|
1 chapter \<open>Isabelle Verification of a protocol using IOA\<close> |
|
2 |
|
3 theory Overview |
|
4 imports IOA.IOA |
|
5 begin |
|
6 |
|
7 section \<open>The System\<close> |
|
8 |
|
9 text \<open> |
|
10 The system being proved correct is a parallel composition of 4 processes: |
|
11 |
|
12 Sender || Schannel || Receiver || Rchannel |
|
13 |
|
14 Accordingly, the system state is a 4-tuple: |
|
15 |
|
16 (Sender_state, Schannel_state, Receiver_state, Rchannel_state) |
|
17 \<close> |
|
18 |
|
19 |
|
20 section \<open>Packets\<close> |
|
21 |
|
22 text \<open> |
|
23 The objects going over the medium from Sender to Receiver are modelled |
|
24 with the type |
|
25 |
|
26 'm packet = bool \<times> 'm |
|
27 |
|
28 This expresses that messages (modelled by polymorphic type \<open>'m\<close>) are |
|
29 sent with a single header bit. Packet fields are accessed by |
|
30 |
|
31 hdr<b,m> = b |
|
32 mesg<b,m> = m |
|
33 \<close> |
|
34 |
|
35 |
|
36 section \<open>The Sender\<close> |
|
37 |
|
38 text \<open> |
|
39 The state of the process "Sender" is a 5-tuple: |
|
40 |
|
41 1. messages : 'm list (* sq *) |
|
42 2. sent : bool multiset (* ssent *) |
|
43 3. received : bool multiset (* srcvd *) |
|
44 4. header : bool (* sbit *) |
|
45 5. mode : bool (* ssending *) |
|
46 \<close> |
|
47 |
|
48 |
|
49 section \<open>The Receiver\<close> |
|
50 |
|
51 text \<open> |
|
52 The state of the process "Receiver" is a 5-tuple: |
|
53 |
|
54 1. messages : 'm list (* rq *) |
|
55 2. replies : bool multiset (* rsent *) |
|
56 3. received : 'm packet multiset (* rrcvd *) |
|
57 4. header : bool (* rbit *) |
|
58 5. mode : bool (* rsending *) |
|
59 \<close> |
|
60 |
|
61 |
|
62 section \<open>The Channels\<close> |
|
63 |
|
64 text \<open> |
|
65 The Sender and Receiver each have a proprietary channel, named |
|
66 "Schannel" and "Rchannel" respectively. The messages sent by the Sender |
|
67 and Receiver are never lost, but the channels may mix them |
|
68 up. Accordingly, multisets are used in modelling the state of the |
|
69 channels. The state of "Schannel" is modelled with the following type: |
|
70 |
|
71 'm packet multiset |
|
72 |
|
73 The state of "Rchannel" is modelled with the following type: |
|
74 |
|
75 bool multiset |
|
76 |
|
77 This expresses that replies from the Receiver are just one bit. |
|
78 |
|
79 Both Channels are instances of an abstract channel, that is modelled with |
|
80 the type |
|
81 |
|
82 'a multiset. |
|
83 \<close> |
|
84 |
|
85 |
|
86 section \<open>The events\<close> |
|
87 |
|
88 text \<open> |
|
89 An `execution' of the system is modelled by a sequence of |
|
90 |
|
91 <system_state, action, system_state> |
|
92 |
|
93 transitions. The actions, or events, of the system are described by the |
|
94 following ML-style datatype declaration: |
|
95 |
|
96 'm action = S_msg ('m) (* Rqt for Sender to send mesg *) |
|
97 | R_msg ('m) (* Mesg taken from Receiver's queue *) |
|
98 | S_pkt_sr ('m packet) (* Packet arrives in Schannel *) |
|
99 | R_pkt_sr ('m packet) (* Packet leaves Schannel *) |
|
100 | S_pkt_rs (bool) (* Packet arrives in Rchannel *) |
|
101 | R_pkt_rs (bool) (* Packet leaves Rchannel *) |
|
102 | C_m_s (* Change mode in Sender *) |
|
103 | C_m_r (* Change mode in Receiver *) |
