- Number of slides: 23
WITUL 04
Basic Protocols, Message Sequence Charts, and the Verification of Requirements Specifications
A. Letichevsky, J. Kapitonova, A. Letichevsky Jr., V. Volkov (Glushkov Institute of Cybernetics, National Academy of Science, Kiev, Ukraine; ISS Ltd)
S. Baranov, V. Kotlyarov (Motorola, St. Petersburg, Russia)
T. Weigert (Motorola, Schaumburg, Illinois, United States)
WITUL, 2 Nov 2004
Using formal methods in requirement capturing
(Flow diagram) START: informal requirements related to behavior are formalized, manually, into basic protocols and scenarios (MSC, UML), giving formal models and formal specs. These are reviewed and checked for consistency by proving, with annotations supplying the proof obligations; the result is a verdict and verified requirements. Traces are generated automatically (as MSC) and serve as testing scenarios.
Requirement Specification Languages
- Logics: temporal logic (linear/branching, propositional/predicate); μ-calculus (propositional/predicate)
- Process algebras: CCS, CSP, pi-calculus, …
- Dynamics: agents and environments (insertion programming)
- Automata: Büchi, Muller, …; ASM
- Basic protocols
- Annotated scenarios: extended MSC, SDL, UML
Basic Protocols
Two requirements of the kind a basic protocol formalizes:
- SYRa.SRMenu 430: Upon determining that the setup greeting prompt has been completed and if a Voice Recognition Session is active and menu level is "Main Phone Setup", then the system shall request the audio input channel and shall allow the user session silence timeout time to speak a voice command.
- SYRa.CSTATE 701: While in the no phone call state and upon detecting that the Selected Device is set to a valid device and the Selected Device's call status indicates a call in progress, the system shall assume it is in cip.
Parts of a basic protocol: process, attributes, parameters, precondition, postcondition.
Two basic protocols with MSC diagrams (lifelines: MS m, ACG a, DAP d)
Protocol 1
  precondition: DAP(d, paging m) & ACG(a, serving d) & (MS m.serving_acg = a) & valid m & not_empty(DAP d.page_list)
  postcondition: (DAP d.paging_ms := head(DAP d.page_list)) & (DAP d.page_list := tail(DAP d.page_list)) & MS(m, respond a) & DAP(d, paging(DAP d.paging_ms))
Protocol 2
  precondition: MS(m, respond a) & ACG(a, serving d)
  postcondition: (DAP d.group_list := (m, DAP d.group_list)) & MS(m, idle)
What is new?
Not Hoare-like triples, but:
- a special language of pre- and postconditions based on the model of interaction of agents and environments
- the algebra of basic protocols
- applications to real-life projects
Using MSC is not essential; it can be UCM, wave diagrams, … What matters is the interpretation as behaviors of transition systems.
The logic language is based on interaction of Agents and Environments
(Figure: agent 1, …, agent n are inserted into an environment by the insertion function; that environment is itself drawn inside an outer environment.)
Agents
Labeled or attributed transition systems: a state s is labeled by attribute values (x1: z1, …, xn: zn), a transition s --a--> s' is labeled by a term a. Terminal and divergent states are included; agents are considered up to bisimilarity.
Behaviors
Continuous complete behavior algebra F(A) over an action algebra A (vs. final coalgebra).
(Figure: behavior trees with actions a, b, a divergent state div and the terminal constant Δ.)
Recursive definitions can be used to extend the signature, for example:
  a.0 + a.b.(a.0 + a.Δ + Δ)
Environments
- Agent E over action set C with a continuous insertion function
- Insertion equivalence of agents
- Multilevel environments
Two basic protocols for the telephone system
Protocol "call setup initial" (lifelines: Phone n, Network)
  precondition: phone(n, idle)
  messages: offhook n, dialtone n
  postcondition: phone(n, dial)
Protocol "call setup dialing 1" (lifelines: Phone m, Network, Phone n)
  precondition: phone(m, dial)
  message: dial(m, n)
  postcondition: phone(m, dial n)
Two more protocols
Protocol "call setup dialing 2" (lifelines: Phone m, Network, Phone n)
  precondition: phone(m, dial n) & valid n
  messages: ring (to n), ring (to m)
  postcondition: phone(m, ringing n) & phone(n, ringing)
Protocol "call setup failure 2" (lifelines: Phone m, Network, Phone n)
  precondition: phone(m, dial n) & ~(valid n)
  message: busy (to m)
  postcondition: phone(m, busy)
Annotated scenario (lifelines: Phone m, Network, Phone n)
  initial condition: phone(m, idle)
  offhook, dialtone, dial(m, n)
  alt
    when valid n: ring; anno phone(m, ringing n)
    when ~(valid n): busy; anno phone(m, busy)
Labels on the diagram: guarded conditions (when …), annotations (anno …), postcondition.
Environment description for the telephone example
Fragment 1: environment with the agent type phone
  environment(
    attributes: obj(Nil);
    parameters: obj(Nil);
    agents: obj(
      agent_types: obj(
        phone: obj(
          attributes: obj(
            valid: symb, cw: symb, twc: symb,
            connector: bool, onhook: int, number: int
          )
        )
      );
      axioms: Nil;
      reductions: (x)(
        equ_zero(0) = 1,
        equ_zero(x) = 0
      );
      numeric_restrictions: 1;
      logic_restrictions: Nil
    );
    instances: …
    agents: …
    initial: …
  )
Fragment 2: instances, agent attributes and initial state
  instances: (Phone 1, Phone 2, Phone 3, Phone 4, Network);
  agents: obj(
    p1: phone, p2: phone, p3: phone, p4: phone;
    agent_attributes: obj(
      p1: obj(valid: 1, cw: 0, twc: 0, connector: 0, onhook: 0, number: 1),
      p2: obj(valid: 1, cw: 0, twc: 0, connector: 0, onhook: 0, number: 2),
      p3: obj(valid: 1, cw: 0, twc: 0, connector: 0, onhook: 0, number: 3),
      p4: obj(valid: 1, cw: 0, twc: 0, connector: 0, onhook: 0, number: 4)
    )
  );
  initial: env(
    state(phone(p1, idle), phone(p2, idle), phone(p3, idle), phone(p4, idle))
  )
System defined by basic protocols
- Behavior of a system in a state with property alpha
- For MSC diagrams it is a weak sequential composition
- Environment transition
Partially sequential composition (permutability)
(Figure: three cases of two actions, one permutable, one that does not commute, one not permutable.)
Predicate transformers: what will be after?
Easy case, the postcondition is itself the description of the next state:
  (DAP d.paging_ms := head(DAP d.page_list)) & (DAP d.page_list := tail(DAP d.page_list)) & MS(m, respond a) & DAP(d, paging(DAP d.paging_ms))
More general case: a predicate transformer.
Example:
Main verification problems
- Consistency and completeness of basic protocols
- Decomposition of scenarios into basic protocols
- Annotation consistency of scenarios composed from basic protocols (implemented for MSC and SDL)
- Reachability in the system defined by basic protocols
Solved in the verification environment of VRS: integration of modeling and automatic theorem proving.
Inconsistent protocols (feature interaction between 3-way calling and call waiting)
Protocol "cw teardown 1" (lifelines: Phone m, Network, Phone n)
  precondition: phone(k, connected m) & phone(n, cw_wait k)
  postcondition: phone(m, idle) & phone(k, connected n) & phone k.cw := 0
Protocol "3 way teardown 2" (lifelines: Phone m, Network, Phone n)
  precondition: phone(k, 3 way connect(m&n))
  postcondition: phone(k, idle) & phone(m, dial) & phone(n, dial)
MSC messages across the two diagrams: onhook, dialtone, busy, dialtone, flash.
Scenario confirming the inconsistency (lifelines: Phone m, Phone z, Network, Phone k, Phone n)
- z: offhook, dialtone, dial; ring; m: offhook → phone(z, connected m)
- a second call is set up the same way (offhook, dialtone, dial, ring, offhook) → phone(k, connected n)
- z: flash, dialtone → phone(z, dial) & phone(m, 3 way wait z)
- z: dial k; ring at k; k: flash → phone(k, connected z) & phone(n, cw wait k)
- z: flash → anno phone(z, 3 way connect(m&k))
- anno phone(k, connected z) & phone(n, cw wait k)
Inconsistent state
State: phone(z, 3 way connect(m&k)), phone(k, connected z), phone(n, cw_wait k). Event: onhook z.
Both protocols are applicable and disagree on phone k:
- <cw teardown 1> gives phone(k, connected n)
- <3 way teardown 2> gives phone(k, dial)
(Figure: the resulting status of k is marked "? ? ?".)
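Two of the verification problems listed above, reachability in the system defined by basic protocols and consistency of basic protocols, in runnable form for the telephone protocols of these slides. This is an added example and not VRS or the authors' code. The encoding of a basic protocol as a triggering message plus Python precondition and postcondition functions over a dict of phone statuses, the trigger names for the network's reactions, the choice of p4 as an invalid number, and the sample states are this example's own assumptions; the attribute update phone k.cw := 0 is left out because only status terms are modelled.

```python
"""Basic protocols as guarded transformers of an attributed state, with BFS
reachability (trace generation) and a consistency check.

Added example modelled on the slides' telephone protocols; not VRS code.
The encoding of a protocol as (trigger, precondition, postcondition) over a
dict {phone: status term}, the trigger names and the sample states are
assumptions of this example.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence, Tuple

State = Dict[str, str]               # phone -> status term, e.g. "dial p2"
Frozen = FrozenSet[Tuple[str, str]]  # hashable form of a State

# Constructed environment: four phones as in the slides' environment
# description. p4 is deliberately treated as an invalid number here so the
# "call setup failure 2" branch is exercised (the slides have all four valid).
VALID = {"p1", "p2", "p3"}


@dataclass(frozen=True)
class BasicProtocol:
    name: str
    arity: int                           # number of distinct phone parameters
    trigger: Callable[..., str]          # params -> message that fires it
    pre: Callable[..., bool]             # (state, *params) -> precondition holds?
    post: Callable[..., Dict[str, str]]  # (state, *params) -> attribute updates


# The four call-setup protocols from the slides. Trigger names for the two
# network reactions are assumed; the slides show them only as MSC arrows.
CALL_SETUP = [
    BasicProtocol("call setup initial", 1,
                  lambda n: f"offhook {n}",
                  lambda s, n: s[n] == "idle",
                  lambda s, n: {n: "dial"}),
    BasicProtocol("call setup dialing 1", 2,
                  lambda m, n: f"dial({m}, {n})",
                  lambda s, m, n: s[m] == "dial",
                  lambda s, m, n: {m: f"dial {n}"}),
    BasicProtocol("call setup dialing 2", 2,
                  lambda m, n: f"network handles dial({m}, {n})",
                  lambda s, m, n: s[m] == f"dial {n}" and n in VALID,
                  lambda s, m, n: {m: f"ringing {n}", n: "ringing"}),
    BasicProtocol("call setup failure 2", 2,
                  lambda m, n: f"network handles dial({m}, {n})",
                  lambda s, m, n: s[m] == f"dial {n}" and n not in VALID,
                  lambda s, m, n: {m: "busy"}),
]

# The two teardown protocols of the feature-interaction slide. The update
# "phone k.cw := 0" is omitted because only status terms are modelled here.
TEARDOWN = [
    BasicProtocol("cw teardown 1", 3,
                  lambda k, m, n: f"onhook {m}",
                  lambda s, k, m, n: s[k] == f"connected {m}" and s[n] == f"cw_wait {k}",
                  lambda s, k, m, n: {m: "idle", k: f"connected {n}"}),
    BasicProtocol("3 way teardown 2", 3,
                  lambda k, m, n: f"onhook {k}",
                  lambda s, k, m, n: s[k] == f"3 way connect({m}&{n})",
                  lambda s, k, m, n: {k: "idle", m: "dial", n: "dial"}),
]


def enabled(state: State, protocols: Sequence[BasicProtocol]):
    """Every (protocol, parameters) instance whose precondition holds in state."""
    phones = tuple(state)
    return [(p, params) for p in protocols
            for params in permutations(phones, p.arity) if p.pre(state, *params)]


def apply(state: State, p: BasicProtocol, params: Tuple[str, ...]) -> State:
    nxt = dict(state)
    nxt.update(p.post(state, *params))
    return nxt


def reachable(initial: State, protocols: Sequence[BasicProtocol],
              goal: Callable[[State], bool], limit: int = 50_000) -> Optional[List[str]]:
    """BFS over the transition system the protocols define. Returns the trace
    (trigger messages) to the first goal state, or None if no goal state is
    found within `limit` explored states."""
    start: Frozen = frozenset(initial.items())
    parent: Dict[Frozen, Optional[Tuple[Frozen, str]]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        state = dict(cur)
        if goal(state):
            trace: List[str] = []
            while parent[cur] is not None:
                cur, msg = parent[cur]
                trace.append(msg)
            return trace[::-1]
        for p, params in enabled(state, protocols):
            nxt = frozenset(apply(state, p, params).items())
            if nxt not in parent:
                parent[nxt] = (cur, p.trigger(*params))
                queue.append(nxt)
        if len(parent) > limit:
            break
    return None


def conflicts(state: State, protocols: Sequence[BasicProtocol]) -> List[Tuple[str, str, str, str]]:
    """Pairs of instances fired by the same trigger in `state` whose
    postconditions assign one attribute two different values: the slides'
    inconsistent state. Returns (trigger, attribute, value1, value2) tuples."""
    found = []
    inst = enabled(state, protocols)
    for i, (p, a) in enumerate(inst):
        for q, b in inst[i + 1:]:
            if p.trigger(*a) != q.trigger(*b):
                continue  # different events: ordinary nondeterminism, not a conflict
            pa, pb = p.post(state, *a), q.post(state, *b)
            for attr in sorted(pa.keys() & pb.keys()):
                if pa[attr] != pb[attr]:
                    found.append((p.trigger(*a), attr,
                                  f"{p.name}: {pa[attr]}", f"{q.name}: {pb[attr]}"))
    return found


# Constructed states. BEFORE_ONHOOK_Z reproduces the slide "Inconsistent state":
# z hosts a 3-way call with m and k while n is call-waiting on k. The slide does
# not give m's own status; "connected z" is assumed and used by no precondition.
ALL_IDLE = {p: "idle" for p in ("p1", "p2", "p3", "p4")}
BEFORE_ONHOOK_Z = {"z": "3 way connect(m&k)", "m": "connected z",
                   "k": "connected z", "n": "cw_wait k"}

if __name__ == "__main__":
    print(reachable(ALL_IDLE, CALL_SETUP, lambda s: s["p1"] == "ringing p2"))
    print(reachable(ALL_IDLE, CALL_SETUP, lambda s: s["p1"] == "busy"))
    for c in conflicts(BEFORE_ONHOOK_Z, TEARDOWN):
        print("inconsistent:", c)
```

The reachability search returns a trace of triggering messages, which is the raw material of the generated MSC traces in the pipeline slide; `conflicts` reports the same disagreement over phone k that the slide shows with "? ? ?", and only for instances fired by one and the same event, so that independent protocols interleaving in a state are not mistaken for an inconsistency.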
Piloting VRS
What next?
- The next project where VRS will be applied contains about 10 000 requirements.
- A special technology is under development to reduce state and trace spaces.
- More UML to logic language.