Transacted Memory for Smart Cards by Hartel, Pieter H. et al.
Transated Memory for Smart Cards
1
Pieter H. Hartel, Mihael J. Butler, Eduard de Jong, and Mark Longley
fphh,mjbges.soton.a.uk and Eduard.deJongSun.COM
Delarative Systems and Software Engineering Group
Tehnial Report DSSE-TR-2000-9
August 16 2000
Department of Eletronis and Computer Siene
University of Southampton
Higheld, Southampton SO17 1BJ, United Kingdom
1
This work was supported by Sun Mirosystems In, USA and by Senter, The Netherlands under ontrat nr ITG94130
Transated Memory for Smart Cards
y
Pieter H. Hartel
z
, Mihael J. Butler
z
, Eduard de Jong
x
, and Mark Longley
z
August 17, 2000
Abstrat
A transated memory that is implemented using EEP-
ROM tehnology oers persistene, undoability and au-
diting. The transated memory system is formally spe-
ied in Z, and rened in two steps to a prototype C im-
plementation / SPIN model. Conlusions are oered both
on the transated memory system itself and on the devel-
opment proess involving multiple notations and tools.
1 Introdution
The purpose of transation proessing [1℄ is to provide
atomi updates of arbitrarily sized information. Smart
ards need suh a faility as any transation an easily be
aborted by pulling the smart ard out of the Card A-
eptane Devie (CAD). Smart ards provide limited re-
soures. High-end smart ards today oer 64KB of ROM,
64KB of EEPROM and 2KB of RAM. These limitations
make tehniques developed for mainstream transation
proessing systems inappropriate for smart ards.
Current smart ard solutions, inluding Java
1
Card im-
plementations [13℄ typially maintain a log of old values,
while an updated value is being onstruted [4℄. The log
is leared one the transation is ommitted. If required,
the logs an be used to provide the audit trail for seurity.
Current smart ard implementations, by their very na-
ture, view the memory as a resoure, used to support a
transation proessing API. We present a novel (patented)
view [3℄, whih embeds the transation apabilities into
the memory system itself. Transated memory allows an
arbitrary sequene of items to be written as a single trans-
ation to the memory. The spae required for suh a se-
quene may even exeed the size of the RAM. An audit
trail is automatially provided. The disadvantage of our
system is an inreased EEPROM requirement to twie the
y
This work was supported by Sun Mirosystems In, USA and
by Senter, The Netherlands under ontrat nr ITG94130
z
Dept. of Eletronis and Computer Siene, Univ. of
Southampton, UK, Email: fphh, mjbges.soton.a.uk
x
Sun Mirosystems, In. Palo Alto, CA 94043 USA, Email: Ed-
uard.deJongSun.COM
1
Java and all Java-based trademarks and logos are trademarks
or registered trademarks of Sun Mirosystems, In. in the U.S. or
other ountries, and are used under liense.
size of the data. The permanent RAM requirements are
NIL, transient RAM requirements are of the order of a
few bytes.
Transated memory does not impose strutural on-
straints on the information stored, nor does it provide
marshaling and unmarshalling apabilities. These are in-
tended to be implemented, for instane by an API on top
of the transated memory.
The urrent work is part of a series of formally speied
omponents [7, 6℄ of smart ard systems. We hope that
we will eventually be able to design, speify and imple-
ment a omplete smart ard operating system kernel that
an be subjeted to Common Criteria at evaluation level
EAL7 [12℄.
Transated memory is not to be onfused with transa-
tional memory [8℄, whih is a tehnique for supporting lok
free data strutures on multi proessor arhitetures. The
implementation of transational memory is an extension
of the ahe oherene protool of suh mahines [8℄. We
onsider a dierent problem domain with severe resoure
onstraints.
We present a high level speiation of the system (us-
ing Z) and disuss two renements (in Z) of the system,
ultimately leading to exeutable ode (using C). A num-
ber of properties of the high level speiations have been
proved (by hand), and the prototype implementation has
been subjeted to assertion heking (using SPIN).
The ontributions of the paper are:
 A presentation of the novel smart ard transated
memory manager.
 A disussion of the lessons learned by systematially
translating a Z speiation with proofs into C ode
with assertion heking. This omplements the re-
sults reported in our earlier paper [5℄.
1.1 The proess
Figure 1 desribes the speiations and the prototype
implementation of the memory management system. Z
was hosen as the speiation language beause at the
time the projet was started, (Summer of 1996) this ap-
peared to be the speiation language most aeptable
by industry.
1
'$
Revise
?
Z




Abstrat
?
Rene




Renement 1
?
Rene




Renement 2
C/Promela




Prototype
?
Informal
Figure 1: The proess
The abstrat speiation was produed after initial
disussions between the inventor of transated memory
(Eduard de Jong) and the speiation team (the other
authors). After further rounds of onsultation the ab-
strat speiation was revised, and a rst renement was
produed to reet the reality of the EEPROM tehnology
as doumented in Setion 3.
In 1997 a seond data renement was produed to
reet the possibilities of errors arising by interrupting
EEPROM write operations. In 2000, the nal speia-
tion labelled \prototype" was produed manually by in-
terpreting the seond renement as literally as possible.
The prototype is at the same time an exeutable speia-
tion (beause it is a SPIN model) and a C program. Some
maros are used to transfer from a ommon notation to
either SPIN or C.
