Professional Documents
Culture Documents
1 Introduction
X.400 [CCI85] is a CCITT/ISO standard for a message handling system designed to
sit at the application layer of the open system reference model. The system provides
special facilities such as deferred delivery, multiple destination and conversion of data
formats. The reliable transfer service (RTS) is in eect a mini-layer between X.400 and
the underlying layers. The entities above the RTS (the RTS-Users) provide the special
facilities but in this document we are only concerned with the RTS itself.
[But89] models the RTS as two protocol entities (RTS-Servers) co-operating via the
OSI Session layer (see gure 1). A simplied model of the Session layer was assumed
and both RTS servers were modelled as CSP [Hoa85] processes. This structure re
ects
the style of the CCITT X.400 recommendations and the OSI architecture on which the
service is implemented. However, as is pointed out in the conclusion of [But89], this
style of specication does not give a clear description of the end-to-end service provided
to the RTS-Users by a set of RTS-Servers co-operating via the Session layer. In order to
see this we need a thorough understanding of the Session layer, and we need to analyse
the eect of such co-operation. The intended eect was that an RTS-User would be
provided with the facility to open an association with another RTS-User and then be
provided with the facility for the reliable transfer of information back and forth between
both RTS-Users.
In this paper we abstract away from the structure of gure 1 and also generalize the
model to include any number of RTS-Users. The set of RTS-Servers and the Session
1
RTS-User RTS-User
6 6
? ?
RTS-Server RTS-Server
6 6
? ?
Session Layer
layer will be combined into a single agent called the RTS (see gure 2). The RTS will
provide a service to all RTS-Users, namely, the facility to open an association with a
peer RTS-User and then to transfer information reliably. The structure of gure 1 can
then be regarded as a decomposition of the RTS (except of course that we require n
RTS-Servers rather than 2) and such a decomposition would be a stage in the design
process. Architecturally, gure 2 represents the most abstract form that the specication
can take.
In formally specifying the RTS of gure 2 an object-oriented style will be taken.
A formal model in Z [Spi89] of an object called Association will be given. This will
represent a single association between two distinct RTS-Users. It will consist of a state-
space and some operations on that state-space. In specifying the association operations
a constraint-based approach will be taken. A basic state-change for each operation will
be given. Each operation will be further constrained using a set of operation invariants.
These constraints will be used to decree the conditions under which certain state-changes
are permitted. This style allows us to specify dierent constraints separately and no more
than the schema calculus of Z is required in order to combine them.
The RTS will then be specied as a system which manages many such Association
objects. It will be modelled as a CSP process that interacts synchronously with its
environment (the set of RTS-Users). At this stage we will add the constraint that an
association can only exist between two RTS-Users that are linked. This represents the
physical constraints of the network on which the RTS is to be implemented.
A distinction will be made between normal RTS operations (service operations) such
as opening an association or transferring information and RTS management operations
such as creating a new link. The formal specication will allow this distinction to be
very clear. The bulk of this paper is concerned with service operations since the CCITT
recommendations are not at all concerned with management issues.
2
RTS-User1 RTS-User2 RTS-Usern
6 6 6
? ? ?
RTS
The RTS will be specied as a large CSP process. A state-based approach to CSP will
be used. Section 2 gives a state-based specication of the Association object. Section
3 uses this to give a state-based specication of the RTS and discusses how this is then
viewed as the specication of a CSP process. Finally some other unsolved issues are
discussed.
2 Association Object
As already mentioned, the formal object Association is intended to model a single as-
sociation between two distinct RTS-Users. In order to control an association the RTS
must provide both RTS-Users with, in CCITT parlance, a set of service elements (for
example the OPEN service element or the TRANSFER service element). Each service
element has either four or two service primitives (respectively conrmed/unconrmed
service element). With a conrmed service, one RTS-User issues a request resulting in
the peer RTS-User receiving an indication. That peer RTS-User then issues a response
resulting in the original RTS-User receiving a conrmation. An unconrmed service
element only has a request and an indication.
