orig proto (with distinguished filters)
-> basic version (dummy messages)
-> starts

mainblock subproto
-> connections in subproto
-> test ambig loginfailure
-> no error: guarded subprotos (higher-level security issue)
-> how about subprotos for non-explicit version?  still no error
-> make error: add unmergable action

rec -> recursive do:
-> already connection error
-> connections outside of subproto

filter subproto parameterised on type
-> payload error
-> parameterise on sig

model checking
- state space size can be tricky to predict
- connect/disconnect helps prune state space

connect filter inside subproto
-> bad choice connect
-> have to move connect quite far up


---

experimental work in progress

model checking for WF
- cleanly separate protocol verification (WF) from program verification (typing)
- for protocol verification, "forget" types, language layers, syntactic projection, ...
	- abstract concurrent message passing system, verify good
	- model checking

original ideas for model checking approach
	- determine finite vs. infinite structures
		- i.e. bounded vs unbounded max buffer sizes
	- verify accordingly
- now: soundness of finite model checking
	- "forget" rules that imply safety
	- simpler rules that imply soundness of finite model, and check safety

experiment:
- syntactic checks reduced to: choice subjects and enabling
- set modelling implementation to buffer size 1 asynchrony
- do some examples

1. Orig
- written intuitively
- some trivial bugs, but mostly OK morally
- two main problems:
	- MP session abstraction
	- restrictive syntactic WF
		e.g. deny vs getsuppliers, suppliers vs contracts

2. Basic -- old Scribble
- trivial bugs fixed
- dummy messages to get around both problems

3. Demo -- new WF
- demo: redo from original version under new WF
- trivial
	- authoriser -> AUTHsvc
	- usersvc
- MP session abstraction
	- safety violation
	- Wait-for errors: e.g. [contractsvc, authorisersvc, requestor]
	- trace
	- explicit (no connects yet)
		- not connected: REQuestor, LOGINsvc
	- add connects
		- GOOD
		- no need to change any of the "unbalanced" choices
- model checked WF: add errors to demonstrate
	- loginsuccess -> loginfailure
		- message passing still safe (independent of explicit connects)
	- nondet loginfailure with followup (e.g. success)
		- Wait-for errors: [[REQuestor, LOGINsvc]]
		- global model: safety error is (bad) terminal state
	- cf. distinct enabling syntactic check (now mergability for free)
- main subproto
	- aux for main + connects
	- unused role -> fine
	- factor the continues -> fine (same number of states)
	- recursive aux -> connect error -> error msg? -> how to fix?
- filter subproto
	- supplier only, but parameterise type -> fine
	- also contract -> non-det payload problem
	-> parameterise on sig -> both supplier -> mergable
		-> supplier/contract -> non-det error
		-> distinct ops -> OK

---

minimal examples:

classify safety/liveness errors
- cf. classify good terminal states for safety -- needs termination hack or additional liveness checks