framework.

At the lowest level an SDL specification defines process types which taken collectively specify the overall behaviour of the system. Consider an SDL process type P which can be in states Sl,...,Sn and has local variables xi,..., xm. Then to model P we introduce a new class ProP and a new sort StateP with constants SI,..., Sn. Process P will be modelled in Maude using two objects P®Qp, where P is the process's main body and QP represents the process's input queue, (This division is necessary in order to prevent a process being blocked during communication, as explained below.) The objects have the form

P =< p : ProP | St : Si, Xi : U\,..., xm : urn >, Qp =< p : InQ | Q : q >,

where p is a unique object identifier representing the process's pid, ProP is the class for processes of type P, and InQ is the class for input queues. The attribute St stores the current state Si of process P, each attribute xjt stores the current value Ui of the corresponding variable, and Q stores the current input queue q for the process.

In SDL processes communicate with other processes by sending/receiving signals using signal routes and channels. We do not explicitly represent signal routes within our model. Instead they are implicitly modelled by restricting the allowed communication between objects within the same block. The dynamic behaviour of a process is modelled using rewrite rules. Each possible state transition is modelled using three steps: (i) first we read the next input signal(s); (ii) next we perform any actions on the process's local variables; and (iii) finally we perform the appropriate outputs and enter the final state of the transition. Time is only allowed to pass in step (ii) and this ensures that reading and sending signals does not block the processes involved. As an

Fig. 3. An example of a state transition.

example consider figure 3 in which process PI when in state S and readings signal s can perform a transition to a state S', updating the value of its local variable x to u' and outputing a signal s' to process P2 (assumed to be in the

same block). Lets assume this is the ith possible state transition from state S and that the update takes t time units. Then we model this state transition using two new intermediate states Siti and Sit2 as follows,

(* Step 1: Read input signal to initiate transition *)

< pi : ProPl | St : S > ® < pi : InQ | Q : s.ql > ^ 0 ^

< pi : ProPl | St : Si,i > ® < pi : InQ | Q : ql >,

(* Step 2: Perform updates and allow time to pass *)

< pi : ProPl | St :S ¿,i, x : u > — / —^ C /) 1 : ProPl \ St : Si,2, x : u' >,

(* Step 3: Output signals *)

< pi : ProPl | St : Sh2 > ® < p2 : InQ | Q : q2 > - 0

< pi : ProPl | St : S'> ® <p2 : InQ \ Q : q2.s' > .

For brevity we introduce a new notation = t =$> to allow the above three rules to be expressed as a single compound rule:

< pi : ProPl I St : S, x : u > <g> < pi : InQ | Q : s.ql > <g>

< p2 : InQ I Q :q2> = <pl: ProPl \ St : S',x : u' > ®

< pi : InQ I Q : ql > <g> < p2 : InQ \ Q : q2.s' > .

Note we always assume that the above order of input, update and output is followed during a state transition. Any state transition which does not observe this order can be straightforwardly transformed into one that does by simply adding extra temporary states. In order to model the behaviour of processes we also require rules for discarding signals (implicit transitions), and allowing process objects to progress in time. These rules are straightforward to formulate and for brevity are omitted here.

An atomic block B containing processes Pl,...,Pn is modelled by an object

B =<b: Blk | Ps : PI <g> Ql <g> • • • <g> Pn <g> Qn >,

where Blk is the class for blocks, b is a unique block identifier and the attribute Ps stores the current configuration of processes in the block. Communication between blocks occurs along channels which we model explicitly by objects of the form C =< c : Chan \ Q : q >, where Chan is the class for channels, c is a unique object identifier and Q is an attribute storing a queue of signals being transmitted. We have a general reflexivitv rule for channels

< c : Chan \ Q : q > — 1 c : Chan \ Q : q >,

which allows time to pass for channel objects, A general block B consisting of subblocks B1,..., Bn and channels CI,..., Cm is simply modelled by an

appropriate object of type Blk, i.e.

B =< b : Blk | Ps : CI 0 ■ ■ ■ 0 Cm 0 Bl 0 • • • <g> Bn > .

