Toward Automatic Generation of Models with Probes from the SDL System Specification
Workshop on Formal Verification of Telecommunication Systems, Part I, Zagreb, 5 November 2004

Presentation Transcript

  • 1. Toward Automatic Generation of Models with Probes from the SDL System Specification
    Boštjan Vlaovič, Ph.D., [email_address]
    University of Maribor, Faculty of Electrical Engineering and Computer Science (UM FERI)
    Workshop on Formal Verification of Telecommunication Systems, Part I, Zagreb, 5 November 2004
  • 2. "A design without the requirements cannot be incorrect. It can only be surprising." (Willem Louis van der Poel)
  • 3. Overview
    • Introduction
    • Automatic Generation of Models from the SDL Specification
    • Probe insertion
    • Case Study - Formal verification of the V.76 protocol specification
    • Conclusion
  • 4. Introduction
    • Modern society depends on the proper operation of telecommunication systems.
    • Due to the increasing functional complexity of contemporary communication systems, their design is getting increasingly difficult.
    • Other influencing factors:
    • shorter time to market,
    • concurrency,
    • traditional approaches to verification (simulation and testing).
    • Our goal is to introduce formal verification of systems specified with SDL in all steps of the development process.
  • 5. Specification and Description Language
    • The telecommunication industry and standardisation bodies use SDL for the formal or semi-formal specification of telecommunication systems.
    • General attributes:
    • abstract non-formal description,
    • semi-formal description,
    • formal description,
    • development tools (external implementation of operators),
    • suitable for the specification of concurrent systems,
    • behaviour is described by concurrent processes (extended finite automata).
    SDL: Specification and Description Language. A formal specification of a system in SDL is unambiguous, clear and exact.
  • 6. SDL Specification
  • 7. Model Checking Technique (figure): the SDL system specification is translated into a Promela model of the system; the requirements are expressed as claims and temporal formulas and added to the model as probes; the formal verification tool Spin checks the model with probes and reports any violation of the requirements as a counter-example.
  • 8. SDL Extended Finite Automata
    • Q – set of states
    • q0 – start state, q0 ∈ Q
    • A – input alphabet
    • f – transition function
    • Z – set of variables
    • X – output alphabet
    (figure labels: simulation, implementation, formal verification)
    Additional expansions:
    • decision statement,
    • spontaneous transition,
    • save construct and
    • timers.
  • 9. Process Definition
    • Definition: a process is a 12-tuple (sdlname, pmlname, fpar, channel, sigset, state, sigin, sigout, timer, variable, start, max), where:
    • sdlname – name of the process in the specification;
    • pmlname – name of the process in the model of the system;
    • fpar – set of formal parameters;
    • channel – name of the associated channel in the model of the system;
    • sigset – set of explicitly and implicitly defined valid signals;
    • state – set of explicitly defined states;
    • sigin – set of signals that have an associated transition;
    • sigout – set of output signals of the process;
    • timer – set of timers;
    • variable – set of variables;
    • start – number of process instances at the start of the system;
    • max – maximum number of allowed instances during the execution of the system.
    A total of 34 definitions were used to describe the SDL system.
  • 10. Data Types
    • We support the following SDL data types:
    • predefined data:
      • INTEGER,
      • BOOLEAN,
      • PID,
      • NATURAL,
      • CHARACTER,
      • CHARSTRING,
      • REAL,
      • TIME,
      • DURATION.
    • data type definitions:
      • struct,
      • array,
      • enumerated data type.
  • 11.
    • We take into account:
    • default value,
    • the range of values,
    • inheritance,
    • number of bits to describe all possible values.
    • Special solutions:
    • definition of arrays with the structures,
    • explicit definition of literals,
    • additional definitions of data types for the definition of the associated channels,
    • hidden variable for the modelling of the implicit signal reception.
    Formal specification of the automatic model generation is described by 40 algorithms in pseudo-SDL.
  • 12. Promela Model of the System (excerpt of generated code)
    proctype dataLink__AtoB(pt__chan input; pt__pid parent)
    {
      pt__pid offspring, sender;
      byte pv__ptr, pv__cur;
      xr input;
      V76paramTyp V76par;
      goto ready;
    ready:
    end_1:
      do
      :: table_channum_ptr[input] > pv__cur ->
           table_channum_prio[input] = false;
           pv__cur++;
           pv__ptr = 0;
           atomic {
             do
             :: pv__ptr <= cv__buff-1 ->
                  if
                  :: else -> set__clear();
                  fi;
                  pv__ptr++;
             :: else -> goto ready_start;
             od;
           }
    ready_start:
           if
           :: table_channum_prio[input] == true ->
                pv__ptr = 0;
                do
                :: (pv__ptr <= cv__buff-1) && (table_channum_nsp[input].data[pv__ptr].prio == true) ->
                     if /* PRIORITY INPUT */
                     :: else -> skip;
                     fi;
                :: (pv__ptr == cv__buff) -> break;
                :: else -> pv__ptr++
                od;
           :: else ->
                pv__ptr = 0;
                do
                :: (pv__ptr <= cv__buff-1) ->
                     if
                     :: skip__save()
                     :: else -> . . .
    }
  • 13. Scientific Contributions (1)
    • Modelling of dynamic process creation and termination with the reuse of the Process Identification Numbers (PIDs): Promela has a restriction of 256 concurrently active processes.
    • Algorithm for the modelling of the process body – the constructs that describe process behaviour.
    • Full support for structures and arrays with the minimal contribution to the state vector.
    • Algorithm for direct assignment of values to the whole structure.
    • Modelling of the Save construct.
    • Modelling of the asterisk (*) state.
  • 14. Communication
    • Address types:
    • PID,
    • name of the process or
    • implicit.
    We support additional path limitations with the use of the Via statement.
  • 15. Analysis of potential receivers
    BLOCK B;
      SUBSTRUCTURE;
        CHANNEL k1
          FROM B1 TO B2 WITH sig1;
          FROM B2 TO B1 WITH sig1;
        ENDCHANNEL;
        CHANNEL k2
          FROM B1 TO B2 WITH sig1;
          FROM B2 TO B1 WITH sig1;
        ENDCHANNEL;
        BLOCK B1;
          SIGNALROUTE sr3
            FROM P1 TO P2 WITH sig1;
            FROM P2 TO P1 WITH sig1;
          SIGNALROUTE sr1
            FROM P1 TO ENV WITH sig1;
            FROM ENV TO P1 WITH sig1;
          SIGNALROUTE sr2
            FROM P2 TO ENV WITH sig1;
            FROM ENV TO P2 WITH sig1;
          CONNECT k1, k2 AND sr1, sr2;
          PROCESS P1;
          PROCESS P2;
        ENDBLOCK;
        BLOCK B2;
          SUBSTRUCTURE;
            CHANNEL k22
              FROM B22 TO ENV WITH sig1;
              FROM ENV TO B22 WITH sig1;
            ENDCHANNEL;
            CHANNEL k21
              FROM B21 TO ENV WITH sig1;
              FROM ENV TO B21 WITH sig1;
            ENDCHANNEL;
            CONNECT k1 AND k22;
            CONNECT k2 AND k21;
            BLOCK B21;
              SIGNALROUTE sr1
                FROM P1 TO ENV WITH sig1;
                FROM ENV TO P1 WITH sig1;
              SIGNALROUTE sr2
                FROM P2 TO ENV WITH sig1;
                FROM ENV TO P2 WITH sig1;
              CONNECT k21 AND sr1, sr2;
              PROCESS P1;
              PROCESS P2;
            ENDBLOCK;
            BLOCK B22;
              SIGNALROUTE sr1
                FROM P1 TO ENV WITH sig1;
                FROM ENV TO P1 WITH sig1;
              CONNECT k22 AND sr1;
              PROCESS P1;
            ENDBLOCK;
  • 16. Communication
  • 17. Scientific Contributions (2)
    • Algorithm for the definition of the associated channel.
    • Modelling of addressing with the use of the PID or the name of the process.
    • Modelling of the implicit addressing based on the definition of signal routes and channels.
    • Modelling of the path limitations.
    • Mechanism for dynamic input queue supervision.
    • Modelling of the priority input.
    • Modelling of the implicit transition.
    • Modelling of the spontaneous transition.
    • Modelling of the conditional transition.
    • Modelling of timer with parameters.
    • Modelling of the continuous signal.
    • Modelling of the asterisk (*) input.
  • 18. Introduction of Probes to the Model
    • Model expansion with probes enables detection of:
    • invalid end states – all valid end states are explicitly selected by the expert,
    • violations of the SDL semantic rules:
      • maximum number of allowed process instances,
      • irregular use of the decision construct,
      • violation of a variable's range of values,
      • use of an "undefined" variable,
    • search for potentially erroneous executions:
      • implicit signal reception,
      • explicitly marked unwanted execution paths,
    • search for cyclic executions,
    • checking of the model's temporal properties with LTL.
    LTL: Linear Temporal Logic
  • 19. Case Study – Formal Verification of the V.76 Protocol
    • Laurent Doldi: Validation of Communications Systems with SDL: The Art of SDL Simulation and Reachability Analysis, Wiley, 2003
  • 20. System V76test
  • 21. Block DLC[ab]
  • 22. Model of the environment
  • 23. Automatic Generation of Models
    • SDL system specification without comments: 1304 lines of code.
    • Model of the system in Promela: from 4627 to 5034 lines.
    • The results of the research are implemented in more than 100,000 lines of program code in the sdl2pml tool.
    • We use Spin for the formal verification of the generated models. It received the ACM Software System Award in 2002 (its implementation consists of 50,000 lines of program code).
  • 24. Formal Verification of the Model
    • Search for invalid end states:
      • Selection of valid end states in every process.
      • Formal verification with Spin.
  • 25. Corrections of the Specification
  • 26. Inclusion of Probes
    • No more semantic violations of SDL were found in the model of the system.
    • The search for implicit signal reception revealed 7 different possible receptions.
    • Explicit marking of all "else" transitions revealed a possible execution in which the DM command would be ignored.
  • 27. Temporal properties
    • []!(environment__SUa__V_Data.val == 86)
    (Spin LTL syntax: [] is "always", so the formula states that the val field of a V_Data signal delivered to the environment at SUa never equals 86.)
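    The probe kinds listed under "Introduction of Probes to the Model" (slide 18) and the LTL claim style of this slide, combined in one small Promela model. This is an added illustration written for this page; it is not sdl2pml output and not the author's code. The process names (dataLink, environment), the signals, the bounds MAX_INST, V_MAX and UNDEF, the variable last_val and the toy connect/data/disconnect protocol are all assumptions.

```promela
/* Constructed example: an SDL-style data-link process with probes.
   Not generated by sdl2pml; names, bounds and protocol are assumed. */

mtype = { SABM, UA, DISC, DM, V_Data };

#define MAX_INST 1      /* assumed SDL limit on dataLink instances          */
#define V_MAX    86     /* assumed upper bound of the value range of v      */
#define UNDEF    255    /* assumed sentinel meaning "not yet assigned"      */

chan toDL  = [0] of { mtype, byte };   /* environment -> dataLink          */
chan toEnv = [0] of { mtype, byte };   /* dataLink -> environment          */

byte instances = 0;     /* permanent probe: live dataLink instances         */
byte last_val  = 0;     /* observed by the temporal probe at the bottom     */

active proctype dataLink()
{
  mtype id;
  byte  val;
  byte  v = UNDEF;      /* SDL variable, undefined until first assignment   */

  instances++;
  assert(instances <= MAX_INST);  /* semantic rule: max process instances */

disconnected:
end_disc:               /* valid end state, selected explicitly            */
  toDL ? id, val;
  if
  :: id == SABM -> v = 0; toEnv ! UA, 0; goto connected
  :: id == DISC -> toEnv ! DM, 0; goto disconnected
  :: else -> assert(false)   /* implicit reception: no transition for id   */
  fi;

connected:
progress_conn:          /* a cycle that never passes here is non-progress  */
  toDL ? id, val;
  if
  :: id == V_Data ->
       assert(v != UNDEF);     /* use of an undefined variable            */
       v = v + val;
       assert(v <= V_MAX);     /* value-range probe                       */
       toEnv ! V_Data, v;
       goto connected
  :: id == DISC -> toEnv ! UA, 0; goto disconnected
  :: else -> assert(false)   /* explicitly marked unwanted "else" path     */
  fi
}

/* Constructed environment: connect, send two data frames, disconnect. */
active proctype environment()
{
  byte val;
  byte frames = 0;

  toDL ! SABM, 0;
  toEnv ? UA, _;
  do
  :: frames < 2 ->           /* two frames of 43 drive v to exactly 86     */
       toDL ! V_Data, 43; frames++;
       toEnv ? V_Data, val; last_val = val
  :: toDL ! DISC, 0; toEnv ? UA, _; break
  od
}

/* Temporal probe in the style of slide 27: 86 must never reach the
   environment.  With the environment above this claim is violated. */
ltl never86 { [] !(last_val == 86) }
```

    Run it with spin -a probes.pml && gcc -o pan pan.c && ./pan -a; pan reports the violated claim and writes probes.pml.trail, which spin -t -p probes.pml replays as the counter-example. Non-progress cycles are checked separately (compile with -DNP and run ./pan -l). Changing the payload from 43 to 40 makes never86 hold; with payload 40 and three frames (v reaches 120) the value-range assert in dataLink fires instead, which shows that the permanent probes and the temporal probe report through the same mechanism.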
  • 28. Temporal properties
  • 29. Scientific Contributions (3)
    • Automatic insertion of permanent probes. They are used for the verification of the semantical correctness of the model in regard to the SDL system specification.
    • Automatic insertion of probes for:
      • valid end states,
      • accepting states,
      • progress states.
    • Automatic insertion of probes for the potentially invalid system executions.
    • Automatic insertion of probes for the verification of the temporal properties of the system.
  • 30.
  • 31. Counter Example