Slide 1: Formal Specification and Verification of a Communication Protocol
IWFST 2005
Ho Jung Bang, Sung Deok Cha
Slide 2: System Overview (FM DSLab., KAIST)
The requirements specification of a system air conditioner:
- Natural-language specification with MSC-like diagrams
- About 210 pages long
- Complicated initialization scenario and 14 basic scenarios
- 1-to-many and parallel communication
Slide 3: Approach Overview
Comparison to the existing techniques:
- Informal techniques such as interviews and inspections
- Verification principles:
  - Completeness: explicitly consider all possible inputs in all possible situations
  - Consistency: avoid unexpected situations
- Used model checking techniques to track subtle errors: checked whether the erroneous scenarios are indeed possible
Slide 4: Three Phases
Modeling (4 man-months)
- Techniques used: interviews, inspections
- Errors found in the phase: ambiguity: 3; inconsistency: 2; incorrectness: 12; other errors: 17
Validation (1 man-month)
- Tools used:
  - State/Event Table: to check completeness
  - SDL Simulator: to check that all the behaviors in the specification are also possible in the model
  - SDL Validator: to check basic properties, such as deadlocks and livelocks
- Validation results: infinite loops were found
Verification (5 man-months)
- Tools used:
  - sdl2spin: in-house tool for translating SDL to Promela
  - timeline editor
  - SPIN
- Properties to check:
  - Are all scenarios still possible?
  - Do all processes eventually go to a responsible state?
  - Are there minimal environmental conditions for the scenarios to succeed?
  - Are these errors possible in the model?
Slide 5: Results and Experience
Verification results (facts):
- Number of properties = 102
- Number of verification runs = 204 (2 for each property)
- Number of counter-examples = 136
- Average time elapsed = 46 min.
- Average length of a counter-example = 114,234 steps
Experience (lessons learned):
- We found a number of errors while inspecting the specifications and creating the SDL model.
- Some subtle errors found by the verification resulted from confusion of message IDs, lack of session management, and arrival of messages after timeout.
- In spite of aggressive abstraction, partial verification had to be used for some properties: proving safety properties was impossible using exhaustive verification; instead, bit-state reduction, which is not safe, was used.
- Counter-examples were too long for manual examination: finding the shortest one is a time-consuming task; iterative search by increasing bounds would help.
- Tailoring the environment to guide model checking is useful for disproving safety properties (that is, for finding errors): it greatly reduced the time needed, but it is not helpful for proving safety properties.
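Added example, not from the paper or the authors' sdl2spin output: a small Promela sketch, in the SDL-to-Promela-to-SPIN setting of slide 4, of two of the error classes named above, lack of session management and arrival of messages after timeout. The process names, the SESSION_CHECK macro and the three-session bound are assumptions; `spin -a model.pml && gcc -o pan pan.c && ./pan` reports the assertion violation, and adding `-DSESSION_CHECK` to the spin command builds the variant that discards stale replies.

```promela
/* Constructed example (not from the paper): a controller polls a unit with
 * REQ and waits for REPLY. The timer is abstracted as a nondeterministic
 * "give up" choice, the usual SPIN idiom. Replies carry the session number
 * so the assertion catches a reply from an earlier, timed-out session being
 * accepted as the answer to the current one (no session management). */
mtype = { REQ, REPLY };

#define SESSIONS 3
chan to_unit = [SESSIONS] of { mtype, byte };  /* (message, session id) */
chan to_ctrl = [SESSIONS] of { mtype, byte };

active proctype Controller() {
  byte s = 0;   /* current session id */
  byte r;       /* session id carried by a received reply */
  do
  :: s < SESSIONS ->
       s++;
       to_unit ! REQ, s;
       do
       :: to_ctrl ? REPLY, r ->
            if
            :: r == s -> break             /* answer for this session */
#ifdef SESSION_CHECK
            :: else -> skip                /* stale reply: discard, keep waiting */
#else
            :: else -> assert(r == s)      /* original protocol would accept it */
#endif
            fi
       :: skip -> break                    /* timer expired: abandon the session */
       od
  :: else -> break
  od
}

active proctype Unit() {
  byte s;
end:
  do
  :: to_unit ? REQ, s -> to_ctrl ! REPLY, s   /* may run after the timeout */
  od
}
```

The trail pan leaves behind replays with `spin -t -p model.pml`, which is the counter-example inspection slide 5 describes.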