Signals are passed between channels and their associated blocks by formulating appropriate synchronous rewrite rules for communication. For example, suppose in the previous example PI which is in block Bl needs to use a channel C to communicate to P2 which is in a different block. Then we simply replace step (iii) in the above example with the following rule:

< bl : Blk | Ps :< pi : ProPl | St : ~Sia > 0cf > 0 < c : Chan \ Q : ql > - 0 bl : Blk I Ps :< pi : ProPl | St : S' > 0cf > 0 < c : Chan | Q : ql.s' >,

where cf is a variable of type configuration. We note that the transmission of signals from a channel to a process can be modelled in a similar way. The non-deterministic delay associated with sending signals along channels is automatically incorporated by the reflexivitv rule for channels and the non-deterministic nature of applying rewrite rules.

Finally, a system Sys containing at the top level blocks Bl,..., Bn, input channels II,..., I m and output channels 01,..., Ok is simply modelled as a block object

< sys: Blk | Ps : II 0 • • • 0 Im 0 Bl 0 • • • 0 Bn 0 01 0 • • • 0 Ok > .

The system configuration stored in Ps evolves by concurrently applying the rewrite rules derived for the blocks, channels and processes contained within the SDL system,

(Timed) Maude provides a module system that allows a specification to be constructed hierarchically. We use this module system to structure our TEL semantics of SDL; each block has a corresponding Timed Maude object module and subblock modules are imported as required. Thus the Timed Maude module structure of our semantics closely resembles the hierarchical structure of the given SDL system. Given the range of renaming and parameterization operations provided by Maude, the approach also facilitates the reuse of block specifications.

It is straightforward to incorporate many of the more complex features of SDL into this semantic model and as illustrative examples we now consider modelling decision constructs, the save signal construct, and timers within our framework,

4-1 Decision and Save Constructs.

We begin this subsection by considering how to model the two main branching constructs available for choosing between a set of transitions. The first

branching construct we consider is the decision construct which allows transitions to branch depending on some conditional expression. As an example consider the decision construct depicted in figure 4(a), After the process P

( s') ( ^ ) ( S1) ( )

Fig. 4. (a) The decision construct, (b) The any construct.

reads signal s in state S the decision command allows the process to enter state SI if local variable c is greater than 9, or state S2 if c is less than or equal to 9. Let the objects < p : Pro \ St : S, c : n > 0 < p : InQ \ Q : q > represent the process P and its input queue, and assume an equational axiomatisation of the greater than function >: Nat x Nat —Bool. Then assuming the evaluation of the conditional takes t time units we can model the transition using the following (conditional) compound rules:

< p : Pro | St : S > <S> <p: InQ \ 0 : s.q > = I =>

< p : Pro | St : SI, c : n > ® < p : InQ | Q : q > if (n > 9),

< p : Pro | St : S > <S> <p: InQ \ 0 : s.q > = I

< p : Pro | St : S2, c : n > ® < p : InQ | Q : q > if not{n > 9).

Note in the above we treat each of the possible paths through the decision construct as a separate transition which will have its own intermediate states.

The second branching construct SDL provides is called the any construct which allows a non-deterministic choice between a set of possible transitions. An example of such a rule is depicted in figure 4(b). It is straightforward to model the non-deterministic any construct by having a compound rule to represent each possible transition and then using the built in non-determinism of rewriting logic to choose which rule to apply.

In SDL a process normally consumes signals in the order in which they arrive at the input queue and any signal which is not explicitly mentioned as an input in a particular state is simply discarded. However, often it is necessary to store or save signals which would normally be discarded so that they can be used in future states. SDL provides a construct to allow this, referred to as the save construct. An example of the save construct is depicted in figure 5; this specifies a transition from a state S to the state SI if the next signal is si e Sigset, where Sigset is the set of possible input signals. However,

there is a set of signals ss Ç Sigset, ss fl {si} = 0 which we want to save and this is indicated by the save box (slanted rectangle symbol). Let the objects

Fig. 5. An example of the save construct.

< p : Pro | St : S, SQ : qO > ® < p : InQ \ Q : q > represent the process in question, where SQ is an additional attribute used to store a queue of saved signals (SQ is initially empty). Then we can model the save command using the following rules:

(i) first we have a compound rule to axiomatise what happens if the next signal is si (assuming the transition takes t time units)

< p : Pro | St : S, SQ : qO > <g> < p : InQ | Q : sl.q > = t =>

< p : Pro | St : SI, SQ : empty > ® < p : InQ | Q : qO.q >;

(ii) next for each s e ss we have a rule to save s in the save queue

< p : Pro | St : S, SQ : qO > <g> < p : InQ \ Q : s.q> - 0 ->•

< p : Pro | St : S, SQ : qO.s > ® < p : InQ | Q : q >;

(iii) finally we have the standard discard rule for each signal s e Sigset such that s ^ {si, s2} U ss.

