primitive part. The directed graph part expresses lem to design an ideal language that simulta-
the control flow of the protocol, and the primitive neously satisfies all these required conditions.
part defines symbols such as variables used in the The Harmonic Design Method is a new ap-
directed graph part. The aim of NESDEL is to proach that we propose to achieve approximately
enhance the understandability and to avoid the the above-mentioned ideal language. The ap-
ambiguity of a protocol specification, by using proximation is carried out by the process of parti-
"graphs" and "primitives" at the same time. IDL tioning and unification. By partitioning, we mean a
is a high-level programming language, based on process by which several types of problem-ori-
the concept of a finite-state machine with varia- ented languages are provided, in order to satisfy
bles and program segments, for describing com- the different requirements or purposes desired in
munication software. It has concise language con- the target ideal language. By unification, we mean
structs needed to describe communication-ori- a process by which the problem-oriented lan-
ented software. And, it closely resembles guages produced by partitioning are associated
NESDEL, in its underlying concept. EXPA is a with each other, in order to achieve approximately
method for validating certain properties of proto- the target ideal language. This unification is
cols. It has an appropriate representation for sup- accomplished by providing transformation
porting validation. EXPA is a generalization of algorithms between the problem-oriented lan-
the validation method, based on perturbation guages. Providing "bidirectional" transformation
analysis, proposed by West [8]. Its validation abil- algorithms between two languages is very useful.
ity is superior to that by West. EXPA also resem- For example, assume that a specification language
bles NESDEL, in its underlying concept. and a programming language are given as prob-
This paper is organized as follows. Section 2 lem-oriented languages, and that both a forward
gives, in detail, the Harmonic Design Method transformation algorithm, i.e., an algorithm for
described above. As an application of the transforming the specification language into the
Harmonic Design Method, the design of a support programming language, and a backward transfor-
system for protocols and communication software marion algorithm, i.e., an algorithm for transfor-
development is outlined in Section 3. The protocol ming the programming language into the specifi-
specification language NESDEL, the communica- cation language, are provided (note that the back-
tion software oriented programming language IDL ward transformation can be accomplished by using
and the protocol validation method EXPA, which the information derived from the forward trans-
are components of the support system given in formation). If a user detects "bugs" while debug-
Section 3, are described in Sections 4, 5 and 6, ging an expression written in the programming
respectively. Section 7 outlines the algorithms used language, then he has to, possibly, not only debug
for the transformation between these languages. the expression but also revise the corresponding
Some of tools used for supporting these languages specification written in the specification language.
and transformation between these languages are Given the provision of backward transformation,
introduced in Section 8. it is relatively easy to do such task, since the user
can easily detect the portion in the specification
corresponding to the "bugs" by using this provi-
2. Harmonic Design Method sion. On the other hand, without such a provision,
it is generally difficult to do such a task, and
In general, when a designer is going to design a consequently a heavier maintenance cost is
language for software development, he has to pay incurred.
attention to various requirements. For example, We regard the collection of the problem-ori-
the language should be easy to read, write and ented languages and the transformation algorithms
learn, and it should have a high expressibility. produced through the process of partitioning and
Furthermore, it may be required that the language unification as an approximation to the target ideal
should provide the capability of verifying certain language.
properties. These conditions become more and The design procedure of the Harmonic Design
more important as the software system grows Method is outlined in Fig. 1. The details are as
larger in size and complexity. It is a crucial prob- follows.
248 N. Shiratori et al. / A Software Design Method
@ partitioning unification
approximation
Fig. 1. The approach of the Harmonic Design Method.
Protocol Machine
above
I. start I m
put
I 1 I
I
I'~ stop [ 4- . . . . . . . . . -~
Timer Protocol Machine
~_] Protocol
I timeout I
input ! ~transmit
I Protocol Machine
below
dures. Figure 3 shows the model of the environ- the parent arc. An operation, which indicates the
ment of a protocol machine. transmission or reception of an event, is associ-
As described above, a NESDEL specification ated with a parent arc, and the name of the
consists of two parts: a directed graph part and a corresponding event is associated with the child
primitive part. The directed graph part expresses arc. A predicate may be associated with a parent
the control flow of the protocol. It corresponds to arc or a child arc. If a node has two or more arcs,
an ordinary state transition diagram. The primi- an arc whose predicate is interpreted as "true" is
tive part defines symbols such as variables, mes- chosen for execution. On the other hand, the
sages and operations used in the graph part. A primitive part gives the details of a specification
basic SDL specification [15] contains ambiguous by supplementing its corresponding directed graph
descriptions as it permits the use of a natural part. The name of a protocol machine, the list of
language expression. (In order to augment basic interface events exchanged between the protocol
SDL vis-a-vis strictness of description and intro- machine and its environment, the names and time-
duction of structuring concept and procedures, out limits of timers, the declaration of variables,
etc., some recommendations have been made [16].) the meaning of variables, events, etc., operations
To avoid ambiguity, primitive expressions are in- used for processing and so on are described in the
troduced in the NESDEL specification. A primi- primitive part.
tive expression is a kind of high-level program- Now, we outline NESDEL by showing an ex-
ming language expression. The notable features of ample. Figure 4 shows an example of a NESDEL
NESDEL are better understandability and avoi- specification. It represents the behavior of a pro-
dance of ambiguity in protocol specifications, by tocol machine (which works with the environment
using directed graph expressions and primitive shown in Fig. 3) implementing the following sim-
expressions at the same time. ple protocol:
In NESDEL, a directed graph part is described
by using four kinds of nodes, arcs and arc labels.
