Verification of TCI Using Mocha

1
Verification of TCI Using Mocha

• Freddy Mang
• Marco Sgroi

2
Motivation

• Gain insight in the utility of formal method, in
  particular formal verification, in system design
• Identify verification issues in wireless protocol
  design
• Verification in mainstream design flow?

3
What is Formal Verification

• System satisfies certain properties?
• System described in some formal mathematical
  languages (e.g. Esterel)
• Properties written in some formal logic (e.g.
  LTL) or formal model (e.g. Esterel)

4
What can be checked?

• Property Verification
• invariant
• only one remote can send voice data at any time
  slot
• response
• if a remote sends a request to the base station,
  then eventually there is an acknowledgement
• deadlock freedom

5
What can be checked?

• Refinement Checking
• Does the (low-level) implementation conform with
  the (high-level) specification
• Do the mapped CFSMs function the same as the
  specification?

6
Advantages

• Exhaustive (all corner cases tested)
• No test vectors needed
• only system description and properties required
• Liveness/deadlock freedom cannot be checked by
  simulation

7
Mocha

• Modeling Language Reactive Modules
• Specification Alternating Temporal Logic
• Model Checker
• Refinement Checker
• Simulator

8
(No Transcript)
9
TCI Protocol Stack
10
Property 1
UI cannot send two requests at the same time.
UI
AG (? (x ? y)), where x ? y and x, y ?
ConnReq_ui, DiscReq_ui, AddReq_ui, RemReq_ui

• OK

11
Property 2
UI cannot send two consecutive ConnReq events
unless disconnected or reseted or ConnReqNotOK
UI
AG ( ConnReq_ui ? A ( ConnReq_ui W ( Disc ?
Reset ? ConnReqNotOK ) )

• OK

12
Property 3
If RT believes it is connected to the network,
then BS has RT registered.
Conn

• OK

RT
13
Property 4
If the remote request for connection, then
eventually it will be connected.
AG (Connreq ?AF Conn)

• NOT OK

14
Why Fails
15
Why Fails
Reset
16
Why Fails
Reset
Remote never connects again!
Not Conn
RT
Base station
17
Property 5
Remote returns to the disconnect state if user
press the disconnection button.
Disc
AG ( Disc? AF (Not Conn) )

• NOT OK

18
Why Fails?

• Remote accepts Disc from the user even if it is
  not connected
• After the remote has sent DiscReq and waits for
  acknowledgement
• However, base station ignores DiscReq if remote
  is not registered

19
Summary

• Checked some properties of the original TCI
  protocol
• The specification is abstract enough (e.g. no
  details of communication) and therefore
  verification is efficient

20
CFSM vs Reactive Modules

• CFSM
• globally asynchronous, locally synchronous
• event driven
• Reactive Modules
• synchronous state-based formalism
• asynchronicity
• A CFSM modeled as two modules
• main module lazy, allow stuttering
• buffer module one boolean variable per input

21
Translation

• awaits Connreq
• if (connected(?Connreq))
• emits ConnreqOK
• else
• emits ConnreqNotOK

pcs0 hasConnReq connected (ConnReqVALUE)
-gt pc s1, ConnreqNotOK! pcs0
hasConnReq connected (ConnReqVALUE) -gt pc
s1, ConnreqOK!