Similar literature
1.
In this article we report on the development of a group‐communication service using the formal specification language LOTOS, and present our experience in using publicly available tools for this purpose. The service implements atomic broadcast through a Two‐Phase‐Commit protocol, providing at‐least‐once delivery semantics and with no restriction on message delivery order. First we wrote an informal specification describing the desired properties from the service, the interfaces with the underlying network layer and the upper user layer, and the protocol to be used by the service. Then we developed the formal specification of the protocol in LOTOS. After validating the formal specification and thus having a certain confidence in its adequacy with respect to the informal specification, we derived test cases from the formal specification and implemented the service using the Concert/C distributed programming language. While testing the implementation, we found that most errors were related to unspecified features or bugs in the execution environment. From this experience, we draw our conclusions on the usefulness of software development based on formal techniques. Copyright © 1999 John Wiley & Sons, Ltd.

4.
Existing approaches to describing service composition cannot effectively verify and test the correctness of a composition. To address this problem, this paper proposes an algebraic specification method and introduces a specification-package mechanism that extends the service-oriented algebraic specification language SOFIA to support it. Algebraic specification units describe the various entities of a service system: the signature part defines an entity's syntax and structure, and the axiom part defines its functional and behavioral properties. The specification units related to one service are encapsulated in a single package or split across several mutually referencing packages, each of which forms a namespace. When several services are composed, their algebraic specification packages serve as the basis for, on the one hand, abstractly defining the interaction process and semantics of the composite service, yielding an implementation specification package that describes how the composition is realized, and, on the other hand, abstractly defining the external interface of the composite service and its functional semantics, yielding an abstract specification package that describes the composite service's requirements. On top of this two-part structure of implementation specification and abstract specification, the paper further defines the "implementation" relation that must hold between them and proves that satisfying this relation guarantees the correctness of the implementation, thereby laying a theoretical foundation for the verifiability and testability of service composition. Finally, a case study illustrates the abstractness, expressiveness and verifiability of algebraic specifications for describing service composition.

5.
纪业, 魏恒峰, 黄宇, 吕建. 《软件学报》 2020, 31(5): 1332-1352
Conflict-free replicated data types (CRDTs) are distributed replicated data types that encapsulate a conflict-resolution strategy. They guarantee strong eventual consistency among the replica nodes of a distributed system: replicas that have executed the same set of update operations have the same state. CRDT protocols are subtly designed, and their correctness is not easy to guarantee. This work aims to verify the correctness of a series of CRDT protocols with model checking. Specifically, it builds a reusable framework for describing and verifying CRDT protocols, consisting of a network communication layer, a protocol interface layer, a concrete protocol layer and a specification layer. The network communication layer describes the communication model among replica nodes and implements several types of communication network. The protocol interface layer provides a unified interface for the known CRDT protocols, which are divided into operation-based and state-based protocols. In the concrete protocol layer, users select a suitable underlying communication network according to the protocol's requirements. The specification layer describes the properties that every CRDT protocol must satisfy: strong eventual consistency and eventual visibility (every update operation is eventually received and processed by every replica node). The framework is implemented in the TLA+ formal specification language; the Add-Wins Set replicated data type is then used as an example to show how a concrete protocol is described with the framework and how its correctness is verified with the TLC model checker.

6.
The Interrogator is a Prolog program that searches for security vulnerabilities in network protocols for automatic cryptographic key distribution. Given a formal specification of the protocol, it looks for message modification attacks that defeat the protocol objective. It is still under development, but it has been able to rediscover a known vulnerability in a published protocol. It is implemented in LM-Prolog on a Lisp Machine, with a graphical user interface.

8.
This paper describes a formal model for expressing the functional requirements of the man-machine interfaces of interactive systems. It also shows how this model can facilitate the automation of other useful activities such as checking for inconsistency, redundancy, and incompleteness in the specification, and validating the implementation of the interface against its original requirements. Finally, the paper comments on the authors' experience in developing an interactive system using this formal model.

9.
Formal Description and Property Verification of Interactive User Interfaces   Total citations: 2 (self: 0, others: 2)
朱军, 张高, 华庆一, 戴国忠. 《软件学报》 1999, 10(11): 1163-1168
As human-computer interaction technology develops, the interface between computer and user becomes ever more natural, but the internal complexity of user interface management systems has grown greatly. Most of the models proposed for the new generation of user interfaces remain at the conceptual-model stage and lack a rigorous description and proof of the model. Drawing on research results on user interfaces based on natural interaction, this paper derives a general model of interactive user interfaces. To ensure the correctness of system design, the paper discusses how to use the formal description language LOTOS (language of temporal ordering specification) and the action-based temporal logic ACTL (action based temporal log

11.
During the past four years, the authors have developed the Synchronizing Transition Set (STS) approach to solve protocol conversion problems for interconnecting heterogeneous computer networks. The STS approach is a 5-step formal algorithm: given service specifications of target protocols as its input, it derives a protocol converter specification as output. Several variations of the STS algorithm have been studied, and it was formally proven that all of these variations support the same correctness properties [1–4], such as conformity, liveness and transparency properties. Recently, the STS algorithm has been fully implemented in an STS protocol converter generation package. The package is written in the C language under a standard UNIX operating system. It needs less than 1000 lines of C statements to fully implement the STS algorithm. Moreover, to generate a converter between some classical example protocols, such as ABP (alternating bit protocol) and go-back-n protocols, it only takes a few seconds to derive a correct protocol converter specification using a desktop workstation. In this paper, the STS algorithm and its implementation are presented.