A node may be expressed hierarchically, that is, it (protocol)
may be expressed by using another NESDEL ex- 1. The user (i.e., the layer above) requests the
pression. An arc, which indicates a transition be- protocol machine to transmit a message.
tween two nodes, is represented using a parent arc 2. The protocol machine transmits this message
(thick arc) and a child arc (thin arc) connected to to the peer protocol machine, through the
N. Shiratori et al. / A Software Design Method 251
protocol-machine (PM)
local messages (USER):
INPUT = {message}
OUTPUT = {success,
failure}
global messages (CHANNEL):
accept INPUT = {aek,nak}
pl• age
transmit
OUTPUT= {message}
timers (timer = 3000)
vat ( r : INTEGER)
meaning
timer : for timeout detection
message start r : retransmission counter
local messages :
message = data message
success = successful
timeout transmission
failure =unsuccessful
/ I input transmission
global messages :
timer ~ _ . ~ n a k ack message = data message
aek = acknowledgement
nak = negative ack.
prim ASSIGN : assignment
layer below. At this time, a timer is activated In Fig. 4, the transition arc from node Wt to
for retransmission. node/'1 and its arc labels "accept" and "message"
3. If the protocol machine receives an acknowl- in the upper part of the directed graph, for
edgement from the peer protocol machine, instance, mean that when the protocol machine is
through the layer below, then message in node Wt, called W-node, the protocol machine
"success" is returned to the user. If a nega- receives message "message" from " t h e protocol
tive acknowledgement is received or the machine above" and then moves on to node P1,
retransmission timer goes off, then the mes- called P-node, for processing. (In NESDEL, a
sage is retransmitted. This retransmission is W-node is used to indicate that the protocol ma-
permitted up to three times. In the case of chine waits for the occurrence of an interface
the four consecutive occurrences of timeout event). The processing of node "P1" is described
or reception of negative acknowledgement, in the procedure definition section, identified with
the protocol machine returns message key word " p r o c " , in the primitive part. In this
"failure" to the user, without retransmitting example, node "P1" performs " A S S I G N ( r , 0)",
the message. i.e., assignment of the value zero to the integer
4. Repeats 1-3. variable " r " . In node "W2", the arc labeled with
252 N. Shiratori et al. / A Software Design Method
expressions are illustrated later in this paper. An Figure 5 shows an example of a description. In
action sequence is associated with each transition, Fig. 5, the left-hand side represents a software
in order to describe the processing involved in the specification by a state transition diagram and the
transition. As described above, such an action right-hand side represents the corresponding de-
sequence is enabled when the condition specified scription of the software in IDL. This example
by its corresponding event expression is satisfied demonstrates that given a software specification in
while the FSM is in its corresponding state. In an terms of a state transition diagram, the user can
action sequence, the statement "NEXT-STATE" easily describe a program corresponding to the
is used for indicating the next state of the FSM. In specification, by virtue of the feature (a) men-
order to describe an action sequence, the following tioned above. For example, the transition from
statements can be used: state "INITIAL" to state "WAIT" corresponds to
- "TRANSMIT": outputs an interface the first FSM action unit description part (i.e., six
event, lines from statement "STATE INITIAL" to state-
- "NEXT-STATE": indicates next state or calls a ment "NEXT-STATE WAIT"). Keyword "INI-
sub-FSM, TIAL" represents the initial state of the FSM. As
- " A N Y O and "END": indicates that
R D E R ' ' seen in this example, event expressions have several
the statements enclosed by these keywords kinds of representation forms. For example, event
may be executed in arbitrary order, expression "Q1 * MESSAGE" in the first FSM
- "TIMER": activates a timer, action unit description part indicates that if there
- "CANCEL": suspends a timer activated previ- is at least one event in queue " Q I " while the FSM
ously, is in state "INITIAL", then an event is removed
- others: statements, used in ordinary program- from the head of the queue, the event is assigned
ming languages, such as "IF", "DO", to variable "MESSAGE", and then its corre-
"CALL", assignment, etc. sponding action sequence is executed. In IDL,
FSM TRANSMITTER
FSM-DATA-DECLARATION
EVENT MESSAGE
02 TEXT C(128)
EVENT RESPONSE
02 FILLER BIT(6)
02 ACK BIT(2)
EVENT REPLY
02 FILLER BIT(6)
02 SF BIT(2)
R INT VALUE 0
END-OF-DECLARATION
/ ~tivate ; timer ; FSM-BODY
timer ; Success.
STATE INITIAL
clear R. EVENT QI*MESSAGE
r>y
/
/
failure. ~ ,
/ ACTION
STATE
EVENT
TRANSMIT(Q3*MESSAGE)
TIMER(TIMER,3000)
R:=0
NEXT-STATE WAIT
WAIT
Q4*RESPONSE.ACK = WOO'
ACTION CANCEL(TIMER)
REPLY.SF: = B'00'
Simeon:/ TRANSMIT(Q2*REPLY)
NEXT-STATE INITIAL
increment ~ EVENT TIMEOUT(TIMER)
ACTION R:=R+I
. R. r<3~ IF R>3: REPLY.SF:=B'10'
TRANSMIT(Q2*REPLY)
,~ message ; NEXT-STATE INITIAL i
R~3 : TRANSMIT(Q3*MESSAGE)
aetiZt; TIMER(TIMER,3000)
NEXT-STATE WAIT !
END
END-OF-BODY
Fig. 5. A n example of a description in IDL.