In the formal model the state-space of an Association consists of two buered chan-
nels (see gure 3). Here the initiator is the RTS-User that issues the OPEN request and
the responder is the peer RTS-User. Both channels carry service tokens between the two
RTS-Users. These channels are logical channels and are intended to model the services
oered by the lower layers of OSI. A request primitive corresponds to writing a request
service token to one end of a channel, and an indication corresponds to reading that
token from the other end of the channel. There is a similar correspondence between re-
sponses/conrmations and writes/reads of response service tokens. Later we will see that
rather than writing and reading values to and from the channels directly, the initiator
and responder interact synchronously with the RTS (CSP interaction). Such interaction
will result in RTS state-changes i.e. writes/reads of channels.
3
Association
- Forward Channel -
Initiator Side Responder Side
Reverse Channel
The state-space of the association object is given in section 2.1. Each service prim-
itive is provided by an operation on this state-space. For example, the OPEN request
primitive is dened by the following operation (conventions used are described later):
OpenRequest
AssociationOperation
fwd h+iopen req
The full list of association operations is given in the appendix. In 2.2 extra constraints
on these operations will be dened using operation invariants. The precise eect of such
constraints will be examined in 2.3.
2.1 Association State-Space
Firstly, the required set of service tokens are specied using a Z free type denition:
ST ::= open req j open resp (Reply )
j transfer (APDU )
j turn please
j turn give
j close req j close resp
Some tokens carry parameters. For example, open resp can carry parameters of type
Reply . A responder can decide to accept or reject an open request by the initiator. The
responders answer is carried in the open resp token so we dene Reply as:
Reply ::= accepted j rejected
A transfer token carries the actual data to be transferred. The type of this parameter
is APDU (Application Protocol Data Unit) which is assumed as a given type:
[APDU ]
To simplify the specication process a history variable is introduced. This records
all writes/reads to the logical channels in the order in which they happen. The history
4
variable is dened as a sequence of history tokens, where history tokens are dened as:
HT ::= write fwd (ST )
j read fwd (ST )
j write rtn (ST )
j read rtn (ST )
The Association state schema has three variables: the forward and return logical
channels (both modelled as sequences) and the history variable:
Association
fwd ; rtn : seq ST
hist : seq HT
The initial value for an association object has empty channels and the null history:
InitialAssociation
Association
fwd = rtn = hi
hist = hi
An unconstrained state-change is dened as:
Association
Association
Association 0
c h?ix =b (c = hx i a c )
0
5
These dene relations between the before state and the after state and are intended to
make the specication easier to read. For transitions which leave a channel unchanged
we use:
c =b (c = c )
0
All the invariants given in this section constrain all operations on Association . Op-
eration invariants have names suxed with \OpInv ". The rst two operation invariants
constrain the type of operations that can be performed on the channels to either writing,
reading or leaving the channel unchanged:
ChannelOpInv 0
Association
9 st : ST
fwd h+ist _ fwd h?ist _ fwd
6
For the moment we say nothing about what should happen to the history variable during
an operation which leaves both channels unchanged. Later an operation will be dened
which resets the history variable to the null trace once an association has been closed.
This operation will leave both channels unchanged.
Notice there is some redundancy in the Association state-space since we ought to
be able to dene both fwd and rtn as functions of the history variable. Dening one
state component in terms of another state component means that we don't have to worry
about consistency between them since we get it for free. However, modelling fwd and rtn
as channels in there own right results in a more intuitively understandable specication.
Consistency between the history variable and the channels is maintained by the above
operation invariant.
Opening Phase
Opening of an association is started by the initiator issuing an open request. This means
an open req is written to the fwd channel which can only happen when the association
is in the closed state. The closed state is dened simply as:
IsClosed
Association
hist = hi
The following operation invariant decrees that an open req can only be written to fwd
when the association is closed:
OpeningOpInv 0
Association
IsClosed ( fwd h+iopen req
A more \literal" interpretation of this constraint on the initiator would be: if the rela-
tionship fwd = fwd a hopen req i holds between the before and after states, then the
0
7
OpeningOpInv 1
Association
8 r : Reply
WaitingOpenResponse ( rtn h+iopen resp (r )
During the exchange phase, the transfer of messages is only ever in one direction.
