A ``Formal'' Promela Model
for CDMA-RLP based on IS707-2

Michael J. Ferguson
INRS-Télécommunications

Contents

1  Introduction

1.1  Literate Programming Methodology

This document is a complete Promela/Spin model for CDMA-RLP as described in IS707-2 standard (see ./is707-2.htm). The objectives of this work are to produce a realistic Promela model of the CDMA-RLP standard and to demonstrate a methodology where

• the overall structure and architecture of the model is clear
• the computational objective, and the implementation procedure of each part of the model is clear
• the computational objective of each code fragment of the model corresponds to the the standard
• the Promela program, ./rlp-vp.prm, that is processed by Spin is nicely indented, formatted, and readable.

The methodology used is a semi-literate and visual version of the ``literate programming'' method of Knuth[4]. In Knuth's approach there is a single master web file that is processed using the program weave to produce a documentation file and is also processed by the program tangle to produce the program file for the compiler. In the approach here, there will be one or more auxilliary documentation files. It is necessary to link the master web file with these external documentation files, which in this case is the IS707-2 standard. The coordinating of the program model and the standard will use HTML hyperlinks and colour.

All current literate programming methodologies alternate the code with the documentation and tend to discourage comments within the code, even though all programming languages allow this. The alternation of documentation/code fragments the visible flow of the program. The use of inline comments can alleviate this somewhat, but if the inline comments too voluminous, the effect on visualising the code flow is similar. In addition to alternating documentation, the approach here embeds hyperlinks in comments in the code.

The method here allows for mixing the two forms of documentation by embedding hyperlinks that point to the relevant document and code sections of the standard.

There are no current systems that allow for all the capabilities listed above. The approach here was to enhance several current systems to create a new system that is capable, with a minimum of pain, to accomplish the above objectives.

1.2  Some Pragmatics

In this section I will discuss the design choices that led to the modified system used for this model. These involved the choice of the literate programming web engine and the underlying typographical engine.

1.2.1  Text Editor

Although my favourite editor is Emacs, I considered a specialised HTML editor, Amaya (http://www.w3.org/Amaya/) for inserting the anchors and links, and the text highlighting that I felt would be needed for the documentation. Amaya, like Acrobat for PDF, has been optimised for setting internal links and anchors. Amaya automatically chooses the names for the anchors and guarantees that these names will be unique. However the names chosen are not necessarily appropriate for external access. It is possible to force Amaya to choose an appropriate name, but I felt the mechanism was not really very convenient. In addition, I did not find a convenient way to highlight text. I feel that highlighting of text is important because it allows the reader to determine immediately what part of the page is actually relevant for the code. I chose to do this here with colour.

Knuth used PlainTeX for formatting his documentation files. He also used a flat, sectionless structure, and formatted the program fragments so they looked nice. This flat, sectionless structure meant that it was difficult to show the gross structure of a program. In addition, nice formatting, for example changing ``&&'' to ``Ù'', made it difficult to recognize textual program expressions in the typeset version. Knuth's version was also programming language dependent. A major advantage of that approach was that it was possible to create an extensive index of all the variables in the program. In 1992 I modified the cweb program of Levy to use all the typesetting capabilities of INRSTeX[1] (eg sections, lists, ...), and in addition modified the typeset ``c'' program fragments to appear more similar to a normal textual ``c'' program. Although it would have been quite easy to convert the grammar from ``c'' to ``Promela'', it would have been almost impossible to convert the INRSTeX file to HTML. The current universal version of TeX is LaTeX.

1.2.2  LaTeX as an intermediate documentation language

LaTeX has a number of advantages as an intermediate documentation language in this context:

• There are many powerful auxilliary programs for documentation that work with LaTeX. Two important ones are

  • bibtex ([2], Chapter 13) for citations
  • makeindex ([2], Chapter 12) for making an index
• TTH (http://hutchinson.belmont.ma.us/tth/) and latex2html (http://cbl.leeds.ac.uk/nikos/tex2html/doc/latex2html/latex2html.html) convert LaTeX to HTML. They both have their limitations, but my preferred converter is TTH. It is very fast, produces a single file, knows about colour, bibtex, makeindex, and understands TeX specials for sending text directly to the HTML file.
• h2l, (http://www.hut.fi/~jkorpela/h2l/), converts an HTML file to LaTeX. It is very simple minded, ignoring the implications HTML section headings and leaving out all graphics but it is a beginning.