The prototype is a proper implementation, it is as mem-
ory eÆient as possible. It is not as time eÆient as possi-
ble, beause often-used information is reomputed instead
of ahed. However the prototype is a useful yardstik to
measure progress of further implementations by, whih
would explore spae / time tradeos. The prototype also
allows for a onsiderable degree of parallelism to be ex-
ploited in a hardware implementation of the memory sys-
tem.
1.2 The Idea
Transated memory is designed around two notions: a tag
and an information sequene. A tag is merely a unique ad-
dress, e.g. identier of a partiular information sequene.
An information sequene is the unit of data stored and re-
trieved. An information sequene would be used to store
a olletion of objets that are logially part of a transa-
tion.
There may be several generations of the information as-
soiated with a tag. Operations are provided to write a
new generation, and to read the urrent or older genera-
tions. All generations assoiated with a tag have the same
size, although this ould be generalised.
The transation proessing apability of the memory is
supported by a ommit operation, whih makes the most
reently written information the urrent generation. The
oldest generation is automatially purged should the num-
ber of generations for a tag exeed a preset maximum.
Transated memory thus provides undoability (by being
able to revert to a previous generation) and persistene
(by using EEPROM tehnology). These are preisely the
ingredients neessary to support transations [11℄.
To provide this funtionality, transated memory main-
tains a ertain amount of book-keeping information. In its
most abstrat form, the book-keeping information reords
three items:
 The size of the information sequene that may be
assoiated with the tag.
 The dierent generations of information assoiated
with eah tag. It is possible that there is no informa-
tion assoiated with a tag.
 Whih tags are urrently ommitted.
Having skethed the ideas, we will now make this preise
by presenting an abstrat Z speiation.
2 Abstrat Speiation
The abstrat speiation assumes the existene of tags
used to address the memory, and the existene of informa-
tion to be stored in the memory. No further assumptions
are made about either.
[Tag ; Info℄
The existene of a nite set of available tags is assumed
(tags), as well as limits on the size of the memory (msize)
and the maximum number of generations that may be
assoiated with any tag (maxgen):
tags : F Tag
msize : N
1
maxgen : N
1
2
Two partial funtions asso and size and a set
ommitted speify the memory system. The derived value
usage is inluded to aid the presentation:
AMemSys
asso : tags 7! seq(seq Info)
size : tags 7! N
1
ommitted : P tags
usage : N
dom asso = dom size
ommitted  domasso
8 t : tags j t 2 ommitted  asso t 6= hi
8 t : tags j t 2 dom asso 
#(asso t)  maxgen ^
(8 i : N
1
j 1  i  #(asso t) 
#(asso t i) = size t)
usage = (t : tags j t 2 dom asso 
#(asso t)  size t)
usage  msize
The asso funtion assoiates a tag with a sequene of
sequenes of information, the most reent generation is
at the head of the sequene. The size funtion gives the
length of the information sequenes assoiated with a tag.
The ommitted set reords those tags whose most reent
generation of information has been ommitted. The two
funtions must have the same domain, the ommitted set
must be a subset of this domain and all the information se-
quenes assoiated with a tag must be of the length given
by the size funtion. The total amount of information as-
soiated with all the tags should not exeed the size of the
memory system. The non-standard Z onstrut  sums
all values of the expression #(asso t)  size t.
The initial state of the memory system is desribed as
follows:
AInitialMemSys
AMemSys
dom asso = ?
The ANewTag operation returns an unused tag. The
size of the information sequenes to be written to the tag
is speied as an argument n? to this operation.
ANewTag
AMemSys
n? : N
1
t ! : tags
t ! 62 dom asso
asso
0
= asso [ ft ! 7! hig
size
0
= size [ ft ! 7! n?g
The operation returns an unused tag (one that has no
assoiated sequene of information sequenes), marks the
most reent generation as empty, and reords the expeted
length of the information sequenes.
The AReadGeneration operation reads the information
sequene of a given generation g? assoiated with a tag.
The tag t? must have an assoiated information sequene
of the given generation, numbered relative to the urrent
generation.
AReadGeneration
AMemSys
t? : tags
g? : N
info! : seq Info
t? 2 dom asso
asso t? 6= hi
g?  (#(asso t?)  1)
info! = asso t? (g? + 1)
The shema CurrentGeneration onstrains a genera-
tion argument to the urrent generation:
CurrentGeneration
g? : N
g? = 0
The ARead operation reads the urrent generation of
information assoiated with a tag. It is speied using
shema onjuntion and hiding.
ARead b= (AReadGeneration ^
CurrentGeneration) n (g?)
The ARelease operation releases all the information as-
soiated with a tag. The operation does this by removing
the tag from the domains of the funtions asso and size,
and from the ommitted set.
ARelease
AMemSys
t? : tags
t? 2 dom asso
asso
0
= ft?g
 
C asso
size
0
= ft?g
 
C size
ommitted
0
= ommitted n ft?g
The operation ACommit ommits the urrent genera-
tion of information assoiated with a tag. The tag must
have an assoiated information sequene, whih is agged
as ommitted.
