Verification of TCI Using Mocha
Freddy Mang
Mentor: Marco Sgroi


Motivation

Gain insight into the utility of formal methods, in particular formal verification, in system design

Identify verification issues in wireless protocol design

Verification in the mainstream design flow?

Two-Chip Intercom

Wireless network of intercoms

Protocol design methodology: successive refinement; propagation of performance constraints

Tools: protocol: Polis/Felix, VCC; baseband: Simulink

Mocha

Description: reactive modules
Specification: alternating temporal logic
Model checker: symbolic and enumerative
Compositional reasoning: symbolic refinement checker

CFSM vs Reactive Modules

CFSM: globally asynchronous, locally synchronous; event driven

Reactive Modules: synchronous, state-based formalism

Asynchronicity:
– a CFSM is modeled as two modules
– main module: lazy, allows stuttering
– buffer module: one boolean variable per input

Translation

CFSM transition:

  awaits Connreq;
  if (~connected(?Connreq))
    emits ConnreqOK;
  else
    emits ConnreqNotOK;

State diagram (s0 -> s1):

  Connreq? & connected(?Connreq); ConnreqNotOk!
  Connreq? & ~connected(?Connreq); ConnreqOk!

Reactive module guarded commands:

  [] pc=s0 & hasConnReq & connected(ConnReqVALUE) -> pc' := s1, ConnreqNotOK!
  [] pc=s0 & hasConnReq & ~connected(ConnReqVALUE) -> pc' := s1, ConnreqOK!

Example Operations (ConnReq)

(Figure sequence.) Remote1 (NotConn) sends ConnReq to the base station; the base station adds routing-table entry RT1 and replies ConnReqOK; Remote1 becomes Conn. Remote2 (NotConn) then sends ConnReq; the base station adds RT2 and replies ConnReqOK!.

Example Operations (AddReq)

(Figure sequence.) With Remote1 and Remote2 both Conn and entries RT1, RT2 held by the base station, an AddReq is sent; the base station replies AddReqOK to Remote1 and to Remote2, and both remotes enter state Add.

Other Operations

RemReq: sent when a remote decides to finish the conference

DiscReq: sent when a remote decides to exit the network; the base station removes its entry

TCI Protocol Stack

Properties Checked

Property 1: the UI cannot send two request events at the same time.

AG (~(x ∧ y)), where x ≠ y and x, y ∈ {ConnReq_ui!, DiscReq_ui!, AddReq_ui!, RemReq_ui!}

Result: OK

Properties Checked

Property 2: the UI cannot send two consecutive ConnReq events unless disconnected or reset.

Specified by composing the UI with a monitor; reduced to invariant checking.

Result: OK

Properties Checked

Property 3 (instance):
– only one base station, one remote
– channel and base station are fair
– the remote can connect to the base station whenever it wants: AG <<Remote>> F ConnreqOK!

Result: NOT OK

Why It Fails

(Figure sequence.)
1. The base station holds an RT entry marking the Remote as Conn; the Remote resets.
2. The Remote is now NotConn and sends ConnReq; the base station still holds the stale entry.
3. connected(Remote) is true at the base station, so it replies ConnReqNotOK.

Remote never connects again!
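As an added illustration (not part of the slides or of the original Mocha models), a small Python exploration of the Property 3 instance: one remote, one base station, a one-slot buffer standing in for the buffer module, and the base station's ConnReq rule written as the two guarded commands on the Translation slide. Under the slide's fairness assumptions the strategy quantifier <<Remote>> F is approximated by plain reachability (EF); the state encoding and the DiscReq/reset moves are my assumptions.

```python
from collections import deque

# Added model, not the original Mocha modules: one remote and one base station,
# as in the Property 3 instance. A state is (remote_pc, base_has_rt_entry,
# buffered_event); each guarded command fires alone, like a reactive-module
# update round, and the buffer plays the slide's one-variable buffer module.
INIT = ("NotConn", False, None)

def successors(state):
    remote, entry, buf = state
    succ = []
    if remote == "NotConn" and buf is None:
        succ.append((remote, entry, "ConnReq"))        # remote: ConnReq!
    if buf == "ConnReq":                                # base station answers
        if entry:   # connected(?ConnReq) holds -> refuse, as on the slide
            succ.append((remote, entry, "ConnReqNotOK"))
        else:       # unknown remote -> add RT entry, accept
            succ.append((remote, True, "ConnReqOK"))
    if buf == "ConnReqOK":
        succ.append(("Conn", entry, None))
    if buf == "ConnReqNotOK":
        succ.append(("NotConn", entry, None))
    if remote == "Conn" and buf is None:
        succ.append(("NotConn", False, None))           # DiscReq: entry removed
        succ.append(("NotConn", entry, None))           # reset: entry kept!
    return succ

def explore(start):
    """Breadth-first search; returns the states reachable from `start`
    in discovery order (so counterexamples come out shortest-first)."""
    order, seen, q = [start], {start}, deque([start])
    while q:
        for t in successors(q.popleft()):
            if t not in seen:
                seen.add(t); order.append(t); q.append(t)
    return order

def can_reach_ok(state):
    """EF ConnReqOK!: some path from `state` delivers ConnReqOK."""
    return any(s[2] == "ConnReqOK" for s in explore(state))

def find_violation():
    """First reachable state violating AG EF ConnReqOK!, or None.
    Under the slide's fairness assumptions EF stands in for <<Remote>> F."""
    for s in explore(INIT):
        if not can_reach_ok(s):
            return s       # ('NotConn', True, None): reset remote, stale RT entry
    return None
```

The returned state is exactly the post-reset configuration of the Why It Fails slides: the remote is NotConn while the base station still records it as connected, and every further ConnReq is answered ConnReqNotOK.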

Future Work

Production of reactive modules for every component

Check more properties; ATL refinement

Translator from CFSM to Reactive Modules?