Toward Automatic Generation of Models with Probes from the SDL System Specification

Boštjan Vlaovič, Ph.D. ([email protected])
University of Maribor, Faculty of Electrical Engineering and Computer Science

Workshop on Formal Verification of Telecommunication Systems, Part I
Zagreb, 5 November 2004

TRANSCRIPT
Univerza v Mariboru, UM FERI
Zagreb, November 2004: Toward Automatic Generation of Models with Probes from the SDL System Specification
"A design without the requirements cannot be incorrect. It can be only surprising."
(Willem Louis van der Poel)
Overview
• Introduction
• Automatic Generation of Models from the SDL Specification
• Probes insertion
• Case Study: Formal verification of the V.76 protocol specification
• Conclusion
Introduction
Modern society depends on the proper operation of telecommunication systems.
Because of the increasing functional complexity of contemporary communication systems, their design is getting increasingly difficult.
Other influencing factors:
• shorter time to market,
• concurrency,
• the traditional approaches to verification (simulation and testing), which exercise only a sample of the possible executions.
Our goal is to introduce formal verification of systems specified in SDL into all steps of the development process.
Specification and Description Language (SDL)
The telecommunication industry and standardisation bodies use SDL for the formal or semi-formal specification of telecommunication systems.
General attributes:
• abstract, non-formal description,
• semi-formal description,
• formal description,
• development tools (external implementation of operators),
• suitable for the specification of concurrent systems,
• behaviour is described by concurrent processes, i.e. extended finite automata.
A formal specification of a system in SDL is unambiguous, clear and exact.
SDL Specification (diagram)
Structure of the example system S1: blocks B1 and B2 connected by channels ("kanal"), a channel to the environment ("kanal do okolja"), processes P1, P2 and P3 with instance bounds such as (1,2) and (1,4), connected by signal routes ("signalna pot"), a procedure PP, a process graph with a start state and "next" transitions, and data definitions (newtype, syntype, synonym, dcl).
Model Checking Technique (diagram)
system specification (SDL) + requirements
  -> model of the system (Promela)
  -> model with probes (claims, temporal formulas)
  -> formal verification tool (Spin)
  -> violation of the requirements: counter-example
SDL Extended Finite Automata
• Q - set of states
• q0 - start state, q0 ∈ Q
• A - input alphabet
• f - transition function
• Z - set of variables
• X - output alphabet
(diagram of an example extended finite automaton; labels: simulation, implementation, formal verification)
Additional expansions:
• decision statement,
• spontaneous transition,
• save construct and
• timers.
Process Definition
Definition: a process is a 12-tuple (sdlname, pmlname, fpar, channel, sigset, state, sigin, sigout, timer, variable, start, max), where:
• sdlname – name of the process in the specification;
• pmlname – name of the process in the model of the system;
• fpar – set of formal parameters;
• channel – name of the associated channel in the model of the system;
• sigset – set of explicitly and implicitly defined valid signals;
• state – set of explicitly defined states;
• sigin – set of signals that have an associated transition;
• sigout – set of output signals of the process;
• timer – set of timers;
• variable – set of variables;
• start – number of process instances at the start of the system;
• max – maximum number of allowed instances during the execution of the system.
A total of 34 definitions were used to describe the SDL system.
Data Types
We support the following SDL data types:
• predefined data: INTEGER, BOOLEAN, PID, NATURAL, CHARACTER, CHARSTRING, REAL, TIME, DURATION;
• data type definitions: struct, array, enumerated data type.
We take into account:
• the default value,
• the range of values,
• inheritance,
• the number of bits needed to describe all possible values.
Special solutions:
• definition of arrays of structures,
• explicit definition of literals,
• additional data type definitions for the definition of the associated channels,
• a hidden variable for the modelling of implicit signal reception.
The formal specification of the automatic model generation is described by 40 algorithms in pseudo-SDL.
Promela Model of the System
(excerpt of the generated process dataLink__AtoB; the remainder of the proctype is elided on the slide)

proctype dataLink__AtoB(pt__chan input; pt__pid parent)
{
    pt__pid offspring, sender;
    byte pv__ptr, pv__cur;
    xr input;                    /* this process is the only reader of input */
    V76paramTyp V76par;
    goto ready;

ready:
end_1:                           /* end label: a valid end state for Spin */
    do
    :: table_channum_ptr[input] > pv__cur ->    /* a new signal is in the input queue */
        table_channum_prio[input] = false;
        pv__cur++;
        pv__ptr = 0;
        atomic {
            do
            :: pv__ptr <= cv__buff-1 ->
                if
                :: else -> set__clear();
                fi;
                pv__ptr++;
            :: else -> goto ready_start;
            od;
        }
ready_start:
        if
        :: table_channum_prio[input] == true ->
            pv__ptr = 0;
            do
            :: (pv__ptr <= cv__buff-1)
               && (table_channum_nsp[input].data[pv__ptr].prio == true) ->
                if
                /* PRIORITY INPUT */
                :: else -> skip;
                fi;
            :: (pv__ptr == cv__buff) -> break;
            :: else -> pv__ptr++
            od;
        :: else ->
            pv__ptr = 0;
            do
            :: (pv__ptr <= cv__buff-1) ->
                if
                :: skip__save()
                :: else ->
                    /* ... */
}
Scientific Contributions (1)
1. Modelling of dynamic process creation and termination with reuse of the Process Identification Numbers (PIDs): Spin limits a model to 255 simultaneously active processes, so the PIDs of terminated instances have to be reused.
2. Algorithm for the modelling of the process body, i.e. the constructs that describe process behaviour.
3. Full support for structures and arrays with a minimal contribution to the state vector.
4. Algorithm for direct assignment of values to a whole structure.
5. Modelling of the Save construct.
6. Modelling of the asterisk (*) state.
Communication (diagram)
Processes 1, 2 and 3 in blocks A and B, each with its own input queue ("vhodna vrsta"); processes are linked by signal routes ("signalna pot"), blocks by a channel ("kanal") through a connection point ("priključek").
Address types:
• PID,
• name of the process, or
• implicit.
We support additional path limitations with the use of the VIA statement.
Analysis of potential receivers
(SDL/PR excerpt as shown on the slide)

BLOCK B;
  SUBSTRUCTURE;
    CHANNEL k1 FROM B1 TO B2 WITH sig1; FROM B2 TO B1 WITH sig1; ENDCHANNEL;
    CHANNEL k2 FROM B1 TO B2 WITH sig1; FROM B2 TO B1 WITH sig1; ENDCHANNEL;
    BLOCK B1;
      SIGNALROUTE sr3 FROM P1 TO P2 WITH sig1; FROM P2 TO P1 WITH sig1;
      SIGNALROUTE sr1 FROM P1 TO ENV WITH sig1; FROM ENV TO P1 WITH sig1;
      SIGNALROUTE sr2 FROM P2 TO ENV WITH sig1; FROM ENV TO P2 WITH sig1;
      CONNECT k1, k2 AND sr1, sr2;
      PROCESS P1; PROCESS P2;
    ENDBLOCK;
    BLOCK B2;
      SUBSTRUCTURE;
        CHANNEL k22 FROM B22 TO ENV WITH sig1; FROM ENV TO B22 WITH sig1; ENDCHANNEL;
        CHANNEL k21 FROM B21 TO ENV WITH sig1; FROM ENV TO B21 WITH sig1; ENDCHANNEL;
        CONNECT k1 AND k22;
        CONNECT k2 AND k21;
        BLOCK B21;
          SIGNALROUTE sr1 FROM P1 TO ENV WITH sig1; FROM ENV TO P1 WITH sig1;
          SIGNALROUTE sr2 FROM P2 TO ENV WITH sig1; FROM ENV TO P2 WITH sig1;
          CONNECT k21 AND sr1, sr2;
          PROCESS P1; PROCESS P2;
        ENDBLOCK;
        BLOCK B22;
          SIGNALROUTE sr1 FROM P1 TO ENV WITH sig1; FROM ENV TO P1 WITH sig1;
          CONNECT k22 AND sr1;
          PROCESS P1;
        ENDBLOCK;
(diagram of the same structure: block B containing B1 (P1, P2; sr1, sr2, sr3) and B2 (B21 with P1, P2, sr1, sr2; B22 with P1, sr1), connected through k1, k2, k21 and k22)
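The routing rule this slide illustrates, worked as an added example (not code from the slides or from the sdl2pml tool): the channels, signal routes and CONNECT statements of the SDL text above are entered as data, and a breadth-first search over the directed paths returns every process that may receive sig1 output by P1 in B1 under implicit addressing. The data layout, the names `build_graph` and `receivers`, and the `via` parameter are this example's own assumptions; `via` imitates the SDL VIA path limitation from the Communication slide.

```python
"""Potential-receiver analysis for implicit addressing, added as an example.

The topology is the one written in SDL on the slide above; the data layout
and the function names are this example's own, not the sdl2pml tool's.
"""
from collections import deque

# Processes declared in each block (a lane endpoint that is neither ENV nor a
# process of that block is a sub-block, i.e. the path is a channel).
PROCESSES = {"B1": {"P1", "P2"}, "B21": {"P1", "P2"}, "B22": {"P1"}}

S1 = frozenset({"sig1"})
# One lane per direction of every channel and signal route:
# (declaring block, path name, FROM, TO, signals carried in that direction)
LANES = [
    ("B", "k1", "B1", "B2", S1), ("B", "k1", "B2", "B1", S1),
    ("B", "k2", "B1", "B2", S1), ("B", "k2", "B2", "B1", S1),
    ("B1", "sr3", "P1", "P2", S1), ("B1", "sr3", "P2", "P1", S1),
    ("B1", "sr1", "P1", "ENV", S1), ("B1", "sr1", "ENV", "P1", S1),
    ("B1", "sr2", "P2", "ENV", S1), ("B1", "sr2", "ENV", "P2", S1),
    ("B2", "k22", "B22", "ENV", S1), ("B2", "k22", "ENV", "B22", S1),
    ("B2", "k21", "B21", "ENV", S1), ("B2", "k21", "ENV", "B21", S1),
    ("B21", "sr1", "P1", "ENV", S1), ("B21", "sr1", "ENV", "P1", S1),
    ("B21", "sr2", "P2", "ENV", S1), ("B21", "sr2", "ENV", "P2", S1),
    ("B22", "sr1", "P1", "ENV", S1), ("B22", "sr1", "ENV", "P1", S1),
]
# CONNECT statements: (block whose boundary is crossed, outer path, inner paths)
CONNECTS = [("B1", "k1", ["sr1", "sr2"]), ("B1", "k2", ["sr1", "sr2"]),
            ("B2", "k1", ["k22"]), ("B2", "k2", ["k21"]),
            ("B21", "k21", ["sr1", "sr2"]), ("B22", "k22", ["sr1"])]


def build_graph(lanes, connects, processes):
    """Directed graph over process nodes 'block/process' and lane nodes."""
    edges = {}

    def add(u, v, sigs):
        edges.setdefault(u, []).append((v, sigs))

    for lane in lanes:
        blk, _, src, dst, sigs = lane
        if src in processes.get(blk, ()):      # process outputs into the lane
            add(f"{blk}/{src}", lane, sigs)
        if dst in processes.get(blk, ()):      # lane delivers to the process
            add(lane, f"{blk}/{dst}", sigs)
    for blk, outer, inners in connects:
        outer_in = [l for l in lanes if l[1] == outer and l[3] == blk]
        outer_out = [l for l in lanes if l[1] == outer and l[2] == blk]
        for inner in inners:
            inner_in = [l for l in lanes if l[:2] == (blk, inner) and l[2] == "ENV"]
            inner_out = [l for l in lanes if l[:2] == (blk, inner) and l[3] == "ENV"]
            for o in outer_in:                 # arriving at blk: continue inside
                for i in inner_in:
                    add(o, i, i[4])
            for i in inner_out:                # leaving blk: continue outside
                for o in outer_out:
                    add(i, o, o[4])
    return edges


def receivers(edges, start, signal, via=None):
    """Processes that may receive `signal` output by `start`; `via` restricts
    the first hop to the named paths, like the SDL VIA clause."""
    seen, todo, found = {start}, deque([start]), set()
    while todo:
        u = todo.popleft()
        for v, sigs in edges.get(u, []):
            if signal not in sigs or v in seen:
                continue
            if u == start and via is not None and v[1] not in via:
                continue
            seen.add(v)
            if isinstance(v, str):             # a process consumes the signal
                found.add(v)
            else:
                todo.append(v)
    return found


if __name__ == "__main__":
    g = build_graph(LANES, CONNECTS, PROCESSES)
    print(sorted(receivers(g, "B1/P1", "sig1")))
    print(sorted(receivers(g, "B1/P1", "sig1", via={"sr3"})))
```

With implicit addressing the output of sig1 from P1 in B1 has four potential receivers (P2 in B1 over sr3, P1 in B22 over k1 and k22, and P1 and P2 in B21 over k2 and k21), so the generated model has to account for that choice; restricting the output with VIA sr3 leaves only P2 in B1.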
Communication (diagram)
Process graph fragments illustrating signal reception ("sprejem signala": sig1, sig2, sig3 in states s1, s2), priority signal reception ("prioritetni sprejem signala": prio1, prio2), the save construct ("konstrukt shrani") and a continuous signal with conditional reception ("trajni signal in pogojni sprejem": condition "pogoj" with a > 5, a < 5, a = 0; assignments a := 0, a := 1, a := 7; timer caso with set(NOW+5, caso)), followed by the signal sequences of the examples.
Scientific Contributions (2)
1. Algorithm for the definition of the associated channel.
2. Modelling of addressing with the use of the PID or the name of the process.
3. Modelling of implicit addressing based on the definition of signal routes and channels.
4. Modelling of path limitations.
5. Mechanism for dynamic input queue supervision.
6. Modelling of the priority input.
7. Modelling of the implicit transition.
8. Modelling of the spontaneous transition.
9. Modelling of the conditional transition.
10. Modelling of timers with parameters.
11. Modelling of the continuous signal.
12. Modelling of the asterisk (*) input.
Introduction of Probes to the Model
Expansion of the model with probes enables detection of:
• invalid end states – all valid end states are explicitly selected by the expert,
• violations of the SDL semantic rules:
  – maximum number of allowed process instances,
  – irregular use of the decision construct,
  – violation of the variable's range of values,
  – use of an "undefined" variable,
• potentially erroneous executions:
  – implicit signal reception,
  – explicitly marked unwanted execution paths,
• cyclic executions,
• temporal properties of the model, expressed in LTL (Linear Temporal Logic).
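A miniature of the generation step with probes, added here as an illustration and not the sdl2pml tool's code: a process given as a subset of the 12-tuple from the Process Definition slide is turned into a Promela proctype, and the generator inserts those probes from the list above that Promela can express directly (an `end` label for each valid end state selected by the expert, an assertion on the variable's range of values after each assignment, an assertion on the maximum number of instances at process creation, and a flag that records implicit signal reception). The Promela layout, the names `check_process` and `to_promela`, and the sample process are this example's own assumptions.

```python
"""Toy sdl2pml-style generator, added here as an illustration only.

A process is given as a subset of the 12-tuple from the Process Definition
slide and turned into a Promela proctype with probes inserted.  The emitted
Promela layout is this example's own assumption, not the sdl2pml tool's.
"""
from dataclasses import dataclass, field


@dataclass
class Var:
    name: str
    lo: int          # range of values that the range probe checks
    hi: int
    default: int

@dataclass
class Transition:
    state: str
    signal: str
    next_state: str
    assign: dict = field(default_factory=dict)      # variable -> new value

@dataclass
class Process:
    sdlname: str
    pmlname: str
    sigset: list
    states: list
    start_state: str
    transitions: list
    variables: list
    start: int = 1                                  # instances at system start
    max: int = 1                                    # instance limit (probe)
    valid_end: list = field(default_factory=list)   # selected by the expert


def check_process(p):
    """Static checks on the tuple before generation; returns the findings."""
    problems = []
    for t in p.transitions:
        if t.signal not in p.sigset:
            problems.append(f"{t.state}: input {t.signal} is not in sigset")
        for s in (t.state, t.next_state):
            if s not in p.states:
                problems.append(f"transition on {t.signal}: unknown state {s}")
        for name, val in t.assign.items():
            v = next((v for v in p.variables if v.name == name), None)
            if v is None:
                problems.append(f"{t.state}/{t.signal}: undefined variable {name}")
            elif not v.lo <= val <= v.hi:
                problems.append(f"{t.state}/{t.signal}: {name} := {val} "
                                f"leaves [{v.lo}, {v.hi}]")
    for v in p.variables:
        if not v.lo <= v.default <= v.hi:
            problems.append(f"{v.name}: default {v.default} outside [{v.lo}, {v.hi}]")
    if p.start > p.max:
        problems.append(f"start ({p.start}) exceeds max ({p.max})")
    problems += [f"valid end state {s} is not a state" for s in p.valid_end
                 if s not in p.states]
    return problems


def to_promela(p):
    """Emit the model; every inserted probe carries a /* probe: ... */ comment."""
    n, q = p.pmlname, f"{p.pmlname}_q"
    out = [f"mtype = {{ {', '.join(p.sigset)} }};",
           f"chan {q} = [4] of {{ mtype }};",
           f"byte {n}_instances = 0;",
           "bit probe_implicit_rx = 0;   /* probe: implicit signal reception */",
           f"proctype {n}() {{   /* SDL process {p.sdlname} */"]
    out += [f"  int {v.name} = {v.default};" for v in p.variables]
    out.append(f"  goto {p.start_state};")
    for s in p.states:
        if s in p.valid_end:     # Spin treats labels prefixed 'end' as valid end states
            out.append(f"end_{s}:   /* probe: valid end state */")
        out += [f"{s}:", "  do"]
        handled = [t for t in p.transitions if t.state == s]
        for t in handled:
            out.append(f"  :: {q}?{t.signal} ->")
            for name, val in t.assign.items():
                v = next(v for v in p.variables if v.name == name)
                out.append(f"       {name} = {val};")
                out.append(f"       assert({name} >= {v.lo} && {name} <= {v.hi});"
                           "   /* probe: range of values */")
            out.append(f"       goto {t.next_state};")
        for sig in p.sigset:     # SDL discards a signal that has no transition here
            if sig not in {t.signal for t in handled}:
                out.append(f"  :: {q}?{sig} -> probe_implicit_rx = 1;"
                           "   /* probe: implicit reception */")
        out.append("  od;")
    out += ["}", "init {", "  byte i = 0;", "  do",
            f"  :: i < {p.start} -> {n}_instances++;",
            f"       assert({n}_instances <= {p.max});   /* probe: instance limit */",
            f"       run {n}(); i++",
            "  :: else -> break", "  od;",
            "  do   /* environment: inject any signal, or stop */"]
    out += [f"  :: {q}!{sig}" for sig in p.sigset]
    out += ["  :: break", "  od", "}"]
    return "\n".join(out)


# Constructed sample: a two-state process with one bounded counter.
SAMPLE = Process(
    sdlname="P1", pmlname="P1", sigset=["sig1", "sig2"],
    states=["idle", "busy"], start_state="idle",
    transitions=[Transition("idle", "sig1", "busy", {"a": 7}),
                 Transition("busy", "sig2", "idle", {"a": 0})],
    variables=[Var("a", 0, 7, 0)], start=1, max=1, valid_end=["idle"])

if __name__ == "__main__":
    print("\n".join(check_process(SAMPLE)) or "no problems found")
    print(to_promela(SAMPLE))
```

Running the emitted text through `spin -a`, compiling the verifier (`gcc -o pan pan.c`) and executing `./pan` reports assertion violations and invalid end states; only the state `busy`, which carries no `end` label, can produce an invalid-end-state report. The implicit-reception flag is deliberately recorded rather than asserted, so the search for implicit receptions can be switched on with a claim of the same shape as the temporal property used later in the talk, `[] !probe_implicit_rx`.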
Case Study – FV of protocol V.76
Laurent Doldi: Validation of Communications Systems with SDL: the Art of SDL Simulation and Reachability Analysis, Wiley 2003
(MSC of the V.76 procedures between DLCa and DLCb:
 connection establishment ("vzpostavitev povezave"): L_EstabReq, SABME, L_EstabInd, L_EstabResp, UA, L_EstabConf;
 presence confirmation ("potrditev prisotnosti"): L_SetparmReq, XIDcmd, L_SetparmInd, L_SetparmResp, XIDresp, L_SetparmConf;
 information frame transfer ("prenos informacijskega okvirja"): L_DataReq, L_DataInd;
 connection release ("prekinitev povezave"): L_ReleaseReq, DISC, UA, L_ReleaseInd)
System V76test (diagram of the SDL system)
Block DLC[ab] (diagram)
Model of the environment (diagram)
Automatic Generation of Models
SDL system specification without comments: 1304 lines of code.
Model of the system in Promela: from 4627 to 5034 lines.
The results of the research are implemented in more than 100,000 lines of program code in the sdl2pml tool.
We use Spin for the formal verification of the generated models. Spin received the ACM Software System Award (the 2001 award, presented in 2002); its implementation consists of about 50,000 lines of program code.
Formal Verification of the Model
Search for invalid end states:
1. Selection of valid end states in every process.
2. Formal verification with Spin.
(MSC of the reported counter-example: the environment processes SUa and SUb both issue L_EstabReq; DLCa and DLCb exchange a long series of SABME frames through the datalink and dispatch processes, and the trace ends with both DLC processes in DLCstopped.)
Corrections of the Specification
(MSC after the correction; legend: save ("shrani"), discard ("zavrzi"), the process blocks ("proces se blokira"). SUa and SUb both issue L_EstabReq, SABME frames cross between DLCa and DLCb, and after DLCstopped the environment receives L_ReleaseInd.)
Inclusion of Probes
• No more semantic violations of SDL were found in the model of the system.
• The search for implicit signal reception revealed 7 different possible receptions.
• Explicit marking of all "else" transitions revealed a possible execution in which the DM command would be ignored.
(MSC of that execution: XIDcmd/XIDresp with L_SetparmReq/L_SetparmConf on side a and L_SetparmInd/L_SetparmResp on side b, then L_EstabReq, SABME and L_EstabInd; SUb answers with L_ReleaseReq, and the resulting DM reaches DLCa in state (0,T).)
Temporal properties
[]!(environment__SUa__V_Data.val == 86)
The claim states that the data variable of SUa never takes the value 86; the counter-example trace reported by Spin reaches environment__SUa__V_Data.val = 86.
(MSC of the counter-example: XIDcmd/XIDresp with L_SetparmReq/L_SetparmConf and L_SetparmInd/L_SetparmResp, then L_EstabReq, SABME, L_EstabInd/L_EstabResp, UA and L_EstabConf between DLCa (0,T) and DLCb (0,F), ending with environment__SUa__V_Data.val = 86.)
Temporal properties (diagram)
Scientific Contributions (3)
1. Automatic insertion of permanent probes, used for the verification of the semantic correctness of the model with regard to the SDL system specification.
2. Automatic insertion of probes for: valid end states, accepting states, progress states.
3. Automatic insertion of probes for potentially invalid system executions.
4. Automatic insertion of probes for the verification of the temporal properties of the system.
Counter Example (diagram)