254 N. Shiratori et al. / A Software Design Method
queues are used in order to store interface events states of the communication channels between the
exchanged between a FSM and its environment. processes. West [8] gave an algorithm, based on
All queues have a first-in-first-out discipline. To the perturbation analysis, which could make a
output an event to a queue, the statement reachability graph R G of system states. By using
" T R A N S M I T " is used. For example, " T R A N S - this RG, a designer starts from an initial system
MIT(Q3 * MESSAGE)" in the first FSM action state and traces the whole R G so that he will be
unit description in Fig. 5 represents that the con- able to detect design errors. EXPA is a generaliza-
tents of variable " M E S S A G E " is placed at the tail tion of the perturbation analysis theory of proto-
of queue " Q 3 " b y its execution. As other exam- col validation which overcomes a number of limi-
ples of event expressions, " Q 4 * RESPONSE. tations of the original theory. Validation ability of
ACK=B'00'" in the second FSM action unit EXPA is superior to that of the validation al-
description indicates that if there is at least one gorithm, based on perturbation analysis, made by
event in queue " Q 4 " while the FSM is in state West [8]. For example, E X P A can detect the loca-
" W A I T " and two bits from the seventh bit of an tions of critical system states (defined below) which
event at the head of the queue are both zeros, then cause logical errors, as well as occurrences (system
the event is removed from the queue, the event is states) of logical errors such as deadlock. The
assigned to variable " R E S P O N S E " , and then its main idea in the EXPA algorithm is to give a
corresponding action sequence is executed. Simi- backward perturbation as well as a forward per-
larly, event expression " T I M E O U T ( T I M E R ) " in turbation so that EXPA can overcome the limita-
the second FSM action unit description indicates tions of the original theory. A backward perturba-
that when timer " T I M E R " causes a timeout, its tion is a perturbation analysis which starts from a
corresponding action sequence is executed. A final system state. By the backward perturbation,
timeout event is handled as a special event which all the systems states can be classified into two
does not depend on any queue. We assume that groups, a set of normal system states and a set of
events pertaining to time are controlled by the abnormal system states (see Fig. 6). A normal
particular mechanism of the system under which system state is a system state which is reachable
I D L programs are executed. In addition to the from an initial system state and has access to a
forms of the event expressions mentioned above final system state. An abnormal system state is a
through this example description, we have one system state which is reachable from an initial
more representation form for event expressions. system state and does not have access to a final
Event expression " N U L L " is used for describing system state. A normal system state which has
an action sequence that does not depend on any immediate access to an abnormal system state is
incoming event. It is useful in describing a proce- called a critical system state. As a result of the
dure unconditionally executed. backward perturbation, EXPA can detect the fol-
lowing logical errors automatically and inform
them to the designer:
6. EXPA (a) state deadlocks,
(b) unspecified receptions,
EXPA [38] is a protocol validation algorithm (c) loops,
which can be applied to systems composed of two (d) buffer overflow (channel overflow),
or more processes communicating with each other. (e) critical system states,
In EXPA, each process is modeled as a finite-state (f) error transition sequences.
machine, and is represented by a set of states, a A critical system state indicates a system state
set of actions, a state transition function, an initial which leads to logical errors in the protocol, for
state and a set of final states. Here, an action example, a transition from the critical system state
means the exchange of an event accompanying the to an abnormal system state is a protocol error. If
execution of a transition between states. The basic this transition occurs, the system state cannot
philosophy of EXPA is to examine all possible reach the set of final system states. By performing
states of a system by defining an initial system backward perturbation, EXPA can detect the criti-
state and a set of final system states. A system cal system states which lead to such logical errors
state consists of the states of the processes and the as deadlocks and unspecified receptions. An error
N. Shiratori et al. / A Software Design Method 255
l ~ initialsystem
state
.. Isjl tsll
- "
backward .. " ".
perturbation .- abnormal "'. " abnormal "..
•* -• ."
•,".::i."
" " system states
....................... G---(D ..... .... ..;-:....
final system states
Fig. 6. Classificationof system states.
transition sequence is a sequence of system states and an action, the function 8-1 gives the set of
from a critical system state to a system state system states which have access to the system
representing a logical error. Incidentally, the num- state by the action. For example, system state
ber of system states generated by EXPA is the " S 7'' in Fig. 8 can be reached from system state
same as that generated by the algorithm [8]. "$6" by action " + 1 " . So, we get 8 - 1 ( $ 7 , + 1)
The algorithm of EXPA is as follows: = (s,).
(Step 3)
(Step 1) Perform the backward perturbation, which is a
Find all system states, which are reachable perturbation starting from the final system
from the initial system state, by applying the states by using 8-1 given in Step 2, and classify
forward perturbations, and make the reachabil- the system states into normal system states and
ity graph RG. This is the perturbation analysis abnormal system states.
given by West [8]. Record the complete infor- (Step 4)
marion of the above perturbations. That is, Find the critical system states and then make
build the transition function, say 8, of system the error transition sequences, and report them.
states. For example, system state "$2" in Fig. 8 Detect loops in the sets of the normal system
can reach system states "$3" and "$4" by ac- states and the abnormal system states, and
tions " + 3" (representing the reception of event report them. For example, in Fig. 8, system
" 3 " ) and " - 1 " (representing the transmission state "$2" is a critical system state since it is a
of event ' T ' ) , respectively. So, we get 8 ( S 2, + 3) normal system state which has immediate access
= S 3 and 8 ( S 2 , - 1) = S4. These informations to abnormal system state "$3".
are used to give the backward perturbation in
Step 2 and Step 3. Next, we give a simple execution example of
(Step 2) EXPA. In this example, we consider a system
For all system states found in Step 1, obtain the consisting of two processes represented in Fig. 7.
inverse function, say 8-1, of state transition, by In Fig. 7, a circle indicates the state of a process.
using the informations of the forward perturba- A directed arc and its label represent the transi-
tions recorded in Step 1. Given a system state tion between two process states and the action
256 N. Shiratori et aL / A S o f t w a r e Design M e t h o d
C
+3 -1 -3
+3 (
+1
s~, s~o ¢ ~ s~
]~o ~ ' 2 ~ +1 ~ " ~ S l t'--'%
/ ~ 4 ~ E ~,q..~ 1 1 } |" 0 E "1 +3 .....S3
~E 2jg ~%E 2 1 / ~E 0 / N. 3 1 '"""~*'1 ~ ""
" ~ / " v "I ) - - - " - "' : .... . ~5
. j +2 -i J.-3 $4-- • - 1 ".E 1 ""~'&"'2 " ""
s19 g • .,-" "x ..... -2 : " i
]f .~ ($4) | 1 1 "1 ".E 1 ."