3
ACommit
AMemSys
t? : tags
t? 2 dom asso
asso t? 6= hi
ommitted
0
= ommitted [ ft?g
The operation AWrite writes a sequene of information
to a tag. This operation has a number of dierent ases
depending on the state of the sequene of generations as-
soiated with the tag and whether the urrent generation
has been ommitted.
The rst write to a tag by AWriteF irst, after
ANewTag, must make sure there is enough room to write
the new information. The assoiation for the tag with
a singleton sequene ontaining the new information se-
quene is replaed.
AWriteFirst
AMemSys
t? : tags
info? : seq Info
t? 2 dom asso
#info? = size t?
asso t? = hi
(usage +#info?)  msize
asso
0
= asso  ft? 7! f1 7! info?gg
Writing to a tag whose urrent generation is not om-
mitted, by AWriteUnommitted, does not need any extra
room.
AWriteUnommitted
AMemSys
t? : tags
info? : seq Info
t? 2 dom asso
#info? = size t?
asso t? 6= hi
t? 62 ommitted
asso
0
= asso  ft? 7! (asso t? f1 7! info?g)g
Writing to a tag whose urrent generation has been
ommitted by AWriteCommitted requires extra room for
the new information. In this ase the new assoiation is
obtained by onatenating the new sequene in front of
the existing one and then ropping the sequenes of se-
quenes by the maximum allowed generation.
AWriteCommitted
AMemSys
t? : tags
info? : seq Info
t? 2 dom asso
#info? = size t?
asso t? 6= hi
t? 2 ommitted
(usage +#info?)  msize
asso
0
= asso  ft? 7!
((1 : :maxgen)C (f1 7! info?g
a
(asso t?)))g
ommitted
0
= ommitted n ft?g
Using shema disjuntion the AWrite operation is spe-
ied as follows:
AWrite b= AWriteFirst _
AWriteUnommitted _ AWriteCommitted
This ompletes the presentation of the abstrat spei-
ation of the transated memory. In the following setions
we will present the priniples and the data strutures of
two renements. The full speiations may be found in
our tehnial report [2℄.
3 Renement 1
EEPROM tehnology normally supports byte reads but
only blok writes. The blok size is typially of the order
of 8 : : : 32 bytes. EEPROM tehnology allows a full blok
to be written eÆiently, and we assume that a blok is
written atomially. It may be neessary to use a low level
blok write operation to ahieve this. EEPROM lifetime
is limited, so repeated writes to the same blok must be
avoided.
3.1 Data strutures
To aknowledge these tehnologial onstraints, the rst
renement introdues atomi operations over \pages" in
terms of whih all operations must be desribed. The two
mappings asso and size, and the set ommitted of the
abstrat speiation are rened by four more onrete
data strutures. Before desribing these, we introdue the
denitions needed by the renement. The rst denition
introdues a boolean ag.
B ::= False j True
The EEPROM is treated as a sequene of pages, where
eah page ontains a small amount of book-keeping infor-
mation and a payload onsisting of a single item of in-
formation from one of the original information sequenes.
The page size would typially be the blok size of the
4
EEPROM tehnology. The type Lo below represents the
loations of the pages in the memory. The type Page rep-
resents the atual data stored in eah page, together with
the book-keeping:
Lo == 0 : : (msize   1)
Page == Info  B  tags  N  N
The type Page ontains ve omponents:
1. Info represents one item from an information se-
quene, the atual payload.
2. The boolean ag states whether the page is atually
in use.
3. tags represents the tag with whih the urrent infor-
mation sequene is assoiated.
4. The fourth omponent gives the generation index of
the urrent information sequene.
5. The fth omponent gives the page number of the
item within the information sequene.
The renement needs a small table, whih reords the
essential data for eah tag as type TagData.
TagData == B  N
1
 B  N  N
The type TagData ontains ve omponents:
1. The rst boolean ag states whether the tag is atu-
ally in use.
2. The seond omponent states the size of the informa-
tion sequene assoiated with this tag.
3. The third omponent states whether the urrent gen-
eration assoiated with the tag has been ommitted.
4. The fourth omponent gives the number of genera-
tions assoiated with the tag.
5. The fth omponent gives the generation index of the
urrent information sequene.
Having introdued the relevant types we are now in a
position to show the four data strutures that represent
the state of the transated memory.
MemSys
data : tags ! TagData
mem : Lo ! Page
freetags : P tags
freelos : PLo
: : :
The two sets freetags and freelos are introdued for
onveniene. We refer to a tehnial report [2℄ for a de-
sription of the remainder of the renement, and for a
disussion of the abstration invariant linking the state
variables of the rst renement with the state variables of
the abstrat speiation. The present renement has not
been veried, but we have veried an earlier renement
for a system without generations.
4 Renement 2
The seond data renement desribes the error states that
may arise when a sequene of atomi page writes is in-
terrupted. This may happen at any point, leaving the
memory in error states not found during normal opera-
tion. These error states are therefore not present in the
abstrat speiation or in the rst renement.
There are two dierent ways to handle erroneous states.
The rst approah is to modify the higher level spei-
ations to allow for suh erroneous states. The seond
renement ould then simply allow suh states but avoid
disussing how they might be handled. The problem with
this approah is that while error states an be deteted,
by the absene or dupliation of pages, there is no way to
reognise the ause of the error and therefore no way to
perform error reovery. To solve this problem the mem-
ory manager would have to reord some indiation of its
urrent state in the memory in suh a way as to allow for
subsequent error reovery. The reording of suh a state
in a form that relates to the memory operations as seen by
an appliation require repeated writes of the state infor-
mation to some page in memory. This has to be avoided,
so as not to wear out the EEPROM.
