4. File Transfer Protocol
Jean-Raymond Abrial
2009
Purpose of this Lecture
- To introduce another example: the file transfer protocol
- To present a number of additional mathematical conventions
- To slightly enlarge the usage of the Proof Obligation Rules
- Example studied in many places, in particular in the following book
- L. Lamport, Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers, Addison-Wesley, 1999
An Example: File Transfer Protocol
- A file is to be transferred from a Sender to a Receiver
- On the Sender's side the file is called f
- On the Receiver's side the file is called g
- At the beginning of the protocol, g is supposed to be empty
- At the end of the protocol, g should be equal to f
Requirement Document
- FUN-1: The protocol ensures the copy of a file from one site to another one
- FUN-2: The file is supposed to be made of a sequence of items
- FUN-3: The file is sent piece by piece between the two sites
Modeling Approach
- Our approach to modeling is that of an external observer
- The observer "sees" the state space first from very far away
- He then approaches the future system and sees more details
- As he approaches he also sees more things happening
Development Approach
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
The Sender and the Receiver: a First View
[Figure: INITIAL SITUATION: the SENDER holds f = (a, b, c) and the RECEIVER holds an empty g; FINAL SITUATION: the SENDER still holds f = (a, b, c) and the RECEIVER's g now also holds (a, b, c)]
File transfer. The constant part of the state: n and f
[Figure: f drawn as an array indexed from 1 to n holding the items a, b, c]
The Initial State
carrier sets: D
constants: n, f
axm0_1: n ∈ N
axm0_2: 0 < n
axm0_3: f ∈ 1 .. n → D
variables: g
inv0_1: g ∈ N ↔ D
- The carrier set D makes this development generic
Reminder of Mathematical Conventions (1)
x ∈ S    set membership operator
N        set of natural numbers: {0, 1, 2, 3, . . .}
a .. b   interval from a to b: {a, a + 1, . . . , b} (empty when b < a)
a ↦ b    pair constructing operator
S × T    Cartesian product operator
S ⊆ T    set inclusion operator
P(S)     power set operator
Reminder of Mathematical Conventions (2)
S ↔ T    set of binary relations from S to T
S → T    set of total functions from S to T
S ⇸ T    set of partial functions from S to T
dom(r)   domain of a relation r
ran(r)   range of a relation r
A Binary Relation r from a Set A to a Set B
[Figure: arrows of r from A = {a1, ..., a7} to B = {b1, ..., b6}; an element of A may be related to several elements of B]
A Partial Function F from a Set A to a Set B
[Figure: arrows of F from A = {a1, ..., a7} to B = {b1, ..., b6}; each element of A has at most one outgoing arrow]
F = {a1 ↦ b2, a3 ↦ b4, a5 ↦ b2, a7 ↦ b6}
dom(F) = {a1, a3, a5, a7}
ran(F) = {b2, b4, b6}
A Total Function F from a Set A to a Set B
[Figure: arrows of F from A to B; every element of A has exactly one outgoing arrow]
dom(F) = A
File Transfer Protocol Initial Events
init:
  g :∈ N ↔ D
final:
  when g = f
  then skip
  end
progress (status anticipated):
  then g :∈ N ↔ D
  end
- An anticipated event will be updated later and made convergent
Development Approach
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
First Refinement
- The observer comes closer to the future system
- So far he was just seeing the beginning and the end
- Now the observer will see some intermediate moves
- He sees the file being gradually transferred from Sender to Receiver
- But he still has a partial view
What the Observer has Seen so far
[Figure: trace init → final]
What the Observer will now See
[Figure: two traces side by side: init → final, and init → receive → receive → receive → final]
A new event is introduced: receive
File transfer. Event receive
[Figure: four successive snapshots of f (indexed 1 .. n, holding a, b, c), the index r and the receiver's g, separated by three receive events; each receive copies f(r) into g and advances r]
- The new variable r lies within the interval 1 .. n + 1
- The variable g is equal to f restricted to its first r − 1 values
First Refinement of the Protocol Model: the State
- Introducing additional variable r
variables: g, r
inv1_1: r ∈ 1 .. n + 1
inv1_2: g = (1 .. r − 1) ◁ f
- g is defined to be the domain restriction of f to 1 .. r − 1
More Mathematical Conventions: Restrictions
s ◁ r    domain restriction operator
s ⩤ r    domain subtraction operator
r ▷ t    range restriction operator
r ⩥ t    range subtraction operator
The Domain Restriction Operator
[Figure: arrows of F from A to B; only the arrows leaving a3 and a7 are kept]
{a3, a7} ◁ F
The Domain Subtraction Operator
[Figure: arrows of F from A to B; the arrows leaving a3 and a7 are removed]
{a3, a7} ⩤ F
The Range Restriction Operator
[Figure: arrows of F from A to B; only the arrows arriving at b2 and b4 are kept]
F ▷ {b2, b4}
The Range Subtraction Operator
[Figure: arrows of F from A to B; the arrows arriving at b2 are removed]
F ⩥ {b2}
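The relation operators of the convention slides above, as an added worked example that is not part of the lecture: each operator is modelled over Python sets of pairs and applied to the slides' own F = {a1 ↦ b2, a3 ↦ b4, a5 ↦ b2, a7 ↦ b6}; the sets A and B and the function names are this example's own choices.

```python
# Added example (not the lecture's code): Event-B relation operators over
# Python sets of pairs, checked against the F of the convention slides.
from typing import Hashable, Set, Tuple

Relation = Set[Tuple[Hashable, Hashable]]


def dom(r: Relation) -> set:
    """dom(r): the set of first components of the pairs of r."""
    return {a for a, _ in r}


def ran(r: Relation) -> set:
    """ran(r): the set of second components of the pairs of r."""
    return {b for _, b in r}


def dom_restrict(s: set, r: Relation) -> Relation:
    """s ◁ r: keep only the pairs whose first component lies in s."""
    return {(a, b) for a, b in r if a in s}


def dom_subtract(s: set, r: Relation) -> Relation:
    """s ⩤ r: drop the pairs whose first component lies in s."""
    return {(a, b) for a, b in r if a not in s}


def ran_restrict(r: Relation, t: set) -> Relation:
    """r ▷ t: keep only the pairs whose second component lies in t."""
    return {(a, b) for a, b in r if b in t}


def ran_subtract(r: Relation, t: set) -> Relation:
    """r ⩥ t: drop the pairs whose second component lies in t."""
    return {(a, b) for a, b in r if b not in t}


def is_partial_function(r: Relation) -> bool:
    """r ∈ S ⇸ T: no first component is paired with two different seconds."""
    return len(dom(r)) == len(r)


def is_total_function(r: Relation, s: set) -> bool:
    """r ∈ S → T: a partial function whose domain is the whole of S."""
    return is_partial_function(r) and dom(r) == set(s)


# The slides' sets A = {a1, ..., a7}, B = {b1, ..., b6} and their example F.
A = {f"a{i}" for i in range(1, 8)}
B = {f"b{i}" for i in range(1, 7)}
F: Relation = {("a1", "b2"), ("a3", "b4"), ("a5", "b2"), ("a7", "b6")}

if __name__ == "__main__":
    print("dom(F)        =", sorted(dom(F)))
    print("ran(F)        =", sorted(ran(F)))
    print("{a3,a7} ◁ F   =", sorted(dom_restrict({"a3", "a7"}, F)))
    print("{a3,a7} ⩤ F   =", sorted(dom_subtract({"a3", "a7"}, F)))
    print("F ▷ {b2,b4}   =", sorted(ran_restrict(F, {"b2", "b4"})))
    print("F ⩥ {b2}      =", sorted(ran_subtract(F, {"b2"})))
    print("F partial/total:", is_partial_function(F), is_total_function(F, A))
```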
The Events
init:
  g := ∅ ; r := 1
receive (refines progress, status convergent):
  when r ≤ n
  then g := g ∪ {r ↦ f(r)} ; r := r + 1
  end
final:
  when r = n + 1
  then skip
  end
- The variant is decreased by the convergent event
variant1: n + 1 − r
Development Approach
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
What the Observer could see of the Initial Model
[Figure: trace init → final]
What the Observer could see of the First Refinement
[Figure: two traces side by side: init → final, and init → receive → receive → receive → final]
What the Observer will now See
[Figure: three traces side by side: init → final; init → receive → receive → receive → final; init → (send, receive) × 3 → final]
A More Accurate Version (1)
[Figure: the SENDER holds f = (a, b, c) and the index s, the RECEIVER holds g and the index r; the send event copies the item a = f(s) from the sender towards the receiver]
A More Accurate Version (2)
[Figure: the receive event stores the item a in g at index r on the RECEIVER's side]
Initial Situation
[Figure: the state before any event: f = (a, b, c), the data item d, n, s, r and an empty g]
Send, Receive, Send, Receive, Send, Receive (six slides)
[Figure: successive snapshots of the state (f, d, n, s, r, g) as the items a, b, c are sent and received one at a time; each send copies f(s) into d and advances s, each receive copies d into g(r) and advances r]
Sender and Receiver
[Figure: the Sender and the Receiver linked by a Data Channel carrying s, d from Sender to Receiver and an Ack. Channel carrying r from Receiver to Sender]
Second Refinement: the State
- We introduce an additional variable s, and a data item d
carrier sets: D
constants: n, f, d0
variables: g, r, s, d
inv2_1: s ∈ 1 .. n + 1
inv2_2: s ∈ r .. r + 1
inv2_3: d ∈ D
inv2_4: s = r + 1 ⇒ d = f(r)
axm2_1: d0 ∈ D
Second Refinement: the Events
init:
  g := ∅ ; s := 1 ; r := 1 ; d := d0
send:
  when s = r ∧ s ≠ n + 1
  then d, s := f(s), s + 1
  end
receive:
  when s = r + 1
  then g := g ∪ {r ↦ d} ; r := r + 1
  end
final:
  when r = n + 1
  then skip
  end
Development Approach
- Initial model: The file is transmitted in one shot (FUN1 and FUN2)
- First refinement: The file is transmitted gradually (FUN3)
- Second refinement: The two agents are separated
- Third refinement: Towards an implementation
Some Ideas for a Third Refinement?
send:
  when s = r ∧ s ≠ n + 1
  then d := f(s) ; s := s + 1
  end
receive:
  when s = r + 1
  then g := g ∪ {r ↦ d} ; r := r + 1
  end
inv2_2: s ∈ r .. r + 1
Third Refinement: Sending Parities (1)
[Figure: the send event; the SENDER transmits the item a together with parity(s) instead of the index s]
Third Refinement: Sending Parities (2)
[Figure: the receive event; the RECEIVER stores the item a in g and reports parity(r) instead of the index r]
About Parities
axm3_1: parity ∈ N → {0, 1}
axm3_2: parity(0) = 0
axm3_3: ∀ x · ( x ∈ N ⇒ parity(x + 1) = 1 − parity(x) )
thm3_1: ∀ x, y · ( x ∈ N ∧ y ∈ N ∧ x ∈ y .. y + 1 ∧ parity(x) = parity(y) ⇒ x = y )
Third Refinement: the State
carrier sets: D
constants: n, f, parity
variables: g, s, r, d, p, q
inv3_1: p = parity(s)
inv3_2: q = parity(r)
axm3_1: parity ∈ N → {0, 1}
axm3_2: parity(0) = 0
axm3_3: ∀ x · ( x ∈ N ⇒ parity(x + 1) = 1 − parity(x) )
Third Refinement: the Events
init:
  g := ∅ ; s := 1 ; r := 1 ; p := 1 ; q := 1 ; d := d0
final:
  when r = n + 1
  then skip
  end
send:
  when p = q ∧ s ≠ n + 1
  then d := f(s) ; s := s + 1 ; p := 1 − p
  end
receive:
  when p ≠ q
  then g := g ∪ {r ↦ d} ; r := r + 1 ; q := 1 − q
  end
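The third refinement above, together with the first and second refinements it builds on, as an added executable model that is not the lecture's own code: the events are run in Python with the invariants inv1_1, inv1_2, inv2_1 to inv2_4, inv3_1 and inv3_2 checked after every event, the variant1 of the first refinement checked to decrease on receive, and thm3_1 checked numerically; parity(x) is realised as x mod 2, an assumption that satisfies axm3_1 to axm3_3.

```python
# Added example (not the lecture's code): executable model of the third
# refinement, checking the invariants of every refinement level after each event.
from dataclasses import dataclass, field


def parity(x: int) -> int:
    """Assumed realisation of the parity constant: x mod 2 satisfies
    axm3_1 (values in {0, 1}), axm3_2 (parity(0) = 0) and axm3_3."""
    return x % 2


def thm3_1_holds(bound: int) -> bool:
    """thm3_1 checked for y < bound: if x ∈ y .. y + 1 and
    parity(x) = parity(y) then x = y."""
    return all(parity(x) != parity(y) or x == y
               for y in range(bound) for x in (y, y + 1))


@dataclass
class State:
    f: dict                  # constant f ∈ 1 .. n → D (axm0_3); n = len(f)
    d0: object               # constant d0 ∈ D (axm2_1)
    g: dict = field(default_factory=dict)  # the receiver's copy of the file
    s: int = 1               # sender index, inv2_1: s ∈ 1 .. n + 1
    r: int = 1               # receiver index, inv1_1: r ∈ 1 .. n + 1
    p: int = 1               # parity on the data channel, inv3_1: p = parity(s)
    q: int = 1               # parity on the ack channel, inv3_2: q = parity(r)
    d: object = None         # item in transit, inv2_3: d ∈ D

    def __post_init__(self):
        self.d = self.d0     # init event: d := d0

    @property
    def n(self) -> int:
        return len(self.f)


def check_invariants(st: State) -> None:
    n = st.n
    assert 1 <= st.r <= n + 1, "inv1_1"
    assert st.g == {i: st.f[i] for i in range(1, st.r)}, "inv1_2: g = (1 .. r-1) ◁ f"
    assert 1 <= st.s <= n + 1, "inv2_1"
    assert st.r <= st.s <= st.r + 1, "inv2_2"
    assert st.s != st.r + 1 or st.d == st.f[st.r], "inv2_4"
    assert st.p == parity(st.s), "inv3_1"
    assert st.q == parity(st.r), "inv3_2"


def variant1(st: State) -> int:
    return st.n + 1 - st.r


def send(st: State) -> bool:
    """Guard p = q ∧ s ≠ n + 1: the last item sent has been acknowledged."""
    if not (st.p == st.q and st.s != st.n + 1):
        return False
    st.d, st.s, st.p = st.f[st.s], st.s + 1, 1 - st.p
    return True


def receive(st: State) -> bool:
    """Guard p ≠ q: a fresh item is on the data channel."""
    if st.p == st.q:
        return False
    st.g[st.r] = st.d
    st.r, st.q = st.r + 1, 1 - st.q
    return True


def final(st: State) -> bool:
    return st.r == st.n + 1


def run(f: dict, d0="d0") -> list:
    """Fire enabled events until final is enabled; return the observed trace."""
    st = State(f=f, d0=d0)
    check_invariants(st)
    trace = ["init"]
    while not final(st):
        before = variant1(st)
        if send(st):
            trace.append("send")
            assert variant1(st) == before, "send leaves r, hence variant1, unchanged"
        elif receive(st):
            trace.append("receive")
            assert variant1(st) < before, "the convergent receive decreases variant1"
        else:
            raise AssertionError("deadlock before final")
        check_invariants(st)
    trace.append("final")
    assert st.g == f, "goal of the protocol: g = f"
    return trace


if __name__ == "__main__":
    print(run({1: "a", 2: "b", 3: "c"}))  # constructed sample file
```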
What we Have Learned in this Lecture
- More mathematical conventions
- How to write a model
- What kind of things we have to prove
- How the proof can help finding invariants
- Many things can be done by tools
- A small theory of parities
Gradual Observation of the Intended System
[Figure: three traces side by side: init → final; init → receive → receive → receive → final; init → (send, receive) × 3 → final]
Structure of a Model
- List of Carrier Sets (identifiers)
- List of Constants (identifiers)
- List of Axioms (predicates built on sets and constants)
- List of Variables (identifiers)
- List of Invariants (predicates built on sets, constants, and variables)
- List of Events