A verification study based on the CTP model

A VERIFICATION STUDY BASED ON THE CTP MODEL

KAMRUL HASAN TALUKDER
(B Sc in Computer Science and Engineering, Khulna University, Bangladesh)

A THESIS SUBMITTED FOR THE DEGREE OF MASTER OF SCIENCE
DEPARTMENT OF COMPUTER SCIENCE
SCHOOL OF COMPUTING
NATIONAL UNIVERSITY OF SINGAPORE
2003

To the departed soul of my father

Acknowledgements

I feel glad having a chance to express my heart-felt and most sincere respect to my respectable supervisor, Professor P S Thiagarajan, for his supervision, advice, encouragement and extraordinary patience during the whole period I was under his supervision, without which this thesis would not have been possible. I am grateful to Assistant Professor Dr Abhik Roychoudhury for his suggestions and guidance about this project. I would like to express my gratitude to Nikhil Jain and Pankaj Jain, students of IIT, Bombay, India, who were involved in the early stage of this project. I thank them for their earnest replies to my queries at different times. I would also like to thank all my lab mates for their support and cooperation. I express my respect to the authority of Khulna University, Bangladesh, my job place, for granting me a study leave to study at NUS. I am deeply indebted to all of my family members, especially to my parents, for their support by all means. I would like to thank my wife Rabeya Binta Rahman (Luna) and my daughter Nafisa Hasan Niha for their great sacrifice to my study at NUS. Finally, I express my sincere apologies to those whose names I have forgotten to mention here.

Contents

Title
Acknowledgements
Summary
List of Figures
List of Definitions
List of Programs
Chapter 1: Introduction
Chapter 2: Background Knowledge
  2.1 Message Sequence Chart (MSC)
  2.2 Event Structures
  2.3 CTL
    2.3.1 Specification of properties in CTL
  2.4 Symbolic Model Verifier (SMV)
    2.4.1 Input language
Chapter 3: The CTP Model
  3.1 The CTP Model
  3.2 The Definition of the CTP Model
  3.3 An Example of the CTP Model
Chapter 4: Translating CTP into SMV
  4.1 Syntax of CTP input file
  4.2 Mapping CTP input file to SMV file
  4.3 Translator
    4.3.1 Lexical Analysis
    4.3.2 Syntactic Analysis
    4.3.3 Generating SMV code
Chapter 5: Modeling the AMBA Bus Protocol through CTP Model
  5.1 Introduction to AMBA Bus
  5.2 The CTP Model
Chapter 6: Verification
  6.1 Verification of the AMBA Bus Protocol
Chapter 7: Conclusions
  7.1 Summary of our work
  7.2 Future work
References

Summary

Message Sequence Charts (MSCs) are an appealing visual formalism mainly used in the early stages of system design to capture the system requirements. However, if we move towards an implementation, an executable specification related in some fashion to the MSC-based requirements must be obtained. The main difficulty here is that the inter-object interactions described in the form of MSCs must be synthesized as executable specifications given in terms of intra-object behaviors. A Roychoudhury and P S Thiagarajan proposed an executable formalism called Communicating Transaction Processes (CTP) that uses MSCs to construct executable specifications in a more direct way. The proposed CTP model uses high-level transition systems to capture the control flow of the system components (agents) and MSCs to describe the non-atomic component interactions. This model is amenable to formal verification.

In this thesis, we present a verification study based on the proposed CTP model. We have contributed significantly to the following tasks in this respect. Firstly, the syntax to specify the CTP model has been formulated. The CTP model is described in a textual input file using that syntax. Secondly, a translator that translates the CTP specifications into Symbolic Model Verifier (SMV) programs has been constructed. Thirdly, we have modeled the major features of the AMBA bus protocol through the CTP model. This model has been translated into an SMV program using the CTP-SMV translator. Finally, automatic verification of the protocol is done using the SMV program.

Lists of Figures

Figure 2.1 A Message Sequence Chart
Figure 2.2 An Event Structure
Figure 2.3 Transition System associated with the ES in Figure 2.2
Figure 3.1 Inter-process communication and intra-process control flow
Figure 3.2 Choice of Inter-process communication
Figure 3.3 Distributed nature of choice in a transaction
Figure 3.4 CTP System Model
Figure 3.5 Local Choices and Environmental Interaction in Transaction Schemes of Figure 3.4
Figure 4.1 Syntax of CTP input file
Figure 4.2 Example of CTP input file
Figure 5.1 Transaction scheme Localm
Figure 5.2 Transaction scheme Enqueuem
Figure 5.3 Transaction scheme Request
Figure 5.4 Transaction normal data transfer in scheme Transfer
Figure 5.5 Transaction initiation of wait cycle in scheme Transfer
Figure 5.6 Transaction wait cycle in scheme Transfer
Figure 5.7 Transaction initiation of splitting in scheme Transfer
Figure 5.8 Transaction scheme Dequeues

Lists of Definitions

Definition 2.1 Definition of MSC
Definition 2.2 Definition of Event Structures
Definition 2.3 Definition of Transition System
Definition 2.4 Definition of Transition System associated with ES
Definition 3.1 Definition of Product Transition System
Definition 3.2 Definition of Transition Scheme
Definition 3.3 Definition of CTP Model

Lists of Programs

Program 2.1 An example of SMV program

Chapter 1 Introduction

to be performed, an additional condition must be fulfilled (checked in the translated SMV code): the queue that holds the send information must not be full, and similarly, for a receive action, the corresponding queue must not be empty. These conditions are not shown in the guards of the transaction.

[Figure 5.4: Transaction normal data transfer in scheme Transfer. Guard: Im.status & Im.g1 & Is.status & Is.waitcnt=0. Messages between Im and Is: addr(a), data(d), status(true). Internal actions: addr_rcvd:=a, data_rcvd:=d, data_sent:=d, status:=din, g1:=din.]

The transaction initiation of wait cycle is shown in Figure 5.5. Here Im has the bus access but the queue of Is is full, so the wait cycle starts. In this case, the variable waitcnt is increased by one. Since the recursive increment (waitcnt:=waitcnt+1) is restricted in SMV, the value of waitcnt is sent to Im and received back from Im in another variable in Is, say count, and finally the internal action waitcnt:=count+1 is performed in Is. The same procedure is followed in other transactions where this type of internal action needs to be performed.

[Figure 5.5: Transaction initiation of wait cycle in scheme Transfer. Guard: Im.status & Im.g1 & ~Is.status & Is.waitcnt=0. Messages between Im and Is: addr(a), data(d), status(false). Internal actions: waitcnt:=waitcnt+1, wait_addr:=a, wait_data:=d, status:=din, g1:=din.]

In the third transaction, we model the case where the master is passing through a wait cycle. In this case the status of Is is still false (its queue is full) and the increment of waitcnt is going on. This transaction is shown in Figure 5.6. In this case the value of waitcnt is greater than but still does not exceed the threshold maxwait.

Figure 5.6 Transaction wait cycle in scheme Transfer
Im.status & Im.g1 & ~Is.status & Is.waitcnt

Date posted: 26/09/2015, 10:51