The seond way to ope with erroneous states would
allow all the error detetion and reovery to be ontained
within the seond renement and hidden at some level
within the nal implementation of the system. This has
been adopted and is desribed below.
4.1 Realisti Constraints
There are a number of new onstraints that were used
as goals when preparing the seond renement. The rst
onstraint was atually the motivation for the develop-
ment of the tagged memory management system. How-
ever, the abstrat speiation and the rst renement
did not take this into aount and in that sense it is new
in this speiation:
 a given page should be written as few times as possi-
ble. This means that a page should only be written
to when there is no hoie:
{ When writing new pages of information.
5
{ When superseding pages of information.
{ When removing an assoiation between a page
and a tag.
All the information required to trak the state of the
memory manager should be stored using only these
write operations. The seond renement satises all
these onstraints while imposing only a slight mem-
ory ost on the memory manager.
 Memory is limited so the memory management sys-
tem should use as little as possible itself.
 The only write operation that may be performed on
the memory is the atomi writing of a page.
 Any sequene of atomi write operations an be inter-
rupted at any point. It should be possible to detet
the resulting erroneous state and then to tidy up the
memory.
 Lost memory should be reoverable when an atomi
operation sequene is interrupted.
 All the onstraints employed in the previous spei-
ations should be retained, suh as the main orret-
ness requirement that the information read from a
tag is equal to that previously written to that tag.
4.2 Causes of error states
There are four ontexts in whih a sequene of atomi
operations an be interrupted to give rise to a distint
error state:
 When writing a new generation of information not all
the required pages may be suessfully written.
 Writing a new version of the urrent generation may
fail to write all the pages of the new version or to
supersede all the pages of the old version.
 When releasing the pages of an old generation in or-
der to provide spae for a new generation some of the
pages of the old generation may not be released.
 When dealloating all the pages for a tag for the Re-
lease operation, some of the pages may not be re-
leased.
It is not possible to reord a separate ag to trak the
urrent state of the memory manager as we would have to
pik a page to keep it in whih would then suer from re-
peated writes as the state hanged. Instead the presene
of page zero has been hosen to indiate the presene of
all the other pages of a generation. In addition, the in-
formation otherwise stored in a page is elaborated by a
further piee of data:
 A yli, three state ag that makes it possible to
determine the relative age of two versions of the same
generation.
Here is the Z speiation of the ag:
Version ::= VA j VB j VC
Eah page in a given version will have the same value
in this ag, the pages of a new version will all take the
suessor state to that of the urrent version.
4.3 Error Reovery
As heking for and remedying error states before eah
operation would be expensive, it was deided to wait un-
til there is no hoie but to relaim the memory lost due
to disrupted operations. Thus the presene of an error
state in the memory manager will be noted by a Write
operation failing to nd suÆient free pages. An opera-
tion to tidy up the memory is invoked, whih releases the
lost pages for reuse. By performing some inexpensive lo-
al housekeeping in the operations, the omplexity of the
error states that an arise from repeated disruptions is
restrited. This greatly simplies the error reovery task.
Below we list the dierent forms of error reovery, how
they are tidied up, the error states that invoke them and
the housekeeping required of the operations:
1. If there are pages marked as in use by a tag but the
tag data does not mark it as in use they an all be
marked as not in use. This will only our due to a
disruption while releasing all the information assoi-
ated with a tag. The New operation is required to
tidy up any pages marked as in use by the new tag.
2. If there are pages for a given generation and version
with no page zero they an all be marked as not in
use. This will our due to disruptions after writing
new generations and versions and while superseding
old versions and releasing old generations. The Com-
mit and Write operations are required to tidy up in-
omplete versions and generations for the given tag.
3. If there are two omplete sets of pages for a tag with
the same generation the pages of the older version
an be marked as not in use. This will only our
due to a disruption while writing a new version of
the urrent generation. The Commit and Write op-
erations are required to tidy up out-of-date versions
for the given tag. Given this housekeeping we an en-
sure that only the urrent generation an ever have
multiple versions.
4. If there are more generations assoiated with a tag
than the maximum allowed then the pages of the old-
est generation an be marked as not in use. This
6
will only our due to a disruption while writing a
new generation when the maximum number of gen-
erations already exists. The Write operation is re-
quired to tidy up exessively old generations for the
given tag.
Given this loalised housekeeping it beomes possible to
alulate a onservative estimate of the number of loa-
tions urrently in use before eah Write operation. This
estimate is onservative in the sense that, in the error
states, loations may be marked as in use that are in fat
not in use. During normal operation this estimate will
orrespond exatly to the number of pages required by all
the tags urrently in use. If this estimate indiates that
there are not enough free loations the memory an be
tidied, reovering loations lost due to interruption of a
memory update. If there are still not enough free loa-
tions this indiates an unreoverable error due to an ap-
pliation requiring more than the available memory. No
attempt has been made to handle this error. Instead the
user is required to avoid alling operations in suh a man-
ner as would ause this error. This may well require that
memory boundedness onstraints are veried for all ap-
pliations.
This is an instane of a general issue onerning the
limits of our speiation. We are assuming that ertain
operations will only be alled when it is sensible to do so.