! ~ x,~ I ~,%3 1 .," , "'"
" ' . . ~" - 2 " u n s p e c i f i e d ,,
-3 %~ 0 ] 86 ~+3 ~+1~: S reception
#" -V+I .'~ "'. .-" "s~ ~--.~9
(S9) * : E 1 : | 1 E I ( 2 1,2)
~o ~ *" 1 *" "~3 2 ~.," ~_3 1 .
t'°211 "'" " "'" f -- n ~-"~ +1
l + 1 -~. +3 . . _]-+3
~-3 "</)t
$7 "'1" ~ ~.. I~$14
. 2 E °' (814) (87) f o 1,2 ) ~ 2 2 )22
"'~.L-'" \ ~, 1 +2
S15
"deadlock" + 1 ~ ' 1 ~ ~ 3 ~ $ !1 E7
C)
:normal. system state S12 0 22"$1i ~- (-S 1 I)
~.E , -3 816
(819) 1
($13)
Fig. 8. Reachabilitygraph correspondingto Fig. 7.
N. Shiratori et aL / A Software Design Method 257
which causes the transition, respectively. The pro- Transformation algorithm (1) is used for verifying
tocol illustrated in Fig. 7 is given to EXPA as an protocols specified in NESDEL. Transformation
input. The information concerning the logical er- algorithm (2) is used for making the results of the
rors is obtained from EXPA as output. For exam- protocol verification performed in EXPA expres-
ple, the reachability graph generated by the execu- sions, which are the output of transformation
tion of EXPA is shown in Fig. 8. We represent a algorithm (1), reflect on the original NESDEL
system state in the form of matrix, as shown in expressions corresponding to the EXPA expres-
Fig. 8. In the matrix form, the top-left element sions. Transformation algorithm (3) generates a
represents the state of process 1, and the bottom- IDL program for implementing a protocol speci-
right element represents the state of process 2. The fied in NESDEL.
top-right element represents the state of the half-
duplex FIFO (First-In-First-Out) channel from 7.1. Transformation from NESDEL into EXPA
process 1 to process 2. Similarly, the bottom-left
element represents the state of the half-duplex
There exist some differences between NESDEL
FIFO channel from process 2 to process 1. The
expressions and EXPA expressions. Thus, a
special symbol " E " is used for denoting the state
NESDEL expression has to be transformed into
of the empty channel. In this example, we assume
the corresponding EXPA expression to validate a
that the initial system state and the final system
protocol specified in NESDEL. Traditional vali-
state are both "'So", that the capacities of the two
dation methods based on the perturbation analysis
channels are both 5, and that all events are
including EXPA require finite-state transition
exchanged perfectly. Then, we obtain the follow-
graphs without predicates and variables, in order
ing results:
to represent protocol specifications to be vali-
(1) normal system states:
dated, as inputs to these methods. However, as
So, sl, s2, s,, &, sg, sl0, s11, s12, &3, described in Section 4, NESDEL expression is
$14, $15, $16, $17, $18, S19, $20, S21; based on a finite-state transition graph with predi-
(2) abnormal system states:
cates and variables. Therefore, transformations of
s3, ss, st, s7; NESDEL expressions into EXPA expressions be-
(3) critical system states:
come difficult, so that, until now, the user has
s2, s,, &;
done this transformation using heuristics by him-
(4) error transition sequences:
self. To overcome this difficulty, we have intro-
(a) s2-" s3-" &, duced predicates and variables into EXPA expres-
(b) S, ~ S6-~ ST,
sions, and have augmented the original EXPA
(c) Ss-~ ST;
described in Section 6. Thus, the current version
(5) unspecified reception:
&; of EXPA can accept expressions with predicates
and variables as its inputs, and the choice of a
(6) deadlock:
possible transition is determined depending on
S 7•
not only the transmission or reception of an event
but also the evaluation of a predicate accompany-
7. Transformations Between the Languages ing the transition. By this augmentation, we have
succeeded in building an algorithm for the above-
In this section, we describe the algorithms for
mentioned transformation.
performing the transformations between the lan-
Now, let G be the NESDEL expression input
guages mentioned in Sections 4, 5 and 6. We
to this transformation. Then, the NESDEL-to-
provide three transformation algorithms for trans-
EXPA transformation algorithm is characterized
forming
by the following transformation rules:
(1) NESDEL expressions into EXPA expres-
sions
(2) EXPA expressions into NESDEL expres- Algorithm
sions, and (Rute/)
(3) NESDEL expressions into IDL expres- Remove the label on each directed arc in G
sions. concerned with the transmission or reception of
258 N. Shiratoriet al. / A SoftwareDesignMethod
an event relating to the layer above. But, retain We actually use a depth-first search technique,
these directed arcs. that is, we start from the root of G and then apply
(Rule 2) the above-mentioned rules to each of directed arcs
Remove each directed arc concerned with the and nodes.
activation of a timer or the occurrence of a For example, the graph representation in Fig. 9
timeout. is obtained by applying the NESDEL-to-EXPA
(Rule 3) transformation algorithm to the N E S D E L expres-
Change each arc label representing the trans- sion given in Fig. 4.
mission of an event to the layer below into the
form of " - i " where " i " is a non-negative 7.2. Transformation from EXPA into NESDEL
integer corresponding to the event to be trans- EXPA generates a reachability graph of system
mitted. states, and informs the user of logical errors such
(Rule 4) as deadlocks, unspecified receptions and buffer
Change each arc label representing the recep- overflows, if any. But, it is not easy for users to
tion of an event from the layer below into the understand them. This is why EXPA expressions
form of " + i " where " i " is a non-negative are inferior to N E S D E L expressions in under-
integer corresponding to the event to be standability. Therefore, in order to improve user
received. understandability, we would like to obtain the
(Rule 5 5 information about logical errors in a protocol
Retain each predicate. Keep informations such specification language, e.g., NESDEL.
as variables and operations effecting the In the following, we give the EXPA-to-
evaluation of the predicates. N E S D E L transformation algorithm. This algo-
(Rule 6) rithm consists of two stages: decomposition stage
Regard each node in G as a process state in the and transformation stage. In the decomposition
corresponding EXPA expression. stage, system states and sequences of system states
are decomposed into states of each process which
are components of a system state. In the transfor-
mation stage, outputs of the decomposition stage
Algorithm
(I) Decomposition stage
This stage consists of two decomposition
processes.
