Formal Verification of fFSM Model

Sachoun Park, Gihwon Kwon

Department of Computer ScienceKyonggi University, Korea

IWFST, Shanghai, China, 2005.11.08.

2

Formal Verification

Minimization (e.g. bisimulation)

Property specification

State space:- Kripke structure- LTS (Lab.Trans.Syst.)- Marking graphs

Modeling languages:- Communicating FSMs- Process algebra - Petri nets

Generation

init(state):= 0;next(state):= case state=0: {2,3}; state=1: 1; 1 : state; esac;

Verification:- Model checking- Equivalence checking- ??

Logical resultswith counter-example

3

fFSM Model

HierarchyConcurrency

Internal EventVariable State

A2 B C DA1

E

Ff1 f2

B1 B2

B3

snd

sndrcv

rcv D1rcv

rcvsnd

fFSM

Dataflow wormhole (super-block with different domain inside)

System-level Specification in PeaCE

Eventgenerators

Display

Backplane: Discrete Event

4

Flattened Model

• pFSM = (I, IT, O, M, , V), • I = {coin, ready, stop, time}, O = {tilt, game_over, game_on, …}• V = {randn, remain}• M = {m1, m2, m3, m4} (m1) = {m3, m4}, (m2) = , (m3) = , (m4) =

m1 = (S1, s01, L1, T1)

S1 = {GameOff, GameOn}, L1 = {(GameOff, ), (GameOn, )} T1 = {(GameOff, coin==1, game_on=1, timeset=1000, GameOn), …}

m1 m2 m3 m4

5

fFSM Semantics

{GameOff, TimeInit, Ready, R

and},

{coin},

{GameOn, TimeInit, Ready, Ran

d},

{timeset},

{GameOn, Wait, Ready, Rand},

,

{game_on:=1} {remain:=1000}

{GameOff, TimeInit, Ready, Ra

nd},

{coin},

{GameOn, Wait, Ready, Rand},

,

{game_on:=1, remain:=1000}

Micro Step:

Macro Step:

Macro step

Environmental change

Micro steps

Environmental change

stable

6

Desired Properties • No unused components

EF component1 … EF componentn Components: states, events

• No unreachable guards EF (si EX sj), guard(t) = g, source(t) = si , target(t) = sj

• No unambiguous transitions (ambiguous transition) AG ((t1 t2) (t2 t3) (t1 t3)), where {t1, t2, t3} is a set of outgoing tr

ansitions from the same state.• No deadlocks

EFAG deadlock, where deadlock is (t1 … tn)• No divergent behavior (circular transition)

AG (stable A[stable U stable])• Race condition violation

AG(stable uadate AX A[uadate U stable])

7

Stepper: Simulation & Verification Tool

F2V Model

Checker

SMV Translator

SMV Model checke

r

Graph Generator

*.xml

*.xml fFSM simulator *.smvModel

Result

CTL

Property

Formal fFSM Verifier (F2V) Explicit model checker Properties to be checked

Reachability Race condition Ambiguous transitions Circular transitions

8

Discussion Topics• How to avoid the state explosion problem ?

State explosion problem occurs due to variables How to abstract them away ?

• How to integrated heterogeneous models ? fFSM models the control flow of a system SDF models the data flow of a system How to integate them ?

1. data transfer

3. result(flag) transfer

DisplayEventsource

“flag”

Backplane

“a” fFSM

X Ya/out

flag B

“out”A

SDF

C

2. execution

A

SPDFC

B

Eventsource

Backplane domain node_name: foo

script: “stop foo”script: “run foo”

X Y

aFSM

reset

Asynchronous InteractionSynchronous Interaction