This makes it possible to avoid the additional omplexity
that would be required in the speiations when onsid-
ering these additional soures of errors. In a development
proess involving veriation of the use of operations, it
should be possible to formally justify suh simplifying as-
sumptions.
4.4 Data strutures
The type DPage represents the renement of the type
Page:
DPage == B  tags  Info  N  N Version
The type DPage ontains six omponents, whih is a
little more than the information kept by the rst rene-
ment:
1. The boolean ag states whether the page is atually
in use.
2. tags represents the tag with whih the urrent infor-
mation sequene is assoiated.
3. Info represents one item from an information se-
quene, the atual payload.
4. The rst number gives the generation index of the
urrent information sequene.
5. The seond number gives the page number of the item
within the information sequene.
6. V ersion is the yli ag that we mentioned in Se-
tion 4.2.
The type DTagData represents the renement of the
type TagData.
DTagData == B  N
1
 B
The type DTagData ontains three omponents, i.e.
onsiderably less than the information kept for the same
purpose in the rst renement.
1. The rst boolean ag states whether the tag is atu-
ally in use.
2. The seond, numeri omponent states the size of the
information sequene assoiated with this tag.
3. The last boolean ag states whether the urrent gen-
eration assoiated with the tag has been ommitted.
This ag is only false upto the ourrene of the rst
write.
The data strutures of the seond renement show the
mappings that represent the state of the memory. No fur-
ther data strutures are used to maintain the transated
memory. Both mappings are supposed to be stored in
EEPROM.
DMemSys
ddata : tags ! DTagData
dmem : Lo ! DPage
: : :
The abstrat Z speiation of Setion 2 is (almost)
standard Z notation. In the two renements we felt the
need to deviate more from standard Z to express impor-
tant onstraints suh as the writing of pages to memory in
a partiular order. While it would be possible to speify
this in Z, the speiations we ame up with ontained
some elements that were less intuitive than say a simple
for loop. Therefore we will not present further details of
the Z version of the two renements here [2℄. Instead we
disuss the essential elements of the SPIN and C version
of the seond renement.
5 SPIN and C Prototype
The Prototype implements the two mappings ddata and
dmem that form the ore of the memory system as arrays.
This is eÆient, both in Promela (the modelling language
of the SPIN tool) and in C:
7
#define msize 10
#define tsize 2
#define DTagData byte
#define DPage short
DTagData ddata[tsize℄ ;
DPage dmem[msize℄ ;
The domains of the mappings, tags and Lo, are rep-
resented by integers. The types DTagData and DPage
are represented as a byte and a short respetively. De-
pending on the atual size of an information item, and
the number of tags in the system larger sizes would be
required. In any ase the information must be tightly
paked, as in a prodution implementation. An alterna-
tive would have been to use a strut. This would have
been made it diÆult to ahieve the same information
density, and it would not model reality aurately.
As a onsequene, the various elds of the range types,
as speied in Setion 4.4, are aessed by a olletion of
maros. These maros work equally well in Promela as
they do in C. For example reading the `in use' ag of an
element of the ddata array, and writing an entry in the
same array are modelled as follows:
#define read_ddata1(t, u) \
u =(ddata[t℄ >> inuse_shift) & inuse_mask
#define write_ddata3(t, u, s, ) \
ddata[t℄ = \
((u) << inuse_shift) | \
((s) << size_shift) | \
(() << ommitted_shift)
The shifts and masks are appropriately dened to pak
and unpak the information. The remaining aess oper-
ations are dened in a similar way.
5.1 DNewTag in C
Below is the C version of the DNewTag operation. Note-
worthy is the for loop, whih (ineÆiently) loates a
tag that is not is use, as stipulated by the prediate
t ! 62 dom asso in the Z speiation.
Tag DNewTag( Size size ) {
Tag tag ;
bool taginuse ;
for( tag = 0; tag < tsize; tag++ ) {
read_ddata1(tag, taginuse) ;
if( ! taginuse ) {
write_ddata3(tag,
true, size, false) ;
break ;
}
}
return tag ;
}
The Z speiation also states that the DNewTag op-
eration is undened if the preonditions are not met, i.e.
if there is no available tag. The C and SPIN prototype
rene this speiation by returning a value for tag that
is outside the permitted range of 0 .. tsize-1.
Given the enapsulation of the memory read and
write operations by the maros read_ddata1 and
write_ddata3, the C version of the DNewTag operation
is lear and onise.
5.2 DNewTag in Promela
The next point of interest is to ompare the C version
of DNewTag to the Promela version shown below. The
rst issue to be addressed is that Promela does not oer
a funtion all mehanism. Instead funtion all/return
must be simulated trough proess reation and message
passing [9℄. This requires four steps.
The rst step introdues a number of tags to distinguish
the various messages required:
mtype {MSize, MTag, Mabort, Mdone, ... } ;
The seond step introdues two hannels { one to pass
arguments to the simulated proedure, and another to
return the results:
han go_DNewTag = [0℄ of { mtype, Size } ;
han done_DNewTag = [0℄ of { mtype, Tag } ;
The third step models a proedure as a proess, whih
ontinually waits for a message on its go_... hannel,
and responds on its done_... hannel. A typial all to a
proedure would send on the go_... hannel and reeive
from the done_... hannel:
init {
go_DNewTag ! MSeq, 2 ;
done_DNewTag ? MTag, tag ;
...