1. Decomposition of system states
Given a system state S as an input,
(1) find states of each process on the
EXPA expression from S;
(2) find the corresponding states (nodes)
in the N E S D E L expression by using
the transformation informations from
the N E S D E L expression into the
Fig. 9. An example of NESDEL-to-EXPAtransformations. EXPA expression.
N. Shiratoriet al. / A SoftwareDesign Method 259
I
input ~ transmit transmit ~ I input ~
I mess3 ~ mess1
j \
~Pathleadingto~~ m]essl )
[ a deadlock state J I
transmitI ~ut input d, /
~,,, ~ mess2
]/-~.~mess4
messl~ /
mess2me i ~ 3 ~ .
~ input [
//Zut b/ ~ messl
~ mess3
input
mess3 mess4 ~ . ~
(~): EXPA-to-NESDEL
transformation ( ) (~): NESDEL-to-EXPA
transformation
~): verification using
EXPA
7.3. Transformation from NESDEL into IDL expression automatically. The acquisition and the
storage of the above knowledge is performed dur-
A NESDEL expression describes a protocol in ing the preprocessing stage of the transformation
terms of, mainly, the logical behavior of the proto- algorithm.
col. On the other hand, a IDL expression must In order to acquire, keep and retrieve the trans-
contain not only its logical behavior but also the formation-information (knowledge), we use the
structure of the data handled by it, queues needed concept of a frame [46,47] in AI. The reason
to input/output events, and so on. Therefore, the behind the choice of the frame concept is that it
information available from a NESDEL expression has a suitable structure for representing a stereo-
is insufficient to transform it into a IDL expres- typed knowledge that just fits our requirement.
sion, we need auxiliary information, i.e., informa- However, some features of frames are redundant
tion which cannot be derived from a NESDEL in our application, e.g., property-inheritance
expression. Such information is mainly concerned among frames, slot filling criteria, etc.
with the primitive part of a NESDEL expression. Thus the transformation-information (knowl-
The NESDEL-to-IDL transformation algorithm edge) we handle are structured in the following
acquires, keeps and utilizes it as auxiliary informa- form;
tion for the transformation (hereafter, called (frame (slot (facet (vahie)(value)...)
transformation-information). The transformation- (facet (value)(value)...)
information is sorted into . o .
which is considered to be useful for the transfor- We have two frames: "'primitive" and "queue ",
mation of any protocol specification and can be concerned with the transformation of NESDEL's
commonly used for the executions of all transfor- primitive part and the queues to be used in the
mations; (b) covers the transformation-informa- target IDL program, respectively. In the primitive
tion peculiar to the execution of individual trans- frame, we have six slots corresponding to the
formation, and is acquired during the execution of knowledge-"bit"s (1)-(6), i.e., "'protocol-name';
the transformation. In practice, both (a) and (b) "'messages" "'timers", "'variables" "'prim" and
are unified and then utilized for the execution of "proc". In the queue frame, we have one slot
the transformation. corresponding to the knowledge-bit (7), i.e.,
Given a NESDEL expression, the following is "queue" slot. There are three types of facets:
the transformation-information necessary for the "'rule" "'default" and "'if-needed". The value se-
transformation: quence in a rule facet represents "fixed" transfor-
(1) finite-state machine name, mation-knowledge. In the case of a default facet,
(2) structure of each message, its value sequence represents default (or built-in)
(3) name and timeout limit of each timer, transformation-knowledge. In either case, a value
(4) name and type of each variable, sequence takes the form (P1 C1)(/}2 C2) ' ' " (Pn Cn)
(5) name and expansion form (IDL expression) where (Pi Ci), roughly speaking, represents a rule
of each protocol dependent primitive, indicating that Pi corresponds to Ci (strictly
(6) details of each P-node in the NESDEL graph speaking, it is interpreted depending on the slot it
expression, and is contained in). For example, the rule (timer 3000)
(7) name of each queue. in the timer slot represents that the timer named
The first six are concerned with the transforma- "timer" has 3000 milliseconds as its timeout limit.
tion of NESDEL's primitive part while the sev- In if-needed facets, the value represents the name
enth is concerned with the use of queues. We can of a procedure. A procedure is activated automati-
regard the above transformation-information as a cally when a new value (new rule) in the rule facet
kind of knowledge about the transformation. Once is needed.
all of the transformation-information (knowledge) Figure 11 gives an outline of the NESDEL-to-
is fixed, the transformation algorithm can trans- IDL transformation algorithm. As shown in this
form the given NESDEL expression into a IDL figure, the transformation algorithm consists of
N. Shiratori et al. / A Software Design Method 261
Common (1) I
transformation * • • Initialization I~
information
call
Frame
representation
primitive , .. • Primitive Frame manager ,11.• of
I call I transformation
information
NEs.E,
graph "'" ~" I Ii'iTranslation [/call/'
IDL J"
expression
(5)
Finalization
five stages: "Initialization", "Queue", "Primitive", (5) Finalization. This stage prints the derived
"Translation" and "Finalization". The functions IDL expression, if needed.
