asm specification comment: approximate specification of the intermediate level of the Mondex case study as an ASM: we take messages directly from the ether instead of from an input list (+ check whether in ether). Also we do not group operations (e.g. ABORT with STARTFROM) since there is no need to do so: an ASM can execute ABORT by its own decision, and must not read an input in doing so. IGNORE operations as present in the original operations have been dropped too for the same reason.; using set-nat genname status set-message set-PayDetails initial state exLog := λ na. ∅ ether := {λ msg. isStartTo(msg)} ∪ {λ msg. isStartFrom(msg)} ∪ {⊥} state := λ na. idle final state ether = ∅ BSTEP# choose msg, fail?, receiver with (msg ∈ ether ∧ authentic(receiver)) in if isStartTo(msg) ∧ state(receiver) = idle then STARTTO# else if isStartFrom(msg) ∧ state(receiver) = idle then STARTFROM# else if isreq(msg) ∧ state(receiver) = epr then REQ# else if isval(msg) ∧ state(receiver) = epv then VAL# else if isack(msg) ∧ state(receiver) = epa then ACK# else ABORT# seq ether := ether ++ outmsg ABORT# choose n with nextSeqNo(receiver) ≤ n in if state(receiver) = epa ∨ state(receiver) = epv then exLog(receiver) := exLog(receiver) ++ pdAuth(receiver) seq state(receiver) := idle nextSeqNo(receiver) := n outmsg := ⊥ STARTFROM# let msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if authentic(msgna) ∧ ¬ fail? ∧ receiver ≠ msgna ∧ value ≤ balance(receiver) then choose n with nextSeqNo(receiver) < n in begin pdAuth(receiver) := mkpd(receiver, nextSeqNo(receiver), msgna, msgno, value) state(receiver) := epr seq nextSeqNo(receiver) := n outmsg := ⊥ else outmsg := ⊥ STARTTO# let msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if authentic(msgna) ∧ ¬ fail? ∧ receiver ≠ msgna then choose n with nextSeqNo(receiver) < n in pdAuth(receiver) := mkpd(msgna, msgno, receiver, nextSeqNo(receiver), value) state(receiver) := epv seq outmsg := req(pdAuth(receiver)) nextSeqNo(receiver) := n else outmsg := ⊥ REQ# if msg = req(pdAuth(receiver)) ∧ ¬ fail? then balance(receiver) := balance(receiver) - pdAuth(receiver) .value state(receiver) := epa seq outmsg := val(pdAuth(receiver)) else outmsg := ⊥ VAL# if msg = val(pdAuth(receiver)) ∧ ¬ fail? then balance(receiver) := balance(receiver) + pdAuth(receiver) .value state(receiver) := idle outmsg := ack(pdAuth(receiver)) else outmsg := ⊥ ACK# if msg = ack(pdAuth(receiver)) ∧ ¬ fail? then state(receiver) := idle outmsg := ⊥ else outmsg := ⊥ end asm specification asm specification comment: approximate specification of the intermediate level of the Mondex case study as an ASM: we take messages directly from the ether instead of from an input list (+ check whether in ether). Also we do not group operations (e.g. ABORT with STARTFROM) since there is no need to do so: an ASM can execute ABORT by its own decision, and must not read an input in doing so. IGNORE operations as present in the original operations have been dropped too for the same reason.; using set-nat genname status set-message set-PayDetails target procedures BASM# : (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset × message nonfunctional indeterministic; BSTEP# : (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset × message nonfunctional indeterministic; ABORT# name × (name → PayDetails) : (name → PayDetailsSet) × (name → status) × (name → nat) × message nonfunctional indeterministic; STARTFROM# message × bool × name × (name → nat) : (name → status) × (name → nat) × (name → PayDetails) × message nonfunctional indeterministic; STARTTO# message × bool × name : (name → status) × (name → nat) × (name → PayDetails) × message nonfunctional indeterministic; REQ# message × name × bool × (name → PayDetails) : (name → nat) × (name → status) × message nonfunctional; VAL# message × name × bool × (name → PayDetails) : (name → nat) × (name → status) × message nonfunctional; ACK# message × name × bool × (name → PayDetails) : (name → status) × message nonfunctional; variables balance : name → nat; exLog : name → PayDetailsSet; state : name → status; nextSeqNo : name → nat; pdAuth : name → PayDetails; ether, newether : messageset; fail?, fin : bool; msgno, value : nat; msgna, receiver : name; messages : messageset; msg, outmsg : message; declaration asm : BASM# (var balance, exLog, state, nextSeqNo, pdAuth, ether, outmsg) begin exLog := λ na. ∅, ether := {λ msg. isStartTo(msg)} ∪ {λ msg. isStartFrom(msg)} ∪ {⊥} , state := λ na. idle ; while ether ≠ ∅ do BSTEP#(; balance, exLog, state, nextSeqNo, pdAuth, ether, outmsg) end; BSTEP# (var balance, exLog, state, nextSeqNo, pdAuth, ether, outmsg) begin var msg, fail?, receiver with (msg ∈ ether ∧ authentic(receiver)) in begin if isStartTo(msg) ∧ state(receiver) = idle then STARTTO#(msg, fail?, receiver; state, nextSeqNo, pdAuth, outmsg) else if isStartFrom(msg) ∧ state(receiver) = idle then STARTFROM#(msg, fail?, receiver, balance; state, nextSeqNo, pdAuth, outmsg) else if isreq(msg) ∧ state(receiver) = epr then REQ#(msg, receiver, fail?, pdAuth; balance, state, outmsg) else if isval(msg) ∧ state(receiver) = epv then VAL#(msg, receiver, fail?, pdAuth; balance, state, outmsg) else if isack(msg) ∧ state(receiver) = epa then ACK#(msg, receiver, fail?, pdAuth; state, outmsg) else ABORT#(receiver, pdAuth; exLog, state, nextSeqNo, outmsg) ; ether := ether ++ outmsg end end; ABORT# (receiver, pdAuth; var exLog, state, nextSeqNo, outmsg) begin var n with nextSeqNo(receiver) ≤ n in begin if state(receiver) = epa ∨ state(receiver) = epv then exLog(receiver) := exLog(receiver) ++ pdAuth(receiver) ; state(receiver) := idle, nextSeqNo(receiver) := n, outmsg := ⊥ end end; STARTFROM# (msg, fail?, receiver, balance; var state, nextSeqNo, pdAuth, outmsg) begin var msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if authentic(msgna) ∧ ¬ fail? ∧ receiver ≠ msgna ∧ value ≤ balance(receiver) then var n with nextSeqNo(receiver) < n in begin pdAuth(receiver) := mkpd(receiver, nextSeqNo(receiver), msgna, msgno, value), state(receiver) := epr ; nextSeqNo(receiver) := n, outmsg := ⊥ end else outmsg := ⊥ end; STARTTO# (msg, fail?, receiver; var state, nextSeqNo, pdAuth, outmsg) begin var msgna = msg .name, value = msg .value, msgno = msg .nextSeqNo in if authentic(msgna) ∧ ¬ fail? ∧ receiver ≠ msgna then var n with nextSeqNo(receiver) < n in begin pdAuth(receiver) := mkpd(msgna, msgno, receiver, nextSeqNo(receiver), value), state(receiver) := epv ; outmsg := req(pdAuth(receiver)), nextSeqNo(receiver) := n end else outmsg := ⊥ end; REQ# (msg, receiver, fail?, pdAuth; var balance, state, outmsg) begin if msg = req(pdAuth(receiver)) ∧ ¬ fail? then begin balance(receiver) := balance(receiver) - pdAuth(receiver) .value, state(receiver) := epa ; outmsg := val(pdAuth(receiver)) end else outmsg := ⊥ end; VAL# (msg, receiver, fail?, pdAuth; var balance, state, outmsg) begin if msg = val(pdAuth(receiver)) ∧ ¬ fail? then balance(receiver) := balance(receiver) + pdAuth(receiver) .value, state(receiver) := idle, outmsg := ack(pdAuth(receiver)) else outmsg := ⊥ end; ACK# (msg, receiver, fail?, pdAuth; var state, outmsg) begin if msg = ack(pdAuth(receiver)) ∧ ¬ fail? then state(receiver) := idle, outmsg := ⊥ else outmsg := ⊥ end; end asm specification