}
To allow SPIN to help disover errors in the speia-
tion a fourth step is need. Eah proedure all may either
omplete suessfully or it may abort. An abort would be
triggered by a failed write operation to the EEPROM. A-
tual alls to a proedure all must therefore be prepared
for two dierent kinds of response:
init {
go_DNewTag ! MSeq, 2 ;
8
if
:: done_DNewTag ? MTag, tag -> ...
:: done_DNewTag ? Mabort -> ...
fi
}
The Promela version of the DNewTag operation is
shown below. A non-deterministi hoie is made at the
seond if statement either to perform the write to the
EEPROM, or to abort the operation. Otherwise the ode
is the same as in the C version.
ative protype DNewTag( ) {
Size size ;
Tag tag ;
bool taginuse ;
endloop:
do
:: go_DNewTag ? MSeq, size ->
tag = 0 ;
do
:: tag < tsize ->
read_ddata1( tag, taginuse ) ;
if
:: ! taginuse ->
if
:: done_DNewTag ! Mabort ;
goto endloop
:: write_ddata3( tag,
true, size, false ) ;
break
fi ;
:: else -> skip
fi ;
tag = tag + 1
:: else -> break
od ;
done_DNewTag ! MTag, tag
od
}
It is apparent that loops and other ontrol statements
are a bit more verbose in Promela than they are in C.
The SPIN model uses proesses only to simulate pro-
edures, not to introdue onurreny. Otherwise there
ould be no simple orrespondene between the SPIN
model and the C implementation. The SPIN model does
use the non-determinism oered by SPIN to hoose be-
tween suessful and failed EEPROM writes.
5.3 DTidy
A seond operation of interest is the DTidy operation,
whih performs the four steps explained in Setion 4.3.
The DTidy operation should be used one only, upon
restart of the system i.e. after an aborted write opera-
tion.
The rst phase of the operation is shown below. It
detets and frees the loations in the dmem array that are
marked as being in use by a tag that is itself marked as
not in use, or that is not ommitted.
void DTidy( ) {
Lo lo ;
bool pageinuse ;
Tag tag ;
Info dpi ;
Gen dpx ;
PageNo dpn ;
Ver dpv ;
bool taginuse ;
Size size ;
bool ommitted ;
for( lo = 0; lo < msize; lo++ ) {
read_dmem6( lo,
pageinuse, tag, dpi, dpx, dpn, dpv ) ;
if( pageinuse ) {
read_ddata3( tag,
taginuse, size, ommitted ) ;
if( ! taginuse || ! ommitted ) {
write_dmem6( lo,
false, tag, dpi, dpx, dpn, dpv ) ;
}
}
}
...
}
Here the san of the entire tag array and the mem-
ory is unavoidable as the Tidy operation is intended to
be used when the memory system is restarted after an
aborted write. Short of sanning the entire olletion of
pages there is no way of knowing whih pages belong to
an aborted transation.
The salient aspets of the C prototype and the SPIN
model have now been overed. The omplete list of data
strutures and funtions of the transated memory is
shown in Table 1. The write operations will write the
omplete information sequene only if suÆient spae is
available.
5.4 Testing and assertion heking
The interest of the development of the prototype is in test-
ing (C) and assertion heking (SPIN). Assertion heking
in SPIN involves exeuting all possible exeution paths of
a nite program and testing assertions at various points
in the exeution paths.
9
typedef strut f Gen old, new ;
byte nt ; g GenGenbyte ;
struture used to hold the number of the old-
est and newest generation, and the number of
generations.
typedef strut f Size size ;
Info data[ssize℄ ; g InfoSeq ;
struture used to hold an information sequene
and its size.
GenGenbyte DGeneration( Tag ) ;
Return all available information for the given tag.
The result is undened if the tag is not in use.
Tag DNewTag( Size ) ;
Return an unused tag of the speied size. The
result is undened if no tag is available.
void DTidy( ) ;
Reover from all possible interrupted writes.
InfoSeq DReadGeneration( Tag, Gen ) ;
Read the information sequene of a given tag and
generation. The information sequene is unde-
ned if the tag is not in use.
InfoSeq DRead( Tag ) ;
Read the information sequene of the urrent gen-
eration assoiated with the given tag.
void DCommit( Tag ) ;
Commit the urrent generation for the given tag.
The operation has no eet if the tag is already
ommitted.
void DRelease( Tag ) ;
Release all information assoiated with the given
tag. The operation has no eet if the tag is not
in use.
void DWriteFirst( Tag, InfoSeq ) ;
Write the to a tag immediately after the
DNewTag operation. The result is undened if
insuÆient spae is available.
void DWriteUnommitted( Tag, InfoSeq ) ;
Write to a tag whose urrent generation is
unommitted.
void DWriteCommittedAddGen( Tag, InfoSeq ) ;
Write to a tag whose urrent generation has been
ommitted, and whose maximum number of gen-
erations has not been reahed.
void DWriteCommittedMaxGen( Tag, InfoSeq ) ;
Write to a tag whose urrent generation has been
ommitted, and whose maximum number of gen-
erations has been written. The oldest generation
will be dropped.
Table 1: Transated Memory data strutures and fun-
tions for C.
