Events and Constraints: A Graphical Editor for Capturing Logic Requirements of Programs




Margaret H. Smith, Bell Laboratories, Rm. 2C-407, 600 Mountain Avenue, Murray Hill, NJ 07974, mhs@research.bell-labs.com
Gerard J. Holzmann, Bell Laboratories, Rm. 2C-522, 600 Mountain Avenue, Murray Hill, NJ 07974, gerard@research.bell-labs.com
Kousha Etessami, Bell Laboratories, Rm. 2C-472, 600 Mountain Avenue, Murray Hill, NJ 07974, kousha@research.bell-labs.com

Abstract

A logic model checker can be an effective tool for debugging software applications. A stumbling block can be that model checking tools expect the user to supply a formal statement of the correctness requirements to be checked in temporal logic. Expressing non-trivial requirements in logic, however, can be challenging. To address this problem, we developed a graphical tool, the TimeLine Editor, that simplifies the formalization of certain kinds of requirements. A series of events and required system responses are placed on a timeline. The user converts the timeline specification automatically into a test automaton, that can be used directly by a logic model checker, or for traditional test-sequence generation. We have used the TimeLine Editor to verify the call processing code for Lucent's PathStar Access Server against the Telcordia LSSGR standards. The TimeLine editor simplified the task of converting a large body of English prose requirements into formal, yet readable, logic requirements.

Keywords: model checking, software verification, testing, requirements.

1. Introduction

Logic model checkers are gaining in popularity as tools for debugging concurrent, distributed software. While they cannot completely replace traditional testing tools, for certain types of software bugs, namely control logic and communications errors, model checkers are unequalled in their speed and coverage [5]. The basic steps involved in the application of a model checker to a software application, shown in Figure 1, are:

1. obtain a model of the source code.
2. obtain the requirements to be checked.
3. perform model checking step (automated).
4. evaluate any error traces that the model checker generates, determine if the error is in the code or the requirements, and repeat the process if needed.

[Figure 1. Model checking process. Box labels: Source Code, Model, Requirements, Model Checking, Error, No Error, Fix Source, New Version of Source Code, Passed Test.]

Defining the requirements to be checked (step 2.) can be an optional step. In the absence of specific requirements to be checked, a model checker will check for some generally desirable program requirements such as: absence of deadlock, livelock, and unreachable code. However, if one wants to check specific requirements, or in other words, check that the source code satisfies application-specific requirements, then some requirements must be defined.

The telephone system is by its very nature a distributed application, and therefore telephony software is a natural candidate for model checking applications. These systems typically support hundreds of distinct and potentially interacting features, which makes their complexity far exceed human reasoning abilities. If we want to determine, for instance, that a telephone switch satisfies the simple requirement "when user goes offhook the system provides dialtone", a model checker can exhaustively test whether there is any possible interleaving of events that can lead to an error (i.e., a violation of the stated requirement).

We might attempt to test the same requirement using traditional testing. To do so, we could try to alter the state of the switch in as many ways as possible and go offhook (i.e., pick up the handset) to determine whether we get dialtone in every case. At best such a method samples the possible behavior of the switch. A lucky test will discover an exception to the requirement, but many bugs pass through, to be discovered in the field by users.

The benefits of model checking for exhaustively testing distributed code should be clear. However, one of the hurdles that practitioners of model checking face is that the requirements must be stated strictly formally. A necessary step is to state informal requirements, such as our example requirement regarding dialtone, in a formal notation. When the requirement is stated formally, we call it a requirement. The formal notation of choice for specifying requirements of software applications is Linear Temporal Logic (LTL) [12]. LTL allows one to describe how a system's events and states are related over time, which is exactly what we need for expressing logic control and communications requirements. For example, we can use an LTL formula to formally state the simple requirement above, but also more complex requirements about required causality in the system. A strength of LTL is that it is expressive, allowing the formalization of vastly more complex requirements than the one we expressed. A drawback of LTL is that it is hard to debug an LTL formula, even for experts.

In an industrial application of model checking to the Lucent PathStar Access Server, we were faced with the challenge of specifying and checking the code for conformance with 117 distinct feature requirements.
We had two alternatives for overcoming this hurdle. The first was to capture all requirements in logic, and to reserve adequate time for debugging the LTL formulas. The second was to find a more natural way to generate the required formal requirements without writing LTL formulas. To support the second approach, we built a graphical TimeLine Editor that can generate formal requirements from a visual representation of required causal relations. While not as expressive as LTL, the TimeLine Editor allowed us to specify a large fraction of the feature requirements of interest in the verification of the PathStar Access Server [9]. The time spent building the editor was well rewarded by the time savings realized.

The TimeLine Editor is well suited for expressing the types of requirements encountered in the PathStar application. Specifically the TimeLine Editor can express requirements with a preamble (a sequence of events that act as a pattern to be matched against execution sequences) and a response. Other visual notations [1][13] have been developed to address the expressive needs of different applications, or to express a broad set of requirements. Other related work [7] has been to classify and codify certain frequently observed requirement types.

To explore the TimeLine Editor further we will look at how we can discover requirements, typical forms of requirements, the timeline notation and graphical interface, how to convert a timeline to a test automaton, the types of requirements that can and can not be expressed using timelines, global requirement constraints, and an example error that was found using the TimeLine Editor and the FeaVer/Spin model checking framework.

2. Discovering requirements

Many efforts have been made to apply various requirements modeling tools in systems engineering. Despite this, the practical reality is that most requirements are today still expressed in English prose. Such was the case for the Bellcore (now Telcordia) LSSGR standards [9] that served as requirements for the PathStar Access Server. In these documents, the requirements are not enumerated, or marked, but described in a white paper format. We thoroughly explored the standard for each feature to find requirements that were amenable to model checking. Such requirements must be testable and they must describe the required temporal behavior of the system.

To be testable, a requirement must describe some aspect of the system that is observable and the outcome of the requirement must be measurable. Not every requirement will meet this criterion. For instance, in the LSSGR standard for Call Waiting (CW), this requirement appears: "The number of special circuits (if any) that are used by a switching system in providing CW should be an engineered quantity." How do we test this requirement? From this requirement we learn that a switching system may or may not have special circuits. We can guess that traffic measurement and application of formulas are involved in determining exactly how many special circuits, if any, are needed, but this requirement doesn't give us data or the necessary formulas. Therefore, we conclude that this requirement cannot be tested with model checking because there is no measurable outcome.

To be amenable to model checking, a requirement must also specify the temporal behavior of a system; that is, how the system acts in response to external stimuli and internal conditions over time. Even if the special circuit requirement had described an observable and measurable aspect of the system, it clearly does not pass the second criterion because it does not describe temporal behavior.

Some of the features we tested were two user features and many were three or more user features. The number of users was the greatest determinant in the complexity of the feature because as the number of users increased the possible combinations of user events increased exponentially. For instance, at any given point in feature processing, any party on the call can go onhook, and for the requirements to be complete, there must be a specific system response requirement for each user's onhook event at each state of feature processing.

For the less complex features, such as Call Forwarding (forwarding an incoming call to an alternate destination under certain circumstances -- i.e. no answer, busy, etc.) or Denied Originating Service (denying the subscriber the ability to initiate calls), it was straightforward to understand the temporal behavior and the requirements could be written directly. For features with more than two users (Call Waiting, N-Way Calling, Hold, Transfer), in order to understand the behavior of the feature it was necessary to build an informal model of the intended feature behavior, e.g., in a graphical editor. An informal model, such as the one for a portion of the Call Hold feature shown in Figure 2, can be used to make sure that one has captured all the possible events that can occur and is useful for identifying relevant constraints on requirements (as will be described in Section 4.).

When the informal model is complete, we can select paths through the graph that reflect the critical aspects of the intended behavior. Each path becomes a requirement that can be checked in detail against the source code. A path in the informal model is a sequence of events, where an event is either generated by the system or by a test harness. In Figure 2, the system events are shown on a gray background. The cp refers to the controlling party, and the hp refers to the held party.
In the verification of the PathStar Access Server we devised a mechanism that allowed us to automatically generate a formal model directly from the source code of the application (which was written in C) [6]. The model extraction tool converts C source code into the input language of an efficient software model checking tool, Spin [5]. Spin uses the formal requirements (expressed in temporal logic or with the help of the TimeLine Editor tool) to fine-tune the program model with a slicing technique. The slicing algorithm in Spin uses data dependency analysis and control flow analysis to automatically abstract away details of the model that are not relevant to the requirement being checked, while retaining the parts of the model that are relevant to the requirement. The abstraction that is employed here has the important property that it is logically conservative, which means that if the abstracted model can be shown to satisfy the correctness requirement, then the original source program necessarily also satisfies that requirement.

[Figure 2. A partial model of the Call Hold feature, with a requirement, depicted as a path. Key: cp = controlling party, hp = held party, CHD code = call hold code.]

Using the requirements to guide the generation of the abstract model of the source code helps to ensure that the levels of abstraction in the requirement and the model match. For instance, if the requirements are concerned with the fact that a full digit string has been entered rather than the particular digits in the digit string, then in the model extraction step we can automatically abstract away most of the details of the digit analysis code so that we only retain the possible outcomes: invalid digits, partial digits or full digit string.

In total we analyzed 17 Telcordia LSSGR feature standards. On average we identified seven requirements to test per feature.
The feature with the largest number of test requirements identified was Call Waiting, with 13 test requirements. The large number of testable requirements for Call Waiting reflects the complexity of the feature, and the thorough and complete requirements for Call Waiting, as compared to the other features we analyzed.

3. Typical forms of requirements

As in traditional testing, when applying model checking of distributed software, it is necessary to configure the system and the test driver elements before a test can be performed. In traditional testing one would drive the system into a particular state of interest by feeding it a sequence of events, called the preamble. After the preamble, the test awaits the expected response. In model checking the preamble becomes a pattern that is matched against the executions of the system.

In model checking it is also possible to make use of known, well defined system states in order to reduce the number of events in the preamble. In a telephone switch, for instance, there are well-defined so-called stable call states such as busy, idle, dial, and 3-way call. There may be many different system executions that lead into one of these states, so using the well-defined state as the first element to be matched in the preamble, as opposed to a specific execution that leads to that state, has the effect of generalizing the requirement, thereby broadening and strengthening the check.

We can see how a system state is used in formulating a requirement by selecting a path through the fragment of the Call Hold model. The Call Hold feature allows its subscriber to place an active (non-held) party on hold in order to initiate a call to yet another party. The path we are interested in begins at a stable call state, which is defined as a call consisting of the controlling party (the party who subscribes to the Call Hold feature) and another party, in which no change to the state of the call's connection is imminent. The cp refers to the controlling party, or the party that is using Call Hold to initiate a new call, and the CHD code is the Call Hold Code, an assigned sequence of digits that invokes the Call Hold feature. For the path through the Call Hold model, the preamble consists of these events: cp flash, cp enters CHD code, cp enters digits, cp flash, cp enters CHD code. The initial event of the preamble, cp flash, occurs during the stable call state, and the required system response is that the non-held and held parties should be switched. The requirement defined by the highlighted path should pass the check.
This means that if the model checker can find any execution where the initial state and preamble occur, but the required event does not, this will be reported as a violation of the requirement.

Just as in traditional testing, in model checking the requirement is not useful if the preamble is not correct. In model checking an incorrect preamble could give a vacuously positive result because it might not match any execution in the system. We can debug the preamble by asking the model checker to find at least one sequence that matches the preamble. If the model checker finds a match, then we know that our preamble is not vacuous. If the model checker does not find such an execution, the preamble is likely to be incorrect and we can reconsider its definition.

Describing an accurate preamble can be cumbersome in temporal logic. In LTL, chains of events are most naturally expressed by a continued functional nesting of Until subformulas. For instance, the simple requirement correlating offhook and dialtone, without intervening onhook events, shown graphically in Figure 3, is stated in LTL as:

    !(!offhook U (offhook /\ X [](!dialtone /\ !onhook)))

If we wanted to add additional events between the offhook event and the response, dialtone, each event_i would require the inclusion of an additional nested Until subformula of the following form:

    X((!event_i /\ !onhook) U (event_i /\ !onhook))

The addition of events quickly makes the LTL version of the requirement long and difficult to understand. The operators used in this LTL formula are as follows. []: always, X: next, U: strong until, !: logical NOT, /\: logical AND.

[Figure 3. Timeline requirement: when the user goes offhook the system should provide dialtone. Timeline labels: START, !offhook, offhook, !onhook, dialtone; marks 0, 1, 2.]

4. Description of timeline notation

The timeline notation arose during the early phases of the project when the verification team members were writing and debugging LTL requirements for the verification effort. To clarify what was meant by a certain LTL requirement, a timeline diagram would be drawn on the board.
Once it was observed that the timeline diagram could express the requirements of interest to the application, and that it was possible to automatically convert the timeline diagrams directly to Büchi automata, a decision was made to build the TimeLine Editor tool.

A timeline is represented by a wide horizontal bar, as illustrated in Figure 3, with time progressing from left to right. Descending from the timeline bar are vertical bars, called marks, which mark the interesting event occurrences, ordered in time. The events can be generated anywhere in the system, by any one of many concurrent processes in the distributed system. Therefore, no fixed time-interval can be assumed between subsequent marks (there is no hidden assumption of a global clock).

[Figure 4. Exclusion of endpoints in a constraint. Timeline events: START, incoming call, answer, incoming call, flash, active call put on hold; constraints: idle, !flash, !disconnect active party; marks 0 to 5.]

There are three types of system events that can be indicated on the timeline.

Regular events - denoted by the letter . These are optional events, that are used to identify the precise executions of the system that we are interested in. For a switch, a regular event could be the user going offhook, flashing the hook, or the arrival of an incoming call. Most regular events are generated by test harness components, that is, the stubs of components external to the system under test.

Required events - denoted by the letter . These are events that are required to occur if all previous events (regular and required) on the timeline have occurred, under the applicable constraints (more about constraints later). It is an error if it is possible for a required event to be absent from an execution under these circumstances. For a switch, a required event might be the generation of dialtone, or the forwarding of a call.

Fail events - denoted by the letter f and a red X. These are events that should not occur if all previous events (regular and required) on the timeline have occurred, under the applicable constraints. It is an error if a fail event occurs. For a switch, a fail event might be generation of reorder tone when the user goes offhook.

Since it is an error for the system to give reorder tone (fast busy) in response to the user going offhook, we can add reorder as a fail event between the offhook and dialtone events, to strengthen the requirement, as shown in Figure 5. Now this requirement states that after we detect offhook, and while we are waiting for dialtone, if we detect reorder tone, an error has occurred.

In addition to events, there are also constraints, which are black horizontal lines positioned beneath the timeline bar.
We can use constraints to specify that we are not interested in the occurrence of particular events over certain intervals of the requirement. For instance, if there is a requirement that the system must respond to an offhook by providing dialtone, we can specify the constraint !onhook for the interval between the offhook and the dialtone event. A constraint begins at one mark and ends at the same or at a subsequent mark. A constraint can include or exclude the marks where it begins or ends. Figure 4 shows a constraint, !flash, that excludes its end mark, and another constraint, !disconnect active call, that excludes its begin mark.

[Figure 5. The requirement in Figure 3 is strengthened by the addition of the fail event, call tone.]

If a constraint endpoint includes a mark, this is indicated by a filled circle. If a constraint excludes a mark, the end point of the constraint will not overlap the mark but will terminate with a short vertical bar near the mark. If a constraint includes its begin mark then the constraint applies from the moment that the event attached to this mark occurs. If a constraint excludes its begin mark, then the constraint does not apply when the event attached to this mark occurs (but it still may hold unless expressly stated otherwise by another constraint) but it applies at the event immediately following the event attached to the begin mark. Likewise with a constraint that excludes its end mark; the constraint applies until the event immediately preceding the event attached to the constraint's end mark. If the constraint includes its end mark, then the constraint applies before the event attached to its end mark occurs and when the event attached to its end mark occurs.

A constraint that is indicated by a single filled circle with no horizontal line, such as the idle constraint in Figure 4, holds only for the event to which the constraint is attached. A constraint that begins at the START mark, such as constraint c5 in Figure 6, applies from the beginning of the execution. Constraints c1, c2, c3, and c4 of Figure 6 show the constraint variations that may apply between and before two non-fail timeline events 1 and 2, and the corresponding automata. A constraint may not begin or end at a fail event, unless the fail event is the first event or last event of the timeline. A constraint may intersect a fail event as in the case of constraint !onhook, that intersects the fail event call tone on Figure 5.

[Figure 6. Additional constraint variations. Constraints c1, c2, c3, c4, c5.]

In the requirement shown in Figure 4 for the Call Waiting feature, the first four events serve as the preamble; the part of the requirement that in effect drives the system into the state of interest. The initial step of interest in the requirement is that the subscriber is in the idle state (a stable call state) when an incoming call arrives. The subscriber then optionally answers the incoming call. If this occurs, and a second incoming call arrives, the subscriber can optionally respond by flashing the hook to invoke the Call Waiting feature. The system is then required to respond by putting the active call on hold.

Because we want to check the Call Waiting feature in particular, we may want to avoid checking executions that include a flash before the second incoming call arrives. The reason for this is that if the user flashes before the second call arrives, the system can consider the flash to be an invocation of another feature such as Call Hold or Three-Way Calling. By excluding the end mark from the constraint we restrict the exploration to those executions where the flash occurs only after the second incoming call has arrived. In the interval between the arrival of the second incoming call and the flash, or between any two adjacent marks, there may be zero or more unspecified events. If there are zero intervening events, the flash is the very next execution step after the arrival of the second incoming call.

[Figure 7. There is a sub-requirement for each required event included in a requirement.]

A system constraint can be a more complicated condition than a simple event. The example requirement in Figure 4, for instance, uses the condition idle in a constraint. Idle is not an event but rather expresses a condition on the system state, which is defined separately in terms of, e.g., values of variables at the state. Idle is a fairly general condition that includes both execution sequences where the user has never gone offhook and those in which the user has gone onhook since the last offhook. In our system, Idle requires that there are no active or held parties.

A single timeline can contain multiple regular, required and fail events. Each required or fail event in essence defines a sub-requirement, as shown in Figure 7. If any sub-requirement is violated, that is, if any required event in the specification does not occur while its preamble does, or if any fail event occurs after its preamble, it is an error. In general, a timeline must contain at least one required or fail event. Normally, the final event on the timeline will be a required or fail event. A timeline need not contain constraints.

5. Timelines as test automata

In this and the next section we describe how a timeline specification is to be converted mechanically into an equivalent test automaton that can be used in a logic model checking process, e.g., with the model checker Spin [5]. This description will also serve as our formal semantics for what a timeline really means. A more formal description of the translation is provided in the appendix as pseudocode. The test automaton produced from the timeline specification is a kind of automaton called a Büchi automaton, as will be explained shortly.

Consider this requirement from the LSSGR for the Call Waiting (CW) feature: "CW tone should be applied to the called party as an indication of a waiting call. It may be applied twice to the line with CW, once when the incoming call arrives, and then again approximately 10 seconds later if the CW line has not yet responded to the CW call."

[Figure 8. Timeline for a Call Waiting requirement. Timeline events: START, incoming call to cp, cw tone, cw tone; constraints: cp in stable call state, cp on hold, !disconnect incoming call, !cp flash; marks 0, 1, 2, 3.]

The corresponding timeline for this requirement is shown in Figure 8. This timeline states that when the call waiting subscriber (the cp) receives an incoming call, the call waiting tone (cw tone) should be given twice. The subscriber response that is awaited is a flash, so the timeline is constrained so that no calling party flash (!cp flash) occurs between the first and second occurrence of the call waiting tone. A flowchart diagram that appears at the end of the requirement document further illustrates that if the incoming call disconnects no further call waiting tones should be given. Therefore, the constraint that the incoming call does not disconnect (!disconnect incoming call) also applies. For this requirement to apply, the CW subscriber must be in a stable call state or on hold when the incoming call arrives. The subscriber is said to be in a stable call state if no change to the current connection is anticipated. The subscriber is said to be on hold if another party has placed the subscriber on hold.

Interpreting this timeline, the TimeLine Editor generates the test automaton illustrated in Figure 9. Event names are replaced by a propositional symbol, in this case the symbols through shown in the KEY of Figure 9. The states of the automaton are the nodes in the graph, represented by circles. The events, represented by arrows, drive the transitions between states. When the check begins we start out in state s0 in the test automaton. At each step in the execution of the system a transition in the test automaton is made. As long as event together with constraint does not occur, the automaton remains in its initial state, by traversing the self loop on state s0 at each execution step of the system. If and when and occurs, the test automaton can move to state s1. State s1 is called an accepting state, indicated by the double circle. If we find an execution where the test automaton can remain in such an accepting state indefinitely, that execution constitutes a violation of our timeline requirement, and the model checker will report it as an error. If, however, we see a together with the corresponding constraints p4 and, the test automaton moves to state s2. State s2 is also marked as an accepting state, which means it is an error if a system execution causes the test automaton to remain in this state indefinitely. So, another occurrence of, && p4 &&, must be observed to avoid an error report from the model checker.

[Figure 9. An automaton for timeline in Figure 8.]

[Figure 10. Never claim for automaton in Figure 9.]

The interpretation of accepting states is what differentiates a Büchi automaton from a standard finite automaton. A Büchi automaton is used to trap infinite execution sequences that violate a requirement, whereas a standard automaton can only trap finite execution sequences.

The graphical test automaton in Figure 9 is produced to aid the user in visually inspecting the test automata. The Spin model checker uses the Never Claim version of the automata, also produced by the TimeLine Editor, and depicted in Figure 10.

6. Mechanical conversion of timelines to automata

The TimeLine Editor converts timeline specifications to test automata using a straightforward algorithm. The number of states we will need in the test automaton is equal to the number of events on the timeline plus one. In the case of the Call Waiting specification shown in Figure 9, there are three events, hence four states in the automaton. In each state we are waiting for the next successive event on the timeline. For instance, for the automaton in Figure 9 and Figure 10, we start out in state s0 and we are waiting for (incoming call). While we wait for we may detect other events (outgoing call, flash, onhook, etc.) and on each of these events we traverse the self loop true. In state s1 we wait for and in state s2 we wait for the second instance of. If we just consider the events on the timeline specification and ignore the constraints for now, we derive the test automata shown in Figure 11. Both s1 and s2 have a double circle, indicating that they are special states, called accepting states.
These states are accepting because if we can remain in these states indefinitely for a particular system execution under consideration, the execution is flagged as an error by the model checker. Hence, for this example, if we can remain in state s1 indefinitely, waiting for the first required call waiting tone, this execution will be flagged as an error. Likewise, if we can remain in state s2 indefinitely, waiting for the second required call waiting tone, this will also be an error. In general, each required event will have an associated accepting state where we wait for that event to occur. The accepting state for a required event labeled will have a self loop labeled !. The states, like s0, associated with regular events, in the case of s0, will also have a self loop labeled true.

Figure 11. Test automata for timeline specification shown in Figure 8, including events only

Once the events have been used to form the structure of the automata, and the event types (normal versus required) have been used to identify normal and accepting states and transition labels, we can add the constraints. To do this we first construct a list of the constraints that overlap each event. These are summarized in Table 1.

Table 1. Constraints overlapping events for timeline in Figure 8
Event at Mark    Constraints
1
2                p4 &
3                p4 &

Table 2. Constraints that apply between events for the timeline in Figure 8
Between Events   Between Marks   Constraints
&                1 & 2           p4
&                2 & 3           p4 &

Overlapping constraints are added via conjunction to the label of the transition coming out of the waiting state associated with an event. Thus, since p4 and overlap event at mark 2, p4 && is added to the transition labeled out of state s1. In addition, a constraint that applies in the interval immediately prior to an event labeled and subsequent to the event preceding (or starting at the initial START mark if is the first event) on the timeline is added by conjunction to the self loop of the waiting state of event. Constraints that apply in the intervals between events are summarized in Table 2. In the case of event at mark 2, the constraint p4 applies in the interval between at mark 1 and at mark 2, so the constraint p4 is added to the self loop at state s1. Using the algorithm outlined above, we generate the final test automaton shown in Figure 12.

Figure 12. Test automata for timeline specification shown in Figure 8, including events and constraints

So far our description of automated automata generation has not addressed fail events. First we will discuss the general case of a fail event, that is, a fail event that is an intermediate event. Then we will discuss a special case, when the fail event is the last event. We will define the progress path of a generated automaton to be the path consisting of those states where we wait for required or regular events and those transitions that we take upon the reception of required or regular events. States in the progress path are labeled S{N}, where N is the progress state number.
Transitions in the progress path are labelled with the normal and required events and constraints that apply, as described previously. An automaton generated by the Timeline Editor will contain a single progress path and one fail path corresponding to each fail event in the timeline. A fail path is a path leading out of the progress path and terminating in an accepting state, called a fail state. Fail states are labeled F{N} where N is the fail state number. Hence, the automaton for a timeline with no fail events will contain only a progress path, and an automaton for a timeline with N fail events will contain a progress path and N fail paths. Each fail event will have an associated accepting state that we transition to if the fail event occurs in the specified interval. The transition to the fail state is made from the wait state associated with the regular or required event directly following the fail event. So for the requirement in Figure 13, the transition to the fail state F0 is made from the wait state associated with required event (cw tone). The fail state has a self loop labeled true because once in the fail state, we remain there for the remainder of the execution. Constraints that apply on the transition to the fail state are added via conjunction to the fail transition. Determining which constraints apply on the transition to the fail state is done in the same manner as for regular and required events; by inspecting which constraints overlap the fail event and which constraints apply between the mark preceding the fail event and the mark to which the fail event is attached.

Figure 13. Test automata for timeline containing intermediate fail event, including events only

A special case is a timeline that has a fail event as the last event, as in Figure 14. This variation on the call waiting requirement states that it is an error if a third call waiting tone is given. The automaton for a timeline with a fail event as the last event is created by adding a fail transition from the last progress state to a fail state. Any constraints that overlap the mark to which the final fail event is attached are added via conjunction to the fail transition. Timelines are restricted to have at most one consecutive fail event. To express that more than one event can cause a transition to the fail state while waiting for the next regular or required event, the names of the fail events may be joined via a logical or ( ) on a single fail event label. Constraints must be contiguous between non-fail events.

Figure 14. The call waiting requirement in Figure 8 is strengthened by adding a third call waiting tone as a fail event at the end of the timeline

7. Expressiveness of timelines

Test automata generated from timeline specifications constitute a limited fragment of the properties expressible in Linear Temporal Logic. In particular, timelines without fail events correspond to certain liveness properties.
The formal definition of liveness [8],[10] requires that any finite system execution must be extendable into an infinite execution that satisfies the given requirement (i.e., that does not produce a violation). From any state in the automaton we can build a finite sequence of events that leads us to the final rejecting state (state s3 in Figure 9). This means that every timeline that generates such an automaton satisfies the definition of a liveness requirement. It can also be shown that a timeline with k+1 events minimally requires an LTL formula with a, so-called, Until-depth of k [2]. This means that we would have to use k nested formulas to represent the same requirement, which makes the LTL requirement hard to read if more than two or three events are used in sequence.

Figure 15. Timeline Editor tool interface

When fail events are present, we can express more than just liveness properties. For example we can express the simple safety property that a particular (fail) event should never occur. Model checkers such as Spin can optimize the verification process if it can be guaranteed that correctness requirements are stutter-invariant [3], meaning that the requirement is not sensitive to stuttered, or repeated, individual events. Requirements expressed in the subset of LTL without a next operator, for instance, have this desirable requirement. Stutter-invariance cannot be guaranteed, though, for timeline specifications. However, fairly simple algorithmic checks on the generated automata can be used to determine whether or not a timeline requirement is stutter-invariant [4], [11], so that the verification process can be adjusted accordingly. Timeline specifications do not express real-time or performance requirements. Hence, on the few occasions that one of these requirements was encountered in the standards, such as the Call Waiting requirement that the second call waiting tone must be given within 10 seconds of the first call waiting tone, we did not test it.

8. Global constraints

In addition to constraints on events, we also occasionally need to specify constraints of a more general nature. We call these global constraints. Global constraints depend on the type of system that is being checked. For a telephone switch, the set of features that has been provisioned for a given subscriber form a global constraint. Certain subsets of features are triggered by the same events and for these there is generally a precedence relation in the feature standards that defines which feature should be invoked when all are provisioned for a given subscriber. For instance, several features could be triggered by the arrival of an incoming call. Figure 16 shows the precedence relations for features that are triggered by the arrival of an incoming call, where higher precedence features point to lower precedence features. If we want to test a requirement for the Call Waiting feature, we will need to: enable CW, and disable the higher precedence features, otherwise we will not be able to consider the executions where Call Waiting is invoked. We do, however, want to explore both the enabled and the disabled cases of potentially conflicting lower precedence features (e.g., CFBL) and potentially conflicting features that are not in Call Waiting's precedence hierarchy (there are none in this case), to ensure that these features are not mistakenly invoked when Call Waiting is enabled.

Figure 16. Precedence relations for features that are triggered by the arrival of an incoming call
Key: AC automatic callback; ACR anonymous call rejection; CFBL call forwarding busy line; CFDA call forwarding don't answer; CFMB call forwarding make busy; CFV call forwarding variable; CND calling number delivery; CW call waiting; DTS denied terminating service; RDA residential distinctive alerting

Figure 17. An example requirement violation

The Timeline Editor allows the user to select from available global constraints using the interface shown in Figure 15.
Under the Features heading the user can require that the feature be disabled (an X), enabled (a check mark), or that the model checker should consider both cases (indicated by a blank selection box). The Settings field defines additional global constraints that control the behavior of our test harness for verifying telephony software. The test harness is composed of abstract models for device behavior, subscriber behavior, and timers. These environment models are purposely designed to be hostile to further increase the scope of the model checking process. For instance, if the subscriber can generate offhook, onhook, digit, and hook-flash events, etc., the subscriber model will assume that the subscriber can generate these for even an erratically behaving subscriber. Using this approach, the model checker can verify that under no circumstances will it be possible for even an erratically behaving subscriber to cause errors in the behavior of the telephone switch. The Settings field can be used to fine tune the test harness behavior by stipulating, for instance, that exactly two flashes should be generated by the subscriber, that there should be at most 1 incoming call, that a timer may expire only if no other events can be processed, etc.

9. Error traces -- an example

An error trace found by the model checker can be displayed as either a message sequence chart or a series of concurrent execution steps, interleaved in time. Error traces reported by the model checker are often sequences with subtle race conditions, leading to a fault.

Such is the case with one violation of the dialtone requirement from Figure 3. A violation of the requirement, displayed by the model checker as the message sequence chart in Figure 17, occurs if the subscriber has call forwarding and happens to pick up the phone precisely when an incoming call is being forwarded. The call processing software can delay the generation of dialtone arbitrarily long while the system is rejecting or forwarding a stream of incoming calls. When the calls stop, the system will eventually time out and deliver dialtone (not shown here). The Parent and Child processes in the message sequence chart are system software components, whereas processes Subscriber, Call1, and Call2 are test stubs. In the software architecture of the system we tested, the Parent process spawns a Child process for each new call in which the logical subscriber participates. The model checker can also present an error scenario as a trace of C statement executions, so that the developer can analyze the sequence of executed statements leading to the error. A scenario such as this one can be extremely hard to detect with normal testing techniques, yet fairly trivial to generate with the help of a logic model checking tool.

10. Conclusions

The TimeLine Editor can simplify and speed-up the capture of formal requirements to be used in both testing and formal model checking. The TimeLine Editor software may be downloaded at: http://www.bell-labs.com/topic/swdist/

Implementing the TimeLine Editor took about one month, after which we quickly used the tool to express 117 requirements in two months time, which included analysis of copious standards documents. Of the 117 requirements we specified using the TimeLine editor, the average timeline specification contained 4 to 5 events, and 2 to 3 constraints. The most complex timeline specification contained 11 events and 7 constraints, and the simplest contained 2 events and one constraint. Thirty-eight percent of the events were required events, and the remainder served to provide context for the requirement. The TimeLine Editor is one line of work in an ongoing effort to automate more aspects of the formal verification process of complex software that we are pursuing.
The goal of the automation is to hide what the model checker does from the user so that the user does not need special training in logic to exploit the power of model checking technology in systems verification. Ultimately, we would like to be able to generate testable requirements directly from a machine readable requirements model. Most recently, we have integrated the TimeLine Editor into our new FeaVer [6] front-end tool, giving the user the ability to formulate and run tests interactively from a single interface. There are still many ways in which we may be able to improve the usefulness of our TimeLine Editor. For instance, we can extend the tool by supporting a graphical method for defining coregions of adjacent events on the timeline, to define groups of events that may occur in arbitrary order, rather than in strict timeline order. Or, we can link the TimeLine Editor more directly to the model checker, to provide feedback about reachable and unreachable portions of the timeline specification. This would give the user visual feedback on whether or not the preamble is correctly stated.

11. Reference

[1] L. K. Dillon, G. Kutty, L. E. Moser, P. M. Melliar-Smith, and Y. S. Ramakrishna. A Graphical Interval Logic for Specifying Concurrent Systems. ACM Trans. on Software Engineering and Methodology, 3(2), pp. 131-165, 1994.
[2] K. Etessami and T. Wilke, An Until hierarchy for temporal logic. 11th Ann. IEEE Symp. on Logic in Computer Science. 1996, pp. 108-117.
[3] G.J. Holzmann and D. Peled, An improvement in formal verification. Proc. Formal Description Techniques, Forte94, Bern, Sw., Chapman&Hall, 1994, pp. 197-211.
[4] G.J. Holzmann and O. Kupferman, Not checking for closure under stuttering, In: The Spin Verification System, American Mathematical Society, 1996, pp. 17-22.
[5] G.J. Holzmann, The model checker Spin, IEEE Trans. on Software Eng., 5(23):279-295, 1997.
[6] G.J. Holzmann and M.H. Smith, Automating software feature verification, Bell Labs Technical Journal, 5(2):72-87, 2000.
[7] http://www.cis.ksu.edu/santos/spec-patterns/
[8] L. Lamport, Proving the correctness of multiprocess programs. IEEE Trans. on Software Eng., 3(2):125-143, 1977.
[9] LSSGR, LATA Switching Systems Generic Requirements, FR-NWT-000064, 1992 Edition. Feature requirements, including SPCS capabilities and features. SR-504, Iss. 1, March 1996, Telcordia/Bellcore.
[10] Z. Manna, and A. Pnueli, The temporal logic of reactive and concurrent systems, Vol. 1, Springer-Verlag, 1992.
[11] D. Peled, T. Wilke, and P. Wolper, An algorithmic approach for checking closure requirements of temporal logic specifications and w-regular languages. Theoretical Computer Sciences, 195(2):183-203, March, 1998.
[12] A. Pnueli, The temporal logic of programs. Proc. 18th IEEE Symposium on Foundations of Computer Science, 1977, Providence, R.I., pp. 46-57.
[13] R. Schlor, and W. Damm. "Specification of System-Level Hardware Designs Using Timing Diagrams". In Proc. European Design Automation and European Event in ASIC Design, Feb. 1993, IEEE Press, pp. 518-524.

Appendix

The pseudocode that follows provides a description of the translation of a timeline to a Büchi automata. The algorithm keeps track of a set of states state_set, and a set of labeled transitions between them called transition_set. Each state in the state set has an associated flag indicating whether or not it is an accepting state. We process the timeline one event at a time, from left to right, associating the variable Event with the current event under consideration. The following convention is used in the pseudocode notation below:

C: denotes the conjunction of the labels of those constraints that apply to the interval between Event and the previous event (immediately prior to Event).
C : conjunction of the labels of those constraints that overlap Event.
pp: denotes the current progress point on the progress path, which is used as a marker during the translation.

We note that the automaton generated by the pseudocode below actually omits the extra redundant nonaccepting state at the end of the progress path that has been depicted in the timelines throughout the paper. The exclusion does not affect the meaning of the Büchi automaton.

Pseudocode:

    initialize:
    state_set = {init}              /* initial state set */
    transition_set = {}
    pp = init                       /* the initial progress point */
    while (more events) {
        Event = get_next_event()
        if (is_fail(Event)) {
            if (pp = init) {
                add transition (pp, TRUE && C, pp)    /* add to transition_set */
            } else {
                add transition (pp, !Event && C, pp)
            }
            add new accept state v                    /* to state_set */
            add transition (pp, C, v)
            add transition (v, TRUE, v)
        }
        if (is_required(Event)) {
            make pp an accept state
            add transition (pp, !Event && C, pp)
            add new non-accept state v_Event
            add transition (pp, Event && c, v_Event)
            pp = v_Event
        }
        if (is_regular(Event)) {
            if (pp = init) {
                add transition (pp, TRUE && C, pp)
            } else {
                add transition (pp, C && !Event, pp)
            }
            add new state v_Event
            add transition (pp, C && Event, v_Event)
            pp = v_Event
        }
    }
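The construction of Section 6 and the Appendix, as an added Python example that is not the authors' code: self loops carry the interval constraints and outgoing transitions the overlapping ones (the reading Section 6 gives), and the fail transition carries the fail event with both kinds of constraint. It goes one step beyond the text with `violates`, which checks a trace of the form prefix followed by a cycle repeated forever for a run that keeps returning to an accepting state. The proposition names and the sample timelines are assumptions constructed for illustration.

```python
def holds(label, step):
    """label: tuple of literals ('x' or '!x'); step: set of propositions true now."""
    return all((lit[1:] not in step) if lit.startswith("!") else (lit in step)
               for lit in label)

def build(timeline):
    """timeline: list of (event, kind, interval_constraints, overlap_constraints),
    kind in {'regular', 'required', 'fail'}. Returns accepting states and transitions."""
    pp, accepting, trans, n_fail = "S0", set(), [], 0
    for ev, kind, interval, overlap in timeline:
        # Self loop on the wait state: interval constraints, plus "!event" except
        # for a regular or fail event awaited in the initial state.
        wait = tuple(interval)
        if kind == "required" or pp != "S0":
            wait += ("!" + ev,)
        trans.append((pp, wait, pp))
        if kind == "fail":
            fail = f"F{n_fail}"
            n_fail += 1
            accepting.add(fail)
            trans.append((pp, (ev,) + tuple(interval) + tuple(overlap), fail))
            trans.append((fail, (), fail))      # empty label = true: stay failed
            continue
        if kind == "required":
            accepting.add(pp)                   # waiting here forever is an error
        nxt = f"S{int(pp[1:]) + 1}"
        trans.append((pp, (ev,) + tuple(overlap), nxt))
        pp = nxt
    return {"accepting": accepting, "trans": trans}

def violates(aut, prefix, cycle):
    """True if some run over prefix + cycle^omega revisits an accepting state forever."""
    word, back = prefix + cycle, len(prefix)
    def succ(node):
        q, i = node
        j = i + 1 if i + 1 < len(word) else back
        return {(dst, j) for src, lab, dst in aut["trans"]
                if src == q and holds(lab, word[i])}
    def reach(starts):
        seen, todo = set(), list(starts)
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(succ(n))
        return seen
    return any(q in aut["accepting"] and (q, i) in reach(succ((q, i)))
               for q, i in reach([("S0", 0)]))

# Constructed timeline modelled on the call waiting requirement (names are assumed).
CALL_WAITING = [
    ("incoming_call", "regular", (), ()),
    ("cw_tone", "required", ("!disconnect",), ("!disconnect",)),
    ("cw_tone", "required", ("!disconnect", "!flash"), ("!disconnect", "!flash")),
]
THIRD_TONE_FAILS = CALL_WAITING + [("cw_tone", "fail", (), ())]
```

A trace in which the incoming call disconnects or the subscriber flashes leaves the automaton with no enabled transition, so the run is dropped and no violation is reported, which is how the constraints limit the requirement to the executions it applies to.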