Toward Automatic Generation of Models with Probes from the SDL System Specification

Workshop on Formal Verification
of Telecommunication Systems, Part I
Zagreb, 5. 11. 2004.

Transcript

  • 1. Toward Automatic Generation of Models with Probes from the SDL System Specification. University of Maribor, Faculty of Electrical Engineering and Computer Science (UM FERI). Boštjan Vlaovič, Ph.D., [email_address]. Workshop on Formal Verification of Telecommunication Systems, Part I, Zagreb, 5. 11. 2004.
  • 2.
    • "A design without the requirements cannot be incorrect. It can be only surprising." (Willem Louis van der Poel)
  • 3. Overview
    • Introduction
    • Automatic Generation of Models from the SDL Specification
    • Probes insertion
    • Case Study - Formal verification of the V.76 protocol specification
    • Conclusion
  • 4. Introduction
    • Modern society depends on proper operation of telecommunication systems.
    • Due to the increasing functional complexity of contemporary communication systems, their design is getting increasingly difficult.
    • Other influencing factors:
      • shorter time to market,
      • concurrency,
      • traditional approaches to verification (simulation and testing).
    • Our goal is to introduce formal verification of systems specified with the SDL in all steps of the development process.
  • 5. Specification and Description Language
    • The telecommunication industry and standardisation bodies are using SDL for the formal or semi-formal specification of telecommunication systems.
    • General attributes:
      • abstract non-formal description,
      • semi-formal description,
      • formal description,
      • development tools (external implementation of operators),
      • suitable for the specification of concurrent systems,
      • behaviour is described by concurrent processes - extended finite automata.
    SDL: Specification and Description Language
    Formal specification of a system in the SDL is unambiguous, clear and exact.
  • 6. SDL Specification
  • 7. Model Checking Technique
    Diagram labels: system specification (SDL), requirements (claims, temporal formulas), model of the system, model with probes (Promela), formal verification tool (Spin), violation of the requirements, counter-example.
  • 8. SDL Extended Finite Automata
    • Q - set of states
    • q0 - start state, q0 ∈ Q
    • A - input alphabet
    • f - transition function
    • Z - set of variables
    • X - output alphabet
    Diagram labels: simulation, implementation, formal verification.
    Additional expansions:
    • decision statement,
    • spontaneous transition,
    • save construct and
    • timers.
  • 9. Process Definition
    • Definition: A process is a 12-tuple (sdlname; pmlname; fpar; channel; sigset; state; sigin; sigout; timer; variable; start; max), where:
    • sdlname – name of the process in the specification;
    • pmlname – name of the process in the model of the system;
    • fpar – set of formal parameters;
    • channel – name of the associated channel in the model of the system;
    • sigset – set of explicitly and implicitly defined valid signals;
    • state – set of explicitly defined states;
    • sigin – set of signals that have an associated transition;
    • sigout – set of output signals of the process;
    • timer – set of timers;
    • variable – set of variables;
    • start – number of process instances at the start of the system;
    • max – maximum number of allowed instances during the execution of the system.
    A total of 34 definitions were used to describe the SDL system.
  • 10. Data Types
    • We support the following SDL data types:
    • predefined data:
      • INTEGER,
      • BOOLEAN,
      • PID,
      • NATURAL,
      • CHARACTER,
      • CHARSTRING,
      • REAL,
      • TIME,
      • DURATION.
    • data type definitions:
      • struct,
      • array,
      • enumerated data type.
  • 11.
    • We take into account:
    • default value,
    • the range of values,
    • inheritance,
    • number of bits to describe all possible values.
    • Special solutions:
    • definition of arrays with the structures,
    • explicit definition of literals,
    • additional definitions of data types for the definition of the associated channels,
    • hidden variable for the modelling of the implicit signal reception.
    Formal specification of the automatic model generation is described by 40 algorithms in pseudo-SDL.
  • 12. Promela Model of the System
    proctype dataLink__AtoB(pt__chan input; pt__pid parent){
      pt__pid offspring, sender;
      byte pv__ptr, pv__cur;
      xr input;
      V76paramTyp V76par;
      goto ready;
    ready:
    end_1:
      do
      :: table_channum_ptr[input] > pv__cur ->
           table_channum_prio[input]=false;
           pv__cur++;
           pv__ptr=0;
           atomic{
             do
             :: pv__ptr <= cv__buff-1 ->
                  if
                  :: else -> set__clear();
                  fi;
                  pv__ptr++;
             :: else -> goto ready_start;
             od;
           }
    ready_start:
           if
           :: table_channum_prio[input]==true ->
                pv__ptr=0;
                do
                :: (pv__ptr <= cv__buff-1) && (table_channum_nsp[input].data[pv__ptr].prio==true) ->
                     if /* PRIORITY INPUT */
                     :: else -> skip;
                     fi;
                :: (pv__ptr == cv__buff) -> break;
                :: else -> pv__ptr++
                od;
           :: else ->
                pv__ptr=0;
                do
                :: (pv__ptr <= cv__buff-1) ->
                     if
                     :: skip__save()
                     :: else -> . . .
    }
  • 13. Scientific Contributions (1)
    • Modelling of dynamic process creation and termination with the reuse of the Process Identification Numbers (PIDs): Promela has a restriction of 256 concurrently active processes.
    • Algorithm for the modelling of the process body – the constructs that describe process behaviour.
    • Full support for structures and arrays with the minimal contribution to the state vector.
    • Algorithm for direct assignment of values to the whole structure.
    • Modelling of the Save construct.
    • Modelling of the asterisk (*) state.
  • 14. Communication
    • Address types:
      • PID,
      • name of the process or
      • implicit.
    We support additional path limitations with the use of the Via statement.
  • 15. Analysis of potential receivers
    BLOCK B;
      SUBSTRUCTURE;
        CHANNEL k1
          FROM B1 TO B2 WITH sig1;
          FROM B2 TO B1 WITH sig1;
        ENDCHANNEL;
        CHANNEL k2
          FROM B1 TO B2 WITH sig1;
          FROM B2 TO B1 WITH sig1;
        ENDCHANNEL;
        BLOCK B1;
          SIGNALROUTE sr3
            FROM P1 TO P2 WITH sig1;
            FROM P2 TO P1 WITH sig1;
          SIGNALROUTE sr1
            FROM P1 TO ENV WITH sig1;
            FROM ENV TO P1 WITH sig1;
          SIGNALROUTE sr2
            FROM P2 TO ENV WITH sig1;
            FROM ENV TO P2 WITH sig1;
          CONNECT k1,k2 AND sr1, sr2;
          PROCESS P1;
          PROCESS P2;
        ENDBLOCK;
        BLOCK B2;
          SUBSTRUCTURE;
            CHANNEL k22
              FROM B22 TO ENV WITH sig1;
              FROM ENV TO B22 WITH sig1;
            ENDCHANNEL;
            CHANNEL k21
              FROM B21 TO ENV WITH sig1;
              FROM ENV TO B21 WITH sig1;
            ENDCHANNEL;
            CONNECT k1 AND k22;
            CONNECT k2 AND k21;
            BLOCK B21;
              SIGNALROUTE sr1
                FROM P1 TO ENV WITH sig1;
                FROM ENV TO P1 WITH sig1;
              SIGNALROUTE sr2
                FROM P2 TO ENV WITH sig1;
                FROM ENV TO P2 WITH sig1;
              CONNECT k21 AND sr1, sr2;
              PROCESS P1;
              PROCESS P2;
            ENDBLOCK;
            BLOCK B22;
              SIGNALROUTE sr1
                FROM P1 TO ENV WITH sig1;
                FROM ENV TO P1 WITH sig1;
              CONNECT k22 AND sr1;
              PROCESS P1;
            ENDBLOCK;
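    The receiver analysis of slide 15, as an added example that is not the sdl2pml tool's code: the block structure above is encoded as a graph of processes, signal routes and channels, and a walk from the sending process collects every process an implicitly addressed sig1 can reach through the CONNECT statements. The node naming, the encoding of CONNECT as path pairs, and the rule that a route entered from a channel delivers only to its own processes are assumptions of this example.

```python
from collections import defaultdict

# Constructed encoding of the SDL structure on slide 15 (the sdl2pml tool's own
# representation is not on the page). Routes: (block, route, end_a, end_b),
# with ENV marking the block boundary; CONNECT pairs join paths at a boundary.
ROUTES = [("B1", "sr3", "P1", "P2"), ("B1", "sr1", "P1", "ENV"),
          ("B1", "sr2", "P2", "ENV"), ("B21", "sr1", "P1", "ENV"),
          ("B21", "sr2", "P2", "ENV"), ("B22", "sr1", "P1", "ENV")]
CHANNELS = {"k1", "k2", "k21", "k22"}
CONNECTS = [("B1.sr1", "k1"), ("B1.sr1", "k2"), ("B1.sr2", "k1"),   # route names
            ("B1.sr2", "k2"), ("k1", "k22"), ("k2", "k21"),         # qualified by
            ("B21.sr1", "k21"), ("B21.sr2", "k21"), ("B22.sr1", "k22")]  # block
PROCESSES = {"B1.P1", "B1.P2", "B21.P1", "B21.P2", "B22.P1"}

def kind(node):
    return "process" if node in PROCESSES else "channel" if node in CHANNELS else "route"

def build_graph():
    """Undirected adjacency over processes, signal routes and channels."""
    g = defaultdict(set)
    edges = list(CONNECTS)
    for block, route, a, b in ROUTES:
        edges += [(f"{block}.{route}", f"{block}.{end}") for end in (a, b) if end != "ENV"]
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return g

def potential_receivers(sender):
    """Processes an implicitly addressed signal from `sender` may reach (every
    path on the slide carries sig1 both ways, so WITH lists are not filtered)."""
    g, seen, receivers = build_graph(), {sender}, set()
    stack = [(sender, None)]
    while stack:
        node, prev = stack.pop()
        for nxt in g[node]:
            if nxt in seen:
                continue
            # A route entered from a channel delivers only to its own processes;
            # a signal does not turn around onto another channel.
            if (prev is not None and kind(node) == "route"
                    and kind(prev) == "channel" and kind(nxt) != "process"):
                continue
            seen.add(nxt)
            if kind(nxt) == "process":
                receivers.add(nxt)          # processes are sinks, not relays
            else:
                stack.append((nxt, node))
    return sorted(receivers)
```

    For B1.P1 the walk yields B1.P2 (via sr3), B22.P1 (sr1, k1, k22) and B21.P1, B21.P2 (sr1, k2, k21), which is why implicit addressing needs this analysis before the model can pick a channel.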
  • 16. Communication
  • 17. Scientific Contributions (2)
    • Algorithm for the definition of the associated channel,
    • Modelling of the addressing with the use of PID, name of the process.
    • Modelling of the implicit addressing based on the definition of signal routes and channels.
    • Modelling of the path limitations.
    • Mechanism for dynamic input queue supervision.
    • Modelling of the priority input.
    • Modelling of the implicit transition.
    • Modelling of the spontaneous transition.
    • Modelling of the conditional transition.
    • Modelling of timer with parameters.
    • Modelling of the continuous signal.
    • Modelling of the asterisk (*) input.
  • 18. Introduction of Probes to the Model
    • Model expansion with probes enables detection of:
    • invalid end states – all valid end states are explicitly selected by the expert,
    • violations of the SDL semantical rules:
      • maximum number of allowed process instances,
      • irregular use of the decision construct,
      • violation of the variable’s range of values,
      • use of the “undefined” variable.
    • search of the potentially erroneous executions:
      • implicit signal reception,
      • explicitly marked unwanted execution paths,
    • search of the cyclic executions,
    • checking of model’s temporal properties with the use of the LTL.
    LTL: Linear Temporal Logic
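    The `start`/`max` fields of the process tuple on slide 9, the PID reuse of slide 13 and the maximum-instances probe of slide 18 together, as an added example that is not the sdl2pml tool's code: terminated instances hand their PID back to a fixed pool so the modelled pid never grows beyond it, and a CREATE past `max` fires the probe. The pool layout, the `ProbeViolation` class and the `churn` helper are assumptions of this example.

```python
from collections import deque

PROMELA_MAX_PROCS = 256   # limit stated on slide 13

class ProbeViolation(Exception):
    """Stands in for the assertion a generated probe raises inside Spin."""

class ProcessType:
    """Instances of one SDL process type, described by the `start` and `max`
    fields of the 12-tuple on slide 9. PIDs are recycled (slide 13) so the
    modelled pid stays inside a fixed pool, and creating beyond `max` fires
    the probe from slide 18. The pool/probe layout is an assumption."""

    def __init__(self, sdlname, start, max_instances, pool=PROMELA_MAX_PROCS):
        if not 0 <= start <= max_instances <= pool:
            raise ValueError("need 0 <= start <= max <= pool size")
        self.sdlname, self.max = sdlname, max_instances
        self.free = deque(range(1, max_instances + 1))  # PIDs available for reuse
        self.active = {}                                 # pid -> parent pid
        self.created = 0                                 # creations attempted
        for _ in range(start):
            self.create(parent=0)                        # 0: created by the system

    def create(self, parent):
        """CREATE in the model; returns the offspring PID or fires the probe."""
        self.created += 1
        if not self.free:
            raise ProbeViolation(
                f"{self.sdlname}: more than {self.max} concurrent instances")
        pid = self.free.popleft()
        self.active[pid] = parent
        return pid

    def terminate(self, pid):
        """STOP in the model; the PID returns to the pool and may be reused."""
        del self.active[pid]
        self.free.append(pid)

def churn(ptype, rounds):
    """Create and terminate `rounds` times; returns the set of PIDs ever used.
    With reuse this set never grows past `ptype.max`, however large `rounds` is."""
    used = set()
    for _ in range(rounds):
        pid = ptype.create(parent=1)
        used.add(pid)
        ptype.terminate(pid)
    return used
```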
  • 19. Case Study – FV of protocol V.76
    • Laurent Doldi: Validation of Communications Systems with SDL: the Art of SDL Simulation and Reachability Analysis, Wiley 2003
  • 20. System V76test
  • 21. Block DLC[ab]
  • 22. Model of the environment
  • 23. Automatic Generation of Models
    • SDL system specification without comments … 1304 lines of code.
    • Model of the system in Promela … from 4627 to 5034 lines.
    • Results of the research are implemented with more than 100,000 lines of program code in the sdl2pml tool.
    • We are using Spin for the formal verification of the generated models. Spin received the ACM Software System Award in 2002 (its implementation consists of 50,000 lines of program code).
  • 24. Formal Verification of the Model
    • Search for invalid end states:
      • Selection of valid end states in every process.
      • Formal verification with Spin.
  • 25. Corrections of the Specification
  • 26. Inclusion of Probes
    • No more semantical violations of the SDL were found in the model of the system.
    • Search for the implicit signal reception revealed 7 different possible receptions.
    • Explicit marking of all "else" transitions revealed a possible execution where the command DM would be ignored.
  • 27. Temporal properties
    • []!(environment__SUa__V_Data.val == 86)
  • 28. Temporal properties
  • 29. Scientific Contributions (3)
    • Automatic insertion of permanent probes. They are used for the verification of the semantical correctness of the model in regard to the SDL system specification.
    • Automatic insertion of probes for the:
      • valid end states,
      • accepting states,
      • progress states.
    • Automatic insertion of probes for the potentially invalid system executions.
    • Automatic insertion of probes for the verification of the temporal properties of the system.
  • 30.
  • 31. Counter Example