To gain ondene in the prototype we wrote a simple
test program. After some initialisation, the test program
writes 16 generations of information for one partiular tag.
After eah write operation, the test program reads bak
all existing generations and asserts that the information
read bak is orret.
Eah write operation will be interrupted at least one,
leading to an error state. The DTidy operation is then
alled upon to reover from the error. Sine DTidy per-
forms write operations as part of the reovery proess,
these writes may be interrupted as well, leading to fur-
ther alls to the DTidy operation.
The test performs over 2000 suessful write operations
and 65 aborted writes, without a single assertion violation.
The above protool initially revealed a number of asser-
tion failures, due to lerial errors made while interpret-
ing the Z speiation in the transition to the prototype.
One these errors were orreted a number of more seri-
ous issues were found. These will be disussed in the next
setion.
6 Lessons learned
A variety of lessons were learned, about the speiation
proess, and about the transated memory system itself.
We will disuss eah, starting with the proess.
The speiations indiated in Figure 1 were made by
dierent authors. Butler started with an abstrat spei-
ation and a renement of an initial version of the system.
This renement was formally veried by hand. The fur-
ther renements of the revised version were not formally
veried but the development of abstration invariants did
help to inrease the ondene in the renements.
The next step in the development proess was an eval-
uation of the speiations, leading to a revised version
and further renement of the speiation (by Longley).
Then the prototype was reated (by Hartel) on the ba-
sis of the earlier speiations. At eah stage there was
a fresh opportunity for making mistakes, from whih, of
ourse, we learn.
The original Z speiations ontain non-standard Z
onstruts. The abstrat speiation ontains a summa-
tion onstrut , and the two renements ontain pro-
edures and for loops. This made it impossible for tools
suh as ZTC [10℄ to be used. To asses whether this would
be a serious problem we ommented the  onstrut out
of the abstrat speiation and ran it through ZTC. This
revealed a number of lerial errors:
 Three ourrenes were found by the ZTC syntax
hek of missing parentheses, writing #f(x) instead
of #(f(x)).
 Five ourrenes were found of a misspelled variable
name by the ZTC syntax hek.
10
 One ourrene of a missing operator was found by
the ZTC type heking, where we wrote #x = y in-
stead of #x = #y.
 One ourrene was found by the ZTC type heker
of an inorretly used operator (a b instead of ab).
The abstrat speiation is relatively small (2 pages, or
10 shemas and two auxiliary denitions). Yet we found
10 lerial errors.
During the manual translation from the seond rene-
ment into Promela a number of errors were found, some
of whih of a serious nature.
 Two ourrenes were found of misspelled identiers.
 One ourrene was found of an auxiliary funtion
whose denition was missing.
 Three ourrenes were found of an auxiliary fun-
tion denition part of an earlier renement that was
impliit reused in a later renement.
 Consider the following Z example, onsisting of state
and an operation on the state:
A
a : N
b : N
Assume that the operation Ina inrements a but
leaves b untouhed.
Ina
A
a
0
= a + 1
Some operations in the two renements expliitly
onstrain b
0
= b, and some omit this. This is learly
inonsistent.
Three serious problems were found:
 In the seond renement the two ommitted write op-
erations made the tag unommitted instead of om-
mitted. This error was found by inspetion.
 Instead of the orret version given in Setion 5.1,
the seond renement stated the equivalent of this
if statement:
if( ! taginuse ) {
write_dmem6( lo,
false, tag, dpi, dpx, dpn, dpv ) ;
}
The inorret version thus failed to release pages with
unommitted data. This error was found by C test-
ing.
 The ACommit operation as speied in Setion 2
laks a prediate t? 62 ommitted and thus permits
the ACommit operation to be repeated. The inter-
pretation leading to the prototype was reated in
a `defensive' style, by systematially exluding all
states in whih an operation was not onsidered to
be appliable. This lead to a disrepany between
the more permissive speiation and the more re-
stritive prototype. The disrepany was found by
Spin's assertion heking.
Consistent with our earlier ndings [5℄, we believe
that using more than one tool/notation has benets that
ontribute to the auray of the resulting speia-
tions/implementations. In the present ase, the prototype
was reated in 10 days, using the seond renement as a
starting point. Creating the seond renement took sev-
eral months to omplete. The ost of providing a `seond
opinion' on a speiation by translating it into a dierent
language/notation an thus be qualied as low.
7 Conlusion and Future work
Our ideas of the transated memory manager have be-
ome more and more aurate as progress was made on
the various, more and more detailed speiations. The
speiations served as a lear and unambiguous basis for
disussions.
The ombination of reating high level speiations in
Z and detailed speiation in Promela worked well for
the memory manager. The high level Z speiations are
learer than the SPIN models would have been and on-
versely, the detailed SPIN models are learer than the de-
tailed Z speiations. Where we would have used proofs
to establish properties of the operations in Z, we used as-
sertion heking for the SPIN model. The manual trans-
lation from the Detailed Z speiation to a SPIN model
is the weakest link in the hain of speiations.
An ad-ho ommon notation has been used, from whih
both a SPIN model and C prototype are generated by
expedient use of simple maros. This gives a reasonable
degree of ondene that the C prototype is onsistent
with the SPIN model. SPIN's onurreny has not been
used, but its faility for making a non-deterministi hoie
has.
