Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University [shumsky,henschen]@ece.nwu.edu.
Download ReportTranscript Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University [shumsky,henschen]@ece.nwu.edu.
Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen
Northwestern University [shumsky,henschen]@ece.nwu.edu
Introduction
• Formal verification is widely used in hardware verification • Errors found late in the production cycle are more expensive to correct in hardware than in software • In safety-critical software systems correctness requirements warrant formal verification • Emphasis on design processes that already employ formal methods
Specification and Description Language SDL
• A formal description technique standardized in 1988 by International Telecommunication Union • Intended for description of communication protocols • Used on a variety of distributed, concurrent, communicating, asynchronous systems • Many support tools exists, but no framework for theorem-proving based verification • Main building blocks are processes represented by extended finite-state machines and delaying and instantaneous communication links
Example of Modeling with SDL: a simple communication protocol
• A sender and a receiver communicate • Buffer size is 1: each message must be acknowledged before next is sent • If acknowledgement does not arrive in a reasonable time, message is resent • The communication network may lose but not corrupt messages
Protocol Modeling in SDL: Part 1
system Protocol Sender link [Frame, Ack] Receiver block Sender SenderProcess link out1[Frame] in1[Ack] link block Receiver out2[Ack] ReceiverProcess link in2[Frame] link
Protocol Modeling in SDL: Part 2
process SenderProcess process ReceiverProcess Start dcl AckId,FrameId Integer; timer Timer; Start dcl AckId,FrameId Integer; FrameId = 0 AckId = -1 Frame(FrameId) Ack(AckId) set(timer) waiting sending Frame (FrameId) Ack(Ackid) timer AckId=FrameId (true) FrameId = FrameId + 1 (false) FrameId = AckId + 1 AckId+1=FrameId (true) (false) AckId =AckId + 1
Simulator vs. Specification Verification
• We are building a verified simulator for SDL specifications – one-time effort • Design engineers can use the simulator to verify SDL specifications – multiple verification efforts on multiple designs • ACL2 used in both cases
SDL Specifications Simulator Architecture
Formally correct Translator SDL Specifications equivalent specifications Activator Specifications in Lisp-Based Format valid instance, valid specification pair Correct simulation of original specification System Instance Process Simulator & Utilities correct instance simulation System Simulation
Process Translation
• Superficial, stores entities as lists • Receiver process translated:
(receiver (1 . 1) (ackid frameid) (start (() (task ackid -1) (label 1) (output ack (ackid) () ()) (nextstate waiting))) (waiting ((frameid (frameid)) (decision ((= frameid (+ ackid 1)) (task ackid (+ ackid 1)) (join 1)) ((<> frameid (+ ack 1)) (join 1))))))
Communication Network Translation
• Paths consisting of several links are collapsed into multi-component single entities • Instantaneous paths:
(source destination route-name)
• Delaying paths:
(source destination (member routes) queue)
• Network from example:
(sender receiver (out1 link in2) nil) (receiver sender (out2 link in1) nil)
Translator Correctness
• Defined an inverse function untranslate, and prove that no information is lost w.r.t. to a specialized equivalence relation
(equal* (untranslate (translate S)) S)
• Trivial for process translation • Tricky for network translation
protocol
in1
sender
out1 link in2
receiver
out2
SenderProcess
(out1 link in2) (out2 link in1)
ReceiverProcess SenderProcess ReceiverProcess
Activator
• SDL differentiates between process definition and process instance • Defined process activation mechanism • Receiver process instance
(1 receiverprocess start ((ackid . nil) (frameid . nil) (self . 1) (sender . nil) (parent . 0) (offspring . nil) ((start …)) nil)
• Correctness property: defined a recognizer for valid instances of a system
(defthm activate-makes-instance (implies (wf-type S) (wf-instance (activate S) S)))
Process Simulator
• Receiver Process Simulation action After instantiation state start Memory (ackid . nil) (frameid . nil) (sender . nil) queue nil After initialization Transition completed waiting Signal arrives in queue waiting Signal consumed waiting waiting (ackid . -1) (frameid . nil) (sender . nil) (ackid . -1) (frameid . nil) (sender . nil) (ackid . -1) (frameid . 0) (sender . 2) (ackid . 0) (frameid . 0) (sender . 2) nil Frame(0) nil nil • Simulator functions defined for: signal input and output, assignment, updating state, decision, process creation, procedure call, timer operations, stop, and goto • Correctness: simulating each action preserves
wf-instance
property
Concurrency Simulation
• An oracle indicates to the top-level simulator function the id of the next instance to simulate • How fine-grained should a simulation be?
– Transitions are considered atomic: the simulation might miss some possible real-life process interleaving scenarios – Actions are considered atomic: such as goto and nextstate some actions, such as procedure calls, are more time consuming than simple actions, • We are implementing mechanisms to handle both cases, so that appropriate process interleaving can be selected for each application
Network Handling
• A signal traveling through an instantaneous path is immediately delivered to the destination • An oracle is supplied to delaying paths to determine whether the path forwards the signal • If there is an inconsistency in the address of the signal, a warning is generated, and the signal is discarded
SDL Specifications Verification
• Once the simulator is proved correct, we can prove properties of specifications w.r.t. the simulator • Our protocol is correct if sender and receiver agree on the id of the last successfully transmitted frame
(defthm sender-receiver-agree-1 (<= (variable-value 'ackid (instance 'receiver (simulate S O))) (variable-value 'frameid (instance 'sender (simulate S O))))) (defthm sender-receiver-agree-2 (let ((v1 (variable-value 'ackid (instance 'receiver (simulate S O)))) (v2 (variable-value 'frameid (instance 'sender (simulate S O))))) (implies (< v1 v2) (= (+ 1 v1) v2))))
• Defined access functions to extract variables and instances
Testing of implementations
• Simulator can be used for testing: implemented units are substituted in place of simulations
system Protocol Sender link [Frame, Ack] Receiver block Sender SenderProcess link out1[Frame] in1[Ack] link block Receiver out2[Ack] ReceiverProcess link in2[Frame] link
Related Work
• Other approaches to verification of SDL specifications are based on model checkers. A couple of examples – IF system from Verimag converts SDL to PROMELA and uses SPIN model checker – A proprietary verification system at Siemens relies on a BDD-based symbolic checker
Summary
• We are developing a simulator for SDL specifications • We are using ACL2 for the development and verification of the simulator • The goal is to provide a framework for verification of SDL specifications using a theorem prover • The simulator also helps in testing of implementations: acts as a test driver and helps compute expected results for test cases