1.2.3  PDF documentation

The IS707-2 standard is published as a PDF document. Although it is possible using Adobe Acrobat to link the information within a PDF document to either internal targets (anchors) or external targets, it is impossible to place a named internal target anchor in a PDF document and have that accessible from an external document. This capability seems to only be available in HTML documents. This meant that it was necessary to convert the PDF document to an HTML document. Adobe has a free online web based service that converts the PDF to HTML. However, all the formatting, figures, and tables are lost in the conversion. This form was unacceptable for the model documentation version of the standard because it did not look like the original version. This deficiency would reduce reader confidence that the derived system actually was based on the original standard. For this reason, this HTML version to a version was converted to a LaTeX document that with a format almost identical with the original PDF document. The conversion was possible, and relatively easy, but much more of hack than a production methododology. The method used was as follows:

• the Adobe website service http://access.adobe.com/access_info.html was used to convert the PDF to HTML. The resulting HTML document was so ugly as to unusable. Readers who were familiar with the original PDF document would have no confidence that this HTML document was the original text. This is the document as converted by Adobe - ./is707-2-v0.html. Note that all the tables and figures, except for captions and some internal text, are missing.
• h2l was modified to remove an underfull box for every paragraph and then used it to convert is707-2-v2.html to the very rudimentary LaTeX file is707-2-v0.tex.
• this file was edited to remove all the line numbers in the original document, internal page numbers, the forced linebreaks in the original document, and inserted section headings. Latex allows only for section, subsection and subsubsections while the original document goes two more levels deeper. These lower levels were formatted by an unnumbered subsubsection.
• a new set TeX macros allows easy? insertion of html links, names, and figures into the LaTeX document. All the original tables and figures were onverted to image files. Note that all these figures and tables will only show up in an HTML version of the documentand not in a PostScript version.
• all of the internal references to sections were converted to HTML links and names were added for the sections that were unnumbered.
• TTH was used to convert the TeX file to to HTML - ./is707-2.htm
• - not exactly a production procedure.

1.2.4  The choice of a ``literate programming'' program

``Spiderweb''(http://www.tex.ac.uk/tex-archive/web/spiderweb/README) and ``FunnelWeb''(http://www.ross.net/funnelweb/index.shtml) are two well known ``language independent'' literate programming engines. I chose FunnelWeb because it appeared to slightly more minimalist than SpiderWeb. The TeX formatting side of FunnelWeb is PlainTeX oriented and had a number of incompatibilities when converted to LaTeX. FunnelWeb also allows for HTML output, but this output is quite constrained. The only way that it would be possible to get the necessary capabilities is through modifications to FunnelWeb. The version of Funnelweb used here is sufficiently different from the original in details and philosophy that it is not really FunnelWeb. A number of the changes were necessitated by design decision in LaTeX to implement verbatim as a list environment, and the, albeit consistent, translation of this environment into the HTML <pre> environment by TTH. FunnelWeb is run in its TeX formatting mode.

This is a list of, and the reasons for, the major changes that were made to FunnelWeb.

• The verbatim mode is not used. There were several reasons for this:

  • LaTeX implements verbatim as list environment. This means that it is impossible to have an inline verbatim segment since each new line is list item, on a new line, and there is a large amount of space before and after each new verbatim environment.
  • Since inline verbatim is impossible, it is not possible to interrupt a verbatim section without inserting line and paragraph breaks. Hence LaTeX commands that implement links, anchors, or colour in Promela comments are impossible without breaking up the program. In addition, the insertion of FunnelWeb macro code, because they involve inline TeX commands, do not appear as they would in the original text.
• Instead, all spaces are replaced by the unbreakable space ~ , and all the control characters of TeX, except for the backslash ``\'' are converted into their literal printable versions. This uses a slight modifcation of an internal function of FunnelWeb's weavet.c program. This allows inline macros to appear correctly and also for HTML links and anchors to be specified inside Promela comments. It should also allow for extensive variable indexing.