There is a concept called the \turn" and only the agent holding the turn can issue a
message transfer request. The turn-holder can relinquish its possession of the turn by
issuing a turn-give request. Initially the initiator holds the turn. So, the initiator holds
the turn if no turn-give requests have been issued, or if the most recent turn-give event
was a reading of a turn give token from the return channel:
turn give events : PHT
turn give events = f write fwd (turn give ); read fwd (turn give );
write rtn (turn give ); read rtn (turn give ) g
InitiatorHoldsTurn
Association
(hist turn give events ) = hi
_
last (hist turn give events ) = read rtn (turn give )
8
The responder holds the turn whenever the last turn-give event was a reading of a
turn give token from the forward channel:
ResponderHoldsTurn
Association
(hist turn give events ) 6= hi
last (hist turn give events ) = read fwd (turn give )
Here, t s restricts the trace t to those elements in set s .
The next operation invariant constrains the issuing of message transfer requests. The
initiator can only issue a transfer request when the association is open and it holds the
turn. Similarly for the responder:
TransferOpInv
Association
8 a : APDU
IsOpen ^ InitiatorHoldsTurn ( fwd h+itransfer (a )
IsOpen ^ ResponderHoldsTurn ( rtn h+itransfer (a )
A similar operation invariant constrains the issuing of turn-give requests:
TurnGiveOpInv
Association
IsOpen ^ InitiatorHoldsTurn ( fwd h+iturn give
IsOpen ^ ResponderHoldsTurn ( rtn h+iturn give
An RTS-User not holding the turn can request its peer to relinquish the turn by
issuing a turn-please request. Neither the turn-give or the turn-please are conrmed
service elements. So a turn-holder is not obliged to issue a turn-give after receiving a
turn-please indication. In fact a turn-holder can relinquish the turn without ever having
received a turn-please indication. An RTS-User can issue a turn-please request whenever
the association is open and it does not hold the turn:
TurnPleaseOpInv
Association
IsOpen ^ : InitiatorHoldsTurn ( fwd h+iturn please
IsOpen ^ : ResponderHoldsTurn ( rtn h+iturn please
Note that although (InitiatorHoldsTurn ^ ResponderHoldsTurn ) can never be true, the
condition (: InitiatorHoldsTurn ^ : ResponderHoldsTurn ) is logically equivalent to:
(hist turn give events ) 6= hi ^
( last (hist turn give events ) = write fwd (turn give ) _
last (hist turn give events ) = write rtn (turn give ) )
9
This means that neither RTS-User holds the turn when there is a turn give token in
transit in one of the channels.
Closing Phase
An association can only be closed by the initiating RTS-User, and only when that agent
holds the turn. The closing phase is started by the initiator issuing a close request:
ClosingOpInv 0
Association
IsOpen ^ InitiatorHoldsTurn ( fwd h+iclose req
The responder can only issue a close response if it has already read a close req token
from the fwd channel and has not yet issued a close response:
WaitingCloseResponse
Association
read fwd (close req ) 2 ran hist
write rtn (close resp ) 62 ran hist
ClosingOpInv 1
Association
WaitingCloseResponse ( rtn h+iclose resp
10
We now examine the logical eect of the constraints on operations. Consider the
denition of OpenRequest :
OpenRequest
AssociationOperation
fwd h+iopen req
Using the rules of the schema calculus we can show that this is equivalent to the following
schema:
OpenRequest
Association
fwd h+iopen req
ChannelOpInv
UpdateHistoryOpInv
OpeningOpInv
Those invariants not relevant to OpenRequest have been omitted as they are trivially
satised. Continuing with the predicate part we get the equivalence:
, fwd h+iopen req
rtn
8 st : ST fwd h+ist ) hist = hist a hwrite fwd (st )i
0
IsClosed
From this we can calculate the pre-condition of OpenRequest to be:
pre OpenRequest
Association
IsClosed
This denes the conditions under which the OpenRequest operation can happen.