4-2 Time and Timers.

To simplify our discussion of time we choose to use discrete time in the sequel and thus we think of the sorts Time and Duration as being the natural numbers. In fact, as discussed in [3], there are a number of strong reasons motivating the choice of discrete time. (For a treatment of dense time within the Maude framework we refer the interested reader to [12].)

In practice the global time which is available in SDL systems is only used to set timers to expire in some relative time via the Now construct. For this reason we have chosen not to explicitly model a global time but instead to allow timers to act as counters which produce a timeout signal after a specified period of time [12]. We model timers using objects of the form

< tm : Tm \ time : t, P : p, TO : b >, 11

where tm is of sort Timer (a subsort of both Old and Signal) and Tm is the class of timer objects. In the above object timer tm has t time units left before it outputs a timeout signal tm to it's creating process p. The attribute TO indicates if a timeout signal has been sent (needed since a timer remains active after sending a timeout signal). The names of the timers which are currently active for a process P are stored within the process using an additional attribute TS (we will see in the next section that this extra information is needed to axiomatise the resetting of timers). To make use of this queue of active timers we introduce two auxiliary functions: Active : Timer x Que —Bool which uses TS to tell us if a timer is active; and Rem : Timer x Que —Que which removes a timer signal from a queue of signals or timers.

The following are general rules which model the passage of time for timers, what happens when a timer expires, and the passage of time once a timeout signal has been sent by a timer,

< tm : Tm | time :t + r> — r —>•< tm : Tm | time :t>,

< tm : Tm \ time : 0, P : p, TO : False > ® < p : InQ | Q : q > — 0 —

< tm : Tm \ time : 0, P : p, TO : True > ® < p : InQ | Q : q.tm >,

< tm : Tm \ time : 0, TO : True > — r tm : Tm \ time : 0, TO : True > .

We demonstrate how we model the use of timers in the next section in a Timed Maude specification of the alternating bit protocol,

5 Case Study of The Alternating Bit Protocol.

In this section we demonstrate the TEL semantic model for SDL outlined in the previous section by considering a case study of the well-known benchmark alternating bit protocol [1]. We begin with an informal introduction to the alternating bit protocol and by presenting an SDL specification for it. We then consider how the various SDL constructs contained in this example can be formalised using TEL, and present a TEL semantics for part of the SDL specification. We conclude by considering how the TEL model we construct can be used to analyse the timing properties of the alternating bit protocol,

5.1 An SDL Specification of the Alternating Bit Protocol.

The alternating bit protocol is a simple data link protocol designed to allow reliable communication over an unreliable physical layer [1]. We assume that the unreliable physical layer can lose messages but that it does not corrupt or rearrange them. The idea behind the protocol is simple; the sending and receiving processes use a single bit (0 or 1) to check that a message has been successfully transmitted across the unreliable physical layer. The sender transmits its next message plus its current check bit value to the receiver and then waits for an acknowledgement. On receiving an acknowledgement

containing the correct check bit the sender may assume its message has been received and so flips its check bit value and sends the next message. However, if the sender doesn't receive an acknowledgement within a set time limit or receives an acknowledgement with the wrong check bit, it assumes the message has been lost and resends it. On receiving a message with the correct check bit the receiver sends an acknowledgement with the check bit to the sender and then flips its check bit. If the check bit is wrong then the receiver assumes its last acknowledgement has been lost and resends it using the previous check bit value. To specify the alternating bit protocol using SDL we

Fig. 6. SDL system specification for the alternating bit protocol.

begin with a system specification AltBit, pictured in figure 6, which contains two atomic blocks: the ABP block which represents the protocol layer; and the UPL block representing the unreliable physical transmission layer. The ABP block communicates with the environment via two channels IN and OUT, and communication between the two blocks is achieved via four channels: CI, C2, C3 and C4, Each atomic block contains two processes which define their behaviour; block UPL contains processes PI and P2, and block ABP contains processes ABP1 and ABP2, For brevity we only present the SDL specification of process ABP1 and ABP2, pictured in figures 7 and 8, which respectively perform the task of the sender and receiver (as detailed above),

5.2 Constructing the TRL model.

In this subsection we now consider how to apply the approach introduced in Section 4 to construct a Timed Maude specification which represents the intended semantics of the alternating bit protocol specification described above. We begin at the lowest level by modelling the processes, we then model their associated atomic blocks, and finally define a block to represent the complete SDL alternating bit protocol system.