of these stages are as follows. A real example, using this algorithm, is shown
(1) Initialization. This stage generates the frame in Fig. 12. This example (i.e., a IDL program) was
representation of the common-transformation-in- obtained by applying the NESDEL-to-IDL trans-
formation, through the frame manager. This infor- lator described in the next section to the NESDEL
mation becomes the "default" knowledge of the expression corresponding to Fig. 4 which has been
frames for the transformation. produced by using the intelligent NESDEL editor
(2) Queue. This stage finds out the names of described in the next section.
the queues used by the target IDL program,
through the frame manager, and stores them as
"fixed" knowledge in the queue frame. 8. Supporting Tools
(3) Primitive. This stage fetches the transfor-
We have been developed a number of software
mation-information pertaining to the NESDEL
tools used for supporting the above-mentioned
primitive expression, through the frame manager,
languages and the transformation between those
and stores them as "fixed" knowledge in the
languages. In this section, these tools are intro-
primitive frame.
duced. The relationship between these tools is
(4) Translation. This stage generates the target
illustrated in Fig. 13.
IDL program by using the NESDEL directed
graph expression and the transformation-informa- 8.1. The Intelligent NESDEL Editor
tion about primitives and queues. The task of this
stage is relatively easy since NESDEL and IDL As stated in Section 4, a NESDEL specification
are both based on the same concept, i.e., FSM. comprises a primitive part and a directed graph
262 N. Shiratori et al. / A Software Design Method
ysis of a graph node. of the major portions (i.e., the editing function) of
(3) Intelligent help. In order to make the use of the editor.
the editor easy, it provides two kinds of help:
user-request-help (i.e., ordinary help) and system- 8.2. The N E S D E L - t o - E X P A Translator, the E X P A
spontaneous-help. A user-request-help is activated Executor, and the E X P A - t o - N E S D E L translator
by the user while a system-spontaneous-help oc-
curs automatically depending on the following We have been developing three tools, which are
factors: (a) the user's thinking time, (b) error closely related to each other, for verifying proto-
occurrence, (c) the value of the class variable and cols written in NESDEL. They are
(d) the complexity of the command. The content (1) the NESDEL-to-EXPA translator, which is
of the help information is decided using the fol- used for the transformation of NESDEL expres-
lowing factors: (a) the current value of the class sions into EXPA expressions,
variable and (b) the present state of the editor. (2) the EXPA executor, by which the EXPA
A real example, produced by this editor, is expressions given as the results of the NESDEL-
illustrated in Fig. 14. It is a hardcopy of the to-EXPA translator are verified using the EXPA
display on the TOSHIBA AS3000 color bitmap verification algorithm described in Section 6, and
display. We have completed the implementation (3) the EXPA-to-NESDEL translator, which is
transmit
Mssl 1
tr•it
input
input
~ss2
mssl
(
r
ttlmea~t t
$s4
R0SZ%screenoump ] Ipr -v
Ipr: standard input: copy file is too large
~os1% screendump I / u s r / ] i b / c t o m I lpr -v
I
Sum of e r r o r sequences: 3
Error sequence number to deadlock: 1 - 2
ransmit
Error sequence number to u n s p e c i f i e d reception: 3
m SLssl J ~ ~ s s l
Input sequence number: 1 ~
Input size: 1.5 [ size ) [unexecutable t . . . . . .. . ~ # ~,
~ v2 t
./
41 i.!
:,i:;l
4'
Input
I
/
/
u2 E
\
\
I
1-2
/pi ...i\
I
I
(:
\
E u2
//
\ .... 3 . I / input
tranzmi t
41
~) IImSS4
12 / ~ ~ unspec recep'Lior mess3
/
\ \
/ w2 mess2 \ / v2 messl \
I 3
E ul / \ E ,al /
\ \
\
/ u2 E \
....
I
\ E u2 /
\ /
v2 ,~mess ~ / pl mess1 \ / pl E ~ pl E \
• / \~,ess3 vl / \ E u2 / ~ E ul /
Fig. 15. A real example of the NESDEL-to-EXPA translator,the EXPA executor, and the EXPA-to-NESDEL translator.
used for making the results of the verification and the path from a critical state to a deadlock
performed by the EXPA executor reflect on the state.
original N E S D E L expressions corresponding to
the EXPA expressions. 8.3. The N E S D E L - t o - I D L Translator
The algorithms used for the implementation of
these tools are those described in Sections 6 and 7. In order to generate a IDL program corre-
We have completed the implementation of the sponding to a protocol specification given in
NESDEL-to-EXPA translator, the EXPA execu- N E S D E L semi-automatically, we have developed
tor, and the EXPA-to-NESDEL translator. A real the NESDEL-to-IDL translator. This translator
example, produced by these three tools, is demon- consists of six software modules each of which
strated in Fig. 15. It is a hard-copy of the display corresponds to a rectangle shown in Fig. 11. The
on the TOSHIBA AS3000 color bitmap display. functions of all the software modules except the
In the Fig. 15, the right upper part represents frame manager have been described in Section 7.3.
validation results of N E S D E L expression and the The frame manager manages the frames, and car-
right lower part shows validation results of EXPA ries out such functions as the acquisition, storage
expression. Also, the left lower part shows proto- and retrieval of the transformation knowledge de-
col errors, i.e., deadlock and unspecified reception, scribed in Section 7.3. Among other things, if
N. Shiratori et al. / A Software Design Method 265
"default" transformation knowledge is useless, the on two important concepts - partitioning and
process of the knowledge acquisition is performed unification, and the collection of the problem-ori-
interactively between the user and the translator. ented languages and the transformation al-
For example, the procedure attached to a slot has gorithms provided as a result of the partitioning
been designed so that, in its execution, "fixed" and unification is regarded as an approximation
transformation knowledge is acquired interac- to the target ideal language.
tively. As an application of the Harmonic Design
A real example, produced by this translator, is Method, we have described the design of a sup-
illustrated in Fig. 12. IDL expression in Fig. 12 is port system for computer communication proto-
corresponding to NESDEL expression in Fig. 4. cols and communication software development. In
the design of this support system, we have pro-
8.4. The I D L Compiler vided three problem-oriented languages, i.e.,
NESDEL, IDL and EXPA, and three transforma-
We have designed two compilers for translating tion algorithms between them, i.e., NESDEL-to-
IDL programs: IDL, NESDEL-to-EXPA and EXPA-to-NESDEL.
