A Timed Rewriting Logic Semantics for SDL: A Case Study of the Alternating Bit Protocol by Steggles LJ & Kosiuczenko P
A Timed Rewriting Logic Semantics for SDL:
A Case Study of the Alternating Bit Protocol
L. J. Steggles (1) and P. Kosiuczenko (2).
(1) Department of Computer Science, University of Newcastle. email: L.J.Steggles@newcastle.ac.uk
(2) Institut für Informatik, Ludwig-Maximilians-Universität München. email: kosiucze@informatik.uni-muenchen.de
Abstract
SDL is an industrial standard formal description technique for telecommunication systems. Despite its widespread use and industrial importance it lacks at present an adequate formal semantics integrating its static, dynamic, and real-time aspects. Timed Rewriting Logic (TRL) is a new variant of Rewriting Logic, an algebraic formalism which allows the dynamic behaviour of systems to be axiomatised using rewrite rules. In TRL rewrite rules can be labelled with time constraints and this provides a means of reasoning about time elapse in real-time systems. TRL has been used to develop an object-oriented specification language Timed Maude for distributed real-time systems. In this paper we demonstrate the expressive power and versatility of Timed Maude by applying it to the definition of a formal semantics for SDL. The semantics we develop captures in an intuitive way the hierarchical structure of SDL specifications and integrates within one formalism the static and dynamic aspects of an SDL system. We demonstrate and motivate the semantics we develop by considering in detail a case study of the benchmark alternating bit protocol.
1 Introduction.
SDL (Specification and Description Language) is an industrial standard formal description technique (FDT) for real-time distributed systems. It was developed in the early 1970's by the CCITT (renamed the ITU-T) as a standard language for the description of telecommunication systems. Since then it has become increasingly popular as an FDT for industrial real-time systems, due in part to it having both a graphical and textual syntax. Various versions of the language have appeared but we consider only SDL-88 (see [6]), a widely used and supported version of the language. Despite being described as a formal language SDL does not at present have a complete, integrated and usable formal semantics. Given the widespread industrial use and importance of SDL there is a real need for a natural formal semantics of SDL to be developed which can be used to analyse and verify system specifications. To this end there have been several attempts in the past few years including semantics based on: process algebra [3], temporal logic [14] and duration calculus [17], and stream processing functions [5], [10] and [9]. With the exception of [9] these semantics focus on different views of SDL and formalize different parts of the language. In our opinion SDL still lacks a formal semantics which integrates within one unifying framework all the main aspects of the language.
In this paper we address this shortfall by proposing a natural, integrated formal semantics for SDL based on Timed Rewriting Logic (TRL). TRL (see for example [12]) is a new algebraic formalism for specifying real-time systems. TRL is based on Rewriting Logic (RL) [15], an algebraic formalism which extends standard algebraic specification techniques by allowing the dynamic behaviour of systems to be modelled using rewrite rules. As in RL the idea behind TRL is to define the static and functional aspects of a system using standard algebraic specifications and to then view terms over this specification as system states. The real-time behaviour of the system is then axiomatised by timed rewrite rules which define the possible concurrent state transitions of the system and thus enable us to reason about time elapse in real-time systems. RL has been used to define an object-oriented specification language called Maude which is described in [16]. A timed version of Maude has also been developed based on TRL (see for example [12]).
In the following we describe in detail how we can derive a Timed Maude specification which provides a formal model of the intended meaning of an SDL specification. We begin by considering how to use TRL to model basic SDL specifications [2]. We then consider modelling some of the more complex features of SDL including decision constructs and saving signals, and in particular, we consider using TRL to model SDL's concept of time and timers. We demonstrate our approach by a detailed case study of constructing a semantic model of the benchmark alternating bit protocol. We use this case study to discuss how our TRL model can be used to simulate and test SDL systems using the Maude rewriting tool. We also investigate how the TRL model can be used to analyse SDL systems and we derive some simple timing properties for the SDL alternating bit protocol system.
The semantic model we propose demonstrates the expressive power and versatility of TRL and Timed Maude. It utilises Timed Maude's object-oriented features and uses distinct objects to represent the processes, blocks and channels contained within an SDL system. Thus the structure of our semantics corresponds in a very natural way to that of an SDL specification. We also take advantage of Timed Maude's modular structuring mechanisms and each block in an SDL specification results in a corresponding module specification which imports the necessary subblock or process modules. Thus the resulting operational semantics captures in an intuitive way the hierarchical structure of an SDL specification. Our semantics has some key advantages over its predecessors. It integrates together the different views of an SDL specification including abstract data types, process, block and real-time descriptions and thus unifies the static and dynamic aspects within one formalism. It also provides an intuitive and natural formal basis for analysing SDL specifications and has the added advantage of efficient tool support provided by the Maude implementation. In our opinion the unifying approach and the use of a formal object-oriented specification language along with efficient tool support makes the new semantics interesting.
The paper is organised as follows. In Section 2 we introduce the necessary background material on TRL and Timed Maude. Then in Section 3 we present a brief overview of SDL. We consider modelling SDL specifications in Section 4 and demonstrate our ideas with a detailed case study of an SDL specification for the benchmark alternating bit protocol in Section 5. Finally, in Section 6 we make some concluding remarks.
2 Timed Rewriting Logic and Timed Maude.
In this section we briefly introduce Timed Rewriting Logic and its associated object-oriented specification language Timed Maude. For a detailed account of TRL and Timed Maude we refer the interested reader to [12], while for an example of its use see [19]. In the following we assume the reader is familiar with the basic theory of algebraic specification methods (see for example [20]).
2.1 Timed Rewriting Logic.
Rewriting Logic (RL) is an extension of standard algebraic specification techniques which is able to model dynamic system behaviour. In RL the functional and static properties of a system are described by standard algebraic specifications, whereas the dynamic behaviour of the system is modelled using rewrite rules. Terms over a given signature $\Sigma$ represent the global states (or configurations) of a system and rewrite rules model the dynamic transitions between these states. For a detailed introduction to RL see [15].
Timed Rewriting Logic (TRL) extends RL by allowing timing constraints to be added to rewrite rules. Every time dependent rewrite step in the system is labelled with a time stamp and this allows us to reason about time elapse in real-time systems. In TRL time is modelled abstractly by an archimedean monoid [12] and thus time can be modelled by the natural or real numbers. A timed rewrite rule is a literal written as $t_1 \xrightarrow{r} t_2$, where $r \in R^+$ and $t_1, t_2 \in T(\Sigma, X)_s$ are $\Sigma$-terms of the same sort $s$. Informally, this means that $t_1$ evolves to $t_2$ in time $r$ ($R^+$ is the domain of the underlying archimedean monoid). The basic rules of the rewriting calculus [15] are extended with time labels as follows: transitivity yields the addition of the time elapses; the congruence and replacement rules are modelled by synchronous composition (which allows us to enforce uniform time elapse in all components of a system); and reflexivity is modelled using a 0-time reflexivity rule which allows actions to be interleaved (see [12] for a more detailed account).
2.2 Timed Maude.
Timed Maude is an object-oriented real-time specification language which is based on TRL. Timed Maude extends the language Maude [16] by replacing concurrent rewriting with TRL. An object in Maude is represented by a tuple, more precisely by a term, comprising a unique object identifier, the class to which the object belongs and a set of attributes (local state). For example, the term $\langle p : P \mid state : S, saved : n \rangle$ represents an object with object identifier $p$ belonging to the class $P$. The attribute $state$ has value $S$ and the attribute $saved$ has value $n$. A message is a term that consists of the message's name, the identifier of the object the message is addressed to and, possibly, parameters (in mixfix notation). A Maude specification or program makes computational progress by rewriting its global state, referred to as its configuration. A configuration is a multiset, or bag, of objects and messages. The sorts $Msg$ of messages and $Obj$ of objects are considered as subsorts of the sort $Conf$ of configurations. Formally, a configuration is a term of the form
$$m_1 \otimes \cdots \otimes m_k \otimes O_1 \otimes \cdots \otimes O_l,$$
where $\otimes$ is the function symbol for multiset union modelling composition, $m_1, \ldots, m_k$ are messages (terms of sort $Msg$), and $O_1, \ldots, O_l$ are objects (terms of sort $Obj$). For brevity we often omit the symbol $\otimes$ in configurations, i.e. we write $m_1 \ldots m_k \; O_1 \ldots O_l$. The multiset union operator $\otimes$ is commutative, associative and has an identity $null$.
Congurations evolve by consuming and producing messages and removing and creating ob-
jects. This evolution is specied using timed rewrite rules which have the following general form
m
1
: : : m
n
< o
1
: C
1
j atts
1
> : : : < o
q
: C
q
j atts
q
>   r !
< o
i1
: C
0
i1
j atts
0
i1
> : : : < o
ik
: C
0
ik
j atts
0
ik
>< o
0
1
: D
1
j atts
00
1
> : : :
< o
0
p
: D
p
j atts
00
p
> m
0
1
: : : m
0
l
if Cond
In the above rule the messages m
1
; : : : ;m
n
are consumed and the new messages m
0
1
; : : : ;m
0
l
are
created. Objects occurring only on the left hand side of the rule are deleted, objects occurring
only on the right hand side are created, and those on both sides may change their local state.
The Boolean expression Cond is an optional rule condition or guard controlling the application
of the rule. The rewrite rule takes r time units to be performed.
3 Introduction to SDL.
SDL (Specification and Description Language) is a formal description technique (FDT) for real-time distributed systems. It was developed in the early 1970's by the CCITT as a standard language for the description of telecommunication systems. Since then several versions of the language have evolved, the most recent being an object-oriented version called SDL-92 (see [7] and [8]). This paper is based on SDL-88 [6], an earlier version of the language which is widely used and supported. For an introduction to SDL-88 we recommend [2].
SDL is an FDT providing both a graphical and textual syntax for specifications. An SDL specification describes a system which consists of a number of blocks which communicate with each other and the environment via a number of channels. Each block consists of a number of communicating sub-blocks until, at the lowest level, we have what we refer to as the atomic blocks. Atomic blocks consist only of processes which communicate with each other and the associated block channels via signal routes. Note that a block never contains both processes and sub-blocks. This hierarchical system structure is illustrated in figure 1 where the squares represent blocks and the rounded boxes represent processes. The behaviour of the entire system is derived by combining the behaviour of all the processes in the system.
Figure 1: The structure of an SDL system specification.
A process can be viewed as an extended finite state machine which works autonomously but concurrently with other processes. Processes communicate with each other by sending and receiving signals and each process has a unique process identification number (pid) which is normally used to address signals. We note that signals sent via signal routes suffer no delay, whereas signals sent along channels are assumed to suffer a non-deterministic delay. Each process has an explicit state but can also contain local variables which can influence state transitions. Each process has a single unbounded input queue and all incoming signals from its associated signal routes are placed on this queue in the order they arrive (simultaneous signals are ordered non-deterministically). States are assumed to be stable positions and state transitions are normally triggered by the consumption of a signal from the process's input queue. If the next input signal does not cause a state transition to occur then it is simply discarded (referred to as an implicit transition). During a transition local variables may be updated. The behaviour of a process can be specified using a graphical notation, summarised in figure 2, which describes state transitions, consumption of input signals, and local variable updates.
Figure 2: The main graphical symbols for specifying SDL processes: state symbol <state>, input symbol <sig(p)>, output symbol <sig(p)>, task symbol <task>, decision symbol <cond>.
In SDL time is represented by two sorts, Time which represents absolute time and Duration representing relative time. Both of these sorts are considered to be copies of the real numbers. In any given SDL system it is assumed that there is an absolute global time which all processes in the system can access via the Now expression (which always evaluates to the current absolute time). However, since SDL is used to model distributed systems it is assumed that no synchronisation of events in different processes can be based on Now. In SDL processes mainly gain access to time via the use of timers. A timer can be set by a process to expire at some absolute time (usually defined using the Now construct). When a timer expires it places a predefined timeout signal on the input queue of the process which created it. Once a timer has been set it is said to be active and it remains active until either it has expired and its timeout signal has been consumed, or it is reset. When a timer is reset any timeout signal it has generated is removed from the process's input queue. We note that setting a timer necessarily involves first resetting the timer. Since a reset removes any existing timeout signals from the process's input queue we know that only one timeout signal from a particular timer can ever be in a process's input queue at any one time.
4 A TRL Semantics for SDL.
In this section we outline a new semantic model for SDL based on TRL. We formulate a general approach to modelling SDL and in particular, consider modelling decision constructs, saved signals, and timers. The approach we develop will be demonstrated in the next section when we consider in detail how to construct a TRL semantics for an SDL specification of the benchmark alternating bit protocol.
An SDL specification can be viewed as consisting of two parts: a static part defining the system's physical structure and data types; and a dynamic part which defines the system's behaviour. The static part of an SDL specification will be modelled using the standard algebraic specification methods provided by Maude. Note that abstract data types in SDL are already defined using algebraic techniques and thus can be straightforwardly coded into Maude. The dynamic part of an SDL specification will be modelled using (timed) rewrite rules. In this way we integrate both static and dynamic aspects of an SDL system within a single semantic framework.
At the lowest level an SDL specification defines process types which taken collectively specify the overall behaviour of the system. Consider an SDL process type $P$ which can be in states $S_1, \ldots, S_n$ and has local variables $x_1, \ldots, x_m$. Then to model $P$ we introduce a new class $ProP$ and a new sort $StateP$ with constants $S_1, \ldots, S_n$. Process $P$ will be modelled in Maude using two objects $P \otimes Q_P$, where $P$ is the process's main body and $Q_P$ represents the process's input queue. (This division is necessary in order to prevent a process being blocked during communication, as explained below.) The objects have the form
$$P = \langle p : ProP \mid St : S_i, x_1 : u_1, \ldots, x_m : u_m \rangle, \qquad Q_P = \langle p : InQ \mid Q : q \rangle,$$
where $p$ is a unique object identifier representing the process's pid, $ProP$ is the class for processes of type $P$, and $InQ$ is the class for input queues. The attribute $St$ stores the current state $S_i$ of process $P$, each attribute $x_i$ stores the current value $u_i$ of the corresponding variable, and $Q$ stores the current input queue $q$ for the process.
In SDL processes communicate with other processes by sending/receiving signals using signal routes and channels. We do not explicitly represent signal routes within our model. Instead they are implicitly modelled by restricting the allowed communication between objects within the same block. The dynamic behaviour of a process is modelled using rewrite rules. Each possible state transition is modelled using three steps: (i) first we read the next input signal(s); (ii) next we perform any actions on the process's local variables; and (iii) finally we perform the appropriate outputs and enter the final state of the transition. Time is only allowed to pass in step (ii) and this ensures that reading and sending signals does not block the processes involved. As an example consider figure 3 in which process $P1$ when in state $S$ and reading signal $s$ can perform a transition to a state $S'$, updating the value of its local variable $x$ to $u'$ and outputting a signal $s'$ to process $P2$ (assumed to be in the same block). Let us assume this is the $i$th possible state transition from state $S$ and that the update takes $t$ time units. Then we model this state transition using two new intermediate states $S_{i,1}$ and $S_{i,2}$ as follows.
Figure 3: An example of a state transition (state $S$, input $s$, task $x := u'$, output $s'$, state $S'$).
(* Step 1: Read input signal to initiate transition *)
$$\langle p1 : ProP1 \mid St : S \rangle \otimes \langle p1 : InQ \mid Q : s.q_1 \rangle \xrightarrow{0} \langle p1 : ProP1 \mid St : S_{i,1} \rangle \otimes \langle p1 : InQ \mid Q : q_1 \rangle;$$
(* Step 2: Perform updates and allow time to pass *)
$$\langle p1 : ProP1 \mid St : S_{i,1}, x : u \rangle \xrightarrow{t} \langle p1 : ProP1 \mid St : S_{i,2}, x : u' \rangle;$$
(* Step 3: Output signals *)
$$\langle p1 : ProP1 \mid St : S_{i,2} \rangle \otimes \langle p2 : InQ \mid Q : q_2 \rangle \xrightarrow{0} \langle p1 : ProP1 \mid St : S' \rangle \otimes \langle p2 : InQ \mid Q : q_2.s' \rangle.$$
For brevity we introduce a new notation $\stackrel{t}{\Longrightarrow}$ to allow the above three rules to be expressed as a single compound rule:
$$\langle p1 : ProP1 \mid St : S, x : u \rangle \otimes \langle p1 : InQ \mid Q : s.q_1 \rangle \otimes \langle p2 : InQ \mid Q : q_2 \rangle \stackrel{t}{\Longrightarrow} \langle p1 : ProP1 \mid St : S', x : u' \rangle \otimes \langle p1 : InQ \mid Q : q_1 \rangle \otimes \langle p2 : InQ \mid Q : q_2.s' \rangle.$$
Note we always assume that the above order of input, update and output is followed during a state transition. Any state transition which does not observe this order can be straightforwardly transformed into one that does by simply adding extra temporary states. In order to model the behaviour of processes we also require rules for discarding signals (implicit transitions), and allowing process objects to progress in time. These rules are straightforward to formulate and for brevity are omitted here.
An atomic block $B$ containing processes $P_1, \ldots, P_n$ is modelled by an object
$$B = \langle b : Blk \mid Ps : P_1 \otimes Q_1 \otimes \cdots \otimes P_n \otimes Q_n \rangle,$$
where $Blk$ is the class for blocks, $b$ is a unique block identifier and the attribute $Ps$ stores the current configuration of processes in the block. Communication between blocks occurs along channels which we model explicitly by objects of the form $C = \langle c : Chan \mid Q : q \rangle$, where $Chan$ is the class for channels, $c$ is a unique object identifier and $Q$ is an attribute storing a queue of signals being transmitted. We have a general reflexivity rule for channels
$$\langle c : Chan \mid Q : q \rangle \xrightarrow{1} \langle c : Chan \mid Q : q \rangle,$$
which allows time to pass for channel objects. A general block $B$ consisting of subblocks $B_1, \ldots, B_n$ and channels $C_1, \ldots, C_m$ is simply modelled by an appropriate object of type $Blk$, i.e.
$$B = \langle b : Blk \mid Ps : C_1 \otimes \cdots \otimes C_m \otimes B_1 \otimes \cdots \otimes B_n \rangle.$$
Signals are passed between channels and their associated blocks by formulating appropriate synchronous rewrite rules for communication. For example, suppose in the previous example $P1$ which is in block $B1$ needs to use a channel $C$ to communicate to $P2$ which is in a different block. Then we simply replace step (iii) in the above example with the following rule:
$$\langle b1 : Blk \mid Ps : \langle p1 : ProP1 \mid St : S_{i,2} \rangle \otimes cf \rangle \otimes \langle c : Chan \mid Q : q_1 \rangle \xrightarrow{0} \langle b1 : Blk \mid Ps : \langle p1 : ProP1 \mid St : S' \rangle \otimes cf \rangle \otimes \langle c : Chan \mid Q : q_1.s' \rangle,$$
where $cf$ is a variable of type configuration. We note that the transmission of signals from a channel to a process can be modelled in a similar way. The non-deterministic delay associated with sending signals along channels is automatically incorporated by the reflexivity rule for channels and the non-deterministic nature of applying rewrite rules.
Finally, a system $Sys$ containing at the top level blocks $B_1, \ldots, B_n$, input channels $I_1, \ldots, I_m$ and output channels $O_1, \ldots, O_k$ is simply modelled as a block object
$$\langle sys : Blk \mid Ps : I_1 \otimes \cdots \otimes I_m \otimes B_1 \otimes \cdots \otimes B_n \otimes O_1 \otimes \cdots \otimes O_k \rangle.$$
The system configuration stored in $Ps$ evolves by concurrently applying the rewrite rules derived for the blocks, channels and processes contained within the SDL system.
(Timed) Maude provides a module system that allows a specification to be constructed hierarchically. We use this module system to structure our TRL semantics of SDL; each block has a corresponding Timed Maude object module and subblock modules are imported as required. Thus the Timed Maude module structure of our semantics closely resembles the hierarchical structure of the given SDL system. Given the range of renaming and parameterization operations provided by Maude, the approach also facilitates the reuse of block specifications.
It is straightforward to incorporate many of the more complex features of SDL into this semantic model and as illustrative examples we now consider modelling decision constructs, the save signal construct, and timers within our framework.
4.1 Decision and Save Constructs.
We begin this subsection by considering how to model the two main branching constructs available for choosing between a set of transitions. The first branching construct we consider is the decision construct which allows transitions to branch depending on some conditional expression. As an example consider the decision construct depicted in figure 4(a). After the process $P$ reads signal $s$ in state $S$ the decision command allows the process to enter state $S1$ if local variable $c$ is greater than 9, or state $S2$ if $c$ is less than or equal to 9. Let the objects $\langle p : Pro \mid St : S, c : n \rangle \otimes \langle p : InQ \mid Q : q \rangle$ represent the process $P$ and its input queue, and assume an equational axiomatisation of the greater than function $> : Nat \times Nat \to Bool$. Then assuming the evaluation of the conditional takes $t$ time units we can model the transition using the following (conditional) compound rules:
Figure 4: (a) The decision construct: in state $S$ on input $s$, decision $c > 9$, Yes to $S1$, No to $S2$. (b) The any construct: in state $S$ on input $s$, Any, to $S1$ or $S2$.
$$\langle p : Pro \mid St : S, c : n \rangle \otimes \langle p : InQ \mid Q : s.q \rangle \stackrel{t}{\Longrightarrow} \langle p : Pro \mid St : S1, c : n \rangle \otimes \langle p : InQ \mid Q : q \rangle \quad \text{if } (n > 9),$$
$$\langle p : Pro \mid St : S, c : n \rangle \otimes \langle p : InQ \mid Q : s.q \rangle \stackrel{t}{\Longrightarrow} \langle p : Pro \mid St : S2, c : n \rangle \otimes \langle p : InQ \mid Q : q \rangle \quad \text{if } not(n > 9).$$
(The attribute $c : n$ is written on both sides so that the variable $n$ tested in the condition is bound by the left hand side.) Note in the above we treat each of the possible paths through the decision construct as a separate transition which will have its own intermediate states.
The second branching construct SDL provides is called the any construct which allows a non-deterministic choice between a set of possible transitions. An example of such a rule is depicted in figure 4(b). It is straightforward to model the non-deterministic any construct by having a compound rule to represent each possible transition and then using the built in non-determinism of rewriting logic to choose which rule to apply.
In SDL a process normally consumes signals in the order in which they arrive at the input queue and any signal which is not explicitly mentioned as an input in a particular state is simply discarded. However, often it is necessary to store or save signals which would normally be discarded so that they can be used in future states. SDL provides a construct to allow this, referred to as the save construct. An example of the save construct is depicted in figure 5; this specifies a transition from a state $S$ to the state $S1$ if the next signal is $s_1 \in Sigset$, where $Sigset$ is the set of possible input signals. However, there is a set of signals $ss \subseteq Sigset$, $ss \cap \{s_1\} = \emptyset$, which we want to save and this is indicated by the save box (slanted rectangle symbol). Let the objects
Figure 5: An example of the save construct (state $S$, input $s_1$ to state $S1$, save box $ss$).
$\langle p : Pro \mid St : S, SQ : q_0 \rangle \otimes \langle p : InQ \mid Q : q \rangle$ represent the process in question, where $SQ$ is an additional attribute used to store a queue of saved signals ($SQ$ is initially empty). Then we can model the save command using the following rules:
(i) first we have a compound rule to axiomatise what happens if the next signal is $s_1$ (assuming the transition takes $t$ time units)
$$\langle p : Pro \mid St : S, SQ : q_0 \rangle \otimes \langle p : InQ \mid Q : s_1.q \rangle \stackrel{t}{\Longrightarrow} \langle p : Pro \mid St : S1, SQ : empty \rangle \otimes \langle p : InQ \mid Q : q_0.q \rangle,$$
(ii) next for each $s \in ss$ we have a rule to save $s$ in the save queue
$$\langle p : Pro \mid St : S, SQ : q_0 \rangle \otimes \langle p : InQ \mid Q : s.q \rangle \xrightarrow{0} \langle p : Pro \mid St : S, SQ : q_0.s \rangle \otimes \langle p : InQ \mid Q : q \rangle,$$
(iii) finally we have the standard discard rule for each signal $s \in Sigset$ such that $s \notin \{s_1, s_2\} \cup ss$.
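The three save rules above, run over a constructed input queue, as an added example that is not code from the paper. The process object $\langle p : Pro \mid St : S, SQ : q_0 \rangle$ and its queue $\langle p : InQ \mid Q : q \rangle$ are one dictionary each; the names $S$, $S1$, $s_1$, $ss$, $Sigset$ and $SQ$ are the paper's, while the concrete signal alphabet, the queue contents and the duration $t = 1$ are assumptions made here. It shows the detail a reader can miss in rule (i): the saved queue $q_0$ is put back at the front of the remaining input, so saved signals are the first ones consumed in $S1$, in the order in which they were saved.

```python
"""Added example (not from the paper): the save construct of Section 4.1,
rules (i) transition, (ii) save and (iii) discard, driven over a queue."""


def save_step(proc, inq, s1, ss, sigset, t=1):
    """Apply the one rule that matches the head of the input queue.

    proc is {"St": state, "SQ": saved signals}, inq is {"Q": input queue}.
    Returns the time label of the rule applied (t for the transition,
    0 for a save or a discard), or None when the queue is empty.
    """
    if not inq["Q"]:
        return None
    head, rest = inq["Q"][0], inq["Q"][1:]
    if head not in sigset:
        raise ValueError(f"{head!r} is not a signal of Sigset")
    if head == s1:
        # rule (i): take the transition S -> S1; the saved queue q0 goes
        # back to the front of the input so it is consumed first in S1
        proc["St"], inq["Q"] = "S1", proc["SQ"] + rest
        proc["SQ"] = []
        return t
    if head in ss:
        # rule (ii): the signal is moved to the save queue in zero time
        proc["SQ"], inq["Q"] = proc["SQ"] + [head], rest
        return 0
    # rule (iii): implicit transition, the signal is discarded
    inq["Q"] = rest
    return 0


def run_until_transition(queue, s1="s1", ss=("a", "b"),
                         sigset=("s1", "a", "b", "c")):
    """Drive a process in state S with an empty save queue until rule (i)
    fires or the input queue runs dry.  The signal alphabet is constructed:
    s1 triggers the transition, a and b are saved, c is discarded.
    Returns (state, saved queue, remaining input, time elapsed)."""
    proc, inq, clock = {"St": "S", "SQ": []}, {"Q": list(queue)}, 0
    while proc["St"] == "S":
        r = save_step(proc, inq, s1, set(ss), set(sigset))
        if r is None:
            break
        clock += r
    return proc["St"], proc["SQ"], inq["Q"], clock


if __name__ == "__main__":
    print(run_until_transition(["a", "c", "b", "s1", "c"]))
```

For the queue a, c, b, s1, c the two saved signals survive, the discarded c is lost, and the process reaches $S1$ after one time unit with input queue a, b, c: the saved signals precede the c that was still behind $s_1$.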
4.2 Time and Timers.
To simplify our discussion of time we choose to use discrete time in the sequel and thus we think of the sorts Time and Duration as being the natural numbers. In fact, as discussed in [3], there are a number of strong reasons motivating the choice of discrete time. (For a treatment of dense time within the Maude framework we refer the interested reader to [12].)
In practice the global time which is available in SDL systems is only used to set timers to expire in some relative time via the Now construct. For this reason we have chosen not to explicitly model a global time but instead to allow timers to act as counters which produce a timeout signal after a specified period of time [12]. We model timers using objects of the form
$$\langle tm : Tm \mid time : t, P : p, TO : b \rangle,$$
where $tm$ is of sort $Timer$ (a subsort of both $OId$ and $Signal$) and $Tm$ is the class of timer objects. In the above object timer $tm$ has $t$ time units left before it outputs a timeout signal $tm$ to its creating process $p$. The attribute $TO$ indicates if a timeout signal has been sent (needed since a timer remains active after sending a timeout signal). The names of the timers which are currently active for a process $P$ are stored within the process using an additional attribute $TS$ (we will see in the next section that this extra information is needed to axiomatise the resetting of timers). To make use of this queue of active timers we introduce two auxiliary functions: $Active : Timer \times Que \to Bool$ which uses $TS$ to tell us if a timer is active; and $Rem : Timer \times Que \to Que$ which removes a timer signal from a queue of signals or timers.
The following are general rules which model the passage of time for timers, what happens when a timer expires, and the passage of time once a timeout signal has been sent by a timer.
$$\langle tm : Tm \mid time : t + r \rangle \xrightarrow{r} \langle tm : Tm \mid time : t \rangle,$$
$$\langle tm : Tm \mid time : 0, P : p, TO : False \rangle \otimes \langle p : InQ \mid Q : q \rangle \xrightarrow{0} \langle tm : Tm \mid time : 0, P : p, TO : True \rangle \otimes \langle p : InQ \mid Q : q.tm \rangle,$$
$$\langle tm : Tm \mid time : 0, TO : True \rangle \xrightarrow{r} \langle tm : Tm \mid time : 0, TO : True \rangle.$$
We demonstrate how we model the use of timers in the next section in a Timed Maude specification of the alternating bit protocol.
5 Case Study of The Alternating Bit Protocol.
In this section we demonstrate the TRL semantic model for SDL outlined in the previous section by considering a case study of the well-known benchmark alternating bit protocol [1]. We begin with an informal introduction to the alternating bit protocol and by presenting an SDL specification for it. We then consider how the various SDL constructs contained in this example can be formalised using TRL, and present a TRL semantics for part of the SDL specification. We conclude by considering how the TRL model we construct can be used to analyse the timing properties of the alternating bit protocol.
5.1 An SDL Specification of the Alternating Bit Protocol.
The alternating bit protocol is a simple data link protocol designed to allow reliable communication over an unreliable physical layer [1]. We assume that the unreliable physical layer can lose messages but that it does not corrupt or rearrange them. The idea behind the protocol is simple; the sending and receiving processes use a single bit (0 or 1) to check that a message has been successfully transmitted across the unreliable physical layer. The sender transmits its next message plus its current check bit value to the receiver and then waits for an acknowledgement. On receiving an acknowledgement containing the correct check bit the sender may assume its message has been received and so flips its check bit value and sends the next message. However, if the sender doesn't receive an acknowledgement within a set time limit or receives an acknowledgement with the wrong check bit, it assumes the message has been lost and resends it. On receiving a message with the correct check bit the receiver sends an acknowledgement with the check bit to the sender and then flips its check bit. If the check bit is wrong then the receiver assumes its last acknowledgement has been lost and resends it using the previous check bit value. To specify the
Figure 6: SDL system specification for the alternating bit protocol (System AltBit: block ABP with processes ABP1 and ABP2, block UPL with processes P1 and P2; channels IN, OUT, C1, C2, C3, C4; signals PDin, PDout, MD, ID).
alternating bit protocol using SDL we begin with a system specification AltBit, pictured in figure 6, which contains two atomic blocks: the ABP block which represents the protocol layer; and the UPL block representing the unreliable physical transmission layer. The ABP block communicates with the environment via two channels IN and OUT, and communication between the two blocks is achieved via four channels: C1, C2, C3 and C4. Each atomic block contains two processes which define their behaviour; block UPL contains processes P1 and P2, and block ABP contains processes ABP1 and ABP2. For brevity we only present the SDL specification of processes ABP1 and ABP2, pictured in figures 7 and 8, which respectively perform the task of the sender and receiver (as detailed above).
5.2 Constructing the TRL model.
In this subsection we now consider how to apply the approach introduced in Section 4 to construct a Timed Maude specification which represents the intended semantics of the alternating bit protocol specification described above. We begin at the lowest level by modelling the processes, we then model their associated atomic blocks, and finally define a block to represent the complete SDL alternating bit protocol system.
Figure 7: SDL Specification of process ABP1 (Sender). (Declarations: Dcl Bt, B Bit; D Data; TOut Timer. States Start, Input, Transmit, Wait; inputs PDin(D), TOut, MD(Ack,B); output MD(D,Bt); tasks Bt:=0, Bt:=flip(Bt), Set(Now+T,TOut), Reset(TOut); decision Bt = B with branches Yes and No.)
As an example we consider the atomic block ABP and its processes ABP1 and ABP2. To model these processes we introduce two new classes $ABP1$ and $ABP2$ and the following process object bodies (with associated input queue objects $Q1$ and $Q2$)
$$ABP1 = \langle a1 : ABP1 \mid St : S1, TS : ts, SQ : q_0, D : d1, B : b1, Bt : b2 \rangle,$$
$$ABP2 = \langle a2 : ABP2 \mid St : S2, D : d2, B : b3, Bt : b4 \rangle,$$
where $a1$ and $a2$ are unique pids. The attributes $D, B, Bt$ represent local variables; attribute $TS$ has been added to store the current list of active timers for ABP1 and $SQ$ is the attribute needed to implement the save construct (see Section 4.1). Next we need to introduce a block object to model each block in the specification. Following on with our example we will have a block object to model the atomic block ABP
$$\langle abp : Blk \mid Ps : ABP1 \otimes Q1 \otimes ABP2 \otimes Q2 \rangle.$$
Each possible state transition in the system will be modelled by an appropriate compound rewrite rule (as described in the previous section). Again continuing our example, consider process ABP1 and its state transition from state input when it receives a PDin(d) signal. We model this transition as follows:

    < a1 : ABP1 | St : input; D : d1; Bt : b > ⊗ < a1 : InQ | Q : PDin(d):q >
      =1⇒ < a1 : ABP1 | St : transmit; D : d; Bt : flip(b) > ⊗ < a1 : InQ | Q : q >.

Note that we have allocated an upper bound time constraint of one time unit on this transition (as we do for all transitions in this example). This has been chosen arbitrarily, but in practice a value would be given according to the timing properties of the transmission medium used.
[Figure 8: SDL specification of process ABP2 (Receiver). Declarations: Dcl Bt, B Bit; D Data. States Start, Input, Choice; input MD(D,B); outputs PDout(D), MD(Ack,Bt); tasks Bt := 0, Bt := flip(Bt); decision Bt = B (Yes/No).]
Following this approach we can derive a Timed Maude semantics for the SDL specification of the alternating bit protocol. For brevity we present only the Timed Maude module modelling the atomic block ABP. The specification makes use of three predefined Timed Maude modules: Bit, Data and SDLBase. The Bit module simply axiomatises the type Bit with constants 0 and 1, and the function flip : Bit → Bit which flips a bit value. The module Data specifies a sort for data elements and contains a distinguished constant Ack. The final module SDLBase is assumed to contain the fundamental sort, class and function definitions, and the rules, which have been formulated in the previous sections for modelling SDL specifications. These modules are straightforward to define and so for brevity have been omitted.
    omod ABPBlock is
      Protecting Bit; Data.
      Extending SDLBase.
      Sorts StateABP1; StateABP2.
      Constants
        a1; a2 : PId.
        TOut : Timer.
        start; input; transmit; setT; wait : StateABP1.
        input; transmit; setT; wait_1; wait_2; wait_3 : StateABP1.
        start; input; choice; input; choice_1; choice_2 : StateABP2.
        abp; in; out; c1; c2; c3; c4 : OId.
      Functions
        MD : Data × Bit → Signame.
        PDin : Data → Signame.
        PDout : Data → Signame.
      Classes
        ABP1 | St : StateABP1; TS : Que; SQ : Que; D : Data; B : Bit; Bt : Bit.
        ABP2 | St : StateABP2; D : Data; B : Bit; Bt : Bit.
      Variables
        d : Data.
        b; b1; b2; b3 : Bit.
        bl : Bool.
        t; t1 : Time.
        q; q0; q1; q2; tq : Que.
        cf : Conf.
      Rules
      (* Rules for Process ABP1 *)
      (* Start -> Input: Initial transition which sets attribute Bt to 0 *)
        < a1 : ABP1 | St : start; Bt : b >  −1→  < a1 : ABP1 | St : input; Bt : 0 >.
      (* Input -> Transmit: PDin signal read so flip bit and store data *)
        < a1 : ABP1 | St : input; D : d1; Bt : b > ⊗ < a1 : InQ | Q : PDin(d):q >
          =1⇒ < a1 : ABP1 | St : transmit; D : d; Bt : flip(b) > ⊗ < a1 : InQ | Q : q >.
      (* Input -> Input: Discard rule for MD signal *)
        < a1 : ABP1 | St : input; D : d1; Bt : b > ⊗ < a1 : InQ | Q : MD(d; b1):q >
          −0→ < a1 : ABP1 | St : input; D : d1; Bt : b > ⊗ < a1 : InQ | Q : q >.
      (* Transmit -> SetT: Transmit signal MD *)
        < abp : Blk | Ps : < a1 : ABP1 | St : transmit; D : d; Bt : b > ⊗ cf > ⊗ < c2 : Chan | Q : q >
          =1⇒ < abp : Blk | Ps : < a1 : ABP1 | St : setT; D : d; Bt : b > ⊗ cf > ⊗ < c2 : Chan | Q : q:MD(d; b) >.
      (* SetT -> Wait: Set timer TOut: 2 Cases *)
      (* Case 1: Timer is already active *)
        < a1 : ABP1 | St : setT; TS : ts > ⊗ < a1 : InQ | Q : q >
          −0→ < a1 : ABP1 | St : setT; TS : ts > ⊗ < a1 : InQ | Q : Rem(TOut; q) >
          if Active(TOut; ts) = True.
        < a1 : ABP1 | St : setT > ⊗ < TOut : Tm | time : t1; P : a1; TO : bl >
          −1→ < a1 : ABP1 | St : wait > ⊗ < TOut : Tm | time : T; P : a1; TO : False >.
      (* Case 2: Timer is inactive so create timer object *)
        < a1 : ABP1 | St : setT; TS : ts >
          −1→ < a1 : ABP1 | St : wait; TS : ts:TOut > ⊗ < TOut : Tm | time : T; P : a1; TO : False >
          if Active(TOut; ts) = False.
      (* Wait -> Transmit: Time out signal TOut read so remove timer *)
        < a1 : ABP1 | St : wait; SQ : q0; TS : ts > ⊗ < a1 : InQ | Q : TOut:q > ⊗ < TOut : Tm | P : a1 >
          =1⇒ < a1 : ABP1 | St : transmit; SQ : empty; TS : Rem(TOut; ts) > ⊗ < a1 : InQ | Q : q0:q >.
      (* Wait -> Input or Transmit: MD(Ack,b) signal read so 2 Choices *)
      (* Choice 1: -> Input: Bt equals input b so reset timer TOut: 2 Cases *)
        < a1 : ABP1 | St : wait; TS : ts; SQ : q0; B : b1; Bt : b2 > ⊗ < a1 : InQ | Q : MD(Ack; b):q >
          =1⇒ < a1 : ABP1 | St : input; TS : ts; SQ : empty; B : b; Bt : b2 > ⊗ < a1 : InQ | Q : q0:q >
          if (b2 = b) ∧ Active(TOut; ts) = False.
        < a1 : ABP1 | St : wait; TS : ts; SQ : q0; B : b1; Bt : b2 > ⊗ < a1 : InQ | Q : MD(Ack; b):q >
          ⊗ < TOut : Tm | time : t; P : a1; TO : bl >
          =1⇒ < a1 : ABP1 | St : input; TS : Rem(TOut; ts); SQ : empty; B : b; Bt : b2 >
          ⊗ < a1 : InQ | Q : q0:Rem(TOut; q) >
          if (b2 = b) ∧ Active(TOut; ts) = True.
      (* Choice 2: -> Transmit: Bt not equal to input b so retransmit *)
        < a1 : ABP1 | St : wait; SQ : q0; B : b1; Bt : b2 > ⊗ < a1 : InQ | Q : MD(Ack; b):q >
          =1⇒ < a1 : ABP1 | St : transmit; SQ : empty; B : b; Bt : b2 > ⊗ < a1 : InQ | Q : q0:q >
          if (b2 ≠ b).
      (* Wait -> Wait: PDin signal read so save *)
        < a1 : ABP1 | St : wait; SQ : q0 > ⊗ < a1 : InQ | Q : PDin(d):q >
          −0→ < a1 : ABP1 | St : wait; SQ : q0:PDin(d) > ⊗ < a1 : InQ | Q : q >.
      (* Transmit data from channel C1 to process ABP1 *)
        < c1 : Chan | Q : MD(d; b):q1 > ⊗ < abp : Blk | Ps : < a1 : InQ | Q : q > ⊗ cf >
          −0→ < c1 : Chan | Q : q1 > ⊗ < abp : Blk | Ps : < a1 : InQ | Q : q:MD(d; b) > ⊗ cf >.
      (* Transmit data from channel IN to process ABP1 *)
        < in : Chan | Q : PDin(d):q1 > ⊗ < abp : Blk | Ps : < a1 : InQ | Q : q > ⊗ cf >
          −0→ < in : Chan | Q : q1 > ⊗ < abp : Blk | Ps : < a1 : InQ | Q : q:PDin(d) > ⊗ cf >.
      (* Rules for Process ABP2 *)
      (* Start -> Input: Initial transition which sets Bt to 0 *)
        < a2 : ABP2 | St : start; Bt : b >  −1→  < a2 : ABP2 | St : input; Bt : 0 >.
      (* Input -> Choice: MD signal read so flip Bt *)
        < a2 : ABP2 | St : input; D : d1; B : b1; Bt : b > ⊗ < a2 : InQ | Q : MD(d; b2):q >
          =1⇒ < a2 : ABP2 | St : choice; D : d; B : b2; Bt : flip(b) > ⊗ < a2 : InQ | Q : q >.
      (* Choice -> Input: Make choice depending on Bt and B *)
      (* Choice 1: Bt equals B so output data and acknowledgement *)
        < abp : Blk | Ps : < a2 : ABP2 | St : choice; D : d; B : b1; Bt : b2 > ⊗ cf >
          ⊗ < out : Chan | Q : q > ⊗ < c4 : Chan | Q : q1 >
          =1⇒ < abp : Blk | Ps : < a2 : ABP2 | St : input; D : d; B : b1; Bt : b2 > ⊗ cf >
          ⊗ < out : Chan | Q : q:PDout(d) > ⊗ < c4 : Chan | Q : q1:MD(Ack; b2) >
          if (b2 = b1).
      (* Choice 2: Bt not equal to B so flip Bt and output old acknowledgement *)
        < abp : Blk | Ps : < a2 : ABP2 | St : choice; B : b1; Bt : b2 > ⊗ cf > ⊗ < c4 : Chan | Q : q >
          =1⇒ < abp : Blk | Ps : < a2 : ABP2 | St : input; B : b1; Bt : flip(b2) > ⊗ cf >
          ⊗ < c4 : Chan | Q : q:MD(Ack; flip(b2)) >
          if (b2 ≠ b1).
      (* Transmit data from channel C3 to process ABP2 *)
        < c3 : Chan | Q : MD(d; b):q1 > ⊗ < abp : Blk | Ps : < a2 : InQ | Q : q > ⊗ cf >
          −0→ < c3 : Chan | Q : q1 > ⊗ < abp : Blk | Ps : < a2 : InQ | Q : q:MD(d; b) > ⊗ cf >.
    endom
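To see the ABP1 and ABP2 rules above (and the informal sender/receiver description of Section 5.1) behave on sample input, the following Python simulation is added here; it is not part of the paper or its Timed Maude model. It walks the state machines of figures 7 and 8 over a simplified UPL layer which, as an assumption of this model, forwards one signal per time unit and loses each with a fixed probability (the paper's P1 and P2 rules are not shown), so the retransmission counts it reports are this model's, not those of figure 9.

```python
from collections import deque
from random import Random

def flip(b):                  # the Bit module's flip : Bit -> Bit
    return 1 - b

def run_abp(data, T, loss=0.0, seed=1, limit=5000):
    """Run ABP1 (Figure 7) and ABP2 (Figure 8) over a UPL layer that drops each
    signal with probability `loss`; one loop iteration is one time unit.
    Returns (PDout sequence delivered on OUT, number of retransmissions)."""
    rng = Random(seed)
    c1, c2, c3, c4 = deque(), deque(), deque(), deque()     # channels of Figure 6
    inq1 = deque(("PDin", d) for d in data)                 # ABP1 input queue, fed via IN
    inq2, out, sq = deque(), [], deque()                    # ABP2 queue, OUT, save queue SQ
    s = {"st": "input", "D": None, "Bt": 0, "timer": None}  # ABP1 after Start: Bt := 0
    r = {"st": "input", "D": None, "B": 0, "Bt": 0}         # ABP2 after Start: Bt := 0
    retx = 0

    def leave_wait(state):    # restore saved PDin signals (SQ) to the front of the queue
        inq1.extendleft(reversed(sq)); sq.clear(); s["st"] = state
        if state == "input": s["timer"] = None              # Reset(TOut)

    for now in range(limit):
        if len(out) == len(data): break
        for src, dst in ((c2, c3), (c4, c1)):   # UPL (P1, P2): forward or lose one signal
            if src:
                sig = src.popleft()
                if rng.random() >= loss: dst.append(sig)
        if c3: inq2.append(c3.popleft())        # zero-time channel -> InQ rules
        if c1: inq1.append(c1.popleft())
        st = s["st"]                            # ---- ABP1 (sender) ----
        if st == "input" and inq1:              # Input: PDin read; an MD signal is discarded
            sig = inq1.popleft()
            if sig[0] == "PDin": s["D"], s["Bt"], s["st"] = sig[1], flip(s["Bt"]), "transmit"
        elif st == "transmit":                  # Transmit -> SetT: MD(D, Bt) onto C2
            c2.append(("MD", s["D"], s["Bt"])); s["st"] = "setT"
        elif st == "setT":                      # SetT -> Wait: Set(Now + T, TOut)
            s["timer"], s["st"] = now + T, "wait"
        elif st == "wait":
            if inq1 and inq1[0][0] == "PDin": sq.append(inq1.popleft())   # save PDin
            elif inq1:                          # MD(Ack, b) read: Choice 1 or Choice 2
                leave_wait("input" if inq1.popleft()[2] == s["Bt"] else "transmit")
                retx += s["st"] == "transmit"
            elif s["timer"] is not None and now >= s["timer"]:           # TOut expired
                leave_wait("transmit"); retx += 1
        if r["st"] == "input" and inq2:         # ---- ABP2 (receiver): MD(d, b) read ----
            _, r["D"], r["B"] = inq2.popleft(); r["Bt"], r["st"] = flip(r["Bt"]), "choice"
        elif r["st"] == "choice":
            if r["Bt"] == r["B"]: out.append(r["D"])      # Choice 1: PDout(D) onto OUT
            else: r["Bt"] = flip(r["Bt"])                 # Choice 2: duplicate, flip back
            c4.append(("MD", "Ack", r["Bt"])); r["st"] = "input"   # MD(Ack, Bt) onto C4
    return out, retx
```

With loss set to 0, a timer value below this model's acknowledgement round trip still delivers every message but produces spurious retransmissions, which is the lower-bound question Section 5.3 asks of the paper's own timings.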
5.3 Analysing the TRL model.
The above Timed Maude specification provides a precise and natural formal semantics for the SDL specification of the alternating bit protocol. The specification can be simulated using the efficient software implementation of the Maude language (see [18] for an account of modelling TRL in RL), and this allows us to rapidly prototype and test the SDL system. (Note that other efficient rewrite engines were considered, such as ELAN [4], but the Maude tool was chosen because it is closer to our semantics and has a very efficient prototype implementation.) The specification also provides a basis for analysing the SDL specification; for example, it is natural to want to investigate timing properties of the SDL system and in particular to consider what constitutes a lower bound for the timer expiration time T. The simple timing diagram shown below in figure 9 can be easily extracted from the Maude specification. It shows that under "perfect" conditions (i.e. no message loss) it takes at least 10 units of time for the sender to receive an acknowledgement for a sent message (under the timing constraints we have specified). This represents a lower bound for the timer, i.e. T must be greater than or equal to 9 for the protocol to work correctly (under normal fairness assumptions).
[Figure 9: Time graph for sending a message in perfect conditions. Time runs downwards for the processes ABP1, P1, P2 and ABP2; ABP1 sets timer TOut after sending. Message sequence: PDin(d) into ABP1; MD(d,b) from ABP1 into the UPL layer; ID(d,b) between P1 and P2; MD(d,b) into ABP2; PDout(d) output; MD(Ack,b) from ABP2 into the UPL layer; ID(Ack,b) between P2 and P1; MD(Ack,b) back to ABP1.]
6 Concluding Remarks.
In this paper we have presented a comprehensive formal semantics for SDL based on Timed Rewriting Logic. This new semantics has a number of key advantages over its predecessors, including: a natural correspondence between the structure of the semantics and the corresponding SDL constructs; integration of the static and dynamic views of an SDL specification within a single unifying formalism; and the associated support tools for simulation. The semantics we have presented also provides valuable insight into the formal description technique SDL. It demonstrates that TRL and its associated object-oriented specification language Timed Maude form a natural and expressive formalism which is well suited to specifying and reasoning about real-time dynamic systems. Coupled with the tool support provided by the Maude system, TRL can be seen as an effective formal framework in which to design and develop complex real-time systems.
In future work we intend to consider extending our semantics to the object-oriented features of SDL-92 [8], making further use of Maude's object-oriented features. Though our semantics allows us to describe real-time systems, its operational style makes it difficult to express more complex real-time requirements. It therefore may be reasonable to consider in future work combining our approach with temporal logic (see [14] and [17]) and to consider extending the SDL syntax accordingly. Finally we note that SDL specifications are closely related to message sequence charts (MSCs) [11]. In future work we intend to investigate the relationship between these two real-time FDTs using the formal semantics presented in this paper and the work developed in [13].
Acknowledgements. It is a pleasure to thank U. Hinkel, K. Meinke and M. Wirsing for their helpful comments and advice during the preparation of this paper. We also gratefully acknowledge the financial support of the British Council and DAAD which has made this collaborative work possible.
References
[1] K. A. Bartlett, R. A. Scantlebury and P. T. Wilkinson. A Note on Reliable Full-Duplex Transmission over Half-Duplex Links. Communications of the ACM, 12(5):260-261, 1969.
[2] F. Belina and D. Hogrefe. The CCITT Specification and Description Language SDL. Computer Networks and ISDN Systems, 16:311-341, 1989.
[3] J. A. Bergstra and C. Middelburg. Process Algebra Semantics of φSDL. In: Proc. of ACP '95, The Second Workshop on Algebra of Communicating Processes, Eindhoven University of Technology, Department of Mathematics and Computing Science, pages 309-346, Report No. 95-14, 1995.
[4] P. Borovansky, C. Kirchner, H. Kirchner, P.-E. Moreau and M. Vittek. ELAN: A Logical Framework Based on Computational Systems. In: J. Meseguer (ed), 1st Int. Workshop on Rewriting Logic and its Applications, Electronic Notes in Theoretical Computer Science, Vol. 4, 1996.
[5] M. Broy. Towards a formal foundation of the specification and description language SDL. Formal Aspects of Computing, 3:21-57, 1991.
[6] CCITT. Recommendation Z.100 - Functional Specification and Description Language (SDL), BLUE BOOK, Fascicle X.1 and X.5, Volume X. International Telecommunication Union, 1988.
[7] CCITT. Revised Recommendation Z.100 - CCITT Specification and Description Language (SDL), COM X-R 26, Geneva, May 1992.
[8] O. Færgemand and A. Olsen. Introduction to SDL-92. Computer Networks and ISDN Systems, 26:1143-1167, 1994.
[9] U. Hinkel. A formal semantics for SDL based on FOCUS. Ph.D. Thesis, Technical University Munich, 1998. (In preparation.)
[10] E. Holz and K. Stølen. An Attempt to Embed a Restricted Version of SDL as a Target Language in Focus. In: D. Hogrefe and S. Leue (eds), Formal Description Techniques VII, Chapman and Hall, 1995.
[11] ITU-TS Recommendation Z.120. Message Sequence Charts (MSC). ITU-TS, Geneva, 1996.
[12] P. Kosiuczenko and M. Wirsing. Timed rewriting logic with an application to object-based specification. Science of Computer Programming, 28:225-246, 1997.
[13] P. Kosiuczenko. Time in Message Sequence Charts: A Formal Approach. Proceedings of EuroPar '97, LNCS 1300, Springer-Verlag, 1997.
[14] S. Leue. Specifying Real-Time Requirements for SDL Specifications - A Temporal Logic-Based Approach. Procs. of 15th Int. Symp. on Protocol Specification, Testing, and Verification, Chapman and Hall, 1995.
[15] J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96:73-155, 1992.
[16] J. Meseguer. A logical theory of concurrent objects and its realization in the Maude language. In: G. Agha, P. Wegner and A. Yonezawa (eds), Research Directions in Concurrent Object-Oriented Programming, MIT Press, 1993.
[17] S. Mørk, J. Godskesen, M. Hansen and R. Sharp. A Timed Semantics for SDL. In: R. Gotzhein and J. Bredereke (eds), Formal Description Techniques IX, Chapman and Hall, 1996.
[18] P. Ölveczky and J. Meseguer. Specifying Real-Time Systems in Rewriting Logic. Electronic Notes in Theoretical Computer Science, 4:283-308, 1996.
[19] P. Ölveczky, P. Kosiuczenko and M. Wirsing. Steamboiler specification problem: an algebraic object-oriented solution. In: J. R. Abrial, E. Boerger, H. Langmaack (eds), Formal Methods for Industrial Applications, Lecture Notes in Computer Science 1165, Springer-Verlag, 1996.
[20] M. Wirsing. Algebraic specification. In: J. van Leeuwen (ed), Handbook of Theoretical Computer Science, Vol. B, pages 675-788, North Holland, Amsterdam, 1990.