  • However, there is a difficulty: Each { is changed into the printable $\{$. It is possible to define the LaTeX amcrso so that they will work with this new delimiter but TTH's macro matching capability is not as strong. The solution was to write an AWK program that found the appropriate commands inside a program fragment and change the delimiters. The restriction is that all such commands must start with \hx .

1.3  The Model Architecture

CDMA mobile radio systems, after they have established a physical connection, send frames every 20ms. Since Promela has no concept of real time, this fact is modeled by having the BS (Base Station) and the MT (Mobile Terminal) send a message through a Promela channel and then wait for the arrival of the message from the other side. This arriving message is either processed or modeled as a loss in the channel. Since RLP knows that there should be a complete frame every 20ms, a loss is the channel is referred to as an erasure. After a complete (W-1), where W is the size of the window (W=128 in IS707-2) of consecutive erasures, (127 in IS707-2).

The model in this paper makes the following assumptions:

• non-transparent RLP data transfer
• primary traffic mode only - no secondary traffic
• there is no segmentation of RLP frames

A discussion of the model structure is give when the Promela processes (proctypes) are given in section 3.

2  General program structure and output file

A Promela model usually has all of the components shown in the output file. The output file is the actual Promela program that is processed by Spin.

1: rlp-vp.prm º
{ 
 definitions 
 mtype={mtypes}; 
 channels 
 global variables 
 proctypes 
 init 
 } This macro is attached to an output file.

2.1  Definitions

2.1.1  Modular Arithmetic

Note that all arithmetic in RLP is modulo MODULUS, where MODULUS=256, for data transfer in IS707-2. The standard defines less than < and greater than > in terms of an effective window of MODULUS/2 = 128. The formula for implementing < and > for an arbitrary window, WINDOW and modulus MODULUS is
a < b <==> (a-b+MODULUS) %MODULUS >=WINDOW
a > b <==> (b-a+MODULUS) %MODULUS > WINDOW ... note that < > are not transitive ...

Only the formula (a<b), lt(a,b), is used in this model and is a Promela definition

2: definitions + º
{ 
 #define lt(a,b) ((a-b+MODULUS)%MODULUS>=WINDOW) 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

Note that MODULUS=16 and WINDOW=8 in this model is a defined value below.

3: definitions + º
{ 
 #define MODULUS 32 
 #define WINDOW 16 /* 1/2 of MODULUS */ 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

2.1.2  Definitions of TRUE and FALSE

TRUE=1 and FALSE =0, consistent with their values in C. 4: definitions + º
{ 
 #define TRUE 1 
 #define FALSE 0 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

2.1.3  System Parameters

The values of these parameters are arbitrary and their meaning and use will be indicated in the appropriate section.

5: definitions + º
{ 
 #define NO_NAK_PENDING 240 
 #define NO_RESND_PENDING 230 
 #define RESND_PENDING 231 
 #define RLP_DELAY 2 
 #define NAK_SET 4 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

2.2  Channels

There are two channels, one in each direction:

6: channels + º
{ 
   chan MT_BS=[SIZE_CH] of {mtype, byte, mtype, byte, byte}; /* RLP -> RLP */ 
   chan BS_MT=[SIZE_CH] of {mtype, byte, mtype, byte, byte}; /* RLP -> RLP */ 
 } This macro is defined in definitions 6 and 32.
This macro is invoked in definition 1.

Promela channels have a fixed message format so room must be made in the format for message with the most parameters, namely the NAK. The data in each message are snd_msg, snd_seq, snd_data, snd_first, snd_last. Not all message types use all values. The empty value for snd_data is NULL and the empty value for snd_data, snd_first, snd_last is NOVALUE.

7: mtypes + º
{ 
 NULL, 
 } This macro is defined in definitions 7, 16, 24, 28, 33 and 37.
This macro is invoked in definition 1.

8: definitions + º
{ 
 #define NOVALUE 242 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

The channels are of length SIZE_CH=2. Since Promela uses asynchronous interleaving, it is necessary to allow either the Mobile Terminal or Base Station to receive, process, and send a new message before the opposite side processes the previous message.