(1) IDL programs ~ assembly language pro- The protocol specification language NESDEL has
grams, and proved very useful in specifying real-world proto-
(2) IDL programs ~ C language programs. cols, e.g., X.25 and HDLC. The communication
The development of the former compiler has been software oriented programming language IDL has
completed while the latter complier is scheduled been used successfully in the description and im-
for development. In the following, we summarize plementation of HDLC. We are now studying the
main features of the former compiler. The IDL incorporation of abstract data types [48,50] into
compiler needs to incorporate the structure of NESDEL and IDL. EXPA gives an expression
state transitions and the decision of the incoming form for representing a protocol and a technique
events happening at each state described in the for analyzing the protocol. The three transforma-
IDL program into the control structure of the tion algorithms are used for uniting these lan-
object code. With respect to the control of the guages.
state transitions, the IDL compiler first sets the Given a protocol specification in NESDEL, its
entry point of the object code at the initial state of verification and implementation can be semi-
the IDL program, and then generates "goto" mechanically performed with the assistance of the
statements at the "NEXT-STATE" statements of supporting tools described in Section 8. Conse-
the IDL program. For incoming events, the IDL quently, it is expected that the development cost
compiler generates the decision sequence to check of protocol and communication software is re-
whether the described event expressions are satis- duced.
fied, along with the corresponding action se-
quences which will be executed when the event
expression is satisfied. In order to make access to References
queues and timers possible, the IDL compiler
generates "call" statements, in the object code, [1] T.P. Blumer and D.P. Sidhu, Mechanical Verification and
which call the library programs prepared in ad- Automatic Implementation of Communication Protocols,
vance for access to them. IEEE Transactions on Software Engineering 12 (8) (1986)
827-843.
[2] T.P. Blumer and R.L. Tenney, A Formal Specification
Technique and Implementation Method for Protocols,
9. Conclusion Computer Networks 6 (1982) 201-217.
[3] G. v. Bochmann, G.W. Gerber and J.M. Serre, Semiauto-
In this paper, we have proposed an approach, matic Implementation of Communication Protocols, IEEE
called Harmonic Design Method, to achieve ap- Transactions on Software Engineering 13 (8) (1987).
proximately an ideal language that simultaneously 989-1000.
[4] S. Aggarwal, D. Barbara and K.Z. Meth, SPANNER: A
satisfies different purposes or requirements such Tool for the Specification, Analysis, and Evaluation of
as software specification, verification and imple- Protocols, IEEE Transactions on Software Engineering 13
mentation. The Harmonic Design Method is based (12) (1987) 1218-1237.
266 N. Shiratori et al. / A Software Design Method
[51 D.P. Sidhu and C.S. Crall, Executable Logic Specifica- [25] C.A. Sunshine et al., Specification and Verification of
tions for Protocol Service Interfaces, I E E E Transactions Communication Protocols in AFFIRM Using State
on Software Engineering I 4 (1) (1988) 98-121. Transition Models, I E E E Transactions on Software En-
[6] D.P. Sidhu and T.P. Blumer, Verification of NBS Class 4 gineering 8 (5) (1982) 460-489.
Transport Protocol, I E E E Transactions on Communica- [26] G.V. Bochmann et al., Experience with Formal Specifica-
tions 34 (8) (1986) 781-789. tions Using an Extended State Transition Model, I E E E
[7] J. Rubin and C.H. West, An Improved Protocol Valida- Transactions on Communications 30 (12) (1982) 2506-2513.
tion Technique, Computer Networks 6 (1982) 65-73. [27] A. Danthine, Protocol Representation with Finite-State
[8] C.H. West, General Technique for Communications Pro- Models, I E E E Transactions on Communications 28 (4)
tocol Validation, I B M Journal on Research Development (1980) 632-642.
22 (4) (1978) 393-404. [28] ISO, ESTELLE--A Formal DesCription Technique Based
[9] M.G. Gouda and Y.T. Yu, Protocol Validation by Maxi- on an Extended State Transition Model, ISO/DIS 9074,
mal Progress state Exploration, I E E E Transactions on 1987.
Communications 32 (1) (1984) 94-97. [29] R.L. Schwartz and P.M. Melliar-Smith, From State Mac-
[10] C.H. West, A Validation of the OSI Session Layer Pro- hines to Temporal Logic: Specification Methods for Pro-
toeol, Computer Networks and I S D N Systems 11 (1986) tocol Standards, I E E E Transactions on Communications
173-182. 30 (12) (1982) 2486-2496.
[11] F.D. Smith and C.H. West, Technologies for Network [30] ISO, LOTOS--A Formal Description Technique Based
Architecture and Implementation, I B M Journal on Re- on the Temporal Ordering of Observational Behavior,
search and Development 27 (1) (1983) 68-78. ISO/DIS 8807, 1987.
[12] D.P. Pozefsky and F.D. Smith, A Meta-Implementation [31] H. Zimmermann, OSI Reference Model--The ISO Model
for Systems Network Architecture, I E E E Transactions on of Architecture for Open Systems Interconnection, I E E E
Communications 30 (6) (1982) 1348-1355. Transactions on Communications 28 (4) (1980) 425-432.
[13] G.D. Schultz, D.B. Rose, C.H. West and J.P. Gray, Ex- [32] C.A. Vissers, R.L. Tenney and G.V. Bochmann, Formal
ecutable Description and Validation of SNA, I E E E Description Techniques, Proceedings of the I E E E 71 (12)
Transactions on Communications 28 (4) (1980) 661-667. (1983) 1356-1364.