By similar reasoning OpenIndication is equivalent to:
OpenIndication
Association
fwd h?iopen req
rtn
hist = hist a hread fwd (open req )i
0
11
The pre-condition for this operation is simply:
pre OpenIndication
Association
9 fwd : seq ST
0
fwd
rtn
12
We can prove that the following condition on the state is invariant (i.e. always satised):
IsFinished ) fwd = rtn = hi
This means that after the reset operation the association state will satisfy InitialAssociation .
3 RTS
The denition of the Association is now used in the specication of the RTS. Firstly,
the RTS state-space is specied, then the set of operations is given. The operations are
divided up into service operations and management operations. It is then shown how
these can be viewed as the specication of a CSP process.
3.1 RTS State-Space
Each RTS-User needs to be uniquely referenced. Also, since multiple associations be-
tween any two RTS-Users must be allowed, we need to identify associations uniquely
with an extra identier. The following types are introduced:
[RTS User ; Ident ]
A reference to a particular association has three components: the initiator, the responder,
and a unique identier:
AssocRef == RTS User RTS User Ident
The RTS must support associations between any two RTS-Users that are linked. The
RTS state has two components: a function mapping association references to association
objects, and a relation linked . Assume that u , v and i are universally quantied in the
following schema:
RTS
assocs : AssocRef ! 7 7 Association
linked : RTS User $ RTS User
: linked (u ; u )
(u ; v ; i ) 2 dom assocs ) linked (u ; v )
linked (u ; v ) ) 9 i : Ident (u ; v ; i ) 2 dom assocs
(u ; v ; i ) 2 dom assocs
f(u ; v ; i )g C? assocs = f(u ; v ; i )g?
0
C assocs
9 I : PIdent
assocs = assocs [ f(u ; v ; i ) 7! InitialAssociation j i 2 I g
0
15
Note the asymmetry in this operation. The links set up only allow u to initiate associa-
tions with v but not vice versa. To achieve a two-way link we could dene the following
operation:
CreateDoubleLink =b CreateLink o9 (CreateLink [v =u ; u =v ])
BreakLink removes all association objects between u and v from the RTS. Again
there is an asymmetry between u and v :
BreakLink
ManagementOperation
u ; v : RTS User
linked (u ; v )
linked = linked n f(u ; v )g
0
4 Other Issues
4.1 Renement and Decomposition
Renement is the major part of the design process though it is given little space here.
The renement we need is CSP renement based on the notion of simulation. A process
C is a renement of a process A if C exhibits the same observable behaviour as A.
In fact C doesn't have exactly the same observable behaviour as A since we allow for
resolution of any non-determinism in A. But an important point is that C can have
a dierent state structure to A | one that is more concrete and easier to implement.
Another important point is that we can introduce internal events so that we rene down
to a more detailed architecture which re
ects the distributed nature of a communications
network.
Woodcock and Morgan [WM90] dene the notion of forward simulation. This is a
relation between the state-structure of A and the state-structure of C and if it satises
certain conditions then C is said to rene A. Taking the Association object, we can
dene a renement of its state structure as follows:
AssocState ::= closed j opening j open j closing
TurnHolder ::= initiator j responder j neither
ConcreteAssociation
fwd ; rtn : seq ST
ast : AssocState
turn : TurnHolder
Here the history variable has been replaced by ast and turn . A forward simulation
between Association and ConcreteAssociation can be dened such that when viewed as
16
CSP processes they both exhibit the same behaviour (allowing for resolution of non-
determinism).
The RTS will need to be decomposed into a number of sub-processes in order for
it to be implemented on a network of communicating nodes. For example, a rst step
could be to decompose it into a Session Layer and n RTS-Servers (see gures 1 and 2).
If the communications between the subprocesses are hidden and the correct renement
rules are followed then the combination will exhibit the same observable behaviour as
the abstract RTS, remembering that the observable behaviour occurs at the interaction
points between the RTS and the RTS-Users.