9: definitions + º
{ 
 #define SIZE_CH  2 /* length of channels */ 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

2.3  Global variables

rcv_state[.] is a global variable that models the aborting the connection by the physical layer, either due to detecting especially bad error conditions or in response to an abort request by the RLP layer. rcv_state[.] is initialized to NOVALUE. In this model an aborting of a connection is always due to a request from RLP.

10: global variables º
{ 
   byte rcv_state[2];  
 } This macro is invoked in definition 1.

rcv_state[.]==ABORT is the value when the MT or BS determines that the connection has been broken.

11: definitions + º
{ 
 #define ABORT 223 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

3  MT and BS Promela Model

The models of the MT and BS differ only in their ID values

12: definitions + º
{ 
 #define MT 0 /* id of Mobile Terminal */ 
 #define BS 1 /* id of Base Station */ 
 } This macro is defined in definitions 2, 3, 4, 5, 8, 9, 11 and 12.
This macro is invoked in definition 1.

This is the basic structure of the MT and BS processes. Each process has 3 input parameters, the input channel ch_in, the output channel ch_out, and the process id.

13: proctypes º
{ 
 proctype rlp(chan ch_in, ch_out; byte id) 
 {  local variables 
   d_step{ 
    variable initialization 
        } 
  send_next: /* send next message */ 
    send next message 
    rcv and process next message 
    goto send_next; 
    abort connection 
 } 
 } This macro is invoked in definition 1.

Although, Spin initializes all Promela variables to 0, it is good programming practise to initialise all variables. The main program loop consists of send next message and rcv and process next message.

3.1  local variables

14: local variables º
{ 
     mtype rcv_msg, snd_msg; 
     byte v_n, v_r, v_s; 
 /* v_s sequence # of next new send message */ 
 /* v_r sequence # of next new receive message */ 
 /* v_n sequence # of next in order receive message */ 
     byte rcv_n_s, rcv_first,  rcv_last; 
     byte snd_seq, snd_first, snd_last; 
     byte snd_data_state=0; 
     byte rcv_data_state=0;  
     mtype snd_data, rcv_data; 
     byte erasure_count; 
     byte nak_increment; 
     byte nak[MODULUS]; 
 /* nak[.]  NAK timer and status */ 
     byte nak_set[MODULUS];  
    byte nak_set_inc,nak_set_abort;/* debug variables */ 
 /* nak_set[.]  counts number of successive settings of nak[.] */ 
     mtype  rcv_buffer[MODULUS];  
 /* rcv_buffer[.] rcv data */ 
     mtype snd_buffer[MODULUS]; /* send buffer */ 
     byte resnd_buffer[MODULUS];  
 /* resnd_buffer[.] resend status */ 
  
     byte p1; /* scratch variable */ 
     mtype rcv_msg_status; /* print trace variable */ 
     mtype new_data; /* data value in next new message */ 
 } This macro is invoked in definition 13.

3.2  variable initialization

This is the initialization all the state variables. Again they will be explained in detail when they are first used.

15: variable initialization + º
{ 
     /* variable initialization */ 
     p1=0;  
     do :: (p1<MODULUS); 
            nak[p1]=NO_NAK_PENDING; 
            nak_set[p1]=0; 
            rcv_buffer[p1]=NULL; 
            resnd_buffer[p1]=NO_RESND_PENDING; 
            snd_buffer[p1]=NULL; 
            p1++ 
        :: (p1==MODULUS); 
            break 
     od; 
     v_s=0; 
     v_r=0; 
     v_n=0; 
     erasure_count=0; 
     nak_increment=0; 
 } This macro is defined in definitions 15.
This macro is invoked in definition 13.

3.3  mtypes

Non-transparent data transfer in RLP uses three message types NAK, DATA, and IDLE. These three represented as Promela mtypes.

16: mtypes + º
{ 
 NAK, /* parameters: V_S, first, last */ 
 DATA, /* parameters: V_S, data */  
 IDLE, /* V_S  */ 
 } This macro is defined in definitions 7, 16, 24, 28, 33 and 37.
This macro is invoked in definition 1.

RLP has strict priority rules on the order of sending the messages:

1. NAK messages
2. messages that need to be retransmitted because of the reception of a NAK
3. New DATA messages
4. IDLE messages if there are no DATA messages to send.

