Presentation is loading. Please wait.

Presentation is loading. Please wait.

Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University

Published byJulie Sparks Modified over 8 years ago

Similar presentations

Presentation on theme: "Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University"— Presentation transcript:

1 Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University [shumsky,henschen]@ece.nwu.edu

2 Introduction Formal verification is widely used in hardware verification Errors found late in the production cycle are more expensive to correct in hardware than in software In safety-critical software systems correctness requirements warrant formal verification Emphasis on design processes that already employ formal methods

3 Specification and Description Language SDL A formal description technique standardized in 1988 by International Telecommunication Union Intended for description of communication protocols Used on a variety of distributed, concurrent, communicating, asynchronous systems Many support tools exists, but no framework for theorem-proving based verification Main building blocks are processes represented by extended finite-state machines and delaying and instantaneous communication links

4 Example of Modeling with SDL: a simple communication protocol A sender and a receiver communicate Buffer size is 1: each message must be acknowledged before next is sent If acknowledgement does not arrive in a reasonable time, message is resent The communication network may lose but not corrupt messages

5 Protocol Modeling in SDL: Part 1

6 Protocol Modeling in SDL: Part 2

7 Simulator vs. Specification Verification We are building a verified simulator for SDL specifications – one-time effort Design engineers can use the simulator to verify SDL specifications – multiple verification efforts on multiple designs ACL2 used in both cases

8 SDL Specifications Simulator Architecture Activator Translator Process Simulator & Utilities SDL Specifications Specifications in Lisp-Based Format System Instance System Simulation Formally correct valid instance, valid specification pair equivalent specifications correct instance simulation Correct simulation of original specification

9 Process Translation Superficial, stores entities as lists Receiver process translated: (receiver (1. 1) (ackid frameid) (start (() (task ackid -1) (label 1) (output ack (ackid) () ()) (nextstate waiting))) (waiting ((frameid (frameid)) (decision ((= frameid (+ ackid 1)) (task ackid (+ ackid 1)) (join 1)) ((<> frameid (+ ack 1)) (join 1))))))

10 Communication Network Translation Paths consisting of several links are collapsed into multi-component single entities Instantaneous paths: (source destination route-name) Delaying paths: (source destination (member routes) queue) Network from example: (sender receiver (out1 link in2) nil) (receiver sender (out2 link in1) nil)

11 Translator Correctness Defined an inverse function untranslate, and prove that no information is lost w.r.t. to a specialized equivalence relation (equal* (untranslate (translate S)) S) Trivial for process translation Tricky for network translation

12 Activator SDL differentiates between process definition and process instance Defined process activation mechanism Receiver process instance (1 receiverprocess start ((ackid. nil) (frameid. nil) (self. 1) (sender. nil) (parent. 0) (offspring. nil) ((start …)) nil) Correctness property: defined a recognizer for valid instances of a system (defthm activate-makes-instance (implies (wf-type S) (wf-instance (activate S) S)))

13 Process Simulator Receiver Process Simulation Simulator functions defined for: signal input and output, assignment, updating state, decision, process creation, procedure call, timer operations, stop, and goto Correctness: simulating each action preserves wf-instance property actionstateMemoryqueue After instantiationstart(ackid. nil) (frameid. nil) (sender. nil)nil After initializationwaiting(ackid. -1) (frameid. nil) (sender. nil)nil Signal arrives in queuewaiting(ackid. -1) (frameid. nil) (sender. nil)Frame(0) Signal consumedwaiting(ackid. -1) (frameid. 0) (sender. 2)nil Transition completedwaiting(ackid. 0) (frameid. 0) (sender. 2)nil

14 Concurrency Simulation An oracle indicates to the top-level simulator function the id of the next instance to simulate How fine-grained should a simulation be? –Transitions are considered atomic: the simulation might miss some possible real-life process interleaving scenarios –Actions are considered atomic: some actions, such as procedure calls, are more time consuming than simple actions, such as goto and nextstate We are implementing mechanisms to handle both cases, so that appropriate process interleaving can be selected for each application

15 Network Handling A signal traveling through an instantaneous path is immediately delivered to the destination An oracle is supplied to delaying paths to determine whether the path forwards the signal If there is an inconsistency in the address of the signal, a warning is generated, and the signal is discarded