|
104 | C_r_s (* Change round in Sender *) |
|
105 | C_r_r ('m) (* Change round in Receiver *) |
|
106 \<close> |
|
107 |
|
108 |
|
109 section \<open>The Specification\<close> |
|
110 |
|
111 text \<open> |
|
112 The abstract description of system behaviour is given by defining an |
|
113 IO/automaton named "Spec". The state of Spec is a message queue, |
|
114 modelled as an "'m list". The only actions performed in the abstract |
|
115 system are: "S_msg(m)" (putting message "m" at the end of the queue); |
|
116 and "R_msg(m)" (taking message "m" from the head of the queue). |
|
117 \<close> |
|
118 |
|
119 |
|
120 section \<open>The Verification\<close> |
|
121 |
|
122 text \<open> |
|
123 The verification proceeds by showing that a certain mapping ("hom") from |
|
124 the concrete system state to the abstract system state is a `weak |
|
125 possibilities map` from "Impl" to "Spec". |
|
126 |
|
127 hom : (S_state * Sch_state * R_state * Rch_state) -> queue |
|
128 |
|
129 The verification depends on several system invariants that relate the |
|
130 states of the 4 processes. These invariants must hold in all reachable |
|
131 states of the system. These invariants are difficult to make sense of; |
|
132 however, we attempt to give loose English paraphrases of them. |
|
133 \<close> |
|
134 |
|
135 |
|
136 subsection \<open>Invariant 1\<close> |
|
137 |
|
138 text \<open> |
|
139 This expresses that no packets from the Receiver to the Sender are |
|
140 dropped by Rchannel. The analogous statement for Schannel is also true. |
|
141 |
|
142 \<forall>b. R.replies b = S.received b + Rch b |
|
143 \<and> |
|
144 \<forall>pkt. S.sent(hdr(pkt)) = R.received(hdr(b)) + Sch(pkt) |
|
145 \<close> |
|
146 |
|
147 |
|
148 subsection \<open>Invariant 2\<close> |
|
149 |
|
150 text \<open> |
|
151 This expresses a complicated relationship about how many messages are |
|
152 sent and header bits. |
|
153 |
|
154 R.header = S.header |
|
155 \<and> S.mode = SENDING |
|
156 \<and> R.replies (flip S.header) \<subseteq> S.sent (flip S.header) |
|
157 \<and> S.sent (flip S.header) \<subseteq> R.replies header |
|
158 OR |
|
159 R.header = flip S.header |
|
160 \<and> R.mode = SENDING |
|
161 \<and> S.sent (flip S.header) \<subseteq> R.replies S.header |
|
162 \<and> R.replies S.header \<subseteq> S.sent S.header |
|
163 \<close> |
|
164 |
|
165 |
|
166 subsection \<open>Invariant 3\<close> |
|
167 |
|
168 text \<open> |
|
169 The number of incoming messages in the Receiver plus the number of those |
|
170 messages in transit (in Schannel) is not greater than the number of |
|
171 replies, provided the message isn't current and the header bits agree. |
|
172 |
|
173 let mesg = <S.header, m> |
|
174 in |
|
175 R.header = S.header |
|
176 \<Longrightarrow> |
|
177 \<forall>m. (S.messages = [] \<or> m \<noteq> hd S.messages) |
|
178 \<Longrightarrow> R.received mesg + Sch mesg \<subseteq> R.replies (flip S.header) |
|
179 \<close> |
|
180 |
|
181 |
|
182 subsection \<open>Invariant 4\<close> |
|
183 |
|
184 text \<open> |
|
185 If the headers are opposite, then the Sender queue has a message in it. |
|
186 |
|
187 R.header = flip S.header \<Longrightarrow> S.messages \<noteq> [] |
|
188 \<close> |
|
189 |
|
190 end |