Motivation
Gain insight into the utility of formal methods, in particular formal verification, in system design
Identify verification issues in wireless protocol design
Verification in the mainstream design flow?
Two-Chip Intercom
Wireless network of intercoms
Protocol design methodology
– successive refinement
– performance constraints propagation
Tools
– protocol: Polis/Felix, VCC
– baseband: Simulink
Mocha
Description: reactive modules
Specification: alternating temporal logic
Model checker: symbolic and enumerative
Compositional reasoning: symbolic refinement checker
CFSM vs Reactive Modules
CFSM: globally asynchronous, locally synchronous; event driven
Reactive Modules: synchronous, state-based formalism
Asynchronicity
– A CFSM modeled as two modules
– main module: lazy, allows stuttering
– buffer module: one boolean variable per input
Translation
CFSM behaviour (states s0, s1):
awaits Connreq;
if (~connected(?Connreq)) emits ConnreqOK;
else emits ConnreqNotOK;
CFSM transitions s0 -> s1:
Connreq? & connected(?Connreq); ConnreqNotOk!
Connreq? & ~connected(?Connreq); ConnreqOk!
Reactive module guarded commands (hasConnReq is the buffer module's boolean for input Connreq):
[] pc=s0 & hasConnReq & connected(ConnReqVALUE)  -> pc' := s1, ConnreqNotOK!
[] pc=s0 & hasConnReq & ~connected(ConnReqVALUE) -> pc' := s1, ConnreqOK!
Other Operations
RemReq: sent if the user decides to finish the conference
DiscReq: sent if the user decides to exit the network; the base station removes the entry
Properties Checked
Property 1: UI cannot send two request events at the same time.
AG ~(x & y), where x ≠ y and x, y ∈ {ConnReq_ui!, DiscReq_ui!, AddReq_ui!, RemReq_ui!}
Result: OK
Properties Checked
Property 2: UI cannot send two consecutive ConnReq events unless disconnected or reset.
– specified by composing UI with a monitor
– reduced to invariant checking
Result: OK
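Property 2's reduction to invariant checking, as an added example in Python (not from the slides, not Mocha code): a constructed UI model, the translated base-station module (lazy main module plus a buffer bit) and a monitor are composed synchronously; the monitor raises an error flag on a second ConnReq with no DiscReq in between, so the property becomes the invariant AG ~err, which an enumerative reachability search checks. The UI model, the folding of the s1 return into s0, and the omission of reset are assumptions; a deliberately buggy UI variant shows the monitor yielding a counterexample.

```python
from collections import deque

def ui_moves(ui, buggy):
    moves = [(ui, None)]                                  # constructed UI module; may stutter
    if ui == "idle":
        moves.append(("waiting", "ConnReq"))
    if ui == "connected":
        moves.append(("idle", "DiscReq"))
        if buggy:                                         # injected defect: re-request while connected
            moves.append(("connected", "ConnReq"))
    return moves

def base_moves(pc, has_req, connected):
    moves = [(pc, has_req, None)]                         # lazy main module: may stutter
    if pc == "s0" and has_req:                            # the slide's guarded commands (s1 -> s0
        reply = "ConnreqNotOK" if connected else "ConnreqOK"   # return is assumed and folded in)
        moves.append(("s0", False, reply))                # firing consumes the buffered input
    return moves

def monitor(seen, err, ev):
    if ev == "ConnReq":                                   # second ConnReq with no DiscReq since: error
        return True, err or seen
    return (False, err) if ev == "DiscReq" else (seen, err)

def successors(state, buggy):
    ui, pc, has_req, conn, seen, err = state              # one synchronous round of UI || base || monitor
    out = set()
    for ui2, uev in ui_moves(ui, buggy):
        seen2, err2 = monitor(seen, err, uev)
        conn2 = conn and uev != "DiscReq"                 # base station drops the entry on DiscReq
        for pc2, req2, bev in base_moves(pc, has_req or uev == "ConnReq", conn2):
            ui3 = ui2                                     # has_req: buffer module latches the input
            if ui2 == "waiting" and bev:                  # UI awaits the base station's reply
                ui3 = "connected" if bev == "ConnreqOK" else "idle"
            out.add((ui3, pc2, req2, conn2 or bev == "ConnreqOK", seen2, err2))
    return out

def check_property2(buggy=False):
    init = ("idle", "s0", False, False, False, False)     # (ui, pc, has_req, connected, seen, err)
    visited, todo = {init}, deque([init])
    while todo:                                           # enumerative reachability: AG ~err
        s = todo.popleft()
        if s[5]:
            return s                                      # counterexample state
        for t in successors(s, buggy):
            if t not in visited:
                visited.add(t)
                todo.append(t)
    return None                                           # invariant holds on all reachable states
```

`check_property2()` returns None for the well-behaved UI; `check_property2(True)` returns the first reachable state in which the monitor's error flag is set.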
Properties Checked
Property 3: instance
– only one base station, one remote
– channel and base station are fair
Remote can connect to the base station whenever it wants
– AG <<Remote>> F ConnreqOK!
Result: NOT OK