MICON 2000

Formal methods for design methodology

by Luigi Logrippo with D. Amyot, R. Chan, L. Charfi, N. Gorse, J.Sincennes, R. Plesa,...

SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING

UNIVERSITY OF OTTAWA

Basic Idea Use Case Maps provide a good basis for high-

level description and design of many aspects of telecom systems

LOTOS is a formal language that matches UCMs in level of abstraction

Translate UCMs into LOTOS and then use LOTOS formal methodology

The LOTOS spec is a ‘formal prototype’ for the UCM requirements

What does this buy us

Validation and Verification� Feature Interaction Detection

Semi-automatic derivation of functional test cases

Semi-automatic derivation of implementations

The design process extends itself into implementation and testing

From UCMs to LOTOSStart/end pointsResponsibilitiesAgents/componentsStubs

Plug-insInter-path causality

Databases, conditions

Visible gatesHidden gatesProcessesProcesses (implement selection policies)ProcessesHidden inter-processsynchronization (msg)Abstract Data Types

Interprocess Communication

LOTOS process synchronization concept can be implemented as a blackboard system

Establishing a relation with a methodology already in place at Mitel

UCM to LOTOS example

Process Agent[A_U, U_A, A_A, req]: (a:Agent, u:User):= U_A !u !a !conReq ?dU:User; req !dU ?dA; A_A !a !dA !conReq !dU; ( A_A !dA !a !conConf !ring; A_U !a !u !conConf !ring; exit [] (* - OR - *) A_A !dA !a !conConf !busy; A_U !a !u !conConf !busy; exit )endproc

Process User[ dial, U_A, A_U, ringBack, busyTone ]:(a:Agent, u:User):= dial !u ?dU:User; U_A !u !a !conReq !dU; ( A_U !a !u !conConf !ring; ringBack; exit [] (* - OR - *) A_U !a !u !conConf !busy; busyTone; exit )endproc

How to use LOTOS methodology

LOTOS can be used to ‘execute’ UCMs� Scenarios for the UCMs can be obtained� Validation tools can be applied to detect

errors� Functional test cases can be obtained

Detection of feature interactions

New, more efficient methods developed Have both static and dynamic feature

interaction detection Proven performance:

� second place (very near to 1st) in 2000 Feature Interaction contest (Glasgow, Scotland)

Feature Interaction Detection Using Predicate Logic, UCM and LOTOS

Feature Interaction Filtering at requirement stage using Prolog

• Identification of possible interactions• Based on requirements

Based on the UCM model• Validation of the global model

Rapid methodNicolas Gorse Master Thesis

Feature Interaction Detection Using Predicate Logic, UCM and LOTOS (cont’d)

Derivation of a LOTOS specification• Provides an executable model• Provides information for scenario generation

Scenario Generation for possible Interactions identified

• Using information on the structure of the feature• Based on possible interactions identified

Feature Interaction Detection Using Predicate Logic, UCM and LOTOS (cont’d)

Feature Interaction scenario-based validation of the LOTOS specification

• Allows to verify whether the possible interactions identified are present in the LOTOS spec

• Method only identifies possible interactions, however experimental study showed very high hit rate

• Scenarios derived can be reused at final system testing stage

Representation of features� Pre-conditions

• CFA: {subs(B, cfa), concerns(B, cfb), cfa(C)}• CFB: {subs(B, cfb), concerns(B, cfb), busy(A), cfb(D)

� Triggering Events• CFA: {call(A, B)} Same triggering events• CFB: {call(A, B)} for both features

� Results• CFA: {call(A, C)} Different results, • CFB: {call(A, D)} non determinism

Feature Interaction Filtering Using Predicate Logic

Feature Interaction Filtering Using Predicate Logic (cont’d)

Mitel Project• 22 feature descriptions (484 pairs), 4 users• 43 possible interactions found in 84.14 secs

Feature Interaction Contest• 97 feature descriptions (9409 pairs), 4 users• 149 possible interactions found in 1299.93 secs

The representation of features is fairly quick to obtain

Another application:

Derivation of Test Cases

The Big Picture

UCMS

LOTOSspecification

test purposes

mappingM

mappingM

LOTOSscenarios

Validationwith LOLA

TGV

TTCNtest suites

MSCgeneration

LOTOS scenarios used for :(1) the spec validation(2) the TTCN test suite generation

(1)

(2)

Leila Charfi’s Master thesis

Several Tools used:

• LOLA

• CAESAR

• TGV (in CAESAR)

• lot2msc

• . . .

busy idle

incomingCallinitiateCall

onHook

disconnection

Phone 1 Switch Phone 2

offHook

ringStub

Callerdisconnection Calleedisconnection

onHook onHookdisconndisconn

busy

offHooktalk

ringringBack

A coverage algorithm uses the internal

representation of the UCM to cover all possible paths at least once

phone1: startpoint ‘offHook’ ;phone1: resp ‘initiateCall’;phone2: resp ‘incomingCall’;phone2: point ‘busy’;phone1: point ‘busy’;phone1: endpoint ‘onHook’;

phone1: startpoint ‘offHook’ ;phone1: resp ‘initiateCall’;phone2: resp ‘incomingCall’;phone2: point ‘idle’;(phone2: resp ‘ring’;exit |||phone1: resp ‘ringBack’;exit) >>phone2: resp ‘offHook’;switch: point ‘talk’;phone2: startpoint ‘onHook’;switch: resp ‘disconn’;

phone1: startpoint ‘offHook’ ;phone1: resp ‘initiateCall’;phone2: resp ‘incomingCall’;phone2: point ‘idle’;(phone2: resp ‘ring’;exit|||phone1: resp ‘ringBack’;exit) >>phone2: resp ‘offHook’;switch: point ‘talk’;phone1: startpoint ‘onHook’;switch: resp ‘disconn’;

user_to_phone !A !offHook; phone_to_user !A !dialTone; user_to_phone !A !dial !B;( phone_to_user !B !ringingOn; exit ||| phone_to_user !A !ringBackTone; exit) user_to_phone !B !offHook; phone_to_user !A !ringBackToneOff; user_to_phone !B !onHook; phone_to_user !A !disconnectTone; user_to_phone !A !onHook;

lotos scenario

scenarioBusyCallee scenarioForwardTakeDown scenarioBackwardTakeDown

des (0, 14, 14)(0, "USER_TO_PHONE !A !OFFHOOK", 1)(1, "PHONE_TO_USER !A !DIALTONE", 2)(2, "USER_TO_PHONE !A !DIAL !B", 3)(3, "PHONE_TO_USER !B !RINGINGON", 4)(3, "PHONE_TO_USER !A !RINGBACKTONE", 5)(4, "PHONE_TO_USER !A !RINGBACKTONE", 6)(5, "PHONE_TO_USER !B !RINGINGON", 6)(6, i, 7)(7, "USER_TO_PHONE !B !OFFHOOK", 8)(8, "PHONE_TO_USER !A !RINGBACKTONEOFF", 9)(9, "USER_TO_PHONE !B !ONHOOK", 10)(10, "PHONE_TO_USER !A !DISCONNECTTONE", 11)(11, "USER_TO_PHONE !A !ONHOOK", 12)(12, ACCEPT, 12)

scenario Aldebaran format

ADT ADT

lotos spec

scenarios from UCMUCM

TGV

test suite

lotos scenario

bcg_min scenario

CAESAR ENVIRONMENT

Choose scenarios to cover all UCM

scenarioForwardTakeDown Test suite generated with TGV

New Topics: CPL and SIP

CPL, the SIP Call Processing Language� CPL has a logic somewhat similar to the

one of LOTOS: communicating processes, with no explicit notion of state

• Develop formal semantics for CPL based on LOTOS

• Develop FI detection methods for CPL based on LOTOS

New Topics: The whole method

Exploring the relation between � interaction resolution methods (e.g. OPI)� UCMs, � LOTOS-based methods

Three methodologies that must work together but are not (yet) clearly coordinated� where do we start, how to use them together

Proof of concept has been provided,but many challenges are ahead...