asm specification comment: definition of an ASM for the concrete level of the Mondex refinement. Only parts of this ASM (STARTFROM#, REQ# etc.) are used in the definitions of concrete operations of the Mondex refinement. Proving ASM refinement directly is future work and may require small corrections to the ASM definition.; using set-nat genname initether status set-PayDetails messagelist declaration initial state exLog := λ na. ∅ ether := {λ msg. isStartTo(msg)} ∪ {λ msg. isStartFrom(msg)} ∪ {⊥} status := λ na. idle final state msgl = [] CSTEP# choose receiver with authentic(receiver) in let msg = hd msgl in msgl := tl msgl seq COP# COP# IGNORE# ∨ ABORT# ∨ INCREASE# ∨ if isStartFrom(msg) then ABORT# ∨ ABORT# seq STARTFROM# else if isStartTo(msg) then ABORT# ∨ ABORT# seq STARTTO# else if isreq(msg) ∧ status(receiver) = epr then REQ# else if isval(msg) ∧ status(receiver) = epv then VAL# else if isack(msg) ∧ status(receiver) = epa then ACK# else ABORT# seq LOSEMSG# LOSEMSG# choose newether with newether ⊆ ether ++ outmsg in ether := newether IGNORE# outmsg := ⊥ INCREASE# choose n with nextSeqNo(receiver) ≤ n in nextSeqNo(receiver) := n seq outmsg := ⊥ STRICTINCREASE# choose n with nextSeqNo(receiver) < n in nextSeqNo(receiver) := n LOGIFNEEDED# if status(receiver) = epa ∨ status(receiver) = epv then exLog(receiver) := exLog(receiver) ++ pdAuth(receiver) ABORT# LOGIFNEEDED# seq status(receiver) := idle seq INCREASE#(receiver; nextSeqNo, outmsg) seq outmsg := ⊥ STARTFROM# let msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if msg ∈ ether ∧ authentic(msgna) ∧ receiver ≠ msgna ∧ value ≤ balance(receiver) ∧ status(receiver) = idle then pdAuth(receiver) := mkpd(receiver, nextSeqNo(receiver), msgna, msgno, value) status(receiver) := epr outmsg := ⊥ seq STRICTINCREASE# else IGNORE# STARTTO# let msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if msg ∈ ether ∧ authentic(msgna) ∧ receiver ≠ msgna ∧ status(receiver) = idle then pdAuth(receiver) := mkpd(msgna, msgno, receiver, nextSeqNo(receiver), value) status(receiver) := epv seq outmsg := req(pdAuth(receiver)) seq STRICTINCREASE# else IGNORE# ∨ ABORT# REQ# if msg ∈ ether ∧ msg = req(pdAuth(receiver)) then balance(receiver) := balance(receiver) - pdAuth(receiver) .value status(receiver) := epa outmsg := val(pdAuth(receiver)) else IGNORE# VAL# if msg ∈ ether ∧ msg = val(pdAuth(receiver)) then balance(receiver) := balance(receiver) + pdAuth(receiver) .value status(receiver) := idle outmsg := ack(pdAuth(receiver)) else IGNORE# ACK# if msg ∈ ether ∧ msg = ack(pdAuth(receiver)) then status(receiver) := idle outmsg := ⊥ else IGNORE# end asm specification asm specification comment: definition of an ASM for the concrete level of the Mondex refinement. Only parts of this ASM (STARTFROM#, REQ# etc.) are used in the definitions of concrete operations of the Mondex refinement. Proving ASM refinement directly is future work and may require small corrections to the ASM definition.; using set-nat genname initether status set-PayDetails messagelist target procedures CASM# : (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset × message × messagelist nonfunctional indeterministic; CSTEP# : (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset × message × messagelist nonfunctional indeterministic; COP# name × message : (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset × message nonfunctional indeterministic; LOSEMSG# message : messageset nonfunctional indeterministic; IGNORE# : message; INCREASE# name : (name → nat) × message nonfunctional indeterministic; STRICTINCREASE# name : (name → nat) nonfunctional indeterministic; LOGIFNEEDED# name × (name → status) × (name → PayDetails) : (name → PayDetailsSet) nonfunctional; ABORT# name × (name → PayDetails) : (name → PayDetailsSet) × (name → status) × (name → nat) × message nonfunctional indeterministic; STARTFROM# message × name × (name → nat) × messageset : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × message nonfunctional indeterministic; STARTTO# message × name × messageset : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × message nonfunctional indeterministic; REQ# message × name × (name → PayDetails) × messageset : (name → nat) × (name → status) × message nonfunctional indeterministic; VAL# message × name × (name → PayDetails) × messageset : (name → nat) × (name → status) × message nonfunctional indeterministic; ACK# message × name × (name → PayDetails) × messageset : (name → status) × message nonfunctional