We give here another example of a ground term algebra with recognizers. It is the list structure of the programming language LISP ([McC62]).
Definition 5.22 Suppose Σ = ({nil, cons}, {≈, nil?, cons?}) is a signature, such that nil is of arity zero and cons is of arity two. We define lists over Σ as follows:
• D = List = Term(Σ) is the set of all lists, given by the grammar List ::= nil | cons(List, List)
• the constructors nil :→ List and cons : List × List → List are the functions of this structure, where
  nil := nil and cons(l, l′) := cons(l, l′)
• ≈ is syntactic equality on List.
• nil? and cons? are the recognizers, for which the following two properties hold:
  nil?(t) = true if t = nil, and false otherwise;
  cons?(t) = true if t = cons(s, w) for some s, w ∈ List, and false if t = nil.
Example 5.23 Here are some terms in this structure: nil
cons(nil, nil)
cons(nil, cons(nil, nil))
cons(cons(nil, nil), cons(nil, nil))
Below there are two examples where we apply our decision procedure to formulas on list structures.
Example 5.24 φ = {{nil?(x), cons?(x)}} is a tautology.
To show that φ is a tautology, we only need to prove that its negation ¬φ is unsatisfiable. Using φ’s CNF and De Morgan’s rules we get
¬φ = {{¬nil?(x)}, {¬cons?(x)}}. LISP has only the two function symbols nil and cons, hence, by Example 5.21, ¬φ is unsatisfiable. Therefore φ itself is a tautology.
Consider a formula like φ := ∀x, y : cons(u, v) ≉ cons(x, y). We cannot express φ in the ground term algebra as cons(u, v) ≉ cons(x, y), since GDPLL(cons(u, v) ≉ cons(x, y)) is SAT while φ is unsatisfiable. Using recognizers we can express it by the equivalent formula ψ = ¬cons?(cons(u, v)). Below we show that ψ is unsatisfiable.
Example 5.25 ψ = {{¬cons?(cons(u, v))}} is unsatisfiable. We have tr(¬cons?(cons(u, v))) = {nil?(cons(u, v))}, so
ψ ∥ tr(¬cons?(cons(u, v))) = {{nil?(cons(u, v))}}.
Also tr(nil?(cons(u, v))) = {nil ≈ cons(u, v)}, hence TR(ψ) = {{nil ≈ cons(u, v)}}, which is unsatisfiable.
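The list structure of Definition 5.22 and the translation of recognizer literals used in Examples 5.24 and 5.25, as an added Python example that is not part of the thesis: the term encoding, the literal representation and the brute-force decider that stands in for GDPLL are assumptions of this example, valid only for the two-constructor signature {nil, cons}.

```python
# Added example, not from the thesis: LISP list terms with recognizers, the
# translation tr of recognizer literals into equalities with nil, and a
# brute-force check that stands in for GDPLL on this two-constructor fragment.
from itertools import product

NIL = ("nil",)
def cons(a, b):
    return ("cons", a, b)
def is_var(t):
    return isinstance(t, str)            # variables are plain strings, e.g. "x"
def nil_p(t):                            # recognizer nil? on ground terms
    return t == NIL
def cons_p(t):                           # recognizer cons? on ground terms
    return isinstance(t, tuple) and t[0] == "cons"

# Literals: ("nil?", t), ("cons?", t), ("eq", NIL, t), or ("not", lit); a CNF is a list of clauses.
def tr(lit):
    neg = lit[0] == "not"
    inner = lit[1] if neg else lit
    if inner[0] == "eq":
        return lit
    kind, t = inner
    # nil?(t) <-> nil ≈ t, and cons?(t) <-> ¬nil?(t) because nil and cons are
    # the only constructors (cf. Example 5.21 in the text).
    positive = (kind == "nil?") != neg
    return ("eq", NIL, t) if positive else ("not", ("eq", NIL, t))

def TR(cnf):
    return [[tr(l) for l in clause] for clause in cnf]

def term_of(lit):                        # the t in (¬)(nil ≈ t)
    return lit[1][2] if lit[0] == "not" else lit[2]

def holds(lit, nil_vars):
    if lit[0] == "not":
        return not holds(lit[1], nil_vars)
    t = lit[2]
    return t in nil_vars if is_var(t) else t == NIL   # cons(..) ≉ nil always

def satisfiable(cnf):
    """Enumerate which variables equal nil (each choice is realisable in Term(Σ)); decides TR(cnf)."""
    cnf = TR(cnf)
    vs = sorted({term_of(l) for c in cnf for l in c if is_var(term_of(l))})
    for bits in product([False, True], repeat=len(vs)):
        nil_vars = {v for v, b in zip(vs, bits) if b}
        if all(any(holds(l, nil_vars) for l in c) for c in cnf):
            return True
    return False

NEG_PHI = [[("not", ("nil?", "x"))], [("not", ("cons?", "x"))]]   # Example 5.24: ¬φ
PSI = [[("not", ("cons?", cons("u", "v")))]]                       # Example 5.25: ψ
```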
5.6 Conclusion
In this chapter we extended the decision procedure of Chapter 4 to the theory of ground term algebras with recognizers. Recognizers are mostly used in theorem provers for the declaration of datatypes; in the LISP programming language they are used for list structures.
Our method transforms a formula with recognizers into one without recognizers, in such a way that the resulting formula contains at most a finite number of additional literals, so the growth is linear. The CNF obtained after the transformations can then be decided by the GDPLL algorithm. Extending the theory with destructors is left as future work.
Part II: Verification of Protocols
6 Mechanical Verification of a Two-Way Sliding Window Protocol
6.1 Introduction
A sliding window protocol [CK74] (SWP) ensures successful transmission of messages from a sender to a receiver through a medium in which messages may get lost. Its main characteristic is that the sender does not wait for an incoming acknowledgement before sending the next messages, for optimal use of bandwidth. Many data communication systems include a SWP, in one of its many variations.
In SWPs, both the sender and the receiver maintain a buffer. In practice the buffer at the receiver side is often much smaller than at the sender side, but here we make the simplifying assumption that both buffers can contain up to n messages. By providing the messages with sequence numbers, reliable in-order delivery without duplications is guaranteed. The sequence numbers can be taken modulo 2n (and not less, see [Tan81] for a nice argument). The messages at the sender are numbered from i to i + n (modulo 2n); this is called a window. When an acknowledgement reaches the sender, indicating that k messages have arrived correctly, the window slides forward, so that the sending buffer can contain messages with sequence numbers i+k to i+k+n (modulo 2n). The window of the receiver slides forward when the first element in this window is passed on to the environment.
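The window bookkeeping described above, as an added Python example that is not part of the thesis or its µCRL/PVS specification: the class and function names are this example's own, the payloads are constructed strings, and the last function checks the ‘modulo 2n and not less’ claim by enumeration rather than by the argument in [Tan81].

```python
# Added example, not part of the thesis or its µCRL/PVS development: a toy
# model of the window mechanics described above. n is the buffer size,
# sequence numbers are taken modulo 2n, and an acknowledgement of k messages
# slides the sender window from i to i+k. Payloads are constructed strings.
class SenderWindow:
    def __init__(self, n):
        self.n = n
        self.mod = 2 * n       # sequence numbers live in 0 .. 2n-1
        self.first = 0         # i: sequence number of the oldest unacknowledged message
        self.buffer = []       # (seq, payload) pairs, at most n of them

    def seq_in_window(self, s):
        """Is s one of the n sequence numbers i, i+1, ..., i+n-1 (mod 2n)?"""
        return (s - self.first) % self.mod < self.n

    def send(self, payload):
        """Store a new message if the window is not full; return its sequence number."""
        if len(self.buffer) == self.n:
            return None        # window full: wait for an acknowledgement
        s = (self.first + len(self.buffer)) % self.mod
        self.buffer.append((s, payload))
        return s

    def ack(self, k):
        """The receiver reports k messages arrived in order: slide the window by k."""
        k = min(k, len(self.buffer))
        del self.buffer[:k]
        self.first = (self.first + k) % self.mod
        return self.first

def receiver_accepts(expected, s, n):
    """A receiver whose window starts at `expected` accepts sequence number s
    only if s lies in expected .. expected+n-1 (mod 2n)."""
    return (s - expected) % (2 * n) < n

def old_and_new_disjoint(n, mod):
    """Tanenbaum's argument for 'modulo 2n and not less': wherever the receiver
    window i .. i+n-1 sits, a retransmission of one of the n messages it has
    already accepted (i-n .. i-1) must never be mistaken for a new message."""
    for i in range(mod):
        old = {(i - d) % mod for d in range(1, n + 1)}
        new = {(i + d) % mod for d in range(n)}
        if old & new:
            return False
    return True
```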
We consider a two-way SWP, in which both parties can both send and receive data elements from each other. One way of achieving full-duplex data transmission is to have two separate communication channels and use each one for simplex data traffic (in different directions). Then there are two separate physical circuits, each with a forward channel (for data) and a reverse channel (for acknowledgements). In both cases the bandwidth of the reverse channel is almost entirely wasted. In effect, the user is paying for two circuits but using the capacity of one. A better idea is to use the same circuit in both directions. Each party maintains two buffers, for storing the two opposite data streams. In this two-way version of the SWP, an acknowledgement that is sent from one party to the other may get a free ride by attaching it to a data element. This method for efficiently passing acknowledgements and data elements through a channel in the same direction, which is known as piggybacking, is used broadly in transmission control protocols, see [Tan81]. The main advantage of piggybacking is a better use of available bandwidth. The extra acknowledgement field in the data frame costs only a few bits, whereas a separate acknowledgement would need a header and a checksum. In addition, fewer frames sent means fewer ‘frame arrived’ interrupts.
The main motivations for the current research are: (1) to provide a mechanised correctness proof of the most complicated version of the SWP in [Tan81], including the piggybacking mechanism; and (2) to gain experience in extending an existing PVS formalisation, namely the one from [FGP+04].
The structure of the proof is as follows. First, we linearize the specification, meaning that we get rid of parallel operators. Moreover, communication actions are stripped from their data parameters. Then we eliminate modulo arithmetic, using an idea from Schoone [Sch91]. Finally, we apply the cones and foci technique, to prove that the linear specification without modulo arithmetic is branching bisimilar to a pair of FIFO queues of capacity 2n and 2n2. The lemmas for the data types, the invariants, the transformations and the matching criteria have all been checked using PVS. The PVS files are available via http://homepages.cwi.nl/~vdpol/piggybacking.html. The remainder of this chapter is set up as follows. Section 6.2 introduces the process part of µCRL. In Section 6.3, the data types needed for specifying the SWP and its external behaviour are presented. Section 6.4 features the µCRL specifications of the two-way SWP with piggybacking, and its external behaviour. In Section 6.5, three consecutive transformations are applied to the specification of the SWP, to linearize the specification, eliminate arguments of communication actions, and get rid of modulo arithmetic. In Section 6.6, properties of the data types and invariants of the transformed specification are formulated; their proofs are in the appendix. In Section 6.7, it is proved that the three transformations preserve branching bisimilarity, and that the transformed specification behaves as a pair of FIFO queues.