protocol testing and verification



Conference Reports 313

neous user interface. Finally, Spaccapietra illustrated an overall diagram of a heterogeneous DDBMS and discussed possible variations.

G. Le Lann (INRIA, Le Chesnay, France) discussed key problems in Consistency, Synchronization and Concurrency Control in Distributed Database Systems. He examined in some detail the circulating sequencer technique, which is based on the utilization of a virtual ring to comply with the requirements of distributed concurrency control.

Replicated Data was the title of Patricia Selinger's first lecture (IBM Research Laboratory, San Jose, California). She described a number of proposals to read and update replicated files. The update proposals trade off availability of the system for update against complexity of the update algorithm and the amount of bookkeeping needed to preserve data consistency. It was pointed out that none of the proposals are simple, but the primary-secondary approaches appear slightly less complex and correspondingly more appealing. In her second lecture, on Authorization and Views, Ms. Selinger described how the local access control mechanism should work, how application programs are authorized, and presented a way to avoid access checking on every request. She finally discussed the conflict between dynamic object deletion and node autonomy.

B.G. Lindsay (IBM Research Laboratory, San Jose, California) lectured on Single and Multi-Site Recovery Facilities. He discussed the design of transaction management facilities which give the database user the ability to define logical units of work which are recoverable and atomic. The importance of transaction atomicity is that it eliminates interactions between separate transactions and ensures that only complete sequences of actions are posted to the database. On the other hand, recovery facilities ensure integrity and allow the system or the application program to abort the effects of incomplete transactions.

In a time of accelerating technological change it is sometimes rather too easy to become entranced with new methods and to forget that good design and management techniques still apply, perhaps in an even more fundamental way, to topics such as distributed database, which still lie within the realms of basic research. Distributed Database Design and Administration, by J.M. Gross, P.E. Jackson, J. Joyce and F.A. McGuire (Data Logic, Ltd., Middlesex, UK), concentrated upon the techniques required to design and implement full-scale distributed database systems.

F.A. Schreiber, C. Baldissera and S. Ceri (Politecnico di Milano, Italy) presented an overview of the general features characterizing distributed computing applications. Architectures, data partitioning and redundancy were examined and classified, and application areas were surveyed from the viewpoint of each feature. A few comments were made on methodological aspects of distributed systems. Finally, a large distributed information system was sketched.

G. Pelagatti and F.A. Schreiber, of the same affiliation as the former lecturers, discussed the CADDAS project in a lecture entitled Distributed Data Base Applications: Model of an Access Strategy in a Distributed Data Base. The CADDAS project deals with the problem of designing an efficient access strategy to a distributed data base. The lecturer approached the problem from the point of view of a system analyst who has to design a global application function. He presented an overview of the CADDAS project, together with a precise definition of the model which is used as a unified framework for the analysis of relevant design subproblems.

The original course lecture notes have been extensively revised and edited by the organizers, I.W. Draffan and F. Poole. The course text has been published by Cambridge University Press under the title "Distributed Data Bases". £15.00. ISBN: 0 521 23091 8. x + 374 pp.

Protocol Testing and Verification

A three-day workshop on the subject of communication protocol testing and verification was hosted by the British National Physical Laboratory, May 27-29, 1981. Sponsored by IFIP TC6.1 and NPL, the workshop was intended to bring together active researchers in the field for discussion of recent developments and future directions.

Thirty experts from 11 countries participated, each making a short presentation on his current work in the area. Presentations were divided into four major sessions, with generous time allotments for discussions, which proved to be lively.

The first session on specification methods had several presentations on generalized state machine methods, but newer methods including buffer histories, sequencing expressions and temporal logic were also discussed. The consensus seemed to be that state machine (or abstract machine) specifications were relatively widely understood and gaining in usage, and that this was a worthwhile trend. Nevertheless, they have certain limitations and inconveniences associated with their reliance on individual state transitions which have led to the newer methods proposed. These seem promising in providing for greater abstraction and facilitating expression of progress as well as safety properties, but further work is needed.

The session on validation and verification also introduced a variety of methods. State exploration methods in one form or another have been employed by several groups, and in many cases at least partially automated. Although unable to handle the full behavior of complex protocols (e.g., values of sequence numbers or message texts cause problems), they have produced some very useful partial results for real protocols such as CCITT X.21 and X.25. Traditional program verification methods have also been applied to protocols, more recently including the use of temporal logic. Interesting work with abstract data type models and with symbolic execution is also being done. These newer methods are potentially more powerful (more general properties can be analyzed faster), but also more difficult to accomplish.
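The state machine specifications of the first session and the state exploration methods of this one can be shown together in a small program. What follows is an added example, not code from the workshop or from any group reporting there: two copies of a constructed, hypothetical connection-setup machine (the CR/CC message names and all state names are chosen for the illustration and do not denote any real standard) are composed over bounded FIFO channels, and every reachable global state is enumerated and checked for the errors such tools classically report, namely unspecified reception, channel overflow and deadlock, together with a simple progress check that every reachable state can still reach a proper end.

```python
"""Exhaustive global-state exploration of a two-peer protocol.

Added illustration, not taken from the workshop or from any paper presented
there.  Two identical peers, each an abstract state machine, exchange
messages over a pair of bounded FIFO channels.  Every reachable global state
is enumerated and checked for the design errors that state exploration tools
classically report: unspecified reception, channel overflow and deadlock.
Messages are reduced to their type (CR, CC); carrying sequence numbers or
payloads would multiply the global state space, which is the limitation the
report mentions.
"""
from collections import deque

# Constructed connection-setup protocol (hypothetical, not a real standard):
# CR = connect request, CC = connect confirm.  Rules are (kind, message, next_state).
BUGGY_PEER = {
    "idle": [("send", "CR", "wait"), ("recv", "CR", "resp")],
    "resp": [("send", "CC", "open")],
    "wait": [("recv", "CC", "open")],   # no rule for a CR that collides with ours
    "open": [],                         # connection established, peer may stop here
}
# Same machine with collision handling: a CR arriving while we wait for CC
# means the other side also requested; both treat the connection as open.
FIXED_PEER = dict(BUGGY_PEER, wait=[("recv", "CC", "open"), ("recv", "CR", "open")])

TERMINAL = {"open"}                     # local states in which stopping is legitimate
START = ("idle", "idle", (), ())        # (state_A, state_B, channel A->B, channel B->A)


def successors(state, peer, capacity, errors):
    """Yield the global states reachable in one step; record errors seen on the way."""
    local, chans = state[:2], [state[2], state[3]]
    for i in (0, 1):                    # peer 0 is A, peer 1 is B
        out, inc = i, 1 - i             # peer i sends on chans[i], receives from chans[1 - i]
        rules = peer[local[i]]
        if chans[inc]:
            head = chans[inc][0]
            # Strict unspecified reception: the head message has no receive rule here.
            if not any(k == "recv" and m == head for k, m, _ in rules):
                errors.add(("unspecified_reception", "AB"[i], head, state))
        for kind, msg, nxt in rules:
            new_local = list(local)
            new_local[i] = nxt
            new_chans = list(chans)
            if kind == "send":
                if len(chans[out]) >= capacity:
                    errors.add(("channel_overflow", "AB"[i], msg, state))
                    continue
                new_chans[out] = chans[out] + (msg,)
            elif chans[inc] and chans[inc][0] == msg:
                new_chans[inc] = chans[inc][1:]
            else:
                continue                # receive rule not enabled in this state
            yield (new_local[0], new_local[1], new_chans[0], new_chans[1])


def is_proper_end(state):
    """Both peers in a terminal local state and nothing left in transit."""
    return all(p in TERMINAL for p in state[:2]) and not state[2] and not state[3]


def explore(peer, capacity=2):
    """Breadth-first enumeration of all global states; returns (graph, errors)."""
    seen, graph, errors, queue = {START}, {}, set(), deque([START])
    while queue:
        s = queue.popleft()
        succ = list(successors(s, peer, capacity, errors))
        graph[s] = succ
        if not succ and not is_proper_end(s):
            errors.add(("deadlock", "-", "-", s))
        for n in succ:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return graph, errors


def stuck_states(graph):
    """Progress check: reachable states from which no proper end is reachable."""
    rev = {s: [] for s in graph}
    for s, succ in graph.items():
        for n in succ:
            rev[n].append(s)
    can_finish = {s for s in graph if is_proper_end(s)}
    frontier = deque(can_finish)
    while frontier:
        for p in rev[frontier.popleft()]:
            if p not in can_finish:
                can_finish.add(p)
                frontier.append(p)
    return set(graph) - can_finish


if __name__ == "__main__":
    for name, peer in (("buggy", BUGGY_PEER), ("fixed", FIXED_PEER)):
        graph, errors = explore(peer)
        print(f"{name}: {len(graph)} global states, {len(errors)} errors, "
              f"{len(stuck_states(graph))} states that cannot finish")
        for err in sorted(errors, key=repr):
            print("  ", err)
```

Run stand-alone, the program reports the request collision (both peers in wait with a CR at the head of each channel) as an unspecified reception for each peer and a deadlock for the first machine, and a clean eleven-state space with no errors for the second. Reducing messages to their type is what keeps the space this small, and it is exactly the step that is no longer possible once sequence numbers or message contents decide the behaviour.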

A shorter session on design considered methods for producing correct protocol designs and implementations. Design rules have been formulated that add necessary transitions to the system as it is being developed, or synthesize entire missing components, but so far these rules have only been applied to simple examples. Simulation is also a very useful design aid, particularly if the protocol specification itself can be directly "executed" or interpreted. Several groups are well advanced in directly implementing major portions of the protocol specification in running code, thereby eliminating the possibility for introducing implementation bugs.

A final session on testing and certification heard reports from several national projects attempting to develop test plans or centers for protocol standards (UK, USA, France). Individual researchers are also experimenting with various test methods and tools. Development of test sequences and analysis of results are still largely ad hoc procedures, but some interesting work was presented on techniques to divide protocols into small, independently testable state machine components to allow exhaustive testing, and on the dangers of testing against so-called reference standard implementations.

Lively discussions followed each of the presentation sessions, and the opportunity to find out more about each other's work was widely exploited. A 500 page digest containing research papers and summaries of the discussions was prepared by NPL and distributed to attendees. Copies may be obtained for £25 (to cover copying and mailing costs) from Dave Rayner, National Physical Laboratory, Queens Road, Teddington, Middlesex TW11 0LW, England.

Participants agreed that another workshop should be held in Spring of 1982 in North America. Interested parties may contact Dr. Carl Sunshine, USC Information Sciences Institute, 4676 Admiralty Way, Marina del Rey, CA 90230, USA.

C. Sunshine