indeterministic; variables balance : name → nat; exLog : name → PayDetailsSet; status : name → status; nextSeqNo : name → nat; pdAuth : name → PayDetails; ether, newether : messageset; msgno, value : nat; msgna, receiver : name; messages : messageset; msg, outmsg : message; declaration asm : CASM# (var balance, exLog, status, nextSeqNo, pdAuth, ether, outmsg, msgl) begin exLog := λ na. ∅, ether := {λ msg. isStartTo(msg)} ∪ {λ msg. isStartFrom(msg)} ∪ {⊥} , status := λ na. idle ; while msgl ≠ [] do CSTEP#(; balance, exLog, status, nextSeqNo, pdAuth, ether, outmsg, msgl) end; CSTEP# (var balance, exLog, status, nextSeqNo, pdAuth, ether, outmsg, msgl) begin var receiver with authentic(receiver) in var msg = hd msgl in begin msgl := tl msgl ; COP#(receiver, msg; balance, exLog, status, nextSeqNo, pdAuth, ether, outmsg) end end; COP# (receiver, msg; var balance, exLog, status, nextSeqNo, pdAuth, ether, outmsg) begin IGNORE#(; outmsg) ∨ begin ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) ∨ begin INCREASE#(receiver; nextSeqNo, outmsg) ∨ if isStartFrom(msg) then begin ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) ∨ begin ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) ; STARTFROM#(msg, receiver, balance, ether; exLog, status, nextSeqNo, pdAuth, outmsg) end end else if isStartTo(msg) then begin ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) ∨ begin ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) ; STARTTO#(msg, receiver, ether; exLog, status, nextSeqNo, pdAuth, outmsg) end end else if isreq(msg) ∧ status(receiver) = epr then REQ#(msg, receiver, pdAuth, ether; balance, status, outmsg) else if isval(msg) ∧ status(receiver) = epv then VAL#(msg, receiver, pdAuth, ether; balance, status, outmsg) else if isack(msg) ∧ status(receiver) = epa then ACK#(msg, receiver, pdAuth, ether; status, outmsg) else ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) end end ; LOSEMSG#(outmsg; ether) end; LOSEMSG# (outmsg; var ether) begin var newether with newether ⊆ ether ++ outmsg in ether := newether end; IGNORE# (var outmsg) begin outmsg := ⊥ end; INCREASE# (receiver; var nextSeqNo, outmsg) begin var n with nextSeqNo(receiver) ≤ n in nextSeqNo(receiver) := n ; outmsg := ⊥ end; STRICTINCREASE# (receiver; var nextSeqNo) begin var n with nextSeqNo(receiver) < n in nextSeqNo(receiver) := n end; LOGIFNEEDED# (receiver, status, pdAuth; var exLog) begin if status(receiver) = epa ∨ status(receiver) = epv then exLog(receiver) := exLog(receiver) ++ pdAuth(receiver) end; ABORT# (receiver, pdAuth; var exLog, status, nextSeqNo, outmsg) begin LOGIFNEEDED#(receiver, status, pdAuth; exLog) ; status(receiver) := idle ; INCREASE#(receiver; nextSeqNo, outmsg) ; outmsg := ⊥ end; STARTFROM# (msg, receiver, balance, ether; var exLog, status, nextSeqNo, pdAuth, outmsg) begin var msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if msg ∈ ether ∧ authentic(msgna) ∧ receiver ≠ msgna ∧ value ≤ balance(receiver) ∧ status(receiver) = idle then begin pdAuth(receiver) := mkpd(receiver, nextSeqNo(receiver), msgna, msgno, value), status(receiver) := epr, outmsg := ⊥ ; STRICTINCREASE#(receiver; nextSeqNo) end else begin IGNORE#(; outmsg) ∨ ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) end end; STARTTO# (msg, receiver, ether; var exLog, status, nextSeqNo, pdAuth, outmsg) begin var msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if msg ∈ ether ∧ authentic(msgna) ∧ receiver ≠ msgna ∧ status(receiver) = idle then begin pdAuth(receiver) := mkpd(msgna, msgno, receiver, nextSeqNo(receiver), value), status(receiver) := epv ; outmsg := req(pdAuth(receiver)) ; STRICTINCREASE#(receiver; nextSeqNo) end else begin IGNORE#(; outmsg) ∨ ABORT#(receiver, pdAuth; exLog, status, nextSeqNo, outmsg) end end; REQ# (msg, receiver, pdAuth, ether; var balance, status, outmsg) begin if msg ∈ ether ∧ msg = req(pdAuth(receiver)) then balance(receiver) := balance(receiver) - pdAuth(receiver) .value, status(receiver) := epa, outmsg := val(pdAuth(receiver)) else IGNORE#(; outmsg) end; VAL# (msg, receiver, pdAuth, ether; var balance, status, outmsg) begin if msg ∈ ether ∧ msg = val(pdAuth(receiver)) then balance(receiver) := balance(receiver) + pdAuth(receiver) .value, status(receiver) := idle, outmsg := ack(pdAuth(receiver)) else IGNORE#(; outmsg) end; ACK# (msg, receiver, pdAuth, ether; var status, outmsg) begin if msg ∈ ether ∧ msg = ack(pdAuth(receiver)) then status(receiver) := idle, outmsg := ⊥ else IGNORE#(; outmsg) end; end asm specification