12.
In component-based development (CBD), a software system is a collection of interrelated reusable components, so every component of the system and the relationships among components must be well understood. UML, as a standard modeling language, not only supports object-oriented analysis and design but also strongly supports the whole software development process starting from requirements analysis. However, UML's support for component modeling is not ideal, which calls for a method that supports component modeling well. This paper proposes a method for describing component specifications with UML. A component specification is decomposed into component interface specifications; by formally describing each interface of a component and the relationships among its interfaces, the clarity and precision of the component specification are achieved.

13.
An Interface Model for Service-Oriented Software Architecture   Total citations: 9 (self: 1, others: 9)
陈振邦, 王戟, 董威, 齐治昌. 《软件学报》 2006, 17(6): 1459-1469
Service interface description is one of the key problems in describing service-oriented software architectures, and formal description methods are an important means of ensuring the accuracy of service interface descriptions. Current interface models do not support the description of transaction information. By extending an existing Web service interface model, this paper proposes an interface model that supports the description of transaction information through error handling and compensation; it can describe a service's interface at three levels: the signature level, the conversation level and the protocol level. It then proposes compatibility and substitutability conditions for service interfaces at the three levels, and proposes interface specifications and their verification methods for conversation interfaces and protocol interfaces. The interface model not only supports accurate description of transaction information but also supports flexible and effective verification of interface specifications.

14.
Resource Modeling in a Manufacturing Grid Environment   Total citations: 3 (self: 0, others: 3)
Resource modeling is the precondition for resource integration and sharing in a manufacturing grid. Resources are first classified by the type of service they provide in the manufacturing grid, which makes it easier to model them by class. A layered resource model consisting of a resource layer, a resource representation layer and a resource interface layer is then proposed. The resource layer contains the various physical resources; the representation layer encapsulates resource data and information with XML Schema; and the interface layer defines the operations for accessing a resource with the Web Services Description Language (WSDL). The model is used to encapsulate manufacturing resources as grid nodes, so that manufacturing resources can be conveniently connected to the grid and shared over the network. Finally, the encapsulation of an enterprise standard-parts library is used as a case study to validate the model's effectiveness.

15.
王继曾, 张键. 《计算机工程》 2005, 31(12): 97-99
Target implementation of LOTOS formal specifications is an indispensable stage in protocol design. This paper studies methods for implementing formal description specifications based on LOTOS, including the characteristics of the target implementation environment, the factors left unspecified during implementation, the transformation from the abstract model to the implementation model, and the final target implementation of the specification, and it discusses how to transform LOTOS specifications into implementations in the C and C++ languages.

16.
顾慧翔, 俞勇. 《计算机工程》 2004, 30(3): 74-75, 146
This paper presents the problems encountered in implementing a C-Prolog inference engine based on the WAM (Warren's Abstract Machine) architecture, together with the corresponding solutions and strategies. The implementation strictly follows the instruction specification of the WAM architecture. To improve run-time efficiency, considerable work was done on instruction preprocessing, using backpatching to generate faster WAM code. Its implementation language, C, makes the system easy to maintain and improve, and gives it a more convenient and flexible interface to external applications.

18.
Good project management is key when developing a software system successfully. To manage a project well, it is important to have the optimal resource allocation, which is affected by the size of an implementation. Early software size estimation is essential for good project management. Existing software size models estimate the size of an implementation usually in terms of the number of lines of code. The main drawback of these models is that there is a wide margin of uncertainty, as the actual size depends on the type of application and the software development method adopted. To address this drawback, we focus our work on communication protocols, and propose that the size of a formal specification needs to be estimated from an informal specification. This paper presents a two-stage size model for estimating the sizes of a formal communication protocol specification and its implementation, with the model validated using a test data set. The main benefit of this work is that it can give an indication of the likely sizes of both a formal specification and its implementation early in the development stage, giving developers a technique for managing communication software projects better.

19.
An Architecture-Oriented Component Interface Model and Its Formal Specification   Total citations: 1 (self: 0, others: 1)
Drawing on ideas from software architecture, this paper proposes an architecture-oriented component interface model that can express both the high-level abstract components of architectural design and the low-level implementation components at the code level. Based on this model, and using Communicating Sequential Processes, it proposes a two-level method for specifying component interface behavior protocols that can effectively specify the behavioral interaction protocols of large-grained, complex software components.