[14] IBM, Systems Network Architecture Format and Protocol [33] A.S. Tanenbaum, Network Protocols, A C M Computing
Reference Manual: Architecture Logic, IBM Form No. Surveys 13 (4) (1981) 453-489.
SC30-3112-2, 1980. [34] Proc. 7th I F I P International Workshop on Protocol Specifi-
[15] A. Rockstrom and R. Saracco, SDL--CCIT Specification cation, Testing and Verification (1987).
and Description Language, I E E E Transactions on Com- [35] Proc. 6th I F I P International Workshop on Protocol Specifi-
munications 30 (6) (1982) 1310-1317. cation, Testing and Verification (1986).
[16] CCITT, Functional Specification and Description Lan- [36] N. Shiratori, J. Gohara and S. Noguchi, A New Design
guage (SDL), CCITT Recommendations Z.100-Z.104, Language for Communication Protocols and a Systematic
1984. Design Method of Communication Systems, Proc. 6th
[17] G.J. Dickson and P.E. Chazal, Status of CCITT Descrip- International Conference on Software Engineering (1982)
tion Techniques and Application to Protocol Specifica- 403-412.
tion, Proceedings of the I E E E 71 (12) (1983) 1346-1355. [37] N. Shiratori, K. Takahashi and S. Noguchi, IDESS/85:
[18] S.A. Dart, P.A. Kirton and N.Q. Duc, Use of CCITT Intelligent Support System for Protocols and Communica-
Specification and Description Language (SDL) as a For- tion Software Development, Proc. 8th International Con-
real Description Technique for Open Systems Intercon- ference on Computer Communication (1986) 543-548.
nection Specifications, ISO/TC97/SC16, Technical Note, [38] N. Shiratori, J. Gohara and S. Noguchi, EXPA: Valida-
OSI-81-9, 1981. tion Method of a Communication Protocol Based on the
[19] G.J. Dickson, Formal Description of Data Communica- Perturbation Analysis (in Japanese), Transactions of I P S
dons Protocols Using the Specification and Description of Japan 26 (3) (1985) 446-453.
Language, Research Laboratories Report 7390, Telecom [39] N. Shiratori, K. Takahashi and S. Nognchi, NESDEL:
Australia, 1980. Protocol Oriented Specification and Description Lan-
[20] T. Higashino et al., An Algebraic Specification of HDLC guage and Its Apphcation (in Japanese), Transactions of
Procedures and Its Verification, I E E E Transactions on I P S of Japan 26 (6) (1985) 1136-1144.
Software Engineering 10 (6) (1984) 825-836. [40] K. Takahashi, N. Shiratori and S. Nognchi, Communica-
[21] B. Hailpern, A Simple Protocol Whose Proof Isn't, I E E E tion Software Oriented Very High-Level Programming
Transactions on Communications 33 (4) (1985) 330-337. Language IDL and Its Application (in Japanese), Journal
[22] B.T. Hailpern and S.S. Owicki, Modular Verification of d r i P S of Japan 26 (11) (1985) 1378-1387.
Computer Communication Protocols, 1EEE Transactions [41] K. Takahashi, K. Kurosawa, N. Shiratori and S. Noguchi,
on Communications 31 (1) (1983) 56-68. IDESS/85: Intelligent Support System for Protocols and
[23] B. Chen and R.T. Yeh, Formal Specification and Verifica- Communication Software Development (1)--Intelligent
tion of Distributed Systems, I E E E Transactions on Soft- Editor of Protocol Specification Language, Papers of
ware Engineering 9 (6) (1983) 710-722. Technical Group, SE85-94, IECE Japan, 1985.
[24] S.S. Lain and A.U. Shankar, Protocol Verification via [42] K. Takahashi, N. Shiratori and S. Noguchi, IDESS/85:
Projections, I E E E Transactions on Software Engineering Intelligent Support System for Protocols and Communica-
10 (4) (1984) 325-342. tion Software Development (2)ITranslation from Proto-
N. Shiratori et al. / A Software Design Method 267
col Specificationinto Software, Papers of Technical Group, [48] B. Liskov et al., Abstraction Mechanisms in CLU, Com-
SE85-95, IECE Japan, 1985. munications of the A C M 20 (8) (1977) 564-576.
[43] D. Brand and P. Zafiropuro, On Communicating Finite- [49] N. Wirth, Program Development by Stepwise Refinement,
State Machines, Journal of the A C M 30 (2) (1983) Communications of the A C M 14 (4) (1971) 221-227.
323-342. [50] J.V. Guttag, E. Horowitz and D.R. Musser, Abstract Data
[44] P. Zafiropuro et al., Towards Analyzing and Synthesizing Types and Software Validation, Communications of the
Protocols, IEEE Transactions on Communications 28 (4) A C M 21 (12) (1978) 1048-1064.
(1980) 651-660. [51] P.B. Hansen, Distributed Processes: A Concurrent Pro-
[45] M.G. Gouda and Y. Yu, Synthesis of Communicating gramming Concept, Communications of the ACM 21 (11)
Finite-State Machines with Guaranteed Progress, IEEE (1978) 934-941.
Transactions on Communications 32 (7) (1984) 779-788. [52] C.A.R. Hoare, Communicating Sequential Processes,
[46] P.H. Winston, Artificial Intelligence (Addison-Wesley, Communications of the A C M 21 (8) (1978) 666-677.
Reading, MA, 1977). [53] S. Rotenstreich and W.E. Howden, Two-Dimensional Pro-
[47] P.H. Winston and B.K.P. Horn, LISP (Addison-Wesley, gram Design, IEEE Transactions on Software Engineering
Reading, MA, 1981). 12 (3) (1986) 377-384.