As an example we consider the atomic block ABP and its processes ABP1 and ABP2, To model these processes we introduce two new classes ABP1 and ABP2 and the following process object bodies (with associated input queue

Fig. 7. SDL Specification of process ABP1 (Sender).

Process ABP2

( Start )

Q Input ^

MD(D,B)

Bt:=flip(Bt)

Dcl Bt, B Bit; N D Data;

^ Choice ^

Yes No

PDout(D)

MD(Ack,Bt)

Bt:=flip(Bt)

MD(Ack,Bt)

Choice Input Input

Fig. 8. SDL Specification of process ABP2 (Receiver), objects Q1 and Q2)

ABP1 =< ol : ABP1 | St : 51, TS : ts, SQ :qO,D: dl, B : 61, Bt : 62 >,

ABP2 =< o2 : ABP2 | St : S2, D : ,12. B : 63, Bt : 64 >,

where ol and o2 are unique pids. The attributes D,B,Bt represent local variables; attribute TS has been added to store the current list of active timers for ABP1 and SQ is the attribute needed to implement the save construct (see Section 4,1), Next we need to introduce a block object to model each block in the specification. Following on with our example we will have a block object to model the atomic block ABP

< abp : Blk | Ps : ABP1 <g> Q1 <g> ABP2 <g> Q2 > .

Each possible state transition in the system will be modelled by an appropriate compound rewrite rule (as described in the previous section). Again continuing our example, consider process ABP1 and its state transition from state input when it receives a PDin(d) signal. We model this transition as follows:

< ol : ABP1 | St : input, D : dl, Bt : b > <g> < ol : InQ | Q : PDin{d).q > = 1 => < ol : ABP1 | St : transmit, D :d,Bt : flip(b) > ®

< ol : InQ | Q : q > .

Note that we have allocated an upper bound time constraint of one time unit on this transition (as we do for all transitions in this example). This has been chosen arbitrarily but in practice a value would be given according to the timing properties of the transmission medium used.

Following this approach we can derive a Timed Maude semantics for the SDL specification of the alternating bit protocol. For brevity we present only the Timed Maude module modelling the atomic block ABP, The specification makes use of three predefined Timed Maude modules: Bit, Data and SDL-Base. The Bit module simply axiomatises the type Bit with constants 0 and 1, and function flip : Bit Bit which flips a bit value. The module Data specifies a sort for data elements and contains a distinguished constant Ack. The final module SDLBa.se is assumed to contain the fundamental sort, class, function definitions, and rules which have been formulated in the previous sections for modelling SDL specifications. These modules are straightforward to define and so for brevity have been omitted,

omod ABPBlock is Protecting Bit, Data. Extending SDLBase.

Sorts StateABPI, StateABP2.

Constants

ol,o2 : PId. TOut : Timer.

start, input, transmit, setT, wait : StateABPl.

input, transmit, setT, waiti, wait2, waii3 : StateABPl. start, input, choice, input, choicei, choice2 : StateABP2. abp, in, out, cl, c2, c3, c4 : 0/<i,

Functions

MD : Data x Bit —Signame. PDin : Data —Signame. PDout : Data —Signame.

Classes

^BPi I 5i : StateABPl, TS : Que, SQ : Que, D : Daia, B : Bit, Bt : Bit. ABP2 | Sf : StateABP2, D : Data, B : Bit, Bt : Bit.

Variables

d : Data. 6,61,62,63 : Bit. bl : Bool, t, tl : Time, q, qO, q 1, g2, tq : Que, c/ : Con/,

(* Rules for Process ABP1 *)

(* Start -> Input: Initial transition which sets attribute Bt to 0 *)

< ol : ^BPi | Sf : start, Bt : 6 > - 1 ol : ABP1 \ St : input, Bt : 0 > .

(* Input -> Transmit: PDin signal read so flip bit and store data *)

< ol : ABP1 | Sf : input, D : dl, Bt : 6 > <g> < ol : JnQ | Q : PDin{d).q > = 1 < ol : ^BPi | St : transmit, D : d, Bt : flip(b) > <g>

< ol : InQ | Q : q > .

(* Input -> Input: Discard rule for MD signal *)

< ol : ABP1 | Sf : mjmf, D : dl, Bt : 6 > ® < ol : InQ | Q : MD(d, bl).q > - 0 ^ < ol : ABP1 | Sf : input, D : dl, Bt : 6 > <g> < ol : InQ | Q :q> .

