CS3211 Project 1 Report
Group 4
Aditya Sambamoorthy
Dinh Hoang Phuong Thao
Nguyen Minh Tri
Nguyen Truong Duy
I. CSP/PAT Models
In all three variants we assume that the same account can be accessed from different ATMs at the same time (e.g. a joint account). There are multiple ATMs, each of which is linked to one cloud processing unit (CPU), and there is only one database for the whole system. The elements to be modelled are the ATMs, the CPUs, the database and the bank accounts. The database is multi-threaded, i.e. more than one CPU can access the database at one time, and different processes can concurrently read an account record in the database.
When a message is sent, a success event means the message has arrived at the receiver side, whereas a failure event means the message is lost. Both networks, between ATM and cloud and between cloud and database, are unreliable.
For simplicity, the number of ATMs and CPUs (N) is declared to be 2, while the number of account records (M) is 1, so both ATMs operate on the same account. A withdrawal is allowed only when the amount to be withdrawn does not exceed the current amount in the bank account.
A. Variant 1: Banking system which exhibits deadlock due to some failure

/*
Model with no time out (i.e. when a message is sent with failure, there is no resend).
This model produces a deadlock.
*/
#define N 2;          // number of ATMs == number of processors
#define M 1;          // number of users
#define W 1;          // max amount one can withdraw each time
#define A 2;          // initial value in each account
#define valid 1;
#define invalid 0;
var acc[2] = [A, A];  // database account record

// ATM
BigATM() = ||atmID:{0..N-1}@ATM(atmID);
ATM(atmID) = []ID:{0..M-1}@insertCard.atmID.ID -> Inserted(atmID, ID);
Inserted(atmID, ID) = enterID.atmID.ID -> ATMAuthSend(atmID, ID)
    [] cancel.atmID.ID -> ejectCard.atmID.ID -> ATM(atmID);
ATMAuthSend(atmID, ID) = sendAtmCloudAuth.atmID.ID ->
    (successAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID)
    [] failureAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID));
ATMAuthWait(atmID, ID) = successCloudAtmAuthBack.atmID.ID.valid -> LoggedIn(atmID, ID)
    [] successCloudAtmAuthBack.atmID.ID.invalid -> Inserted(atmID, ID);
LoggedIn(atmID, ID) = ([]amount:{1..W}@withdraw.atmID.ID.amount -> ATMWdSend(atmID, ID, amount))
    [] logout.atmID.ID -> ejectCard.atmID.ID -> ATM(atmID);
ATMWdSend(atmID, ID, amount) = sendAtmCloudWd.atmID.ID.amount ->
    (successAtmCloudWd.atmID.ID.amount -> ATMWdWait(atmID, ID)
    [] failureAtmCloudWd.atmID.ID.amount -> ATMWdWait(atmID, ID));
ATMWdWait(atmID, ID) = successCloudAtmWdBack.atmID.ID.valid -> dispense.atmID.ID -> LoggedIn(atmID, ID)
    [] successCloudAtmWdBack.atmID.ID.invalid -> warning.atmID.ID -> LoggedIn(atmID, ID);

// Cloud
Cloud() = ||procID:{0..N-1}@Processor(procID);
Processor(procID) = []ID:{0..M-1}@Process(procID, ID);
Process(procID, ID) = successAtmCloudAuth.procID.ID -> ProcessAuthSend(procID, ID)
    [] ([]amount:{1..W}@successAtmCloudWd.procID.ID.amount -> ProcessWdSend(procID, ID, amount));
ProcessAuthSend(procID, ID) = sendCloudDBAuth.procID.ID ->
    (successCloudDBAuth.procID.ID -> ProcessAuthWait(procID, ID)
    [] failureCloudDBAuth.procID.ID -> ProcessAuthWait(procID, ID));
ProcessAuthWait(procID, ID) = successDBCloudAuthBack.procID.ID.valid -> ProcessAuthSendBack(procID, ID, valid)
    [] successDBCloudAuthBack.procID.ID.invalid -> ProcessAuthSendBack(procID, ID, invalid);
ProcessAuthSendBack(procID, ID, validity) = sendCloudAtmAuthBack.procID.ID.validity ->
    (successCloudAtmAuthBack.procID.ID.validity -> Processor(procID)
    [] failureCloudAtmAuthBack.procID.ID.validity -> Processor(procID));
ProcessWdSend(procID, ID, amount) = sendCloudDBWd.procID.ID.amount ->
    (successCloudDBWd.procID.ID.amount -> ProcessWdWait(procID, ID)
    [] failureCloudDBWd.procID.ID.amount -> ProcessWdWait(procID, ID));
ProcessWdWait(procID, ID) = successDBCloudWdBack.procID.ID.valid -> ProcessWdSendBack(procID, ID, valid)
    [] successDBCloudWdBack.procID.ID.invalid -> ProcessWdSendBack(procID, ID, invalid);
ProcessWdSendBack(procID, ID, validity) = sendCloudAtmWdBack.procID.ID.validity ->
    (successCloudAtmWdBack.procID.ID.validity -> Processor(procID)
    [] failureCloudAtmWdBack.procID.ID.validity -> Processor(procID));

// Database
DB() = ||ID:{0..M-1}@Acc(ID);   // accounts
Acc(ID) = ||procID:{0..N-1}@Access(procID, ID);
Access(procID, ID) = successCloudDBAuth.procID.ID -> DBAuth(procID, ID)
    [] ([]amount:{1..W}@successCloudDBWd.procID.ID.amount -> DBWd(procID, ID, amount));
DBAuth(procID, ID) = authValid.procID.ID -> DBAuthSendBack(procID, ID, valid)
    [] authInvalid.procID.ID -> DBAuthSendBack(procID, ID, invalid);
DBAuthSendBack(procID, ID, validity) = sendDBCloudAuthBack.procID.ID.validity ->
    (successDBCloudAuthBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudAuthBack.procID.ID.validity -> Access(procID, ID));
DBWd(procID, ID, amount) = [acc[ID] >= amount] updateAcc.procID.ID.amount{acc[ID] = acc[ID] - amount} -> DBWdSendBack(procID, ID, valid)
    [] [acc[ID] < amount] DBWdSendBack(procID, ID, invalid);
DBWdSendBack(procID, ID, validity) = sendDBCloudWdBack.procID.ID.validity ->
    (successDBCloudWdBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudBack.procID.ID.validity -> Access(procID, ID));

Sys() = BigATM() || Cloud() || DB();
#assert Sys() deadlockfree;   // should be invalid
In this model there is no time-out mechanism: a sender never resends a message, but always waits for a response whether or not the message reached the receiver side. One instance of that behaviour is an ATM asking its cloud processing unit to authenticate a user:

ATMAuthSend(atmID, ID) = sendAtmCloudAuth.atmID.ID ->
    (successAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID)
    [] failureAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID));
ATMAuthWait(atmID, ID) = successCloudAtmAuthBack.atmID.ID.valid -> LoggedIn(atmID, ID)
    [] successCloudAtmAuthBack.atmID.ID.invalid -> Inserted(atmID, ID);

If failureAtmCloudAuth fires, the ATM still moves to ATMAuthWait and blocks on successCloudAtmAuthBack, but the processor never received the request and therefore never sends the reply; neither side can make progress, and the system is in a deadlock state. Hence the assertion "#assert Sys() deadlockfree;" returns INVALID.
B. Variant 2: Banking system which exhibits incorrect calculations due to interleaving

/*
Model with time out, and non-atomic account update operation.
This model produces incorrect calculations due to interleaving (a race condition).
*/
#define N 2;          // number of ATMs == number of processors
#define M 1;          // number of users
#define W 1;          // max amount one can withdraw each time
#define A 2;          // initial value in each account
#define valid 1;
#define invalid 0;
var acc[2] = [A, A];      // database account record
var acct[2] = [0, 0];     // temporary storage for each account record
var totalWd[2] = [0, 0];  // total amount withdrawn from each account record

// ATM
BigATM() = ||atmID:{0..N-1}@ATM(atmID);
ATM(atmID) = []ID:{0..M-1}@insertCard.atmID.ID -> Inserted(atmID, ID);
Inserted(atmID, ID) = enterID.atmID.ID -> ATMAuthSend(atmID, ID)
    [] cancel.atmID.ID -> ejectCard.atmID.ID -> ATM(atmID);
ATMAuthSend(atmID, ID) = sendAtmCloudAuth.atmID.ID ->
    (successAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID)
    [] failureAtmCloudAuth.atmID.ID -> ATMAuthSend(atmID, ID));
ATMAuthWait(atmID, ID) = successCloudAtmAuthBack.atmID.ID.valid -> LoggedIn(atmID, ID)
    [] successCloudAtmAuthBack.atmID.ID.invalid -> Inserted(atmID, ID);
LoggedIn(atmID, ID) = ([]amount:{1..W}@withdraw.atmID.ID.amount -> ATMWdSend(atmID, ID, amount))
    [] logout.atmID.ID -> ejectCard.atmID.ID -> ATM(atmID);
ATMWdSend(atmID, ID, amount) = sendAtmCloudWd.atmID.ID.amount ->
    (successAtmCloudWd.atmID.ID.amount -> ATMWdWait(atmID, ID)
    [] failureAtmCloudWd.atmID.ID.amount -> ATMWdSend(atmID, ID, amount));
ATMWdWait(atmID, ID) = successCloudAtmWdBack.atmID.ID.valid -> dispense.atmID.ID -> LoggedIn(atmID, ID)
    [] successCloudAtmWdBack.atmID.ID.invalid -> warning.atmID.ID -> LoggedIn(atmID, ID);

// Cloud
Cloud() = ||procID:{0..N-1}@Processor(procID);
Processor(procID) = []ID:{0..M-1}@Process(procID, ID);
Process(procID, ID) = successAtmCloudAuth.procID.ID -> ProcessAuthSend(procID, ID)
    [] ([]amount:{1..W}@successAtmCloudWd.procID.ID.amount -> ProcessWdSend(procID, ID, amount));
ProcessAuthSend(procID, ID) = sendCloudDBAuth.procID.ID ->
    (successCloudDBAuth.procID.ID -> ProcessAuthWait(procID, ID)
    [] failureCloudDBAuth.procID.ID -> ProcessAuthSend(procID, ID));
ProcessAuthWait(procID, ID) = successDBCloudAuthBack.procID.ID.valid -> ProcessAuthSendBack(procID, ID, valid)
    [] successDBCloudAuthBack.procID.ID.invalid -> ProcessAuthSendBack(procID, ID, invalid);
ProcessAuthSendBack(procID, ID, validity) = sendCloudAtmAuthBack.procID.ID.validity ->
    (successCloudAtmAuthBack.procID.ID.validity -> Processor(procID)
    [] failureCloudAtmAuthBack.procID.ID.validity -> ProcessAuthSendBack(procID, ID, validity));
ProcessWdSend(procID, ID, amount) = sendCloudDBWd.procID.ID.amount ->
    (successCloudDBWd.procID.ID.amount -> ProcessWdWait(procID, ID)
    [] failureCloudDBWd.procID.ID.amount -> ProcessWdSend(procID, ID, amount));
ProcessWdWait(procID, ID) = successDBCloudWdBack.procID.ID.valid -> ProcessWdSendBack(procID, ID, valid)
    [] successDBCloudWdBack.procID.ID.invalid -> ProcessWdSendBack(procID, ID, invalid);
ProcessWdSendBack(procID, ID, validity) = sendCloudAtmWdBack.procID.ID.validity ->
    (successCloudAtmWdBack.procID.ID.validity -> Processor(procID)
    [] failureCloudAtmWdBack.procID.ID.validity -> ProcessWdSendBack(procID, ID, validity));

// Database
DB() = ||ID:{0..M-1}@Acc(ID);   // accounts
Acc(ID) = ||procID:{0..N-1}@Access(procID, ID);
Access(procID, ID) = successCloudDBAuth.procID.ID -> DBAuth(procID, ID)
    [] ([]amount:{1..W}@successCloudDBWd.procID.ID.amount -> DBWd(procID, ID, amount));
DBAuth(procID, ID) = authValid.procID.ID -> DBAuthSendBack(procID, ID, valid)
    [] authInvalid.procID.ID -> DBAuthSendBack(procID, ID, invalid);
DBAuthSendBack(procID, ID, validity) = sendDBCloudAuthBack.procID.ID.validity ->
    (successDBCloudAuthBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudAuthBack.procID.ID.validity -> DBAuthSendBack(procID, ID, validity));
DBWd(procID, ID, amount) = [acc[ID] >= amount]
    updateAcc1.procID.ID.amount{acct[ID] = acc[ID] - amount} ->
    updateAcc2.procID.ID.amount{acc[ID] = acct[ID]} ->
    updateAcc3.procID.ID.amount{totalWd[ID] = totalWd[ID] + amount} ->
    DBWdSendBack(procID, ID, valid)
    [] [acc[ID] < amount] DBWdSendBack(procID, ID, invalid);
DBWdSendBack(procID, ID, validity) = [acc[ID] + totalWd[ID] == A]
    sendDBCloudWdBack.procID.ID.validity ->
    (successDBCloudWdBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudBack.procID.ID.validity -> DBWdSendBack(procID, ID, validity))
    [] [acc[ID] + totalWd[ID] != A] illegal.ID -> Stop();

Sys() = BigATM() || Cloud() || DB();
#assert Sys() |= [](!<>illegal.0);   // should be invalid
A time-out mechanism is added in this version: whenever a message is lost, the sender returns to its send state and retransmits. For example, if the authentication message sent from an ATM to its linked cloud processing unit is lost, the ATM resends the message:

ATMAuthSend(atmID, ID) = sendAtmCloudAuth.atmID.ID ->
    (successAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID)
    [] failureAtmCloudAuth.atmID.ID -> ATMAuthSend(atmID, ID));
ATMAuthWait(atmID, ID) = successCloudAtmAuthBack.atmID.ID.valid -> LoggedIn(atmID, ID)
    [] successCloudAtmAuthBack.atmID.ID.invalid -> Inserted(atmID, ID);

This second version is exposed to incorrect amount updates due to interleaving. Updating an account now takes two separate steps: the new amount is calculated from the current amount and stored in a temporary variable (updateAcc1.procID.ID.amount{acct[ID] = acc[ID] - amount}), and only afterwards is the account record overwritten with the value of that temporary variable (updateAcc2.procID.ID.amount{acc[ID] = acct[ID]}).

DBWd(procID, ID, amount) = [acc[ID] >= amount]
    updateAcc1.procID.ID.amount{acct[ID] = acc[ID] - amount} ->
    updateAcc2.procID.ID.amount{acc[ID] = acct[ID]} ->
    updateAcc3.procID.ID.amount{totalWd[ID] = totalWd[ID] + amount} ->
    DBWdSendBack(procID, ID, valid)
    [] [acc[ID] < amount] DBWdSendBack(procID, ID, invalid);

The event updateAcc3.procID.ID.amount{totalWd[ID] = totalWd[ID] + amount} is added only to support the assertion: it records the total amount actually paid out, so that acc[ID] + totalWd[ID] == A must hold whenever the record is consistent.

An account record is updated incorrectly when more than one process writes to it concurrently, because their steps are allowed to interleave. With A = 2 and W = 1 the following interleaving of the two processors loses one withdrawal: both execute updateAcc1 (acct[0] = 1 twice), both execute updateAcc2 (acc[0] = 1), and both execute updateAcc3 (totalWd[0] = 2). The record then shows a balance of 1 although 2 was dispensed, and acc[0] + totalWd[0] = 3 != A. The assertion "#assert Sys() |= [](!<>illegal.0);", which checks that acc[0] is updated correctly in all cases, therefore returns INVALID.

DBWdSendBack(procID, ID, validity) = [acc[ID] + totalWd[ID] == A]
    sendDBCloudWdBack.procID.ID.validity ->
    (successDBCloudWdBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudBack.procID.ID.validity -> DBWdSendBack(procID, ID, validity))
    [] [acc[ID] + totalWd[ID] != A] illegal.ID -> Stop();
C. Variant 3: Banking system with the two previous errors fixed

/*
Model with time out, and atomic account update operation.
This model is deadlock-free and calculates correctly.
*/
#define N 2;          // number of ATMs == number of processors
#define M 1;          // number of users
#define W 1;          // max amount one can withdraw each time
#define A 2;          // initial value in each account
#define valid 1;
#define invalid 0;
var acc[2] = [A, A];      // database account record
var acct[2] = [0, 0];     // temporary storage for each account record (no longer used)
var totalWd[2] = [0, 0];  // total amount withdrawn from each account record

// ATM
BigATM() = ||atmID:{0..N-1}@ATM(atmID);
ATM(atmID) = []ID:{0..M-1}@insertCard.atmID.ID -> Inserted(atmID, ID);
Inserted(atmID, ID) = enterID.atmID.ID -> ATMAuthSend(atmID, ID)
    [] cancel.atmID.ID -> ejectCard.atmID.ID -> ATM(atmID);
ATMAuthSend(atmID, ID) = sendAtmCloudAuth.atmID.ID ->
    (successAtmCloudAuth.atmID.ID -> ATMAuthWait(atmID, ID)
    [] failureAtmCloudAuth.atmID.ID -> ATMAuthSend(atmID, ID));
ATMAuthWait(atmID, ID) = successCloudAtmAuthBack.atmID.ID.valid -> LoggedIn(atmID, ID)
    [] successCloudAtmAuthBack.atmID.ID.invalid -> Inserted(atmID, ID);
LoggedIn(atmID, ID) = ([]amount:{1..W}@withdraw.atmID.ID.amount -> ATMWdSend(atmID, ID, amount))
    [] logout.atmID.ID -> ejectCard.atmID.ID -> ATM(atmID);
ATMWdSend(atmID, ID, amount) = sendAtmCloudWd.atmID.ID.amount ->
    (successAtmCloudWd.atmID.ID.amount -> ATMWdWait(atmID, ID)
    [] failureAtmCloudWd.atmID.ID.amount -> ATMWdSend(atmID, ID, amount));
ATMWdWait(atmID, ID) = successCloudAtmWdBack.atmID.ID.valid -> dispense.atmID.ID -> LoggedIn(atmID, ID)
    [] successCloudAtmWdBack.atmID.ID.invalid -> warning.atmID.ID -> LoggedIn(atmID, ID);

// Cloud
Cloud() = ||procID:{0..N-1}@Processor(procID);
Processor(procID) = []ID:{0..M-1}@Process(procID, ID);
Process(procID, ID) = successAtmCloudAuth.procID.ID -> ProcessAuthSend(procID, ID)
    [] ([]amount:{1..W}@successAtmCloudWd.procID.ID.amount -> ProcessWdSend(procID, ID, amount));
ProcessAuthSend(procID, ID) = sendCloudDBAuth.procID.ID ->
    (successCloudDBAuth.procID.ID -> ProcessAuthWait(procID, ID)
    [] failureCloudDBAuth.procID.ID -> ProcessAuthSend(procID, ID));
ProcessAuthWait(procID, ID) = successDBCloudAuthBack.procID.ID.valid -> ProcessAuthSendBack(procID, ID, valid)
    [] successDBCloudAuthBack.procID.ID.invalid -> ProcessAuthSendBack(procID, ID, invalid);
ProcessAuthSendBack(procID, ID, validity) = sendCloudAtmAuthBack.procID.ID.validity ->
    (successCloudAtmAuthBack.procID.ID.validity -> Processor(procID)
    [] failureCloudAtmAuthBack.procID.ID.validity -> ProcessAuthSendBack(procID, ID, validity));
ProcessWdSend(procID, ID, amount) = sendCloudDBWd.procID.ID.amount ->
    (successCloudDBWd.procID.ID.amount -> ProcessWdWait(procID, ID)
    [] failureCloudDBWd.procID.ID.amount -> ProcessWdSend(procID, ID, amount));
ProcessWdWait(procID, ID) = successDBCloudWdBack.procID.ID.valid -> ProcessWdSendBack(procID, ID, valid)
    [] successDBCloudWdBack.procID.ID.invalid -> ProcessWdSendBack(procID, ID, invalid);
ProcessWdSendBack(procID, ID, validity) = sendCloudAtmWdBack.procID.ID.validity ->
    (successCloudAtmWdBack.procID.ID.validity -> Processor(procID)
    [] failureCloudAtmWdBack.procID.ID.validity -> ProcessWdSendBack(procID, ID, validity));

// Database
DB() = ||ID:{0..M-1}@Acc(ID);   // accounts
Acc(ID) = ||procID:{0..N-1}@Access(procID, ID);
Access(procID, ID) = successCloudDBAuth.procID.ID -> DBAuth(procID, ID)
    [] ([]amount:{1..W}@successCloudDBWd.procID.ID.amount -> DBWd(procID, ID, amount));
DBAuth(procID, ID) = authValid.procID.ID -> DBAuthSendBack(procID, ID, valid)
    [] authInvalid.procID.ID -> DBAuthSendBack(procID, ID, invalid);
DBAuthSendBack(procID, ID, validity) = sendDBCloudAuthBack.procID.ID.validity ->
    (successDBCloudAuthBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudAuthBack.procID.ID.validity -> DBAuthSendBack(procID, ID, validity));
DBWd(procID, ID, amount) = [acc[ID] >= amount]
    updateAcc1.procID.ID.amount{acc[ID] = acc[ID] - amount} ->
    updateAcc2.procID.ID.amount{totalWd[ID] = totalWd[ID] + amount} ->
    DBWdSendBack(procID, ID, valid)
    [] [acc[ID] < amount] DBWdSendBack(procID, ID, invalid);
DBWdSendBack(procID, ID, validity) = [acc[ID] + totalWd[ID] == A]
    sendDBCloudWdBack.procID.ID.validity ->
    (successDBCloudWdBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudBack.procID.ID.validity -> DBWdSendBack(procID, ID, validity))
    [] [acc[ID] + totalWd[ID] != A] illegal.ID -> Stop();

Sys() = BigATM() || Cloud() || DB();
#assert Sys() |= [](!<>illegal.0);   // should be valid
#assert Sys() deadlockfree;           // should be valid
#assert Sys() |= [](successCloudAtmAuthBack.0.0.valid -> <>withdraw.0.0.1);
    // should be invalid: the user may keep logging in and out forever without any withdrawal
#assert Sys() |= []((!(<>withdraw.0.0.1)) || (insertCard.0.0 -> (<>withdraw.0.0.1)));
    // check that a card has to be inserted before one can withdraw, for atmID == 0
#assert Sys() |= []((!(<>withdraw.1.0.1)) || (insertCard.1.0 -> (<>withdraw.1.0.1)));
    // same as above, with atmID == 1
// additional assertions
#assert Sys() |= []((insertCard.0.0 -> (<>ejectCard.0.0)) || !(<>ejectCard.0.0));
    // check that a card can only be ejected at the ATM with atmID == 0 after it was inserted into that ATM
#assert Sys() |= []((insertCard.1.0 -> (<>ejectCard.1.0)) || !(<>ejectCard.1.0));
    // same as above, with atmID == 1
#define validWithdrawals (totalWd[0] <= A);
#assert Sys() |= <>[] validWithdrawals;
    // check that the total amount withdrawn never exceeds the initial available amount in the account record
In this third version the two previous errors, deadlock and incorrect calculation, are fixed through the time-out (resend) mechanism and an atomic account update: the temporary storage of the calculated new amount is discarded and the new value is assigned to the account record in a single event, so no other processor can read acc[ID] between the read and the write.

DBWd(procID, ID, amount) = [acc[ID] >= amount]
    updateAcc1.procID.ID.amount{acc[ID] = acc[ID] - amount} ->
    updateAcc2.procID.ID.amount{totalWd[ID] = totalWd[ID] + amount} ->
    DBWdSendBack(procID, ID, valid)
    [] [acc[ID] < amount] DBWdSendBack(procID, ID, invalid);

As a result, the two assertions "#assert Sys() deadlockfree;" and "#assert Sys() |= [](!<>illegal.0);" both return VALID.

Note that updateAcc1 and updateAcc2 are still two separate events, so acc[ID] + totalWd[ID] is transiently short by amount while a processor sits between them. The assertion passes nevertheless because illegal.ID carries no procID: it is a common event of the Access(procID, ID) processes, which are composed with ||, so it can only fire when every processor's DBWdSendBack finds the sum off at the same time, i.e. when no withdrawal is half done. What actually removes the lost update is that the read-modify-write of acc[ID] now happens in one event.
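The three findings above (the variant 1 deadlock, the variant 2 lost update and the variant 3 fix) can be reproduced outside PAT with a small explicit-state explorer. The Python below is an added example written for this page, not part of the project's PAT models or Java code. It abstracts one request/response exchange over the lossy network to a two-component state, models the DBWd events of two processors on account 0 with A = 2 and W = 1 as guarded steps on a shared store, and checks acc + totalWd == A at quiescent points (no processor between its update events), which is the effective check of the PAT assertion as explained above. All names in it are the example's own.

```python
"""Explicit-state exploration of the three PAT findings: the lost-message
deadlock of variant 1, the lost-update race of variant 2 and the variant 3
fixes.  Added example for this page; not the project's PAT or Java code."""
from collections import deque


def explore(init, step, is_final):
    """Breadth-first search over all reachable states.

    step(state) returns the list of successor states; is_final(state) marks
    states that may legitimately have no successor.  Returns the set of
    reachable states and the list of deadlocked (stuck, non-final) states."""
    seen, queue, deadlocks = {init}, deque([init]), []
    while queue:
        state = queue.popleft()
        successors = step(state)
        if not successors and not is_final(state):
            deadlocks.append(state)
        for nxt in successors:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, deadlocks


# ---- Deadlock: one request/response exchange over the lossy network -------
# State is (atm, cloud).  Every message is nondeterministically delivered or
# lost, exactly like the success/failure event pairs in the CSP.
SEND, WAIT, DONE = "send", "wait", "done"
IDLE, REPLY = "idle", "reply"


def exchange_deadlocks(retry):
    """retry=False is variant 1 (after a failure event the sender just waits);
    retry=True is variants 2 and 3 (failure -> back to the send state).
    Returns the deadlocked states; only with retry should this be empty."""
    def step(state):
        if state == (SEND, IDLE):                  # request in flight
            return [(WAIT, REPLY), (SEND, IDLE) if retry else (WAIT, IDLE)]
        if state == (WAIT, REPLY):                 # reply in flight
            return [(DONE, DONE), (WAIT, REPLY) if retry else (WAIT, IDLE)]
        return []                                  # (WAIT, IDLE) or (DONE, DONE)

    _, deadlocks = explore((SEND, IDLE), step, lambda s: s == (DONE, DONE))
    return deadlocks


# ---- Race: several processors each withdrawing AMOUNT from one account ----
A, AMOUNT = 2, 1                      # initial balance and withdrawal size, as in the models
ACC, ACCT, TOTAL = 0, 1, 2            # indices into the shared store (acc, acct, totalWd)


def withdraw_steps(atomic):
    """The DBWd events of one processor as (guard, effect) pairs on the store.
    The first guard is [acc[ID] >= amount]; when it is false the processor
    takes the invalid branch, i.e. DBWdSendBack(invalid) without any update."""
    def put(store, idx, value):
        new = list(store)
        new[idx] = value
        return tuple(new)
    if atomic:                                     # variant 3: read-modify-write in one event
        return [(lambda s: s[ACC] >= AMOUNT, lambda s: put(s, ACC, s[ACC] - AMOUNT)),
                (lambda s: True, lambda s: put(s, TOTAL, s[TOTAL] + AMOUNT))]
    return [(lambda s: s[ACC] >= AMOUNT, lambda s: put(s, ACCT, s[ACC] - AMOUNT)),  # updateAcc1
            (lambda s: True, lambda s: put(s, ACC, s[ACCT])),                        # updateAcc2
            (lambda s: True, lambda s: put(s, TOTAL, s[TOTAL] + AMOUNT))]            # updateAcc3


def lost_updates(atomic, processors=2):
    """Explore every interleaving of the processors' withdrawals and return the
    quiescent states (no processor between its events) with acc + totalWd != A,
    sorted; an empty list means the record is always updated correctly."""
    steps = withdraw_steps(atomic)
    end = len(steps)

    def step(state):
        pcs, store = state
        successors = []
        for i, pc in enumerate(pcs):
            if pc == end:
                continue                           # this processor has finished
            guard, effect = steps[pc]
            if guard(store):
                successors.append((pcs[:i] + (pc + 1,) + pcs[i + 1:], effect(store)))
            elif pc == 0:                          # acc < amount: invalid reply, no update
                successors.append((pcs[:i] + (end,) + pcs[i + 1:], store))
        return successors

    init = ((0,) * processors, (A, 0, 0))
    reachable, _ = explore(init, step, lambda s: all(pc == end for pc in s[0]))
    quiescent = (s for s in reachable if all(pc in (0, end) for pc in s[0]))
    return sorted(s for s in quiescent if s[1][ACC] + s[1][TOTAL] != A)


if __name__ == "__main__":
    print("variant 1 deadlocks:", exchange_deadlocks(retry=False))   # [('wait', 'idle')]
    print("variant 2 deadlocks:", exchange_deadlocks(retry=True))    # []
    print("variant 2 lost updates:", lost_updates(atomic=False))     # contains ((3, 3), (1, 1, 2))
    print("variant 3 lost updates:", lost_updates(atomic=True))      # []
```

The deadlocked state ('wait', 'idle') is exactly the situation described for variant 1: the ATM waits for a reply to a request the processor never received. The lost-update state ((3, 3), (1, 1, 2)) is the interleaving given for variant 2, both processors finished with acc = 1 and totalWd = 2. Raising processors to 3 still yields no violation with atomic=True, since every decrement of acc is matched by one increment of totalWd before the processor becomes quiescent.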
II. Assertions
A. Deadlock-freeness
#assert Sys() deadlockfree;
The assertion checks whether process Sys() can ever reach a deadlock state. It returns INVALID in variant 1 and VALID in variant 3.
B. Wrong update of an account amount due to interleaving
#assert Sys() |= [](!<>illegal.0);
For the purpose of demonstrating the incorrect behaviour there is only one account in the system, acc[0]. The assertion checks that the update of acc[0] is always correct. The event illegal.ID is added for this assertion; it is reached if, after some transactions, the sum of the current available amount and the total amount withdrawn from account acc[ID] does not equal the initial amount in the account record (acc[ID] + totalWd[ID] != A). The assertion returns INVALID in variant 2 and VALID in variant 3.

DBWdSendBack(procID, ID, validity) = [acc[ID] + totalWd[ID] == A]
    sendDBCloudWdBack.procID.ID.validity ->
    (successDBCloudWdBack.procID.ID.validity -> Access(procID, ID)
    [] failureDBCloudBack.procID.ID.validity -> DBWdSendBack(procID, ID, validity))
    [] [acc[ID] + totalWd[ID] != A] illegal.ID -> Stop();

C. Correct behaviour of the system
#assert Sys() |= [](successCloudAtmAuthBack.0.0.valid -> <>withdraw.0.0.1);
The assertion checks whether, once the card is authenticated, some withdrawal is made at some time in the future. It returns INVALID in variant 3, since the user may keep logging in and out forever without making any withdrawal.
#assert Sys() |= []((!(<>withdraw.0.0.1)) || (insertCard.0.0 -> (<>withdraw.0.0.1)));
The assertion is meant to check that a user can withdraw at ATM number 0 only after inserting the card, i.e. that nobody can withdraw money without a card. It returns VALID in variant 3.
#assert Sys() |= []((!(<>withdraw.1.0.1)) || (insertCard.1.0 -> (<>withdraw.1.0.1)));
The same as the previous assertion, for ATM number 1. It also returns VALID in variant 3.
#assert Sys() |= []((insertCard.0.0 -> (<>ejectCard.0.0)) || !(<>ejectCard.0.0));
The assertion is meant to check that a card is ejected at ATM number 0 only after it has been inserted into that ATM. It returns VALID in variant 3.
#assert Sys() |= []((insertCard.1.0 -> (<>ejectCard.1.0)) || !(<>ejectCard.1.0));
The same as the previous assertion, for ATM number 1. It also returns VALID in variant 3.
A caveat on these four precedence assertions: each has the propositional shape [](!<>q || (p -> <>q)), and !<>q || !p || <>q is true in every state, so they are valid in every model, including one that dispenses cash without a card; the VALID results therefore do not establish the intended ordering. Precedence is expressed with until: (!withdraw.0.0.1) U insertCard.0.0 states that no withdrawal happens at ATM 0 before the first insertCard.0.0 (it also demands that a card is eventually inserted; disjoining with [](!withdraw.0.0.1) drops that obligation).
#define validWithdrawals (totalWd[0] <= A);
#assert Sys() |= <>[] validWithdrawals;
The assertion checks that the total amount withdrawn never exceeds the initial available amount in the account record. It returns VALID in variant 3. Strictly, <>[] only requires the bound to hold from some point onwards, whereas [] validWithdrawals states "never exceeds" directly; because totalWd[0] never decreases, an excess would persist forever and the two formulas coincide here.
III. Java simulation
A. How to run the simulation:
Configuration File:
We have provided a configuration file in which users specify their configuration. The file is named config.txt. Its location should be left as it is when the whole package is downloaded; if the location is changed, the simulation fails with an error.
config.txt has at most 5 lines, one per simulation parameter. The first two lines are compulsory. The first line is the name of the file specifying the behavior of the simulated ATMs (in the sample code that file is named atm_behavior.txt). The second line is the name of the file specifying the content of the database (in the sample code that file is named database.txt). Both files must be in the same directory as the configuration file. Their formats are explained in the following sections.
The next 3 lines are optional. The third line is an integer specifying the number of CPUs available in the cloud. The fourth line is an integer specifying the number of worker threads in the database. The fifth line is a real number between 0 and 1 specifying the loss rate of the network. The simulator uses its default values for any of these that is not specified.
ATM Behavior File:
This file specifies the number of ATMs in the simulation and the sequence of transactions performed by each ATM.
The first line is an integer indicating the number of ATMs in the simulation.
The subsequent lines are blocks of lines specifying the behavior of each ATM.
Each block starts with the ATM identifier (numbered from 0). The following lines are the transactions the ATM performs, in that order. The first transaction must always be the login; otherwise the program throws an exception. The logout transaction marks the end of the sequence.
The format of a transaction is as follows:
1) Login transaction: login <username> <password>
2) Checking balance: balance
3) Withdrawing: withdraw <amount>
4) Logout transaction: logout
Example: suppose the content of the ATM behavior file is as follows:
2
0
login duy passDuy
withdraw 2
withdraw 3
balance
withdraw 5
logout
1
login tri passwordTri
withdraw 5
balance
logout
This means there are 2 ATMs.
The first ATM performs the following sequence of transactions:
1) Log in with username duy and password passDuy.
2) Withdraw 2 dollars.
3) Withdraw 3 dollars.
4) Check the balance.
5) Withdraw 5 dollars.
6) Log out.
The second ATM performs the following sequence of transactions:
1) Log in with username tri and password passwordTri.
2) Withdraw 5 dollars.
3) Check the balance.
4) Log out.
Database File:
This file specifies the content of the database used for the simulation. It has multiple lines, each specifying one account: the username, the password and the account balance, separated by white space. Hence the password must not contain white space. Note that passwords are stored in clear text in this file.
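The three input files can be validated before the simulator is started. The following parser is an added example written for this page, not the project's own loader. It assumes only the layouts described above (positional lines in config.txt, ATM blocks that begin with login and end with logout, whitespace-separated username password balance records) and enforces the stated rules; the sample contents are constructed here, with the ATM script taken from the example above, and the file names are illustrative.

```python
"""Loader/validator for the simulator's three input files (config.txt, the ATM
behavior file and the database file).  Added example; not the project's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ("login", (user, password)) | ("balance", ()) | ("withdraw", (amount,)) | ("logout", ())
Transaction = Tuple[str, tuple]


@dataclass
class Config:
    atm_file: str
    db_file: str
    cpus: Optional[int] = None         # None: the simulator's default applies
    db_workers: Optional[int] = None
    loss_rate: Optional[float] = None


def _lines(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_config(text: str) -> Config:
    """config.txt: two mandatory file names, then optionally the number of
    CPUs, the number of DB worker threads and the network loss rate in [0, 1]."""
    lines = _lines(text)
    if not 2 <= len(lines) <= 5:
        raise ValueError("config.txt needs 2 to 5 lines")
    cfg = Config(atm_file=lines[0], db_file=lines[1])
    if len(lines) > 2:
        cfg.cpus = int(lines[2])
    if len(lines) > 3:
        cfg.db_workers = int(lines[3])
    if len(lines) > 4:
        cfg.loss_rate = float(lines[4])
    if any(v is not None and v < 1 for v in (cfg.cpus, cfg.db_workers)):
        raise ValueError("CPU and DB worker counts must be positive")
    if cfg.loss_rate is not None and not 0.0 <= cfg.loss_rate <= 1.0:
        raise ValueError("loss rate must lie between 0 and 1")
    return cfg


def _parse_transaction(words: List[str]) -> Transaction:
    op = words[0].lower()
    if op == "login" and len(words) == 3:
        return ("login", (words[1], words[2]))
    if op == "balance" and len(words) == 1:
        return ("balance", ())
    if op == "withdraw" and len(words) == 2 and words[1].isdigit() and int(words[1]) > 0:
        return ("withdraw", (int(words[1]),))
    if op == "logout" and len(words) == 1:
        return ("logout", ())
    raise ValueError("malformed transaction: " + " ".join(words))


def parse_atm_behavior(text: str) -> List[List[Transaction]]:
    """ATM behavior file: the ATM count, then one block per ATM made of its
    identifier and its transactions.  Returns the scripts indexed by ATM id and
    enforces the rules in the text: login first, logout closes the block, and
    every ATM in 0..count-1 gets exactly one block."""
    lines = _lines(text)
    if not lines or not lines[0].isdigit():
        raise ValueError("first line must be the number of ATMs")
    count = int(lines[0])
    scripts: List[Optional[List[Transaction]]] = [None] * count
    pos = 1
    while pos < len(lines):
        if not lines[pos].isdigit() or not 0 <= int(lines[pos]) < count:
            raise ValueError(f"line {pos + 1}: expected an ATM identifier in 0..{count - 1}")
        atm_id = int(lines[pos])
        if scripts[atm_id] is not None:
            raise ValueError(f"duplicate block for ATM {atm_id}")
        pos += 1
        script: List[Transaction] = []
        while pos < len(lines) and (not script or script[-1][0] != "logout"):
            tx = _parse_transaction(lines[pos].split())
            if not script and tx[0] != "login":
                raise ValueError(f"ATM {atm_id}: first transaction must be login")
            script.append(tx)
            pos += 1
        if not script or script[-1][0] != "logout":
            raise ValueError(f"ATM {atm_id}: block must end with logout")
        scripts[atm_id] = script
    missing = [i for i, s in enumerate(scripts) if s is None]
    if missing:
        raise ValueError(f"no behavior block for ATM(s) {missing}")
    return [s for s in scripts if s is not None]


def parse_database(text: str) -> Dict[str, Tuple[str, int]]:
    """database.txt: one 'username password balance' record per line; fields
    are whitespace-separated, so a password cannot contain whitespace."""
    accounts: Dict[str, Tuple[str, int]] = {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3 or not fields[2].isdigit():
            raise ValueError(f"database line {n}: expected 'username password balance'")
        user, password, balance = fields
        if user in accounts:
            raise ValueError(f"database line {n}: duplicate user {user}")
        accounts[user] = (password, int(balance))
    return accounts


def behavior_error(text: str) -> Optional[str]:
    """Validate an ATM behavior file; returns the error message, or None if it is well-formed."""
    try:
        parse_atm_behavior(text)
        return None
    except ValueError as err:
        return str(err)


# Constructed sample inputs; the ATM script is the example shown above.
SAMPLE_CONFIG = "atm_behavior.txt\ndatabase.txt\n2\n4\n0.1\n"
SAMPLE_BEHAVIOR = ("2\n0\nlogin duy passDuy\nwithdraw 2\nwithdraw 3\nbalance\nwithdraw 5\nlogout\n"
                   "1\nlogin tri passwordTri\nwithdraw 5\nbalance\nlogout\n")
SAMPLE_DATABASE = "duy passDuy 20\ntri passwordTri 50\n"
```

Because the rules are checked up front, a block that does not start with login is reported by file position instead of surfacing as an exception from a running ATM thread, and an ATM identifier with no block (or a duplicate one) is caught before the simulator assigns CPUs.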
Run Simulation:
After downloading the whole package and completing the setup described above, the simulation can be run: import the whole project into your IDE and run it. The simulation ends when all ATMs terminate, i.e. after they have performed all assigned transactions.
The program creates one log file per ATM, named LOG_ATM_<id>, where <id> is the ATM identifier (numbered from 0). Each ATM writes the results of all its transactions to its log file in the same order as they appear in the input, so the outcome of the simulation can be checked by opening each ATM's log file.
B. Implementation Documentation:
B.1 Database
The class is implemented as a thread pool: the master database class creates a number of DB worker threads to handle multiple database transactions concurrently.
The database workers perform all the relevant operations, such as withdraw, check balance and authenticate. To ensure that multiple threads accessing the shared account records cannot race, the database master uses a read-write lock as the synchronization mechanism for the worker threads. This is the classic reader-writer solution: the Java ReentrantReadWriteLock class separates reading operations (authentication, getting the balance), which may run concurrently, from updating operations (withdrawal, deposit), which require exclusive access.
If a transaction fails because the user was not properly authenticated, the initiator of the transaction is notified through the network, using the parameter list attribute of the message.
The DB class mirrors the CSP model described earlier in the document. Just as in the CSP model, the DB class ensures that the user has been authenticated before any transaction is executed, and it sends failure messages back to the sender whenever a transaction fails.
B.2 Cloud
Like the DB class discussed in the previous subsection, the Cloud class is modelled as a thread pool: a Cloud creates a number of CPU threads which it assigns to ATMs and frees again when the ATM is done. As in the DB class, a blocking queue implements this paradigm. Through an exchange of ACQUIRE and ACQUIRED messages between the ATM and the Cloud, the Cloud assigns an available CPU to the ATM. A CPU thread pops a request from the blocking queue; if the queue is empty, the thread that tried to pop is blocked until a request arrives. As in the DB, RELEASE messages delivered by the network from the ATM free the CPU resource and disassociate the ATM from the CPU. The CPUs act as message relay agents, forwarding the messages from the ATM to the DB and those from the DB back to the ATM. A CPU also sends ACQUIRE messages to the DB in order to obtain a database thread for its transactions.
The Cloud, too, is modelled in Java along the lines of the CSP model. For instance, whenever the network fails to deliver a message, the sending CPU thread is notified of the delivery failure and resends the packet, as the CSP model dictates. In the Java code the sender learns of a delivery failure through the parameter list of the sent message.
B.3 Network
B.3.1 Message
The Network class uses a user-defined Message class describing the attributes and properties of a message sent through the network. Besides the fields describing the source, the destination and the type of the message, the Java program includes a paraList field, an ArrayList of strings carrying any special parameter values or other information required to process the message.
The Network class uses a ConcurrentHashMap mapping each destination to a ConcurrentLinkedQueue holding all messages meant for that destination. The class also holds a variable controlling the loss rate of the network, which is configured externally through config.txt as described in the previous sections.
To model the CSP version, the Network class uses a random number generator to decide whether to propagate or drop each message: the message is dropped when the randomly generated value is less than the configured loss rate. This gives the network a predictable and controllable loss rate.
B.3.2 Message Types and Formats
1) Between ATM and Cloud:
1.a) ATM requests the Cloud to acquire a CPU
Request parameters: atmSourceId, cloudId, ACQUIRE, [Operation parameters: null]
Response parameters: cloudId, atmSourceId, ACQUIRE, [Operation parameters: String cpuId]
2) Between ATM and CPU:
2.a) Authenticate:
Request parameters: atmSourceId, cpuId, AUTHENTICATE, [Operation parameters: String username, String password]
Response parameters: cpuId, atmSourceId, AUTHENTICATE, [Operation parameters: String result]
2.b) See balance:
Request parameters: atmSourceId, cpuId, SEE_BALANCE, [Operation parameters: null]
Response parameters: cpuId, atmSourceId, SEE_BALANCE, [Operation parameters: String balance]
2.c) Withdraw:
Request parameters: atmSourceId, cpuId, WITHDRAW, [Operation parameters: String amount]
Response parameters: cpuId, atmSourceId, WITHDRAW, [Operation parameters: String result, String leftBalance]
2.d) Release CPU:
Request parameters: atmSourceId, cpuId, RELEASE, [Operation parameters: null]
Response parameters: cpuId, atmSourceId, RELEASE, [Operation parameters: String result]
3) Between CPU and Database:
3.a) CPU requests the Database to acquire a database thread
Request parameters: atmSourceId, dbId, ACQUIRE, [Operation parameters: null]
Response parameters: dbId, atmSourceId, ACQUIRE, [Operation parameters: String dbThreadId]
4) Between CPU and Database Thread:
4.a) Authenticate:
Request parameters: cpuId, dbThreadId, AUTHENTICATE, [Operation parameters: String username, String password]
Response parameters: dbThreadId, cpuId, AUTHENTICATE, [Operation parameters: String result]
4.b) See balance:
Request parameters: cpuId, dbThreadId, SEE_BALANCE, [Operation parameters: String userId]
Response parameters: dbThreadId, cpuId, SEE_BALANCE, [Operation parameters: String balance]
4.c) Withdraw:
Request parameters: cpuId, dbThreadId, WITHDRAW, [Operation parameters: String userId, String amount]
Response parameters: dbThreadId, cpuId, WITHDRAW, [Operation parameters: String result, String leftBalance]
4.d) Release DB thread:
Request parameters: cpuId, dbThreadId, RELEASE, [Operation parameters: String amount]
Response parameters: dbThreadId, cpuId, RELEASE, [Operation parameters: String result, String leftBalance]
B.4 ATM
The ATM class is modelled as a thread. Inside its run method it continuously polls the network for messages and, if any are found, processes them accordingly. It also acquires a CPU when a message has to be sent to the CPU.
The number of ATMs in the system is taken from the config file, and the simulator sets up the system accordingly. The ATM class is also modelled along the lines of the CSP model defined earlier; the points made in the previous sections to illustrate this apply equally to the ATM.
B.5 Variants
There are three Java variants developed alongside their CSP counterparts: one that suffers from a race condition, a second that suffers from a deadlock and a third that rectifies both defects. (The Java numbering differs from the CSP one, where variant 1 is the deadlock and variant 2 the race.)
a) Race conditions can occur when the database transactions performed by multiple threads are not synchronized properly, so that more than one thread is inside the critical region at the same time. This is the defect of our first Java variant, in which the DB transactions take no lock; when several threads perform database transactions on the same account, their read and write of the balance can interleave, as in CSP variant 2.
Example of the race condition:
private boolean withdraw(String username, int amount) {
    // no lock while modifying the account balance: two worker threads can
    // both read the old balance before either writes the new one
    Account account = DB.this.mapUsernameToAccount.get(username);
    return account.withdraw(amount);
}
b) The second variant has a deadlock problem. It can occur when the network fails to deliver a message and does not notify the sender of the failure: the receiver keeps waiting for a request that was lost in the network, while the sender keeps waiting for the receiver to respond, release it or send further commands. Both wait forever, which is a deadlock.
c) The third variant corrects the problems of the other two by guarding database transactions with the read-write lock and by ensuring that the sender is notified whenever the network loses a message. The notification is implemented with a new type of NETWORK message whose parameters indicate whether the message was delivered or lost, so that the sender can resend it.
The race condition is averted as follows (the unlock sits in a finally block so that an exception inside withdraw cannot leave the lock held):
private boolean withdraw(String username, int amount) {
    DB.this.databaseLock.writeLock().lock();        // lock performed
    try {
        Account account = DB.this.mapUsernameToAccount.get(username);
        return account.withdraw(amount);            // balance check and update run under the lock
    } finally {
        DB.this.databaseLock.writeLock().unlock();  // unlock performed, even on an exception
    }
}