Basic Protocols, Message Sequence Charts, and the Verification of Requirements Specifications
A. Letichevsky, J. Kapitonova, A. Letichevsky Jr., V. Volkov
Glushkov Institute of Cybernetics, National Academy of Science, Kiev, Ukraine
ISS Ltd
S. Baranov, V. Kotlyarov, Motorola, St. Petersburg, Russia
T. Weigert, Motorola, Schaumburg, Illinois, United States
WITUL04
2 Nov 2004
WITUL
VerdictMSC
Using formal methods in requirement capturing

(Workflow diagram)
START -> Informal requirements related to behavior
-> Formalization (manual) -> Formal models: Basic Protocols, Scenarios (MSC, UML) -> Formal Specs
-> Review / Generating traces (automated): Proving annotations, Checking consistency, Testing scenarios (MSC)
-> Verified requirements
Requirement Specification Languages

Logics:
* Temporal Logic: linear/branching, propositional/predicate
* mu-calculus: propositional/predicate

Dynamics:
* Process Algebras: CCS, CSP, pi-calculus, ...
* Automata: Büchi, Muller, ...
* ASM
* Basic protocols / Annotated scenarios: Extended MSC, SDL, UML
* Agents and Environments (insertion programming)
Basic Protocols

Two requirements from real specifications (identifiers as in the source documents):

SYRaSRMenu 430: Upon determining that the setup greeting prompt has been completed, and if a Voice Recognition Session is active and the menu level is "Main Phone Setup", then the system shall request the audio input channel and shall allow the user the session silence timeout time to speak a voice command.

SYRaCSTATE 701: While in the no phone call state and upon detecting that the Selected Device is set to a valid device and the Selected Device's call status indicates a call in progress, the system shall assume it is in cip.

A basic protocol has the form
$\forall x\,\big(u(x, r) \to \langle P(x) \rangle\, v(x, r)\big)$
where $u$ is the precondition, $P$ the process, $v$ the postcondition, $x$ the parameters and $r$ the attributes.
Two basic protocols with MSC diagrams (instances MS m, ACG a, DAP d)

Protocol 1
  precondition:  DAP(d, paging m) & ACG(a, serving d) & (MS m.serving_acg = a) & valid m & not_empty(DAP d.page_list)
  postcondition: (DAP d.paging_ms := head(DAP d.page_list)) & (DAP d.page_list := tail(DAP d.page_list)) & MS(m, respond a) & DAP(d, paging(DAP d.paging_ms))

Protocol 2
  precondition:  MS(m, respond a) & ACG(a, serving d)
  postcondition: (DAP d.group_list := (m, DAP d.group_list)) & MS(m, idle)
What is new?

Not Hoare-like triples, but:
* a special language of pre- and postconditions based on the model of interaction of agents and environments
* the algebra of basic protocols
* applications to real-life projects

Using MSC is not essential; it could be UCM, wave diagrams, etc. What matters is the interpretation as behaviors of transition systems.
The logic language is based on interaction of Agents and Environments

(Diagram: agents 1 ... n are inserted into an environment, which is itself an agent inserted into an outer environment; the insertion function defines the result of inserting an agent into an environment.)
Agents

Agents are labeled or attributed transition systems (states are labeled by attribute values) with terminal and divergent states, considered up to bisimilarity.

(Diagram: states s, s' with transitions labeled a and b, a terminal state term ($\Delta$) and a divergent state div.) The pictured behavior is
$a.0 + a.b.(a.0 + a.\Delta + \Delta)$

Behaviors

Continuous complete behavior algebra $F(A)$ over action algebra $A$ (vs. final coalgebra). Signature:
$0,\ \Delta,\ \bot,\qquad a.u,\qquad u + v,\qquad \sum_{i \in I} a_i . u_i$
Recursive definitions can be used to extend the signature:
$u_i = F_i(u_1, u_2, \ldots)$
$F_{\mathrm{fin}}(A) \subseteq F(A)$; $F(A)$ is the completion of the algebra $F_{\mathrm{fin}}(A)$ of finite behaviors.
Attribute labels of states: $(x_1 : z_1, \ldots, x_n : z_n)$
Environments

An environment is an agent $E$ over an action set $C$ with a continuous insertion function
$\mathrm{Ins}: E \times F(A) \to E,\qquad \mathrm{Ins}(e, u) = e[u]$
$[u]: E \to E,\qquad [u](e) = e[u]$
Insertion equivalence of agents: $u \sim_E v \iff \forall e \in E\ \big(e[u] \sim e[v]\big)$
Multilevel environments: $e[\,e_1[u_1],\ e_2[u_2],\ \ldots\,]$
Two basic protocols for telephone system

call setup initial (instances Phone n, Network)
  precondition:  phone(n, idle)
  process:       offhook n; dialtone n
  postcondition: phone(n, dial)

call setup dialing 1 (instances Phone m, Network, Phone n)
  precondition:  phone(m, dial)
  process:       dial(m, n)
  postcondition: phone(m, dial n)
Two more protocols

call setup dialing 2 (instances Phone m, Network, Phone n)
  precondition:  phone(m, dial n) & valid n
  process:       ring (to m); ring (to n)
  postcondition: phone(m, ringing n) & phone(n, ringing)

call setup failure 2 (instances Phone m, Network, Phone n)
  precondition:  phone(m, dial n) & ~(valid n)
  process:       busy
  postcondition: phone(m, busy)
Annotated scenario (instances Phone m, Network, Phone n)

  initial condition: phone(m, idle)
  offhook
  dialtone
  dial(m, n)
  alt
    when valid n                  (guarded condition)
      ring; ring
      anno phone(m, ringing n)    (annotation: postcondition)
    when ~(valid n)               (guarded condition)
      busy
      anno phone(m, busy)         (annotation: postcondition)
Environment description for telephone example

environment(
  attributes: obj(Nil);
  parameters: obj(Nil);
  agent_types: obj( phone: obj( valid: symb, cw: symb, twc: symb, connector: bool, onhook: int, number: int ) );
  axioms: Nil;
  reductions: (x)( equ_zero(0) = 1, equ_zero(x) = 0 );
  instances: …
  agents: …
  initial: …
);

instances: (Phone 1, Phone 2, Phone 3, Phone 4, Network);
agents: obj( p1: phone, p2: phone, p3: phone, p4: phone );
initial: env(
  obj(
    attributes: obj(Nil);
    agent_attributes: obj(
      p1: obj(valid:1, cw:0, twc:0, connector:0, onhook:0, number:1),
      p2: obj(valid:1, cw:0, twc:0, connector:0, onhook:0, number:2),
      p3: obj(valid:1, cw:0, twc:0, connector:0, onhook:0, number:3),
      p4: obj(valid:1, cw:0, twc:0, connector:0, onhook:0, number:4)
    );
    numeric_restrictions: 1;
    logic_restrictions: Nil
  ),
  state( phone(p1, idle), phone(p2, idle), phone(p3, idle), phone(p4, idle) )
)
System defined by basic protocols

Let $B$ be a set of basic protocols, each of the form $b = \forall x\,(\mathrm{pre}_b \to \langle P_b \rangle\, \mathrm{post}_b)$. The behavior of the system in a state with property $\alpha$ is
$S(\alpha) = \sum_{b \in B(\alpha)} S(\alpha, b),\qquad B(\alpha) = \{\, b \in B \mid \mathrm{pre}_b \text{ holds in } \alpha \,\}$
$S(\alpha, b) = P_b \,;\, S\big(\mathrm{Tr}(\alpha, \mathrm{post}_b)\big)$
Environment transition: $\alpha \xrightarrow{\;P_b\;} \mathrm{Tr}(\alpha, \mathrm{post}_b)$
where $P_b$ is the process of protocol $b$, $\alpha$ is a formula of the base language, $\mathrm{Tr}$ is the predicate transformer, and $;$ is a partially sequential composition of processes. For MSC diagrams it is a weak sequential composition.
Partially sequential composition

For $u = \sum_{i \in I} a_i . u_i$ and $v = \sum_{j \in J} b_j . v_j$:
$u \,;\, v = \sum_{i \in I} a_i . (u_i \,;\, v) \;+ \sum_{j \in J,\ b_j \text{ permutable with } u} b_j . (u \,;\, v_j),\qquad \Delta \,;\, v = v$

The composition is parameterized by a permutability relation on actions: if $a$ and $b$ are permutable then $a.b.u = b.a.u$ (they commute); actions that are not permutable do not commute. An action $b$ is permutable with a behavior $u$ when it is permutable with every action of $u$. With the empty relation this is ordinary sequential composition; for MSC, actions of different instances are permutable, which yields weak sequential composition.
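The composition defined above, worked out as an added example that is not part of the original deck: finite behaviors are represented as sets of traces, actions as (instance, label) pairs, and the MSC permutability relation (actions of different instances commute) is the example's own choice; the two "call setup initial" traces are constructed input.

```python
# Constructed illustration of partially sequential composition on finite
# behaviours (not VRS code).  A behaviour is a frozenset of traces, a trace a
# tuple of actions, an action a pair (instance, label) such as ("m", "offhook").

def compose(u, v, perm):
    """u ; v following the deck's definition:
       u;v = sum_i a_i.(u_i ; v) + sum_{b_j permutable with u} b_j.(u ; v_j)
    with Delta ; v = v, the empty trace playing the role of Delta."""
    result = set()
    if () in u:                                   # Delta ; v = v
        result |= v
    first_u = {t[0] for t in u if t}
    for a in first_u:                             # a_i . (u_i ; v)
        u_a = frozenset(t[1:] for t in u if t and t[0] == a)
        result |= {(a,) + r for r in compose(u_a, v, perm)}
    actions_u = {a for t in u for a in t}
    first_v = {t[0] for t in v if t}
    for b in first_v:                             # b_j . (u ; v_j), b_j permutable with u
        if actions_u and all(perm(b, a) for a in actions_u):
            v_b = frozenset(t[1:] for t in v if t and t[0] == b)
            result |= {(b,) + r for r in compose(u, v_b, perm)}
    return frozenset(result)

def weak_seq(u, v):
    """MSC weak sequencing: actions on different instances are permutable."""
    return compose(u, v, lambda a, b: a[0] != b[0])

def strong_seq(u, v):
    """Ordinary sequential composition: nothing is permutable."""
    return compose(u, v, lambda a, b: False)

def trace(*events):
    return frozenset({tuple(events)})

# Constructed input: the "call setup initial" MSC for phone m, followed by the
# same MSC for phone n.  The Network instance is shared, so n's offhook may
# overtake m's events but the Network's second dialtone cannot.
SETUP_M = trace(("m", "offhook"), ("Network", "dialtone"))
SETUP_N = trace(("n", "offhook"), ("Network", "dialtone"))

def example():
    """All traces of SETUP_M ; SETUP_N under weak and under strong sequencing."""
    return sorted(weak_seq(SETUP_M, SETUP_N)), sorted(strong_seq(SETUP_M, SETUP_N))

if __name__ == "__main__":
    weak, strong = example()
    for t in weak:
        print(" ".join(f"{inst}.{label}" for inst, label in t))
    print(len(weak), "weak traces vs", len(strong), "strong trace")
```

Weak sequencing yields three interleavings (n's offhook before, between or after m's two events), strong sequencing only the concatenation; the difference is exactly what makes the trace space of MSC-composed protocols larger than the sequence of the diagrams suggests.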
Predicate transformers

Predicate transformer $\mathrm{Tr}(\alpha, \beta)$: given the state formula $\alpha$ before a protocol and its postcondition $\beta$, compute the formula that holds after.

Example (easy case): let $\beta = (\mathrm{Attr}_{i_1} := \tau_1) \wedge \ldots \wedge (\mathrm{Attr}_{i_k} := \tau_k) \wedge \gamma$. Reduce $\alpha$ to $\alpha_1 \wedge \alpha_2 \wedge \ldots$ and $\beta$ to $\beta_1 \wedge \beta_2 \wedge \ldots$; delete all $\alpha_i$ such that $\alpha_i$ depends on some assigned attribute $\mathrm{Attr}_{i_j}$; the result is the remaining conjuncts of $\alpha$ together with $\beta$, the assignments read as equalities $\mathrm{Attr}_{i_j} = \tau_j$.

Easy case from the paging example:
  postcondition: (DAP d.paging_ms := head(DAP d.page_list)) & (DAP d.page_list := tail(DAP d.page_list)) & MS(m, respond a) & DAP(d, paging(DAP d.paging_ms))

More general case: $\alpha$ before, postcondition $\beta$ arbitrary; what will hold after?
Main verification problems

* Consistency and completeness of basic protocols
* Decomposition of scenarios into basic protocols
* Annotation consistency of scenarios composed from basic protocols (implemented for MSC and SDL)
* Reachability in the system defined by basic protocols

Solved in the verification environment of VRS: integration of modeling and automatic theorem proving.
Inconsistent protocols (feature interaction between 3-way Calling and Call Waiting)

Protocol 3way teardown 2 (instances Phone n, Phone k, Network, Phone m)
  precondition:  phone(k, 3way connect(m&n))
  process:       onhook (from k); dialtone (to m); dialtone (to n)
  postcondition: phone(k, idle) & phone(m, dial) & phone(n, dial)

Protocol cw teardown 1 (instances Phone k, Phone m, Network, Phone n)
  precondition:  phone(k, connected m) & phone(n, cw_wait k)
  process:       onhook (from m); flash; busy
  postcondition: phone(m, idle) & phone(k, connected n) & phone k.cw := 0
Scenario confirming the inconsistency (MSC with instances Phone m, Phone n, Phone k, Network, Phone z)

Message sequence as extracted from the diagram: offhook, dialtone, dial, ring, ring, offhook; offhook, dialtone, dial, ring, ring, offhook; flash, dialtone, dial k, ring, ring, flash; flash.

Intermediate states reached along the scenario:
  phone(z, connected m)
  phone(k, connected n)
  phone(z, dial) & phone(m, 3way wait z)
  phone(k, connected z) & phone(n, cw wait k)

Final annotations:
  anno phone(z, 3way connect(m&k))
  anno phone(k, connected z) & phone(n, cw wait k)
Inconsistent state

Phones k, m, n, z: z is in 3way connect(m&k), k is connected to z, n is in cw_wait k. When z goes onhook, two basic protocols are applicable and their postconditions contradict each other:
  <3way teardown 2>  gives phone(k, dial)
  <cw teardown 1>    gives phone(k, connected n)
  onhook z ???
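As an added example that is not part of the original deck or of VRS, the following Python prototype ties together the system defined by basic protocols, the easy case of the predicate transformer, reachability with trace generation, and the consistency check that catches the 3-way Calling / Call Waiting interaction above. The term encoding of phone states, the `trigger` field used to decide which protocol instances compete, the guard used for `valid n`, the internal step name "route", the invalid number "0" and the term chosen for phone m in the inconsistent state are all assumptions of this example; the protocols themselves are transcribed from the telephone slides.

```python
# Constructed illustration (not the VRS tool): a small checker for basic
# protocols of the telephone example.  A state maps each phone to a term such as
# ("idle",), ("dial", "n"), ("3way connect", "m", "k") or ("cw_wait", "k"); the
# term encoding, the `trigger` field and the "route"/"0" names are our assumptions.
from collections import deque
from itertools import combinations, permutations

PHONES = ("m", "n", "k", "z")
NUMBERS = PHONES + ("0",)      # "0": constructed number that is not a valid phone

class BasicProtocol:
    """forall params ( pre -> <process> post ); `trigger` is the external stimulus."""
    def __init__(self, name, params, trigger, pre, process, post, guard=None):
        self.name, self.params, self.trigger = name, params, trigger
        self.pre, self.process, self.post = pre, process, post
        self.guard = guard or (lambda b: True)   # side conditions such as valid n

def subst(term, b):                  # apply a parameter binding to a term
    return tuple(b.get(x, x) for x in term)

def bindings(p):
    for combo in permutations(NUMBERS, len(p.params)):
        yield dict(zip(p.params, combo))

def applicable(state, p, b):         # precondition: conjunction of phone(var, term)
    return p.guard(b) and all(state.get(b[v]) == subst(t, b) for v, t in p.pre)

def transform(state, p, b):
    """Tr(state, post), easy case: facts about phones assigned in the
    postcondition are replaced, every other fact is kept unchanged."""
    new = dict(state)
    for v, t in p.post:
        new[b[v]] = subst(t, b)
    return new

def enabled(state, protocols):
    return [(p, b) for p in protocols for b in bindings(p) if applicable(state, p, b)]

freeze = lambda state: tuple(sorted(state.items()))

def reachable(initial, protocols):
    """BFS over the system S(alpha); returns {state: (pred, protocol, binding)}."""
    parents, queue = {freeze(initial): None}, deque([initial])
    while queue:
        s = queue.popleft()
        for p, b in enabled(s, protocols):
            t = transform(s, p, b)
            if freeze(t) not in parents:
                parents[freeze(t)] = (freeze(s), p.name, b)
                queue.append(t)
    return parents

def trace_to(parents, target):
    """Protocol firings leading to `target` (empty list if unreachable)."""
    steps, key = [], freeze(target)
    while parents.get(key):
        prev, name, b = parents[key]
        steps.append(f"{name} {b}")
        key = prev
    return steps[::-1]

def find_inconsistencies(state, protocols):
    """Instances fired by the same trigger whose postconditions disagree on a phone."""
    by_trigger = {}
    for p, b in enabled(state, protocols):
        by_trigger.setdefault(subst(p.trigger, b), []).append((p, b))
    conflicts = []
    for trig, insts in by_trigger.items():
        for (p1, b1), (p2, b2) in combinations(insts, 2):
            s1, s2 = transform(state, p1, b1), transform(state, p2, b2)
            diff = tuple(ph for ph in PHONES if s1[ph] != s2[ph])
            if diff:
                conflicts.append((trig, p1.name, p2.name, diff))
    return conflicts

SETUP = [   # transcribed from the "call setup" slides
    BasicProtocol("call setup initial", ("n",), ("offhook", "n"),
                  pre=[("n", ("idle",))], process=["offhook n", "dialtone n"],
                  post=[("n", ("dial",))]),
    BasicProtocol("call setup dialing 1", ("m", "n"), ("dial", "m", "n"),
                  pre=[("m", ("dial",))], process=["dial(m,n)"],
                  post=[("m", ("dial", "n"))]),
    BasicProtocol("call setup dialing 2", ("m", "n"), ("route", "m", "n"),
                  pre=[("m", ("dial", "n"))], process=["ring m", "ring n"],
                  post=[("m", ("ringing", "n")), ("n", ("ringing",))],
                  guard=lambda b: b["n"] in PHONES),            # valid n
    BasicProtocol("call setup failure 2", ("m", "n"), ("route", "m", "n"),
                  pre=[("m", ("dial", "n"))], process=["busy"],
                  post=[("m", ("busy",))], guard=lambda b: b["n"] not in PHONES),
]
TEARDOWN = [   # transcribed from the "inconsistent protocols" slide
    BasicProtocol("3way teardown 2", ("k", "m", "n"), ("onhook", "k"),
                  pre=[("k", ("3way connect", "m", "n"))],
                  process=["onhook k", "dialtone m", "dialtone n"],
                  post=[("k", ("idle",)), ("m", ("dial",)), ("n", ("dial",))]),
    BasicProtocol("cw teardown 1", ("k", "m", "n"), ("onhook", "m"),
                  pre=[("k", ("connected", "m")), ("n", ("cw_wait", "k"))],
                  process=["onhook m", "flash", "busy"],
                  post=[("m", ("idle",)), ("k", ("connected", "n"))]),
]
# The deck's inconsistent state (the term for m itself is a constructed choice).
INCONSISTENT = {"z": ("3way connect", "m", "k"), "m": ("connected", "z"),
                "k": ("connected", "z"), "n": ("cw_wait", "k")}

def setup_example():
    """Trace to the state in which m rings n (a reachability query)."""
    init = {ph: ("idle",) for ph in PHONES}
    parents = reachable(init, SETUP)
    return parents, trace_to(parents, dict(init, m=("ringing", "n"), n=("ringing",)))
```

Running `setup_example()` generates the three-step trace offhook m, dial(m, n), route(m, n), which is the kind of trace the deck's "Generating traces" step produces for a reachability query; `find_inconsistencies(INCONSISTENT, TEARDOWN)` reports a single conflict on trigger onhook z between "3way teardown 2" and "cw teardown 1", with phone k among the disagreeing phones, which is the feature interaction of the slides. Consistency here is checked only per state and per trigger; VRS does this over the reachable state space with a theorem prover rather than by enumeration.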
Piloting VRS

Project             | Reqs & related docs (pages) | MSCs in formalized specs | Coverage of original reqs | Defects found | Generated traces with counter-examples | Effort (staff-weeks) | Estimated COQ/COPQ reduction
Telecommunication 1 |  400 | 127 |  50% | 11   | 0 |  5.5 | 45%
Telematics 1        |  200 |  70 | 100% | 10   | 3 |  5.6 |  -
Telecommunication 2 |  730 | 192 | 100% | 18   | 7 | 20   | 50%
Telecommunication 3 | 1500 |  56 |   -  |  8   | 5 |  5.5 | 40%
Telematics 2        |  323 | 219 |  60% | 38   | 8 |  3   | 45%
Telematics 3        |  116 |  42 | 100% | 3(*) | 1 |  0.7 | 40%

(*) All these problems have been fixed by the development team in the next release of requirements.
What next?

* The next project where VRS will be applied contains about 10 000 requirements.
* A special technology is under development to reduce state and trace spaces.
* Translate more of UML into the logic language.