(* Transmit -> SetT: Transmit signal MD *)

< abp : Blk | Ps :< ol : ABP1 \ St : transmit, D : d, Bt : 6 > ®cf > <g>

< c2 : Cftan | Q :q> = 1 < abp : Blk \ Ps :< ol : ABP1 \ St : setT, D : d,Bt :b> ®cf > <g> < c2 : Chan | Q : q.MD{d, 6) > .

(* SetT -> Wait: Set timer TOut: 2 Cases *) (* Case 1: Timer is already active *)

< ol : ABP1 | St : setT, TS : ts > ® < ol : InQ | Q : q > - 0

< ol : ABP1 | St : setT, TS : ts > ® < ol : InQ | Q : Rem(TOut,q) >

if Active(TOut,ts) = True.

< al : ABP1 | St : setT > <g> < TOut : Tm \ time : tl,P : ol, TO : bl > - 1 ol : ^BPi | 5i : waii > ® < TOut : Tm \ time :T,P : al, TO : False > .

(* Case 2: Timer is inactive so create timer object *)

< ol : ABP1 | St : setT, TS : ts > ^ 1 ol : ABP1 \ St : watt, TS : ts. TOut > ® < TOut : Tm \ time : T, P : ol, TO : False >

if Active(TOut,ts) = False.

(* Wait -> Transmit: Time out signal TOut read so remove timer *)

< ol : ABP1 | St : watt, SQ : qO, TS : ts > ® < ol : InQ | Q : TOut.q > ®

< TOut : Tm | P : ol > = 1 =£-< ol : ABP1 \ St : transmit, SQ : empty, TS : Rem (TOut, ts) > <g> < ol : InQ | Q : qO.q > .

(* Wait -> Input or Transmit: MD(Ack,b) signal read so 2 Choices *) (* Choice 1: -> Input: Bt equals input b so reset timer TOut: 2 Cases *)

< ol : ABP1 | St : watt, TS : ts, SQ : qO, B : bl, Bt:b2>®

< ol : InQ | Q : MD(Ack,b).q > = 1 < ol : ABP1 \ St : input, TS : ts, SQ : empty, B : b, Bt : 62 > <g> < ol : InQ | Q : qO.q >

if (62 = 6) A Active( TOut, ts) = False.

< ol : ABP1 | St : wait, TS : ts, SQ : qO, B : 61, Bt : 62 > <g> < ol : InQ | Q : MD(Ack, b).q>® < TOut : Tm \ time : t, P : al, TO : bl > = 1

< al : ABP1 | St : input, TS : Rem(TOut,ts), SQ : empty, B : 6, Bt : 62 > ®

< ol : InQ | Q : qO.Rem(TOu,t, q) > if (62 = 6) A Active(TOut,ts) = True,

(* Choice 2: -> Transmit: Bt not equal to input b so retransmit *)

< ol : ABP1 | St : wait,SQ : qO, B : 61, Si : 62 > <g> < ol : JnQ | Q : MD(Ack,b).q > = 1 < ol : ^BPi | Sf : transmit, SQ : empty, B : b, Bt : 62 > <g> < ol : InQ | Q : gO.g > (62 # 6).

(* Wait -> Wait: PDin signal read so save *)

< ol : ABP1 | St : wait, SQ : qO > <g> < ol : InQ | Q : PDin(d).q > ^ 0 ^

< ol : ABP1 | St : wait, SQ : qO.PDin(d!) > <g> < ol : InQ | Q :q> .

(* Transmit data from channel CI to process ABP1 *)

< c 1 : Chan | Q : MD(d,b).ql > <g> < abp : Blk | Ps :< ol : InQ | Q : q > ®cf > - 0 ^ < cl : Chan | Q \ ql > ® < abp \ Blk \ Ps :< al : InQ | Q : q.MD(d, 6) > ®c/ > .

(* Transmit data from channel IN to process ABP1 *)

< in : Chan \ Q : PDin(d).ql > <g> < abp : Blk \ Ps :< al : InQ \ Q : q >

®cf > ^ 0 ^ < in : Chan \ Q : ql > <g> < abp : Blk \ Ps :< ol : InQ \ Q : q.PDin(d) > ®cf > .