4.2 Constraint-Based Specication
The style of specication used to dene the Association object was rstly to dene a
basic set of operations and then to constrain these operations with a set of operations
invariants. The reason for using this style was so that dierent concerns and constraints
could be specied separately and so make the specication easier to read and understand.
The usual approach when specifying a system in Z is to give a state-space, an initialisa-
tion and a set of operations and then to prove that the system satises certain constraints
(safety properties). In this way the constraints are implicit in the specication.
Another approach is to start explicitly with the set of constraints and regard this as
the specication of the system. From this an initialisation and a set of operations can
be derived. Unity [CM88] takes such an approach. Constraints are specied in Unity
logic which are conditions on an implicit Unity program. An example of a statement in
Unity logic is
p unless q
Here p and q are conditions on the state and \p unless q " means that p must remain
true at least as long as q is not satised. This is dened in terms of a condition on the
actions of the implicit Unity program:
p ^ : q ) wp (act ; p _ q ); for all act in program.
Unity has an associated set of theorems which allows us to prove more properties
given a basic set of properties. Also, renement can be performed at the property level
rather than rening each individual action. A problem with Unity when it comes to
specifying communications systems though is that it only really deals with the notion of
state and not with the notion of observable events.
The approach taken in this document lies somewhere between the two approaches
just mentioned. What are needed are some theorems which would allow us to prove
certain properties (e.g. state invariants, operation invariants) given other properties
rather than having to reason about them using the denitions of the actions. It would
also be useful to be able to reason about renements at the property level rather than
at the individual action level.
However, unlike in Unity where a purely constraint-based approach is taken, it will
still be necessary to give a set of basic state-changes corresponding to the observable
17
events of the system. These could be further constrained in a manner similar to that
demonstrated in this document.
5 Conclusions
An abstract specication in Z of the X.400 RTS has been presented. An object ori-
ented style was used, where association objects where rst specied, and then the RTS
was specied such that it manipulated these objects. The specication is clear and
unambiguous, and independent of implementation details.
References
[But89] M.J. Butler. Formal techniques applied to the X.400 Reliable Transfer Service.
M.Sc. thesis, Programming Research Group, University of Oxford, 1989.
[CCI85] CCITT. Message handling systems. Recommendations X.400 - X.430. Red
Book VIII.7, CCITT, Geneva, 1985.
[CM88] K. Mani Chandy and J. Misra. Parallel Program Design { A Foundation.
Addison{Wesley, 1988.
[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. Prentice{Hall, 1985.
[Spi89] J.M. Spivey. The Z Notation - A Reference Manual. Prentice{Hall, 1989.
[WM90] J.C.P. Woodcock and C.C. Morgan. Renement of state-based concurrent sys-
tems. In Proceedings VDM '90, Kiel, April 1990.
A. Appendix
Association Operations
A.1 OPEN Service Element
OpenRequest
AssociationOperation
fwd h+iopen req
OpenIndication
AssociationOperation
fwd h?iopen req
18
OpenResponse
AssociationOperation
r ? : Reply
rtn h+iopen resp (r ?)
OpenConrm
AssociationOperation
r ! : Reply
rtn h?iopen resp (r !)
ResponderTransferRequest
AssociationOperation
a ? : APDU
rtn h+itransfer (a ?)
InitiatorTransferIndication
AssociationOperation
a ! : APDU
rtn h?itransfer (a !)
ResponderTransferIndication
AssociationOperation
a ! : APDU
fwd h?itransfer (a !)
19
ResponderTurnPleaseRequest
AssociationOperation
rtn h+iturn please
InitiatorTurnPleaseIndication
AssociationOperation
rtn h?iturn please
ResponderTurnPleaseIndication
AssociationOperation
fwd h?iturn please
ResponderTurnGiveRequest
AssociationOperation
rtn h+iturn give
InitiatorTurnGiveIndication
AssociationOperation
rtn h?iturn give
ResponderTurnGiveIndication
AssociationOperation
fwd h?iturn give
20
CloseIndication
AssociationOperation
fwd h?iclose req
CloseResponse
AssociationOperation
rtn h+iclose resp
CloseConrm
AssociationOperation
rtn h?iclose resp
21