USC Computer Science Technical Reports, no. 716 (1999)
SYSTEMATIC TEST SYNTHESIS FOR MULTIPOINT PROTOCOL DESIGN
by
Ahmed AbdelGhaffar Helmy
A Dissertation Presented to the
FACULTY OF THE GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(Computer Science)
August
Copyright Ahmed AbdelGhaffar Helmy
Dedication
To my parents, I owe you every success.
To my father AbdelGhaffar Helmy, you were a father, a brother and a dearest friend, and to my mother Hadia Ramadan, you supported me all my life to discover my potentials. I will always be indebted and grateful to you.
To my brother Tarek Helmy, you are always a big brother and a friend.
To my wife-to-be and best friend for life Hania Abou AlShamat, you give my life balance and meaning and you complete my being.
A special note to my aunt Hiba Ramadan Attar, you are a model for altruism and patience and you make everything in this life seem so simple. You have a heart of gold.
With all the love and respect to my family.
Acknowledgments
I am grateful to Deborah Estrin, my advisor, mentor and friend. Deborah's support, encouragement and guidance led the way for me to realize my ideas through our research. Deborah's understanding in technical and personal matters was a motive for me to continue through tough times.
Special thanks go to Sandeep Gupta, my co-advisor for the STRESS project. His insightful comments and deep questions made us rethink lots of our initial research ideas and improve upon them.
Thanks to my committee members Deborah Estrin, Sandeep Gupta and Ramesh Govindan for their useful discussions and comments on the dissertation and for serving on my qualification and defense exams.
Thanks also go to Cengiz Alaettinoglu and Maja Mataric for serving on my qualification committee in addition to the above members.
I would like to thank all my colleagues in the PIM, VINT and STRESS projects. Their interaction enriched my experience and inspired me. Especially, I would like to thank Reza Rejaie for being such a dear friend in good and bad times.
I thank my colleagues at ISI, Cisco and Silicon Graphics Inc. and all those who participated in ideas or discussion useful to this work.
Contents
Dedication
Acknowledgments
List Of Figures
Abstract
Introduction
Related Work
    Multicast Protocols
    Multicast Routing
    End-to-end Multipoint Protocols
    Protocol Verification
    Theorem Proving
    Reachability analysis
    Distributed Algorithms
    Conformance Testing
    VLSI Chip Testing
Framework Overview
    Framework Overview
    Test Generation
    Detailed Simulation
    Implementation Interface
    System Model and Definition
    The system model
    Test Sequence Definition
    Test Input Pattern
    Test requirement
    Brief description of PIM-DM
Heuristic Test Generation
    Method Overview
    Scenario Generation
    Simulation and Tracing
    Output Analysis
    Case Study
    Topology Equivalence
    Test suites
    Applying the Method
    Obtaining faulty scenarios
    Example for PIM-DM
Search-based Approaches
    The Protocol Model
    PIM-DM Model
    FSM model M_i
    Global FSM model
    Defining stable states
    Classification of Transitions
    Transition Completion
    Problem Complexity
    Complexity of exhaustive state space search
    State reduction through equivalence
    Representation of error and correct states
Fault-independent Test Generation
    Exhaustive Search
    Reduction Using Equivalences
    Applying The Method
    Method input
    Complexity of forward search for PIM-DM
    Summary of behavioral errors for PIM-DM
    Challenges and Limitations
Fault-oriented Test Generation
    Method Overview
    Transition Table
    FOTG details
    Synthesizing the Global State
    Forward Implication
    Backward Implication
    Applying The Method
    Method input
    Illustrative example
    Summary of Results
    Challenges and Limitations
Performance Evaluation of End-to-End Multipoint Protocols
    Timer Suppression in Multipoint Protocols
    The model
    The Topology Model
    The Fault Model
    Applying The Method
    Algorithm Outline
    Task Definition
    Case Study: The Timer Suppression Mechanism
    Evaluation Criteria
    Timer Suppression Model
    Protocol Overhead Analysis
    Worst-case analysis
    Best-case analysis
    Example Case Studies
    Topology Synthesis
    Timer configuration
    Response Time Analysis
    Target event
    The search
    Conclusion
Summary and Future Work
    Contributions
    The Methodology
    Test Generation Algorithms
    Modeling
    Case Studies
    Future Work
Appendix A  Heuristic Test Generation for PIM-SM
    A  PIM-SM Overview
    A  Test suites
    A  Applying the Method
    A  Scenario and protocol coverage
    A  Results
    A  Summary of Results
    A  Detailed Results
Appendix B  State Space Complexity
    B  State Space Completeness
    B  Error states
    B  Correct states
    B  Number of Correct and Error State Spaces
    B  First case definition
    B  Second case definition
Appendix C  Forward Search Algorithms
    C  Exhaustive Search
    C  Reduction Using Equivalence
    C  Complexity analysis of forward search for PIM-DM
Appendix D  FOTG Algorithms
    D  Pre-Conditions
    D  Dependency Table
    D  Topology Synthesis
    D  Backward Search
    D  Experimental statistics for PIM-DM
    D  Results
    D  Interleaving events and Sequencing
Appendix E  End-to-End Performance Evaluation
    E  Conditions and Inequalities for Overhead Analysis
    E  Worst-case Overhead Analysis
    E  Best-case Analysis
    E  Mathematical Model for Solving the System of Inequalities
    E  Multiple request rounds
List Of Figures
Establishing multicast delivery tree
Generic BIST scheme
The STRESS framework
Test pattern dimensions
The block diagram of the simulation method
The scenario filter
The equivalent topologies
The topology used for the case study
The prune override loss scenario for PIM-DM
The percentage of the correct and error states
Simulation statistics for forward algorithms. Expanded States is the number of visited states and Forwards is the number of forward advances of the state machine
Simulation statistics for forward algorithms. Transitions is the number of transient states visited and Errors is the number of stable state errors detected
Join topology synthesis: forward/backward implication
Graft event sequencing
Crash leading to join latency
Crash leading to black holes
The virtual LAN and the delay matrix
Time lines showing possible event sequencing: (a) and (b) sequences do not lead to suppression, while (c) leads to timer suppression
The virtual LAN with potential responders
The virtual LAN showing pairwise delays
A  How senders rendezvous with receivers
A  The topology used for the case study
A  Simple packet trace graph showing packet loss and duplication
A  The Assert scenario under study
A  Transition diagram for joins and asserts
A  The Join/Prune scenario under study
A  The register scenarios under study
C  Simulation statistics for forward algorithms. ExpandedStates is the number of visited states
C  Simulation statistics for forward algorithms. Forwards is the number of calls to forward
C  Simulation statistics for forward algorithms. Transitions is the number of transient states visited
C  Simulation statistics for forward algorithms. The number of stable error states reached
C  Reduction ratio from exhaustive to the reduced algorithm
D  Simulation statistics for backward algorithms
D  Complexity of the FOTG algorithm for error states
D  Percentage of reachable/unreachable error states using FOTG
D  A topology having a {F_i, F_j, F_k} LAN
D  Graft event sequencing
E  The timeline for transition ordering
E  Forward search for multiple simultaneous events
E  Backward search for multiple simultaneous events
Abstract
The recent growth and increased heterogeneity of the Internet has increased the complexity of network protocol design and testing. In addition, the advent of multipoint (multicast-based) applications has introduced new challenges that are qualitatively different in nature than the traditional point-to-point protocols. Multipoint applications typically involve a group of participants simultaneously, and hence are inherently more complex. As more multipoint protocols are coming to life, the need for systematic and automated methods to study and evaluate such protocols is becoming more apparent. Such methods aim to expedite the protocol development cycle and improve protocol robustness and performance.
Related work on automatic protocol verification has usually targeted protocol correctness under idealized conditions. This study targets protocol robustness and performance in the presence of lower level network failures. In addition, previous work does not address multicast protocols or topology synthesis, both of which are addressed in this study.
In this dissertation a new methodology for developing systematic and automatic test generation algorithms for multipoint protocols is proposed. These algorithms attempt to synthesize network topologies and sequences of events that stress the protocol's correctness or performance. This problem can be viewed as a domain-specific search problem that suffers from the state space explosion problem. One goal of this research is to circumvent the state space explosion problem utilizing knowledge of network and fault modeling and multipoint protocols. Several approaches are investigated in this dissertation, including approaches based on heuristic, forward and backward search techniques. Focus is given on two search algorithms based on an extended finite state machine (FSM) model of the protocol. The first algorithm uses forward search to perform reduced reachability analysis. Using domain-specific information for multicast routing over LANs, the algorithm complexity is reduced from exponential to polynomial in the number of routers. This approach, however, does not fully automate topology synthesis. The second algorithm, the fault-oriented test generation, automates topology synthesis by utilizing backward search techniques. This algorithm uses backtracking to generate event sequences instead of searching forward from initial states.
Using these algorithms, studies are conducted for correctness of multicast routing protocols over LANs. These algorithms are further extended to study end-to-end multipoint protocols by incorporating delay semantics and performance criteria. The notion of a virtual LAN is introduced to represent delays of the underlying multicast distribution tree. As a case study, the method is used to generate worst and best case scenarios for the timer suppression mechanism employed in several Internet multipoint protocols.
Chapter
Introduction
Network protocol errors are often detected by application failure or performance degradation. Such errors are hardest to diagnose when the behavior is unexpected or unfamiliar. Even if a protocol is proven to be correct in isolation, its behavior may be unpredictable in an operational network, where interaction with other protocols and the presence of failures may affect its operation.
Protocol errors may be very costly to repair if discovered after deployment. Hence, endeavors should be made to capture protocol flaws early in the design cycle, before deployment.
Many researchers have developed protocol verification methods to ensure that certain properties of a protocol hold, properties like freedom from deadlocks or unspecified receptions. Much of this work, however, was based on assumptions about the network conditions that may not always hold in today's Internet, and hence may become invalid. Other approaches, such as reachability analysis, attempt to check the protocol state space and generally suffer from the state explosion problem. This problem is exacerbated with the increased complexity of the protocol. Much of the previous work on protocol verification targets correctness. We target protocol performance and robustness in the presence of network failures. In addition, we provide new methods for studying multicast protocols and topology synthesis that previous works do not provide.
Network protocols are becoming more complex with the exponential growth of the Internet and the introduction of new services at the network, transport and application levels. In particular, the advent of IP multicast and the MBone enabled applications ranging from multiplayer games to distance learning and teleconferencing, among others. To date, little effort has been exerted to formulate systematic methods and tools that aid in the design and characterization of these protocols.
In addition, researchers are observing new and obscure, yet all too frequent, failure modes over the internets [Paxb, Paxa]. Such failures are becoming more frequent mainly due to the increased heterogeneity of technologies, interconnects and configuration of various network components. Due to the synergy and interaction between different network protocols and components, errors at one layer may lead to failures at other layers of the protocol stack. Furthermore, degraded performance of low level network protocols may have ripple effects on end-to-end protocols and applications.
To provide an effective solution to the above problems, we present a framework for the systematic design and testing of multicast protocols. The framework integrates test generation algorithms with simulation and implementation code. We propose a suite of practical methods and tools for automatic test generation for stacks of network protocols.
Thus far, we have investigated three approaches for test generation. The first is a heuristic approach that uses topological and event equivalence relations to reduce the problem space. The second approach, fault-independent test generation, uses a forward search algorithm to explore a subset of the protocol state space to generate the event tests automatically. State and fault equivalence relations are used in this approach to reduce the state space. The last approach is fault-oriented test generation, which uses a mix of forward and backward search techniques to synthesize test events and topologies automatically.
We have also built a partial prototype of these methods in a network simulator and applied it to two multicast routing protocols adopted by the Internet community: PIM-DM and PIM-SM. Our case studies revealed several design errors, for which we have formulated solutions with the aid of this systematic process.
We have further extended the system model to include end-to-end delays using the notion of virtual LAN. We use a variant of the fault-oriented test generation for performance evaluation of end-to-end multipoint protocols. We apply the new method to the timer suppression mechanism, a building block for several Internet multipoint protocols.
The rest of this document is organized as follows. Chapter gives a brief overview of multicast and chapter presents related work in protocol verification, conformance testing and VLSI chip testing. Chapter introduces the proposed framework and system definition. We introduce the heuristic test generation in chapter . Chapters present the search based approaches and problem complexity, the fault-independent test generation and the fault-oriented test generation, respectively. The application of our framework to end-to-end performance evaluation is presented in chapter . Chapter concludes the dissertation by giving a summary of our contributions and presenting directions of future research.
Chapter
Related Work
The related work falls mainly in the field of multicast protocols, protocol verification and distributed algorithms. In addition, some concepts of our work were inspired by VLSI chip testing. Most of the literature on multicast protocol design addresses architecture, specification and comparisons between different protocols. We are not aware of any other work to develop systematic methods for testing multicast protocol robustness.
There is a large body of literature dealing with verification of communication protocols. Protocol verification typically addresses well-defined properties, such as safety properties (freedom from deadlocks) and liveness properties (freedom from starvation).
In general, the two main approaches for protocol verification are theorem proving and reachability analysis (or model checking) [CW, Hel].
Theorem proving systems define a set of axioms and construct relations on these axioms. Desirable properties of the protocol are then proven mathematically. Theorem proving includes model-based and logic-based formalisms, including first and higher order logic.
Reachability analysis algorithms [LCLa, LCLb] attempt to generate and inspect all the protocol states that are reachable from given initial states. Such algorithms suffer from the state space explosion problem, especially for complex protocols. To circumvent this problem, state reduction and controlled partial search techniques [Pro, God] could be used. These techniques focus only on parts of the state space and may use probabilistic [MS], random [Wes] or guided searches [PJ].
In Section we outline the main characteristics of protocol verification approaches and discuss the adequacy of these approaches for the verification of multicast protocol robustness.
Work on distributed algorithms deals with synchronous networks, asynchronous shared memory and asynchronous networked systems [Lyn]. Proofs can be established using an automata-theoretic framework. Section presents work on distributed algorithms and outlines how it relates to our work.
Conformance testing is used to check that a given implementation of a protocol is equivalent to its specification. It does not target design errors or protocol performance, but implementation errors, and uses search techniques to attempt to cover the state space of the implementation. We discuss conformance testing in Section .
There is an analogy between our work and VLSI chip testing. Chip test generation methods attempt to generate test vectors to reveal faults in the VLSI fabrication process. These methods define a fault model and a circuit model for the chip under test, and usually use search algorithms to find patterns exposing expected faults. The Built-In-Self-Test (BIST) [KBJND] integrates test generation and fault detection algorithms in one scheme. VLSI chip testing schemes are discussed in Section .
Other related work includes a new approach for verification of cache coherence protocols [PD]. This recent study shows how reachability analysis complexity can be reduced by using equivalence relations and symbolic representation of states. A global FSM (finite state machine) model was used to characterize the protocol behavior. One of our approaches in Chapter adopts some of the principles presented in the above study.
Multicast Protocols
Multicast protocols are the class of protocols that support group communication. A multicast group may involve multiple receivers and one or more senders. In this dissertation we address multicast protocols for the Internet based on the IP multicast model. These protocols include multicast routing protocols (e.g. DVMRP [SD], MOSPF [Moy], PIM-DM [EFHa], CBT [BFC] and PIM-SM [EFHb]), multicast transport protocols (e.g. SRM [FJL], RTP and RTCP [SCFJ]) and multiparty applications (e.g. WB [McC], vat [JM], vic [MJ], nte [Hana] and SDR [Hanb]), all of which we simply refer to as multipoint protocols.
Multicast Routing
The first part of this study focuses on multicast routing protocols, which deliver packets efficiently to group members by establishing distribution trees. Figure shows a very simple example of a source S sending to a group of receivers R_i.
[Figure: Establishing multicast delivery tree. S: sender to the group; Ri: receiver i of the group (R1 to R5).]
Multicast distribution trees may be established by either broadcast-and-prune or explicit join protocols. In the former, such as DVMRP or PIM-DM, a multicast packet is broadcast to all leaf subnetworks. Subnetworks with no local members for the group send prune messages towards the sources of the packets to stop further broadcasts. Link state protocols, such as MOSPF, broadcast membership information to all nodes. In contrast, in explicit join protocols, such as CBT or PIM-SM, routers send hop-by-hop join messages for the groups and sources for which they have local members. When received, these messages build routing state in routers and cause further messages to be sent upstream until the distribution tree is established. Upon receiving a multicast packet, a router forwards the packet according to the routing state.
We conduct robustness case studies for PIM-DM and PIM-SM. We are particularly interested in multicast routing protocols because they are vulnerable to failure modes, such as selective loss, that have not been traditionally studied in the area of protocol design.
For most multicast protocols, when routers are connected via a multi-access network or LAN (see footnote), hop-by-hop messages are multicast on the LAN and may experience selective loss, i.e. may be received by some nodes but not others. The likelihood of selective loss is increased by the fact that LANs often contain hubs, bridges, switches and other network devices. Selective loss may affect protocol robustness.
Footnote: We use the term LAN to designate a connected network with respect to IP multicast. This includes shared media such as Ethernet or FDDI, hubs, switches, etc.
Similarly, end-to-end multicast protocols and applications must deal with situations of selective loss. This differentiates these applications most clearly from their unicast counterparts and raises interesting robustness questions.
Our case studies illustrate why selective loss should be considered when evaluating protocol robustness. This lesson is likely to extend to the design of higher layer protocols that operate on top of multicast and can have similar selective loss.
End-to-end Multipoint Protocols
The second part of this study targets performance evaluation of end-to-end multipoint protocols. We refer to multicast-based protocols as multipoint protocols. These include multicast transport protocols and multiparty applications. The design of multipoint protocols has introduced new challenges and problems. Some of the problems are common to a wide range of protocols and applications. One such problem is the multi-responder problem, where multiple members of a group may respond almost simultaneously to an event, which may cause a flood of messages throughout the network, and in turn may lead, for example, to unintended and counterproductive synchronized responses and may cause additional overhead (e.g. the well-known Ack implosion problem), leading to performance degradation.
One common technique to alleviate the above problem is the multicast damping technique, which employs a timer suppression mechanism. We use this mechanism for our performance evaluation case study in Chapter . This mechanism is employed in a range of multipoint protocols, such as multicast routing protocols (e.g. PIM-DM [EFHa], PIM-SM [EFH] and IGMP [Fen]), multicast transport protocols (e.g. SRM [FJL], RRM [GYE], MFTP [MRTW] and RTP/RTCP [SCFJ]), address allocation (AAP [Han], SDR [Hanb] and MASC [KRT]), adaptive web caching [ZMN] and other multipoint applications (media gateway [AMK]).
Protocol Verification
Protocol verification is the problem of ensuring the logical consistency of the protocol specification, independent of any particular implementation. Protocol verification typically addresses safety, liveness and responsiveness properties [SAASA]. Safety properties include freedom from deadlocks, assertion violations, improper terminations and unspecified receptions. Liveness properties include detection of acceptance cycles and absence of non-progress cycles, while responsiveness properties include timeliness and fault tolerance, which recovers the system to a legal state to resume normal execution from an illegal state. Most protocol verification systems aim to detect violations of these protocol properties.
Although we cannot do justice to the extensive body of work in this area, we shall dwell upon some of the main aspects and common approaches to protocol verification. There are two main approaches to protocol verification: theorem proving (using formal methods) and reachability analysis (sometimes called model checking).
Theorem Proving
In theorem proving, system properties are expressed in logic formulas defining a set of axioms and rules. In contrast to reachability analysis and model checking, theorem proving can deal with infinite state spaces. However, interactive theorem provers require human intervention, and hence are slow and error-prone.
Theorem proving includes model-based and logic-based formalisms. Model-based formalisms, such as Z [Spi] and the Vienna Development Method (VDM) [Jon], are suitable for protocol specifications in a succinct manner, but lack the tool support for effective proof of properties. The use of first order logic allows the use of theorem provers such as the Boyer-Moore logic prover (Nqthm) [BM], but may result in specifications that are difficult to read. Higher order logic, such as the Prototype Verification System (PVS) [ORSH], provides expressive power for clear descriptions and proof capabilities for protocol properties.
In general, theorem proving systems require the definition of a set of axioms and the construction of relations based on these axioms. The number of axioms and relations grows with the complexity of the protocol. These systems require strong mathematical background and understanding. The fact that axiomatization and proofs depend largely on human intelligence may limit the use of theorem proving systems.
Theorem proving has been used in verification of distributed algorithms and systems (see Section ).
Several attempts to apply formal verification to network protocols have been made. For example, assertional proof techniques were used to prove distance vector routing [Taj], path vector routing [SC] and route diffusion algorithms [JM, GLA], and [MS] using communicating finite state machines. An example point-to-point mobile application was proved using assertional reasoning in [RMP] using UNITY [CM]. Axiomatic reasoning was used in proving a simple transmission protocol in [Hai]. Algebraic systems based on the calculus of communicating systems (CCS) [Mil] have been used to prove CSMA/CD [Par]. Formal verification has been applied to TCP and T/TCP in [Smi].
In all, formal verification methods may be important to protocol design. However, they have not been applied to wide-area multicast or complete routing protocols. We believe that theorem proving systems will be even more complex, and perhaps intractable, in the context of multicast protocols.
Reachability analysis
Most automated verification systems are based on exhaustive reachability analysis. To establish the observance of state invariants, it is sufficient to verify their correctness with a test for each state that is reachable from a given initial system state. The main problem that must be addressed in the design of such a system is the state space explosion problem.
Verification of state properties includes assertion violations and improper terminations. Verification of sequences of states includes non-progress conditions and temporal claims.
A reachability analysis algorithm attempts to generate and inspect all the states of a distributed system that are reachable from a given initial state. The three main types of reachability analysis algorithms are full search, controlled partial search and random simulation.
If full search exceeds the memory or time limits, it effectively reduces to an uncontrolled partial search, and the quality of the analysis deteriorates quickly. Controlled partial search attempts to select a fraction of the full state space that can be searched within given time and space constraints. Random walk of the state space may be used for very large state spaces, where full or partial search is not feasible.
The typical measures of reachability analysis quality are:
- state coverage: the fraction of system states tested, i.e. (Number of Tested States) / (Total Number of States);
- error coverage: the fraction of system errors found. This measure represents the ability to find errors and is not easily quantified, since the total number of errors present is usually unknown.
In practice, however, these measures may not be obtainable for complex protocols.
Full State Space Search
A finite state machine (FSM) is defined by a finite number of states and state transitions. Each state transition has a precondition and an effect (or a postcondition). The transition is enabled only if the precondition holds. The effect of an execution can change the state of the system.
A reachable state, or sequence of states, can be checked for general safety conditions (e.g. absence of deadlocks or buffer overruns) or protocol-specific requirements (e.g. a temporal claim about a retransmission discipline).
States are stored in and retrieved from a working set W. The algorithm performs a breadth-first (BF) or a depth-first (DF) search of the state space tree. BF finds the shortest error sequences first; DF requires a smaller working set W in general. The depth of the search tree depends on the maximum length of a unique execution sequence. The width of the tree, on the other hand, is determined by the maximum number of distinct execution sequences, usually a much larger number. For example, for a protocol with a fixed number of successors for every state, after n transitions the breadth grows exponentially in n, while the depth is only n states.
In DF, when an error is discovered, an execution sequence leading to the error may be easily produced. For BF, however, the execution sequence (path) must be reconstructed.
Con trolled P artial Searc h
Con trolled P artial Searc h is based on the premise that in most cases of practical in terest the
maxim um n um b er of states that can b e analyzed A is only a fraction of the total n um ber
of reac hable states R Ob jectiv es of con trolled partial searc h are to analyze precisely A
states with A MS where M is the memory a v ailable and S is the memory required to
store one system state suc h that a all ma jor proto col functions are tested and b the
searchqualit y ie the probabilit y of nding an ygiv en error is b etter than the co v erage
AR Some con trolled partial searc hes are based on
- depth-bounds: bounds are placed on the length of the execution sequences that are analyzed, limiting the search to a useful subset of behaviors and ruling out degenerate cases of multiple overlapping sequences.
- scatter-search: executions that lead closer to potential error states are selected. For deadlock, for example, an algorithm favors receive operations over send operations, since one of the requisites of a deadlock is that all channels are empty. This may increase the probability of finding errors fast.
- guided-search: the selection criterion is a cost function that is dynamically evaluated for each successor state. Not much has been proven about how useful a cost function is.
- probabilistic search: successor states are explored in decreasing order of their probability of occurrence. Transitions in the system are tagged by probability of occurrence, and these are used as the selection criterion.
- partial orders: the main factor responsible for the state space explosion problem is the large number of possible interleavings of concurrent events. Not all interleavings are necessarily relevant in the search for error states. The goal is to prune away the part of the search proven to be irrelevant or redundant. One approach to achieve this is the formal definition of equivalence relations on system behavior.
- random selections: the simplest approach, and one that may satisfy the objectives of controlled partial search.
The first methods try to predict where the errors in a protocol can be found, which may be inherently risky, since one purpose of automatic verification is to capture unpredictable errors. Partial orders and random selection of successor states in principle avoid that problem. For partial orders, it is not trivial to prove irrelevance. For example, if process A interacts with process C and B with C, there may be an implicit interaction between A and B. One cannot assume that A and B are disjoint and that all possible interleavings of their behaviors are necessarily equivalent.
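The following is an added example (not code from the dissertation) of the search described above: a bounded BF/DF search over a constructed stop-and-wait model whose only fault is message loss, keeping a working set W, an analyzed set A, and predecessor links so that the error sequence can be reconstructed in the BF case. The model, the state encoding and the depth bound are assumptions of the example.

```python
from collections import deque

# Constructed toy model (an added example, not the dissertation's code): a
# stop-and-wait sender must deliver PACKETS packets over a channel that can
# lose a message. Nothing retransmits, so a loss strands both sides: a deadlock.
PACKETS = 2

def initial_state():
    # state = (packets acknowledged so far, sender mode, channel contents)
    return (0, "idle", ())

def successors(state):
    """The transition relation: all (label, next_state) pairs enabled in `state`."""
    acked, mode, chan = state
    nxt = []
    if mode == "idle" and acked < PACKETS:
        nxt.append(("send", (acked, "wait", chan + ("DATA",))))
    if chan:
        head, rest = chan[0], chan[1:]
        nxt.append(("lose", (acked, mode, rest)))  # the fault: message loss
        if head == "DATA":
            nxt.append(("recv", (acked, mode, rest + ("ACK",))))
        elif head == "ACK" and mode == "wait":
            nxt.append(("ack", (acked + 1, "idle", rest)))
    return nxt

def is_error(state):
    """Deadlock: no transition is enabled although delivery is still incomplete."""
    return state[0] < PACKETS and not successors(state)

def search(strategy="BF", depth_bound=10):
    """Controlled partial search of the state space tree.

    strategy: "BF" treats the working set W as a queue, "DF" as a stack.
    depth_bound: execution sequences longer than this are not analyzed.
    Returns (error_sequence or None, number of states analyzed).
    """
    start = initial_state()
    work = deque([(start, 0)])           # the working set W, with depths
    parent = {start: None}               # state -> (label, predecessor)
    analyzed = set()                     # the analyzed set A
    while work:
        state, depth = work.popleft() if strategy == "BF" else work.pop()
        analyzed.add(state)
        if is_error(state):
            return error_sequence(parent, state), len(analyzed)
        if depth >= depth_bound:
            continue
        for label, nxt in successors(state):
            if nxt not in parent:        # each state is stored only once
                parent[nxt] = (label, state)
                work.append((nxt, depth + 1))
    return None, len(analyzed)

def error_sequence(parent, state):
    """Reconstruct the execution sequence by walking predecessor links back to the start."""
    seq = []
    while parent[state] is not None:
        label, state = parent[state]
        seq.append(label)
    return seq[::-1]

if __name__ == "__main__":
    for strategy in ("BF", "DF"):
        seq, n = search(strategy)
        print(strategy, "found an error after analyzing", n, "states:", seq)
```

BF returns the shortest error sequence (send, lose) after three states; DF on the same model returns a five-step sequence, and a depth bound of 1 cuts the search off before any error is reached.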
Random Simulation
Random simulation may be used for huge problem sizes where the memory requirements are larger than the available memory. This approach discards the sets A (the analyzed set of states) and W (the working set) and explores the state space with random simulation, or random walk. The quality of the algorithm in this case cannot be directly measured, and the state coverage depends on the time given for simulation.
Recently, several researchers developed approaches to tackle the state explosion problem in a more uniform manner. We mention here fair reachability [LM] and leaping reachability analysis [SU]. In both cases the protocol may be represented by communicating finite state machines (CFSM).
In the fair reachability analysis, the state reduction is achieved by forcing the protocol to progress through fair execution sequences and hence cutting down the redundancy of state exploration. However, the result given in the above study only applies to the class of cyclic protocols (i.e. those that have only one input channel and one output channel for each process) whose logical correctness is decidable. Its extensibility to other protocol classes and other models of finite state machines is questionable.
Leaping reachability analysis forces multiple machines of the protocol to progress by the concurrent execution of transitions at global states, hence leaping through the state space. Again, the assumptions underlying the study, such as FIFO queues, may be very restrictive for real protocols. Also, these approaches mainly target deadlocks and liveness properties and do not address robustness aspects per se.
In our work, however, we adopt approaches extending reachability analysis for multicast protocols. Our fault-independent test generation method in Chapter is similar to controlled partial search and uses reduction techniques based on equivalence relations.
Distributed Algorithms
There has been much work on distributed systems and algorithms. Distributed algorithms may be classified based on the interprocess communication method or the timing model [Lyn]. Communication methods include accessing shared memory, message passing, or remote procedure calls. With respect to timing, systems can be synchronous, partially synchronous, or asynchronous. Synchronous systems communicate in perfect lock-step synchrony. In contrast, asynchronous systems take steps in arbitrary orders. In partially synchronous systems, processors have partial information about the timing of events, e.g. using approximately synchronized clocks.
Several failure models were considered in some of the studies on distributed algorithms, including message loss or duplication and processor failures such as stop or crash failures, transient failures, or byzantine failures [LSP], where failed processors behave arbitrarily. However, for our target domain, as well as for most applications, it is sufficient to assume with a high probability that faulty systems will crash cleanly [CDK]; hence we do not consider byzantine failures.
In [Lyn], distributed algorithms are treated in a formal framework using automata-theoretic models and state machines, sometimes presenting results in terms of set-theoretic mathematics. The formal framework is used to present proofs or impossibility results.
Verification and proof methods for distributed algorithms include invariant assertions and simulation relationships, and are generally proved using induction. An invariant assertion is a property that holds true for all reachable states of the system, while a simulation is a formal relation between an abstract solution of the problem and a detailed solution. Invariant and simulation mapping proofs may be checkable using theorem provers, e.g. the Larch theorem prover [GG].
Asynchronous network components can be modeled as input/output automata (I/O automata). This model allows the composition of different components as an I/O automaton. The correctness of the composed automaton can be based on proofs of correctness of its components. To include clocks or timeouts, the timed-automata models are used [MMT].
[Lyn] presents models for the simpler systems, i.e. synchronous networks and asynchronous shared memory algorithms, and then discusses transformations to permit algorithms developed for the simpler systems to run in the more complex asynchronous network model. The synchronizer transformation [Awe] enables asynchronous network systems to simulate synchronous networks, but does not work in the presence of faults. Another technique enables asynchronous networks to simulate asynchronous shared memory, and a third technique uses logical times [Lam]. The monitoring technique allows detection of stable properties of the algorithm, such as termination or deadlock, by producing global snapshots of the system state [FGL, CL].
The asynchronous network model includes process and channel I/O automata models. The channel could be a point-to-point FIFO queue (also called a send/receive channel), broadcast, or multicast (where only a set of systems receive the messages sent to the channel).
Internet multipoint protocols that we address in this study can be modeled as asynchronous networks with the components as timed automata, including failure models. In fact, the global finite state machine (GFSM) model used by our search algorithms is adopted from asynchronous shared memory systems, specifically cache coherence algorithms [PD], and extended with various multicast and timing semantics.
The transitions of the I/O automaton are given in the form of preconditions and effects. This is similar to our representation of the transition table for the fault-oriented test generation method. Also, a cause function is used to describe the connection between message sending and receiving events. This is similar to one of our implication rules in Chapter .
Theorem proving methods can be used with distributed algorithms to prove safety properties (e.g. absence of deadlocks), liveness (e.g. absence of livelocks), or to give impossibility results. They may also be used to establish asymptotic bounds on the complexity of the distributed algorithms.
It is not clear, however, how theorem proving techniques can be used in test synthesis to construct event sequences and topologies that stress network protocols. Also, aside from asymptotic behavior, it may be hard for such techniques alone to address performance issues.
In sum, we feel that parts of our work draw from distributed algorithms verification principles. Yet we feel that our work complements such work, as we focus on test synthesis problems. The combination of timed automata, invariants, simulation mappings, automaton composition, and temporal logic [Lam] seems to be a very useful set of tools for proving or disproving and reasoning about properties of network protocols.
Conformance Testing
A given implementation ideally realizes all functions of the specification over the range of acceptable parameter values and rejects erroneous inputs. A conformance test is used to check that the external behavior of a given implementation of a protocol is equivalent to its formal specification. A conformance test should fail only if implementation and specification differ. In contrast, verification of the protocol must always reveal the design error.
Given an implementation under test (IUT), sequences of input messages are provided and the resulting output is observed. The test passes only if all observed output matches that of the formal specification. Another approach to conformance testing is to establish the conformance of the control structure of the implementation to the structure of the specification. Implementation and specification have the same structure if they model equivalent sets of states and allow for the same state transitions.
A state of the IUT is a stable condition awaiting an input signal. A transition is the consumption of an input signal, the possible generation of an output signal, and the possible move to a new state. The move must be deterministic in order for the test to be reproducible. In each state, a complete IUT can accept and respond to all input symbols from the complete system vocabulary. The acceptance of an input signal that is outside the official input vocabulary may cause a transition into a set of states that produces erroneous behavior.
The series of input sequences used this way is called a conformance test suite. The cost of the test can be expressed as the length of the test suite, i.e. the total number of messages sent to the IUT. The main problem is to find an efficient procedure for generating a conformance test suite for a given protocol.
One possible solution is to generate a sequence of state transitions that passes through every state and every transition at least once, also known as a transition tour. The problem of finding a minimum length transition tour of a finite state machine, described for instance in [Kle], can be solved in polynomial time.
However, in order for this solution to work, the state of the machine must be checked after each transition, since the implementation may be faulty. This leads to the definition of UIO sequences.
A Unique Input/Output (UIO) sequence, or state signature, is a sequence of transitions that can be used to determine the state of the IUT. To be able to verify every state in the IUT, we must be able to derive a UIO sequence for every state separately. This approach generally suffers from the following drawbacks: (a) Not all UIO sequences are necessarily different. It may be possible to derive a distinguishing sequence, a single UIO sequence that can be used to identify any state in a finite state machine (FSM). (b) Not all FSMs have such a distinguishing sequence, and not all states have a UIO sequence. (c) Even if all states in an FSM have a UIO sequence, the problem of deriving UIO sequences has been proved to be PSPACE-complete in [YL], i.e. only very short UIO sequences can be found in practice. (d) UIO sequences can identify states reliably only in a correct IUT. Their behavior for faulty IUTs is unpredictable, and they cannot guarantee that any type of fault in an IUT remains detectable. Only the presence of desirable behavior can be tested by conformance testing, not the absence of undesirable behavior.
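As an added example (not the dissertation's code), the following derives UIO sequences for a constructed three-state Mealy machine, builds a transition tour, and runs the tour-plus-UIO conformance check against a constructed IUT whose only defect is a wrong next state; the specification, the inputs, the length bound on UIO search and the faulty IUT are all assumptions of the example.

```python
from collections import deque
from itertools import product

# Constructed Mealy-machine specification (an added example, not from the
# dissertation): SPEC[state][input] = (next_state, output).
SPEC = {
    "s0": {"a": ("s1", "1"), "b": ("s0", "0")},
    "s1": {"a": ("s2", "0"), "b": ("s0", "1")},
    "s2": {"a": ("s0", "0"), "b": ("s2", "1")},
}
INPUTS = ("a", "b")

def run_fsm(fsm, state, inputs):
    """Apply an input sequence from `state`; return (final_state, output string)."""
    out = []
    for x in inputs:
        state, y = fsm[state][x]
        out.append(y)
    return state, "".join(out)

def uio_sequence(fsm, target, max_len=4):
    """Shortest input sequence whose output from `target` differs from the output
    of every other state (a state signature). None if none exists up to max_len;
    the bound stands in for the 'only short UIO sequences in practice' caveat."""
    for n in range(1, max_len + 1):
        for seq in product(INPUTS, repeat=n):
            sig = run_fsm(fsm, target, seq)[1]
            if all(run_fsm(fsm, s, seq)[1] != sig for s in fsm if s != target):
                return "".join(seq)
    return None

def shortest_path(fsm, src, dst):
    """BFS transfer sequence that moves the machine from src to dst ([] if equal)."""
    queue, seen = deque([(src, [])]), {src}
    while queue:
        s, path = queue.popleft()
        if s == dst:
            return path
        for x in INPUTS:
            t = fsm[s][x][0]
            if t not in seen:
                seen.add(t)
                queue.append((t, path + [x]))
    raise ValueError(f"{dst} is unreachable from {src}")

def transition_tour(fsm, start):
    """Input sequence traversing every transition at least once (greedy, not minimal)."""
    unvisited = {(s, x) for s in fsm for x in fsm[s]}
    tour, state = [], start
    while unvisited:
        # go to the nearest state that still has an untraversed outgoing transition
        target = min(sorted({s for s, _ in unvisited}),
                     key=lambda s: len(shortest_path(fsm, state, s)))
        x = next(i for i in INPUTS if (target, i) in unvisited)
        for step in shortest_path(fsm, state, target) + [x]:
            unvisited.discard((state, step))
            state = fsm[state][step][0]
            tour.append(step)
    return "".join(tour)

def tour_transitions(fsm, start, tour):
    """The (state, input) transitions a tour exercises on `fsm`, in first-visit order."""
    seen, state = [], start
    for x in tour:
        if (state, x) not in seen:
            seen.append((state, x))
        state = fsm[state][x][0]
    return seen

def conformance_test(spec, iut, start="s0"):
    """Drive the IUT through the spec's transition tour and, after each transition,
    apply the UIO sequence of the state the spec expects. Returns None on pass, or
    (kind, state, input) for the first transition at which the IUT deviated."""
    uio = {s: uio_sequence(spec, s) for s in spec}
    spec_state = iut_state = start
    for s, x in tour_transitions(spec, start, transition_tour(spec, start)):
        # Transfer both machines to s. The transfer is trusted, which is exactly the
        # caveat in the text: UIOs identify states reliably only in a correct IUT.
        transfer = shortest_path(spec, spec_state, s)
        spec_state = run_fsm(spec, spec_state, transfer)[0]
        iut_state = run_fsm(iut, iut_state, transfer)[0]
        spec_state, y_spec = spec[spec_state][x]
        iut_state, y_iut = iut[iut_state][x]
        if y_spec != y_iut:
            return ("output fault", s, x)
        sig = uio[spec_state]
        expected = run_fsm(spec, spec_state, sig)[1]
        iut_state, observed = run_fsm(iut, iut_state, sig)
        spec_state = run_fsm(spec, spec_state, sig)[0]
        if observed != expected:
            return ("state fault", s, x)
    return None

# Constructed faulty IUT: identical outputs, but s2 on input b wrongly moves to s0.
# A pure transition tour cannot see this; the UIO check after the transition can.
FAULTY_IUT = {s: dict(t) for s, t in SPEC.items()}
FAULTY_IUT["s2"]["b"] = ("s0", "1")
```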
In conclusion, conformance testing techniques are important for testing protocol implementations. However, they are not suitable as-is for use in the design stage of a protocol. We consider work in this area as complementary to the focus of our study.
VLSI Chip Testing
Chip testing uses a set of well-established approaches to generate test vector patterns, generally for detecting physical defects in the VLSI fabrication process.
Common test vector generation methods detect single-stuck faults, where the value of a line in the circuit is always at logic 0 or 1. Test vectors are generated based on a model of the circuit and a given fault model. The cost of the test generation depends on the complexity of the circuit to be tested as well as on the method of test generation. Random vector generation is simple, but in general performs poorly in terms of fault coverage if the vector set is not large. In contrast, deterministic vector generation produces shorter and higher quality tests by processing a model of the circuit, and hence is more expensive.
Deterministic vector generation can be fault-independent or fault-oriented. In a fault-oriented process, test vectors are generated for specified faults as defined by the fault model. On the other hand, a fault-independent process works without targeting individual faults.
In the fault-oriented process, the two fundamental steps in generating a test vector are (a) to activate (or excite) the fault and (b) to propagate the resulting error to an observable output. Activating a fault involves a line justification step, that is, setting circuit input values to cause a line l in the circuit to have a specific value. To propagate the error to an output, a path from l to the output needs to be sensitized. A line whose value in the test t changes in the presence of the fault f is said to be sensitized to the fault f by the test t. A path composed of sensitized lines is called a sensitized path. Several algorithms have been developed to solve the path sensitization problem, such as the D-algorithm, the V algorithm, and the Path-Oriented Decision Making (PODEM) algorithm.
Line justification or error propagation usually involve a search procedure with a backtracking strategy to resolve or undo contradictions in the assignment of line and input values. The line assignments performed sometimes determine, or imply, other line assignments. The process of computing the line values to be consistent with previously determined values is referred to as implication. Forward implication is implying values of lines from the fault toward the output, while backward implication is implying values of lines from the fault toward the circuit input.
Fault-independent test generation attempts to generate a set of input vectors that detect a large set of faults without targeting individual faults. One such method is the critical-path method. The basic steps of a critical-path algorithm are to (a) select an output and assign it a value, then (b) recursively justify the value of a gate output by assigning values to the gate inputs.
Another concept of VLSI testing in which we are interested is fault equivalence. Two faults f and g are said to be functionally equivalent for a circuit C under test x iff $C_f(x) = C_g(x)$. A test t is said to distinguish between two faults f and g if $C_f(t) \neq C_g(t)$; such faults are distinguishable. The relation of functional equivalence partitions the set of faults into equivalence classes. For fault analysis it suffices to consider only one fault from every equivalence class.
A scheme that utilizes the above concepts for online chip testing is the Built-In Self-Test (BIST) [KBJND]. BIST provides a systematic technique for chip testing synthesis. A generic BIST scheme is shown in figure .
[Figure: a test pattern generator feeds test patterns through a multiplexer (test/normal select) as test inputs to the circuit under test; the test outputs (test responses) go to a response monitor circuit, which raises an error signal.]
Figure: Generic BIST scheme
This technique can be used to detect faults due to single stuck lines. BIST uses a test pattern generator (TPG) to produce the input patterns applied to the circuit under test. The test patterns are chosen to maximize fault coverage with a minimum number of inputs. A response monitor circuit is used to monitor and detect error signals. The expected output for VLSI chip testing is a fault coverage vs. test length curve.
We are particularly interested in the architectural paradigm of BIST, after which we model our simulation method. Our approaches for protocol testing use some of the above principles, such as forward and backward implication, and fault-independent and fault-oriented approaches.
However, in VLSI chip testing the test vectors are produced for a given circuit, whereas in protocol test generation the topology is variable, and a protocol should be designed to work with arbitrary topologies, which adds another dimension to our problem.
Chapter: Framework Overview
Protocols may be evaluated for correctness or performance. We refer to correctness studies that are conducted in the absence of network failures as verification. In contrast, robustness studies consider the presence of network failures such as packet loss or crashes. In general, the robustness of a protocol is its ability to respond correctly in the face of network component failures and packet loss. This dissertation presents a methodology for studying and evaluating multicast protocols, specifically addressing robustness and performance issues. Supported by a set of tools for automatic test generation and synthesis, the method integrates protocol modeling, simulation, and implementation in a single framework. The major contribution of this work lies in developing new methods for generating stress test scenarios that target robustness and correctness violations or worst case performance.
We adopt a systems approach to failure and behavioral analysis. That is, instead of studying protocol behavior in isolation, we incorporate multiple protocol layers with network dynamics and failures in order to reveal more realistic behavior of protocols in operation.
This chapter presents an overview of the framework and its constituent components. The model used to represent the protocol and the system is presented, along with definitions of the terms used.
Framework Overview
Our framework integrates test generation with simulation and implementation code. It is used for Systematic Testing of Robustness by Evaluation of Synthesized Scenarios (STRESS). As the name implies, systematic methods for scenario synthesis are a core part of the framework. We use the term scenarios to denote the test-suite consisting of the topology and events. Scenarios will be discussed in more detail in Chapter .
The input to this framework is the specification of a protocol and a definition of its design requirements in terms of correctness or performance. Usually robustness is defined in terms of network dynamics or fault models. A fault model represents various component faults such as packet loss, corruption, reordering, or machine crashes. The desired output is a set of test-suites that stress the protocol mechanisms according to the robustness criteria.
The STRESS framework includes the following components (see figure ):
- Automatic test generation and topology synthesis algorithms,
- Detailed simulator driven by the synthesized test patterns and scenarios, and
- Protocol implementation driven through an emulation interface to the simulator.
Test Generation
The core contribution of our work lies in the development of systematic test generation algorithms for protocol robustness. We investigate three such algorithms, each using a different approach.
In general, there are two approaches for test generation (TG): random TG (RTG) and deterministic TG. RTG involves only the generation of random test patterns (see Section for the definition of test patterns) and hence is simple. However, a large set of test patterns is needed to achieve a high measure of error coverage, and even then determining the test quality may be expensive. Also, the cost of running long test sequences may be high. RTG generally does not take into account the function or the structure of the protocol under test and does not attempt to minimize the test length.
Heuristics may be developed, however, to increase the test quality. Our first approach utilizes topological and event equivalences to establish an initial set of tests. This set is then expanded to include the possible fault scenarios (e.g. message loss) according to the protocol robustness. We use a simulation-based method to run the tests, analyze erroneous behavior, and collect coverage information. The heuristic approach and the simulation method are described in Chapter .
Deterministic TG, on the other hand, produces tests based on a model of the protocol. Hence it may be more expensive than RTG. However, the knowledge built into the protocol model enables the production of shorter and higher-quality test sequences. Deterministic TG can be manual or automatic. In this study we focus on automatic TG (ATG).
Deterministic TG can be (a) fault-independent or (b) fault-oriented. Fault-independent TG works without targeting individual faults as defined by the fault model. Such an approach may employ a forward search technique to inspect the protocol state space, or an equivalent subset thereof, after integrating the fault into the protocol model. In this sense it may be considered a variant of reachability analysis, with symbolic representation and state and fault equivalence used to reduce the state space. Chapter describes our fault-independent approach.
[Figure: Automatic Test Generation (ATG) produces test patterns and scenarios for protocol analysis through simulation; the simulator drives the protocol implementation through an emulation interface using test signals; testing, analysis and design refinement feed back into ATG. The steps shown in the figure are:
- Establish a protocol model (e.g. FSM)
- Obtain test sequences to stress certain aspects of the model (e.g. robustness to message loss, or crashes)
- Develop detailed protocol simulation
- Study the behavior under the stress test-suites
- Implement the protocol
- Debug and study behavior using the simulator output test signals
- Evaluate the test quality (e.g. using code coverage)]
Figure: The STRESS framework
In contrast, fault-oriented tests are generated for specified faults. Fault-oriented test generation starts from the fault (e.g. a lost message) and synthesizes the necessary topology and sequence of events that trigger the error. This algorithm uses a mix of forward and backward searches. We present our fault-oriented algorithm in Chapter .
In Chapter we further extend the fault-oriented algorithm to address end-to-end performance evaluations by synthesizing worst and best case performance scenarios.
We will present these algorithms in more detail in later chapters of this document, along with several case studies. The case studies are applied to PIM-DM to illustrate differences between the approaches and provide a basis for comparison. In addition, we apply the heuristic approach to PIM-SM to illustrate how test generation can be applied to different flavors of multicast routing. For end-to-end performance evaluation we apply our method to the timer suppression mechanism in Chapter .
Detailed Simulation
Usually automatic test generation is performed on a protocol model that abstracts out some characteristics of the protocol. An error that may be experienced in the abstract model may not be experienced in a more detailed model of the protocol, such as a detailed simulation, and vice versa. For this reason the test sequences generated from the abstract model are further validated by driving a simulator and analyzing the output. Also, the first algorithm, based on heuristics, uses the simulator as an integrated part to generate the tests. In a later stage these tests are applied to the implementation code.
We have implemented detailed simulators for PIM-DM and PIM-SM in the network simulator NS and used them for parts of our case studies. Chapter describes how the simulation environment is integrated with the test generation. The simulations of SRM in NS can also be conducted using the scenarios generated for the timer suppression mechanism.
Implementation Interface
An emulation interface to the simulator may be used in order to observe how the actual implementation of the protocol behaves under the generated tests.
This will enable us to (a) conduct conformance tests by applying conformance test suites through the emulator, and (b) perform thorough analysis of the correctness and performance of the protocol implementation under test.
In the remainder of this section we describe the system model and definitions.
System Model and Definition
The system model
We define our target system in terms of network and topology elements and a fault model.
Elements of the network: Elements of the network consist of multicast capable nodes and bidirectional symmetric links. Nodes run the same multicast routing, but not necessarily the same unicast routing. The topology is an N-router LAN modeled at the network level; we do not model the MAC layer.
For end-to-end performance evaluation, the multicast distribution tree is abstracted out as delays between end systems and patterns of loss for the multicast messages. Cascades of LANs or uniform topologies are addressed in future research.
The fault model: We distinguish between the terms error and fault. An error is a failure of the protocol as defined in the protocol design requirements and specification. For example, duplication in packet delivery is an error for multicast routing. A fault is a low-level (e.g. physical layer) anomalous behavior that may affect the behavior of the protocol under test. Note that a fault may not necessarily be an error for the low-level protocol.
The fault model may include:
- Loss of packets, such as packet loss on a link due to any queue congestion (overflow), link failures, or packet corruption in the interconnect devices such as network interfaces, switches, hubs, etc. We assume that the packets are either delivered correctly or are dropped, i.e. packet corruption is discovered using checksums or other error detection codes. We take into consideration selective packet loss, where a multicast packet may be received by some members of the group but not others.
- Loss of state, such as multicast and/or unicast routing tables, due to failure of the routing protocol, crashes, or insufficient memory resources.
- The delay model: Delays in the network may be due to transmission, propagation, or queuing delays. We assume that the processing delays are negligible with respect to the time granularity our analyses are addressing. Sometimes delay fault problems may be translated into event sequencing problems, as we will show by example in Section . For end-to-end delays, the delays incurred by the network are those of the multicast distribution tree and depend upon the multicast routing protocol in addition to the above-mentioned network factors.
- Unicast routing anomalies, such as route inconsistencies, oscillations, or flapping.
Usually a fault model is defined in conjunction with the robustness criteria for the protocol under study. For our robustness studies we study PIM. The design robustness goal for PIM is to be able to recover gracefully (i.e. without going into erroneous stable states) from single protocol message loss. That is, being robust to a single message loss implies that transitions cause the protocol to move from one correct stable state to another even in the presence of selective message loss. In addition, we study PIM protocol behavior in the presence of crashes and route inconsistencies. For end-to-end studies we consider extended delays and selective packet loss among group members.
Test Sequence Definition
A fault model may include a single fault or multiple faults. For performance studies the model may include multiple faults, such as extended delays and packet loss patterns that lead to degradation of protocol performance (see Chapter ). In our robustness studies, however, we adopt a single-fault model, where only a single fault may occur during a scenario or a test sequence.
We define two sequences $T = e_1 e_2 \ldots e_n$ and $T' = e_1 e_2 \ldots e_j \, f \, e_k \ldots e_n$, where $e_i$ is an event and $f$ is a fault. Let $P(q, T)$ be the sequence of states and stimuli of protocol $P$ under test $T$ starting from the initial state $q$. $T'$ is a test sequence if $\mathit{final}(P(q, T'))$ is incorrect, i.e. the stable state reached after the occurrence of the fault does not satisfy the protocol correctness conditions (see Section ), irrespective of $P(q, T)$. In the case of a fault-free sequence, where $T' = T$, the error is attributed to a protocol design error, whereas when $T' \neq T$ and $\mathit{final}(P(q, T))$ is correct, the error is manifested by the fault. This definition ignores transient protocol behavior. We are only concerned with the stable (i.e. non-transient) behavior of a protocol.
Test Input Pattern
A test input pattern is defined by a list of host events Ev, a topology T, and a fault model F. We define a test input pattern as a tuple (Ev, T, F), as shown in figure .
[Figure: the three test pattern dimensions. Topology: LAN, regular topologies, random. Events: triggered, timed, interleaved. Faults: packet loss, crashes, routing anomalies.]
Figure: Test pattern dimensions
Events: $Ev = ev_1, ev_2, \ldots, ev_n$ is a list of host events. Each event $ev_j$ consists of (action, time), where action is the host or node event input, for example join, leave, send packet, etc. This facilitates the analysis of erroneous behavior.
Topology: $T = (N, L)$ is the routed topology of a set of nodes N and links L. $N = n_1, n_2, \ldots, n_k$ is the list of nodes, each running a set of protocols. $L = l_1, l_2, \ldots, l_m$ are the links connecting the nodes (two in the case of a point-to-point link, or more for LANs). A link has a delay and a bandwidth. This model is extended to represent various delays and bandwidths between pairs of nodes by using a virtual LAN matrix (see Chapter ).
Faults: F is the fault model used to inject the fault into the test. According to our single-message loss model, for example, a fault may denote the loss of the second message of type prune traversing link $l_i$. Knowing the location and the triggering action of the fault is important in analyzing the protocol behavior.
Test requirements
- reachability: the test should drive the protocol into erroneous states reachable from a given initial state.
- controllability (or controlled fault model): the test should not introduce additional faults except those specified by the fault model. For example, no extra loss should occur due to queue overflows. This may be realized in a simulator by using virtually infinite queue lengths.
- observability (or error propagation): unless otherwise specified by the protocol, a data packet that is lost (duplicated) in a LAN topology is not reproduced (absorbed) by the network, and hence can be observed by the endpoints.
The reachability requirement is general, while controllability and observability mainly deal with the simulation environment (e.g. similar to that used in Chapter ). For the finite state machine models we assume full controllability and observability. (Footnote: This is a reasonable assumption, since our focus is on testing protocol design, not implementation.)
Brief description of PIM-DM
For our robustness studies we apply our automatic test generation algorithms to a version of the Protocol Independent Multicast-Dense Mode, or PIM-DM. The description given here is useful for Chapters through . (Footnote: The heuristic test generation was also applied to PIM-Sparse Mode; see appendix A. We use the term PIM to indicate both PIM-DM and PIM-SM.)
PIM-DM uses broadcast-and-prune to establish the multicast distribution trees. In this mode of operation a multicast packet is broadcast to all leaf subnetworks. Subnetworks with no local members send prune messages towards the sources of the packets to stop further broadcasts.
Routers with new members joining the group trigger Graft messages towards previously pruned sources to re-establish the branches of the delivery tree. Graft messages are acknowledged explicitly at each hop using the Graft-Ack message.
PIM-DM uses the underlying unicast routing tables to get the next-hop information needed for the RPF (reverse-path-forwarding) checks. This may lead to situations where there are multiple forwarders for a LAN. The Assert mechanism prevents these situations and ensures there is at most one forwarder for a LAN.
The correct function of a multicast routing protocol, in general, is to deliver data from senders to group members (only those that have joined the group) without any data loss. For our methods we only assume that a correctness definition is given by the protocol designer or specification. For illustration we discuss the protocol errors and the correctness conditions.
PIM Protocol Errors

In this study we target protocol design and specification errors. We are interested mainly in erroneous stable (i.e., non-transient) states. The protocol errors are defined in terms of the end-to-end behavior and may be used to capture the error in a simulation environment where the endpoint traces may be obtained (for example, see Chapter ). A protocol error may manifest itself in one of the following ways:

- black holes: consecutive packet loss between periods of packet delivery;
- packet looping: the same packet traverses the same set of links multiple times;
- packet duplication: multiple copies of the same packet are received by the same receivers;
- join latency: lack of packet delivery after a receiver joins the group;
- leave latency: unnecessary packet delivery after a receiver leaves the group;
- wasted bandwidth: unnecessary packet delivery to network links that do not lead to group members.

(Footnote: Join and leave latencies may be considered in other contexts as performance issues. However, in our study we treat them as errors.)

Correctness Conditions
We assume that correctness conditions are provided by the protocol designer or the protocol specification. These conditions are necessary to avoid the above protocol errors in a LAN environment, and include:

- If one or more of the routers is expecting to receive packets from the link (i.e., having the link as their next hop), then one other router must be a forwarder for the link. Violation of this condition may lead to data packet loss (e.g., join latency or black holes).
- The link must have at most one forwarder at a time. Violation of this condition may lead to data packet duplication.
- The delivery tree must be loop-free:
  (a) Any router should accept packets for (S,G) from one incoming interface only. This condition is enforced by the RPF (Reverse Path Forwarding) check.
  (b) The underlying unicast topology should be loop-free.
  Violation of this condition may lead to data packet looping.
- If one of the routers is a forwarder for the link, then there must be at least one router expecting packets from the link (i.e., having the link as their next hop). Violation of this condition may lead to leave latency.

These are the correctness conditions for stable states (i.e., not during transients) and are defined in terms of protocol states, as opposed to endpoint behavior. They are used in the fault-independent and fault-oriented test generation, where the protocol model does not capture endpoint traces. We also use these conditions for topological equivalence in the heuristic test generation.

The mapping from functional correctness requirements for multicast routing in general (e.g., single delivery of packets to group members) to the definition in terms of the protocol model (e.g., if there is a member then there exists exactly one forwarder) is currently done by the designer. The automation of this process is part of future research.

(Footnote: Some esoteric scenarios of route flapping may lead to multicast loops in spite of RPF checks. Currently our study does not address this issue, as it does not pertain to a localized behavior.)
Chapter: Heuristic Test Generation

In this chapter we present one test generation algorithm based on a heuristic, topology equivalence relations, and simulation.

After giving an overview of the approach, we illustrate how it can be applied to multicast routing protocols by conducting two case studies on the Protocol Independent Multicast (PIM).

Method Overview

The main purpose of this approach is to identify a set of scenarios that may experience a protocol error in the presence of single message loss. These scenarios are chosen from a set of representative scenarios and topologies obtained through equivalence relations and heuristics. The scenarios are then simulated and the output is analyzed to identify errors.

The simulation method consists of three stages: scenario generation (preprocessing), tracing (simulation), and output analysis (postprocessing). The figure below illustrates these stages. The building blocks in the figure are explained in detail throughout the rest of this section.

Note that the engineering design process is usually iterative, where an investigator may cycle and feed back into previous stages based on his or her intuition and insight, sometimes gained by the analysis of earlier simulations. Our methodology does not contradict such a process. In fact, we will show in Appendix A how we iterated through the stages to guide our simulations. The following section, however, only discusses the modules supporting the different stages.
Scenario Generation

Scenarios are composed of routed topologies and sequences of events (input stimuli and state transitions), and describe the simulation context that may cause protocol transitions. Scenario parameters include the routed topology, host scenarios, and loss scenarios.

Routed topology

The routed topology is the network infrastructure upon which the protocol operates: nodes, links, and low-level protocols (e.g., unicast routing).
We try to identify simple topologies that facilitate the evaluation of the main mechanisms of the protocol, and to which other, more complex topologies may be reduced. We choose a LAN with four connected routers as the basic topology. We show how other topologies are reducible to the four-router LAN topology, and discuss the limitations of such a topology, in section . We further extend the topology to capture particular characteristics of the protocol under study (PIM).

[Figure: block diagram of the simulation method. Scenario Generation (Host Scenarios, Routed Topology, Loss & Failures) feeds Simulation & Tracing (Simulation Set-up, Simulation Engine, End Point Tracing, Protocol Tracing, Link Tracing, Code Annotation), which feeds Output Analysis (Identifying End Point Errors, Relating Errors to Protocol, Code Profiling).]

Figure: The block diagram of the simulation method.
As a component of the routed topology, unicast route inconsistencies may be a common source of error. Unicast routing may exist in one of the following three states: (a) consistent routing, (b) transient inconsistent routing, and (c) long-lived inconsistency. Case (a) requires no changes. The study of case (b) is convergence analysis, which we do not address here. We are particularly interested in case (c). We add an inconsistent unicast routing component to force the multicast routing protocol into states encountered in such pathology, and analyze those states.

(Footnote: Two topologies are said to be reducible or equivalent if they drive the protocol, according to the host scenarios applied, into the same states, experiencing the same set of state transitions.)

(Footnote: This may be caused by a multicast region spanning more than one unicast routing AS.)
Host scenarios

Host scenarios are combinations of possible host actions. In our case study these are defined by the multicast service model. Host actions include joining or leaving groups, or sending packets to groups. For large numbers of hosts and groups it is prohibitively costly to explore all possible combinations exhaustively. We choose a simple multicast host scenario that has a single source S and two receivers R1 and R2 for the same group.

(Footnote: The heuristics used in this study do not guarantee that all faulty scenarios for a protocol will be covered. Our more practical and achievable objective is to study multicast protocol behavior for scenarios that include the primary host events, in this case joining a group, leaving a group, and sending to a group. For these scenarios we generate all possible message loss cases and extract the faulty scenarios automatically.)

We estimate all the possible combinations of our host model and try to reduce the number to those simple scenarios that support the main protocol functions. We call such scenarios representative scenarios. To obtain the representative scenarios we apply the scenario filter shown in the figure below.

[Figure: the scenario filter. Host Events pass through Protocol Constraints, Practical Input, and Symmetry & Equivalence to yield Rep. Scenarios.]

Figure: The scenario filter.
The use of the filter shown in the figure is illustrated by the following example. For one source and two receivers, the five possible host events are: source S sending to a group (or S for short); receiver joining a group (or J1 and J2 for receivers R1 and R2, respectively); and receiver leaving a group (or L1 and L2 for receivers R1 and R2, respectively).

Considering that each host event occurs once, every permutation of the five events is a possible scenario. Then, as shown by the figure, we apply protocol constraints (e.g., a receiver does not leave before it joins the group) to reduce the number of possible combinations. Further, as a practical input, we assume without loss of generality that the source sends packets throughout the simulation, to reduce the number of possible scenarios to six. These six scenarios are:

J1J2L1L2, J1J2L2L1, J1L1J2L2,
J2J1L2L1, J2J1L1L2, J2L2J1L1.

The number of representative scenarios can be further reduced if the host distribution is symmetric with respect to the topology, since the following scenarios will be equivalent: (i) J1J2L1L2 equivalent to J2J1L2L1, (ii) J1J2L2L1 equivalent to J2J1L1L2, and (iii) J1L1J2L2 equivalent to J2L2J1L1; i.e., we need only investigate three different host scenarios for the given topology.

Loss and Failures
These are defined by the fault model: the single message loss. This model includes selective loss, where a message sent on a LAN may be lost by any of the intended receivers. The input to the loss/failures substage shown in the figure is obtained from initial traces of simulations without protocol message loss. These traces guide further simulations to cover all possible protocol message loss scenarios.
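The scenario filter described above, carried through in code as an added example (my own, not the dissertation's tooling): it enumerates every permutation of the five host events, applies the protocol constraint (a receiver does not leave before it joins), the practical input (the source sends throughout, so S comes first) and the R1/R2 symmetry, and returns the count after each stage together with the representative scenarios. The event names S, J1, J2, L1, L2 follow the text; the symmetry step assumes the two receivers are interchangeable, which is the symmetric-topology case the text describes.

```python
from itertools import permutations

# Host events for one source S and two receivers R1, R2 (names as in the text).
EVENTS = ("S", "J1", "J2", "L1", "L2")

# Symmetry assumption (constructed): swapping R1 and R2 leaves the topology unchanged.
SWAP = {"S": "S", "J1": "J2", "J2": "J1", "L1": "L2", "L2": "L1"}


def protocol_constraint(seq):
    """A receiver does not leave before it joins the group."""
    return seq.index("J1") < seq.index("L1") and seq.index("J2") < seq.index("L2")


def practical_input(seq):
    """The source sends packets throughout the simulation: S is the first event."""
    return seq[0] == "S"


def canonical(seq):
    """Pick one representative of the pair {seq, seq with R1<->R2 swapped}."""
    swapped = tuple(SWAP[e] for e in seq)
    return min(seq, swapped)


def scenario_filter(symmetric_topology=True):
    """Run the filter stages and return the count after each stage plus the
    representative scenarios (written without the leading S, as in the text)."""
    stage_events = list(permutations(EVENTS))
    stage_constraints = [s for s in stage_events if protocol_constraint(s)]
    stage_practical = [s for s in stage_constraints if practical_input(s)]
    if symmetric_topology:
        reps = sorted({canonical(s) for s in stage_practical})
    else:
        reps = sorted(stage_practical)
    return {
        "permutations": len(stage_events),
        "after_constraints": len(stage_constraints),
        "after_practical_input": len(stage_practical),
        "representative": ["".join(s[1:]) for s in reps],
    }


if __name__ == "__main__":
    for stage, value in scenario_filter().items():
        print(stage, value)
```

Each stage is a plain predicate over an event sequence, so a new protocol constraint or a different practical input is one more filter function; the symmetry step is the only one that needs knowledge of the topology.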
Simulation and Tracing

During this stage the protocol mechanisms are simulated and traces are collected.

Simulation. One desirable approach for simulating complex protocols is to include detailed mechanisms of parts of the protocol while abstracting out others; we call this approach subsetting. To maintain protocol correctness, however, an abstracted part must be replaced by its equivalent that exhibits similar external behavior under the study assumptions. Subsetting allows us to focus on specific parts of the protocol state space, and can be based on protocol functions, states, or messages. Subsetting protocol functions or mechanisms refers to the abstraction of these functions. This may be achieved by replacing a complex mechanism by a simpler one exhibiting similar external behavior under relaxed assumptions. For example, we may use static configuration instead of simulating a detailed bootstrap algorithm. This way we may study other protocol mechanisms assuming correctness of the bootstrap mechanism. Using protocol-state subsetting, a study may focus on specific protocol states. This allows, for example, the study of multicast group state without dealing with source-specific state. Subsetting protocol messages allows the examination of specific protocol message types in the absence of others.
Tracing. Tracing is the process of logging information about events or packets during the simulation run. Logged information is analyzed during the postprocessing (i.e., the output analysis) stage. In addition, some traces are used as feedback to the scenario generator to guide further simulations. We consider several kinds of tracing:

- Endpoint tracing: Tracing endpoints includes logging information pertaining to hosts sending or receiving packets, and joining or leaving multicast groups. A detailed description of the traces is given in the case study sections. To identify errors and pathologies in the protocol itself, we focus on the effect of the multicast routing protocol transitions on the endpoint packet delivery, as explained in section .
- Protocol transition tracing: A protocol can be represented by a finite state machine (automaton) consisting of states, transitions, and stimuli (inputs, outputs, and timer actions). Based on knowledge of initial protocol states, we obtain the sequence of protocol transitions by tracing all stimuli. We use protocol traces to diagnose and verify protocol behavior and to analyze errors.
- Link tracing: We keep track of packets traversing links, as well as events of packet loss on links. Link tracing is mainly used for fault injection: links carrying message types of interest are targeted for intentional message loss in further simulations. We achieve this through feedback to the scenario generation stage, as shown in the figure. This reduces the number of loss scenarios examined to those directly affecting the protocol behavior under investigation. We also use link tracing in output analysis and visualization.
- Code annotation: When placed at key points, such as the beginning of protocol procedures or code modifying the state of the protocol, code annotations capture the internal execution of the protocol machinery. We use code annotation to estimate what part of the code, and subsequently the protocol, has been executed and stressed (code coverage).
Output Analysis

One major concern of our approach is to identify pathological cases and indicate when and if an error occurred, and why. This is achieved in the output analysis stage, which consists of:

- Identifying endpoint errors: Error conditions may be specified with respect to endpoint traces, as mentioned in section . If the factors during one simulation run are relatively static (i.e., static unicast routing, static topology, and controlled loss), the endpoint error may be attributed to an error in the multicast routing protocol. Once the specified error is identified by the output analyzer, the trace log is rolled back in time to investigate the protocol traces, as explained next.
- Relating errors to protocol: After detecting an endpoint error, the output analyzer isolates possible causes of such errors in the form of protocol traces. The output analyzer in this case is similar to a logic analyzer, allowing the designer to navigate backward in time and investigate the causes of the error. As will be shown in the case studies, the process of identifying a protocol error may suggest fixes to the problem.
- Code profiling: The profiler captures information about the annotated code, such as which procedures were or were not invoked, and the order and frequency of invocation. This information indicates the portion of the protocol stressed by the examined scenarios.
Case Study

To evaluate the utility of the heuristic approach we applied it to a complex multicast routing protocol, PIM. Both PIM-SM and PIM-DM are considered in the case study. However, we present the PIM-DM study briefly in this section and present the details of the PIM-SM study in Appendix A. Being robust to at least a single message loss, even in the presence of unicast inconsistencies, was a design goal for PIM, as was described in section . The PIM-DM protocol was described in section .

(Footnote: In our experience the cause of endpoint errors was often protocol misbehavior in the recent trace history of the error.)
[Figure: the equivalent topologies. Topology I: a 3-router LAN with routers A, B (downstream) and C (upstream). Topology II: a 4-router LAN with a downstream addition, routers A, B, D (downstream) and C (upstream). Topology III: a 4-router LAN with an upstream addition, routers A, B (downstream) and C, D (upstream).]

Figure: The equivalent topologies.
We point out two PIM mechanisms relevant to this study: Assert and prune-override. The PIM Assert mechanism is the process by which at most one forwarder for a LAN is selected, to avoid duplicates in case of multiple potential forwarders due to parallel paths to the source. The prune-override enables a downstream router (i.e., one with downstream members) to retain its established branch of the tree in case another router on the same LAN tries to prune that branch.

The rest of this section is outlined as follows. Section establishes the equivalence relationship for the topology used for the case study. Section describes the simulation test suites, and section presents an example of applying the method.

Topology Equivalence
Two topologies are equivalent if they drive the protocol transitions into the same states under the same set of event sequences. A topology is reducible to another topology with fewer connections and routers if the two topologies are equivalent.

We show in this section that, for single message loss scenarios, the four-router LAN topology adopted in this study experiences the same protocol errors that an N-router LAN topology experiences for larger N, and hence they are equivalent for PIM joins, prunes, and asserts. For brevity we only prove equivalence in the case of prune messages, and hint at the proof approach in the other cases. We also identify assumptions and limitations under which this equivalence relationship holds.

(Footnote: To achieve this, a downstream router receiving a prune on its incoming interface triggers a join upstream.)
Prunes. First we consider N-router LAN topologies where N is three and four, respectively.

(Footnote: It is trivial to prove that these topologies are not equivalent for hop-by-hop messages.)

Assumption: An N-router LAN topology, for larger N, is reducible to the three-router LAN topology for prunes w.r.t. single message loss scenarios.

To justify our assumption, we first prove that a four-router LAN topology is reducible to a three-router LAN topology.

Correctness condition. As described in section , the conditions necessary to avoid packet duplication and black holes may be stated as: If a router on the LAN has the LAN as its incoming interface, there must be one other router with the LAN in its outgoing list. Once this condition is satisfied, violating it is considered a protocol error.
Next we examine the three-router LAN topology. In the figure, topology I, assume that A and B are downstream routers and C is an upstream router.

In the figure, topology I, router C has the LAN in its outgoing list, router A has the LAN as its incoming interface, and router B is leaving the group and so sends a prune towards C. The prune is multicast on the LAN.

The only case where the correctness condition may be violated is when C receives the prune while A does not. In the other cases, either the prune is not received by C, or it is received by A, which triggers a prune-override to re-establish the LAN in C's outgoing list. This is illustrated by the following selective loss pattern table for the prune message sent by B:

    A   C
    ✓   ✓
    ✓   ✗
    ✗   ✓   error
    ✗   ✗

where a ✓ indicates no loss and ✗ indicates loss. The error occurs where the upstream router (C) received the prune but the router with downstream members (A) did not receive it.

(Footnote: For brevity we only consider the black hole and packet duplication correctness conditions.)

(Footnote: This is to differentiate between join latency, which is not considered a protocol error, and a black hole, which is a protocol error.)
In the figure, topology II, we add another downstream router D. The selective loss pattern table follows:

    A   D   C
    ✓   ✓   ✓
    ✓   ✓   ✗
    ✓   ✗   ✓
    ✓   ✗   ✗
    ✗   ✓   ✓
    ✗   ✓   ✗
    ✗   ✗   ✓   error
    ✗   ✗   ✗

The only error occurs when the upstream router C receives the prune but neither of the downstream routers receives it. If the prune is received by any of the downstream routers, a prune-override would re-establish the LAN in C's outgoing list.

From the symmetry of the loss patterns and topology, we see that all errors are triggered by the same transitions experienced by router A in topology I. Hence the extended topology II does not introduce any new errors, and exhibits the same external behavior as does topology I. We conclude that topology I and topology II are equivalent for prunes.

We now show that the N-router LAN topology is reducible to the (N-1)-router case for larger N. With the addition of an upstream router (figure, topology III), no added error cases are encountered. The addition of a downstream router, however, may introduce new error scenarios. Similar to the four-router LAN case, we establish the following assertion: the only error case occurs when all downstream routers lose the prune and the upstream router receives it. If the prune was received by any of the downstream routers, the correctness condition would be retained using prune-overrides.

The assertion holds in both topologies. Hence we conclude that the N-router topology experiences the same errors as the (N-1)-router topology.

(Footnote: Prune-overrides are actually join messages. The effect of join message loss is described in section .)
[Figure: the topology used for the case study. Topology 1: RP, source S1, receiver R1, and S2 with receiver R2, attached to routers A, B, C, D. Topology 2: RP, S1, R1, R2 with routers A, B, C, D. Overall topology: RP, S1, S2 with R2, R1, routers A, B, C, D, with a unicast route to the RP.]

Figure: The topology used for the case study.
From the above we see that by simulating the three-router LAN topology we capture all the errors, with respect to selective loss for the prune mechanism, that may be experienced by any N-router LAN topology for larger N.
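The selective loss pattern tables above, generalized to any number of downstream routers with members, as an added example (my own code, not from the dissertation): for one prune multicast by a leaving router on a LAN with the upstream forwarder C and the given downstream routers, it enumerates every loss pattern, applies the text's rule (C stops forwarding only if it received the prune and no downstream router received it to trigger a prune-override), evaluates the black-hole correctness condition, and compares the per-router transition sets behind the error patterns of two topologies, which is the equivalence argument of the text. Router names and the ✓/✗ rendering follow the tables above; encoding a router's transition as "received" or "lost" is my assumption.

```python
from itertools import product

# Constructed model of the text's loss-pattern tables: one prune is multicast on the
# LAN by a leaving router; each other router either receives it (True) or loses it (False).
UPSTREAM = "C"


def loss_patterns(downstream):
    """All selective loss patterns for the prune over the given downstream routers
    (all of which have members) and the upstream forwarder C.
    Returns a list of (received, error) where received maps router -> bool."""
    routers = list(downstream) + [UPSTREAM]
    rows = []
    for bits in product((True, False), repeat=len(routers)):
        received = dict(zip(routers, bits))
        # A downstream router with members that gets the prune answers with a
        # prune-override (join), which keeps the LAN in C's outgoing list.
        override = any(received[d] for d in downstream)
        # C removes the LAN from its outgoing list only if it got the prune and no
        # override followed; the downstream routers still have the LAN as their
        # incoming interface, so the correctness condition is violated (black hole).
        error = received[UPSTREAM] and not override
        rows.append((received, error))
    return rows


def error_patterns(downstream):
    return [received for received, error in loss_patterns(downstream) if error]


def transitions(received, downstream):
    """The per-router transition set induced by a pattern: the upstream router and
    each downstream router with members either processed or missed the prune."""
    t = {("upstream", "received" if received[UPSTREAM] else "lost")}
    for d in downstream:
        t.add(("downstream_with_members", "received" if received[d] else "lost"))
    return frozenset(t)


def equivalent_for_prunes(topology_a, topology_b):
    """Two topologies are equivalent if their error patterns induce the same
    transition sets, i.e. the larger topology introduces no new error."""
    ta = {transitions(r, topology_a) for r in error_patterns(topology_a)}
    tb = {transitions(r, topology_b) for r in error_patterns(topology_b)}
    return ta == tb


def render_table(downstream):
    """Render the pattern table in the style of the text (✓ no loss, ✗ loss)."""
    routers = list(downstream) + [UPSTREAM]
    lines = ["  ".join(routers)]
    for received, error in loss_patterns(downstream):
        marks = "  ".join("✓" if received[r] else "✗" for r in routers)
        lines.append(marks + ("   error" if error else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(["A"]))        # topology I
    print(render_table(["A", "D"]))   # topology II
    print(equivalent_for_prunes(["A"], ["A", "D"]))
```

The number of patterns doubles with every added downstream router, but the number of error patterns stays at one (all downstream routers lose, C receives), and that pattern induces the same transition set as topology I's single error row, which is exactly why the larger LAN adds nothing to the test.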
Joins and prune-overrides. For prune-overrides, the only router affected by the message is the destined upstream router; hence the equivalence is readily established. The loss of a PIM-SM join may lead to join latency but does not cause black holes. Joins leading to packet duplication lead to asserts, which are discussed next.
Asserts. In most cases, proofs similar to the prune case can be applied to Asserts. However, since asserts may be triggered due to parallel paths, the base case is established for the four-router LAN topology. In the figure, topology III represents the four-router LAN topology, where A and B are downstream routers and C and D are upstream routers. Aside from the exception noted in the footnote, the N-router LAN topology, for larger N, is equivalent to a four-router LAN topology w.r.t. asserts.

(Footnote: For PIM-SM, a limitation of the four-router LAN topology is given for the esoteric case of three upstream routers and three downstream routers with inconsistent unicast routing tables. This case creates one extra transition that can only be captured by at least a six-router LAN topology. We do not consider this a practically significant scenario, and we consider its analysis a special case not captured by the four-router LAN topology.)
For our case study we use a four-router LAN topology with an added source S. The overall physical topology consists of five routers, four of which are connected via a LAN, as shown in the figure.

Test suites
In this section we elaborate on the routed topology, host scenarios, and loss pattern generation used for our case study. We also describe the simplifications and subsettings applied.

Physical and routed topologies. The overall topology used is that shown in the figure. For the unicast routing protocol we use a centralized version of Dijkstra's Shortest Path First (SPF) algorithm [Dij].

PIM uses the underlying unicast routing tables for building multicast trees. Therefore, unicast routing inconsistencies affect the operation of PIM. To investigate such interaction, we add a component to force inconsistent multicast routes between PIM routers, as shown in the figure.

Host scenarios. Since protocol states for different groups do not interact, we consider only one group. Also, since protocol states for different sources do not interact, it suffices to consider only one source S per simulation run.
The source is modeled as a constant-bit-rate (CBR) stream with fixed packet size. The source model does not affect the correctness of the method. However, to assure full controllability over the selective loss model, we set the data rate to ensure that no loss occurs due to queue overflow.

While we consider only a single source, we consider two receivers, R1 and R2, for the same group, to account for shared tree state interactions. We use the representative host scenarios described in section .

Loss patterns. We investigate all possible selective loss scenarios for multicast hop-by-hop PIM messages in the equivalent topology. Loss models are applied exhaustively to those links that carry protocol messages under investigation. The tracing stage identifies these links during the first simulation run without packet loss, and feeds back the link information to the loss generation module, as shown in the figure. As we will show in section A , the number of representative scenarios is quite small, and hence the number of overall lossy scenarios explored is manageable.

(Footnote: We do not consider aggregated source or group entries in this study.)

(Footnote: For this we use a packet size of bytes and a send interval of ms (i.e., a source rate of kb/s); this ensures no queue drops on the Mb/s links used, with the packet queue limit of .)
Tracing. Trace information includes the event type (send or receive), the node experiencing the event, the type of message sent or received, and the time at which the event occurred. Every data packet is assigned a unique sequence number.

Applying the Method
This section provides an illustrative example showing how the heuristic approach may be used to identify and analyze errors encountered during the simulation of the representative scenarios.

We have implemented an initial version of the method in the Network Simulator (NS) [MF]. NS is an event-driven, packet-level simulator controlled and configured via Tcl [Ous] and Object Tcl, or OTcl [WL]. To support our method we have added modules to provide LAN support, controlled selective loss, protocol tracing, profiling capabilities, and a detailed implementation of PIM-DM and PIM-SM. This implementation serves as the simulation environment for our case study. In addition, the building blocks were designed to be reused within the same framework to apply this method to other multicast protocols.

To verify that our implementation conforms to the protocol specification, we ran several conformance test suites using the simulator.

Obtaining faulty scenarios

To obtain the faulty scenarios (i.e., those that contain errors), we execute the method stages in order (i.e., scenario generation, simulation and tracing, and output analysis, respectively), and then reverse the order, from the output to the traces, to identify the faulty scenarios. These phases are automated by the tools provided, and are transparent to the user once the scenario setup is complete.

The process of attributing endpoint errors to protocol actions may be automated only if the error conditions are given in terms of such protocol actions. In practice, these protocol error conditions are often not known a priori by the designer, and are usually defined in terms of endpoint errors such as packet loss or duplication. The supporting

(Footnote: For information about the simulator see http://catarina.usc.edu/vint.)
[Figure: the prune-override loss scenario for PIM-DM. Receivers R2 and R1 are attached to downstream routers A and B on a LAN whose upstream router C leads to source S1. The numbered steps:
1) R1 joins the group. B sends graft towards S1.
2) R2 joins the group. A sends graft towards S1.
3) R1 leaves the group. B multicasts prunes onto the LAN.
4) A gets the prune and sends a join to override. The join is lost.
5) C gets the prune and sends it towards S1.]

Figure: The prune-override loss scenario for PIM-DM.
tools identify endpoint errors and provide a history of protocol traces. The designer then examines the traces and identifies the protocol errors. This process may suggest fixes to the problem, as we will show in section A .
Example for PIM-DM

In this section we briefly describe one example in which the heuristic approach was used in conjunction with simulation to reveal design errors in PIM-DM. Other examples and results that were obtained using this approach are provided in Appendix A. The scenario presented here was identified after the simulation and analysis of the representative scenarios with the selective loss model.

We used the representative scenario J1J2L1L2 over the topology in the figure. In this scenario, the fault was represented by the loss of the join (i.e., prune-override) message sent by router A, as shown in the figure.

The error in this scenario was observed as a gap in the sequence numbers of the packets received by receiver R2, indicating a black hole. The start of this gap was synchronized with the event L1 (i.e., the leave of receiver R1), when the router B triggered a prune onto the LAN. The failure of router A to override this prune caused the black hole. This failure was caused by the loss of a single join message, and hence the robustness requirement for PIM-DM was not satisfied.

To fix this problem, a second chance should be given to the downstream router (in this case A) to override the prune. This may be achieved, for example, by having the leaving router (B in this case) send two prunes when leaving, or by having the upstream router C send a prune alert (in the form of a prune on the LAN) before removing the LAN from its routing entries.

Although the heuristic approach may capture some design errors, it lacks formality and does not produce the test suites automatically. We attempt to address these issues in the other two approaches: the fault-independent and fault-oriented test generation.
Chapter: Search-based Approaches

The problem of test synthesis can be viewed as a search problem. By searching the possible sequences of events and faults over network topologies, and checking for design requirements (either correctness or performance), we can construct the test scenarios that stress the protocol. However, due to the state space explosion, techniques must be used to reduce the complexity of the space to be searched. We attempt to use these techniques to achieve high test quality and protocol coverage. In this chapter we present two such techniques, apply them to PIM-DM as a case study, and analyze them quantitatively and qualitatively.

As mentioned earlier, our approaches that are based on search algorithms, namely the fault-independent test generation (FITG) and the fault-oriented test generation (FOTG), take as input a processable model of the protocol in the form of a global FSM (GFSM). Following, we will present the GFSM model for the case study protocol, PIM-DM, and use it as an illustrative example to analyze the complexity of the state space and the search problem, as well as to illustrate the algorithmic details and principles involved in FITG and FOTG.
The Protocol Model

We represent the protocol as a finite state machine (FSM) and the overall LAN system by a global FSM (GFSM).

I. FSM model. Every instance of the protocol running on a single router is modeled by a deterministic FSM consisting of (i) a set of states, (ii) a set of stimuli causing state transitions, and (iii) a state transition function (or table) describing the state transition rules. For a system $i$ this is represented by the machine $M_i$, a triple made up of $S_i$, the set of stimuli of router $i$, and the state transition function of router $i$, where $S_i$ is a finite set of state symbols and the transition function maps $S_i \times$ (stimuli of router $i$) $\to S_i$.

II. Global FSM model. The global state is defined as the composition of individual router states. The output messages from one router may become input messages to other routers. Such interaction is captured by the GFSM model in the global transition table. The behavior of a system with $n$ routers may be described by $M_G$, a triple made up of $S_G$, the set of global stimuli, and the global state transition function, where $S_G = S_1 \times S_2 \times \cdots \times S_n$ is the global state space, the set of global stimuli is the union over $i = 1, \ldots, n$ of the stimuli of router $i$, and the global state transition function maps $S_G \times$ (global stimuli) $\to S_G$.
The fault model is integrated into the GFSM model. For message loss, the transition caused by the message is either nullified or modified, depending on the selective loss pattern. Crashes may be treated as stimuli causing the routers affected by the crash to transit into a crashed state. (The crashed state may be one of the states already defined for the protocol, like the empty state, or may be a new state that was not defined previously for the protocol.) Network delays are modeled when needed through the delay matrix presented in an earlier chapter.

PIM-DM Model

Following is the model of a simplified version of PIM-DM.

FSM model $M_i = (S, \Sigma_i, \delta_i)$: For a given group and a given source, i.e., for a specific (source, group) pair, we define the states with respect to a specific LAN to which the router $R_i$ is attached. For example, a state may indicate that a router is a forwarder for, or a receiver expecting packets from, the LAN.
System States ($S$): Possible states in which a router may exist are:

State symbol    Meaning
F_i             Router i is a forwarder for the LAN
F_{i,Timer}     Forwarder with timer Timer running
NF_i            Upstream router i is a non-forwarder
NH_i            Router i has the LAN as its next hop
NH_{i,Timer}    Same as NH_i, with timer Timer running
NC_i            Router i has a negative cache entry
EU_i            Upstream router i is empty
ED_i            Downstream router i is empty
M_i             Downstream router with attached member(s)
NM_i            Downstream router with no members
The possible states for upstream and downstream routers are as follows:

$S_i = \{F_i, F_{i,Timer}, NF_i, EU_i\}$ if the router is upstream, and $S_i = \{NH_i, NH_{i,Timer}, NC_i, M_i, NM_i, ED_i\}$ if the router is downstream.

Stimuli: The stimuli considered here include transmitting and receiving protocol messages, timer events, and external host events. Only stimuli leading to a change of state are considered. For example, transmitting messages per se (as opposed to receiving messages) does not cause any change of state, except for the Graft, in which case the Rtx timer is set. Following are the stimuli considered in our study:

Transmitting messages: Graft transmission (Graft_Tx).

Receiving messages: Graft reception (Graft_Rcv), Join reception (Join), Prune reception (Prune), Graft Acknowledgement reception (GAck), Assert reception (Assert), and forwarded packets reception (FPkt).

Timer events: these events occur due to timer expiration (Exp) and include the Graft retransmission timer (Rtx) and the event of its expiration (RtxExp), and the forwarder deletion timer (Del) and the event of its expiration (DelExp). We refer to the event of timer expiration as Timer Implication.

External host events (Ext): include a host sending packets (SPkt), a host joining a group (HJoin or HJ), and a host leaving a group (Leave or L).

$\Sigma_i = \{Join, Prune, Graft_{Tx}, Graft_{Rcv}, GAck, Assert, FPkt, Rtx, Del, SPkt, HJ, L\}$
Global FSM model

Subscripts are added to distinguish different routers. These subscripts are used to describe router semantics and how routers interact on a LAN. An example global state for a topology of four routers connected to a LAN, with router 1 as a forwarder, router 2 expecting packets from the LAN, and routers 3 and 4 having negative caches, is given by $\{F_1, NH_2, NC_3, NC_4\}$. For the global stimuli $\Sigma_G$, subscripts are added to stimuli to denote their originators and recipients (if any). The global transition rules $\delta_G$ are extended to encompass the router and stimuli subscripts.
Defining stable states

We are concerned with stable-state (i.e., non-transient) behavior, defined in this section. To obtain erroneous stable states we need to define the transition mechanisms between such states. We introduce the concept of transition classification and completion to distinguish between transient and stable states.

Classification of Transitions

We identify two types of transitions: externally triggered (ET) and internally triggered (IT) transitions. The former is stimulated by events external to the system (e.g., HJoin or Leave), whereas the latter is stimulated by events internal to the system (e.g., FPkt or Graft). We note that some transitions may be triggered by either internal or external events, depending on the scenario. For example, a Prune may be triggered by an upstream router forwarding packets (FPkt), which is an internal event, or by a Leave, which is an external event.

A global state is checked for correctness at the end of an externally triggered transition, after completing its dependent internally triggered transitions.

Following is a table of host events and their dependent ET and IT events:

Host event    ET events    IT events
SPkt          FPkt         Assert, Prune, Join
HJoin         Graft        GAck
Leave         Prune        Join

Semantics of the global stimuli and global transitions will be described as needed in a later chapter.
Transition Completion

To check for global system correctness, all stimulated internal transitions should be completed to bring the system into a stable state. Intermediate transient states should not be checked for correctness, since they may temporarily seem to violate the correctness conditions set forth for stable states and hence may give a false error indication.

The process of identifying complete transitions depends on the nature of the protocol. But in general we may identify a complete transition sequence as the sequence of all transitions triggered due to a single external stimulus (e.g., HJoin or Leave). Therefore, we should be able to identify a transition based upon its stimuli, either external or internal. At the end of each complete transition sequence the system exists in either a correct or an erroneous stable state. Event-triggered timers (e.g., Del, Rtx) fire at the end of a complete transition.
Problem Complexity

The problem of finding test scenarios leading the protocol into error (or erroneous) states can be viewed as a search problem in the state space of the protocol or the system. A conventional reachability analysis approach [LCLa] would attempt to investigate this space exhaustively and hence is likely to suffer the state space explosion problem. To circumvent this problem, we need to use search reduction techniques using domain-specific information, in this case knowledge of multicast routing.

In this section we first give the complexity of the state space if explored using an exhaustive search approach. Then we discuss the reduction techniques we employ, based on the notion of equivalence, and discuss the complexity of the state space as composed of erroneous states and correct states.

Complexity of exhaustive state space search

Exhaustive search attempts to generate and analyze all system states that are reachable from initial system states.

For a system of $n$ routers, where each router may exist in any state $s_i \in S$ and $|S| = s$, the number of reachable states in the system is bounded by $s^n$. To investigate all the transitions, with $l$ possible transitions, we obtain $l \cdot s^n$ state visits to complete the process. For our case study, $|S| = 10$ (the state symbols listed above). Note that faults such as message loss and crashes increase the branching factor $l$ and may even introduce new states, and hence affect $S$. In our case the message loss increases the branching factor by the possible selective loss scenarios leading to different global states, while crashes return any state to the empty state (i.e., in our case branching increases by a fixed factor).

State reduction through equivalence
As explained above, exhaustive search experiences exponential complexity. To circumvent this well-known state space explosion problem, we introduce the notion of equivalence. Intuitively, we take advantage of domain-specific information for multicast routing, where the order in which the states are considered does not matter; e.g., whether router $R_1$ or $R_2$ is the forwarder is insignificant so long as there is only one forwarder. Hence we can treat the global state as an unordered set of state symbols. We use a symbolic representation as a convenient form of representing the global state, to illustrate the notion of equivalence and to help in defining the error and correct states in a succinct manner.
Symbolic representation

An alternative representation of the system may be obtained through symbolic representation, where $r$ routers in state $q$ are represented by $q^r$. The global state for a system of $n$ routers is represented by $G = q_1^{r_1} q_2^{r_2} \dots q_m^{r_m}$, where $m = |S|$ and $\sum_{i=1}^{m} r_i = n$. For symbolic representation of topologies where $n$ is unknown, $r_i$ may be a repetition construct: $*$ denotes 0 or more and $+$ denotes 1 or more.

To satisfy the correctness conditions for PIM-DM, the correct stable global states are those containing no forwarders and no routers expecting packets, or those containing one forwarder and one or more routers expecting packets from the link. Symbolically, this may be given by $G = F^0\, NH^0\, NC^*$ and $G = F^1\, NH^+\, NC^*$. (For convenience we may represent these two states as $G = \{NC^*\}$ and $G = \{F, NH^+, NC^*\}$.) We use $X$ to denote any state $s_i \in S$. For example, $\{X - F\}^*$ denotes 0 or more states $s_i \in S - \{F\}$. This symbolic representation will be used later in this section to estimate the size of the reduced state space.

Counting equivalence

Two system states $(q_1, q_2, \dots, q_n)$ and $(p_1, p_2, \dots, p_n)$ are strictly equivalent iff $q_i = p_i$, where $q_i, p_i \in S$ and $1 \le i \le n$. However, all routers are assumed interchangeable and their behavior is given by a common deterministic FSM; hence all $n!$ permutations of $(q_1, q_2, \dots, q_n)$ are equivalent, because the order of the tuple is not important.

Following from the symbolic representation of $G$ above, we may represent a state for a system with $n$ routers as $\prod_{i=1}^{|S|} s_i^{k_i}$, where $k_i$ is the number of routers in state $s_i \in S$ and $\sum_{i=1}^{|S|} k_i = n$.

Counting Equivalence
Two system states $\prod_{i=1}^{|S|} s_i^{k_i}$ and $\prod_{i=1}^{|S|} s_i^{l_i}$ are equivalent if $k_i = l_i$ for all $i$. In other words, two system states are equivalent if the number of routers in a specific state in one system is equal to the number of routers in the same state in the other system, for all router states. The notion of equivalence by definition implies that by investigating the equivalent subspace we can test for protocol correctness. That is, if the equivalent subspace is verified to be correct then the protocol is correct, and if there is an error in the protocol then it must exist in the equivalent subspace.

The notion of counting equivalence also applies to transitions and faults. Those transitions or faults leading to equivalent states are considered equivalent.
Complexity of the state space with equivalence reduction

Considering counting equivalence, finding the number of equivalent states becomes a problem of combinatorics. The number of equivalent states becomes $C(n + s - 1, n) = \frac{(n + s - 1)!}{n!\,(s - 1)!}$, where $n$ is the number of routers, $s$ is the number of state symbols, and $C(x, y) = \frac{x!}{y!\,(x - y)!}$ is the number of $y$-combinations of an $x$-set [CLR].

Representation of error and correct states

Depending on the correctness definition, we may get different counts for the number of correct or error states. To get an idea about the size of the correct or error state space for our case study, we take two definitions of correctness and compute the number of correct states. As shown earlier, for the correct states of PIM-DM we either have no forwarders with no routers expecting packets from the LAN, or exactly one forwarder with routers expecting packets from the LAN. These conditions we have found to be reasonably sufficient to meet the functional correctness requirements. However, they may not be necessary; hence the search may generate false errors. Proving necessity is part of future work.
[Figure: plot of Percentage (0 to 100) against the number of routers n (1 to 91), with two curves, Error States and Correct States.]
Figure: The percentage of the correct and error states.
The correct space and the erroneous space must be disjoint, and they must be complete (i.e., add up to the complete space); otherwise the specification is incorrect. See Appendix B for details.

We present two correctness definitions that are used in our case.

The first definition considers the forwarder states as $F$ and the routers expecting packets from the LAN as $NH$. Hence the symbolic representation of the correct states becomes $\{X - NH - F\}^*$ or $NH^+\, F\, \{X - F\}^*$, and the number of correct states is given by an expression in two binomial coefficients $C(\cdot, \cdot)$ of $n$ and $s$ (derived in Appendix B).

The second definition considers the forwarder states as $\{F_i, F_{i,Del}\}$, or simply $F_X$, and the states expecting packets from the LAN as $\{NH_i, NH_{i,Rtx}\}$, or simply $NH_X$. Hence the symbolic representation of the correct states becomes $\{X - NH_X - F_X\}^*$ or $NH_X^+\, F_X\, \{X - F_X\}^*$, and the number of correct states is given by an expression in three such binomial coefficients. Refer to Appendix B for more details on deriving the number of correct states.

The figure above shows the percentage of each of the correct and error state spaces, and how this percentage changes with the number of routers. The figure is shown for the second error definition, but similar results were also obtained for the first definition.

In general we find that the size of the error state space, according to both definitions, constitutes the major portion of the whole state space. This means that search techniques explicitly exploring the error states are likely to be more complex than others. We take this into consideration when designing our method.
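The counting argument above can be checked directly by enumeration. The following Python block is an added example, not code from the dissertation: it lists one representative per counting-equivalence class with combinations_with_replacement, checks the $C(n+s-1, n)$ count against the $s^n$ bound, and partitions the classes into correct and error states under both correctness definitions. The ten state symbols are those of the PIM-DM state table above; treating the table's F_Timer and NH_Timer entries as the $F_{i,Del}$ and $NH_{i,Rtx}$ variants used by the second definition is an assumption made for this example.

```python
"""Counting-equivalence arithmetic for a LAN of n routers (added example)."""
from itertools import combinations_with_replacement
from math import factorial

# The ten router state symbols of the PIM-DM model table. F_Timer / NH_Timer are
# taken (assumption) to be the timed variants F_{i,Del} / NH_{i,Rtx} of definition 2.
STATE_SYMBOLS = ("F", "F_Timer", "NF", "NH", "NH_Timer", "NC", "EU", "ED", "M", "NM")


def ordered_state_count(n, s=len(STATE_SYMBOLS)):
    """Bound on ordered global states (n-tuples over s symbols): s^n."""
    return s ** n


def equivalent_state_count(n, s=len(STATE_SYMBOLS)):
    """Number of counting-equivalence classes = multisets of size n over s symbols:
    C(n+s-1, n) = (n+s-1)! / (n! (s-1)!)."""
    return factorial(n + s - 1) // (factorial(n) * factorial(s - 1))


def equivalence_classes(n, symbols=STATE_SYMBOLS):
    """One representative (a sorted tuple of symbols) per equivalence class."""
    return list(combinations_with_replacement(symbols, n))


def correct_def1(cls):
    """Definition 1: forwarders are exactly F, receivers are exactly NH.
    Correct iff (no F and no NH) or (exactly one F and at least one NH)."""
    f, nh = cls.count("F"), cls.count("NH")
    return (f == 0 and nh == 0) or (f == 1 and nh >= 1)


def correct_def2(cls):
    """Definition 2: F_X = {F, F_Timer}, NH_X = {NH, NH_Timer}."""
    f = sum(1 for x in cls if x in ("F", "F_Timer"))
    nh = sum(1 for x in cls if x in ("NH", "NH_Timer"))
    return (f == 0 and nh == 0) or (f == 1 and nh >= 1)


def partition(n, is_correct):
    """Return (correct, error) class counts for n routers under a definition."""
    classes = equivalence_classes(n)
    good = sum(1 for c in classes if is_correct(c))
    return good, len(classes) - good


def error_percentage(n, is_correct):
    """Share of the reduced state space that violates the correctness condition."""
    good, bad = partition(n, is_correct)
    return 100.0 * bad / (good + bad)


if __name__ == "__main__":
    for n in range(1, 8):
        print(n, ordered_state_count(n), equivalent_state_count(n),
              partition(n, correct_def1), round(error_percentage(n, correct_def2), 1))
```

Because every class is enumerated explicitly, the same function works for any other correctness predicate a designer wants to plug in, which is how the disjointness and completeness requirement above can be checked mechanically: a predicate and its negation partition the enumerated classes by construction.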
Chapter: Fault-independent Test Generation

Fault-independent test generation (FITG) uses the forward search technique to investigate parts of the state space. As in reachability analysis, forward search starts from initial states and applies the stimuli repeatedly to produce the reachable state space, or part thereof. Conventionally, an exhaustive search is conducted to explore the state space. In the exhaustive approach all reachable states are expanded until the reachable state space is exhausted. We use several manifestations of the notion of counting equivalence, introduced earlier, to reduce the complexity of the exhaustive algorithm and expand only equivalent subspaces. To examine robustness of the protocol, we incorporate selective loss scenarios into the search.
Exhaustive Search

The exhaustive search approach is described in this section. Such an approach starts from the initial states and expands the state space until it is exhausted. This can be implemented using a breadth-first or depth-first search. The procedure starts from the initial states and keeps a list of visited states to prevent looping. Each state is expanded by applying the stimuli and advancing the state machine forward by implementing the transition rules, returning a new stable state each time.

To generate all possible initial states, given a set of initial state symbols $IS$ and the number of routers $n$, depth-first or breadth-first search can be used again. For a given number of initial state symbols $|IS| = is$, the complexity of this procedure is given by $is^n$. For our case study the routers start as either non-member ($NM$) or empty upstream routers ($EU$); that is, $IS = \{NM, EU\}$ and $is = 2$. For details of the above procedures see Appendix C.
Reduction Using Equivalences

In the above exhaustive search algorithm no reduction techniques were used. We now use the counting equivalence notion to reduce the complexity of the search in three stages of the search.

The first reduction we use is to investigate only the equivalent initial states. To achieve this we simply treat the set of states constituting the global state as an unordered set instead of an ordered set. For example, the output of such a procedure for $IS = \{NM, EU\}$ and $n = 2$ would be $\{NM, NM\}$, $\{NM, EU\}$, $\{EU, EU\}$. One procedure that produces such an equivalent initial state space is given in Appendix C. The complexity of this algorithm is given by $C(n + is - 1, n)$, as was shown in the section on counting equivalence and verified through simulation.

The second reduction we use is during state comparison. Instead of comparing the actual states, we compare and store equivalent states. Hence, for example, the states $\{NF_1, NH_2\}$ and $\{NH_1, NF_2\}$ are equivalent.

A third reduction is made based on the observation that applying identical stimuli to different routers in identical states leads to equivalent global states. Hence we can eliminate some redundant transitions. For example, for the global state $\{NH_1, NH_2, F_3\}$, a Leave applied to $R_1$ or $R_2$ would produce the equivalent state $\{NH, NC, F\}$. To achieve this reduction we add a flag check before advancing the state machine forward. We call the algorithm after the third reduction the reduced algorithm.

In all the above algorithms a forward step advances the GFSM to the next stable state. This is done by applying all the internally dependent stimuli elicited by the applied external stimulus, in addition to any timer implications, if any exist. Only stable states are checked for correctness.
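To make the three reductions concrete, here is an added Python example (not the dissertation's simulator): a breadth-first forward search that runs either exhaustively over ordered tuples or in reduced mode, where it generates only unordered initial states, compares sorted (canonical) states, and applies each stimulus once per distinct router state symbol. The LAN protocol it drives is a deliberately small, constructed toy with the flavour of the PIM-DM model (states EU/F/NF for upstream routers and NM/M/NH/NC for downstream routers; external stimuli SPkt, HJ and L); its transition rules are assumptions written for this example, not the case-study transition table, so only the search machinery and the equivalence check should be read as representative.

```python
"""Forward search with counting-equivalence reductions (added example).

The rules inside `forward` are a constructed toy, NOT the dissertation's PIM-DM
transition table.  Upstream routers: EU, F, NF.  Downstream: NM, M, NH, NC.
"""
from collections import deque
from itertools import combinations_with_replacement, product

INITIAL_SYMBOLS = ("NM", "EU")   # IS: downstream routers start as NM, upstream as EU
STIMULI = ("SPkt", "HJ", "L")    # external stimuli; internal ones are implied in forward()


def is_correct(state):
    """Correctness definition 1: no F and no NH, or exactly one F and >= 1 NH."""
    f, nh = state.count("F"), state.count("NH")
    return (f == 0 and nh == 0) or (f == 1 and nh >= 1)


def forward(state, stimulus, router):
    """One forward step: apply an external stimulus at `router`, then the internal
    transitions it elicits (toy rules, assumptions for this example), and return
    the next stable global state as a tuple."""
    s = list(state)
    if stimulus == "SPkt":                      # a source sends a packet: EU routers forward
        s = ["F" if x == "EU" else x for x in s]
    elif stimulus == "HJ" and s[router] == "NM":
        s[router] = "M"                         # member attached, no traffic yet
    elif stimulus == "HJ" and s[router] == "NC":
        s[router] = "NH"                        # Graft revives one pruned upstream router
        if "F" not in s and "NF" in s:
            s[s.index("NF")] = "F"
    elif stimulus == "L" and s[router] == "M":
        s[router] = "NM"
    elif stimulus == "L" and s[router] == "NH":
        s[router] = "NC"                        # Prune sent on the LAN
    if s.count("F") > 1:                        # FPkt -> Assert elects a single forwarder
        winner = s.index("F")
        s = ["NF" if (x == "F" and i != winner) else x for i, x in enumerate(s)]
    if stimulus == "SPkt" and "F" in s:         # packets reach the downstream routers
        s = [{"M": "NH", "NM": "NC"}.get(x, x) for x in s]
    if "F" in s and "NH" not in s and "NC" in s:
        s[s.index("F")] = "NF"                  # Prune not overridden by any Join
    return tuple(s)


def initial_states(n, reduced=False):
    """Ordered initial states (is^n) or one per equivalence class (C(n+is-1, n))."""
    if reduced:
        return [tuple(c) for c in combinations_with_replacement(INITIAL_SYMBOLS, n)]
    return list(product(INITIAL_SYMBOLS, repeat=n))


def search(n, reduced=False):
    """Breadth-first forward search; returns (expanded stable states, error states).
    reduced=True enables all three reductions described in the text."""
    canon = (lambda st: tuple(sorted(st))) if reduced else (lambda st: tuple(st))
    seen, errors, queue = set(), set(), deque()
    for init in initial_states(n, reduced):
        if canon(init) not in seen:
            seen.add(canon(init))
            queue.append(canon(init))
    while queue:
        state = queue.popleft()
        if not is_correct(state):
            errors.add(state)
        for stim in STIMULI:
            tried = set()                       # third reduction: one router per state symbol
            for r, sym in enumerate(state):
                if reduced and sym in tried:
                    continue
                tried.add(sym)
                nxt = canon(forward(state, stim, r))
                if nxt not in seen:             # second reduction: compare canonical states
                    seen.add(nxt)
                    queue.append(nxt)
    return seen, errors


def canonical(states):
    """Map a set of ordered states onto their equivalence-class representatives."""
    return {tuple(sorted(st)) for st in states}


if __name__ == "__main__":
    for n in range(1, 6):
        seen_e, err_e = search(n)
        seen_r, err_r = search(n, reduced=True)
        print(n, len(seen_e), len(seen_r), len(err_e), len(err_r),
              canonical(seen_e) == seen_r and canonical(err_e) == err_r)
```

The last column printed is the property the text relies on: the canonical images of the exhaustively reached states and errors coincide with what the reduced search reaches, so the reduced run loses no error class while visiting far fewer states. For the toy rules the two-router run from {EU, EU} reaches {F, NF}, the same shape of error the case study reports for the two-router LAN.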
Applying the Method

In this section we discuss how the fault-independent test generation can be applied to the model of PIM-DM. We apply forward search techniques to study the correctness of PIM-DM. The study was conducted first without including faults, to study the complexity of the algorithms. Then selective message loss was applied and the protocol behavior was studied to analyze the protocol errors.

Method input

The protocol model is provided by the designer (or the protocol specification) in terms of a transition table or transition rules of the GFSM and a set of initial state symbols. The design requirements, in terms of correctness in this case, are assumed to be also given by the protocol specification. This includes the definition of correct states or erroneous states, in addition to the fault model if studying robustness. Furthermore, the detection of equivalence classes needs to be provided by the designer. Currently we do not automate the detection of equivalence classes. Also, the number of routers in the topology (or topologies) to be investigated, i.e., on the LAN, has to be specified.
Complexity of forward search for PIM-DM

The procedures presented above were simulated for PIM-DM. The forward search algorithms were simulated for PIM-DM to study its correctness. This set of results shows the behavior of the algorithms without including faults, i.e., when used for verification. We identified the initial state symbols to be $\{NM, EU\}$: $NM$ for downstream routers and $EU$ for upstream routers. The number of reachable states visited, the number of transitions, and the number of erroneous states found were recorded. A summary of the results is given in the two simulation-statistics figures below.

The number of expanded states denotes the number of visited stable states. The number of forwards is the number of times the state machine was advanced forward, denoting the number of transitions between stable states. The number of transitions is the number of visited transient states, and the number of error states is the number of stable (or expanded) states violating the correctness conditions. The error condition is given as in the second correctness definition above. Note that each of the other error states is equivalent to at least one error state detected by the reduced algorithm. Hence a smaller number of discovered error states for an algorithm in this case does not mean losing any information or causes of error, which follows from the definition of equivalence. Reducing the error states means reducing the time needed to analyze the errors.

We notice that there is a significant reduction in the algorithm complexity with the use of equivalence relations. In particular, the number of transitions is reduced from exponential in $n$ for the exhaustive algorithm to polynomial in $n$ for the reduced algorithm. Similar results were obtained for the number of forwards, expanded states and number of error states. The reduction gained by using the counting equivalence is exponential. A more detailed presentation of the algorithmic details and results is given in Appendix C.

(For our case study, the symmetry inherent in multicast over LANs was used to establish the counting equivalence for states, transitions and faults.)

        Expanded States           Forwards
Rtrs    Exhaustive   Reduced      Exhaustive   Reduced
1       14           9            80           43
2       52           18           537          124
3       178          30           2840         263
4       644          48           14385        503
5       2176         73           63372        881
6       7480         106          271019       1430
7       24362        148          1060120      2187
8       80830        200          4122729      3189
9       259270       263          15187940     4477
10      843440       338          55951533     6092
11      2684665      426          199038216    8079
12      8621630      528          708071468    10483
13      27300731     645          2.461E+09    13353
14      86885238     778          8.546E+09    16738

Figure: Simulation statistics for forward algorithms. Expanded States is the number of visited states and Forwards is the number of forward advances of the state machine.

For robustness analysis (as opposed to verification), faults will be included in the GFSM model. Intuitively, an increase in the overall complexity of the algorithms will be observed. Although we have only applied faults to study the behavior of the protocol, and not the complexity of the search, we anticipate similar asymptotic gains in the reduction using counting equivalence.
Summary of behavioral errors for PIM-DM

Several PIM-DM errors were detected by the method, some pertaining to correctness in the absence of message loss, while others were only detected in the presence of message loss. We have studied cases of up to 14-router LANs. Sometimes errors were found to occur in different topologies for similar reasons, as will be shown. Here we only discuss results for the two-router and three-router LAN cases for illustration.

Only one error was detected in the two-router case. With the initial state $\{EU, EU\}$ (i.e., both routers are upstream routers), the system enters the error state $\{F, NF\}$, where there is a forwarder for the LAN but there are no routers expecting packets or attached members. In this case the Assert process chose one forwarder for the LAN, but there were no downstream routers to Prune off the extra traffic, and so the protocol causes wasted bandwidth.

        Transitions               Errors
Rtrs    Exhaustive   Reduced      Exhaustive   Reduced
1       19           11           1            1
2       90           31           7            3
3       343          65           33           6
4       1293         119          191          13
5       4328         197          783          25
6       14962        307          3235         43
7       47915        449          11497        68
8       158913       633          41977        101
9       503860       857          142197       143
10      1638871      1133         491195       195
11      5185208      1457         1625880      258
12      16666549     1843         5441177      333
13      52642280     2285         17751178     421
14      167757882    2799         58220193     523

Figure: Simulation statistics for forward algorithms. Transitions is the number of transient states visited and Errors is the number of stable-state errors detected.
Several errors were detected for the three-router LAN case.

Starting from $\{EU, EU, EU\}$, the system enters the error state $\{F, NF, NF\}$, for a reason similar to that given above.

Starting from $\{NM, EU, EU\}$, the system enters the error state $\{NC, NF, F\}$. By analyzing the trace of events leading to the error, we notice that the downstream router ($NC$) pruned off one of the upstream routers ($NF$) before the Assert process takes place to choose a winner for the LAN. Hence the protocol causes wasted bandwidth.

Starting from $\{NM, EU, EU\}$, the system enters the state $\{NH, F, F\}$. This is due to the transition table rules: when a forwarder sends a packet, all upstream routers in the $EU$ state transit into the $F$ state. This is not an actual error, however, since the system will recover with the next forwarded packet using Assert. The detection of this false error could have been avoided by issuing an SPkt stimulus before the error check, to see if the system will recover with the next packet sent. (This is one case where the correctness conditions for the model are sufficient but not necessary to meet the functional requirements for correctness, thus leading to a false error. Sufficiency and necessity proofs are subjects of future work.)

With message loss, errors were detected for Join and Prune loss. When the system is in the $\{NH, NH, F\}$ state and one of the downstream members leaves (i.e., issues an L event), a Prune is sent on the LAN. If this Prune is selectively lost by the other downstream router, a Join will not be sent and the system enters the state $\{NC, NH, NF\}$. Similarly, if the Join is lost, the protocol ends up in an error state.
Challenges and Limitations

In order to generalize the fault-independent test generation method, we need to address several open research issues and challenges. Some of these issues are addressed in later parts of the dissertation; others are to be subjects of future work.

The topology is an input to the method, in terms of the number of routers. In a later chapter we present a new method that synthesizes the topology automatically as part of the search process. An alternative approach would be to add topology synthesis to FITG. One direction to investigate is to use the symbolic representation presented earlier in this chapter, where repetition constructs may be used to represent the LAN topology in general. (Repetition constructs include, for example, the $*$ to represent zero or more states, the $+$ to represent one or more states, and so on for two or more.) Ideas similar to those used in [PD] for cache coherence protocol verification may be investigated, where the state space is split using repetition constructs based on the correctness definition. Note, however, that our problem adds fault modeling, and the state space split will depend on the fault and robustness definition. In addition, correctness varies for different network protocols, so the state space split has to be parametrized as a function of correctness. It is important to prove the sufficiency of such an approach to generate topologies that capture all possible errors.

Equivalence classes are given as input to the method. Automating the identification of equivalence classes is part of future work. In this study we have used symmetries inherent in multicast routing on LANs to utilize equivalence. This symmetry may not exist in other protocols or topologies; hence the forward search may become increasingly complex. Other kinds of equivalence may be investigated to reduce complexity in these cases. (An example of another kind of equivalence is fault dominance, where a system is proven to necessarily reach one error before reaching another; thus the former error dominates the latter.) Also, other techniques for complexity reduction may be investigated, such as statistical sampling based on randomization or hashing [Hol]. However, sampling techniques do not achieve full coverage of the state space.

The topology used in this study is limited to a single-hop LAN. Although we found it quite useful to study multicast routing over LANs, the method needs to be extended to multi-hop LANs to be more general. A later chapter introduces the notion of a virtual LAN, and future work addresses multi-LAN topologies.

The fault-independent test generation may be used for protocol verification, as was shown, given the symmetry inherent in the system studied (i.e., protocol and topology). For robustness studies, where the fault model is included in the search, the complexity of the search grows. The fault-independent approach as presented here is not fit to address performance issues or topology synthesis. These issues are addressed in the coming chapters. The notion of forward search and the use of equivalence for complexity reduction are reused in our other methods as well.
Chapter: Fault-oriented Test Generation

In this chapter we investigate the fault-oriented test generation (FOTG), where the tests are generated for specific faults. In this method the test generation algorithm starts from the faults and searches for a possible error, establishing the necessary topology and events to produce the error. Once the error is established, a backward search technique produces a test sequence leading to the erroneous state, if such a state is reachable. We use the FSM formalism presented earlier to represent the protocol. We also reuse some ideas from the other algorithms previously presented, such as forward search and the notion of equivalence for search reduction.

Method Overview

Fault-oriented test generation (FOTG) targets specific faults or conditions, and so is better suited to study robustness in the presence of faults in general. FOTG has three main stages: (a) topology synthesis, (b) forward implication and error detection, and (c) backward implication. The topology synthesis establishes the necessary components (e.g., routers and hosts) of the system to trigger the given condition (e.g., trigger a protocol message). This leads to the formation of a global state in the middle of the state space. (The global state from which FOTG starts is synthesized for a given fault, such as a message to be lost, or a given condition or target event, as will be shown later.) Forward search is then performed from that global state in its vicinity (i.e., within a complete transition) after applying the fault. This process is called forward implication and uses search techniques similar to those explained earlier. If an error occurs, backward search is performed thereafter to establish a valid sequence leading from an initial state to the synthesized global state. To achieve this, the transition rules are reversed and a search is performed until an initial state is reached or the synthesized state is declared unreachable. This process is called backward implication.

Much of the algorithmic detail is based on condition/effect reasoning over the transition rules. This reasoning is emphasized in the semantics of the transition table used in the topology synthesis and the backward search. The next section describes these semantics. We then describe the algorithmic details of FOTG and how FOTG was applied to PIM-DM in our case study, present the results and method evaluation, and finally discuss the limitations of the method and our findings.
Transition Table

The global state transition may be represented in several ways. Here we choose a transition table representation that emphasizes the effect of the stimuli on the system, and hence facilitates topology synthesis. The transition table describes, for each stimulus, the conditions of its occurrence. A condition is given as a stimulus and a state or transition, denoted by stimulus/state/trans, where the transition is given as startState -> endState. We further extend message and router semantics to capture multicast semantics. Following, we present a detailed description of the semantics of the transition table, then give the resulting transition table for our case study, to be used later in this chapter.

Semantics of the transition table

In this subsection we describe the message and router semantics, preconditions and postconditions.
Stimuli and router semantics: Stimuli are classified based on the routers affected by them. Stimuli types include:

orig: stimuli or events occurring within the router originating the stimulus, which do not affect other routers; these include HJ, L, SPkt, Graft_Tx, Del and Rtx.

dst: messages that are processed by the destination router only; these include Join, GAck and Graft_Rcv.

mcast: multicast messages that are processed by all other routers; these include Assert and FPkt.

mcastDownstream: multicast messages that are processed by all other downstream routers but only one upstream router; this includes the Prune message.

These types are used by the search algorithm for processing the stimuli and messages. According to these different types of stimulus processing, a router may take as subscript orig, dst or other: orig designates the originating router of the stimulus or message, whereas dst designates the destination of the message; other indicates routers other than the originator. Routers are also classified as upstream or downstream, as presented in an earlier chapter.

Pre-Conditions: The preconditions in general are of the form stimulus/state/transition, where the transition is given as startState -> endState. If there are several preconditions, then we can use a logical OR to represent the rule. At least one precondition is necessary to trigger the stimulus.

An example of a stimulus/state condition is the condition for the Join message, namely Prune_other AND NH_orig; that is, a Join is triggered by the reception of a Prune from another router, with the originator of the Join in NH. An example of a stimulus/transition condition is the condition for Graft transmission, HJ AND (NC -> NH), i.e., a host joining and the transition of the router from the negative cache state to the next hop state.

Post-Conditions: A postcondition is an event and/or transition that is triggered by the stimulus. Postconditions may be in the form of transition, condition/transition, condition/stimulus and stimulus/transition:

transition has an implicit condition with which it is associated, i.e., a -> b means "if a is in GState then a -> b". For example, the Join postcondition NF_dst -> F_dst means: if NF_dst is in GState, then the transition NF -> F will occur.

condition/transition is the same as above, except that the condition is explicit.

condition/stimulus: if the condition is satisfied, then the stimulus is triggered. For example, the Prune postcondition NH_other -> Join_other means that for all NH_x in GState, where x is not equal to orig, router x triggers a Join.

stimulus/transition has the transition condition implied, as above. For example, the Graft_Rcv postcondition GAck, NF_dst -> F_dst means: if NF_dst is in GState, then the transition occurs and GAck is triggered.

Network faults such as message loss may cause the stimulus not to take effect. For example, losing a
J oin message will cause the ev entof J oin reception not to takeeect This do es not app ear in our case study
If more than one p ostcondition exists then the logical relation bet w een them is
either an X OR if the router is the same or an AND if the routers are dieren t
F or example J oin p ostconditions are F
dst Del
F
dst
N F
dst
F
dst
whic h means
F
dst Del
F
dst
X OR NF
dst
F
dst
Ho w ev er P r une p ostconditions are F
dst
F
dst Del
N H
other
J oin
other
whic h im
plies that the transition will o ccur if F
dst
GS tate AND a J oin will b e triggered if
NH GS tate F ollo wing is the transition table used in our case study Stim ulus Preconditions P ostconditions
Join P r une
other
N H
or ig
F
dst Del
F
dst
N F
dst
F
dst
P r une LN C F P k tN C F
dst
F
dst Del
N H
other
J oin
other
Gr af t
Tx
HJ NC NH RtxE xp NH
Rtx
NH Gr af t
Rcv
NH NH
Rtx
Gr af t
Rcv
Gr af t
Tx
NH NH
Rtx
GAck NF
dst
F
dst
GAck Gr af t
Rcv
F NH
dst Rtx
NH
dst
Asser t FPkt
other
F
or ig
F
other
NF
other
FPkt S pk tF P r une NM NC ED NH M NH EU
other
F
other
F
other
Asser t
Rtx R txExp Gr af t
Tx
NH
or ig Rtx
NH
or ig
Del DelExp F
or ig Del
NF
or ig
SP kt Ext FPkt EU
or ig
F
or ig
H J oin Ext NM M Gr af t
Tx
NC NH Leav e Ext M N M P r une NH NC P r une NH
Rtx
NC The ab o v e preconditions can b e deriv ed automatically from the p ostconditions The
PreConditions pro cedure tak es as input one form of the con v en tional transition table and
pro duces the precondition seman tics See App endix D for details of suc h pro cedure
State Dependency Table

To aid in test sequence synthesis through the backward implication procedure, we construct what we call a state dependency table. This table can be inferred automatically from the transition table. We use this table to improve the performance of the algorithm and for illustration.

For each state, the dependency table contains the possible preceding states and the stimulus from which the state can be reached or implied. To obtain this information for a state s, we search the postcondition column of the transition table for entries where the endState of a transition is s. In addition, a state may be identified as an initial state (IS).

Footnote: There is an implicit condition that can never be satisfied in both statements, which is the existence of dst in only one state at a time.

The dependencyTable procedure in Appendix D generates the dependency table from the transition table of conditions. For s ∈ IS, a symbol denoting initial state is added to the array entry. For our case study, IS = {NM, EU}. Based on the above transition table, following is the resulting state dependency table; each entry gives a preceding state with, in parentheses, the stimulus through which the state is reached.

State      | Possible Backward Implications
F_i        | EU_i (FPkt_other), F_i^Del (Join), NF_i (Join), NF_i (Graft_Rcv), EU_i (SPkt)
F_i^Del    | F_i (Prune)
NF_i       | F_i^Del (Del), F_i (Assert)
NH_i       | NH_i^Rtx (Rtx/GAck), NC_i (HJ), M_i (FPkt), ED_i (FPkt)
NH_i^Rtx   | NH_i (Graft_Tx)
NC_i       | NM_i (FPkt), NH_i^Rtx (L), NH_i (L)
EU_i       | IS
ED_i       | IS
M_i        | NM_i (HJ)
NM_i       | M_i (L), IS

In cases where the stimulus affects more than one router (e.g. a multicast Prune), multiple states need to be simultaneously implied in one backward step, otherwise an IS may not be reached. To do this, the transitions in the postconditions of the stimulus are traversed and any states in the global state that are endStates are replaced by their corresponding startStates. For example, {M_i, NM_j, F_k} --FPkt--> {NH_i, NC_j, F_k}. This is taken care of by the backward implication section described later.
FOTG details

As previously mentioned, our FOTG approach consists of three phases: (I) synthesis of the global state to inspect, (II) forward implication, and (III) backward implication. These phases are explained in more detail in this section. In Section we present an illustrative example for these phases.

Synthesizing the Global State

Starting from a condition (e.g. a protocol message or stimulus) and using the information in the protocol model (i.e. the transition table), a global state is synthesized for investigation. We refer to this state as the global state inspected, G_I, and it is obtained as follows:

1. The global state is initially empty and the inspected stimulus is initially set to the stimulus investigated.
2. For the inspected stimulus, the states (or the startStates of the transition) of the postcondition are obtained from the transition table. If these states do not exist in the global state and cannot be inferred therefrom, then they are added to the global state.
3. For the inspected stimulus, the states (or the endStates of the transition) of the precondition are obtained. If these states do not exist in the global state and cannot be inferred therefrom, then they are added to the global state.
4. Get the stimulus of the precondition of the inspected stimulus; call it newStimulus.
5. If newStimulus is not external (Ext), then set the inspected stimulus to newStimulus and go back to step 2.

Footnote: The possible backward implications are separated by commas, indicating an OR relation.

The second step considers postconditions and adds the system components that will be affected by the stimulus, while the third and fourth steps synthesize the components necessary to trigger the stimulus. The procedure given in Appendix D synthesizes the minimum topologies necessary to trigger a given stimulus of the protocol.

Note that there may be several preconditions or postconditions for a stimulus, in which case several choices can be made. These represent branching points in the search space. At the end of this stage the global state to be investigated is obtained.
Forward Implication

The states following G_I, i.e. G_{I+i} where i > 0, are obtained through forward implication. We simply apply the transitions starting from G_I as given by the transition table, in addition to implied transitions such as timer implication. Furthermore, faults are incorporated into the search. For example, in the case of a message loss, the transition that would have resulted from the message is not applied. If more than one state is affected by the message, then the space is expanded to include the various selective loss scenarios for the affected routers. For crashes, the routers affected by the crash transit into the crashed state as defined by the expanded transition rules, as will be shown in Section. Forward implication uses the forward search techniques described earlier in Chapter.

According to the transition completion concept (see Section), the proper analysis of behavior should start from externally triggered transitions. For example, the analysis should not consider a Join without considering the Prune triggering it and its effects on the system. Thus the global system state must be rolled back to the beginning of a complete transition (i.e. the previous stable state) before applying the forward implication. This will be implied in the forward implication algorithm to simplify the discussion.
Backward Implication

Backward implication attempts to obtain a sequence of events leading to G_I from an initial state IS, if such a sequence exists, i.e. if G_I is reachable from IS. The state dependency table described in Section is used in the backward search. Backward steps are taken for the components in the global state G_I, each step producing another global state GState. For each state in GState, the possible backward implication rules are attempted to obtain valid backward steps toward an initial state. This process is repeated for preceding states in a depth-first fashion. A set of visited states is maintained to avoid looping. If all backward branches are exhausted and no initial state was reached, the state is declared unreachable.

To rewind the global state one step backward, the reverse transition rules are applied. Depending on the stimulus type of the backward rule, different states in GState are rolled back. For orig and dst, only the originator or the destination of the stimulus, respectively, is rolled back. For mcast, all affected states are rolled back except the originator. mcastDownstream is similar to mcast, except that all downstream routers (or states) are rolled back while only one upstream router (the destination) is rolled back. Appendix D shows the procedures Backward and Rewind that implement the above steps.

Note, however, that not all backward steps are valid, and backtracking is performed when a backward step is invalid. Backtracking may occur when the preceding states contradict the rules of the protocol. These contradictions may manifest themselves as:
- Src not found: src is the originator of the stimulus, and the global state has to include at least one component to originate the stimulus. An example of this contradiction occurs for the Prune stimulus with a global state {NH, F, NF}, where an originating component of the Prune (NC in this case) does not belong to the global state.
- Failure of the minimum topology check: the necessary conditions to trigger the stimulus must be present in the global topology. Examples of failing the minimum topology check include, for instance, a Join stimulus with global state {NH, NF} or an Assert stimulus with global state {F, NH, NC}.
- Failure of the consistency check: to maintain consistency of the transition rules in the reverse direction, we must check that every backward step has an equivalent forward step. To achieve this, we must check that there is no transition x → y for the given stimulus such that x ∈ GState, since if x remains in the preceding global state, the corresponding forward step would transform x into y and the system would exist in a state inconsistent with the initial global state before the backward step. An example of this inconsistency exists when the stimulus is FPkt and GState = {F, NF, EU}, where EU → F is a postcondition for FPkt. See Appendix D for the consistency check procedure.
Applying The Method

In this section we discuss how fault-oriented test generation can be applied to the model of PIM-DM. Specifically, we discuss in detail the application of FOTG to the robustness analysis of PIM-DM in the presence of single message loss and machine crashes. We first walk through a simple illustrative example. Then we present the results of the case study in terms of the correctness violations captured by the method.

Method input

The protocol model is provided by the designer or protocol specification in terms of a transition table and the semantics of the messages. In addition, a list of faults to be studied is given as input to the method; for example, the definition of the fault as single selective protocol message loss applied to the list of messages {Join, Prune, Assert, Graft}. Also given is a set of initial state symbols, in our case {NM, EU}. A definition of the design requirement (in this case the definition of correctness) is also provided by the specification. The rest of the process is automated.

Footnote: The traditional input/output transition table is sufficient for our method. The pre/postcondition transition table can be derived automatically therefrom.

Illustrative example

Figure shows the phases of FOTG for a simple example of a Join loss. Following are the steps taken for that example.
Figure: Join topology synthesis, forward/backward implication. Content recovered from the figure:
Stimulus | Pre-conditions  | Post-conditions
Join_i   | Prune_j . NH_i  | (NF_k → F_k)
Prune_j  | Leave_j . NC_j  | (F_k → NF_k) . NH_i . Join_i
Leave_j  | Host event      | (NH_j → NC_j) . Prune_j
Synthesized topology: G_I = {NC_j, NH_i, NF_k}.
Forward implication (G_{I+}): with no loss of Join, G_{I+1} = {NC_j, NH_i, F_k}; with loss of Join, G_{I+1} = {NC_j, NH_i, NF_k}, an error state.
Backward implication (G_{I-}): Prune_j: G_{I-1} = {NC_j, NH_i, F_k}; FPkt: G_{I-2} = {NM_j, M_i, F_k}; SPkt: G_{I-3} = {NM_j, M_i, EU_k}; HJ_i: G_{I-4} = {NM_j, NM_i, EU_k}.
Synthesizing the Global State
- Join: the startState of the postcondition is NF_dst; G_I = {NF_k}.
- Join: the state of the precondition is NH_i; G_I = {NH_i, NF_k}; goto Prune.
- Prune: the startState of the postcondition is F_k, which can be implied from NF_k in G_I.
- Prune: the state of the precondition is NC_j; G_I = {NH_i, NF_k, NC_j}; goto L.
- L: external event; the startState of the postcondition is NH, which can be implied from NC in G_I.

Forward implication
- without loss: G_I = {NH_i, NF_k, NC_j} --Join--> G_{I+1} = {NH_i, F_k, NC_j}
- loss w.r.t. R_j: {NH_i, NF_k, NC_j} --Join--> G_{I+1} = {NH_i, NF_k, NC_j}: error

Backward implication
G_I = {NH_i, NF_k, NC_j} <--Prune-- G_{I-1} = {NH_i, F_k, NC_j} <--FPkt-- G_{I-2} = {M_i, F_k, NM_j} <--SPkt-- G_{I-3} = {M_i, EU_k, NM_j} <--HJ_i-- G_{I-4} = {NM_i, EU_k, NM_j} ∈ IS

Losing the Join by the forwarding router R_k leads to an error state where router R_i is expecting packets from the LAN but the LAN has no forwarder.
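The transition table, the dependency-table derivation and the Join-loss forward implication above, as an added Python example (not the dissertation's own code). It encodes only the per-router postcondition transitions of the table with the roles orig/dst/other used in the text; the initial-state set follows the dependency table (NM, EU, ED), the single-router backward search is a simplification of the multi-router Rewind procedure, and the error check is the one the example states (a router in NH while no router on the LAN is a forwarder).

```python
"""Toy encoding of the chapter's PIM-DM transition table (added example)."""
from collections import defaultdict

# Postcondition transitions: stimulus -> [(role, startState, endState)].
# F_Del and NH_Rtx are the timer-carrying variants of F and NH.
POST = {
    "Join":      [("dst", "F_Del", "F"), ("dst", "NF", "F")],
    "Prune":     [("dst", "F", "F_Del")],
    "Graft_Tx":  [("orig", "NH", "NH_Rtx")],
    "Graft_Rcv": [("dst", "NF", "F")],
    "GAck":      [("dst", "NH_Rtx", "NH")],
    "Assert":    [("other", "F", "NF")],
    "FPkt":      [("other", "NM", "NC"), ("other", "ED", "NH"),
                  ("other", "M", "NH"), ("other", "EU", "F")],
    "Del":       [("orig", "F_Del", "NF")],
    "SPkt":      [("orig", "EU", "F")],
    "HJ":        [("orig", "NM", "M"), ("orig", "NC", "NH")],
    "L":         [("orig", "M", "NM"), ("orig", "NH", "NC"),
                  ("orig", "NH_Rtx", "NC")],
}
# IS symbols: the text gives {NM, EU}; the dependency table also lists ED.
INITIAL = {"NM", "EU", "ED"}


def dependency_table(post=POST):
    """state -> [(stimulus, preceding state)]: a scan of the postcondition
    column for every transition whose endState is that state."""
    dep = defaultdict(list)
    for stim, trans in post.items():
        for _role, start, end in trans:
            dep[end].append((stim, start))
    for s in INITIAL:
        dep[s].append(("IS", None))
    return dict(dep)


def backward_to_initial(state, dep=None, visited=None):
    """Depth-first backward implication for a single router's state.
    Returns the list of (stimulus, state) steps from an initial state up to
    `state`, or None when every branch is exhausted (unreachable).  The
    visited set stops loops such as NH <-> NH_Rtx."""
    if dep is None:
        dep = dependency_table()
    if visited is None:
        visited = {state}
    if state in INITIAL:
        return [("IS", state)]
    for stim, prev in dep.get(state, []):
        if prev is None or prev in visited:
            continue
        path = backward_to_initial(prev, dep, visited | {prev})
        if path is not None:
            return path + [(stim, state)]
    return None


def forward_imply(gstate, stim, roles, lost_at=()):
    """Apply the postconditions of `stim` to a global state {router: state}.
    `roles` gives each router's role for this stimulus; routers in `lost_at`
    missed the message, so their transition is not applied (message loss)."""
    new = dict(gstate)
    for role, start, end in POST[stim]:
        for router, r in roles.items():
            if r == role and router not in lost_at and new[router] == start:
                new[router] = end
    return new


def lan_error(gstate):
    """Correctness check from the Join example: a router expects packets
    from the LAN (NH) while no router on the LAN is a forwarder."""
    expecting = any(s in ("NH", "NH_Rtx") for s in gstate.values())
    has_forwarder = any(s in ("F", "F_Del") for s in gstate.values())
    return expecting and not has_forwarder


def join_loss_example():
    """G_I = {NH_i, NC_j, NF_k}; Join from R_i to R_k, without and with loss."""
    g_i = {"R_i": "NH", "R_j": "NC", "R_k": "NF"}
    roles = {"R_i": "orig", "R_j": "other", "R_k": "dst"}
    no_loss = forward_imply(g_i, "Join", roles)
    lost = forward_imply(g_i, "Join", roles, lost_at=("R_k",))
    return no_loss, lost


if __name__ == "__main__":
    print(dependency_table()["F"])
    print(backward_to_initial("NF"))
    ok, bad = join_loss_example()
    print(ok, lan_error(ok), bad, lan_error(bad))
```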
Summary of Results

In this section we briefly discuss the results of applying our method to PIM-DM. The analysis is conducted for single message loss and momentary loss of state. For a detailed analysis of the results see Appendix D.

Single message loss

We have studied single message loss scenarios for the Join, Prune, Assert and Graft messages. For this subsection we mostly consider non-interleaved external events, where the system is stimulated only once between stable states. The Graft message is particularly interesting since it is acknowledged, and it raises timing and sequencing issues that we address in a later subsection, where we extend our method to consider interleaving of external events. Our method as presented here, however, may not be generalized to transform any type of timing problem into a sequencing problem. This topic bears more research in the future.

Join: A scenario similar to that presented in Section incurred an error. In this case the robustness violation was not allowing the downstream router another chance to send a Join. A suggested fix would be to send another prune by F_Del before the timer expires.

Prune: In the topology above, an error occurs when R_i loses the Prune, hence no Join is triggered. The fix suggested above takes care of this case too.

Assert: An error in the Assert case occurs with no downstream routers, e.g. G_I = {F_i, F_j}. The design error is the absence of a mechanism to prevent pruning packets in this case. One suggested fix would be to have the Assert winner schedule a deletion timer (i.e. become F_Del) and have the downstream receiver, if any, send a Join to the Assert winner.

Graft: A Graft message is acknowledged by GAck, hence the protocol did not incur an error when the Graft message was lost with non-interleaved external events. The protocol is robust to Graft loss with the use of the Rtx timer. Adversary external conditions are interleaved during the transient states and the Rtx timer is cleared, such that the adverse event will not be overridden by the Rtx mechanism.
Figure: Graft event sequencing. Upstream router A and downstream router B exchange Graft and GAck messages over time (t1 to t6): (I) no loss; (II) loss of Graft (Graft, Graft, GAck); (III) loss of Graft and interleaved Prune (Graft, Prune, Graft, GAck).
To clear the Rtx timer, a transition should be created from NH_Rtx to NH which is triggered by a GAck; according to the state dependency table, NH <--GAck-- NH_Rtx. This transition is then inserted in the event sequence, and forward and backward implications are used to obtain the overall sequence of events illustrated in the figure. In the first and second scenarios (I and II) no error occurs. In the third scenario (III), when a Graft followed by a Prune is interleaved with the Graft loss, the Rtx timer is reset with the receipt of the GAck for the first Graft and the system ends up in an error state. A suggested fix is to add sequence numbers to Grafts, at the expense of added complexity.

Loss of State

We consider momentary loss of state in a router. A Crash stimulus transfers the crashed router from any state X into EU or ED. Hence we add the following line to the transition table:

Stimulus | Precond. | Postcond. (stimulus . state/trans)
Crash    | Ext      | {NM, M, NH, NC, NH_Rtx} → ED, {F, F_Del, NF} → EU

The FSM resumes function immediately after the crash, i.e. further transitions are not affected. We analyze the behavior when the crash occurs in any router state. For every state, a topology is synthesized that is necessary to create that state. We leverage the topologies previously synthesized for the messages. For example, state F_Del may be created from state F by receiving a Prune (F_Del <--Prune-- F). Hence we may use the topologies constructed for Prune loss to analyze a crash for the F_Del state.

Forward implication is then applied and the behavior after the crash is checked for correct packet delivery. To achieve this, the host stimuli (i.e. SPkt, HJ and L) are applied, then the system state is checked for correctness.

In many of the cases studied the system recovered from the crash, i.e. the system state was eventually correct. The recovery is mainly due to the nature of PIM-DM, where protocol states are recreated with the reception of data packets. This result is not likely to extend to protocols of other natures, e.g. PIM Sparse-Mode [EFH].

However, in violation of the robustness requirements, there existed cases in which the system did not recover. In the figure, the host joining in (II)(a) did not have sufficient state to send a Graft, and hence incurs join latency until the negative-cache state times out upstream and packets are forwarded onto the LAN, as in (II)(b).
Figure: Crash leading to join latency. Panels: (I) Crash, NH → ED; (II) HJ and SPkt, (a) and (b); (III) L, SPkt and Prune; FPkt on the LAN. Router states shown: NF, F, NH, ED, M, NM, NC.

In the figure, (II)(a), the downstream router incurs join latency due to the crash of the upstream router. The state is not corrected until the periodic broadcast takes place and packets are forwarded onto the LAN, as in (II)(b).
Challenges and Limitations

Although we have been able to apply FOTG to PIM-DM successfully, there remain some challenges and open issues that we discuss in this section. Some of these challenges are addressed in later chapters to generalize FOTG to apply to a wider range of protocols and evaluations. Others are still under study and will be addressed in the future work section. We also discuss our experience, findings and insights that we have developed through the process of designing and implementing FOTG.
Figure: Crash leading to black holes. Panels: (I) Crash, F → EU, with G_Tx, G_Rcv, GAck and NH_Rtx, NH; (II) SPkt, (a) and (b); (III) L and Prune. Router states shown: EU, F, NF, NH, NC.
- The topologies synthesized by the above FOTG study are limited to a single-hop LAN with n routers. This means that the above FOTG analysis is necessary but not sufficient to verify robustness of the end-to-end behavior of the protocol in a multi-hop topology: even if each LAN in the topology operates correctly, the inter-LAN interaction may introduce erroneous behaviors. Applying FOTG to multi-LAN topologies is part of future research.
- The analysis for our case studies was done for network layer protocols, namely multicast routing in a single-hop LAN environment. We did not consider network delays. In order to study end-to-end protocols, network delays must be considered in the model. In Chapter we extend the notion of the LAN to include end-to-end delay semantics; we call it a virtual LAN.
- The evaluation criteria for protocols, especially for end-to-end protocols, usually emphasize performance in addition to correctness and robustness. Semantics of performance measures, and incorporating the richer timing semantics that are often part of these measures, are discussed in Chapter.
- Minimal topologies that are necessary and sufficient to trigger the stimuli may not be sufficient to capture all correctness violations. For example, in some cases it may require one member to trigger a Join but two members to experience an error caused by Join loss. Hence the topology synthesis stage must be complete in order to capture all possible errors. To achieve this we propose to use the symbolic representation; for example, to cover all topologies with one or more members we use the symbol M. Integration of this notation with the full method is part of future work.
- The efficiency of the backward search may be increased using reduction techniques such as equivalence of states and transitions, similar to the ones presented in Chapter. This is still a topic of research and is part of future work. Possible directions to investigate include using heuristics to direct the search and avoid backtracking. For example, a heuristic function may be used to give weights to edges that are more likely to succeed or to give shorter test sequences. Such a function may be based on statistical sampling to develop a profile of the protocol behavior, or may utilize insights about the protocol, such as the transition completion tables described in Chapter.
- Instead of performing a complete backward search until an initial state is reached or unreachability is detected, the algorithm may use information about reachable states to reduce the search. This information about state reachability could be obtained simply by storing previous sequences and states visited. Alternatively, the designer may provide information based on protocol-specific knowledge about reachable states through a compact representation thereof.
- The topologies constructed by FOTG are inferred from the mechanisms specified by the transition table of the GFSM. The FOTG algorithm will not construct topologies resulting from non-specified mechanisms. For example, if the Assert mechanism that deals with duplicates was left out due to a design error, the algorithm would not construct the {F_i, F_j} topology. Hence FOTG is not guaranteed to detect duplicates in this case. So FOTG as presented here may be used to evaluate the behavior of specified mechanisms in the presence of network failures, but it is not a general protocol verification tool. If used for verification, FOTG would start from the error states and search backwards. In our case study, however, we have noticed that the error state space constitutes the majority of the state space for a large number of routers, hence the complexity grows (see Chapter).
- The global states synthesized during the topology synthesis phase are not guaranteed to be reachable from an initial state. Hence the algorithm may be investigating non-reachable states until they are detected as unreachable in the last (backward search) phase. Adding reachability detection in the early stages of FOTG is a subject of future work. However, statistics collected in our case study (see Appendix D) show that unreachable states are not the determining factor in the complexity of the backward search. Hence other reduction techniques may be needed to increase the efficiency of the method.
- The error in the Graft mechanism was only detected after inserting an adversary interleaved event. The logic presented in this document deals with the timing mechanisms in our case study. In order to generalize a mechanism to convert timing problems into sequencing problems, if possible, further study must be conducted. Future work in this area should also include a classification of timing problems. Another type of timing problem is addressed in Chapter using the delay matrix (virtual LAN) and the integration of timing semantics into the model and the search algorithm.

We believe that the strength of our fault-oriented method, as was demonstrated, lies in its ability to construct the necessary conditions for erroneous behavior by starting directly from the fault and avoiding the exhaustive walk of the state space. Also, converting timing problems into sequencing problems, as was shown for the Graft analysis, reduces the complexity required to study timers. FOTG as presented in this chapter seems best fit to study protocol robustness in the presence of faults. Faults presented in our studies include single selective loss of protocol messages and router crashes.
Chapter: Performance Evaluation of End-to-End Multipoint Protocols

In this chapter we extend the fault-oriented test generation method to study the performance of end-to-end multipoint mechanisms. We introduce the concept of a virtual LAN to represent the underlying network, integrate timing and delay semantics into our model, and use performance criteria to drive our synthesis algorithm.

As a case study, we identify the timer suppression mechanism as a building block used by several multipoint protocols and analyze its worst-case and best-case performance behaviors in a systematic fashion.

Timer Suppression in Multipoint Protocols

As described in Section, the timer suppression mechanism is a common technique used to alleviate the Ack-implosion problem. It is employed in several multipoint protocols. In this mechanism, a member of a multicast group that has detected the loss of a data packet sends a multicast request for recovery. Other members of the group that have previously received the data packet schedule the transmission of a response. In general, randomized timers are used in scheduling the response. While a response timer is running at one end system (host), if a response is received from another end system then the response timer is suppressed, to reduce the number of responses per request. Consequently, the response time may be delayed to allow for more suppression.

The two main performance evaluation criteria used in this case are the overhead of response messages and the time to recover from packet loss. According to the relative delays between the group members and the timer settings, the mechanism exhibits different performance. In this chapter our method attempts to obtain scenarios of best-case and worst-case performance according to the above evaluation criteria.

Here we describe the role of the timer suppression mechanism in some of these protocols.
- IP multicast protocols such as PIM [EFH] and IGMP [Fen] use the timer suppression mechanism on LANs to reduce the number of control messages sent in the Join/Prune and Assert mechanisms.
- For reliable multicast schemes such as scalable reliable multicast (SRM) [FJL], the mechanism is used to alleviate the ack-implosion problem or to reduce the number of responses on a LAN, as in multicast ftp (MFTP) [MRTW]. Variants of the SRM timers are used in registry replication, e.g. RRM [GYE], and adaptive web caching [ZMN].
- In multicast address allocation schemes such as the address allocation protocol (AAP) [Han] and session directory (sdr) [Hanb], the timer suppression mechanism is used in the request/response protocol to avoid an implosion of responses during the collision detection phase.
- In the context of active services [AMK], e.g. in a service offered by media gateway servers, multicast damping is used to launch one service agent (servent) from a pool of servers.
- There are other applications of the timer suppression mechanism in the areas of self-organizing hierarchies (SCAN) [GAE] and transport protocols, e.g. XTP [ACFS] and RTP [SCFJ].
The model

The model is a processable representation of the system under study that enables automation of our method. The overall model consists of three parts: (A) the protocol, (B) the topology and (C) the faults.

The protocol model is based on the global finite state machine (GFSM) model presented in Chapter. Instead of having each finite state machine be a router, here it is an end system (host) running an instance of the multipoint protocol.

The Topology Model

The topology cannot be captured simply by one metric. Indeed, its dynamics may be too complex to model and sometimes intractable. We capture two primary characteristics of the topology: the delays and the loss patterns (see the fault model). We use a virtual LAN (VLAN) model to represent the underlying network topology and multicast distribution tree. The VLAN captures delay semantics using a delay matrix D (see Figure), where d_{i,j} is the delay from system i to system j.

Figure: The virtual LAN (systems Q, 1, 2, 3) and the delay matrix

        |    0     d_{Q,1}  d_{Q,2}  d_{Q,3} |
    D = | d_{1,Q}     0     d_{1,2}  d_{1,3} |
        | d_{2,Q}  d_{2,1}     0     d_{2,3} |
        | d_{3,Q}  d_{3,1}  d_{3,2}     0    |
The Fault Model

The general fault model was defined in Chapter. Here we only consider packet loss and extended delays between end systems. Selective loss is the general form of packet loss that may be experienced by a multipoint application, where a multicast message may be received by some systems but not others. The loss of a message by a specific system prevents its reception and hence prevents the transition that it was meant to trigger at that system.
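The timer suppression mechanism run over the VLAN delay matrix, as an added Python example (not the dissertation's code): a constructed 4-system matrix D with the requester Q as system 0, constructed response timer values T_i, and the two criteria named above (response overhead and recovery time). Selective loss is modelled as an assumed set of (sender, receiver) deliveries that are dropped.

```python
"""Timer suppression over a virtual-LAN delay matrix (added example).
D[i][j] is the delay from system i to system j, as in the delay matrix."""


def simulate(D, Q, timers, lost=frozenset()):
    """Return (responders, n_responses, recovery_time).
    Q multicasts a request at t = 0.  Member i schedules its response at
    D[Q][i] + timers[i] and suppresses it if another member's response
    arrives before that time.  `lost` holds (sender, receiver) pairs whose
    delivery is dropped (selective loss); recovery_time is when the first
    response reaches Q, or None if none does."""
    members = [i for i in range(len(D)) if i != Q]
    fire = {i: D[Q][i] + timers[i] for i in members}   # scheduled response
    responders = []
    for i in sorted(members, key=lambda m: fire[m]):    # earliest timer first
        # A response already sent by j suppresses i if it reaches i before
        # i's own timer fires and was not lost on the (j, i) path.
        suppressed = any(fire[j] + D[j][i] < fire[i] and (j, i) not in lost
                         for j in responders)
        if not suppressed:
            responders.append(i)
    arrivals = [fire[j] + D[j][Q] for j in responders if (j, Q) not in lost]
    recovery = min(arrivals) if arrivals else None
    return responders, len(responders), recovery


# Constructed 4-system VLAN: index 0 is Q, 1..3 are the other members.
D = [[0, 1, 2, 3],
     [1, 0, 1, 4],
     [2, 1, 0, 5],
     [3, 4, 5, 0]]


def best_case():
    """Timers spread out: member 1 fires first and suppresses both others,
    so one response is sent (minimal overhead)."""
    return simulate(D, Q=0, timers={1: 1, 2: 5, 3: 5})


def worst_case():
    """Equal timers: every response is in flight before a suppressing
    response can reach the other members (maximal overhead)."""
    return simulate(D, Q=0, timers={1: 1, 2: 1, 3: 1})


def lossy_case():
    """Member 1's response is lost on the (1, 3) path, so member 3 is not
    suppressed and a duplicate response is sent."""
    return simulate(D, Q=0, timers={1: 1, 2: 5, 3: 5}, lost={(1, 3)})


if __name__ == "__main__":
    print(best_case(), worst_case(), lossy_case())
```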
Applying The Metho d
T o apply the metho d the designer sp ecies the proto col mo del to be ev aluated and the
criteria of ev aluation In this pap er w e address p erformance criteria The algorithm
op erates on the sp ecied mo del and obtains a set of constrain ts or relations bet w een
dela ys and timers to stress the proto col according to the ev aluation criteria The stress
scenarios are then obtained b y satisfying these constrain ts b y assigning top ology dela ys or
timer v alues
In this section w e giv e an outline of the algorithmic details of the metho d Then w e
describ e t w o tasks relating to the timer suppression mec hanism in general to whic h our
metho d ma y b e applied
Algorithm Outline

This section outlines the algorithm used for test synthesis. The algorithm is a variant
of the fault-oriented test generation (FOTG) algorithm presented in an earlier chapter. It
includes the topology synthesis, the backward search and the forward search stages. Here
we only describe those aspects of the algorithm that deal with timing and performance
semantics.

The basic algorithm passes through three main steps: target event identification, the
search, and the task-specific solution.

1. The target event. The algorithm starts from a given event, called the target event.
   The target event (e.g. sending a message) is identified by the designer as one relevant
   to the protocol evaluation criteria (e.g. the overhead of a given message).

2. The search. Three steps are taken in the search: (a) identifying conditions, (b)
   obtaining sequences and (c) formulating inequalities.

   (a) Identifying conditions. The algorithm uses the transition rules to identify the
   conditions and transitions necessary to trigger the target event, or to prevent it;
   these are called wanted transitions and unwanted transitions, respectively.

   (b) Obtaining sequences. Once these transitions are identified, the algorithm uses (i)
   backward search and (ii) forward search to build sequences of events leading to the
   transitions, and calculates the times of these events, as follows.

   (i) Backward search identifies the events preceding the wanted and unwanted
   transitions. It uses implication rules that operate on the protocol's transition table;
   some rules include timing semantics to account for network delays or timer durations.
   The implication rules include reception/transmission pairing, where reception of a
   transmitted message is implied after applying the network delay if the message is not
   lost; timer expiration, where the event of firing the timer is implied after the
   expiration period; and state creation, where previous states are implied by reversing
   the state transition rules.

   (ii) Forward search verifies the backward steps taken and eliminates contradictions.
   Every backward step must correspond to a valid forward step; otherwise backtracking is
   used to recover from the contradiction.

   (c) Formulating inequalities. Based on the conditions and transitions obtained above,
   along with the timed sequences leading to the transitions, the algorithm formulates
   timing constraints, in the form of inequalities over delays and timer settings, that
   would trigger the wanted transitions and avoid the unwanted ones.

3. Task-specific solution. The output of the search is a set of event sequences and
   constraints, in the form of timing inequalities between timers and network delays,
   that satisfy the given condition or evaluation criterion. This output is then processed
   to find a solution depending on the task definition: topology synthesis or timer
   configuration.

These steps are discussed further below and illustrated by a case study.

Task Definition
We identify two kinds of tasks to which our method may be applied: topology synthesis
and timer configuration.

Topology synthesis is performed when the timer values are known and the objective is to
identify the topology (i.e. the $D$ matrix) that produces the best- or worst-case behavior.

Timer configuration is performed when the topology is given (i.e. the $D$ matrix is
known) and the timer values are being determined (i.e. they are the variables). The
solution in this case is the set of timer expiration values, or ranges, that cause best- or
worst-case behavior.
Case Study: The Timer Suppression Mechanism

As explained in an earlier chapter, the timer suppression mechanism is used in various
multipoint protocols. We believe it is a good building block to analyze as a first
end-to-end case study, since it is rich in multicast and timing semantics and can be
evaluated using standard performance criteria. In this section we present a simple
description of the mechanism, then present the model of it used thereafter in the analysis.

The timer suppression mechanism involves a request $q$ and one or more responses $p$.
When a system $Q$ detects the loss of a data packet, it sets a request timer and multicasts
a request $q$. When a system $i$ receives $q$, it sets a response timer (randomly, or as a
function of some parameter) whose expiration, after duration $Exp_i$, triggers a response
$p$. If system $i$ receives a response $p$ from another system $j$ before its timer expires,
it suppresses its own response.
Evaluation Criteria

Two criteria may be used to evaluate the performance of this mechanism.

The first is the number of response messages per request. In this case we define the
worst-case behavior to be one that produces the maximum number of responses per
request. As an extreme case, this occurs when no suppression takes place, i.e. all
potential responders that set their timers do indeed respond.

The second performance criterion is the response delay, i.e. the time taken by the
requester to receive a response. The worst-case scenario in this case is one that
experiences the maximum response delay.

Timer Suppression Model
Following is the model of the timer suppression mechanism we use in the rest of the paper.

Protocol states (S). Following is the state symbol table for our model of the timer
suppression mechanism, along with the meaning of each symbol.

  State   Meaning
  D       potential responder
  D_T     responder with the response timer set
  R       original state of the requester
  R_T     requester with the request timer set

Stimuli or events. Sending/receiving messages: sending a response ($p_t$) or a request
($q_t$), and receiving a response ($p_r$) or a request ($q_r$). Timer and other events: the
events of firing the request timer ($Req$) and the response timer ($Res$); $L$ denotes
detecting packet loss.

Notation. Following is a description of the notation used in the transition table.

- An event subscript denotes the system initiating the event, e.g. $p_{t_i}$ is a
  response sent by system $i$, while the subscript $m$ denotes multicast reception, e.g.
  $p_{r_m}$ denotes receipt of a response by all members of the group if no loss occurs.
  When system $i$ receives a message sent by system $j$, this is denoted by the subscript
  $i,j$, e.g. $p_{r_{i,j}}$ is system $i$ receiving a response from system $j$.
- The state subscript $T$ denotes the existence of a timer, and is used by the algorithm
  to apply the timer implication, i.e. to fire the timer event after the expiration
  period.
- A state transition has a start state and an end state, and is written
  $startState \rightarrow endState$, e.g. $D \rightarrow D_T$. It implies the existence
  of a system in the start state (i.e. $D$) as a condition for the completion of the
  transition to the end state (i.e. $D_T$).
- An effect in the transition table may contain a state transition and a stimulus, in the
  form $startState \rightarrow endState,\ stimulus$, which indicates the triggering of
  the stimulus if the state transition occurs. An effect may contain several transitions,
  e.g. $Trans_1, Trans_2$, which indicates that, of these transitions, all those with
  satisfied conditions will occur.
Transition table. Following is the transition table for the timer suppression mechanism.

  Symbol    Event   Effect                                     Meaning
  loss      $L$     $R \rightarrow R_T$, $q_t$                 loss detection causes transmission of $q$ and setting of the request timer
  tx_req    $q_t$   $q_{r_m}$                                  transmission of $q$ causes multicast reception of $q$ after the network delay
  rcv_req   $q_r$   $D \rightarrow D_T$                        reception of $q$ causes a system in state $D$ to set its response timer
  res_tmr   $Res$   $D_T \rightarrow D$, $p_t$                 response-timer expiration causes transmission of $p$ and a change to state $D$
  tx_res    $p_t$   $p_{r_m}$                                  transmission of $p$ causes multicast reception of $p$ after the network delay
  rcv_res   $p_r$   $R_T \rightarrow R$, $D_T \rightarrow D$   reception of $p$ by a system with its timer set causes suppression
  req_tmr   $Req$   $q_t$                                      expiration of the request timer causes (re)transmission of $q$
The model contains one requester $Q$ and several potential responders (e.g. $i$ and $j$).
Let $t_0$ be the time at which $Q$ sends the request $q$. All the potential responders
initially exist in state $D$. The request sent by $Q$ is received by $i$ and $j$ at times
$t_0 + d_{Q,i}$ and $t_0 + d_{Q,j}$, respectively. When the request $q$ is sent, the
requester transitions into state $R_T$ by setting the request timer. Upon receiving a
request, a potential responder in state $D$ transitions into state $D_T$ by setting the
response timer. The time at which an event occurs is written $t(event)$, e.g. $q_{r_j}$
occurs at $t(q_{r_j})$.
Implication Rules

The backward search uses the following cause/effect implication rules.

Transmission/Reception (Tx_Rcv). From the reception of a message, the algorithm implies
the transmission of that message, without loss, some time in the past, after applying the
network delay. An example of this implication is
$$p_{r_{i,j}} \Leftarrow p_{t_j}, \quad\text{where}\quad t(p_{r_{i,j}}) = t(p_{t_j}) + d_{j,i}.$$

Timer Expiration (Tmr_Exp). When a timer expires, the algorithm infers that it was set
$Exp$ time units in the past, and that no event occurred during that period to reset the
timer. An example of this implication is
$$Res_i.(D_{T_i} \rightarrow D_i) \Leftarrow D_{T_i}, \quad\text{where}\quad t(Res_i) = t(D_{T_i}) + Exp_i$$
and $Exp_i$ is the duration of the response timer $Res_i$.

State Creation (St_Cr). A state is created from another by reversing the transition rules
and going towards the start state of the transition. For example,
$$D_{T_i} \Leftarrow (D_i \rightarrow D_{T_i}).$$

Since there is only one requester, we simply write $q_t$ instead of $q_{t_Q}$ and
$q_{r_i}$ instead of $q_{r_{i,Q}}$. The time of a state is the time at which the state was
first created, so $t(D_{T_i})$ is the time at which $i$ transited into state $D_T$. We use
the notation $Event.Effect$ to represent a transition.
In the following sections we use the above model and algorithm to synthesize worst- and
best-case behavior scenarios according to the protocol overhead and the response time
performance criteria.
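The model and transition table above can be executed directly. The following Python program is an added example written for this page; it is not code from the dissertation or from the STRESS project. It is a discrete-event simulation of the timer suppression GFSM: it takes a delay matrix $D$ (a dictionary keyed by ordered `(from, to)` pairs), the response-timer durations $Exp_i$, the request-timer duration $Req$, and an optional selective-loss set for response messages, and returns the two evaluation criteria, the number of responses triggered per request and the response time. The node names `"Q"`, `1`, `2`, `3` and all delay and timer values are constructed for the example. Unlike the single-round overhead analysis that follows, the simulation also applies the $req\_tmr$ rule, so a response lost by the requester leads to a retransmitted request after $Req$.

```python
"""Added example: discrete-event simulation of the timer suppression GFSM.

The transition table of the chapter is executed over a delay matrix D and
timer values, so the two evaluation criteria (responses per request and
response time) can be measured for a concrete topology and loss scenario.
"""
import heapq
from typing import Dict, FrozenSet, Hashable, List, Optional, Tuple

Node = Hashable
Delay = Dict[Tuple[Node, Node], float]      # D[(i, j)] = d_{i,j}, delay from i to j


def full_mesh(nodes: List[Node], delay: float) -> Delay:
    """Delay matrix of a completely connected VLAN with one delay for every ordered pair."""
    return {(a, b): delay for a in nodes for b in nodes if a != b}


def simulate(D: Delay, exp: Dict[Node, float], req: float, requester: Node = "Q",
             loss: FrozenSet[Tuple[int, Node]] = frozenset(), t0: float = 0.0,
             max_rounds: int = 3) -> Tuple[int, Optional[float]]:
    """Run the mechanism from the loss detection at `requester` at time t0.

    exp[i] is Exp_i for each potential responder i; req is the request-timer duration.
    loss is a set of (n, k): the n-th response transmitted overall is not received by k
    (selective loss). Requests are assumed not to be lost, as in the chapter.
    Returns (number of responses sent, response time); the latter is None if the
    requester never recovers within max_rounds request rounds.
    """
    responders = list(exp)
    state: Dict[Node, str] = {requester: "R", **{i: "D" for i in responders}}
    timer_gen = {i: 0 for i in responders}          # generation of i's current response timer
    queue: List[Tuple[float, int, str, Node, int]] = []
    seq = 0

    def schedule(t: float, kind: str, node: Node, info: int = 0) -> None:
        nonlocal seq
        seq += 1                                     # FIFO order among simultaneous events
        heapq.heappush(queue, (t, seq, kind, node, info))

    responses = 0
    response_time: Optional[float] = None
    rounds = 0

    def send_request(t: float) -> None:              # tx_req: q_t -> q_{r_m}
        nonlocal rounds
        rounds += 1
        for i in responders:
            schedule(t + D[(requester, i)], "q_r", i)
        if rounds < max_rounds:                      # (re)arm the request timer
            schedule(t + req, "Req", requester)

    state[requester] = "R_T"                         # loss: L -> (R -> R_T), q_t
    send_request(t0)

    while queue:
        t, _, kind, node, info = heapq.heappop(queue)
        if kind == "q_r":                            # rcv_req: q_r -> (D -> D_T)
            if state[node] == "D":
                state[node] = "D_T"
                timer_gen[node] += 1
                schedule(t + exp[node], "Res", node, timer_gen[node])
        elif kind == "Res":                          # res_tmr: Res -> (D_T -> D), p_t
            if state[node] == "D_T" and info == timer_gen[node]:
                state[node] = "D"
                responses += 1
                for k in [requester] + [r for r in responders if r != node]:
                    if (responses, k) not in loss:   # tx_res: p_t -> p_{r_m}, minus selective loss
                        schedule(t + D[(node, k)], "p_r", k)
        elif kind == "p_r":                          # rcv_res: p_r -> (R_T -> R), (D_T -> D)
            if node == requester:
                if state[node] == "R_T":
                    state[node] = "R"
                    response_time = t - t0           # recovery: first response received by Q
            elif state[node] == "D_T":
                state[node] = "D"                    # suppression; the pending Res is now stale
        elif kind == "Req":                          # req_tmr: Req -> q_t
            if state[node] == "R_T":
                send_request(t)
    return responses, response_time


def example_topologies() -> Dict[str, Delay]:
    """Constructed sample topologies for Q and responders 1, 2, 3 (all delays in msec)."""
    base = full_mesh(["Q", 1, 2, 3], 10.0)
    suppressing = {**base, (1, 2): 15.0, (2, 1): 15.0, (1, 3): 30.0, (3, 1): 30.0,
                   (2, 3): 50.0, (3, 2): 50.0}
    # d_{j,i} > Exp_i - Exp_j for every later responder i: nobody gets suppressed.
    worst = {**base, (1, 2): 25.0, (2, 1): 25.0, (1, 3): 55.0, (3, 1): 55.0,
             (2, 3): 35.0, (3, 2): 35.0}
    # Responder 3 receives 1's response before the request itself, so it is not suppressed.
    late_request = {**suppressing, ("Q", 3): 100.0}
    return {"suppressing": suppressing, "worst": worst, "late_request": late_request}


if __name__ == "__main__":
    exp = {1: 30.0, 2: 50.0, 3: 80.0}
    for name, D in example_topologies().items():
        print(name, simulate(D, exp, req=500.0))
    # Single responder whose first response is lost by Q: recovery needs a second round.
    print("lost", simulate(full_mesh(["Q", 1], 10.0), {1: 30.0}, req=200.0,
                           loss=frozenset({(1, "Q")})))
```

The three sample topologies differ only in the responder-to-responder delays, which is exactly the knob the topology-synthesis task turns: with short delays one response suppresses the rest, with long delays all three fire, and a large $d_{Q,3}$ shows the case where a response arrives while the receiver is still in state $D$ and therefore does not suppress anything.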
Protocol Overhead Analysis

In this section we conduct worst- and best-case performance analyses for the timer
suppression mechanism with respect to the number of responses triggered per request.
Initially we assume no loss of messages until recovery, and we assume that the request
timer is high enough that recovery will occur within one request round. Multiple request
rounds, which involve multiple timers, are discussed in Appendix E.
Worst-case analysis

Worst-case overhead analysis in our study aims to attain scenarios that experience the
maximum number of responses per request. In this section we present our algorithm to
obtain the inequalities that lead to worst-case scenarios. These inequalities are given in
terms of network delays and timer expiration values.

Target event and conditions. Since the overhead in this case is measured as the number of
response messages, the designer identifies the event of triggering a response, $p_t$, as
the target event, and the goal is to maximize the number of response messages.

The search. As described above, there are three main steps for the search algorithm:
(1) identifying the targets (wanted and unwanted transitions); (2) obtaining sequences
leading to the wanted and unwanted transitions and calculating the times for these
sequences; and (3) formulating the inequalities that achieve the time constraints required
to invoke wanted transitions and avoid unwanted transitions.
1. Identifying conditions. The algorithm searches recursively for the transitions
necessary to trigger the target event, and for their conditions. These are called wanted
transitions and wanted conditions, respectively. In addition, the algorithm searches for
transitions that nullify the target event or invalidate any of its conditions. These are
called unwanted transitions.

In our case the target event is the transmission of a response, i.e. $p_t$. The algorithm
identifies transition $res\_tmr$: $Res.(D_T \rightarrow D),\ p_t$ as a wanted transition
and its condition $D_T$ as a wanted condition. Transition $rcv\_req$:
$q_r.(D \rightarrow D_T)$ is also identified as a wanted transition, since it is necessary
to create $D_T$. The unwanted transition is identified as transition $rcv\_res$:
$p_r.(D_T \rightarrow D)$, since it alters the $D_T$ state without invoking $p_t$.
2. Obtaining sequences. Using backward search, the algorithm obtains sequences and
calculates time values for the following transitions: the wanted transition $res\_tmr$,
the wanted transition $rcv\_req$ and the unwanted transition $rcv\_res$, as follows.

To obtain the sequence of events for transition $res\_tmr$, the algorithm applies
implication rules Tmr_Exp, St_Cr and Tx_Rcv, in that order, and we get
$$Res_i.(D_{T_i} \rightarrow D_i).p_{t_i} \;\Leftarrow\; q_{r_i}.(D_i \rightarrow D_{T_i}) \;\Leftarrow\; q_{t_Q}.$$
Hence the calculated time for $t(p_{t_i})$ becomes
$$t(p_{t_i}) = t_0 + d_{Q,i} + Exp_i.$$

To obtain the sequence of events for transition $rcv\_req$, the algorithm applies
implication rule Tx_Rcv and we get
$$q_{r_i}.(D_i \rightarrow D_{T_i}) \;\Leftarrow\; q_{t_Q}.$$
Hence the calculated time for $t(q_{r_i})$ becomes
$$t(q_{r_i}) = t_0 + d_{Q,i}.$$

To obtain the sequence of events for transition $rcv\_res$ for systems $i$ and $j$, the
algorithm applies implication rules Tx_Rcv, Tmr_Exp, St_Cr and Tx_Rcv, in that order,
and we get
$$p_{r_{i,j}}.(D_{T_i} \rightarrow D_i) \;\Leftarrow\; Res_j.(D_{T_j} \rightarrow D_j).p_{t_j} \;\Leftarrow\; q_{r_j}.(D_j \rightarrow D_{T_j}) \;\Leftarrow\; q_{t_Q}.$$
Hence the calculated time for $t(p_{r_{i,j}})$ becomes
$$t(p_{r_{i,j}}) = t_0 + d_{Q,j} + Exp_j + d_{j,i}.$$
3. Formulating inequalities. Based on the above wanted and unwanted transitions, the
algorithm avoids transition $rcv\_res$ while invoking transition $res\_tmr$ to transit
out of $D_T$. To achieve this, the algorithm automatically derives the following
inequality (see Appendix E for more details):
$$t(p_{t_i}) < t(p_{r_{i,j}}).$$
Substituting the expressions for $t(p_{t_i})$ and $t(p_{r_{i,j}})$ derived above, we get
$$d_{Q,i} + Exp_i < d_{Q,j} + Exp_j + d_{j,i}.$$
In other words, $V_{t_i} < V_{t_j} + d_{j,i}$, where $V_{t_i} = d_{Q,i} + Exp_i$ is the
time (measured from $t_0$) required for system $i$ to trigger a response transmission, if
any.

Alternatively, the system must exist in a state different from $D_T$ to avoid the
unwanted transition, and the algorithm automatically derives the following inequality
(see Appendix E for more details):
$$t(p_{r_{i,j}}) < t(q_{r_i}).$$
Again substituting the expressions derived above, we get
$$d_{Q,i} > d_{Q,j} + Exp_j + d_{j,i}.$$
Note that these two inequalities are general for any number of responders, where $i$ and
$j$ are any two responders in the system. The figure below shows them as time lines (a)
and (b), respectively.
Figure: Time lines showing possible event sequencing for requester $Q$ and responders 1
and 2 (events $q_t$, $q_{r_1}$, $q_{r_2}$, $p_{t_1}$, $p_{t_2}$, $p_{r_{2,1}}$; delays
$d_{Q,1}$, $d_{Q,2}$, $d_{1,2}$; timers $Exp_1$, $Exp_2$).
(a) $t(p_{t_2}) < t(p_{r_{2,1}})$ and (b) $t(p_{r_{2,1}}) < t(q_{r_2})$ do not lead to
suppression, while (c) $t(p_{t_2}) > t(p_{r_{2,1}})$ together with
$t(p_{r_{2,1}}) > t(q_{r_2})$ leads to timer suppression.
Task-specific solutions.

Topology synthesis. Given the timer expiration values or ranges, we want to find a
feasible solution for the worst-case delays. A feasible solution in this context means
positive delay assignments.

In the worst-case inequality $d_{Q,i} + Exp_i < d_{Q,j} + Exp_j + d_{j,i}$ above, if we
take $d_{Q,i} = d_{Q,j}$ we get
$$Exp_i - Exp_j < d_{j,i}.$$
These inequalities put a lower limit on the delays $d_{j,i}$, hence we can always find a
positive $d_{j,i}$ to satisfy them. (The number of inequalities is less than the number of
unknowns $d_{i,j}$ in this case, hence there are multiple solutions. We can obtain a
solution by assigning values to some of the unknowns and solving for the others.)

Note that the delays used in the delay matrix reflect delays over the multicast
distribution tree. In general these delays are affected by several factors, including the
multicast routing protocol (tree type and dynamics), the unicast routing protocol, and the
propagation, transmission and congestion delays. One simple topology that reflects the
delays of the delay matrix is the completely connected network, where the underlying
multicast distribution tree coincides with the unicast routing.

Timer configuration. Given the delay values or ranges (i.e. bounds), we want to obtain
timer expiration values that produce worst-case behavior. We can obtain a range for the
relative timer settings, i.e. $Exp_i - Exp_j$, using the worst-case inequality above.

Several examples in the following section illustrate how to apply the above solutions.

Note, however, that it may not be feasible to satisfy all the constraints, due to upper
bounds on the delays for example. In this case the problem becomes one of maximization,
where the worst-case scenario is one that triggers the maximum number of responses per
request. This problem is discussed in Appendix E.
Best-case analysis

Best-case overhead analysis constructs constraints that lead to maximum suppression, i.e.
the minimum number of responses.

Target event and conditions. The performance criterion is changed to minimizing the
number of responses per request. The designer identifies the response event $p_t$ as the
target event, only this time the condition is to avoid (i.e. minimize) the target event.
Hence the algorithm identifies transition $res\_tmr$ as the unwanted transition.
Alternatively, the algorithm identifies transition $rcv\_res$ as the target condition.

The search. The following conditions are formulated using steps similar to those given in
the worst-case analysis:
$$t(p_{t_i}) > t(p_{r_{i,j}}), \quad\text{i.e.}\quad d_{Q,i} + Exp_i > d_{Q,j} + Exp_j + d_{j,i},$$
and
$$t(p_{r_{i,j}}) > t(q_{r_i}), \quad\text{i.e.}\quad d_{Q,i} < d_{Q,j} + Exp_j + d_{j,i}.$$
These are the complementary conditions to those given in the worst-case analysis. Panel
(c) of the time-line figure above shows both conditions holding together. Refer to
Appendix E for more details on the derivation of the inequalities.
Task-specific solutions.

Topology synthesis. Given the timer expiration values or ranges, we want to synthesize
the best-case delay assignment for the topology. Using the best-case inequality
$d_{Q,i} + Exp_i > d_{Q,j} + Exp_j + d_{j,i}$, if we take $d_{Q,i} = d_{Q,j}$ we get
$$Exp_i - Exp_j > d_{j,i}.$$
In this case the output topology may not always be feasible (e.g. if $Exp_i < Exp_j$, no
positive $d_{j,i}$ satisfies it), and the problem becomes that of minimizing the number
of responses. We discuss this case in Appendix E.

Timer configuration. Given the topology delay values and ranges, we want to determine
the timer expiration settings that produce the best-case behavior.

From the condition $d_{Q,i} < d_{Q,j} + Exp_j + d_{j,i}$ we get
$$Exp_j > d_{Q,i} - d_{Q,j} - d_{j,i} = -(d_{Q,j} - d_{Q,i} + d_{j,i}).$$
From the condition $d_{Q,i} + Exp_i > d_{Q,j} + Exp_j + d_{j,i}$ we get, after
rearranging,
$$Exp_i - Exp_j > d_{Q,j} - d_{Q,i} + d_{j,i}.$$
If the delays are given as an interval $[x, y]$, then using interval analysis
$$d_{Q,j} - d_{Q,i} + d_{j,i} \in [x - y + x,\; y - x + y] = [a, b],$$
and the two conditions for best-case performance become
$$Exp_j > -a \quad\text{and}\quad Exp_i > Exp_j + b.$$

We have presented the algorithmic details to construct worst- and best-case relations
between network delays and timer expiration values for the protocol overhead in terms of
response messages. The solution of the set of inequalities represents the delay and timer
settings for the performance stress scenarios. These relations are used in several
examples in the next section.
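The worst- and best-case relations above can be turned into a small synthesizer. The following Python code is an added example for this page, not part of the dissertation or of the STRESS tools. It implements the two task-specific solutions of this section and also covers the timer-configuration examples of the next section: lower bounds on $d_{j,i}$ from the worst-case inequality $d_{Q,i} + Exp_i < d_{Q,j} + Exp_j + d_{j,i}$; for the best case, the window for $d_{j^*,i}$ in which the earliest-firing responder $j^*$ suppresses every other $i$ (from $d_{Q,i} < d_{Q,j} + Exp_j + d_{j,i} < d_{Q,i} + Exp_i$), with a feasibility check; the interval $[a, b] = [2x - y,\ 2y - x]$ for delays in $[x, y]$ and the timer bounds it implies; and a check of a synthesized delay matrix against the same inequalities. The timer values and delays used in the usage example are constructed, and the choice of $j^*$ as the single suppressor is this example's own simplification.

```python
"""Added example: topology synthesis and timer configuration from the overhead inequalities."""
from typing import Dict, List, Optional, Tuple

Responder = int
Delay = Dict[Tuple[object, object], float]     # D[(a, b)] = d_{a,b}


def trigger_times(d_q: Dict[Responder, float], exp: Dict[Responder, float]) -> Dict[Responder, float]:
    """V_{t_i} = d_{Q,i} + Exp_i: when i sends its response (from t_0) if nothing suppresses it."""
    return {i: d_q[i] + exp[i] for i in exp}


def worst_case_delay_bounds(d_q: Dict[Responder, float],
                            exp: Dict[Responder, float]) -> Dict[Tuple[Responder, Responder], float]:
    """d_{Q,i} + Exp_i < d_{Q,j} + Exp_j + d_{j,i} as lower bounds d_{j,i} > V_i - V_j.
    Pairs with V_i <= V_j are satisfied by any positive delay and are left out."""
    V = trigger_times(d_q, exp)
    return {(j, i): V[i] - V[j] for j in exp for i in exp if i != j and V[i] > V[j]}


def best_case_delay_windows(d_q: Dict[Responder, float], exp: Dict[Responder, float]
                            ) -> Tuple[Responder, Dict[Responder, Optional[Tuple[float, float]]]]:
    """Take the earliest-firing responder j* as the suppressor: i is suppressed by j* iff
    d_{Q,i} < V_{j*} + d_{j*,i} < V_i, i.e. d_{j*,i} in (d_{Q,i} - V_{j*}, V_i - V_{j*}).
    Returns j* and, per other i, the positive part of that window, or None when it is
    empty (no feasible best-case topology for that pair)."""
    V = trigger_times(d_q, exp)
    jstar = min(V, key=V.get)
    windows: Dict[Responder, Optional[Tuple[float, float]]] = {}
    for i in exp:
        if i != jstar:
            lo, hi = max(0.0, d_q[i] - V[jstar]), V[i] - V[jstar]
            windows[i] = (lo, hi) if hi > lo else None
    return jstar, windows


def timer_configuration(x: float, y: float) -> Dict[str, float]:
    """All delays in [x, y]: d_{Q,j} - d_{Q,i} + d_{j,i} lies in [a, b] = [2x - y, 2y - x].
    Worst case needs Exp_i - Exp_j < a; best case needs Exp_j > -a and Exp_i - Exp_j > b."""
    a, b = 2 * x - y, 2 * y - x
    return {"a": a, "b": b, "worst_max_diff": a, "best_min_exp_j": -a, "best_min_diff": b}


def assign_topology(d_q: Dict[Responder, float], exp: Dict[Responder, float], worst: bool,
                    margin: float = 5.0, requester: object = "Q") -> Delay:
    """Build a full delay matrix: delays to/from Q as given (made symmetric), constrained
    pairs from the bounds above, every other pair set to `margin` (any positive value works).
    Raises ValueError when the best-case inequalities have no positive solution."""
    D: Delay = {}
    for i in exp:
        D[(requester, i)] = D[(i, requester)] = d_q[i]
    for j in exp:
        for i in exp:
            if i != j:
                D[(j, i)] = margin
    if worst:
        for (j, i), bound in worst_case_delay_bounds(d_q, exp).items():
            D[(j, i)] = bound + margin
    else:
        jstar, windows = best_case_delay_windows(d_q, exp)
        for i, window in windows.items():
            if window is None:
                raise ValueError(f"no positive d_{{{jstar},{i}}} satisfies the best-case inequalities")
            D[(jstar, i)] = (window[0] + window[1]) / 2
    return D


def predicted_responders(D: Delay, exp: Dict[Responder, float], requester: object = "Q") -> List[Responder]:
    """Evaluate the inequalities on a concrete D, in order of V_i: i responds unless some
    earlier responder j that did respond satisfies d_{Q,i} < V_j + d_{j,i} < V_i."""
    V = {i: D[(requester, i)] + exp[i] for i in exp}
    fired: List[Responder] = []
    for i in sorted(exp, key=V.get):
        if not any(D[(requester, i)] < V[j] + D[(j, i)] < V[i] for j in fired):
            fired.append(i)
    return fired


if __name__ == "__main__":
    d_q = {1: 10.0, 2: 10.0, 3: 10.0}          # constructed: equal delays from Q, in msec
    exp = {1: 30.0, 2: 50.0, 3: 80.0}          # constructed timer values, in msec
    print("worst-case lower bounds on d_{j,i}:", worst_case_delay_bounds(d_q, exp))
    print("best-case windows for d_{j*,i}:", best_case_delay_windows(d_q, exp))
    print("delays in [10, 20] msec:", timer_configuration(10.0, 20.0))
    for worst in (True, False):
        D = assign_topology(d_q, exp, worst=worst)
        print("worst" if worst else "best", "case responders:", predicted_responders(D, exp))
```

`predicted_responders` is the closed-loop check a designer wants after synthesis: it re-evaluates the derived inequalities on the delay matrix actually produced, so a wrong sign or an infeasible window shows up as the wrong set of responders rather than as a silently accepted topology.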
Example Case Studies

In this section we present several case studies that show how to apply the previous
analysis results to examples in reliable multicast and related protocol design problems.

Topology Synthesis

In this subsection we apply the test synthesis method to the task where the timer values
are known and the topology (i.e. the $D$ matrix) is to be synthesized according to the
worst-case behavior. We explore various timer settings. We use the virtual LAN in the
figure below to look at two examples of topology synthesis: one uses timers with fixed
randomization intervals, and the other uses timers that are a function of distance.

Let $Q$ be the requester and 1, 2 and 3 be the potential responders. At time $t_0$, $Q$
sends the request.

For simplicity we assume, without loss of generality, that the systems are ordered such
that $V_{t_i} < V_{t_j}$ for $i < j$, e.g. system 1 has the least $d_{Q,i} + Exp_i$, then
2, then 3. (From interval analysis, $[x,y] + [x,y] = [x + x,\; y + y]$,
$[x,y] - [x,y] = [x - y,\; y - x]$ and $z\,[x,y] = [zx,\; zy]$.)

Figure: The virtual LAN with requester $Q$ and potential responders 1, 2 and 3.

Thus the inequalities $V_{t_i} < V_{t_j} + d_{j,i}$ are readily satisfied for $i < j$, and
we need only satisfy them for $i > j$. From the worst-case inequality
$V_{t_i} < V_{t_j} + d_{j,i}$ above we get
$$V_{t_2} < V_{t_1} + d_{1,2}, \qquad V_{t_3} < V_{t_1} + d_{1,3}, \qquad V_{t_3} < V_{t_2} + d_{2,3}.$$
By satisfying these inequalities we obtain the delay settings of the worst-case topology,
as will be shown in the rest of this section.
Timers with fixed randomization intervals

Some multicast applications and protocols, such as wb, IGMP [Fen] or PIM [EFH b],
employ fixed randomization intervals to set the suppression timers. For instance, for the
shared whiteboard wb [FJL], the response timer is assigned a random value from a
uniformly distributed interval parameterized by $t$, where $t$ (in msec) takes one value
for the source ($src$) and another for the other responders.

Assume $Q$ is a receiver with a lost packet. Using the wb parameters we get one value
$Exp_{src}$ for the source and a common value $Exp_i$ for all other nodes.

To derive worst-case topologies from the inequalities we may use a standard mathematical
tool for linear or nonlinear programming (for more details see Appendix E). However, in
the following we illustrate general techniques that may be used to obtain the solution.

From the inequalities we get
$$d_{Q,2} + Exp_2 = V_{t_2} < V_{t_1} + d_{1,2} = d_{Q,1} + Exp_1 + d_{1,2}.$$
This can be rewritten as
$$d_{Q,2} - d_{Q,1} - d_{1,2} < Exp_1 - Exp_2 = \mathit{diff}_{1,2},$$
where $\mathit{diff}_{1,2}$ takes one value if system 1 is the source, another if system 2
is the source, and is 0 otherwise (all non-source responders use the same timer value).

Figure: The virtual LAN showing the pairwise delays $d_{Q,1}$, $d_{Q,2}$, $d_{Q,3}$,
$d_{1,2}$, $d_{1,3}$ and $d_{2,3}$.

Similarly, we derive the following from the inequalities for $V_{t_3}$:
$$d_{Q,3} - d_{Q,1} - d_{1,3} < \mathit{diff}_{1,3} \quad\text{and}\quad d_{Q,3} - d_{Q,2} - d_{2,3} < \mathit{diff}_{2,3}.$$
As a special case we assume one particular system to be the source and, for a
conservative solution, we choose the minimum value of each $\mathit{diff}$, giving
$\min \mathit{diff}_{1,2}$, $\min \mathit{diff}_{1,3}$ and $\min \mathit{diff}_{2,3}$.
We then substitute these values in the above inequalities and assign the values of some
of the delays to compute the others.

Example: if we assign $d_{Q,1} = d_{Q,2} = d_{Q,3}$ (a common value in msec), the three
inequalities reduce to lower bounds on $d_{1,2}$, $d_{1,3}$ and $d_{2,3}$.
The figure above shows one possible topology to which the above assigned delays can be
applied. These delays exhibit worst-case behavior for the timer suppression mechanism.

Timers as a function of distance

In contrast to fixed timers, this section uses timers that are a function of an estimated
distance. The expiration timer may be set as a function of the distance to the requester.
For example, system $i$ may set its timer to respond to a request from system $Q$ in the
interval $[C_1 E_{i,Q},\; (C_1 + C_2)\, E_{i,Q}]$, where $E_{i,Q}$ is the estimated
distance (delay) from $i$ to $Q$, which is calculated using message exchange (e.g. SRM
session messages) and is equal to $d_{i,Q} + d_{Q,i}$. Note that this estimate assumes
symmetry, which sometimes is not valid. [FJL] suggests setting $C_1$ and $C_2$ either to a
fixed constant or to $\log G$, where $G$ is the number of members in the group.

As a special case we fix $C_1$ and $C_2$ and attempt to synthesize the worst-case
topology. Substituting the interval for $Exp_i$ into the difference $Exp_1 - Exp_2$ we
get the expression
$$C_1 (d_{1,Q} + d_{Q,1}) - (C_1 + C_2)(d_{2,Q} + d_{Q,2}) \;<\; Exp_1 - Exp_2 \;<\; (C_1 + C_2)(d_{1,Q} + d_{Q,1}) - C_1 (d_{2,Q} + d_{Q,2}).$$

Example: if we assume that $d_{1,Q} = d_{Q,1} = d_{2,Q} = d_{Q,2}$ (a common value in
msec), the above relation reduces to a numeric bound on $Exp_1 - Exp_2$ in msec.
Substituting in the worst-case inequality for $V_{t_2}$ above, we get a lower bound on
$d_{1,2}$ in msec. Under similar assumptions we can obtain $d_{1,3}$ and $d_{2,3}$.

Topologies with the above delay settings will experience the worst-case overhead
behavior, as defined above, for the timer suppression mechanism.

As was shown, the inequalities formulated automatically by our method can be used with
various timer strategies, e.g. fixed timers or timers as a function of distance. Although
the topologies we have presented are limited, a mathematical tool can be used to obtain
solutions for larger topologies.
Timer Configuration

In this subsection we give simple examples of the timer configuration task solution, where
the delay bounds (i.e. the $D$ matrix) are given and the timer values are adjusted to
achieve the required behavior. In these examples the delay is given as an interval
$[x, y]$ msec. We show examples for worst-case and best-case analysis.

Worst-case analysis. If the given range for all delays is $[x, y]$ msec, then the term
$d_{Q,j} - d_{Q,i} + d_{j,i}$ evaluates to the interval $[2x - y,\; 2y - x]$. From the
worst-case inequality above, rearranged as
$Exp_i - Exp_j < d_{Q,j} - d_{Q,i} + d_{j,i}$, we get
$$Exp_i - Exp_j < 2x - y$$
to guarantee that a response is triggered by $i$ for every delay assignment in the range.
When $2x - y$ is negative, as it is for the delay ranges used in these examples, this says
that $i$'s expiration timer must be less than $j$'s by at least $y - 2x$ msec. Note that
we have an implied inequality $Exp_i > 0$ for all $i$. These timer expiration settings
would exhibit worst-case behavior for the given delay bounds.

Best-case analysis. This case is a direct substitution into the best-case conditions
$Exp_j > -a$ and $Exp_i > Exp_j + b$ derived above, with $[a, b] = [2x - y,\; 2y - x]$.
For a given delay range $[x, y]$ msec for all delays we obtain $a$ and $b$, hence a lower
bound on $Exp_j$ in msec; choosing a value of $Exp_j$ that satisfies it then gives a lower
bound on $Exp_i$ in msec. The same substitution applies to any other delay range. These
timer settings would trigger the best-case behavior for the given delay ranges.

Note that for the worst-case analysis we were only able to get relative timer settings,
whereas for the best-case analysis we could obtain absolute timer values.

We plan to conduct more intensive studies and simulations to show the utility of our
methodology.
Response Time Analysis

In this section we conduct the performance analysis with respect to the response time,
which is the time for the requester to receive the response and recover from the packet
loss. With the assumption of no message loss until recovery, the solution becomes trivial,
since the response time in that case is simply the time taken for the requester to receive
the first response, regardless of other responses. So for our analysis we allow the loss of
at most a single response message during the recovery phase. Such loss may be selective,
i.e. the response may be received by some systems but not others. In this case the
transition rules are applied only to those systems that receive the message.

The algorithm obtains the possible sequences leading to the target event and calculates
the response time for each sequence. To synthesize the worst-case scenario that maximizes
the response time, for example, the sequence with the maximum time is chosen.
Target event. The response time is the time taken by the mechanism to recover from the
packet loss, i.e. until the requester receives the response $p$ and resets its request
timer by transitioning out of the $R_T$ state. In other words, the response time is
$$t(p_{r_Q}) - t(q_{t_Q}) = t(p_{r_Q}) - t_0.$$
The designer identifies $t(p_{r_Q})$ as the target time, hence $p_{r_Q}$ is the target
event.

The search. For illustrative purposes we present in detail the case of a single responder,
then discuss the multiple-responder case.
Backward search. Starting from $p_{r_Q}$, the backward search yields
$$p_{r_Q}.(R_{T_Q} \rightarrow R_Q) \;\Leftarrow\; p_{t_j}.(D_{T_j} \rightarrow D_j).Res_j\,[R_{T_Q}] \;\Leftarrow\; q_{r_j}.(D_j \rightarrow D_{T_j})\,[R_{T_Q}],$$
at which point the algorithm reaches a branching point, where two possible preceding
events could cause $q_{r_j}$. These are the two events in the transition table that cause
$q_t$. (The GFSM may be represented by a composition of individual states, e.g.
$[State_1, State_2]$ or $transition\,[State]$.)

The first is transition $loss$: $q_{t_Q}.(R_Q \rightarrow R_{T_Q})\,[D_j]$, and that ends
the backward search for this branch, as the initial state $R_Q$ is reached.

The second is transition $req\_tmr$: $Req_Q.q_{t_Q}\,[R_{T_Q}, D_j]$. Note that $Req_Q$
indicates the need for a transition to $R_{T_Q}$, and the search for this last state
eventually yields $q_{t_Q}.(R_Q \rightarrow R_{T_Q})\,[D_j]$.
Forward search. The algorithm performs a forward search and checks the consistency of the
GFSM. The forward search step may lead to a contradiction with the original backward
search, causing rejection of that branch as a feasible sequence. For example, one possible
forward sequence from the initial state gives
$$q_{t_Q}.(R_Q \rightarrow R_{T_Q})\,[D_j] \;\Rightarrow\; q_{r_j}.(D_j \rightarrow D_{T_j})\,[R_{T_Q}] \;\Rightarrow\; Res_j.(D_{T_j} \rightarrow D_j).p_{t_j}\,[R_{T_Q}].$$
The algorithm then searches two possible next states.

If $p_{t_j}$ is not lost, and hence causes $p_{r_Q}$, then the next state is
$[D_j, R_Q]$. But the original backward search (second branch) started from
$q_{t_Q}.Req_Q\,[R_{T_Q}, D_j]$, which cannot be reached from $[D_j, R_Q]$. Hence we get
a contradiction and the algorithm rejects this sequence.

If the response $p$ is lost by $Q$, we get $[D_j, R_{T_Q}]$, which leads to
$q_{t_Q}.Req_Q\,[R_{T_Q}, D_j]$. The algorithm identifies this as a feasible sequence.

Calculating the response time for each sequence, the algorithm picks the latter sequence
as the one with maximum response time.
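The backward search just shown, and the implication rules Tx_Rcv, Tmr_Exp and St_Cr defined earlier in the chapter, can be run mechanically over the transition table. The following Python program is an added example for this page, not code from the dissertation or the STRESS project. It encodes the seven rules of the transition table for one requester `Q` and one responder `j`, chains backward from a target event, accumulates the symbolic delay and timer terms along each chain, and returns one chain per branch, reproducing the two branches found above (the `loss` branch and the `req_tmr` branch) together with their response-time expressions. It does not perform the forward-search consistency check, so the `req_tmr` branch is reported as a candidate even though, as shown above, it is only feasible when `Q` loses the response; nor does it check the "no reset during the timer period" part of Tmr_Exp. The numeric delay and timer values in the usage example are constructed.

```python
"""Added example: backward search over the timer-suppression transition table."""
from typing import Dict, List, Tuple

Chain = Tuple[List[str], List[str]]   # (events, latest first; symbolic time terms, latest first)

# Transition table: rule -> (stimulus, state transitions (start, end), emitted stimulus or None)
RULES: Dict[str, Tuple[str, List[Tuple[str, str]], object]] = {
    "loss":    ("L",   [("R", "R_T")],                 "q_t"),
    "tx_req":  ("q_t", [],                             "q_r"),
    "rcv_req": ("q_r", [("D", "D_T")],                 None),
    "res_tmr": ("Res", [("D_T", "D")],                 "p_t"),
    "tx_res":  ("p_t", [],                             "p_r"),
    "rcv_res": ("p_r", [("R_T", "R"), ("D_T", "D")],   None),
    "req_tmr": ("Req", [],                             "q_t"),
}
# One requester Q and one responder j (the single-responder case of the chapter).
NODE_OF = {"L": "Q", "q_t": "Q", "Req": "Q", "p_r": "Q", "q_r": "j", "Res": "j", "p_t": "j"}
TIMERS = {"Res": ("D_T", "Exp_j"), "Req": ("R_T", "Req_Q")}   # timer event -> (timed state, duration)
INITIAL = {"Q": "R", "j": "D"}


def implied_by_state(state: str, node: str) -> List[Chain]:
    """St_Cr: a non-initial state was created by the rule whose transition ends in it."""
    if INITIAL[node] == state:
        return [([f"{state}_{node} (initial)"], [])]
    chains: List[Chain] = []
    for name, (stim, transitions, _) in RULES.items():
        for start, end in transitions:
            if end != state or NODE_OF[stim] != node:
                continue
            for ev_steps, ev_terms in implied_by_event(stim):
                for st_steps, st_terms in implied_by_state(start, node):
                    chains.append(([f"{name}: ({start}_{node} -> {state}_{node})"] + ev_steps + st_steps,
                                   ev_terms + st_terms))
    return chains


def implied_by_event(event: str) -> List[Chain]:
    """Backward search: every chain of events that makes `event` happen, with its time terms."""
    node = NODE_OF[event]
    if event == "L":                                   # loss detection at Q starts the scenario
        return [([f"L_{node} (initial)"], [])]
    if event in TIMERS:                                # Tmr_Exp: timer set `duration` earlier, in the timed state
        timed_state, duration = TIMERS[event]
        return [([f"{event}_{node} fires"] + steps, [duration] + terms)
                for steps, terms in implied_by_state(timed_state, node)]
    chains: List[Chain] = []
    for name, (stim, _, emitted) in RULES.items():
        if emitted != event:
            continue
        if name in ("tx_req", "tx_res"):               # Tx_Rcv: reception = transmission + network delay
            sender = NODE_OF[stim]
            delay = f"d_{{{sender},{node}}}"
            chains += [([f"{event}_{node} <= {stim}_{sender} + {delay}"] + steps, [delay] + terms)
                       for steps, terms in implied_by_event(stim)]
        else:                                          # the rule's own stimulus must have occurred
            chains += [([f"{event}_{node} <= {name}"] + steps, terms)
                       for steps, terms in implied_by_event(stim)]
    return chains


def time_expressions(target: str = "p_r") -> List[str]:
    """t(target) for every branch, as a symbolic sum in chronological order."""
    return sorted(" + ".join(["t0"] + list(reversed(terms))) for _, terms in implied_by_event(target))


def response_times(values: Dict[str, float], target: str = "p_r") -> List[float]:
    """Numeric t(target) - t0 per branch for concrete delays and timers; the max is the worst case."""
    return sorted(sum(values[term] for term in terms) for _, terms in implied_by_event(target))


if __name__ == "__main__":
    for steps, terms in implied_by_event("p_r"):
        print(" <= ".join(steps))
        print("   terms:", terms)
    print(time_expressions())
    # constructed values, in msec
    print(response_times({"d_{Q,j}": 10.0, "Exp_j": 30.0, "d_{j,Q}": 10.0, "Req_Q": 200.0}))
```

Because every rule is data rather than code, adding a responder or another suppression rule means extending `RULES`, `NODE_OF` and `TIMERS`; the search itself is unchanged. The branch that carries the `Req_Q` term is the one the forward search above keeps, and it is the one with the larger response time.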
For multiple responders, the algorithm automatically explores the different possible
selective loss patterns of the response message. The only feasible sequence obtained by
the search is one in which the requester loses the response, only one responder (e.g. $j$)
triggers a response, and the rest suppress. Otherwise the forward search with a single
response loss reaches a contradiction.

To satisfy this condition, the algorithm creates conditions and inequalities similar to
those formulated for the best-case analysis with respect to the number of responses (see
the best-case analysis above).

Conclusion
We have presented a methodology for test synthesis for performance evaluation of
multipoint protocols. In this chapter our method was applied to evaluate the performance
of the timer suppression mechanism, a common building block for various multipoint
protocols. We used a virtual LAN model to represent the underlying network topology. We
adopted the fault-oriented test generation algorithm for search and extended it to
capture timing and delay semantics and to deal with performance issues for end-to-end
multipoint protocols.

Two performance criteria were used for evaluation of the worst- and best-case scenarios:
the number of responses per request and the response delay. We applied our algorithm to
several case studies to illustrate how to use the method in simulation and test synthesis
problems relating to real protocols.

We do not claim to have a generalized algorithm that applies to any arbitrary protocol.
However, we hope that similar approaches may be used to identify and analyze other
protocol building blocks. We believe that such systematic analysis tools will be essential
in designing and testing the protocols of the future.
Summary and Future Work

Network protocols are becoming more complex with the growth of the Internet and the
introduction of new services such as multicast. In addition, network failures may cause
protocols to behave in an unexpected fashion. In this study we develop a methodology to
study multipoint (multicast-based) protocols in the presence of network failures.

The goal of our methodology is to make network design more robust by systematizing and
automating test synthesis for multipoint protocols. We provide a set of practical methods
and algorithms to study the robustness and worst-case performance of Internet multipoint
protocols. One major problem we address using our algorithms is the problem of state
space explosion, where the space of possible events and topologies becomes impossible to
search exhaustively.

This document presents our methodology to achieve the above goals in the context of
multicast routing and end-to-end multipoint protocols. This chapter presents a summary
of our contributions and describes our proposed future work.
Con tributions
In this dissertation w e ha v e presen ted our framew ork for systematic test syn thesis for
m ultip oin t proto col design In this pro cess weha vecon tributed to the dev elopmen t of the
metho dology the proto col mo dels and the test generation algorithms In addition case
studies for m ultip oin t proto cols resulted in iden tication of design errors in the proto cols
studied
The Metho dology
Weha v e dev elop ed the STRESS metho dology Our con tributions lie in that weha v e
Prop osed a framew ork for systematic ev aluation of m ultip oin t proto col design through
the in tegration of test generation sim ulation and em ulation The framew ork can b e
used to ev aluate design tradeos analyze proto col b eha vior under v arious net w ork
conditions or test proto col implemen tation
Iden tied test generation as an in tegral part of the design and testing pro cess of net
w ork proto cols Our w ork is the rst w ork of whic hw e are a w are that addresses test
syn thesis with all its dimensions top ology ev en t sequences and faults explicitly
and systematically for m ultip ointnet w ork proto cols
Test Generation Algorithms

We have developed three test generation (TG) algorithms: heuristic TG, fault-independent TG and fault-oriented TG.

The heuristic approach introduces the notion of representative scenarios to circumvent the state explosion problem. Also, it identifies representative topologies based on equivalence relationships. The equivalence definition suggests that extending the simulated topologies would not reveal additional errors in the protocol. This approach, however, does not automate the generation of the host events and topologies.

The fault-independent approach uses a forward search technique. The complexity of the algorithm for our case study is reduced from exponential to polynomial in the number of routers by the use of counting equivalence. This approach does not synthesize the topology automatically.

By contrast, the fault-oriented test generation (FOTG) uses a backward search as the main search technique, starting from the target fault. This approach performs topology synthesis automatically as part of the search process. We have further extended the basic FOTG approach to be used for end-to-end performance evaluation, to synthesize worst and best case performance scenarios.
Modeling

We have modeled our target system as an extended global finite state machine (GFSM). The GFSM model used in our methods was extended to capture multicast semantics, timers and delays by introducing the virtual LAN concept. Fault models were integrated into the system model to include selective packet loss, crashes and extended delays. Performance issues were also addressed in the model to be able to represent criteria such as message overhead and response times.
Case Studies

We have conducted case studies for multicast routing and end-to-end multipoint protocols.

We have established a set of test suites for the multicast routing protocols studied, PIM-DM and PIM-SM. Using our method we uncovered several correctness violations in PIM, including black holes caused by Join, Prune and Graft message loss, Register looping, and wasted bandwidth caused by the Assert mechanism. We also provided detailed simulations for PIM-DM and PIM-SM in ns and a detailed implementation of PIM-SM.

We have studied the timer suppression mechanism for end-to-end multipoint protocols. We have synthesized scenarios for best and worst case performance behaviors for the response overhead and response time evaluation criteria. We applied the resulting solution to the topology synthesis and timer configuration tasks.
Future Work

Our future work includes improvements of current methods and algorithms, in addition to exploring potential extensions and applications of the methodology.

Improving current algorithms

The fault-independent test generation method, as presented in this study, is not able to synthesize the topology as part of the output test scenarios. Symbolic representation techniques may be investigated to add the topology synthesis capability to the method.

The automatic identification of equivalence classes remains part of future work.

Completeness of topology synthesis for fault-oriented test generation should be proven in order to achieve full coverage of the state space. Using symbolic representation, the topologies synthesized by FOTG may be proven to be sufficient to capture all the robustness violations in the given protocol.

In order to reduce the complexity of the search algorithms in general, and FOTG in specific, reduction techniques based on equivalence, early detection of reachability, or others should be investigated.
Multihop topologies

The methods in this study use a single-hop LAN or a virtual LAN model. However, to enable studies involving more complex topologies or clusters of systems, the model must be extended to represent multihop LANs. Clusters of networks may be represented as multihop virtual LANs. In order to enable multihop studies we must consider inter-LAN interactions in addition to interactions between systems on the same LAN.
Trace driven test generation

Traces collected from operational networks could be used to direct the process of test generation. Fault models that occur frequently in real networks can be targeted by the search algorithm, for example. Also, traffic, membership, topology and loss models can be used to direct the search. For example, during the search process, higher priority may be given to scenarios that occur more frequently.

Mapping functional correctness into the model

In general, the criteria of protocol correctness are given at the functional level, such as single packet delivery or absence of duplicates. These criteria must be mapped into the model used by the search algorithm in order to check for errors. This mapping must be proven to be sufficient (for completeness) and necessary (to avoid false alarms): to cover all the functional errors and only indicate erroneous scenarios. Future work should consider automating the process of this mapping, or at least systematizing the proof process.
Implementation of algorithms and integration with simulation

Simulation is a valuable tool for designing and evaluating network protocols. Researchers usually use their insight and expertise to develop simulation inputs and test suites. Our method may be used to assist in automating the process of choosing simulation inputs and scenarios.

Our future work will include implementing a more complete tool to automate our method, including search algorithms and modeling semantics, and tying it to a network simulator to be applied to a wider range of multipoint protocols.
Validating protocol building blocks

The design of new protocols and applications often borrows from existing protocols or mechanisms. Hence there is a good chance of reusing established mechanisms as appropriate in the design process. Identifying, verifying and understanding building blocks for such mechanisms is necessary to increase their reusability. Our method may be used as a tool to improve that understanding in a systematic and automatic manner.

Ultimately, one may envision that a library of these building blocks will be available, from which protocols (or parts thereof) will be readily composable and verifiable using CAD tools, similar to the way circuit and chip design is carried out today using VLSI design tools.

In our work we have identified some building block mechanisms for multicast routing and end-to-end multipoint protocols, namely the Join/Prune mechanism and the timer suppression mechanism. More work is needed to identify more building blocks to cover a wider range of protocols and mechanisms.

A related research area is to classify networking problems (e.g., timing problems) into categories and identify mechanistic building blocks that deal with different kinds of problems.
Application to protocol comparison and benchmarking

Different protocols may be grouped in the same class based on their functionality. The absence of a common test suite for a given class of protocols makes it hard to compare these protocols in a neutral way. Our method may be extended to develop tests that would functionally stress protocols with respect to given criteria, thus enabling the establishment of common test suites. These tests would be used to compare different protocols within the same class. Also, they may be used to test different versions, refinements or implementations of the same protocol, and hence facilitate interoperability testing.
Design space exploration and sensitivity analysis

Protocol design usually entails the configuration and setting of various parameters. Changing these parameters may lead to a change in behavior or performance. It is often prohibitively complex to investigate such a parameter design space manually or exhaustively.

This problem may be alleviated by the use of automatic generation of test suites for given parameter sets. For example, examining how the worst-case behavior or scenarios change with parameter values may help in making better design tradeoffs.

This kind of sensitivity analysis may also be carried out for environment parameters such as delay, bandwidth, or membership distribution. Changing these parameters may change the behavior of the protocol in some respect. Our method may be used to tune protocol parameters automatically for best case behaviors, as we have shown for the case of the timer configuration task.

In our study we have investigated only a single point in the design space at a time. Sensitivity analysis investigates a broader spectrum of parameter values. Thus it may require more efficient algorithms and ways of filtering and processing the output results in a manner useful to the researcher.
Generalization to performance bound analysis

An approach similar to the one we have taken for end-to-end performance evaluation in Chapter may be based on some performance bounds instead of worst or best case analyses. We call such an approach condition-oriented test generation (or analysis). For example, a target event may be defined as the response time exceeding certain delay bounds, either absolute bounds or as a function of some parameter. If such a scenario is not feasible, that indicates that the protocol gives absolute guarantees under the assumptions of the study. This may be used to design or analyze quality-of-service or real-time protocols, for example.
Applicability to other problem domains

So far our method has been applied to case studies on multicast routing robustness and multipoint protocol performance evaluation in the context of the Internet. Other problem and application domains may introduce new mechanistic semantics or assumptions about the system or environment. One example of such domains is sensor networks. These networks, similar to ad hoc networks, assume dynamic topologies and lossy channels, and deal with stringent power constraints, which differentiates their protocols from Internet protocols [EGH]. Possible research directions in this respect include:

extending the topology representation or model to capture dynamics, where delays vary with time;

defining new evaluation criteria that apply to the specific problem domain, such as power usage; and

investigating the algorithms and search techniques that best fit the new model or evaluation criteria.
Appendix A

Heuristic Test Generation for PIM-SM

In this appendix we present our case study for PIM-SM using the heuristic test generation approach (see Chapter ). This study uses the same equivalent topologies, representative scenarios and test suites that were used for the case study on PIM-DM presented earlier for the heuristic approach.

An overview of PIM-SM is given first. Then we present an elaborate example of applying the heuristic approach in conjunction with simulation, followed by the detailed results of the case study.

A PIM-SM Overview

PIM-SM is a multicast routing protocol that uses explicit join mechanisms for building shared multicast trees. For simplicity, we do not address source-specific trees in this description.
Figure A: How senders rendezvous with receivers. The figure shows routers A, B, C and D, the RP, a Sender and a Receiver, with three steps: 1. The Receiver sends a PIM join toward the RP, establishing a path from the RP back to the receiver. 2. The Sender sends a PIM register to the RP. 3. The RP sends data packets down the established path.
As shown in Figure A, when a receiver's local router (A) discovers it has local receivers, it starts sending periodic join messages toward a group-specific Rendezvous Point (RP). The join messages are multicast hop-by-hop. Each router along the path toward the RP builds a wildcard (any-source) route entry for the group and sends the join messages on toward the RP. A route entry is the state held in a router to maintain the distribution tree. Typically it includes the source address, the group address, the interface from which packets are accepted (incoming interface), and the list of interfaces to which packets are sent (outgoing list). This state forms a shared, RP-rooted distribution tree that reaches all group members.

When a source first sends to a group, its local router (D) unicasts register messages to the RP with the source's data packets encapsulated within. Data packets reaching the RP are forwarded natively down the shared tree toward group members.

Similarly, when a member leaves the group, a prune message is sent by the local router to stop the multicast traffic from flowing down the branch leading to the pruned member.

Being robust to at least a single message loss, even in the presence of unicast inconsistencies, was a design goal for PIM-SM. The Assert and prune-override mechanisms for PIM-SM are the same as those presented earlier for PIM-DM.
A Test suites

The topologies used for the study are those shown in Figure A.

The simulation environment and tracing semantics are the same as those given in Section .

Subsetting

For brevity, we do not consider source-specific trees and switching to the shortest paths in this paper. This is an example of state subsetting, since we consider shared group states while disregarding source-specific states.

The messages considered in the study are join, prune, assert and register messages. To study joins, prunes and asserts without the effect of registers, we consider a topology where the source and the RP are co-located (see S in the topology of Figure A). This is an example of message subsetting.

When studying registers, joins and prunes, we consider the topology in Figure A where (a) S is the source, hence node A sends registers to the RP, and (b) the routed topology has consistent unicast routing, to eliminate the effect of the assert mechanism. This represents function (or mechanism) subsetting. Only triggered actions are investigated, for simplicity.
Figure A: The topology used for the case study. Three panels, labeled Topology 1, Topology 2 and Overall topology, show the RP and routers A, B, C and D with source S1 (at the RP), source/receiver S2, R2 (at A) and receiver R1 (at B); the overall topology marks the unicast route to the RP.
A Applying the Method

We have developed a detailed implementation of PIM-SM. (Our detailed PIM-SM simulation mimics the unix pimd [Hel] implementation model, and hence is able to capture many implementation aspects. We plan to develop an interface between the simulator and an operational network running the pimd code. However, the analyses presented in this study are based strictly on the protocol specification, independent of the implementation.)

The method is applied in a manner similar to that presented in Section .

Example

In our simple example, an error condition is any packet loss or duplication experienced by the endpoints. A faulty scenario without packet loss that leads to two error conditions is identified and explained. Then the protocol actions leading to the errors are analyzed.

The representative scenario explained here is JJLL using topology . This scenario was identified automatically as a faulty scenario. The traces in Figure A give the history of the errors found. A trace takes the following format: "R Node A Rcv t ", meaning that receiver R in node A received a data packet with sequence number at time ms from the beginning of the simulation run. The first error, i.e., the packet duplication, has the host event J as the closest join or leave host event in its history, at time ms. The error is a join transient caused by parallel paths to the RP. The error is resolved using the Assert messages exchanged during the duplication at time ms. The second error, i.e., packet loss, is a leave transient; it has a host event L in its recent history. The loss is due to the prune sent by node A at ms and is resolved by a prune-override sent by node B at ms.

Figure A: Simple packet trace graph showing packet loss and duplication. The graph plots sequence number (7 to 13) against time (200 to 400 ms) for packets sent by S1 and received by R1 and R2, marking the duplicates, the loss, and the host events J2 and L1. The trace below lists the two columns of the figure merged into time order:

S1 Node RP Send 7 t 175
R1 Node A Rcv 7 t 190
S1 Node RP Send 8 t 200
J2 Node B Join G t 200
PIMS Node B Send Join{NH=D} t 200
PIMR Node A Rcv Join{NH=D} t 210
PIMR Node D Rcv Join{NH=D} t 210
PIMS Node D Send Join{NH=RP} t 210
PIMR Node C Rcv Join{NH=D} t 210
R1 Node A Rcv 8 t 221
R2 Node B Rcv 8 t 221
PIMR Node RP Rcv Join{NH=RP} t 221
S1 Node RP Send 9 t 225
R1 Node A Rcv 9 t 246
R2 Node B Rcv 9 t 246
PIMS Node D Send Assert t 246
PIMS Node C Send Assert t 246
R2 Node B Rcv 9 t 247
R1 Node A Rcv 9 t 247
S1 Node RP Send 10 t 250
S1 Node RP Send 12 t 300
L1 Node A Leave G t 300
PIMS Node A Send Prune{NH=C} t 300
PIMR Node C Rcv Prune{NH=C} t 310
PIMS Node C Send Prune{NH=RP} t 310
PIMR Node B Rcv Prune{NH=C} t 310
PIMS Node B Send Join{NH=C} t 310
PIMR Node D Rcv Prune{NH=C} t 310
R2 Node B Rcv 12 t 321
PIMR Node C Rcv Join{NH=C} t 321
PIMS Node C Send Join{NH=RP} t 321
PIMR Node RP Rcv Prune{NH=RP} t 321
PIMR Node A Rcv Join{NH=C} t 321
PIMR Node D Rcv Join{NH=C} t 321
S Node RP Send 13 t 325
PIMR Node RP Rcv Join{NH=RP} t 332
S Node RP Send 14 t 350
R2 Node B Rcv 14 t 371
S Node RP Send 15 t 375
R2 Node B Rcv 15 t 396

PIMS: sent by the PIM component
PIMR: received by the PIM component
NH: next hop

Although the protocol actions leading to the endpoint errors (specified as any packet loss or duplication in this specific example) are considered transient errors, they are not considered protocol design errors. We do, however, address protocol design errors in Section A.
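The two error conditions of this example (any duplicate or lost packet at an endpoint) and the look-back to the closest host event can be checked mechanically over traces in the format of Figure A. The Python below is an added example written for this edit, not the dissertation's simulator or any STRESS tool; its input is the trace listed in Figure A, merged into time order. It assumes that a host event J2 or L1 refers to receiver R2 or R1 by its digit, and that a receiver with no Join event in the trace has been a member since the run started. Because the figure's listing omits the receptions of packet 10 that its plot shows, the detector also reports packet 10 as lost for both receivers; the duplicate of packet 9 after the parallel paths and the loss of packet 13 after L1 come out as the text describes.

```python
import re
from collections import defaultdict

# The trace printed in Figure A, with its two columns merged into time order.
# Event fields: <id> Node <node> <action> <argument> t <time in ms>.
TRACE = """\
S1 Node RP Send 7 t 175
R1 Node A Rcv 7 t 190
S1 Node RP Send 8 t 200
J2 Node B Join G t 200
PIMS Node B Send Join{NH=D} t 200
PIMR Node A Rcv Join{NH=D} t 210
PIMR Node D Rcv Join{NH=D} t 210
PIMS Node D Send Join{NH=RP} t 210
PIMR Node C Rcv Join{NH=D} t 210
R1 Node A Rcv 8 t 221
R2 Node B Rcv 8 t 221
PIMR Node RP Rcv Join{NH=RP} t 221
S1 Node RP Send 9 t 225
R1 Node A Rcv 9 t 246
R2 Node B Rcv 9 t 246
PIMS Node D Send Assert t 246
PIMS Node C Send Assert t 246
R2 Node B Rcv 9 t 247
R1 Node A Rcv 9 t 247
S1 Node RP Send 10 t 250
S1 Node RP Send 12 t 300
L1 Node A Leave G t 300
PIMS Node A Send Prune{NH=C} t 300
PIMR Node C Rcv Prune{NH=C} t 310
PIMS Node C Send Prune{NH=RP} t 310
PIMR Node B Rcv Prune{NH=C} t 310
PIMS Node B Send Join{NH=C} t 310
PIMR Node D Rcv Prune{NH=C} t 310
R2 Node B Rcv 12 t 321
PIMR Node C Rcv Join{NH=C} t 321
PIMS Node C Send Join{NH=RP} t 321
PIMR Node RP Rcv Prune{NH=RP} t 321
PIMR Node A Rcv Join{NH=C} t 321
PIMR Node D Rcv Join{NH=C} t 321
S Node RP Send 13 t 325
PIMR Node RP Rcv Join{NH=RP} t 332
S Node RP Send 14 t 350
R2 Node B Rcv 14 t 371
S Node RP Send 15 t 375
R2 Node B Rcv 15 t 396
""".splitlines()

EVENT_RE = re.compile(r"^(\S+) Node (\S+) (\S+) (\S+) t (\d+)$")


def parse_event(line):
    """Split one trace line into its fields; None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ident, node, action, arg, t = m.groups()
    return {"id": ident, "node": node, "action": action, "arg": arg, "t": int(t)}


def analyze(lines):
    """Flag the example's endpoint error conditions: duplicate and lost data packets.

    Each error is tagged with the closest preceding host (join/leave) event, the way the
    text attributes the duplicate to J2 and the loss to L1.
    """
    events = [e for e in map(parse_event, lines) if e]
    host_events = [(e["t"], e["id"]) for e in events if e["action"] in ("Join", "Leave")]

    def closest_host_event(t):
        earlier = [h for h in host_events if h[0] <= t]
        return max(earlier)[1] if earlier else None

    # Membership per receiver. Assumption: J2/L1 names receiver R2/R1 by its digit, and a
    # receiver with no Join in the trace has been a member since the start of the run.
    node_of, join_at, leave_at = {}, {}, {}
    for e in events:
        if e["action"] in ("Join", "Leave"):
            rid = "R" + e["id"][1:]
            node_of.setdefault(rid, e["node"])
            (join_at if e["action"] == "Join" else leave_at)[rid] = e["t"]

    received = defaultdict(lambda: defaultdict(list))  # receiver -> seq -> reception times
    sends = []                                           # (seq, time) of data packets sent
    for e in events:
        if not e["arg"].isdigit() or e["id"].startswith("PIM"):
            continue                                     # control messages carry no sequence number
        seq = int(e["arg"])
        if e["action"] == "Rcv":
            node_of.setdefault(e["id"], e["node"])
            received[e["id"]][seq].append(e["t"])
        elif e["action"] == "Send":
            sends.append((seq, e["t"]))

    # Duplicate: a receiver sees the same sequence number a second time.
    duplicates = [(rid, node_of[rid], seq, t, closest_host_event(t))
                  for rid, seqs in received.items()
                  for seq, times in seqs.items()
                  for t in times[1:]]

    # Loss: a packet sent while the receiver was a member never arrived.
    losses = []
    for seq, t in sends:
        for rid, node in node_of.items():
            member = join_at.get(rid, float("-inf")) <= t < leave_at.get(rid, float("inf"))
            if member and seq not in received[rid]:
                losses.append((rid, node, seq, t, closest_host_event(t)))

    def by_time(err):
        return (err[3], err[0])

    return {"duplicates": sorted(duplicates, key=by_time), "losses": sorted(losses, key=by_time)}


if __name__ == "__main__":
    for kind, errors in analyze(TRACE).items():
        for rid, node, seq, t, host in errors:
            print(f"{kind}: {rid} at node {node}, packet {seq}, t {t} ms, closest host event {host}")
```

Each reported error carries the receiver, its node, the sequence number, the time (reception time for a duplicate, send time for a loss) and the closest host event in its history, which is the information the analysis above rolls back to.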
A Scenario and protocol coverage

While the fact that we were able to discover design errors provides some evidence of the method's utility, we would like to quantify the coverage of protocol states and possible scenarios.

The overall protocol coverage has two dimensions. The first is the protocol state coverage, and we attempt to cover this dimension using the representative scenarios' reachable states. Investigation of the loss scenarios does not affect protocol coverage significantly. The second dimension is the space of possible interaction scenarios between the state machines in different routers within the topology. This dimension is explored by investigating the selective loss scenarios.

Scenarios covered. The initial number of simulated scenarios without protocol message loss was

Σ_topologies No_rep_scenarios

where No_rep_scenarios is the number of representative scenarios (equal to in our case, discussed in Section ) and the topologies are the two discussed in Section . Hence we simulated scenarios without protocol message loss.
After feeding back the link traces for the messages under study, the loss patterns were assigned to the corresponding links. The scenario generator then set up the simulations for the new scenarios with loss.

The total number of scenarios with protocol message loss simulated is given by the following formula:

Σ_Topos Σ_Reps Σ_Msgs Σ_Links LinkMsgs LinkRtrs (A)

where the terms used are described in the following table:

Term      Meaning
Topos     Topologies
Reps      Representative scenarios
Msgs      Messages under study
LinkMsgs  Number of messages traversing the link
LinkRtrs  Number of routers connected to the link

For each topology, this formula gives the number of scenarios automatically generated after the first simulation run, during which the number of messages and links traversed by these messages is counted.

For example, for the first topology the messages under study were joins, prunes and asserts. The representative scenarios triggered joins, prunes and asserts on the LAN, and joins and prunes on point-to-point links. For the second topology the messages under study were joins and prunes. The representative scenarios triggered joins and prunes on the LAN, and joins and prunes on point-to-point links. Hence the total number of scenarios with loss became and scenarios, respectively.
Protocol code coverage. A large portion of the multicast support code in NS was annotated automatically to provide code tracing. The representative scenarios without loss invoked procedures out of overall annotated procedures. The procedures that were not invoked dealt mainly with source-specific state, which was abstracted in our test suites, or with the modularity of the object-oriented nature of the code.
A Results

This section describes the protocol design errors uncovered for PIM-SM under STRESS. We modified the error conditions to avoid join and leave transients since, unlike our simple example above, we are only interested in design errors. The new error conditions do not consider single duplication or loss.

Following is a summary of the major faulty scenarios encountered and how they relate to STRESS. For a more detailed discussion of the protocol errors and fixes, see Section A.
A Summary of Results

We describe a partial list of faulty scenarios captured by STRESS. We obtained this list after simulating only a few of the representative scenarios. The traces produced provided guidance to discover the protocol errors. Design errors discovered include the Assert, Join/Prune and Register mechanisms.

Asserts. For the first topology (see Figure A), a black hole was observed for one receiver.

The faulty scenario in this case involved another receiver joining in the recent history of the black hole. By analyzing the protocol trace history after rolling back, we noticed that an Assert process took place right before the loss.

In addition, the faulty scenario included the loss of a join message, which prevented the establishment of the branch of the shared tree from the Assert winner to the RP. Hence the protocol design error is allowing a router on a branch of the tree that is not completely established to participate in Asserts.

Joins and Prunes. Over the same topology (i.e., the first topology in Figure A), several other faulty scenarios lead to black holes. The host scenarios involved one receiver leaving just before black holes were experienced by the other receiver. In these cases, join and prune messages occurred in the recent history of the endpoint error.

Furthermore, all such scenarios included either (i) loss of a join message, preventing a pruned branch from being re-established, or (ii) selective loss of a prune message, preventing a join (i.e., prune-override) from being triggered. The protocol design error in this case was not allowing a second chance for routers with downstream members to override prunes.

Registers. In the second topology (see Figure A), faulty scenarios were captured that cause packet duplicates at the endpoints.

In this case, the observed faulty scenarios did not follow a regular pattern and were developed iteratively; i.e., when one faulty scenario led to a suggested fix in the protocol, the fix was implemented and the method rerun to observe further faulty scenarios.

The first scenario involved a single host receiving duplicates merely by joining the group. The packets were being delivered at least twice: once directly from the source, by virtue of being on the same LAN, and a second time from the shared tree after the register reached the RP and the packet was sent down the shared tree. When the number of packet duplicates exceeded two, this suggested a loop. The loop occurred when a packet received over the shared tree on the LAN was (a) picked up by the local router, (b) re-registered to the RP, and (c) forwarded down the shared tree again. The protocol error was allowing the packets to flow down from the shared tree to the originating LAN and be re-registered. The fix was to prune such sources from the shared tree.

The second scenario involved another receiver joining before the duplicates were observed. The pruned branch of the shared tree was re-established by the joining receiver, allowing the packets to flow down the shared tree to the originating LAN and subsequently causing the loop.

The third scenario involved a prune message loss, again allowing the packets to flow down the shared tree to the originating LAN, and led to looping.

Rules were added to prevent packets from being forwarded back on their original LANs in the above scenarios.
Figure A: The Assert scenario under study. Panels (I) to (IV) show the RP and routers A, B, C and D, with source S1 and receivers R1 and R2, at the numbered steps:
1) R1 joins the group. B sends joins towards RP.
2) S1 sends packets to the group. Packets flow down distribution tree and are multicast on the LAN.
3) R2 joins the group. A sends joins towards RP.
4) The join from C to RP is lost.
5) Packets forwarded by D onto the LAN are received by C on an outgoing interface.
6) C Asserts with a winning metric onto the LAN.
7) D removes the LAN from its entry and sends prunes towards the RP.
A Detailed Results

The rest of this section describes the above faulty scenarios in more detail and illustrates how the solutions were developed with the aid of STRESS. After the solutions were integrated into the protocol simulator, we applied regression testing to verify that the fixes did not introduce any new errors.
A Assert analysis

Following is a discussion of the pathological cases found in the Assert process. An exhaustive list of the results is not included in this document for brevity. A few errors in the PIM-SM specification were unveiled during this process; we focus on errors that created the possibility of packet loss, i.e., black holes.

The scenario. In this scenario, the topology in Figure A was set up such that A's next hop towards the RP is C, and B's next hop towards the RP is D.

Consider the sequence of events shown in Figure A, which used the representative scenario JJLL with the loss of a join message on the link between C and RP. During the last two events of the scenario (steps and ), D loses the Assert process to C (with lower metric or higher address). Subsequently, D removes the LAN from its entry's interface list and R stops receiving packets from S. This problem persists until/unless the branch of the tree from C to RP is established.
Figure A: Transition diagram for joins and asserts (G: multicast group; oif: outgoing interface). States: NoState, State for G, ActiveState, OifDeleted. Transition labels: "Rcv join for G; create state, trigger join upstream"; "Rcv join for G"; "Rcv pkts for G; activate state, forward pkts"; "Rcv pkts for G; forward pkts"; "Rcv assert on oif & win; send assert"; "Rcv assert on oif & lose; delete oif from entry"; "All oifs deleted & entry removed".
Discussion and fix. The current rules of the PIM specification aim to guarantee at most one forwarder on a multi-access network. However, to ensure proper delivery of packets without packet loss, the right semantics should be exactly one forwarder.

The problem arises more specifically because the PIM specification does not distinguish between an active entry, i.e., an entry created due to the arrival of data packets (e.g., a multicast forwarding cache), and an entry on a branch of a tree that is not yet established, or an inactive entry. An inactive entry may win an Assert process, resulting in black holes.

To solve this problem, we modified the specification to ensure exactly-one-forwarder semantics using the following rule: a router receiving a data packet or Assert on an outgoing interface of a matching entry does not participate in the Assert process unless the entry is active. Figure A illustrates the ActiveState added to the transition diagram to realize the solution.
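To make the rule concrete, the Python below is an added example (not the dissertation's simulator, nor text from the PIM specification) that models the entry states of the transition diagram in Figure A and replays steps 1 to 7 of the Assert scenario of Figure A, once under the specification's rule and once under the exactly-one-forwarder rule. The metrics and addresses of C and D and the set of routers expecting packets from the LAN (A and B) are constructed for the example; the black-hole condition is the one used in Appendix B, routers expecting packets from the LAN with no forwarder on it.

```python
from dataclasses import dataclass, field

# States of the (*,G) entry, named as in the transition diagram of Figure A.
NO_STATE, STATE_FOR_G, ACTIVE_STATE, OIF_DELETED = "NoState", "StateForG", "ActiveState", "OifDeleted"


@dataclass
class Router:
    name: str
    metric: int                 # constructed unicast metric toward the RP; lower wins an Assert
    address: int                # constructed address; higher wins when metrics tie
    state: str = NO_STATE
    oifs: set = field(default_factory=set)
    sent: list = field(default_factory=list)   # control messages this router emitted

    def rcv_join(self, iface):
        """NoState -> StateForG: create the entry, add the oif, trigger a join upstream."""
        if self.state in (NO_STATE, OIF_DELETED):
            self.state = STATE_FOR_G
            self.sent.append("Join upstream")
        self.oifs.add(iface)

    def rcv_data_from_upstream(self):
        """StateForG -> ActiveState: data arrived from the RP, so this branch really exists."""
        if self.state == STATE_FOR_G:
            self.state = ACTIVE_STATE
        return sorted(self.oifs) if self.state == ACTIVE_STATE else []   # interfaces forwarded to

    def participates_in_assert(self, iface, exactly_one_forwarder):
        """Does a packet or Assert seen on `iface`, one of our oifs, draw us into the Assert?"""
        if iface not in self.oifs or self.state not in (STATE_FOR_G, ACTIVE_STATE):
            return False
        # The fix proposed on the page: an entry that is not yet active stays out of the Assert.
        return self.state == ACTIVE_STATE if exactly_one_forwarder else True

    def lose_assert(self, iface):
        """Rcv assert on oif & lose: delete the oif; when none remain the entry is removed."""
        self.oifs.discard(iface)
        if not self.oifs:
            self.state = OIF_DELETED
            self.sent.append("Prune upstream")


def assert_process(routers, iface, forwarder, exactly_one_forwarder):
    """The forwarder put a packet on `iface`; resolve the Assert among the routers that react."""
    contenders = [r for r in routers
                  if r is forwarder or r.participates_in_assert(iface, exactly_one_forwarder)]
    if len(contenders) < 2:
        return forwarder                      # nobody else claimed the LAN
    winner = min(contenders, key=lambda r: (r.metric, -r.address))
    for r in contenders:
        r.sent.append("Assert")
        if r is not winner:
            r.lose_assert(iface)
    return winner


def run_assert_scenario(exactly_one_forwarder):
    """Replay steps 1-7 of the Assert scenario and report the forwarding state on the LAN."""
    lan = "LAN"
    c = Router("C", metric=1, address=2)      # better metric: C wins any Assert it takes part in
    d = Router("D", metric=2, address=1)
    d.rcv_join(lan)                           # 1) R1 joins; B's join reaches D, D joins toward RP
    d.rcv_data_from_upstream()                # 2) S1's packets reach D and are forwarded onto the LAN
    c.rcv_join(lan)                           # 3) R2 joins; A's join reaches C
    # 4) C's join toward the RP is lost: no data ever reaches C, so its entry never activates
    # 5-7) D's packet on the LAN is seen by C on an oif; the Assert process runs
    winner = assert_process([c, d], lan, forwarder=d, exactly_one_forwarder=exactly_one_forwarder)
    forwarders = [r.name for r in (c, d) if r.state == ACTIVE_STATE and lan in r.oifs]
    expecting = ["A", "B"]                    # routers with members, expecting packets from the LAN
    return {
        "assert_winner": winner.name,
        "forwarders": forwarders,
        # Appendix B's black-hole condition: routers expect packets from the LAN, no forwarder on it
        "blackhole": bool(expecting) and not forwarders,
        "c_state": c.state,
        "d_state": d.state,
    }


if __name__ == "__main__":
    print("spec rules:", run_assert_scenario(exactly_one_forwarder=False))
    print("fixed rule:", run_assert_scenario(exactly_one_forwarder=True))
```

Under the specification's rule C, whose branch to the RP was never established, wins the Assert and D deletes its only oif and prunes upstream, leaving no active forwarder on the LAN; under the exactly-one-forwarder rule C's inactive entry stays out of the Assert and D remains the forwarder.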
B Join/Prune analysis

In this analysis we address the effect of selective loss of Join/Prune messages. Although this problem has been addressed in recent releases of the PIM-SM specification, we provide a more efficient solution.

We use the topology given in Figure A (I). The representative scenario used is JJLL with the second join from node A lost on the LAN.

We assume that S sends packets to group G throughout the simulation. Consider the sequence of events given in Figure A (I). After the last event (step ), R stops receiving
Figure A: The Join/Prune scenario under study. Panels (I) and (II) show the RP and routers A, B and C on a LAN, with source S1 and receivers R2 (at A) and R1 (at B).
(I):
1) R1 joins the group. B sends joins towards RP.
2) R2 joins the group. A sends joins towards RP.
3) R1 leaves the group. B multicasts prunes onto the LAN.
4) A gets the prune and sends a join to override. The join is lost.
5) C gets the prune and sends it towards RP.
(II):
3) R1 leaves the group. B multicasts prunes onto the LAN.
4) A does not receive the prune, and so does not override.
5) C gets the prune and sends it towards RP.
S's packets. This problem persists until A sends the next periodic join to C and re-establishes the pruned branch of the tree. A similar problem is encountered in Figure A (II), when the prune sent from B is selectively lost on the LAN by A and received by C.

Discussion and fix. The solution suggested by the PIM specification introduces a deletion timer. This, however, increases the leave latency and incurs unnecessary data overhead.

A more efficient solution would be to have the upstream router (C) announce a prune alert before removing the LAN from its outgoing list, by resending the prune message previously received from B.

C Register analysis
Following is a description of the scenarios that exhibit packet duplication due to register messages, and the suggested fixes to eliminate such duplication. The fixes were applied iteratively until the error was eliminated.

(i) First scenario: single source, single receiver

In this scenario we consider S and R in Figure A (I). Consider the sequence of events in the figure.

Packet duplication and register looping occur in the above scenario. A similar scenario occurs when R joins first, then S starts sending to the group.

Suggested fixes
Figure A: The register scenarios under study. Panels (I) and (III) show the RP and routers A and C, with S2 and R2 at A; panel (II) adds router B with R1.
(I):
1) R2 joins group (G). A sends joins towards RP.
2) S2 sends packets to G. A builds source state & registers to RP. Incoming interface for the state points towards LAN.
3) RP gets registers, decapsulates & forwards packets down shared tree.
4) Packets down shared tree are accepted from LAN & re-registered forming a loop.
(II):
1) R2 joins G & S2 sends to G. A builds routing state & sends join to G & prune for S2 towards RP.
2) R1 joins G. B sends join to RP, eliminating prune state for S2 in C.
3) S2 sends to G; A registers to RP.
4) RP decapsulates & forwards packets down shared tree.
5) Packets forwarded onto LAN are re-registered by A, causing a loop.
(III):
1) A sends prune to RP; R2 is member of G & S2 is source. Prune is lost.
2) A registers packets from S2 to RP.
3) RP decapsulates & forwards packets down shared tree.
4) Shared tree packets accepted from LAN & re-registered to RP forming loop.
The required behavior is to send a triggered and periodic source-specific prune off the shared tree if a router has source-specific state for registering and shared tree state for the same group, regardless of the incoming interface settings.
(ii) Second scenario: single sender, two receivers

We assume the implementation of the above fixes in the simulator, then consider the sequence of events in Figure A (II). This scenario exhibits packet duplication and register looping.

Suggested fix

The problem arises because the packets are forwarded back on the originating LAN and treated as if they were new packets originated by the directly connected source. The following rule solves this problem for the given scenario:

A router receiving a join message must NOT add an interface on the same subnet as a source S for any source-specific entry for S associated with the same group.
iii Third scenario single source single receiv er with message loss
Considering the scenario in gure A I I I The source sp ecic prune sentfrom A to C when A ha ving a shared tree state creates
the source sp ecic en try for registering is lost
P ac k et duplication and r e gister lo oping problems are exp erienced in this scenario The
problem p ersists un til a p erio dic JoinPrune message is successfully sen t upstream
Suggested x
T o be robust to at least one message loss w e suggest the follo wing rule for pac k et
forw arding
A router m ust NOT forw ard a pac k et on to the subnet from whic h the pac k et w as
originated This is ac hiev ed b y p erforming a c hec k on the source and the outgoing
in terface b efore building a source sp ecic state or b efore forw arding a pac k et
Most implemen tations create a cac he for forw arding pac k ets This c hec k can b e done only once when
creating the cac he and is not done p er pac k et
This is dieren t than the incoming in terface c hec k stated b y the curren t sp ecication In the sp ecic
case discussed here the lo oping m ulticast pac k ets will matc h on the incoming in terface the LAN for the
sourcesp ecic en try
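The two rules above, as an added example in Python that is not part of the dissertation or its simulator: a small router model with the join-time check (rule 1) and the forwarding-time check (rule 2) switchable, run against a constructed version of the register-loop scenario. Router, run_scenario and the subnet names are this example's own assumptions; the faulty simulator behaviour it reproduces is the one the text describes, packets forwarded back onto the LAN being treated as new packets from the directly connected source.

```python
# Added example (not from the dissertation): a small model of the two
# forwarding rules proposed above, run against a constructed version of the
# register-loop scenario. Router, run_scenario and the subnet names are this
# example's own names, not the simulator's.
from collections import Counter

LAN = "lan"        # subnet shared by sender S2 and router A (constructed)
A_RP = "a_rp"      # link between A and the RP (constructed)

class Router:
    def __init__(self, name, join_rule, forward_rule):
        self.name = name
        self.join_rule = join_rule          # apply rule 1 (join-time check)
        self.forward_rule = forward_rule    # apply rule 2 (forwarding check)
        self.oifs = {}   # (source, group) -> set of outgoing subnets

    def add_oif_from_join(self, source, source_subnet, group, join_subnet):
        """Rule 1: a Join must NOT add an interface on the same subnet as
        source S to any source-specific entry for S."""
        if self.join_rule and join_subnet == source_subnet:
            return False
        self.oifs.setdefault((source, group), set()).add(join_subnet)
        return True

    def forward(self, pkt):
        """Rule 2: never forward a packet onto the subnet it originated from.
        Returns the subnets a copy is sent on."""
        out = []
        for subnet in sorted(self.oifs.get((pkt["source"], pkt["group"]), ())):
            if self.forward_rule and subnet == pkt["origin_subnet"]:
                continue
            out.append(subnet)
        return out

def run_scenario(join_rule, forward_rule, max_hops=40):
    """Returns {'join_added', 'deliveries', 'looped'} for the scenario."""
    a = Router("A", join_rule, forward_rule)
    rp = Router("RP", join_rule, forward_rule)
    rp.oifs[("S2", "G")] = {A_RP}            # RP's shared tree runs down to A
    # C's Join for G arrives at A on the LAN, the subnet S2 sits on.
    join_added = a.add_oif_from_join("S2", LAN, "G", LAN)
    pkt = {"source": "S2", "group": "G", "origin_subnet": LAN}
    # Events: (subnet, router that hears it) or ("register", RP). The faulty
    # simulator hands every packet seen on the LAN, including the ones A
    # itself put there, back to A as if S2 had just sent it.
    queue = [(LAN, a)]
    deliveries, hops = Counter(), 0
    while queue and hops < max_hops:
        where, router = queue.pop(0)
        deliveries[where] += 1
        hops += 1
        if where == LAN and router is a:
            queue.append(("register", rp))     # A encapsulates to the RP
            continue
        if where == "register":
            # RP decapsulates and forwards down the shared tree towards A.
            queue.extend((s, a) for s in rp.forward(pkt))
            continue
        # A received natively on A_RP: forward per its (S2,G) entry.
        queue.extend((s, a) for s in router.forward(pkt))
    return {"join_added": join_added, "deliveries": dict(deliveries),
            "looped": hops >= max_hops}
```

Without either rule the packet cycles LAN, register, RP, LAN indefinitely and the run stops only at the hop cap; with only the forwarding check in place the faulty join still adds the LAN interface, but the packet is not sent back onto its originating subnet, which is the robustness-to-loss property the third scenario asks for.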
Appendix B
State Space Complexity

In this appendix we present the analysis for the state space complexity of our target system. Specifically, we present a completeness proof of the state space and the formulae to compute the size of the correct state space.

B State Space Completeness

We define the space of all states as X*, denoting zero or more routers in any state. We also define the algebraic operators for the space, where

X X X X   (B)

Y_n X Y_n {X Y}   (B)
B Error states

In general, an error may manifest itself as packet duplicates, packet loss or wasted bandwidth. This is mapped onto the state of the global FSM as follows:

- The existence of two or more forwarders on the LAN, with one or more routers expecting packets from the LAN (e.g. in the NH_X state), indicates duplicate delivery of packets.
- The existence of one or more routers expecting packets from the LAN, with no forwarders on the LAN, indicates a deficiency in packet delivery (join latency or black holes).
- The existence of one or more forwarders for the LAN, with no routers expecting packets from the LAN, indicates wasted bandwidth (leave latency or extra overhead).

For duplicates (one or more NH_X with two or more F_X):

NH_X F_X F_X X   (B)

For extra bandwidth (one or more F_X with zero NH_X):

F_X {X NH_X}   (B)

For black holes or packet loss (one or more NH_X with zero F_X):

NH_X {X F_X}   (B)
B Correct states

As described earlier, the correct states can be described by the following rule: exactly one forwarder for the LAN iff one or more routers expecting packets from the LAN.

Zero NH_X with zero F_X:

{X NH_X F_X}   (B)

One or more NH_X with exactly one F_X:

NH_X F_X {X F_X}   (B)

From (B) and (B) we get

NH_X F_X {X F_X}   (B)

If we take the union of (B), (B) and (B) and apply (B), we get

NH_X X NH_X {X NH_X}   (B)

Also from (B) and (B) we get

F_X {X NH_X F_X}   (B)

If we take the union of (B) and (B) we get

F_X {X NH_X F_X} {X NH_X}   (B)

Taking the union of (B) and (B) we get

NH_X {X NH_X} X   (B)

which is the complete state space.
B Number of Correct and Error State Spaces

B First case definition

For the correct states, {X NH F}* reduces the number of symbols from which to choose the state, i.e. yields the formula

C n ! s n C n ! s n

While NH F {X F}* reduces the number of routers to choose from and the number of symbols, yielding

C n ! s n C n ! s n

B Second case definition

For the correct states, {X NH_X F_X} reduces the number of states, yielding

C n ! s n C n ! s n

While NH_X F_X {X F_X} reduces the number of routers to n and the symbols to s, and yields

C n ! s n C n ! s n

We have to be careful here about the overlap of sets of correct states. For example, NH F {X F_X} is equivalent to NH_Rtx F {X F_X} when a third router is in NH_Rtx in the first set and in NH in the second set. Thus we need to remove one of the sets:

NH F NH_Rtx {X F_X}

which translates in terms of the number of states to

C n ! s n C n ! s n

A similar argument is given when we replace F above by F_Del; thus we multiply the number of states to be removed accordingly. Thus we get the total number of equivalent correct states:

C n ! s n ! C n ! s n C n ! s n

To obtain the Error States we can use

ErrorStates = TotalStates − CorrectStates
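The correctness rule of Section B and the count ErrorStates = TotalStates − CorrectStates, as an added example in Python that is not part of the dissertation: it enumerates every global state over a constructed four-symbol alphabet, classifies each one with the rule (exactly one forwarder iff at least one router expecting packets), and checks that the three error classes and the correct states partition the space. classify, count_states and correct_states_closed_form are this example's own names, and the closed form is derived here directly from the rule rather than taken from the appendix's formulae.

```python
# Added example (not from the dissertation): enumerate a small global state
# space and classify every global state with the correctness rule above.
# The four-symbol alphabet below is constructed; the real PIM-DM alphabet is
# larger. classify, count_states and correct_states_closed_form are this
# example's own names.
from collections import Counter
from itertools import product

SYMBOLS = ("NH", "F", "NF", "NC")   # constructed alphabet, s = 4 symbols

def classify(gstate):
    """Map a global state (one symbol per router) to 'correct' or an error class."""
    nh = gstate.count("NH")   # routers expecting packets from the LAN
    f = gstate.count("F")     # forwarders for the LAN
    if nh >= 1 and f >= 2:
        return "duplicates"
    if nh == 0 and f >= 1:
        return "extra bandwidth"
    if nh >= 1 and f == 0:
        return "black hole"
    return "correct"          # (nh == 0, f == 0) or (nh >= 1, f == 1)

def count_states(n, symbols=SYMBOLS):
    """Exhaustively classify all s^n global states for n routers."""
    return dict(Counter(classify(g) for g in product(symbols, repeat=n)))

def correct_states_closed_form(n, s):
    """Closed form derived here from the rule (not the appendix's formulae):
    (s-2)^n states with neither NH nor F, plus n choices of the single F
    position times the (s-1)^(n-1) - (s-2)^(n-1) fillings of the other
    routers that contain at least one NH."""
    return (s - 2) ** n + n * ((s - 1) ** (n - 1) - (s - 2) ** (n - 1))

def error_states(n, s=len(SYMBOLS)):
    """ErrorStates = TotalStates - CorrectStates."""
    return s ** n - correct_states_closed_form(n, s)
```

The enumeration doubles as the completeness check of Section B: every global state falls into exactly one class, so the class counts sum to s^n.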
Appendix C
Forward Search Algorithms

This appendix includes detailed procedures that implement the forward search method as described in Chapter . It also includes detailed statistics collected for the case study on PIM-DM.

C Exhaustive Search

The ExpandSpace procedure given below implements an exhaustive search, where W is the working set of states to be expanded, V is the set of visited (i.e. already expanded) states, and E is the state currently being explored. Initially all the state sets are empty. The nextState function gets and removes the next state from W according to the search strategy: if depth-first, then W is treated as a stack; if breadth-first, as a queue. Each state is expanded by applying the stimuli via the forward procedure, which implements the transition rules and returns the new stable state New.

ExpandSpace(initGState) {
  add initGState to W
  while W not empty {
    E = nextGState from W; add E to V
    for all state in E
      for all stim applying to state {
        New = forward(E, stim)
        if New not in W or V
          add New to W
      }
  }
}

The initial state initGState may be generated using the following procedure, which produces all possible combinations of the initial states IS:

Init(depth, GState) {
  for all state in IS {
    add state to GState; depth = depth - 1
    if depth == 0
      ExpandSpace(GState)
    else
      Init(depth, GState)
    remove last element of GState
  }
}

This procedure is called with the following parameters: (a) the number of routers n as the initial depth, and (b) the empty state as the initial GState. It is a recursive procedure that does a depth-first tree search with the number of levels equal to the number of routers and the branching factor equal to the number of initial state symbols, |IS| = is. The complexity of this procedure is given by is^n.
C Reduction Using Equivalence

We use the counting equivalence notion to reduce the complexity of the search in a number of ways. The first reduction we use is to investigate only the equivalent initial states; we call this algorithm Equiv. One procedure that produces such an equivalent initial state space is the EquivInit procedure given below.

EquivInit(S, i, GState) {
  for all state in S
    for j = i down to 1 {
      New = empty state
      for k = 1 to j
        add state to New
      New = New + GState
      S' = trunc(S, state)
      if i == j
        ExpandSpace(New)
      else
        EquivInit(S', i - j, New)
    }
}

This procedure is invoked with the following parameters: (a) the initial set of states IS as S, (b) the number of routers n as i, and (c) the empty state as GState. The procedure is recursive; it produces the set of equivalent initial states and invokes the ExpandSpace procedure for each equivalent initial state. The trunc function truncates S such that S' contains only the state elements in S after the element state. For example, trunc({F, N, M, M}, F) = {N, M, M}.

Expanded States
Rtrs  Exhaustive  Equiv  Equiv+  Reduced  Reduction
1     14          10     9       9        1.555556
2     52          24     18      18       2.888889
3     178         52     30      30       5.933333
4     644         114    48      48       13.41667
5     2176        238    73      73       29.80822
6     7480        496    106     106      70.56604
7     24362       1004   148     148      164.6081
8     80830       2037   200     200      404.15
9     259270      4081   263     263      985.8175
10    843440      8198   338     338      2495.385
11    2684665     16386  426     426      6302.031
12    8621630     32810  528     528      16328.84
13    27300731    65574  645     645      42326.71
14    86885238    131180 778     778      111677.7
Figure C: Simulation statistics for forward algorithms. ExpandedStates is the number of visited states.
Forwards
Rtrs  Exhaustive  Equiv    Equiv+  Reduced  Reduction
1     80          55       51      43       1.860465
2     537         227      177     124      4.330645
3     2840        730      440     263      10.79848
4     14385       2188     970     503      28.59841
5     63372       5829     1923    881      71.9319
6     271019      14863    3491    1430     189.5238
7     1060120     35456    5916    2187     484.7371
8     4122729     82916    9480    3189     1292.797
9     15187940    187433   14523   4477     3392.437
10    55951533    419422   21429   6092     9184.428
11    199038216   921981   30648   8079     24636.49
12    708071468   2013909  42678   10483    67544.74
13    2.461E+09   4355352  58091   13353    184311
14    8.546E+09   9375196  77511   16738    510576.4
Figure C: Simulation statistics for forward algorithms. Forwards is the number of calls to forward.
The second reduction we use is during state comparison. Instead of comparing the actual states, we compare and store equivalent states. Hence the line "if New not in W or V" would check for equivalent states. We call the algorithm after this second reduction Equiv+. The third reduction is made to eliminate redundant transitions. To achieve this reduction we add a flag check before invoking forward, such as stateFlag. The flag is set when the stimuli for that specific state have been applied. We call the algorithm after the third reduction the reduced algorithm.

C Complexity analysis of forward search for PIM-DM

The number of reachable states visited, the number of transitions, and the number of erroneous states found were recorded. The results are given in figures C, C, C and C. The reduction is the ratio of the numbers obtained using the exhaustive algorithm to those obtained using the reduced algorithm.

The number of expanded states denotes the number of visited stable states and is measured simply as the number of states in the set V in the ExpandSpace procedure. The number of forwards is the number of times the forward procedure was called, denoting the number of transitions between stable states. The number of transitions is the number of visited transient states, which is increased with every new state visited in the forward procedure. The number of error states is the number of stable (or expanded) states violating the correctness conditions.

The number of transitions is reduced from O(·^n) for the exhaustive algorithm to O(n^·) for the reduced algorithm. This means that we have obtained an exponential reduction in complexity, as shown in figure C.

Transitions
Rtrs  Exhaustive  Equiv   Equiv+  Reduced  Reduction
1     19          11      11      11       1.727273
2     90          32      31      31       2.903226
3     343         75      65      65       5.276923
4     1293        169     119     119      10.86555
5     4328        347     197     197      21.96954
6     14962       722     307     307      48.73616
7     47915       1433    449     449      106.7149
8     158913      2889    633     633      251.0474
9     503860      5717    857     857      587.9347
10    1638871     11434   1133    1133     1446.488
11    5185208     22715   1457    1457     3558.825
12    16666549    45383   1843    1843     9043.163
13    52642280    90461   2285    2285     23038.2
14    167757882   180794  2799    2799     59934.93
Figure C: Simulation statistics for forward algorithms. Transitions is the number of transient states visited.
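The ExpandSpace, Init and EquivInit procedures of Sections C and C, together with the three reductions just described, as an added example in Python that is not part of the dissertation or its simulator. It runs the search over a constructed three-symbol router FSM so that the effect of each reduction (equivalent initial states, equivalent state comparison, and the per-state flag that stops redundant transitions) can be counted. FSM, Search and run are this example's own names, and the counts it produces are for the toy FSM, not the PIM-DM figures in this appendix.

```python
# Added example (not from the dissertation): ExpandSpace, Init and EquivInit
# over a constructed three-symbol router FSM, with the three reductions
# (equivalent initial states, equivalent state comparison, and the per-state
# flag that stops redundant transitions) switchable. FSM, Search and run are
# this example's own names; the numbers it produces are for the toy FSM, not
# the PIM-DM figures in this appendix.
from collections import deque

# Constructed per-router FSM: symbol -> {stimulus: next symbol}.
FSM = {
    "NF": {"join": "NH", "start_fwd": "F"},
    "NH": {"leave": "NF"},
    "F":  {"prune": "NF"},
}
SYMBOLS = tuple(FSM)          # the initial state symbols IS

def forward(gstate, router, stim):
    """Transition rule: apply stim to one router, return the new stable global state."""
    new = list(gstate)
    new[router] = FSM[gstate[router]][stim]
    return tuple(new)

def canonical(gstate, equiv):
    """Counting equivalence: a global state is the multiset of router symbols."""
    return tuple(sorted(gstate)) if equiv else tuple(gstate)

class Search:
    def __init__(self, depth_first=False, equiv=False, reduced=False):
        self.W, self.in_W, self.V = deque(), set(), set()
        self.depth_first, self.equiv, self.reduced = depth_first, equiv, reduced
        self.forwards = 0      # number of calls to forward()

    def next_gstate(self):
        """W is a stack for depth-first search and a queue for breadth-first."""
        return self.W.pop() if self.depth_first else self.W.popleft()

    def expand_space(self, init):
        if init in self.V:
            return
        self.W.append(init); self.in_W.add(init)
        while self.W:
            E = self.next_gstate()
            self.in_W.discard(E); self.V.add(E)
            routers = range(len(E))
            if self.reduced:   # stateFlag: each symbol's stimuli applied once
                routers = [E.index(sym) for sym in sorted(set(E))]
            for r in routers:
                for stim in FSM[E[r]]:
                    new = canonical(forward(E, r, stim), self.equiv)
                    self.forwards += 1
                    if new not in self.V and new not in self.in_W:
                        self.W.append(new); self.in_W.add(new)

def init_exhaustive(n, symbols=SYMBOLS):
    """Init(depth, GState): every one of the s^n initial global states."""
    out = []
    def rec(depth, gstate):
        for sym in symbols:
            gstate.append(sym)
            if depth == 1:
                out.append(tuple(gstate))
            else:
                rec(depth - 1, gstate)
            gstate.pop()
    rec(n, [])
    return out

def init_equiv(n, symbols=SYMBOLS):
    """EquivInit(S, i, GState): one representative per equivalence class."""
    out = []
    def rec(S, i, gstate):
        for idx, sym in enumerate(S):
            for j in range(i, 0, -1):
                new = gstate + (sym,) * j
                if j == i:
                    out.append(new)
                else:
                    rec(S[idx + 1:], i - j, new)   # trunc(S, sym)
    rec(tuple(symbols), n, ())
    return out

def run(n, equiv=False, reduced=False, depth_first=False):
    """Search from every initial state; returns (expanded states, forwards)."""
    equiv = equiv or reduced   # the third reduction builds on the second
    s = Search(depth_first, equiv, reduced)
    for g in (init_equiv(n) if equiv else init_exhaustive(n)):
        s.expand_space(canonical(g, equiv))
    return len(s.V), s.forwards
```

For two routers the toy FSM has 9 global states and 24 forward calls exhaustively, 6 states and 16 calls under equivalence, and 12 calls once the per-symbol flag removes the transitions that only differ by which of two identical routers received the stimulus.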
Error States
Rtrs  Exhaustive  Equiv   Equiv+  Reduced  Reduction
1     1           1       1       1        1
2     7           3       3       3        2.333333
3     33          7       6       6        5.5
4     191         21      13      13       14.69231
5     783         49      25      25       31.32
6     3235        115     43      43       75.23256
7     11497       239     68      68       169.0735
8     41977       504     101     101      415.6139
9     142197      1012    143     143      994.3846
10    491195      2057    195     195      2518.949
11    1625880     4101    258     258      6301.86
12    5441177     8237    333     333      16339.87
13    17751178    16425   421     421      42164.32
14    58220193    32879   523     523      111319.7
Figure C: Simulation statistics for forward algorithms. The number of stable error states reached.

[Figure C: Reduction ratio from exhaustive to the reduced algorithm. Plot of the reduction ratio in states (log scale, 1.E+0 to 1.E+5) against the number of routers n = 1 to 14.]
Appendix D
FOTG Algorithms

This appendix includes pseudocode for procedures implementing the fault-oriented test generation (FOTG) method presented in Chapter . In addition, it includes detailed results of our case study applying FOTG to PIM-DM.

D PreConditions

The conds array contains the postconditions, i.e. the effects of the stimuli on the system, and is indexed by the stimulus. The stimulus function returns the stimulus (if any) of the condition. The transition function returns the transition or state of the condition. The preconditions are stored in an array preConds indexed by the stimulus.

PreConditions {
  for all stim, for all cond in conds[stim] {
    s = stimulus(cond); t = transition(cond)
    add (t, stim) to preConds[s]
  }
}

D Dependency Table

The dependencyTable procedure generates the dependency table depTable from the transition table of conditions conds. If there is a state (rather than a transition) in the condition, this may be viewed as a state-to-state transition, i.e. a transition to the same state.

dependencyTable {
  for all stim, for all cond in conds[stim] {
    endState = end(cond)
    startState = start(cond)
    add (startState, stim) to depTable[endState]
  }
}

For each state s that is the endState of a transition, a set of (startState, stimulus) pairs leading to the creation of s is stored in the depTable array. For s in IS, a symbol denoting the initial state is added to the array entry. For our case study IS = {NM, EU}.

D Topology Synthesis

The following procedure synthesizes the minimum topologies necessary to trigger the various stimuli of the protocol. It performs the third and fourth steps explained in Section .

buildMinTopos(stim) {
  for all cond in preConds[stim] {
    st = end(cond); stm = stimulus(cond)
    if type(stm) == orig
      add st to MinTopos[stim]
    else {
      if MinTopos[stm] not yet built
        buildMinTopos(stm)
      topo = MinTopos[stm]
      add st and topo to MinTopos[stim]
    }
  }
}
D Backward Search

The Backward procedure calls the Rewind procedure to perform the backward search. A set of visited states V is kept to avoid looping. For each state in GState, possible backward implications are attempted to obtain valid backward steps toward an initial state. Backward is called recursively for preceding states, as a depth-first search. If all backward branches are exhausted and no initial state was reached, the state is declared unreachable.

Backward(GState) {
  if GState in V
    return loop
  add GState to V
  for all s in GState {
    bkwds = depTable[s]
    for all bk in bkwds {
      New = Rewind(bk, GState, s)
      if New == done
        break
      else
        Backward(New)
    }
  }
  if all states are done
    return reached
  else
    return unreachable
}

The Rewind procedure takes the global state one step backward by applying the reverse transition rules. replace(s, st, GState) replaces s in GState with st and returns the new global state. Depending on the stimulus type of the backward rule bk, different states in GState are rolled back. For orig and dst, only the originator and the destination of the stimulus is rolled back, respectively. For mcast, all affected states are rolled back except the originator. mcastDownstream is similar to mcast, except that all downstream routers (or states) are rolled back while only one upstream router (the destination) is rolled back.

Rewind(bk, GState, s) {
  if bk == IS
    return done
  stim = stimulus(bk)
  st = start(bk)
  if type(stim) == orig {
    New = replace(s, st, GState); return New
  }
  for all cond in preconds[stim]
    while src not found {
      str = start(cond); if str in GState
        src = found
    }
  if src not found
    return backTrack
  if type(stim) == dst {
    New = replace(s, st, GState)
    if checkMinTopo(New, stim) return New else
      return backTrack
  }
  if not checkConsistency(stim, GState) return backTrack
  New = GState
  if type(stim) == mcast
    for all cond in conds[stim], if end(cond) in GState and not src
      New = replace(end, start, GState)
  if type(stim) == mcastDownstream
    for all cond in conds[stim], if end(cond) in GState and not upstream
      New = replace(end, start, GState)
    else if end in GState and upstream
      New = replace(end, start, GState) once
  if checkMinTopo(New, stim) return New else
    return backTrack
}

The following procedure checks the consistency of applying stim to GState:

checkConsistency(stim, GState) {
  for all cond in conds[stim], cond has transition
    if start(cond) in GState
      return False
    else
      return True
}

The following procedure checks if GState contains the necessary components to trigger the stimulus:

checkMinTopo(GState, stim) {
  if MinTopos[stim] in GState
    return True
  else
    return False
}
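The dependency table of Section D and the Backward/Rewind search above, as an added example in Python that is not part of the dissertation or its implementation. It builds depTable from a constructed five-entry transition table, then searches backward from a target global state to an initial one, rolling back a single router for orig and dst stimuli and every affected router except the originator for mcast stimuli. The transition table, the symbols, and the names dependency_table, rewind and backward are this example's own assumptions; the minimum-topology check of the original Rewind is simplified here to requiring that a router able to originate the stimulus is present.

```python
# Added example (not from the dissertation): depTable construction and a
# simplified Backward/Rewind search over a constructed transition table.
# CONDS, IS and the function names are this example's own; the orig/dst/mcast
# rollback rules follow the description above, the minimum-topology check is
# reduced to "an originator for the stimulus is present in the global state".
from collections import defaultdict

IS = {"NC", "NF"}   # initial state symbols (constructed)

# (stimulus, type, startState, endState, originator symbol or None), constructed
CONDS = [
    ("HJ",        "orig",  "NC",     "NH",     None),      # external host join
    ("Graft_Tx",  "orig",  "NH",     "NH_Rtx", None),
    ("Graft_Rcv", "dst",   "NF",     "F",      "NH_Rtx"),  # needs a grafting router
    ("GAck",      "dst",   "NH_Rtx", "NH",     "F"),       # ack comes from the forwarder
    ("Prune",     "mcast", "F",      "NF",     "NC"),      # heard by all forwarders
]

def dependency_table(conds):
    """depTable[endState] = [(startState, stimulus), ...] that create endState."""
    dep = defaultdict(list)
    for stim, _, start, end, _ in conds:
        dep[end].append((start, stim))
    return dep

DEP = dependency_table(CONDS)
INFO = {stim: (typ, start, end, src) for stim, typ, start, end, src in CONDS}

def rewind(gstate, idx, start, stim):
    """One step backward; returns the preceding global state or None (backTrack)."""
    typ, _, end, src = INFO[stim]
    if src is not None and src not in gstate:
        return None                       # nobody could have originated stim
    if typ in ("orig", "dst"):
        new = list(gstate)
        new[idx] = start                  # only originator / destination rolls back
        return tuple(new)
    originator = gstate.index(src) if src is not None else -1
    # mcast: every router in the end state rolls back, except the originator
    return tuple(start if (s == end and i != originator) else s
                 for i, s in enumerate(gstate))

def backward(gstate, visited=None, path=()):
    """Depth-first backward search. Returns the stimulus sequence (oldest
    first) that leads from an initial global state to gstate, or None when
    gstate is unreachable."""
    if visited is None:
        visited = set()
    if all(s in IS for s in gstate):
        return list(path)                 # reached an initial state
    if gstate in visited:
        return None                       # loop
    visited.add(gstate)
    for idx, sym in enumerate(gstate):
        for start, stim in DEP.get(sym, ()):
            new = rewind(gstate, idx, start, stim)
            if new is None:
                continue                  # backTrack
            found = backward(new, visited, (stim,) + path)
            if found is not None:
                return found
    return None                           # all branches exhausted: unreachable
```

For the target {F, NH} the search reconstructs the chain HJ, Graft_Tx, Graft_Rcv, GAck back to {NF, NC}, while {F, F} is declared unreachable because no router in the state could have originated the Graft that creates a forwarder.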
D Experimental statistics for PIM-DM

To investigate the utility of FOTG as a verification tool, we ran this set of simulations. This is not, however, how FOTG is used to study protocol robustness.

We also wanted to study the effect of unreachable states on the complexity of the verification. The simulations for our case study show that unreachable states do not contribute in a significant manner to the complexity of the backward search for larger topologies. Hence, in order to use FOTG as a verification tool, it is not sufficient to add the reachability detection capability to FOTG.

The backward search was applied to the equivalent error states for LANs with 2 to 5 routers connected. The simulation setup involved a call to a procedure similar to EquivInit in Section C, with the parameter S as the set of state symbols; after an error check was done, a call is made to the Backward procedure instead of ExpandSpace. States were classified as reachable or unreachable. For the four topologies studied (LANs with 2 to 5 routers), statistics were measured (e.g. max, min, median, average and total) for the number of calls to the Backward and Rewind procedures, and the number of backTracks was measured.
Backwards (number of calls to Backward())
      total                                   average
n     all states  Reachable  Unreachable      all states  Reachable  Unreachable
2     280         64         216              10.77       7.111      12.71
3     3965        1056       2909             38.12       37.71      38.28
4     58996       30694      28302            180.4       383.7      114.6
5     899274      612009     287265           1021        3255       414.5

Rewinds (number of calls to Rewind())
      total                                   average
n     all states  Reachable  Unreachable      all states  Reachable  Unreachable
2     471         116        355              18.12       12.89      20.88
3     8309        2379       5930             79.89       84.96      78.03
4     134529      71954      62575            411.4       899.4      253.3
5     2067426     1414365    653061           2347        7523       942.4

BackTracks (number of back tracks for error states)
      total                                   average
n     all states  Reachable  Unreachable      all states  Reachable  Unreachable
2     163         30         133              6.269       3.333      7.824
3     3459        946        2513             33.26       33.79      33.07
4     60321       32684      27637            184.5       408.6      111.9
5     950421      656028     294393           1079        3490       424.8

Figure D: Simulation statistics for backward algorithms
As shown in figure D, the statistics show that as the topology grows, all the numbers for the reachable states get significantly larger than those for the unreachable states (as in figure D), despite the fact that the percentage of unreachable states increases with the topology (as in figure D). The reason for such behavior is that when the state is unreachable, the algorithm reaches a dead end relatively early by exhausting one branch of the search tree. However, for reachable states the algorithm keeps on searching until it reaches an initial global state. Hence the search for reachable states constitutes the major component that contributes to the complexity of the algorithm.

D Results

We have implemented an early version of the algorithm in the NS/VINT environment (see http://catarina.usc.edu/vint) and used it to drive detailed simulations of PIM-DM therein to verify our findings. In this section we discuss the results of applying our method to PIM-DM. The analysis is conducted for single message loss and momentary loss of state. For the following analyzed messages we present the steps for topology synthesis, forward and backward implication.
[Figure D: Complexity of the FOTG algorithm for error states. Plot of the average number of rewinds (0 to 8000) against the number of routers n = 2 to 5, with curves for All, Reachable and Unreachable states.]
Join: Following are the resulting steps for Join loss.

Synthesizing the Global State
- Set the inspected message to Join.
- The startState of the postcondition is F_dst^Del: G_I = {F_j^Del}.
- The state of the precondition is NH_i: G_I = {NH_i, F_j^Del}.
- The stimulus of the precondition is Prune. Set the inspected message to Prune.
- The startState of the postcondition is F_j, which can be implied from F_j^Del in G_I.
- The state of the precondition is NC_k: G_I = {NH_i, F_j^Del, NC_k}.
- The stimulus of the precondition is L. Set the inspected message to L.
- The startState of the postcondition is NH, which can be implied from NC in G_I.
- The state of the precondition is Ext, an external event.

Forward implication
- Without loss: G_I = {NH_i, F_j^Del, NC_k} -Join-> G_I = {NH_i, F_j, NC_k} (correct state).
- Loss w.r.t. the affected routers, i.e. R_j: {NH_i, F_j^Del, NC_k} -Del-> G_I = {NH_i, NF_j, NC_k} (error state).

Backward implication
G_I = {NH_i, F_j^Del, NC_k} <-Prune- G_I = {NH_i, F_j, NC_k} <-FPkt- G_I = {M_i, F_j, NM_k} <-SPkt- G_I = {M_i, EU_j, NM_k} <-HJ_i- G_I = {NM_i, EU_j, NM_k} = IS

Losing the Join by the forwarding router R_j leads to an error state where router R_i is expecting packets from the LAN but the LAN has no forwarder.
Assert: Following are the resulting steps for the Assert loss.

[Figure D: Percentage of reachable/unreachable error states using FOTG. Plot of the percentage (0 to 90) against the number of routers n = 2 to 5, with curves for Unreachable and Reachable.]
Synthesizing the Global State
- Set the inspected message to Assert.
- The startState of the postcondition is F_j: G_I = {F_j}.
- The state of the precondition is F_i: G_I = {F_i, F_j}.
- The stimulus of the precondition is FPkt_j. Set the inspected message to FPkt_j.
- The startState of the postcondition is EU_i, which can be implied from F_i in G_I.
- The state of the precondition is F_j, already in G_I.
- The stimulus of the precondition is SPkt_j. Set the inspected message to SPkt_j.
- The startState of the postcondition is NF_j, which can be implied from F_j in G_I.
- The stimulus of the precondition is Ext, an external event.

Forward Implication
G_I = {F_i, F_j} -Assert_i-> G_I = {F_i, NF_j} (error)

Backward Implication
G_I = {F_i, F_j} <-FPkt_j- G_I = {EU_i, F_j} <-SPkt_j- G_I = {EU_i, EU_j} = IS

The error in the Assert case occurs even in the absence of message loss. This error occurs due to the absence of a prune to stop the flow of packets to a LAN with no downstream receivers. This problem occurs for topologies with G_I = {F_i, F_j, F_k}, such as that shown in figure D.
Graft: Following are the resulting steps for the Graft loss.

[Figure D: A topology having a {F_i, F_j, F_k} LAN: a Source attached to routers F_i, F_j, F_k, ... that all share one LAN.]
Synthesizing the Global State
- Set the inspected message to Graft_Rcv.
- The startState of the postcondition is NF: G_I = {NF}.
- The endState of the precondition is NH_Rtx: G_I = {NF, NH_Rtx}.
- The stimulus of the precondition is Graft_Tx.
- The startState of the postcondition is NH, which may be implied from NH_Rtx in G_I.
- The endState of the precondition is NH, which may be implied.
- The stimulus of the precondition is HJ, which is Ext, i.e. external.

Forward Implication
- Without loss: G_I = {NH, NF} -Graft_Tx-> G_I = {NH_Rtx, NF} -Graft_Rcv-> G_I = {NH_Rtx, F} -GAck-> G_I = {NH, F} (correct state).
- With loss of Graft (i.e. the Graft_Rcv does not take effect): G_I = {NH, NF} -Graft_Tx-> G_I = {NH_Rtx, NF}.
- Timer implication: G_I = {NH, NF} -Graft_Tx-> G_I = {NH_Rtx, NF} -Graft_Rcv-> G_I = {NH_Rtx, F} -GAck-> G_I = {NH, F} (correct state).

We did not reach an error state when the Graft was lost with non-interleaving external events.
D Interleaving events and Sequencing

A Graft message is acknowledged by the Graft Ack (GAck) message and, if not acknowledged, it is retransmitted when the retransmission timer expires. In an attempt to create an erroneous scenario, the algorithm generates sequences to clear the retransmission timer and insert an adverse event. Since the Graft reception causes an upstream router to become a forwarder for the LAN, the algorithm interleaves a Leave event as an adversary event to cause that upstream router to become a non-forwarder.

To clear the retransmission timer, the algorithm inserts the transition NH_Rtx -GAck-> NH in the event sequence.
[Figure D: Graft event sequencing. Timelines between upstream router A and downstream router B: (I) no loss: Graft, GAck; (II) loss of Graft: Graft (lost), Graft retransmitted, GAck; (III) loss of Graft & interleaved Prune: Graft, Prune, Graft, GAck, at times t1 to t6.]
Forward Implication: G_I = {NH, NF} -Graft_Tx-> G_I = {NH_Rtx, NF} -GAck-> G_I = {NH, NF} (error state)

Backward Implication: Using backward implication we can construct a sequence of events leading to conditions sufficient to trigger the GAck. From the transition table, these conditions are {NH_Rtx, F}:

G_I = {NH, NF} <-HJ- G_I = {NC, NF} <-Del- G_I = {NC, F^Del} <-Prune- G_I = {NC, F} <-L- G_I = {NH_Rtx, F}

To generate the GAck, we continue the backward implication and attempt to reach an initial state:

G_I = {NH_Rtx, F} <-Graft_Rcv- G_I = {NH_Rtx, NF} <-Graft_Tx- G_I = {NH, NF} <-HJ- G_I = {NC, NF} <-Del- G_I = {NC, F^Del} <-Prune- G_I = {NC, F} <-FPkt- G_I = {NM, F} <-SPkt- G_I = {NM, EU} = IS

Hence, when a Graft followed by a Prune is interleaved with the Graft loss, the retransmission timer is reset by the receipt of the GAck for the first Graft, and the system ends up in an error state.

We do not show all branching or backtracking steps, for simplicity.
Appendix E
End-to-End Performance Evaluation

In this appendix we present details of the inequality formulation for the end-to-end performance evaluation. In addition, we present the mathematical model to solve these inequalities. We also discuss the case of multiple request rounds for the timer suppression mechanism.

E Conditions and Inequalities for Overhead Analysis

Given the target event, transitions are identified as either wanted or unwanted transitions according to the maximization or minimization objective. For maximization, wanted transitions are those that establish the conditions to trigger the target event, while unwanted transitions are those that nullify these conditions, and vice versa.

Let W be the wanted transition and t(W) be the time of its occurrence. Let C be the condition for the wanted transition and t(C) the time at which it is satisfied, and let U be the unwanted transition occurring at time t(U). We want to establish and maintain C until W occurs, i.e. in the duration [t(C), t(W)]. Hence U may only occur outside (before or after) that interval. In Figure E this means that U can only occur in region (1) or region (3). Hence the inequalities must satisfy the following:
- the condition for the wanted transition C must be established before the event for the wanted transition W triggers, i.e. t(C) < t(W), and
- one of the following two conditions must be satisfied:
  (a) the unwanted transition U must occur before C, i.e. t(U) < t(C), or
  (b) the unwanted transition U must occur after the wanted transition W, i.e. t(W) < t(U).

[Figure E: The timeline for transition ordering. Regions (1), (2) and (3) along the time axis, separated by t(C) and t(W); U is shown in regions (1) and (3).]

These conditions must be satisfied for all systems. In addition, the algorithm needs to verify, using backward search and implication rules, that no contradiction exists between the above conditions and the nature of the events of the given problem.
E Worst-case Overhead Analysis

The target event for the overhead analysis is p_t. The objective for the worst-case analysis is to maximize the number of responses p_t. The wanted transition is the transition res_tmr: Res, D_T → D, p_t (see Section ). Hence t(W) = t(p_t). The condition for the wanted transition is D_T, and its time, from the transition tx_req: q_r, D → D_T, is t(C) = t(q_r). The unwanted transition is one that nullifies the condition D_T. The transition rcv_res: p_r, D_T → D is identified by the algorithm as the unwanted transition, hence t(U) = t(p_r).

For a given system i the inequalities become

t(q_r^i) < t(p_t^i)

and either

t(p_r^{ij}) < t(q_r^i)

or

t(p_t^i) < t(p_r^{ij}).

But from the timer expiration implication rule we get that the response timer must have been set earlier by the request reception, i.e.

Res_i . D_i ⇐ D_{T_i} . p_t^i ⇐ q_r^i . D_{T_i} ⇐ D_i

and t(p_t^i) = t(q_r^i) + Exp_i. Hence t(q_r^i) < t(p_t^i) is readily satisfied, and we need not add any constraints on the expiration timers or delays to satisfy this condition.

Thus the inequalities formulated by the algorithm to produce worst-case behavior are

t(p_r^{ij}) < t(q_r^i)  or  t(p_t^i) < t(p_r^{ij}).
E Best-case Analysis

Using a similar approach to the above analysis, the algorithm identifies the transition rcv_res: p_r, D_T → D as the wanted transition. Hence t(W) = t(p_r) and t(C) = t(q_r). The unwanted transition is the transition res_tmr, and t(U) = t(p_t).

For system i the inequalities become

t(q_r^i) < t(p_r^{ij})

and either

t(p_t^i) < t(q_r^i)

or

t(p_r^{ij}) < t(p_t^i).

But from the backward implication we have t(q_r^i) < t(p_t^i). Hence the algorithm encounters a contradiction, and the inequality t(p_t^i) < t(q_r^i) cannot be satisfied.

Thus the inequalities formulated by the algorithm to produce worst-case behavior are

t(q_r^i) < t(p_r^{ij})  and  t(p_r^{ij}) < t(p_t^i).
E Mathematical Model for Solving the System of Inequalities

In this section we present the general model of the constraints, or inequalities, generated by our method. As a first step we form a linear programming problem and attempt to find a solution. If a solution is not found, then we form a mixed nonlinear programming problem to get the maximum number of feasible constraints.

In general, the system of inequalities generated by our method to obtain worst- or best-case scenarios can be formulated as a linear programming problem. In our case, satisfying all the constraints, regardless of the objective function, leads to obtaining the absolute worst/best case. For example, in the case of worst-case overhead analysis this means obtaining the scenario leading to no suppression.

The inequalities formulated by our method, as given in Section , are as follows.

For the worst-case behavior:

d_Qi + Exp_i < d_Qj + Exp_j + d_ji   or   d_Qi > d_Qj + Exp_j + d_ji

For the best-case behavior:

d_Qi + Exp_i > d_Qj + Exp_j + d_ji   and   d_Qi < d_Qj + Exp_j + d_ji
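The worst-case and best-case inequalities above, checked against an event-driven model of one timer-suppression round, as an added example in Python that is not part of the dissertation. The request from Q reaches member i after d_Qi, member i arms a response timer Exp_i, and a response heard from j while that timer runs (t(q_r^i) < t(p_r^ij) < t(p_t^i)) suppresses i; the functions then evaluate the inequalities in the same delay terms and compare them with what the round does. simulate, no_suppression_predicted and suppression_predicted are this example's own names, and the delays and timers are constructed values.

```python
# Added example (not from the dissertation): an event-driven model of one
# timer-suppression round, used to check the worst-case and best-case
# inequalities above against what a simulated round actually does.
# simulate, no_suppression_predicted and suppression_predicted are this
# example's own names; delays and timers below are constructed values.
import heapq

def simulate(d_q, d, exp):
    """One request round. d_q[i]: request delay Q->i; d[j][i]: response delay
    j->i; exp[i]: response timer of member i. Returns the responders."""
    n = len(exp)
    timers, responded, suppressed = {}, [], set()
    # Event kinds: 0 request received, 1 response heard, 2 timer fired.
    # At equal times a heard response is processed before a timer expiry.
    events = [(d_q[i], 0, i) for i in range(n)]
    heapq.heapify(events)
    while events:
        t, kind, i = heapq.heappop(events)
        if kind == 0:                          # q_r^i: request received, D -> D_T
            timers[i] = t + exp[i]
            heapq.heappush(events, (timers[i], 2, i))
        elif kind == 2:                        # res_tmr: timer fires, D_T -> D, p_t
            if i in suppressed:
                continue
            responded.append(i)
            for k in range(n):
                if k != i:
                    heapq.heappush(events, (t + d[i][k], 1, k))
        else:                                  # rcv_res at i: p_r nullifies D_T
            if i in timers and t < timers[i] and i not in responded:
                suppressed.add(i)
    return responded

def no_suppression_predicted(d_q, d, exp):
    """Worst case: for every i and every other j, either j's response reaches i
    before the request (t(p_r^ij) < t(q_r^i)) or after i's timer fired
    (t(p_t^i) < t(p_r^ij)); in delay terms, d_Qj + Exp_j + d_ji < d_Qi or
    d_Qi + Exp_i < d_Qj + Exp_j + d_ji."""
    n = len(exp)
    for i in range(n):
        t_qr, t_pt = d_q[i], d_q[i] + exp[i]
        for j in range(n):
            if j != i:
                t_pr = d_q[j] + exp[j] + d[j][i]
                if not (t_pr < t_qr or t_pt < t_pr):
                    return False
    return True

def suppression_predicted(i, j, d_q, d, exp):
    """Best case for the pair (i, j): t(q_r^i) < t(p_r^ij) < t(p_t^i)."""
    t_pr = d_q[j] + exp[j] + d[j][i]
    return d_q[i] < t_pr < d_q[i] + exp[i]
```

With equal unit delays and equal timers no member hears another response before its own timer fires, so all three respond and the worst-case inequality holds for every pair; shortening one timer makes that member's response arrive inside the others' timer windows, and the round collapses to a single response, which is what the best-case pair inequality predicts.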
The above systems of inequalities can be nicely represented by a linear programming model. The general form of a linear programming (LP) problem is

Maximize Z = C^T X = Σ_{i=1..n} c_i x_i
subject to A X ≤ B, X ≥ 0

where Z is the objective function, C is a vector of n constants c_i, X is a vector of n variables x_i, A is an m × n matrix and B is a vector of m elements.

The above problem can be solved practically in polynomial time using Karmarkar's method [Kar] or the simplex method [Dan], if a feasible solution exists.

In some cases, however, the absolute worst/best case may not be attainable, and it may not be possible to find a feasible solution to the above problem. In such cases we want to obtain the maximum feasible set of constraints in order to get the worst/best-case scenario. To achieve this we define the problem as follows:

Maximize Σ_{i=1..m} y_i
subject to y_i f_i(x) ≥ 0 for all i, y_i ∈ {0, 1} (or, equivalently, y_i^2 = y_i)

where f_i(x) ≥ 0 is the original constraint from the previous problem.

This problem is a mixed integer nonlinear programming (MINLP) problem that can be solved using branch and bound methods [BM].

E Multiple request rounds
In Section we conducted the protocol overhead analysis with the assumption that recovery will occur in one round of requests. In general, however, loss recovery may require multiple rounds of requests, and we need to consider the request timer as well as the response timers. Considering multiple timers or stimuli adds to the branching factor of the search. Some of these branches may not satisfy the timing and delay constraints. It would be more efficient, then, to incorporate timing semantics into the search technique to prune off infeasible branches.

Let us consider forward search first. For example, consider the global state q_t^i.R_T^i, having a transmitted request message and a request timer running. Depending on the timer expiration value Exp_i and the delay experienced by the message d_ij, we may get different successor states. If d_ij > Exp_i, then the request timer fires first, triggering the event Req_i, and we get q_t^i.Req_i as the successor state. Otherwise the request message will be received first, and the successor state will be q_r^j.R_T^i. Note that in this case the timer value must be decreased by d_ij and taken into consideration for further forward steps. This is illustrated in figure E. The condition for branching is given on the arrow of the branch, and the timer value of i is given by T_i.

[Figure E: Forward search for multiple simultaneous events. From q_ti.R_Ti: the branch d_i,j > Exp_i leads to q_ti.Req_i; the branch d_i,j < Exp_i leads to q_rj.R_Ti with T_i = Exp_i − d_i,j.]

For backward search, instead of decreasing timer values as is done with forward search, timer values are increased, and the starting point of the search is arbitrary in time, as opposed to time 0 for forward search.
T o illustrate consider the global state ha ving D
i
D
T
i
R
T
j
with the request timer
running at j and the resp onse timer ring at i Figure E sho ws the bac kw ard branc hing searc h with the timer v alues at eac h step
and the condition for eac h branc h In the rst state the timer T
Q
starts at an arbitrary
pointintime x and the timer T
i
is set to ie the timer expired triggering a resp onse
p
t
i
One step bac kw ard either the timer at i m ust ha v e b een started Exp
Q
x units in
the past or the resp onse timer m ust ha v e b een started Exp
i
units in the past Dep ending
on the relativ e v alues of these times some branc hes b ecome v alid The timer v alues at
eac h step are up dated accordingly Note that if a timer expires while a message is in
igh t ie transmitted but not y et receiv ed w e use the m subscript to denote it is still
m ulticast as in q
r m
in the gure
Sometimes the v alues of the timers and the dela ys are giv en as ranges or in terv als
F ollo wing wepresentho w branc hing decision are made when comparing in terv als
Figure E: Backward search for multiple simultaneous events. Starting state $Res_i.p_{t_i}.(D_i\,D_{T_i}).R_{T_Q}$ with $T_Q = x$ and $T_i = 0$. Branch $Exp_i < Exp_Q - x$: predecessor $q_{r_i}.(D_{T_i}\,D_i).R_{T_Q}$ with $T_Q = Exp_i + x$ and $T_i = Exp_i$; from there, the branch $d_{Q,i} < Exp_Q - (x + Exp_i)$ leads to $q_{t_Q}.D_i.(R_{T_Q}\,R_Q)$ and the branch $d_{Q,i} > Exp_Q - (x + Exp_i)$ leads to $q_{r_m}.D_{T_i}.(R_{T_Q}\,R_Q).q_{t_Q}$. Branch $Exp_i > Exp_Q - x$: predecessor $D_{T_i}.(R_{T_Q}\,R_Q).q_{t_Q}$ with $T_Q = Exp_Q$ and $T_i = Exp_Q - x$.
Branching decision for intervals

In order to conduct the search for multiple stimuli we need to check the constraints for each branch. To decide on the branches valid for search we compare values of timers and delays. These values are often given as intervals, e.g., $[a, b]$. Comparison of two intervals $Int_1 = [a_1, b_1]$ and $Int_2 = [a_2, b_2]$ is done according to the following rules. Branch $Int_1 > Int_2$ becomes valid if there exists a value in $[a_1, b_1]$ that is greater than a value in $[a_2, b_2]$, i.e., if there is overlap of more than one number between the intervals. We define the remaining relations similarly, i.e., if there are any numbers in the intervals that satisfy the relation, then the branch becomes valid.

For example, suppose we have three branch conditions (i), (ii) and (iii), each comparing $Exp_i$ with $Exp_j$ under one of the relations. For one pair of intervals for $Exp_i$ and $Exp_j$, all three branch conditions are valid according to the above definitions; for another pair, only branches (i) and (ii) are valid.
The above definitions are sufficient to cover the forward search branching. However, for backward search branching we may have an arbitrary value x, as noted above. For example, take the state $D_i.D_{T_i}.R_{T_Q}$. Consider the timer at Q, the expiration duration of which is $Exp_Q$ and the value of which is x, and the timer at i, the expiration duration of which is $Exp_i$ and the value of which is 0, as given in figure E. Depending on the relative values of $Exp_i$ and $Exp_Q - x$, the search follows some branches. If $Exp_Q = [a_Q, b_Q]$ then $x \le b_Q$ and $Exp_Q - x \in [0, b_Q]$. Hence we can apply the forward branching rules described earlier by taking $Exp_Q - x = [0, b_Q]$, as follows. Since $Exp_i = [a_i, b_i]$ where $a_i$ and $b_i$ are positive, the branch condition $Exp_i > Exp_Q - x$ is always true. The condition $Exp_i < Exp_Q - x$ is valid when (i) $Exp_i < Exp_Q$ or (ii) $Exp_i = Exp_Q$. The last condition, $Exp_i = Exp_Q - x$, is valid only if $Exp_i$ and $[0, b_Q]$ overlap, i.e., only if $a_i \le b_Q$.

These rules are integrated into the search algorithm for our method to deal with multiple stimuli and timers simultaneously.
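The branching rules above, worked through in code as an added example that is not part of the dissertation or its STRESS tooling. The names Interval, forward_branches and backward_branches are this example's own; it assumes the three relations compared are greater-than, less-than and equal, that a branch condition over intervals is valid when some pair of values from the two intervals satisfies it, and that a running timer value is never negative. It covers the forward step of figure E (delay versus request timer) and the backward step with an arbitrary timer value x, including the tighter bound one gets when x is known.

```python
# Added example (not from the dissertation): interval branching decisions
# for the forward and backward search steps.  Interval, forward_branches
# and backward_branches are this example's own names.  A branch condition
# over intervals is taken to be valid if SOME pair of values drawn from the
# two intervals satisfies it (the existential rule in the text), and the
# three relations compared are assumed to be >, < and =.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi]; a point value v is Interval(v, v)."""
    lo: float
    hi: float

    def __post_init__(self) -> None:
        if self.lo > self.hi:
            raise ValueError(f"empty interval [{self.lo}, {self.hi}]")

    # Existential comparisons: valid if some a in self and b in other satisfy them.
    def may_gt(self, other: "Interval") -> bool:
        return self.hi > other.lo

    def may_lt(self, other: "Interval") -> bool:
        return self.lo < other.hi

    def may_eq(self, other: "Interval") -> bool:
        return self.lo <= other.hi and other.lo <= self.hi  # the intervals overlap

    def minus(self, other: "Interval") -> "Interval":
        """self - other, clipped at zero: a running timer never goes negative."""
        return Interval(max(0.0, self.lo - other.hi), max(0.0, self.hi - other.lo))


# (branch condition, successor state, timer value T_i after the step)
Branch = Tuple[str, str, Interval]


def forward_branches(t_i: Interval, d_ij: Interval) -> List[Branch]:
    """Forward step from q_{t_i}.R_{T_i}: i has sent a request and its
    request timer holds t_i (Exp_i on the first step); the request is
    delayed by d_ij.  If d_ij > T_i the timer fires first (event Req_i);
    if d_ij < T_i the request reaches j first and T_i is decreased by d_ij.
    With intervals both branches may be valid at once."""
    branches: List[Branch] = []
    if d_ij.may_gt(t_i):
        branches.append(("d_ij > T_i", "q_{t_i}.Req_i", Interval(0.0, 0.0)))
    if d_ij.may_lt(t_i):
        branches.append(("d_ij < T_i", "q_{r_j}.R_{T_i}", t_i.minus(d_ij)))
    return branches


def backward_branches(exp_i: Interval, exp_q: Interval,
                      x: Optional[float] = None) -> List[str]:
    """Backward step from D_i.D_{T_i}.R_{T_Q}: the response timer at i has
    just expired (T_i = 0) and the request timer at Q holds x.  Going
    backward, Exp_i is compared with Exp_Q - x.  With x unknown (an
    arbitrary point in time) Exp_Q - x is bounded by [0, b_Q], as in the
    text; with x known the bound tightens to [max(0, a_Q - x), b_Q - x]."""
    if x is None:
        remaining = Interval(0.0, exp_q.hi)
    else:
        if not 0.0 <= x <= exp_q.hi:
            raise ValueError("timer value x must lie in [0, b_Q]")
        remaining = Interval(max(0.0, exp_q.lo - x), exp_q.hi - x)
    valid: List[str] = []
    if exp_i.may_gt(remaining):   # Q's timer start is met first going backward
        valid.append("Exp_i > Exp_Q - x")
    if exp_i.may_lt(remaining):   # i's response timer start is met first
        valid.append("Exp_i < Exp_Q - x")
    if exp_i.may_eq(remaining):   # both may have started at the same instant
        valid.append("Exp_i = Exp_Q - x")
    return valid


if __name__ == "__main__":
    # Constructed sample values (not from the dissertation).
    for cond, state, t in forward_branches(Interval(2, 4), Interval(1, 3)):
        print(f"forward: {cond:10} -> {state:16} T_i in [{t.lo}, {t.hi}]")
    print("backward, x unknown:", backward_branches(Interval(3, 5), Interval(10, 20)))
    print("backward, x = 18:   ", backward_branches(Interval(3, 5), Interval(10, 20), x=18))
```

With $Exp_i = [2, 4]$ and $d_{ij} = [1, 3]$ both forward branches survive, and the received-first branch carries the reduced timer $[0, 3]$ into the next step; with $d_{ij} = [5, 6]$ only the timer-fires-first branch remains. On the backward side, leaving x arbitrary keeps all three branches for $Exp_i = [3, 5]$, $Exp_Q = [10, 20]$, whereas fixing x = 18 prunes the search to the single branch in which Q's timer start is met first.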
Description
Ahmed Abdel-Ghaffar Helmy. "Systematic test synthesis for multipoint protocol design." Computer Science Technical Reports (Los Angeles, California, USA: University of Southern California. Department of Computer Science) no. 716 (1999).
Asset Metadata
Creator: Helmy, Ahmed Abdel-Ghaffar (author)
Core Title: USC Computer Science Technical Reports, no. 716 (1999)
Alternative Title: Systematic test synthesis for multipoint protocol design
Publisher: Department of Computer Science, USC Viterbi School of Engineering, University of Southern California, 3650 McClintock Avenue, Los Angeles, California, 90089, USA
Format: 158 pages (extent), technical reports (aat)
Language: English
Unique identifier: UC16269313
Identifier: 99-716 Systematic Test Synthesis for Multipoint Protocol Design (filename)
Legacy identifier: usc-cstr-99-716
Internet media type: application/pdf
Rights: Department of Computer Science (University of Southern California) and the author(s).
Copyright: In copyright - Non-commercial use permitted (https://rightsstatements.org/vocab/InC-NC/1.0/)
Source: 20180426-rozan-cstechreports-shoaf (batch); Computer Science Technical Report Archive (collection); University of Southern California. Department of Computer Science. Technical Reports (series)
Access conditions: The author(s) retain rights to their work according to U.S. copyright law. Electronic access is being provided by the USC Libraries, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository: USC Viterbi School of Engineering Department of Computer Science, Los Angeles, CA 90089 (csdept@usc.edu)
Collection: Computer Science Technical Report Archive, an archive of computer science technical reports published by the USC Department of Computer Science from 1991 to 2017 (coverage 1991/2017).