(* Rules for Process 2 *)

(* Start -> Input: Initial transition which sets Bt to 0 *)

< a,2 : ABP2 \ St : start, Bt : b > - 1 a,2 : ABP2 \ St : input, Bt : 0 > .

(* Input -> Choice: MI) signal read so flip Bt *)

< a,2 : ABP2 \ St : input, D : dl, B : 61, Bt : b > <g> < a,2 : InQ | Q : MD(d, b'2).q > = 1 => < „2 : ABP2 \ St : choice, D : d, B : 62, Bt : flip(b) > <g> < a,2 : InQ | Q :q> .

(* Choice -> Input: Make choice depending on Bt and B *) (* Choice 1: Bt equals B so output data and acknowledgement *)

< abp : Blk | Ps :< a,2 : ABP2 \ St : choice, D : d, B : 61, Bt : 62 > ®cf > ®

< out : Chan | Q : q > ® < c4 : Chan | Q : ql > = 1 =$- < abp : Blk \ Ps :

< a,2 : ABP2 | St : input, D : d, B : 61, Bt : 62 > ®c/ > <g> < owi : Chan | Q : q.PDout(d) > <g> < c4 : Chan \ Q : ql.MD(Ack,b2) > if (62 = 61).

(* Choice 2: Bt not equal to B so flip Bt and output old acknowledgement *)

< abp : Blk | Ps :< o2 : ABP2 | Sf : choice, B : 61, Bt : b2 > ®cf > ® < c4 : Chan | Q : q > = 1 < abp : Blk \ Ps :< a,2 : ABP2 \ St : input, B : 61, Bt : flip(b2) >®cf>® < c4 : Chan \ Q : q.MD(Ack,flip(b2)) > if (62 # 61).

(* Transmit data from channel C3 to process ABP2 *)

< c3 : Chan | Q : MD{d,b).ql > <g> < abp : Blk | Ps :< o2 : InQ | Q : q > ®cf > - 0 ^ < c3 : Chan | Q : ql > <g> < abp : Blk | Ps :< o2 : InQ | Q : q.MD(d,b) > ®c/ > .

5.3 Analysing the TRL model.

The above Timed Maude specification provides a precise and natural formal semantics for the SDL specification of the alternating bit protocol. The specification can be simulated using the efficient software implementation of the Maude language (see [18] for an account of modelling TRL in RL) and this allows us to rapidly prototype and test the SDL system. (Note other efficient rewrite engines were considered, such as ELAN [4], but the Maude tool was chosen because it is closer to our semantics and has a very efficient prototype implementation.) The specification also provides a basis for analysing the SDL specification; for example, it is natural to want to investigate timing properties of the SDL system and in particular, to consider what constitutes a lower bound for the timer expiration time T. The simple timing diagram shown below in figure 9 can be easily extracted from the Maude specification. It shows that under "perfect" conditions (i.e. no message loss) it takes at

least 10 units of time for the sender to receive an acknowledgement for a sent message (under the timing constraints we have specified). This represents a lower bound for the timer, i.e. T must be greater than or equal to 9 for the protocol to work correctly (under normal fairness assumptions).

Time *

Fig. 9. Time graph for sending a message in perfect conditions.

6 Concluding Remarks.

In this paper we have presented a comprehensive formal semantics for SDL based on Timed Rewriting Logic. This new semantics has a number of key advantages over its predecessors, including: a natural correspondence between the structure of the semantics and the corresponding SDL constructs; integration of the static and dynamic views of an SDL specification within a single unifying formalism; and the associated support tools for simulation. The semantics we have presented also provides valuable insight into the formal description technique SDL. It demonstrates that TEL and its associated object-oriented specification language Timed Maude is a natural and expressive formalism which is well suited to specifying and reasoning about real-time dynamic systems. Coupled with the tool support provided by the Maude system, TEL can be seen as an effective formal framework in which to design and develop complex real-time systems.

In future work we intend to consider extending our semantics to the object-oriented features of SDL-92 [8] making further use of Maude's object-oriented features. Though our semantics allows us to describe real-time systems, its operational style makes it difficult to express more complex real-time requirements. It therefore may be reasonable to consider in future work combining our approach with temporal logic (see [14] and [17]) and to consider extending the SDL syntax accordingly. Finally we note that SDL specifications are closely related to message sequence charts (MSCs) [11]. In future work we intend to investigate the relationship between these two real-time FDTs using the formal semantics presented in this paper and the work developed in [13].