Using dierent languages and assoiated tools to spe-
ify and prototype a speiation automatially provides a
seond, and even a third opinion on various important is-
sues. We disovered a onsiderable number of problems in
earlier speiations when working on later speiations.
11
The ost of providing a seond opinion on the transated
memory manager was low.
Eah operation of the prototype requires only a small,
onstant amount of RAM spae, proportional to the num-
ber of generations assoiated with a tag. No RAM spae
is retained in between operations. However, to speed
up some of the operations, a further renement ould be
made to ahe often used data.
The transated memory that we have presented oers
the basi failities for building a type safe transation fa-
ility. In addition, suh a faility would also require a
marshalling and unmarshalling apability. We are ur-
rently pursuing this for the use with Java.
The many for loops in the prototype may seem to in-
trodue onsiderable ineÆieny. However, we intend to
produe further renements down to the hardware level,
where for loops taking a xed number of steps ould be
`unrolled' to form parallel hardware strutures. The in-
tention is to develop an FPGA based prototype.
One of our goals is to ahieve ertiation of the trans-
ated memory manager at EAL7 of the Common Criteria.
This would require veriation of the two the renement
steps as well as further formal renements down to the
hardware level. At this stage we are not sure whether Z
is the most appropriate notation for this purpose. We are
onsidering to rewrite the speiations using B sine it
provides better support for the renement to ode.
Referenes
[1℄ Ph. A. Bernstein and E. Newomer. Priniples of
Transation Proessing. Morgan Kaufman, San Fran-
iso, 1997.
[2℄ M. J. Butler, P. H. Hartel, E. K. de Jong,
and M. Longley. Applying formal methods to
the design of smart ard software. Delarative
Systems & Software Engineering Tehnial Re-
ports DSSE-TR-97-8, University of Southampton,
1997. www.dsse.es.soton.a.uk/ tehreports/
97-8.html.
[3℄ E. K. de Jong and J. Bos. Arrangements for storing
dierent versions of a set of data in separate mem-
ory areas and method for updating a set of data in a
memory. Duth Patent Appliation, 2000.
[4℄ D. Donsez, G. Grimaud, and S. Leomte. Reoverable
persistant memory of smartard. In J.-J. Quisquater
and B. Shneier, editors, 3rd Int. Conf. Smart ard
researh and advaned appliation (CARDIS), LNCS
1820, page to appear, Louvain la Neuve, Belgium,
Sep 1998. Springer-Verlag, Berlin.
[5℄ P. Hartel, M. Butler, A. Currie, P. Henderson,
M. Leushel, A. Martin, A. Smith, U. Ultes-Nitshe,
and B. Walters. Questions and answers about
ten formal methods. In S. Gnesi and D. Latella,
editors, 4th Int. Workshop on Formal Methods
for Industrial Critial Systems, Vol II, pages 179{
203, Trento, Italy, Jul 1999. ERCIM/CNR, Pisa,
Italy. www.dsse.es.soton.a.uk/ tehreports/
99-1.html.
[6℄ P. H. Hartel, M. J. Butler, and M. Levy. The op-
erational semantis of a Java seure proessor. In
J. Alves-Foss, editor, Formal Syntax and Seman-
tis of Java, LNCS 1523, pages 313{352. Springer-
Verlag, Berlin, 1999. www.dsse.es.soton.a.uk/
tehreports/ 98-1.html.
[7℄ P. H. Hartel and E. K. de Jong Frz. Towards
testability in smart ard operating system design.
In V. Cordonnier and J.-J. Quisquater, editors, 1st
Int. Conf. Smart ard researh and advaned appli-
ation (CARDIS), pages 73{88, Lille Frane, Ot
1994. Univ. de Lille, Frane. ftp.wins.uva.nl/
pub/ omputer-systems/ funtional/ reports/
CARDIS94_smartard.ps.Z.
[8℄ M. Herlihy and J. E. B. Moss. Transational memory:
Arhitetural support for Lok-Free data strutures.
In Int. Symp. in Computer Arhiteture (ICSA),
pages 289{300, San Diego, California, May 1993.
Computer Arhiteture News, 21(2).
[9℄ G. J. Holzmann. Design and Validation of Computer
Protools. Prentie Hall, Englewood Clis, New Jer-
sey, 1991.
[10℄ Xiaoping Jia. ZTC: A Type Cheker for Z
{ User's Guide. Dept. of Comp. and Inf.
Si, DePaul Univ.,Chiago, Illinois, May 1995.
ftp.omlab.ox.a.uk/ pub/ Zforum/ ZTC-1.3/
guide.ps.Z.
[11℄ S. M. Nettles and J. M. Wing. Persis-
tene+undoability=transations. In 25th Hawaii In-
ternational Conferene on System Sienes (HICS),
pages 832{43. IEEE Comput. So. Press., Los Alami-
tos, California, 1991.
[12℄ National Institute of Standards and Tehnology.
Common Criteria for Information Tehnology Se-
urity Evaluation. U. S. Dept. of Commere, Na-
tional Bureau of Standards and Tehnology, Aug
1999. http:// sr.nist.gov/ /.
[13℄ Sun. Java Card 2.1 Runtime Environment (JCRE)
Speiation. Sun Miro systems In, Palo Alto,
California, Jun 1999. http:// java.sun.om/
produts/ javaard/.
12