16 SDL Specifications Verification Once the simulator is proved correct, we can prove properties of specifications w.r.t. the simulator Our protocol is correct if sender and receiver agree on the id of the last successfully transmitted frame (defthm sender-receiver-agree-1 (<= (variable-value 'ackid (instance 'receiver (simulate S O))) (variable-value 'frameid (instance 'sender (simulate S O))))) (defthm sender-receiver-agree-2 (let ((v1 (variable-value 'ackid (instance 'receiver (simulate S O)))) (v2 (variable-value 'frameid (instance 'sender (simulate S O))))) (implies (< v1 v2) (= (+ 1 v1) v2)))) Defined access functions to extract variables and instances

17 Testing of implementations Simulator can be used for testing: implemented units are substituted in place of simulations

18 Related Work Other approaches to verification of SDL specifications are based on model checkers. A couple of examples –IF system from Verimag converts SDL to PROMELA and uses SPIN model checker –A proprietary verification system at Siemens relies on a BDD-based symbolic checker

19 Summary We are developing a simulator for SDL specifications We are using ACL2 for the development and verification of the simulator The goal is to provide a framework for verification of SDL specifications using a theorem prover The simulator also helps in testing of implementations: acts as a test driver and helps compute expected results for test cases

Download ppt "Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University"

Similar presentations

Fakultät für informatik informatik 12 technische universität dortmund SDL Peter Marwedel TU Dortmund, Informatik 12 Graphics: © Alexandra Nolte, Gesine.

Fakultät für informatik informatik 12 technische universität dortmund SDL Peter Marwedel TU Dortmund, Informatik 12 Graphics: © Alexandra Nolte, Gesine.
INTERVAL Next Previous 13/02/2014 1 Timed extensions to SDL Analysis requirements –Assumptions on moments and duration Semantics with controllable time.

INTERVAL Next Previous 13/02/ Timed extensions to SDL Analysis requirements –Assumptions on moments and duration Semantics with controllable time.
System and Software Engineering Research 1 Motorola 2003 Integrated Application of MSC Clive Jervis Rapporteur Q15 Motorola UK Research Labs.

System and Software Engineering Research 1 Motorola 2003 Integrated Application of MSC Clive Jervis Rapporteur Q15 Motorola UK Research Labs.
Switching Techniques In large networks there might be multiple paths linking sender and receiver. Information may be switched as it travels through various.

Switching Techniques In large networks there might be multiple paths linking sender and receiver. Information may be switched as it travels through various.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.

DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.
NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
CECS 474 Computer Network Interoperability Notes for Douglas E. Comer, Computer Networks and Internets (5 th Edition) Tracy Bradley Maples, Ph.D. Computer.

CECS 474 Computer Network Interoperability Notes for Douglas E. Comer, Computer Networks and Internets (5 th Edition) Tracy Bradley Maples, Ph.D. Computer.
Answers of Exercise 7 1. Explain what are the connection-oriented communication and the connectionless communication. Give some examples for each of the.

Answers of Exercise 7 1. Explain what are the connection-oriented communication and the connectionless communication. Give some examples for each of the.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
Protocols. Basics Defining Interactions VERTICAL Application Presentation Session Transport Network Data Link Physical Please do this for me OK It’s.

Protocols. Basics Defining Interactions VERTICAL Application Presentation Session Transport Network Data Link Physical Please do this for me OK It’s.
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.

Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.
20101 The Data Link Layer Chapter 3. 20102 Design Issues Controls communication between 2 machines directly connected by “wire”-like link Services Provided.

20101 The Data Link Layer Chapter Design Issues Controls communication between 2 machines directly connected by “wire”-like link Services Provided.
TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,

TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,
Timing analysis of an SDL subset in UPPAAL Anders Hessel Institution of Information Technology Department of Computer Systems Uppsala University M.Sc.

Timing analysis of an SDL subset in UPPAAL Anders Hessel Institution of Information Technology Department of Computer Systems Uppsala University M.Sc.
Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.

Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.
SEPT, 2005CSI 41181 Part 2.2 Protocols and Protocol Layering Robert Probert, SITE, University of Ottawa.

SEPT, 2005CSI Part 2.2 Protocols and Protocol Layering Robert Probert, SITE, University of Ottawa.
Network Hardware for Expanding Network. Expanding Networks When do we need expansion:  Network cable is full of data movements  Printing tasks needs.

Network Hardware for Expanding Network. Expanding Networks When do we need expansion:  Network cable is full of data movements  Printing tasks needs.
SERIAL BUS COMMUNICATION PROTOCOLS

SERIAL BUS COMMUNICATION PROTOCOLS

Similar presentations

Ads by Google