1 ABP1 I 1 PI 1 1 P2 1 1 ABP2 1

. ... Set m ' "TimerTOut"'

.......ID("d,"b).......

MD(d,b)

MD(Ack"b) PDout(d)

MD(Ack,b)

_______~

Acknowledgement

It is a pleasure to thank U, Hinkel, K, Meinke and M, Wirsing for their helpful comments and advice during the preparation of this paper. We also gratefully acknowledge the financial support of the British Council and DAAD which has made this collaborative work possible.

References

[1] K. A. Bartlett, R. A. Scantlebury and P. T. Wilkinson. A Note on Reliable Full-Duplex Transmission over Half-Duplex Links. Communications of the ACM, 12(5):260-261, 1969.

[2] F. Belina and D. Hogrefe. The CCITT Specification and Description Language SDL. Computer Networks and ISDN Systems, 16:311-341, 1989.

[3] J. A. Bergstra and C. Middelburg. Process Algebra Semantics ^pSDL. In: Proc. of ACP '95, The Second Workshop on Algebra of Communicating Process, Eindhoven University of Technology, Department of Mathematics and Computing Science, pages 309-346, Report No. 95-14, 1995.

[4] P. Borovansky, C. Kirchner, H. Kirchner, P.-E. Moreau and M. Vittek. ELAN: A Logical Framework Based on Computational Systems. In: J. Meseguer (ed), 1st Int. Workshop on Rewriting Logic and its Applications, Electronic Notes in Theoretical Computer Science, Vol. 4, 1996.

[5] M. Broy. Towards a formal foundation of the specification and description language SDL. Formal Aspects of Computing, 3:21-57, 1991.

[6] CCITT. Recommendation Z. 100 - Functional Specification and Description Language (SDL), BLUE BOOK, Fascile X.l and X.5, Volume X. International Telecommuncation Union, 1988.

[7] CCITT. Revised Recommendation Z. 100 - CCITT Specification and Description Language (SDL), COM X R 26, Geneva, May 1992.

[8] O. Faergemand and A. Olsen. Introduction to SDL-92. Computer Networks and ISDN Systems, 26:1143-1167, 1994.

[9] U. Hinkel. A formal semantics for SDL based on FOCUS. Ph. D. Thesis, Technical University Munich, 1998. (In preparation.)

[10] E. Holz and K. Stolen. An Attempt to Embed a Restricted Version of SDL as a Target Language in Focus. In: D. Hogrefe and S. Leue (eds), Formal Description Techniques VII, Chapman and Hall, 1995.

[11] ITU-TS Recommendation Z.120. Message Sequence Charts (MSC). ITU-TS, Geneva, 1996.

[12] P. Kosiuczenko and M. Wirsing. Timed rewriting logic with an application to object-based specification. Science of Computer Programming, 28:225-246, 1997.

[13] P. Kosiuczenko. Time in Message Sequence Charts: A Formal Approach. Proceedings of EuroPar '91, LNCS 1300, Springer-Verlag, 1997.

[14] S. Leue. Specifying Real-Time Requirements for SDL Specifications - A Temporal Logic-Based Approach. Procs. of 15th Int. Symp. on Protocol Specification, Testing, and Verification, Chapman and Hall, 1995.

[15] J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96:73-155, 1992.

[16] J. Meseguer. A logical theory of concurrent objects and its realization in the Maude language. In: G. Agha, P. Wegner and A. Yonezawa (eds), Research Directions in Concurrent Object-Oriented Programming, MIT Press, 1993.

[17] S. Mork, J. Godskesen, M. Hansen and R. Sharp. A Timed Semantics for SDL. In R. Gotzhein and J. Bredereke (eds), Formal Description Techniques IX, Chapman and Hall, 1996.

[18] P. Olveczky and J. Meseguer. Specifying Real-Time Systems in Rewriting Logic. Electronic Notes in Theoretical Computer Science, 4:283-308, 1996.

[19] P. Olveczky, P. Kosiuczenko, and M. Wirsing. Steamboiler specification problem: an algebraic object-oriented solution. In: J. R. Abrial, E. Boerger, H. Lnagmaack (Eds.), Formal Methods for Industrial Applications, Lecture Notes in Computer Science 1165, Springer-Verlag, 1996.

[20] M. Wirsing. Algebraic specification. In: J. van Leeuwen (ed) Handbook of Theoretical Computer Science, Vol. B, pages 675-788, North Holland, Amsterdam, 1990.