17: send next message º
{ 
  atomic{ 
   initialise send parameters 
   check if NAK pending 
   if :: if NAK pending - send NAK 
      :: else -> 
         check if retransmission pending 
         if :: if retransmission pending - send retransmission 
            :: else -> 
                send new DATA or IDLE 
         fi 
   fi; 
        } 
   if :: (rcv_state[(id+1)%2]!= ABORT) -> /* send message only if 
                                            destination has not aborted */ 
              ch_out! snd_msg, snd_seq, snd_data, snd_first, snd_last 
      :: else -> goto end_abort 
   fi; 
 } This macro is invoked in definition 13.

The initial if ... fi; sets the values of the parameters of the sent message. The message is actually sent by ch_out! on the output channel. It is only sent if the destination has not yet aborted.

3.3.1  initialise send parameters

This section initialises the next output message parameters and does so everytime a next is to be sent. snd_msg and snd_data are mtype so the are initialised to the mtype NULL while the other three are byte so they are initialised to the byte value NOVALUE.

18: initialise send parameters º
{ 
   snd_msg=NULL; 
   snd_seq=NOVALUE; 
   snd_data=NULL; 
   snd_first=NOVALUE; 
   snd_last=NOVALUE; 
 } This macro is invoked in definition 17.

3.3.2  check if NAK pending

This section determines if a NAK needs to be sent. The array nak[.] holds the status of the NAK counter (timer) for each sequence number. The possible values are

• NO_NAK_PENDING + X - where X = 0,1,2,3 is the number of NAKs that must be sent for this sequence number.
• 0 to RLP_DELAY - A NAK has been sent for this sequence number, and this is the current value of the NAK counter (timer).

The standard distingushes between a NAK retransmission timer and a NAK abort timer. However, the rules for expiration of each of them is identical. The retransmission timer is allowed to expire twice whereupon it is followed by the abort timer. If the abort timer expires, the connection is aborted. In this model, there is no distinction made of the type of counter. Rather, nak_set[.] records the number of successive times the NAK counter has been set and takes appropriate action. At the first setting of the retransmission counter, one NAK is sent, the second, two NAKs are sent, and at the third, three NAKs are sent. At the fourth setting of the retransmission counter, the connection is aborted.

All of the missing receive message sequence numbers are between the values v_n, the sequence number of next message to be received in order, and v_r, the sequence number of the next new message to be received. The code first sets p1=v_n and looks for the first sequence number that has (nak[p1] > NO_NAK_PENDING but also has (p1, ie lt(p1,v_r). It sets snd_first to this value. The number of unsent NAKs for this sequence number is reduced by one. When the value of nak[p1] drops to NO_NAK_PENDING, nak[p1] is set to 0 for the next count-up to RLP_DELAY. It then continues to increase p1 over a continuous interval where (nak[p1] > NO_NAK_PENDING) is still true. At the first p1 where the assertion fails, it subtracts 1 from p1 and sets snd_last to this value. During the entire interval, it sets the NAK counter to 0. The assert(lt(v_n,p1) || (v_n == p1)); is a sanity check on the code and should never fail. If it does, it says that the NAK interval is larger than the entire receive window.

19: check if NAK pending º
{ 
   p1=v_n; 
   do :: lt(p1,v_r) ->  
         if :: ((nak[p1] > NO_NAK_PENDING)) -> /* first NAK_PENDING */ 
                snd_first=p1; 
                do :: ((nak[p1] > NO_NAK_PENDING)) ->  
                      /* set NAK timer */ 
                       nak[p1]-; /* reduce # of NAKs needed by 1 */ 
                       if :: (nak[p1] == NO_NAK_PENDING) ->  
                              /* all the outstanding NAKs have been sent */ 
                              nak[p1]=0 
                          :: else -> skip 
                       fi; 
                       p1 = (p1+1)%MODULUS 
                    :: else ->  
                       p1 = (p1+MODULUS-1)%MODULUS; 
                       assert(lt(v_n,p1) || (v_n == p1)); 
                       snd_last=p1; 
                       break 
                od; 
                break 
            :: else -> skip 
         fi; 
         p1 = (p1+1)%MODULUS 
      :: else -> break 
   od; 
 } This macro is invoked in definition 17.

3.3.3  if NAK pending - send NAK