Modeling and Analysis of Communication and Cooperation Protocols Using Petri Net Based Models

Michel Diaz
Laboratoire d'Automatique et d'Analyse des Systèmes du C.N.R.S., 7, avenue du Colonel Roche, 31400 Toulouse, France

North-Holland Publishing Company, Computer Networks 6 (1982) 419-441, 0376-5075/82/0000-0000/$02.75. © 1982 North-Holland.
M. Diaz / Modeling and Analysis of Protocols using Petri Nets

Numerous modeling approaches exist to formally describe protocols, such as state machines, Petri nets, abstract data types, high level languages and temporal logic. This paper deals with one of them, Petri nets, including related models. It presents the most important classes of nets, gives their analysis possibilities and shows how they can be used to model and analyze communication and cooperation protocols.

Keywords: protocols, specification, validation, Petri nets.

Michel Diaz received the Doctorat de 3ème Cycle in 1969 and the Doctorat d'Etat in 1974 in electrical engineering and computer science from the University of Toulouse, Toulouse, France. Presently, he is with the Centre National de la Recherche Scientifique (C.N.R.S., the French National Council for Scientific Research) at the Laboratoire d'Automatique et d'Analyse des Systèmes, Toulouse, France. He has published several papers in fault-tolerant computing, communication protocols and distributed system design. His research interests include the specification, implementation, and validation of the software in distributed systems. He is the Head of the Research Team Software and Communication at the L.A.A.S.

1. Introduction

Present computer systems must account for the actual distribution and organization of people, functions, equipment and processors that have to interact strongly in a global activity. The problem is to understand the requirements perfectly, express them and transform the resulting documents into a correct implementation. Given this, it is assumed that the design of the system under investigation follows a system development methodology consisting of the following main steps: requirements, specification, implementation, testing. Perhaps the most important step concerns the expression and validation of the system specification. In this step, it is necessary to select a model. This is a quite difficult task because of the number of parameters to be accounted for and because the different approaches to specification are usually not well related. Fig. 1 attempts to give a synthetic view of the possible approaches which can be used as a support for specification and verification.

Fig. 1. System specification and complexity in the (CONTROL x DATA) domain. [Figure: the plane spanned by control complexity and data complexity, in which combinational circuits, sequential machines, languages, abstract data types and relational data bases are placed.]

In distributed systems, interactions are fundamental and we say that two sets of protocols generally exist: a) standard protocols (ISO, CCITT, ECMA,
etc.) which primarily concern communication protocols; b) specific protocols, which depend on the structure of the hardware, the particulars of the functions, etc.; they primarily concern cooperation protocols. The point is that if formal specification and verification are of high interest for standard protocols, they are also important, even fundamental, for specific protocols, because the number of people involved is generally much lower and the time spent on their validation is much shorter. Protocol specification and validation have been recognized as an important field in computer networks for a number of years [6,7]. The connections which exist between specification, validation and the OSI model [109] are given in [2-4]. In fact numerous modeling approaches now exist [8], e.g. state machines, state programs, Petri nets, transition systems, temporal logic, data type languages. The purpose of the present paper is to give the more salient features which result from Petri nets and related models.

Petri nets have been used for a few years now to specify and analyze concurrent systems. Although still under investigation, some quite interesting results exist and some significant applications have been conducted. It seems that protocols should be an important area of application of nets; following [5], it is the aim of this paper to develop and explain the connections that exist between nets and protocols.

Section 2 is devoted to the presentation of different classes of nets. Four classes, the ones that seem to be the most promising, are given: Place-Transition (Pl-Tr) nets, Place-Coloured (Pl-Cl) nets, Predicate-Transition (Pr-Tr) nets and Predicate-Action (Pr-Ac) nets. Section 3 gives the main approaches that can be used to analyze these nets. General validations and specific validations are considered: boundedness and liveness in the former case, invariants in the latter. Some possible methodologies for easily verifiable design are also discussed. Section 4 presents some examples of application of nets to protocol design and validation. Their salient features are illustrated. Comments about the characteristics of Petri nets vis-à-vis other approaches are also given.
2. Petri Net Based Models
Petri introduced his nets, constituted of places and transitions [33], to synchronize the activities of parallel automata. Subsequently a number of interesting extensions have been developed to address the limitations that occur when applying the nets to real-life complex systems. The result is that there exists now a variety of models and languages based on Petri nets. In this paper a limited number of classes had to be selected; the following set will therefore be presented:
i) place-transition nets (Pl-Tr nets), known as Petri nets,
ii) place-coloured nets (Pl-Cl nets),
iii) predicate-transition nets (Pr-Tr nets),
iv) predicate-action nets (Pr-Ac nets).
Other classifications and discussions concerning the differences are given in [16,17]. Another possible class is given in Section 3.3. At this point, it has to be noted that another graphical model is being developed at UCLA, the UCLA control flow model, a bilogic directed graph which has the same descriptive power as Petri nets. It is of interest because this graph has been used as the first graphic tool to model and validate communication protocols; this model will be illustrated in one example in the next section and the work conducted using both Petri nets and the UCLA flow models will be considered together in the following sections.

2.1. Place-Transition nets - Petri nets
Petri nets can be introduced as a strong extension of sequential automata. Let us consider Fig. 2a; it gives the description of a 3-state sequential automaton. Let us select one arc, for example the one going from state a to state b: it is drawn as in Fig. 2b (left part). The drawing of such an arc can be slightly modified by adding a bar, called a "transition", which represents the possible occurrence of an event causing the machine to go from state a to state b; the corresponding arc is given in Fig. 2b (right part). This representation, used for each arc, leads to the lowest class of Petri nets, called "state machines", for which every transition has only one input state, called "place", and one output state, also called "place". The difference between places and states, not obvious for state machines, clearly appears when we consider Petri nets which are extensions of state machines. Fig. 2c shows the extension: for every transition, there can be multiple input and multiple output places.

Fig. 2. From sequential automata to Petri net. [Figure: 2.a a three-state automaton; 2.b one arc drawn without and with a transition bar; 2.c a transition with several input and output places.]

Definition 1. A Petri net is a tuple $(P, T, \alpha, \beta)$ where: P is a set of places ($P \neq \emptyset$), represented by circles; T is a set of transitions ($T \neq \emptyset$, and $P \cap T = \emptyset$), represented by bars; $\alpha: P \times T \to N$ is a forward incidence function (with N the set of integers); $\beta: P \times T \to N$ is a backward incidence function. If the sets P and T are ordered, $\alpha$ and $\beta$ can be defined as matrices having m rows if m is the number of places and n columns if n is the number of transitions. There is an arc from place $p_k$ to transition $t_i$ iff $\alpha(p_k, t_i) = n_{ki} \neq 0$. The corresponding arc is labelled by the value $n_{ki}$, called "weight". There is an arc from transition $t_j$ to place $p_l$ iff $\beta(p_l, t_j) = n_{lj} \neq 0$. This arc is labelled by the weight $n_{lj}$. Generally, the default value of the arc weights is one.

Definition 2. For a given Petri net, for $t \in T$, $Pre(t) = \{p \in P \mid \alpha(p, t) \neq 0\}$, where Pre(t) is the set of input places of transition t; for $t \in T$, $Post(t) = \{p \in P \mid \beta(p, t) \neq 0\}$, where Post(t) is the set of output places of transition t. An integer number of marks, called tokens, are allowed to exist in the places. They constitute the marking, defined as follows.

Definition 3. A marking M of a Petri net is a mapping of the set of places P into N, the set of non-negative integers. With $|P| = m$, a marking M is represented by a column vector $M \in N^m$; its ith component is denoted $M(p_i)$. For example, let us consider the Petri net given in Fig. 3. Thus $P = \{p_1, p_2, p_3\}$, $T = \{t_1\}$, $\alpha(p_1, t_1) = 2$, $\alpha(p_2, t_1) = 1$ and $\beta(p_3, t_1) = 3$. From its marking, $M = (3, 2, 0)$ and $M(p_1) = 3$, $M(p_2) = 2$, $M(p_3) = 0$. Furthermore $Pre(t_1) = \{p_1, p_2\}$, $Post(t_1) = \{p_3\}$.

Fig. 3. Firing in a Petri net. [Figure: 3.a before firing, with $M = (3, 2, 0)$; 3.b after firing; the column of $t_1$ in $\alpha$ is $(2, 1, 0)^t$ and in $\beta$ is $(0, 0, 3)^t$.]

Definition 4. A transition t of a Petri net is enabled under a given marking M iff $\forall p \in Pre(t),\ M(p) \ge \alpha(p, t)$. For example, in Fig. 3 we have $\alpha(p_1, t_1) = 2$ and $M(p_1) = 3$, $\alpha(p_2, t_1) = 1$ and $M(p_2) = 2$; then $\forall p \in Pre(t_1),\ M(p) \ge \alpha(p, t_1)$ and transition $t_1$ is enabled.

Definition 4.1. In Petri nets an enabled transition is firable.

Definition 5. Firing a transition t is defined by the transformation of the enabling marking M into another marking M' such that: $\forall p \in P,\ M'(p) = M(p) + \beta(p, t) - \alpha(p, t)$.

For example, the firing of transition $t_1$ in Fig. 3 gives the new marking M' such that:
$M'(p_1) = M(p_1) + \beta(p_1, t_1) - \alpha(p_1, t_1) = 3 + 0 - 2 = 1$,
$M'(p_2) = M(p_2) + \beta(p_2, t_1) - \alpha(p_2, t_1) = 2 + 0 - 1 = 1$,
$M'(p_3) = M(p_3) + \beta(p_3, t_1) - \alpha(p_3, t_1) = 0 + 3 - 0 = 3$,
because $t_1$ is the transition that has been fired. Note also that the net of Fig. 3b is no longer firable because $M'(p_1) < 2$. Other unfirable markings are given in Fig. 4a (because the right place has no token) and in Fig. 4b (because the left place
has less than 4 tokens). Note also that the number of marked places and the number of tokens after firing may be greater than before firing; as new tokens can define new processing states, this allows the parallelism of the system to be modelled, even when it increases. This is because if a new token is put in a place it can represent the beginning of a new computation. The behavioral rules for markings and firings thus allow waiting and parallelism to be explicitly expressed.

Fig. 4. No firable markings: the system is waiting. [Figure: 4.a, 4.b.]

Definition 6. A Petri net is self-loop free (or elementary loop free) iff $\forall t \in T,\ Pre(t) \cap Post(t) = \emptyset$, i.e. a place cannot be both an input place and an output place of the same transition.

Self-loop free nets are also called pure Petri nets. For self-loop free nets, only one matrix is sufficient to describe their behavior. This matrix, called the incidence matrix, is defined as $C = \beta - \alpha$, i.e. $C(p, t) = \beta(p, t) - \alpha(p, t)$, and firing a transition t can be written as $M' = M + C \cdot X$, in which X is a vector of n components having the value 1 in the entry corresponding to the fired transition and 0 elsewhere. This form is useful for mathematical handling by linear algebra and is widely used when dealing with invariants, as will be seen in the next section. Let $M_i$ be the marking which enables transition $t_k$ and $M_j$ the marking which results from the firing of $t_k$; firing is noted $M_i \xrightarrow{t_k} M_j$.

Definition 7. Let $\sigma$ be a finite sequence of transitions $t_1 t_2 \ldots t_k$. $\sigma$ is called a legal firing sequence starting from $M_1$ iff there exist in the net the markings $M_2, \ldots, M_{k+1}$ such that $M_1 \xrightarrow{t_1} M_2 \ldots \xrightarrow{t_k} M_{k+1}$; the marking $M_{k+1}$ is reachable from $M_1$ by the firing of $\sigma$.

Definition 8. The forward marking class $\mathcal{M}_0$ is the set of markings reachable from the initial marking $M_0$ by a legal firing sequence. $\mathcal{M}_0$ gives the set of the possible control states of the system behaviour with respect to the initial control state $M_0$.

The main properties of Petri nets related to correctness will be given in the next section, but the two best known and most essential ones are also given now.

Definition 9. A Petri net is bounded by n for an initial marking $M_0$ iff, whatever the current marking $M \in \mathcal{M}_0$, $\forall p \in P,\ M(p) \le n$. An unbounded Petri net implies that the corresponding system may have an infinite number of markings (states): its implementation is not possible.

Definition 10. A Petri net is live for an initial marking $M_0$ iff, whatever the current marking, for any transition t, there exists a legal firing sequence such that this transition is enabled, i.e.:
$\forall M \in \mathcal{M}_0,\ \forall t \in T,\ \exists \sigma:\ M \xrightarrow{\sigma} M' \wedge t$ is enabled under $M'$.
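Definitions 1 to 10 can be written out directly as a small simulator. The Python below is an added example, not code from the paper; the class, the method names and the three nets at the bottom (the net of Fig. 3, a net built from the invariant $M(p_1) + M(p_2) = 4$ of Fig. 9a, and a deliberately unbounded one-transition net) are all constructed here. It goes beyond the text in one respect: the reachability search reports unboundedness when a new marking strictly covers one of its own ancestors, which is the standard coverability argument rather than something the paper states.

```python
"""Pl-Tr net semantics (Definitions 1 to 10) as a small simulator. Added example;
the nets at the bottom are constructed from the figures' descriptions."""
from collections import deque


class PetriNet:
    """A Petri net (P, T, alpha, beta); a marking is a tuple indexed like `places`."""

    def __init__(self, places, transitions, alpha, beta):
        self.places = list(places)
        self.transitions = list(transitions)
        self.alpha = dict(alpha)  # (p, t) -> weight of the arc p -> t (Definition 1)
        self.beta = dict(beta)    # (p, t) -> weight of the arc t -> p

    def a(self, p, t):
        return self.alpha.get((p, t), 0)

    def b(self, p, t):
        return self.beta.get((p, t), 0)

    def pre(self, t):  # Definition 2: input places of t
        return [p for p in self.places if self.a(p, t) != 0]

    def post(self, t):  # Definition 2: output places of t
        return [p for p in self.places if self.b(p, t) != 0]

    def is_pure(self):  # Definition 6: no place is both input and output of one t
        return all(not (set(self.pre(t)) & set(self.post(t))) for t in self.transitions)

    def incidence(self):
        """Incidence matrix C = beta - alpha: one row per place, one column per transition."""
        return [[self.b(p, t) - self.a(p, t) for t in self.transitions] for p in self.places]

    def enabled(self, m, t):  # Definition 4: M(p) >= alpha(p, t) for every input place
        return all(m[i] >= self.a(p, t) for i, p in enumerate(self.places))

    def fire(self, m, t):  # Definition 5: M'(p) = M(p) + beta(p, t) - alpha(p, t)
        if not self.enabled(m, t):
            raise ValueError(f"{t} is not enabled under {m}")
        return tuple(m[i] + self.b(p, t) - self.a(p, t) for i, p in enumerate(self.places))

    def fire_sequence(self, m, seq):  # Definition 7: raises if the sequence is not legal
        for t in seq:
            m = self.fire(m, t)
        return m

    def reachable(self, m0):
        """Definition 8: the forward marking class of m0, or None if the net is unbounded.
        Breadth-first search; a new marking that strictly covers one of its ancestors means
        the firing sequence between them can be repeated forever (coverability argument,
        not stated in the paper), so the search stops and reports unboundedness."""
        parent = {m0: None}
        queue = deque([m0])
        while queue:
            m = queue.popleft()
            for t in self.transitions:
                if not self.enabled(m, t):
                    continue
                m2 = self.fire(m, t)
                if m2 in parent:
                    continue
                anc = m
                while anc is not None:
                    if anc != m2 and all(x >= y for x, y in zip(m2, anc)):
                        return None
                    anc = parent[anc]
                parent[m2] = m
                queue.append(m2)
        return set(parent)

    def bound(self, m0):  # Definition 9: the smallest n bounding every place
        reach = self.reachable(m0)
        return None if reach is None else max(max(m) for m in reach)

    def is_live(self, m0):  # Definition 10, by enumeration (bounded nets only)
        reach = self.reachable(m0)
        if reach is None:
            raise ValueError("unbounded net: liveness is not checked by enumeration")
        return all(any(self.enabled(m2, t) for m2 in self.reachable(m))
                   for m in reach for t in self.transitions)

    def is_proper(self, m0):  # Definition 15 of Section 3.1.1: M0 reachable from every marking
        reach = self.reachable(m0)
        return reach is not None and all(m0 in self.reachable(m) for m in reach)


# Net of Fig. 3: alpha(p1, t1) = 2, alpha(p2, t1) = 1, beta(p3, t1) = 3, M0 = (3, 2, 0).
FIG3 = PetriNet(["p1", "p2", "p3"], ["t1"],
                {("p1", "t1"): 2, ("p2", "t1"): 1}, {("p3", "t1"): 3})
FIG3_M0 = (3, 2, 0)

# Net constructed from the invariant of Fig. 9a, M(p1) + M(p2) = 4: t1 moves one token
# from p1 to p2 and t2 moves it back.
FIG9A = PetriNet(["p1", "p2"], ["t1", "t2"],
                 {("p1", "t1"): 1, ("p2", "t2"): 1}, {("p2", "t1"): 1, ("p1", "t2"): 1})
FIG9A_M0 = (4, 0)

# Constructed unbounded net: a transition without input places is always enabled.
PRODUCER = PetriNet(["p"], ["t"], {}, {("p", "t"): 1})

if __name__ == "__main__":
    print(FIG3.fire(FIG3_M0, "t1"), FIG3.enabled((1, 1, 3), "t1"))   # (1, 1, 3) False
    print(FIG3.bound(FIG3_M0), FIG3.is_live(FIG3_M0))                # 3 False
    print(FIG9A.bound(FIG9A_M0), FIG9A.is_live(FIG9A_M0))            # 4 True
    print(PRODUCER.reachable((0,)))                                  # None: unbounded
```

Running the module reproduces the firing of Fig. 3 (the new marking is (1, 1, 3), after which $t_1$ is no longer enabled), shows that this net is bounded by 3 but neither live nor proper, that the Fig. 9a net is bounded by 4, live and proper, and that the always-enabled producer is unbounded. `is_live` enumerates the reachable markings once per reachable marking, which is only sensible for nets as small as those of this section.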
When a Petri net is live, the associated system is deadlock-free. Petri nets have useful properties but also have some limitations: their power is less than that of Turing machines and they can become quite complex even for medium scale problems. Investigators have developed extended Petri net models in order to overcome some of these difficulties. The nets presented below are some of these interesting extensions.

2.2. Place-coloured nets - Pl-Cl nets

In the previously described Petri nets (Pl-Tr nets) it is not possible to distinguish the tokens: they have no identity in themselves. Their identity is $\emptyset$, the empty name. As a consequence, while it is possible to count a given number of tokens of the same class, different classes of tokens, if they are to be distinguished, need to appear in different places. It follows that the nets can become very large, even for medium scale systems. To alleviate
this problem, [30] for simulation and [15,16,20] for verification introduced the notion of token identity. In coloured Petri nets [20] each token has a colour that indicates its identity. Note that Pl-Cl nets are a simplification of the Pr-Tr nets given in [15], which will be presented later on. We comply with this simplification and, in the Pl-Cl nets, no explicit predicates exist; a significant simplification of the model is obtained. Only an informal definition will be given here.

Definition 11. A Pl-Cl net consists of:
1. A bipartite graph whose vertices are places and transitions;
2. Arcs labelled with expressions denoting functions or bags of coloured tokens (a bag is a generalization of a set: in a bag there may exist many instances of the same element);
3. An initial marking $M_0$ which associates to every place p a bag of given values of the initial colours.

Note that a particular domain of colours is the domain of the tokens used in Petri nets: their colour is denoted $\emptyset$. As an example, taken from [20], let us consider the dining philosophers problem (for 5 philosophers) given in Fig. 5. Fig. 5a shows a Petri net description with $\emptyset$-tokens. In this case, a philosopher can eat when 2 forks (any two) are free. Although this could be a real solution, it does not solve the problem in which it is required that a philosopher can eat only if his two neighboring forks are free. A correct solution using Petri nets needs to define one place for each of the philosophers and one place for each of the forks [20]. Another and more compact possible solution using Pl-Cl nets is given in Fig. 5b. If $i \oplus 1$ means $(i + 1) \bmod 5$, then the arcs are labelled either by $P_i$ or by $\{f_i, f_{i \oplus 1}\}$: for transition $t_1$ to fire, there must be an i such that a philosopher $P_i$ is in the "think" place and his two forks $\{f_i, f_{i \oplus 1}\}$ are in the "free fork" place. The formal definitions of an enabled transition, a firing, a sequence, etc. are extensions of the previous ones. They are not given here for lack of space but are developed in [15,16,20]. The key point is that firing is now possible only if the input places of a transition hold a bag that covers the one written on their outgoing arcs, i.e. on the arcs from those places to the transition. If its forks $f_i$ and $f_{i \oplus 1}$ are not in the "free fork" place, then transition $t_1$ cannot fire for a given $P_i$ in the "think" place. Thus for our purposes, understanding how a transition may fire, how identified tokens are removed from the input places of a transition and how they are added to the output places (according to the names appearing on the arcs) should be sufficient; for instance, a transition may fire if the variables corresponding to or appearing in its incoming arcs are covered by the tokens contained in the corresponding input places.

Fig. 5. The dining philosophers problem in uncoloured and coloured nets. [Figure: 5.a the net with $\emptyset$-tokens; 5.b the coloured net with a "Think" place and arcs labelled $f_i, f_{i \oplus 1}$.]
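The coloured firing rule just described, a bag in each input place covering the bag demanded by the arc, as an added example in Python that is not part of the paper or of [20]: places hold bags (multisets) of named tokens, every arc carries a function from a variable binding to a bag, and a transition is enabled for a binding when each input place covers what its arc demands. The engine, the transition names "take" and "put", the colour names P0..P4 and f0..f4 and the second net are constructed here. The example also goes one step beyond this section: each transition may carry an optional predicate on the binding, which is exactly the extension Section 2.3 makes to obtain Pr-Tr nets, and the second net reproduces the Fig. 6 firing with the lexical-ordering predicate x < y < z.

```python
"""Pl-Cl net firing: bags of identified tokens covered by the bags on the arcs.
Added example; the dining philosophers colouring and the ordered-tokens net are constructed."""
from collections import Counter
from itertools import product


class ColouredNet:
    """Places hold bags (Counter) of coloured tokens. Every arc carries a function
    binding -> list of tokens, where a binding assigns a colour to each variable of the
    transition. `guards` is optional and turns the net into a Pr-Tr net (Section 2.3)."""

    def __init__(self, in_arcs, out_arcs, domains, guards=None):
        self.in_arcs = in_arcs      # {(transition, place): expr}
        self.out_arcs = out_arcs    # {(transition, place): expr}
        self.domains = domains      # {transition: {variable: colours it ranges over}}
        self.guards = guards or {}  # {transition: predicate(binding)}

    def bindings(self, t):
        names = list(self.domains[t])
        for values in product(*(self.domains[t][n] for n in names)):
            yield dict(zip(names, values))

    def enabled(self, marking, t, binding):
        """Enabled iff the guard holds and every input place covers the bag its arc demands."""
        if t in self.guards and not self.guards[t](binding):
            return False
        for (tt, p), expr in self.in_arcs.items():
            if tt != t:
                continue
            have = marking.get(p, Counter())
            if any(have[c] < n for c, n in Counter(expr(binding)).items()):
                return False
        return True

    def enabled_bindings(self, marking, t):
        return [b for b in self.bindings(t) if self.enabled(marking, t, b)]

    def fire(self, marking, t, binding):
        """Remove the input bags and add the output bags; returns a new marking."""
        if not self.enabled(marking, t, binding):
            raise ValueError(f"{t} is not enabled for {binding}")
        new = {p: Counter(bag) for p, bag in marking.items()}
        for (tt, p), expr in self.in_arcs.items():
            if tt == t:
                new[p] = new.get(p, Counter()) - Counter(expr(binding))
        for (tt, p), expr in self.out_arcs.items():
            if tt == t:
                new.setdefault(p, Counter()).update(expr(binding))
        return new


N = 5                       # five philosophers P0..P4 and five forks f0..f4 (constructed names)


def nxt(i):                 # i (+) 1 of the text: (i + 1) mod 5
    return (i + 1) % N


def philosopher(b):         # arc label P_i
    return [f"P{b['i']}"]


def two_forks(b):           # arc label {f_i, f_(i (+) 1)}
    return [f"f{b['i']}", f"f{nxt(b['i'])}"]


PHILOSOPHERS = ColouredNet(
    in_arcs={("take", "think"): philosopher, ("take", "free"): two_forks,
             ("put", "eat"): philosopher},
    out_arcs={("take", "eat"): philosopher,
              ("put", "think"): philosopher, ("put", "free"): two_forks},
    domains={"take": {"i": range(N)}, "put": {"i": range(N)}},
)
PHILOSOPHERS_M0 = {"think": Counter(f"P{i}" for i in range(N)),
                   "free": Counter(f"f{i}" for i in range(N)),
                   "eat": Counter()}

# Pr-Tr transition in the spirit of Fig. 6: tokens x, y, z are taken only in lexical order.
LETTERS = ["a", "b", "c"]
ORDERED = ColouredNet(
    in_arcs={("sort", "in"): lambda b: [b["x"], b["y"], b["z"]]},
    out_arcs={("sort", "out"): lambda b: [b["x"] + b["y"] + b["z"]]},
    domains={"sort": {"x": LETTERS, "y": LETTERS, "z": LETTERS}},
    guards={"sort": lambda b: b["x"] < b["y"] < b["z"]},
)
ORDERED_M0 = {"in": Counter(LETTERS), "out": Counter()}

if __name__ == "__main__":
    m1 = PHILOSOPHERS.fire(PHILOSOPHERS_M0, "take", {"i": 0})
    print(PHILOSOPHERS.enabled_bindings(m1, "take"))  # only i = 2 and i = 3 still have both forks
    print(ORDERED.enabled_bindings(ORDERED_M0, "sort"))  # the single binding x = a, y = b, z = c
```

After philosopher P0 has taken forks f0 and f1, only P2 and P3 still find both of their forks in the "free" place, and once P2 has taken f2 and f3 nobody else can eat until a "put" fires; this is the neighbouring-forks constraint that the uncoloured net of Fig. 5a cannot express with a single fork place.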
2.3. Predicate-Transition nets - Pr-Tr nets

In complex cases, the identity of the tokens is not sufficient to model systems: some relationships between the tokens must be accounted for. This is the aim of Pr-Tr nets in which, for a transition to fire, the individual tokens must be present in the places and a given relationship between them has to be fulfilled [15,16]. A further level of compactness is obtained: though they have the same power as Pl-Cl nets, they lead to more compact representations. In these nets, enabling predicates whose parameters are tokens may be associated with the transitions. As before, the definition is not a formal one. For the (rather complex) formal definition, consult [15,16]. The important point is to understand the new potentialities resulting from the use of predicates.

Definition 12. A predicate-transition net is constituted of:
1. A Place-Coloured net;
2. A set of predicates associated with each transition (inscriptions in the transitions); they give the relationships which have to hold between the input tokens for the transition to fire.

Note that, for a transition to fire, the transition must be enabled, the names must match and the predicate must be true. An example of firing, taken from [16], is given in Fig. 6. The relationship refers to lexical ordering; the notation $\emptyset$ indicates that usual (not coloured) tokens are considered.

Fig. 6. Firing in predicate-transition nets. Transition will fire by the enabling assignments: x = a, y = b, z = c. [Figure: 6.a before firing, 6.b after firing.]

2.4. Predicate-Action nets - Pr-Ac nets

In Pr-Tr nets, predicates apply to the input places of the transitions and operations give new tokens in output places. Another way to describe systems divides them into a control part and a data part [22]. It consists of a Petri net, places representing control states (the instruction pointer), and transitions representing the changes between states. In addition, each transition has an expression of the form "predicate; action" attached to it.

Definition 13. A Predicate-Action net (Pr-Ac net) consists of:
a) a Petri net which in [22] is safe (this implies that the arc weights are only one) (see next Section);
b) a set of labels attached to the transitions; each transition t has an expression of the form "when $P_t(x)$ do $x' \leftarrow F_t(x)$" attached to it, $P_t$ being a predicate and $F_t$ an action, both on the vector x of program variables.

Note once more that for a transition to fire, it must be enabled and its predicate must be true. When the transition fires, its associated action is executed in an atomic way and the new marking is reached. In order to use Pr-Ac nets to model protocols, a message-specific representation has been introduced [64-66]: following the notation of CSP [105], a specific predicate, A?m, when true, will mean that message m has been received from process A, and a specific action, A!m, means that a message m is being sent to process A (without any semantic consideration). Fig. 7 gives the general form of a transition in Pr-Ac nets. Fig. 8 shows an example that uses these nets: it represents an exchange of messages between two processes, A and B.

Fig. 7. A transition in Pr-Ac nets. [Figure: a transition bar labelled "WHEN P(X) ... F(X)".]

Another graphical model, called numerical Petri nets (NPN), having predicates and actions, has been developed in [40]. The difference with Pr-Ac nets is that, in NPN, there exist specific memory-reference enabling conditions referring to memory read data. NPNs and Pr-Ac nets are equivalent.

2.5. Timed Petri nets
As has been shown, nets can describe systems that perform actions. The corresponding operations require some finite time and it would be interesting, if possible, to express these execution times.

Two different studies were conducted at about the same time. The first approach appeared in [53]. Timed Petri nets are defined by attaching a value to each transition: its firing duration. The purpose was not verification but the evaluation of the time needed by cyclical computations in order to derive limits for the computation rates. Not all nets can be analyzed but only the ones that are safe, live and persistent or the ones that can be decomposed into a set of state machines. The second approach [51,52] is directly related to protocols. Time (Out) Petri nets are defined by attaching a pair $(t_{min}, t_{max})$ of values to each transition: they are interpreted as an interval of time in which the transition must fire. The first value gives the minimal time the transition, after being enabled, must wait before it can be fired. The second value gives the maximal time before which the transition must be fired if it is still enabled. Note that: (a) for the transition to fire between $t_{min}$ and $t_{max}$, it must stay enabled between $t_{min}$ and $t_{max}$; (b) if the transition has not been fired before $t_{max}$ and if it is still enabled then it fires at $t_{max}$. This approach allows [52] to specify recoverable systems, i.e. systems that have some transitions that fire even if tokens are lost (representing lost messages, for instance). Those transitions act as time-outs [51]. In studies concerning timed and time-out Petri nets, formal verification is not addressed. Some examples relating the verification of Petri nets to that of timed Petri nets are given in [50]:
- a sufficient condition for a timed Petri net to be bounded is that the related Petri net (the net obtained when removing the time values) be also bounded;
- it is neither necessary nor sufficient that the related Petri net be live for a timed Petri net to also be live, and vice versa.
Other studies have been devoted to performance analysis of timed nets (see for instance [54,55]) but very few to verification. Work is now being conducted on this latter aspect.

Fig. 8. Using Pr-Ac nets in message passing. [Figure: the transitions of processes A and B, labelled with "WHEN ..." predicates on received messages and "DO USE RESULTS" actions.]
2.6. Comments

It appears that some kind of increasing generality, complexity and compactness comes when going from type II.a to type II.e (i.e. from the nets of Section 2.1 to those of Section 2.5). The problem is then to select the most appropriate specification and description tool in each specific application. In fact, a quite important criterion for selecting the model is the possibility of analysing its properties. It appears that the simpler the model, the more efficient the analyses. The problem is to clearly understand the analysis difficulties inherent to the specification: for instance, if the model is too complex, then only simulation is in fact possible for sophisticated systems; [8] and [40] make this point well. As a consequence, as protocols have highly parallel behavior, the possibility of formal verification is quite important: it is developed in the next section before discussing the way Petri nets can be typically used to model protocols and their relation to state machine models. Note that timed nets will not be discussed any more because very few results exist.
3. Analysis of Nets

One of the important features of Petri net based models is that they support rather powerful analyses at different abstract levels of specification. With respect to Petri net analysis, two kinds of validation can be carried out:
• general validation: some properties have to be checked and have to be satisfied whatever the net, i.e. whatever the system being designed. Such properties are the most classical ones, such as: is the formal model bounded, proper, live, deterministic, determinate, ...?
• specific validation: the properties that have to be verified depend heavily on the functional characteristics of the system, and then they will generally be expressed by using invariants. For instance, invariants that must hold for the states of the system are easily expressed because the states are represented by the places of the net.

3.1. General Validations

3.1.1. Petri nets

Definition 14. A bounded Petri net: see Definition 9. If a net is not bounded, then sequences exist which can cause the implementation capacity to be overflowed. Note: if n = 1 the Petri net is said to be safe. As will appear in the examples, in the general case some places of the net have to be safe and the others must be bounded: thus the net has to be bounded in any case.

Definition 15. A Petri net is proper for an initial marking $M_0$ iff $\forall M_i \in \mathcal{M}_0$ there exists $\sigma_i$ such that $M_i \xrightarrow{\sigma_i} M_0$, i.e. $M_0 \in \mathcal{M}_i$. If the Petri net is not proper then its behavior cannot be repetitive because reinitialization may not occur.

Definition 16. A Petri net is live for an initial marking $M_0$ iff $\forall M_i \in \mathcal{M}_0,\ \forall t \in T,\ \exists \sigma$, a legal firing sequence from $M_i$, such that $\sigma$ contains t. This means that any arbitrary transition is ultimately firable from any state: no transition of the system becomes unfirable at any time. Note that if the system is in deadlock then no transition can be fired. For analysis algorithms see for instance [37] for approaches using $\mathcal{M}_0$, and [11,24] for interesting approaches decreasing the number of possible reachable markings by reductions, i.e. without enumeration of $\mathcal{M}_0$.

3.1.2. Pl-Cl and Pr-Tr nets

The same properties can be used with Pl-Cl and Pr-Tr nets. This is because the firing rules, in spite of their increased complexity, allow one to look for $\mathcal{M}_0$, the set of the reachable markings. The problem is that the identities of tokens, although reducing the size of the net (the model), do not decrease the number of possible states of the system. Thus $\mathcal{M}_0$ can be a fairly big set and work is being carried out to check for those properties without building $\mathcal{M}_0$.

3.1.3. Pr-Tr and Pr-Ac nets

The philosophy of the analyses for the predicate nets is the following: if the labelled Petri net contains at least one predicate associated with at least one transition, this predicate or these predicates can only decrease the number of reachable markings compared to the same net with all predicates ignored (i.e., a classical Petri net). Thus: PN bounded $\Rightarrow$ predicate PN bounded, but: PN live $\nRightarrow$ predicate PN live. Then liveness has to be checked. If q is a state (marking and data), a possible way given in [22] is to use the notion of a home state $q_h$ such that:
i) $\forall q' \in \mathcal{Q}_0,\ \exists \sigma$ such that $q' \xrightarrow{\sigma} q_h$ ($q_h$ is always reachable);
ii) $\forall t,\ \exists q'',\ \exists \sigma$ such that $q_h \xrightarrow{\sigma} q'' \wedge t$ is firable from $q''$.
Note that proving i) can be done by using the concept of a norm with zero-state [22] and proving that $q_h$ is a norm with zero-state, i.e. $\mu(q) = 0 \Leftrightarrow q = q_h$, and $\forall q,\ \mu(q) \neq 0 \Rightarrow \exists \sigma\, \exists q'$ reached from q by $\sigma$ with $\mu(q') < \mu(q)$.

Note also that (labelled) Pr-Ac nets make the use of two levels of validation possible [37]:
- Level 1 applies only to the control structure of the system, this control structure being modelled by a Petri net which allows checking for boundedness, liveness, etc.
- Level 2 applies to the whole system, when the predicates and actions are specified. The formal proof is done by using assertions and invariants. This level is the classical one usually used in proving the correctness of programs.
Note that the complexity of the levels can be increased if the data graph is accounted for [37,39], because another level allows checking for the determinacy property. Furthermore, we consider that, in any case, the unlabelled net (i.e., the corresponding classical Petri net) must be analysed and proven correct before analyzing the Pr-Ac net itself.
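The two levels of validation of a Pr-Ac net, and the point that predicates can only remove reachable markings, as an added example in Python that is neither the paper's nor [22]'s code: the control net is the safe Petri net of two processes A and B exchanging messages in the manner of Fig. 8 (Section 2.4), and each transition carries a "when $P_t(x)$ do $x' \leftarrow F_t(x)$" label. The CSP-style A?m and B!m are modelled as a predicate on, and an action over, a data vector x holding a send counter and the two channels. The process and transition names, the channel encoding and the limit of two messages are assumptions made here. Level 1 drops the labels and analyses the unlabelled net; level 2 keeps them, and the comparison shows that the labelled net reaches a subset of the unlabelled net's markings (so it inherits boundedness) but loses liveness.

```python
"""Pr-Ac net (Definition 13) with the two levels of validation of Section 3.1.3.
Added example; the protocol below is constructed in the spirit of Fig. 8."""
from collections import deque


class PrAcNet:
    """A safe control net (a marking is the frozenset of marked places, arc weights 1)
    whose transitions carry 'when P_t(x) do x' <- F_t(x)' labels over a data vector x."""

    def __init__(self, arcs, labels):
        self.arcs = arcs      # {t: (input places, output places)}
        self.labels = labels  # {t: (predicate P_t, action F_t)}

    def enabled(self, state, t, ignore_labels=False):
        m, x = state
        if not all(p in m for p in self.arcs[t][0]):  # control enabling (Definition 4)
            return False
        return ignore_labels or self.labels[t][0](x)  # ... and the predicate must be true

    def fire(self, state, t, ignore_labels=False):
        if not self.enabled(state, t, ignore_labels):
            raise ValueError(f"{t} is not enabled in {state}")
        m, x = state
        ins, outs = self.arcs[t]
        m2 = frozenset((m - set(ins)) | set(outs))
        x2 = x if ignore_labels else self.labels[t][1](x)  # the action, executed atomically
        return (m2, x2)


def reachable_states(net, s0, ignore_labels=False):
    """Forward class of (marking, x) states. With ignore_labels=True only the control
    net is explored (level 1 of the text); with the labels it is level 2."""
    seen, queue = {s0}, deque([s0])
    while queue:
        s = queue.popleft()
        for t in net.arcs:
            if net.enabled(s, t, ignore_labels):
                s2 = net.fire(s, t, ignore_labels)
                if s2 not in seen:
                    seen.add(s2)
                    queue.append(s2)
    return seen


def reachable_markings(net, s0, ignore_labels=False):
    return {m for m, _ in reachable_states(net, s0, ignore_labels)}


def is_live(net, s0, ignore_labels=False):
    """Definition 16 checked over the enumerated state space (small nets only)."""
    states = reachable_states(net, s0, ignore_labels)
    return all(any(net.enabled(s2, t, ignore_labels)
                   for s2 in reachable_states(net, s, ignore_labels))
               for s in states for t in net.arcs)


def deadlocks(net, s0, ignore_labels=False):
    return {s for s in reachable_states(net, s0, ignore_labels)
            if not any(net.enabled(s, t, ignore_labels) for t in net.arcs)}


# Constructed protocol: A sends m to B and waits for an ack; B receives m and replies.
# x = (messages sent so far, channel A -> B, channel B -> A), all immutable.
PROTOCOL = PrAcNet(
    arcs={"A_send":  (["A_idle"], ["A_wait"]),
          "A_ack":   (["A_wait"], ["A_idle"]),
          "B_recv":  (["B_idle"], ["B_busy"]),
          "B_reply": (["B_busy"], ["B_idle"])},
    labels={
        "A_send":  (lambda x: x[0] < 2,                              # at most two messages
                    lambda x: (x[0] + 1, x[1] + ("m",), x[2])),     # B!m
        "A_ack":   (lambda x: len(x[2]) > 0 and x[2][0] == "ack",   # B?ack ...
                    lambda x: (x[0], x[1], x[2][1:])),              # ... consumed by the action
        "B_recv":  (lambda x: len(x[1]) > 0 and x[1][0] == "m",     # A?m
                    lambda x: (x[0], x[1][1:], x[2])),
        "B_reply": (lambda x: True,
                    lambda x: (x[0], x[1], x[2] + ("ack",))),       # A!ack
    })
S0 = (frozenset({"A_idle", "B_idle"}), (0, (), ()))

if __name__ == "__main__":
    # Level 1: the unlabelled control net is safe (4 markings) and live.
    print(len(reachable_markings(PROTOCOL, S0, True)), is_live(PROTOCOL, S0, True))
    # Level 2: the labels leave 3 markings, liveness is lost and one terminal state remains.
    print(len(reachable_markings(PROTOCOL, S0)), is_live(PROTOCOL, S0), deadlocks(PROTOCOL, S0))
```

The marking {A_idle, B_busy} is reachable in the unlabelled net (B may fire B_recv at any time) but not in the labelled one, because B_recv needs a message in the channel; and since A stops after two messages, the labelled net ends in the state ({A_idle, B_idle}, (2, (), ())) from which nothing fires. That terminal state is a deadlock in the Petri net sense even though the protocol has simply completed, which is why the text insists that liveness has to be re-checked on the labelled net.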
3.2. Specific Validations
The previous validation properties were called general validations, meaning that they have to be fulfilled whatever the net. Obviously, each system has certain specifics. Thus some possibilities may exist to express and prove their specific properties. The best known way is to use invariants, which are assertions that must always be true for a given system. Of interest is that, in Petri nets, specific invariants can be deduced from the structure of the net itself.

3.2.1. Petri Nets

In Petri nets, two kinds of invariants are of interest: invariants that apply to the set of places (i.e., invariants that apply to the states, the resources, of the system) and invariants that apply to the set of transitions (i.e., invariants that apply to the firings of the transitions). A key point is that these invariants, called net invariants, can be deduced from the net structure [23]. As an example, Fig. 9a shows a very simple net and an associated place invariant, M(p) being the number of tokens in place p. Fig. 9b gives another net and an associated transition invariant, N(t) being the number of firings of transition t. The concept of linear invariants appears in [23]. In [28,34] invariant and consistent Petri nets were considered. [12,13] proposed a method to obtain the invariants and check if they fulfil the designer's requirements, i.e. the designer's invariants; integer linear programming is used.

Fig. 9. Two quite simple invariants for simple nets. [Figure: 9.a a net with places $p_1$, $p_2$ and the place invariant $M(p_1) + M(p_2) = 4$; 9.b a net with transitions $t_1$, $t_2$ and a transition invariant relating $N(t_1)$ and $N(t_2)$.]

Definition 17. Let S be a firing sequence firable from a marking $M_0$ and let $\bar{S}$ be a column vector representing the firing count (or degree) of the sequence S. $\bar{S}$, $M_0$ and the marking M reached by firing S from $M_0$ are related by the equation:
(0) $M = M_0 + C \cdot \bar{S}$.
This is because $M_1 = M_0 + C \cdot X_1$, ..., $M = M_n = M_0 + C \cdot \sum_{i=1}^{n} X_i = M_0 + C \cdot \bar{S}$.

Definition 18. Let $\bar{x}$ be a solution of the system $C^t \cdot x = 0$; $\bar{x}$ is called a place invariant and the equations $\bar{x}^t \cdot M = \bar{x}^t \cdot M_0$ are marking invariants. This is because, from (0), it can be deduced by transposition that $\bar{x}^t \cdot M = \bar{x}^t \cdot M_0 + \bar{x}^t \cdot C \cdot \bar{S}$. As $\bar{x}^t \cdot C = 0$, it follows that $\bar{x}^t \cdot M = \bar{x}^t \cdot M_0 = $ constant; $\bar{x}^t \cdot M$ defines a marking invariant of the net since, whatever the possible firings, the sum $\sum_i x_i \cdot M(p_i)$ is a constant depending only on the net and its initial marking $M_0$. In the same way, considering $C \cdot x = 0$ leads to transition invariants that give the firing counts of possible cyclic firing sequences of transitions in the given nets [12], because $M = M_0 + C \cdot \bar{S} = M_0 + C \cdot \bar{S} + C \cdot \bar{x} = M + C \cdot \bar{x} = M$, and M is reached again after a sequence of degree $\bar{x}$. A significant example using invariants in protocol verification will be given in Section 4.

Consequently, a possible approach for proving specific properties in systems is to automatically deduce the invariants from the net structure and then to manually prove that these net invariants imply the specific ones given by the designer. A second possible approach is to prove specific invariants directly with the net ones. For this to be possible, the specific invariants must be expressed using linear relationships between places or between transitions [12]. Fortunately, classical invariants can be expressed by such relationships and the proof then becomes automatic because it consists of solving linear systems of inequations with integer variables [13]. It should be noted that there is a connection between general and specific properties. For example, net invariance (called "conservative PN" in [26]) can be defined [26] as a property of a net such that all its places belong to at least one invariant. This structural property is such that: place invariance $\Rightarrow$ boundedness; place invariance provides another way of checking whether a net is bounded by using integer linear programming, i.e. without enumeration.

3.2.2. Pl-Cl, Pr-Tr and Pr-Ac nets

The problem is much more difficult because the support of linear algebra no longer exists. In Pl-Cl nets, linear functions have to be handled instead of integers, and in Pr-Tr nets formal sums and relationships have to be manipulated: algorithmic methods for automatically finding invariants are under study. When trial invariants are given by the user, it is much simpler to check whether they are indeed invariant. The difference between Pl-Cl nets and Pr-Tr nets is that dealing with invariants looks much simpler in the former case because of the difference in their structure [21].

In Pr-Ac nets, because of their generality, the checking of invariants by using the induction principle has been proposed in [22].

Definition 19. A predicate J is said to be $M_0$-invariant iff for each M such that $M \in \mathcal{M}_0$, J(M) is true.
Definition 20. A predicate J is said to be M0-inductive iff:
J( Mo)
(i)
and VM, M', ( ( J ( M ) A M ~ M ' } 3 J ( M ' ) }
(ii)
Proposition: I f J & qo-inductive, it & qo-invariant. • Applying the principle does not require a complete characterization of the reachability set: after checking that, (i) holds, it is only necessary to show that, for each transition, (ii) holds. Here the specific invariants can apply to the labels, i.e. can include variables inside a data part. The resulting approach is rather complex. What is hoped is that this step will be easier if the net invariants are already given by analyzing unlabelled net.
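Place invariants and the inductive check of Definition 20 on a small request/acknowledge net, as an added example (my own code and net, not the paper's or Ogive's): the place invariants are the left null space of the incidence matrix C (y.C = 0), a semi-positive invariant bounds every place it covers (place invariance ⇒ boundedness), and step (ii) of Definition 20 is checked transition by transition, without building the reachability set. The place and transition names are mine.

```python
from fractions import Fraction
from itertools import product

# Constructed net: a sender and a receiver coupled through two shared places,
# REQ (request in transit) and ACK (acknowledgement in transit).
PLACES = ["S_idle", "S_wait", "R_idle", "R_busy", "REQ", "ACK"]
TRANSITIONS = {  # name -> (places consumed, places produced); all arc weights are 1
    "send":  ({"S_idle": 1}, {"S_wait": 1, "REQ": 1}),
    "recv":  ({"R_idle": 1, "REQ": 1}, {"R_busy": 1}),
    "reply": ({"R_busy": 1}, {"R_idle": 1, "ACK": 1}),
    "done":  ({"S_wait": 1, "ACK": 1}, {"S_idle": 1}),
}
M0 = (1, 0, 1, 0, 0, 0)  # both idle, medium empty

def incidence():
    """C[p][t] = post(p,t) - pre(p,t), so firing t maps M to M + C[:,t]."""
    return [[post.get(p, 0) - pre.get(p, 0) for pre, post in TRANSITIONS.values()]
            for p in PLACES]

def fire(m, t):
    """Marking reached from m by firing t, or None if t is not enabled in m."""
    pre, post = TRANSITIONS[t]
    if any(m[i] < pre.get(p, 0) for i, p in enumerate(PLACES)):
        return None
    return tuple(m[i] - pre.get(p, 0) + post.get(p, 0) for i, p in enumerate(PLACES))

def is_invariant(C, y):
    """y is a place invariant iff y.C = 0: every transition leaves y.M unchanged."""
    return all(sum(y[i] * C[i][j] for i in range(len(C))) == 0 for j in range(len(C[0])))

def nullspace(A):
    """Basis of {y : A.y = 0} by Gauss-Jordan elimination over the rationals;
    with A = C transposed this is a basis of all place invariants."""
    rows = [[Fraction(v) for v in row] for row in A]
    ncols, pivots, r = len(rows[0]), [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue  # no pivot: column c is a free variable
        rows[r], rows[piv] = rows[piv], rows[r]
        rows[r] = [v / rows[r][c] for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in [c for c in range(ncols) if c not in pivots]:
        y = [Fraction(0)] * ncols
        y[free] = Fraction(1)
        for i, pc in enumerate(pivots):
            y[pc] = -rows[i][free]
        basis.append(y)
    return basis

def bounds_from_invariants(invariants, m0):
    """Place invariance => boundedness: a semi-positive invariant y gives
    M(p) <= (y.M0) / y[p] for every place p with y[p] > 0, in every reachable M."""
    bound = {}
    for y in invariants:
        if any(v < 0 for v in y):
            continue  # only semi-positive invariants yield bounds
        k = sum(a * b for a, b in zip(y, m0))
        for i, p in enumerate(PLACES):
            if y[i] > 0:
                bound[p] = min(bound.get(p, k // y[i]), k // y[i])
    return bound

def inductive_counterexample(J, universe):
    """Step (ii) of Definition 20: look for M, t with J(M) true and J(M') false,
    M' = fire(M, t).  None means every transition preserves J on the universe."""
    for m in universe:
        if J(m):
            for t in TRANSITIONS:
                m2 = fire(m, t)
                if m2 is not None and not J(m2):
                    return m, t, m2
    return None

C = incidence()
BASIS = nullspace([list(col) for col in zip(*C)])  # rows of C transposed = transitions
# Trial invariants as a user would supply them; each is checked, not trusted.
TRIALS = [(1, 1, 0, 0, 0, 0), (0, 0, 1, 1, 0, 0), (1, 0, 0, 1, 1, 1)]
BOUNDS = bounds_from_invariants(TRIALS, M0)
# Every marking satisfying all three trial invariants is 0/1 in every place, so
# this universe contains all of them and the inductive check of J_strong is complete.
UNIVERSE = list(product((0, 1), repeat=len(PLACES)))

def dot(y, m):
    return sum(a * b for a, b in zip(y, m))

def J_strong(m):
    """Conjunction of the three trial invariants: an inductive predicate."""
    return all(dot(y, m) == dot(y, M0) for y in TRIALS)

def J_weak(m):
    """'At most one message in the medium': true of every reachable marking,
    yet not inductive on its own (the counterexample found is unreachable)."""
    return m[PLACES.index("REQ")] + m[PLACES.index("ACK")] <= 1

if __name__ == "__main__":
    print("basis of place invariants:", [[str(v) for v in y] for y in BASIS])
    print("trial invariants hold:", [is_invariant(C, y) for y in TRIALS])
    print("structural bounds:", BOUNDS)
    print("J_strong inductive:", inductive_counterexample(J_strong, UNIVERSE) is None)
    print("J_weak counterexample:", inductive_counterexample(J_weak, UNIVERSE))
```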
3.3. Note - Suggestion
It could be of interest, in some cases and for some applications, to consider another class of nets, Place-Action nets (Pl-Ac nets), which are Petri nets with actions associated with the transitions but without any predicate (see Fig. 15b as an example). This is because, in those nets, the forward marking graph is the same as that of the corresponding Petri net, the one obtained by deleting the actions. As a consequence, boundedness and liveness properties and invariants can be derived from the Petri net. They can then be used for dealing with specific properties, or those specific properties can be checked by using M0-induction as in [22]. This class of nets is only being suggested and its value has not been proved yet.
3.4. Validation of Complex Nets
When dealing with complex systems such as protocols, the graphic model size can be reduced by using Pl-Cl nets or Pr-Tr nets, as already seen, and also by using the concept of "module". If these modules are too complex, some "reduction rules" can be used to decrease their complexity. Both points have been dealt with in the pioneering work of [87,88]. The basic intention of the reduction is to preserve the external behavior of the module while simplifying its internal structure.
3.4.1. Modules and Reduction
Definition 21. A subgraph or a module (W, B) of a bigraph G = (V, A) is any portion of G in which some nodes act as input nodes and some others as output nodes.

In [88] completely reducible modules are looked for. The reduction rules are the ones given by [14], which perform substitutions on the set of transformation expressions (TE) defining the graph (the net). For instance, Fig. 10 gives a module for a request-acknowledge protocol described in terms of a UCLA graph, a Petri net and a set of transformation expressions. In [14]'s work, the reduction procedure performs substitutions on the right-hand side and eliminates other TE's from the set of TE's. In the example given in Fig. 10, when the reduction procedure cannot operate any further, then S = X: the graph and the set of TE's are completely reducible. It is also possible that the set of TE's will not be completely reduced, or even reduced at all. Reduction rules have been developed by other authors: [18] with serial reduction, parallel reduction and pipeline reduction, [11] with substitution of places, deletion of implicit places and simplification of identity and identical transitions. All can be used to simplify modules. Modules have also been used in [44,49,65,66,70,71].
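The TE reduction of 3.4.1 run on the module of Fig. 10, as an added example (my simplified rendering of the substitution procedure, not the code of [14] or SARA): the TE set is the one read off Fig. 10c (S → A,B; A → C,M; B,M → D; D → F,R; C,R → E; E,F → X), right-hand sides are substituted into the expression derived from the input node S until either the output node X alone remains (completely reducible, S = X) or no TE applies. A constructed variant with the responder's reply D → F,R removed shows a module that is not completely reducible.

```python
from collections import Counter

# Fig. 10c transcribed: (left-hand side, right-hand side) of each TE, nodes comma-separated
FIG10_TES = [("S", "A,B"), ("A", "C,M"), ("B,M", "D"),
             ("D", "F,R"), ("C,R", "E"), ("E,F", "X")]
# Constructed variant: the responder never replies (no D -> F,R), so the
# requester waits for R forever and the module cannot reduce to X.
NO_REPLY_TES = [te for te in FIG10_TES if te[0] != "D"]

def parse(tes):
    """Each side of a TE is a multiset of nodes (a node may occur more than once)."""
    return [(Counter(lhs.split(",")), Counter(rhs.split(","))) for lhs, rhs in tes]

def reduce_module(tes, source="S", sink="X"):
    """Start from the module's input node and repeatedly substitute the
    right-hand side of any TE whose left-hand side is contained in the current
    expression.  Every substitution order is explored, so the verdict does not
    depend on how the TE's are listed.  Returns (completely_reducible, detail):
    detail is the final expression {sink: 1} on success, otherwise the list of
    expressions on which no TE applies any more."""
    rules = parse(tes)
    start, goal = Counter({source: 1}), Counter({sink: 1})
    seen, stack, stuck = {frozenset(start.items())}, [start], []
    while stack:
        expr = stack.pop()
        if expr == goal:
            return True, dict(expr)
        applicable = [(lhs, rhs) for lhs, rhs in rules
                      if all(expr[n] >= k for n, k in lhs.items())]
        if not applicable:
            stuck.append(dict(expr))
        for lhs, rhs in applicable:
            nxt = expr - lhs + rhs  # Counter arithmetic drops nodes whose count hits 0
            key = frozenset(nxt.items())
            if key not in seen:
                seen.add(key)
                stack.append(nxt)
    return False, stuck

def derivation(tes, source="S", sink="X"):
    """One substitution sequence (first applicable TE each time), for display."""
    rules = parse(tes)
    expr, trail = Counter({source: 1}), [{source: 1}]
    while expr != Counter({sink: 1}):
        rule = next(((l, r) for l, r in rules
                     if all(expr[n] >= k for n, k in l.items())), None)
        if rule is None:
            return trail  # stuck along this order
        expr = expr - rule[0] + rule[1]
        trail.append(dict(expr))
    return trail

if __name__ == "__main__":
    print("Fig. 10 module:", reduce_module(FIG10_TES))
    print("derivation:", " -> ".join(",".join(sorted(Counter(e).elements()))
                                     for e in derivation(FIG10_TES)))
    print("no-reply variant:", reduce_module(NO_REPLY_TES))
```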
3.4.2. Software Tools
An important point when complex nets are considered is the existence of software packages to handle proofs. In the case of Petri nets, as indicated by a questionnaire during the 2nd European Workshop on Theory and Applications of Petri Nets (Sept. 1981), a few industrial packages were or are being developed for simulation (see for instance [59,41,58]). One appears to be available for proving net properties. Originally called Ogive [57,60], it is now being commercialized by the French software company "Syseca" under the name "Ovide". This package, under development at the LAAS-CNRS since 1977, provides the following features with respect to Petri nets:
i) checking general properties (is the net bounded, proper, live) by using the set of reachable markings, reduction rules applied directly on the nets, or global invariants;
ii) automatically deriving place and/or transition invariants from the nets using some interesting approaches: base of invariants, support of invariants, elementary invariants, invariants including some given places (or transitions) and not including some others, etc.;
iii) an interactive graphical input, which can be used to derive abstract views.
With such a tool, it is possible to go through the validation phase either by using classical analyses, i.e. following the enumerative approach, or by using structural analysis, i.e. using the set of invariants. Some examples using Ogive-Ovide are given in the next section. Another interesting tool, UCLA's SARA [91], is also being developed and used for control analyses. Based on the use of the UCLA Graph Model of Behavior, SARA appears more developed than Ogive-Ovide as far as the graphical input is concerned, because a data graph can be included in the SARA specification, but it appears much less efficient as far as analyses are concerned, because SARA does not treat invariants.
Fig. 10. The request-acknowledge protocol by a UCLA graph (10.a), a Petri net (10.b) and transformation expressions (10.c: S → A,B; A → C,M; B,M → D; D → F,R; C,R → E; E,F → X).

3.4.3. Methodologies for Easily Multilevel Verifiable Design
Even when using efficient validation approaches, some problems occur when dealing with complex systems. One solution, besides verifying efficiently, is to design the systems so that they are easier to verify.
3.4.3.1. One Input - One Output Top-Down Approach. Use a top-down approach for specifying and proving. Such a methodology should enable the proof to be split into smaller independent ones: when all subnets have been verified, the overall net representing the design of the whole system is known to be correct without further analysis. Such an approach for Petri nets is given in [35,36]. The problem is that in communicating systems, top-down design is much more difficult than in sequential systems. This is because in distributed communicating systems, subsystem parts usually interact in sophisticated ways.

3.4.3.2. Modular Multilevel Approach. This second approach allows the design and verification of communication protocols. Introduced in [44,87], it has been explicitly stated in [66]. This approach considers the external behavior of a module as a call to another service level; a particular level is modelled by expressing:
- its internal synchronization,
- its external ones, i.e. its interface with the needed higher levels and the required lower levels.
The corresponding interface will be defined not by using a one input-one output procedure but by a general module with multi-input nodes and multi-output nodes instead. If necessary, the modules will be reduced by using the previously given reduction rules, leading to the concept of abstract view.
4. Application to Protocol Design and Verification
The design of a complex protocol is a very hard and error-prone task. The more complex the protocols, the more numerous the errors, and this is why formal methods are needed [3]. Any formal approach must be supported by a well-structured organization such as the strongly layered OSI/ISO architecture. As a consequence, any model must account for this architectural organization of the protocols. Fig. 11 gives the global and now well-known structure of the three layers that one has to deal with when considering any level N in OSI/ISO protocols. The potential interest of Petri nets for protocol specification can be deduced from the interesting and numerous uses of transition models (i.e. models based on sequential automata concepts); for a survey of the corresponding approaches, see [2,4,8].
Fig. 11. The neighbours of layer N in the ISO-OSI architecture (layer N+1 above, layers < N below).
From such approaches, it appears that, for a given protocol, at a given level N, the model must account for [3,66]: a) the service given by the I-level layer, i.e. the interfaces with its higher level I+1, b) the service used by the I-level layer, i.e. a model of the services provided by the lower level I-1, c) the specific interacting processes which define the I-level protocol. Let us first consider a given layer N. At this level, the communicating entities will be represented by a set of communicating processes, as in [51,64,87]. In the case of Pr-Ac nets, these processes are described by (state machine) Pr-Ac nets which send and receive messages. Such a possibility is given in Fig. 12. This is the usual way of modeling, i.e., by using transition models. Then, two steps are needed to model systems: 1. each of the subsystem modules is identified and modelled by a state machine or a net, 2. the subsystems are connected together by explicit module interconnection mechanisms to give the global system model; note that these interactions must correspond to what actually happens in the implementation.
Fig. 12. Two communicating processes exchanging a message m.
The problem is how to describe the interactions, and the great interest of Petri net based models is that they allow explicit modelling of these interactions. As an example, consider the approach given in [62], in which it is proposed to model each component of the system, including the medium, by a finite state machine; Petri nets are then quite suitable because they support the possibility of connecting the resulting machines together. Let us further consider the model of a simple transmission medium given in Fig. 13a [62], in which one label (m) means that the message goes from the sender to the medium, a second label means that the message goes from the medium to the receiver, and loss means that the message is lost. Fig. 13b gives the corresponding Petri net.
4.1. Basic Models
In this example the medium can only have one message in transit. The model can be extended to deal with extra messages: their number can be bounded by N if N tokens appear in the "empty" place, or their number can be as high as needed if this place is removed (because the medium is able to hold all the messages sent). In fact, in actual modelling and verification, the model which is most used is the "shared place" representation, without the place "empty": this is because the shared place represents the fact that the message has been sent by the sender process and not yet received by the receiving process; this is indeed an actual behavior because it represents the fact that the message is in transit inside the medium. Other possibilities exist, as will be seen in Fig. 14.

Fig. 13. Equivalence between finite state machines and nets (13.a: the finite state machine of the medium; 13.b: the corresponding Petri net, with places empty, request and acknowledge).

Fig. 14. Three sender/receiver interconnection mechanisms (14.a: merging; 14.b: shared place; 14.c: request-acknowledge).

When tokens have no identity, as in the Petri net of Fig. 16a, the messages in "transit" have the same (empty) name. Messages can have different names by using the coloured net given in Fig. 16b. Note here that the messages are unordered in the place which represents the medium. If the medium is a FIFO medium, then either a Pr-Tr net (Fig. 17a) or a Pr-Ac net (Fig. 17b) can be used. In Fig. 17a, the FIFO medium is described as a net which takes one element in the first position (arc with name 1), and shifts are performed from q to q' = q + 1 while the next location q' is empty. This model has been given in [44] to describe and validate the data transfer phase in a transport protocol. In Fig. 17b, the sending and receiving of messages are associated with the appending and removing of the messages from a file F which is shared between the sender and the receiver. Note that this model employs a FIFO file data type and has to be validated using Pr-Ac net techniques. In any case, it would appear interesting to validate, as a first step, the protocol using a shared place for every exchanged and different message (if possible). The global corresponding model leads to very few constraints imposed on the medium and so must be shown correct. Such an approach has been widely used (see for example [4,43,44,51]). If necessary, as a next step, the specificity of the medium (FIFO, ...) has to be accounted for: more complex nets have to be used. Approaches using Pr-Tr nets appear in [15,17,49,96]. Approaches using Pr-Ac nets and an interesting discussion about control and data trade-offs appear in [64]. The general problem is developed in [66], which gives a methodology for the design and verification of hierarchical communication systems.

Fig. 16. A shared place in Petri nets and Pl-Cl nets (16.a: Petri net, messages in transit; 16.b: Pl-Cl net, named messages in transit).

Fig. 17. A FIFO medium described using Pr-Tr (17.a: elements indexed by position, with append and take operations) and Pr-Ac (17.b: sending appends to and reception takes the first element from a file F) nets.

Let us consider, at any given level N, a pair of transitions, one sending a message m, the other waiting for m. Thus, the N-level model is made up of the N-level protocol and the (N-1)-level service, i.e., the interconnection mechanism. The main point is that the interaction mechanism represents an abstract view of the lower levels. Numerous possibilities exist for expressing such an interaction. Three quite usual ones are given in Fig. 14. They are merging, as introduced in [105,106], transit place [51,65] and the request-acknowledge mechanism. Merging implies no buffering, direct transfer, synchronized send/receive (some sort of rendezvous); shared place implies potentially unbounded buffering, the sender being released after send; request-acknowledge implies one-message buffering, the sender being released after receiving the acknowledgement. When processes are in distinct nodes, the shared place mechanism is fundamental and, for instance, can be used for implementing the request-acknowledge mechanism. Nevertheless, other mechanisms, FIFO based (for files) or transition merging based (for rendez-vous), can model actual implementations. The example presented in Fig. 15 shows that a wrong selection can lead to an erroneous diagnosis in the analysis phase. Fig. 15a shows a quite simple protocol: process P1 or process P2 can open a connection by sending messages A or A'; only process P1 can disconnect by sending message B to P2. When those nets are connected by using the merging mechanism, Fig. 15b is obtained; the resulting net is bounded and live. When using a shared place mechanism, Fig. 15c is obtained; the net can be shown to be live but not bounded. Using the request-acknowledge interaction leads to the net of Fig. 15d, which is bounded but not live. Thus, each of the selected interactions leads to a different analytic result. Note now that two cases exist: if the abstract model of the interconnection is not known, it has to be derived from the design. 1. in a top-down design, the model has to be selected first and then verified a posteriori, 2. in a bottom-up design, the model has to be derived from the behavior of the lower levels. Let us now consider some typical examples of analyses.

Fig. 15. A simple protocol and its model by using different interaction mechanisms (15.a: the simple connect-disconnect protocol; 15.b: global net connected using merging: bounded (safe), live; 15.c: global net connected using shared place: not bounded, live; 15.d: global net using request-acknowledge: bounded, not live).

4.2. Verification Using Petri Nets

4.2.1. Alternating Bit Protocol
The model of the protocol [1,64,85,87] is given in Fig. 18. The upper part represents the "0" handling, the lower part the "1" handling. Note that the model contains the explicit assumption that the time-out is working properly; this is because the sender goes back to state "SS0" and sends the message again iff place P1 is marked, i.e., if the message or the ack has been lost. This net is bounded and live. Note also that there exists one (shared) place for each message: Data 0, Ack 0, Data 1, Ack 1.

4.2.2. Packet Switching Call Establishment Protocol
[65] gives a significant attempt in protocol modeling. By using a combination of timed Petri nets [73] and extended Petri nets [30], the opening and closing of a liaison in the end-to-end transport protocol of Cyclades is given. Modules and scenarios are first used to model the fundamental mechanisms involved in the protocol. Then, as a second step, a complete model is derived. The first part of the modelling gives a good inside view of the mechanisms; the second step is made simpler, more structured and easier. In [40,92,94], numerical Petri nets have been applied to the analysis (by using a reachability set program) of a call establishment protocol which is described in [108]. In this protocol, the two parties may initiate a connection by using four messages, SYN (→), SYN (←), ACK (→), ACK (←). The global protocol has been proved, in the fault-free situation, to terminate properly: no deadlock exists. The model has then been extended to account for possible faults occurring during the message transmissions.
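The comparison of Fig. 15 (Section 4.1) carried out in code, as an added example (my reconstruction of the connect/disconnect protocol from the text, not the paper's nets): P1 or P2 opens with A or A', only P1 closes with B; the two processes are composed with each of the three interaction mechanisms of Fig. 14 and the marking graph is explored for boundedness (a marking strictly covering one of its ancestors proves unboundedness) and liveness (every transition can be enabled again from every reachable marking). Place and transition names are mine.

```python
from collections import deque

M0 = {"P1_idle": 1, "P2_idle": 1}  # both processes disconnected

def make_net(transitions):
    """transitions: name -> (pre, post), each mapping place -> arc weight."""
    places = sorted({p for pre, post in transitions.values() for p in (*pre, *post)})
    return places, transitions

def fire(places, pre, post, m):
    if any(m[i] < pre.get(p, 0) for i, p in enumerate(places)):
        return None
    return tuple(m[i] - pre.get(p, 0) + post.get(p, 0) for i, p in enumerate(places))

# Fig. 15a as reconstructed from the text: P1 or P2 opens the connection by
# sending A or A'; only P1 closes it by sending B to P2.
def merging():
    # send and receive are merged into one transition: a rendezvous, no buffering
    return make_net({
        "A":  ({"P1_idle": 1, "P2_idle": 1}, {"P1_conn": 1, "P2_conn": 1}),
        "A'": ({"P1_idle": 1, "P2_idle": 1}, {"P1_conn": 1, "P2_conn": 1}),
        "B":  ({"P1_conn": 1, "P2_conn": 1}, {"P1_idle": 1, "P2_idle": 1}),
    })

def shared_place():
    # one transit place per message; the sender is released as soon as it sends
    return make_net({
        "send A":  ({"P1_idle": 1}, {"P1_conn": 1, "A": 1}),
        "recv A":  ({"P2_idle": 1, "A": 1}, {"P2_conn": 1}),
        "send A'": ({"P2_idle": 1}, {"P2_conn": 1, "A'": 1}),
        "recv A'": ({"P1_idle": 1, "A'": 1}, {"P1_conn": 1}),
        "send B":  ({"P1_conn": 1}, {"P1_idle": 1, "B": 1}),
        "recv B":  ({"P2_conn": 1, "B": 1}, {"P2_idle": 1}),
    })

def request_ack():
    # one-message buffering: the sender waits until the acknowledgement arrives
    t = {}
    for msg, snd, rcv, start, end in (("A", "P1", "P2", "idle", "conn"),
                                      ("A'", "P2", "P1", "idle", "conn"),
                                      ("B", "P1", "P2", "conn", "idle")):
        wait, req, ack = f"{snd}_wait_{msg}", f"req_{msg}", f"ack_{msg}"
        t[f"req {msg}"] = ({f"{snd}_{start}": 1}, {wait: 1, req: 1})
        t[f"recv {msg}"] = ({f"{rcv}_{start}": 1, req: 1}, {f"{rcv}_{end}": 1, ack: 1})
        t[f"ack {msg}"] = ({wait: 1, ack: 1}, {f"{snd}_{end}": 1})
    return make_net(t)

def marking_graph(net, m0, limit=10_000):
    """Breadth-first construction of the marking graph.  A new marking that
    strictly covers one of its ancestors proves unboundedness (the firing
    sequence between them can be repeated forever), so exploration stops there.
    Returns (edges, bounded) with edges[m][t] = successor marking."""
    places, transitions = net
    start = tuple(m0.get(p, 0) for p in places)
    parent, edges, queue = {start: None}, {start: {}}, deque([start])
    while queue:
        m = queue.popleft()
        for t, (pre, post) in transitions.items():
            m2 = fire(places, pre, post, m)
            if m2 is None:
                continue
            edges[m][t] = m2
            if m2 in parent:
                continue
            anc = m
            while anc is not None:  # walk the tree path back to the root
                if m2 != anc and all(a >= b for a, b in zip(m2, anc)):
                    return edges, False  # m2 >= anc componentwise and m2 != anc
                anc = parent[anc]
            parent[m2], edges[m2] = m, {}
            queue.append(m2)
            if len(parent) > limit:
                raise RuntimeError("marking graph too large for this exploration")
    return edges, True

def is_live(net, edges):
    """Live iff, for every transition t, every marking of the graph can reach a
    marking enabling t: backward reachability from the markings enabling t must
    cover the whole graph (a dead marking fails this for every t)."""
    preds = {m: set() for m in edges}
    for m, succ in edges.items():
        for m2 in succ.values():
            preds[m2].add(m)
    for t in net[1]:
        seen = {m for m, succ in edges.items() if t in succ}
        stack = list(seen)
        while stack:
            for p in preds[stack.pop()]:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        if len(seen) != len(edges):
            return False
    return True

def analyse(net, m0=M0):
    edges, bounded = marking_graph(net, m0)
    live = is_live(net, edges) if bounded else None  # only decided on a complete graph
    return {"bounded": bounded, "live": live, "markings": len(edges)}

if __name__ == "__main__":
    for name, net in (("merging", merging()), ("shared place", shared_place()),
                      ("request-acknowledge", request_ack())):
        print(f"{name:20s} {analyse(net)}")
```

For the shared-place composition the exploration stops at the first covering marking, so it reports unboundedness but leaves liveness undecided; the liveness of Fig. 15c claimed in the text needs a separate argument on the infinite marking graph.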
In this study the medium has been explicitly modelled and tokens with identity have been used to represent the four different message types needed in the call establishment protocol.
Fig. 18. The alternating bit with loss.
4.2.3. The Subscribers and the CCITT n° 7 Protocol: Connection-Disconnection of Entities
An example of connection-disconnection is given in [10] and [43]. It concerns the specification of subscribers with respect to the circuit switching CCITT n° 7 protocol. The informal specification was analyzed and led to the formal behavior given in Fig. 19 for a subscriber i. The left side refers to the calling procedure, the right to the called procedure. The resulting net is labeled with the interactions between i and j. Note that in the called (resp. calling) part, j is the calling (resp. called) subscriber. The global net, where the interactions are depicted by shared places, is given in Fig. 20. Here, the left side represents the calling part of the subscriber and the right side the called part of the other subscriber. This net has been shown to be bounded and live by using Ogive.

4.2.4. The X.21 Interface
The CCITT X.21 interface specification [91] has been represented in the form of a set of two state-transition diagrams, one for the DCE, one for the DTE [74]. It appeared that the separate diagrams reduce ambiguity and significantly improve understanding. Starting from the [74] specification, [91] connects together the two parts and obtains a Graph Model of Behavior (GMB). The most important aspect of the model refers to the control specification by using UCLA graphs. The control part of the GMB has been analyzed using the SARA system, which applies reduction operations on the TE's (see Fig. 10c) and obtains all the control states of the forward marking graph. From this analysis, many ambiguities due to collisions have been detected. This is quite in agreement with the interesting work in [74]. As a consequence, the automatic analyses lead to a new and improved model of the interface that removes the ambiguities and gives a correct analysis:
- transitions have been added to specify the reception of every possible incoming signal,
- states have been added to deal with the remaining four errors, to explicitly represent intermediate situations of the DTE and the DCE.
By analysis of the forward marking graph, the protocol has been shown to be bounded, proper and live. Then the validation has been extended by manual intervention to prove that no non-well-behaved states may be reached and that no unsynchronized cycles are allowed.

Fig. 19. Calling and called procedure interaction model (left: calling procedure; right: called procedure; transitions T1 to T23 labelled with the messages exchanged between subscribers i and j).
4.2.5. Three Level Multiprocessor Using Channels
Let us consider an example which has been implemented [66]. It consists of a three-level protocol for real-time process control: the task level, the channel level and the physical level. The tasks use channels to communicate; one channel is defined for each pair of user processes and accessed by using two primitives: Send (S), Receive (R). The channel service, seen from the user level, is given in Fig. 21a. The user calls the channel either by calling Send (S) and waiting for the end of the sending (S̄), or by calling Receive (R) and waiting for its end (R̄). The channel level itself has two parts. The left part refers to the procedure that sends; the right part to the procedure that receives.
Before sending message M, both the sender and the receiver must be ready. The channel itself is given in Fig. 21b. Upon the reception of R, sent by the user process, the receiving (left) part of the channel sends an AUThorization to the sending part and waits for the message. The message is sent by the sending part of the channel when the primitive Send has been called (S) and AUT has been received. After sending MES, the channel becomes free. As the channel uses two messages, AUT and MES, the corresponding transitions have to be connected depending on the lower level, the physical level. Suppose that the abstract view of Fig. 21c may be used at the physical level. Then, connecting the three nets of Fig. 21 leads to Fig. 22a. Note: a) two shared places are used for AUT and MES, b) the requests and indications of S, S̄, R and R̄ (user level and channel level) are merged: the interface between the two layers in the same node is supposed to be perfect. Applying the reduction rules by using Ogive, but without simplifying input places e1, e2 and output places s1, s2 (because they define the beginning and the end of the interaction), gives the simple abstract view of Fig. 22b. This net may be used to model and analyse the interactions at the user level, i.e., when the channels are used. The simplification is rather complex to explain: in the first step, places d, e can be substituted, b, a are implicit; then c can be substituted, etc.

Fig. 20. The classes of interaction in the CCITT nr. 7 protocol.

4.2.6. Multiple Cooperation Protocol
Fig. 21. The three levels for a channel specification (21.a: the channel service at the user level; 21.b: channel level; 21.c: abstract view of the physical level).

Fig. 22. The channel behavior and its abstract view (22.a: the global net; 22.b: the abstract view derived from Fig. 22.a).

One possible solution to ensure mutual exclusion in networks is based on the use of virtual rings [104,46]. Each processor receives the privilege, uses it and sends it to the next processor on the ring. Such a ring can appear at different levels (accessing the bus, selecting global timestamps, etc.). The analysis of such a mechanism is given in [42] and [104]: Pr-Ac nets are used to specify each of the local entities; those nets are translated into Pl-Tr nets which are connected by shared places to model and analyze the global protocol. 1. The protocol was first shown bounded and live. 2. Invariants were used to prove that: at most one unit has the privilege at any time and at most one unit may initiate the recovery at any time (deduced from the place invariants); no permanent loss of the privilege is possible, the protocol is well-behaved and fair (deduced from the transition invariants). As an example, consider the verification of the first property (at most one unit has the privilege at any time: exclusion). Ogive has been used to ask for a covering of place invariants, i.e., a set of invariants which contains every place of the net; among the 6 invariants constituting the covering, there is the following one:

Σ_i (UP_i + SP_i + MP_i + OKR_i) = 1

in which UP_i, ..., OKR_i is the marking of place UP, ..., OKR in unit i; UP is, in a node, the place that models the fact that the unit has the privilege. As this invariant clearly implies Σ_i UP_i ≤ 1, it follows that at most one unit can hold the privilege at any time.

4.2.7. Other Applications
Nets have also been used in some other applications. The following ones seem of interest. The data transfer phase using a window technique has been modelled either using Pl-Tr nets and scenarios in [70,71] or using Pr-Tr nets in [49]. The first approach gives a quite good insight into the different behaviors of the protocol, but the global view is difficult to handle; the second approach leads to synthetic and complex nets on which manual proofs are difficult but possible. Pl-Tr nets have also been used to test, at run time, the behavior of the protocol: after validating the net, the model is used in an observer [81], connected to the medium, that listens to all observed messages and checks whether their actual sequencing is in accordance with the specified one (the one given by the net) [42]. Some connections between nets and temporal logic have recently been reported [17,84,89]. Protocols are dealt with using temporal logic in [98,100,101] and using temporal logic and nets in [84,89].
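The run-time observer of 4.2.7 applied to an alternating-bit model in the style of 4.2.1, as an added example (my own code and net, not the paper's Fig. 18 nor the observer of [81]): the reference net has one shared place per message (Data0, Ack0, Data1, Ack1) and a place P1 marked by a loss, which is the only thing that lets the sender retransmit; the observer, seeing only the messages on the medium, keeps every marking the net could be in and flags the first message that no firing sequence can explain.

```python
# Reference model (constructed): transition -> (pre, post, message seen on the
# medium, or None when the move is internal and invisible to the observer)
ABP = {
    "send0":    ({"SS0": 1}, {"WA0": 1, "Data0": 1}, "D0"),
    "send1":    ({"SS1": 1}, {"WA1": 1, "Data1": 1}, "D1"),
    "got_ack0": ({"WA0": 1, "Ack0": 1}, {"SS1": 1}, None),
    "got_ack1": ({"WA1": 1, "Ack1": 1}, {"SS0": 1}, None),
    "timeout0": ({"WA0": 1, "P1": 1}, {"SS0": 1}, None),  # resend only after a loss
    "timeout1": ({"WA1": 1, "P1": 1}, {"SS1": 1}, None),
    "recv0":    ({"R0": 1, "Data0": 1}, {"R1": 1, "Ack0": 1}, "A0"),
    "dup0":     ({"R1": 1, "Data0": 1}, {"R1": 1, "Ack0": 1}, "A0"),  # duplicate re-acked
    "recv1":    ({"R1": 1, "Data1": 1}, {"R0": 1, "Ack1": 1}, "A1"),
    "dup1":     ({"R0": 1, "Data1": 1}, {"R0": 1, "Ack1": 1}, "A1"),
}
for _p in ("Data0", "Ack0", "Data1", "Ack1"):  # a lost message marks P1
    ABP[f"lose_{_p}"] = ({_p: 1}, {"P1": 1}, None)
M0 = frozenset({("SS0", 1), ("R0", 1)})  # markings: frozensets of (place, count)

def fire(m, pre, post):
    """Successor of marking m (given as a dict), or None if the transition is disabled."""
    if any(m.get(p, 0) < n for p, n in pre.items()):
        return None
    m2 = dict(m)
    for p, n in pre.items():
        m2[p] -= n
        if m2[p] == 0:
            del m2[p]
    for p, n in post.items():
        m2[p] = m2.get(p, 0) + n
    return frozenset(m2.items())

def closure(states):
    """Add every marking reachable through internal (unobservable) transitions."""
    states, stack = set(states), list(states)
    while stack:
        m = dict(stack.pop())
        for pre, post, label in ABP.values():
            if label is None:
                m2 = fire(m, pre, post)
                if m2 is not None and m2 not in states:
                    states.add(m2)
                    stack.append(m2)
    return states

def observe(trace):
    """Feed the messages seen on the medium one by one, keeping every marking of
    the reference net consistent with what has been seen so far (losses and
    time-outs are not visible).  Returns (conforms, index of the first message
    that no firing sequence of the net can explain)."""
    states = closure({M0})
    for i, msg in enumerate(trace):
        states = closure({m2 for m in states for pre, post, label in ABP.values()
                          if label == msg
                          for m2 in [fire(dict(m), pre, post)] if m2 is not None})
        if not states:
            return False, i
    return True, None

if __name__ == "__main__":
    for trace in (["D0", "A0", "D1", "A1", "D0"],   # normal alternation
                  ["D0", "D0", "A0"],               # first D0 lost, then retransmitted
                  ["D0", "A0", "A0"],               # an Ack0 nothing can have caused
                  ["D0", "A0", "D1", "A0"]):        # acknowledgement for the wrong bit
        print(trace, "->", observe(trace))
```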
5. Conclusion
There is a great deal of work being conducted in the theory and application of Petri nets. It appears that protocols are one of the most promising fields of application of net theory. Petri nets are easily understood by engineers and only a
short time is needed to read and understand the graphical models. At the next level, Pr-Tr nets are much more difficult to understand and Pr-Ac nets much more difficult to analyse. In spite of their limitations, Pl-Tr nets have been used and significant results derived. Numerous concurrent languages use nets for their semantic support. This suggests that nets can support a significant part of the specification and verification of distributed systems and protocols. Perhaps they ought to be extended further to better account for data representation and to support efficient analyses. It is possible that a connection with abstract data types and temporal logic would help. What must be clearly understood is the way the various nets are "typically" used to model protocols and their relation to state models. Places in state model nets, Petri nets, Pl-Cl, Pr-Tr and Pr-Ac nets represent the control states of the processes and/or the states of the system resources; places in nets can also represent the booleans and the integers and/or the messages in transit. Nets can be used to explicitly model the medium and the interactions, all with the same basic model. As classical Petri nets have limitations, they have been extended in numerous ways. Their main resulting advantage is that separate components that make up a total system can be connected easily by different modular interactions like merging, transit place, request-acknowledge, FIFO, etc.; this capability allows the verification step to apply at a global level that can be constructed in an automatic way.
Nevertheless, as the problems being tackled are quite new, further progress will be made in the near future towards the safe design and implementation of complex protocols and algorithms in distributed systems.
Acknowledgements
This paper would not have been possible without the work conducted in the team "Logiciel et Communication" (Software and Communication) at the L.A.A.S.-C.N.R.S. (Laboratoire d'Automatique et d'Analyse des Systèmes du Centre National de la Recherche Scientifique). Specific acknowledgements are due to MM. J.M. Ayache, P. Azema, B. Berthomieu, J.P. Courtiat, G. Juanole, M. Menasche of the L.A.A.S., to C. Sunshine of the University of Southern California, Information Science Institute, and to T.F. Piatkowski of Iowa State University for discussions and/or constructive comments concerning this paper.
References

Surveys on Protocol Specification and Verification
[1] J.M. Ayache, P. Azéma, J.P. Courtiat, M. Diaz, G. Juanole, "On the applicability of Petri net based models in protocol design and verification", Protocol Testing Workshop, NPL, Teddington (G.B.), May 1981; Europ. Workshop on Application and Theory of Petri nets, Bad Honnef (R.F.A.), September 1981.
[2] G.V. Bochmann, "A general transition model for protocols and communication services", IEEE Trans. on Communications, vol. COM-28, n° 4, April 1980, pp. 643-650.
[3] G.V. Bochmann, C.A. Sunshine, "Formal methods in communication protocol design", IEEE Trans. on Communications, vol. COM-28, n° 4, April 1980, pp. 624-631.
[4] A.S. Danthine, "Protocol representation with finite-state models", IEEE Trans. on Communications, vol. COM-28, n° 4, April 1980, pp. 632-643.
[5] M. Diaz, "Modelling and analysis of communication and cooperation protocols using Petri net based models", Tutorial paper, 2nd Int. Workshop on Protocol Specification, Testing and Verification, Idyllwild, Los Angeles, May 1982; North Holland 1982, C. Sunshine, Editor.
[6] C.A. Sunshine, "Survey of protocol definition and verification techniques", Computer Networks, 2, 1978, pp. 346-350.
[7] C.A. Sunshine, "Formal techniques for protocol specification and verification", Computer, September 1979, pp. 20-25.
[8] C.A. Sunshine, "Formal modelling of communication protocols", ISI-USC Report RR-81-89, March 1981; 1st Workshop on Protocol Testing, NPL, Teddington (G.B.), May 1981.

Presentation and Analysis of Nets and Related Models
[9] C. André, "Systèmes à évolutions parallèles: modélisation par réseaux de Petri à capacité et analyse par abstraction", Thèse de Doctorat ès-Sciences, Université de Nice, Février 1981.
[10] J.M. Ayache, M. Diaz, R. Valette, "A methodology for specifying control in electronic switching systems", Int. Switching Symposium, ISS 79, Paris, May 1979.
[11] G. Berthelot, G. Roucairol, R. Valk, "Reduction of nets and parallel programs", Net Theory and Applications, Lect. Notes in Computer Science, 45, Springer Verlag, 1977.
[12] B. Berthomieu, "Analyse structurelle des réseaux de Petri, méthodes et outils", Thèse de Docteur-Ingénieur, Université Paul Sabatier, Toulouse, September 1979.
[13] B. Berthomieu, "Methods for carrying proofs on Petri nets using their structural properties", to be published, IEEE Trans. on Software Engineering, 1982.
[14] V.G. Cerf, "Multiprocessors, semaphores and a graph model of computation", Ph.D. dissertation, Eng. 7223, Univ. of California, Los Angeles, April 1972.
[15] H.J. Genrich, K. Lautenbach, "The analysis of distributed systems by means of predicate/transition nets", Semantics of Concurrent Computation, Evian 1979, G. Kahn (ed.), Lect. Notes in Computer Science, vol. 70, Springer Verlag, 1979, pp. 123-146.
[16] H.J. Genrich, K. Lautenbach, "System modelling with high level Petri nets", Theoretical Computer Science, 13, 1981, pp. 109-136, North-Holland.
[17] H.J. Genrich, K. Lautenbach, P.S. Thiagarajan, "Elements of net theory", Lect. Notes in Computer Science, 84, 1980, pp. 21-163.
[18] Y.W. Han, L.L. Kinney, L.A. Jack, "Petri nets reduction and verification", Research Report F 0326-6, Honeywell Inc., June 1976.
[19] A.W. Holt, F. Commoner, "Events and conditions", Record Project MAC Conf. on Concurrent Systems and Parallel Computation, ACM, N.Y., June 1970.
[20] K. Jensen, "Coloured Petri nets and the invariant method", Research Report, DAIMI PB-104, Aarhus University, October 1970, revised version: August 1980.
[21] K. Jensen, "How to find invariants for coloured Petri nets", Research Report, DAIMI PB 120, Aarhus University, May 1980.
[22] R.M. Keller, "Formal verification of parallel programs", Com. ACM, vol. 19, n° 7, July 1976, pp. 371-384.
[23] K. Lautenbach, H.A. Schmid, "Use of Petri nets for proving correctness of concurrent process systems", Proc. IFIP Congress 74, North-Holland Publ., Amsterdam, 1974, pp. 187-191.
[24] P.E. Lauer, M.W. Shields, E. Best, "On the design and certification of asynchronous systems of processes", Univ. of Newcastle upon Tyne, ASM 45-49, March 1978.
[25] K. Lautenbach, P.S. Thiagarajan, "Analysis of a resource allocation problem using Petri nets", 1st Europ. Conf. on Parallel and Distributed Processing, Toulouse, France, February 1979.
[26] Y. Edmund Lien, "Termination properties of generalized Petri nets", SIAM J. Comp., vol. 5, n° 2, June 1976, pp. 251-265.
[27] J. Martinez, M. Silva, "A simple and fast algorithm to obtain all invariants of a generalized Petri net", 2nd Europ. Workshop on the Appl. & Theory of Petri nets, Bad Honnef (FRG), September 1981, pp. 411-422.
[28] G. Memmi, "Fuites et semi-flots dans les réseaux de Petri", Thèse de Docteur-Ingénieur, Univ. de Paris VI, December 1978.
[29] T. Murata, "Petri nets, marked graphs and circuit system theory; a recent case application", IEEE Trans. on Circuits and Systems, vol. 11, n° 3, June 1977.
[30] G.J. Nutt, "Evaluation nets for computer system performance analysis", AFIPS Conf. Proc., vol. 41, Part 1, 1972, pp. 279-286.
439
[31] J.L. Peterson, "Petri nets", ACM Computing Surveys, 9, September 1977, pp. 224-252. [32] J.L. Peterson, "Petri net theory and the modelling of Systems", Prentice Hall, 1981. [33] C.A. Petri, Kommunication mit Automaten, Schriften des Rheinisch, Westfalischen Institutes fur Instrumentelle Mathematik and der Universitat Bonn, 1962, translation by C.F. Greene, Applied Data Research Inc. suppl. 1 to Tech Report RADC-TR-65-337, vol. 1, N.Y., 1965. [34] J. Sifakis, "Le contr~)le des syst~mes asynchrones: concepts, propriet+s, analyse statique". Th~se de Doctorat +s-Sciences, Univ. Sc. et m~d. de Grenoble, June 1979. [35] I. Suzuki, T. Murata, "A method for stepwize refinements and abstraction of Petri nets". Communications lab. Report n ° 80-3, Univ. of Illinois at Chicago Circle, June 1980. [36] R. Valette, "Analysis of Petri nets by stepwise refinements", Journal of Computer and System Sciences. vol. 18, n ° 1. 1979. [37] R. Valette, M. Diaz "Top-down formal specification and verification of parallel control systems", Digital Process, vol. 4, N ° 4, 1978, pp. 181-199. [38] B. Pradin, B. Berthomieu, P. Azema, M. Diaz, S. Bachman, "OGIVE: un outil graphique interactif de v~rification des systemes parall~les d~crits par r~seaux de Petri", Revue MICADO, n ° 35, pp. 23-31, September 1980. [39] R.R. Razouk, G. Estrin, "Modelling and verification of communication protocols in SARA: the X21 Interface", IEEE Trans. on Computers, vol. C-29, n°12, December 1980, pp. 1038-1051. [40] F.J.W. Symons, see in the STATE MACHINES, NETS and PROTOCOLS list. [41] F. Vidondo, "GALILEO, experiences in the design of a Petri net based language for real-time systems", 2nd Eur. Workshop on the Theory and Application of Petri nets, Bad Honnef (FRG), September 1981, pp. 541 550.
State Machines, Nets and Protocols [42] J.M. Ayache, J.P. Courtiat, M. Diaz, "The design and validation by Petri nets of a reliable bus allocation protocol", INFOCOM 82, Las Vegas, March-April 1982. [43] J.M. Ayache, M. Diaz, H. Konber, "Specification and verification of signalling protocols", Int. Switching Symposium ISS81, Verdun (CAN), September 1981. [44] P. Azema, J.M. Ayache, B. Berthomieu, "Design and verification of communication procedures, a bottom-up approach", Third Int. Conf. on Software Eng., May 1978, Atlanta, pp. 168-174. [45] P. Azema, B. Berthomieu, P. Decitre, "The design and validation by Petri nets of a mechanism for the invocation of remote servers", Proc. of IFIP Congress, Melbourne, October 1980. [46] P. Azema, P. Rolin, S. Sedillot, "Virtual ring protection in distributed systems", IEEE Int. Symp. on FaultTolerant Computing, Portland, Maine, USA, June 1981. [47] J.L. Baer, G. Gardarin, C. Girault, G. Roucairol, "The two steps commitment protocol. Modeling, specification and proof methodology", 5th Int. Conf. on Software Engineering, San Diego, March 1981.
440
M. Diaz / Modeling and Analysis of Protocols using Petri Nets
[48] W.L. Bauerfeld, "A communication concept for protocol models", Computer Communication Review, January 1981, Vol. 11, n ° 1, pp. 32-39. [49] G. Berthelot, R. Terrat, "Petri nets theory for the correctness of protocols", 2nd Europ. Workshop on Appl. & Theory of Petri Nets, Bad Honnef (FRG), September 1981, pp. 31-58, also 2nd Int. Work on Protocol Specification Testing and Verification, Idyllwild Los Angeles, May 1982, North-Holland, 1982, C. Sunshine Ed. [50] S. Gosh, "Some comments on timed Petri nets", Journ~e A.F.C.E.T. sur les Rrseaux de Petri, Paris, May 1977. [51] P.M. Merlin, "A study of the recoverability of computing systems", Univ. of California, Irvine, 1974. [52] P.M. Merlin, D.J. Farber, "Recoverability of communication protocols - implication of a theroretical study", 1EEE Trans. on Communications, September 1976, pp. 1036-1043. [53] C. Ramchandani, "Analysis of asynchronous concurrent systems by timed Petri nets", Research Report, Project MAC-TR 120, MIT, February 1974. [54] J. Sifakis, "Performance evaluation of systems using nets", Lect. Notes in Computer Science, 84, Net Theory and Applications, Springer, Verlag, 1970, pp. 307-319. [55] W.M. Zuberek, "Timed Petri nets and preliminary performance evaluation", 7th Ann. Symp. on Computer Architecture, La Baule, France, May 1980. [56] P. Azema, R. Valette, M. Diaz, "Petri nets as a common tool for design verification and hardware simulation", ACM-IEEE Design Automation Conference, San Francisco, Palo Alto, June 1976. [57] B. Chezaviel-Pradin, "Un Outil graphique interactif pour la validation des syst~mes h 6volution parall~le d~crits par rrseaux de Petri (OGIVE)", Th~se de DocteurIng~nieur, Universit~ Paul Sabatier, Toulouse, December 1979. [58] W.K. Hackman, O.V. Flotow, P. Graubmann, G. Zintl, "PES, a net based tool for the development of complex systems", 2nd Europ Workshop on Application and Theory of Petri nets, Bad Honnef (FRG), September 1981, pp. 299-307. [59] I. 
Lopez, "The use of GALILEO to represent and analyse telecommunication protocols", 2nd Eur. Workshop on the Theory and Application of Petri nets, Bad Honnef (FRG), September 1981, pp. 397-410. [[60] B. Pradin, B. Berthomieu, S. Bachman, M. Diaz, '; Computer aided design and proof of parallel system, application to synchronization software", Internal Report, LAAS/CNRS, December 1979. [61] J. Billington, "Specification of the Transport service using Numerical Petri nets", 2nd Int Work on Protocol Specification, Testing and Verification, Idyllwild Los Angeles, May 1982, North-Holland, 1982, C. Sunshine Ed. [62] G.V. Bochmann, "Finite state description of communication protocols", Conf. Computer Network Protocols, Li/~ge, 1978 also in Computer Networks-2, 1978, pp. 361-372. [63] G.V. Bochmann, R.J. Chung, "A formalized specification of HDLC classes of procedures", NTC'77, Conf. Record, Los Angeles, CA, December 1977. [64] G.V. Bochmann, J. Gecsei, "A unified method for the specification and verification of protocols", IFIP Proceedings, North-Holland, 1977.
[65] A. Danthine, "Petri nets for protocol modeling and verification", 1FIP-TC6, COMNET Symp., Budapest, Hong., October 1977. [66] M. Devy, M. Diaz, "Multilevel specification and validation of the control in communication systems", 1st Int. Conf. on Distributed Computing Systems, Huntsville, Alabama, October 1-4, 1979. [67] H. Eckert, R. Prinoth, "A method for analizing communication protocols", 2nd Europ. Workshop on Appl. & Theory of Petri nets, Bad Honnef (FRG), September 1981, pp. 181-240. [68] F.H.J. Feldbrugge, "Protocols for communication stabilization", Nat. Lab. Technical Note Nr 25/78, Philips Research Lab., March 1978. [69] G. Florin, S. Natkin, "Evaluation based upon stochastic Petri nets of the maximum throughput of a full duplex protocol", 2nd Eur. Workshop on Appl. & Theory of Petri nets, Bad Honnef (FRG), September 1981, pp. 245-268. [70] G. Juanole, "A data transfert protocol. Informal specification and modelling by Petri nets", 2nd Europ. Workshop on the Theory and Application of Petri nets, Bad Honnef (FRG), September 1981, pp. 347-364. [71] G. Juanole, "Data Transfer on a link: specification of a class of retransmission strategies for the error control; formal modeling by Petri nets", 5th Hawai Int. Conf. on System Sciences, vol. 1, 1982, pp. 489-498. [72] H.A. Konber, "Contributon a la conception de protocoles de communication dans les autocommutateurs 61ectroniques", Th~se de Docteur-Ingbnieur, Universit~ Paul Sabatier, Toulouse, December 1980. [73] P.M. Merlin, "A methodology for design and implementation of communication protocols", IEEE Trans. Commun., vol. COM-24, n ° 6, June 1976, pp. 614-621. [74] C. West, Zafiropulo, "Automated validation of a communication protocol: the CCITT X.21 recommendation", IBM J. Res. and Devel, vol. 22, Jan. 1978, pp. 60-71. [75] P. Zafiropulo, "Protocol validation by duologue matrix analysis", IEEE Trans. commun., Vol. COM-26, August 1978 pp. 1187-1194. [76] W.M. 
Zuberek, "Analysis of le Lann's distributed control protocol by Petri nets", 2nd Europ. Workshop on the Theory and Application of Petri nets, Bad Honnef (FRG), September 1981, pp. 269-284. [77] J.M. Ayache, M. Diaz, H. Konber, "Specification and verification of signalling protocols", Int. Switching Symp., ISS 81, Montreal, Sept. 1981. [78] J.M. Ayache, M. Diaz, R. Valette, "A methodology for specifying control in electronic switching systems", Int. Switching Symp., ISS 79, Paris, France, May 1979. [79] Z. Barzilai, Y. Goren, M. Yoeli, "On the top-down design of a computer controlled communication switching system", Technical report ~ ~ 162, Technion, Isra@ Int. of Technology, December 1979. [80] M. Yoeli, Z. Barzilai, "Behavioural descriptions of communication switching systems using Petri nets", Digital Processes, vol. 3, n ° 4, Winter 1977. [81] J.M. Ayache, P. Azema, M. Diaz, "Observer: a concept for on-line detection of control errors in concurrent systems", IEEE Int. Syrup. on Fault-Tolerant Computing, Madison, USA, June 1979.
M. Diaz / Modeling and Analysis of Protocols using Petri Nets [82] J.M. Ayache, P. Azema, M. Diaz, "Observer: a concept for run-time detection of control errors in concurrent systems", to be published, Digital Processes, 1982. [83] J.M. Ayache, J.P. Courtiat, M. Diaz, "Self checking software in Distributed Systems", 3rd conf. on Distributed Computing Systems, Miami, November 1982. [84] M. Diaz, G. Guidacci da Silveira, "On the specification and validation of protocols by temporal logic and nets, 3rd Worshop on the Theory and Application of Petri nets, Varenna (I) September 1982. [85] P. Merlin, "Specification and validation of protocols", IEEE Trans. on Commun., vol. COM-27, n ° 11, November 1979, pp. 1671-1680. [86] P.M. Merlin, D.J. Farber See the timed Petri nets list. [87] J.B. Postel, "A graph model analysis of computer communications protocols", Ph.D. Thesis, Research Report UCLA, ENG/7410, January 1974. [88] J.B. Postel, D. Farber, "Graph modelling of computer communications protocols", Proc. 5th Texas Conf. on Computing Systems, Austin, 1976. [89] J.P. Queille, J. Sifakis, "Specification and verification of concurrent systems in CESAR, an example", 2nd Europ. Workshop on the Theory and Application of Petri nets, Bad Honnef (FRG), September 1981, pp. 483-517. [90] R. Razouk, "Modeling the X.25 using the Graph Model of Behaviour', 2nd Int Worksh on Protocol Specification, Testing and Verification, Idyllwild Los Angeles, May 1982, North-Holland, 1982, C, Sunshine Ed. [91] R.R. Razouk, G. Estrin, "Modelling and verification of communication protocols in SARA: the X21 interface", IEEE Trans. on Computers, vol. C-29, n ° 12, December 1980, pp. 1038-1051. [92] F.J.W. Symons, "Modelling and analysis of communication protocols using numerical Petri nets", Ph.D. Thesis, Univ. of Essex, Being Dept. of Elect. Eng. Sc. Telecomm. Syst. Group Report n ° 152, May 1978. [93] F.J.W. 
Symons, "Representation, analysis and verification of communication protocols", Australian Telecommunication Research vol. 14, n ° 1, 1980. [94] F.J.W. Symons, "Representation, analysis and verification of communication protocols", Research Report 7380, Telecom. Australia, 1980. [95] A. Tomer, M. Yoeli, "On the application of extended Petri nets to the verification of protocols", 2nd Europ. Workshop on the Theory and Application of Petri nets, Bad Honnef (FRG), September 1981, pp. 519-530. [96] K. Voss, "'Using predicate/transition nets to model and analyse distributed database systems", IEEE Trans. on Software Eng., vol. SE-6, November 1980, pp. 539-544. [97] C.H. West, "General technique for communications
[98]
[99] [100]
[101]
441
protocol validation", IBM J. Res. Develop,, vol. 22, July 1978, pp. 393-404. B.T. Hailpern, S.S. Owicki, "Verifying network protocols using temporal logic, Technical Report n ° 192, CSL, Stanford Univ. June 1980. N. Rescher, A. Urquhart, "Temporal logic, Springer Verlag 1971. R.L. Schwartz, P.M. Melliar-Smith, "Temporal logic specification of distributed systems", 2nd Conf. Distributed Computing Systems, Paris, April 1981, pp. 446 454. R.L. Schwartz, P.M. Melliar-Smith, "From State machine to Temporal Logic: Specification Methods for protocol standards, Tutorial Paper, 2nd Workshop on Protocol Specification, Testing and Verification, Idyllwild Los Angeles, May 1982, North-Holland, 1982, C. Sunshine Ed.
Data Types and Protocols [102] B. Berthomieu, "Algebraic Specification of communication protocols", Research Report ISI-RR-81-98, also Technical Report L.A.A.S.-C.N.R.S., 81.T.26, October 198l. [103] D.R. Thompson, C.A. Sunshine, R.W. Erickson, S.L. Gerhart, D. Schwabe, "Specification and verification of communication protocols in AFFIRM using state transition models", Research Report ISI-RR-81-88, USC, Inf. Sc. Institute, March 1981.
Other Related Papers [104] J.M. Ayache, J.P. Sourtiat, M. Diaz, "REBUS": A Fault-Tolerant Distributed System for Industrial RealTime Control", IEEE, Tr. on computers, Special Issue on Fault-Tolerant Computing, July 1982. [105] C.A.R. Hoare, "Communicating sequential processes", Comm. ACM, vol. 21, August 1978. [106] P.E. Lauer, R.M. Campbell, "Formal semantics of a class of high-level primitives for coordinating concurrent processes", Acta Informatica 5, 1975. [107] P.E. Lauer, P.R. Torrigiani, N.W. Shields, "COSY: a system specification language based on paths and processes", Acta Informatica 12, 1979, pp. 109-158. [108] C.A. Sunshine, "Interprocess communication protocols for computer networks", Ph.D. Thesis, Stanford University, DSL, TR 105, December 1975. [109] H. Zimmerman, "OSI reference model. The ISO model of architecture for open systems interconnection", IEEE Trans. on Communications, vol.COM-28, April 1980.