Interactive Simulation 83

A. Return to the previous simulation step by pressing the undo Simulator button.
B. In the Simulator, select the transition [38] trans dlca!dlc(1): from_waitua_input_t320: as shown in Figure 4.46, the Editor displays in bold the corresponding input (T320). In the ELSE branch, you see the output of DLCstopped, which caused the problem.

[Figure 4.46: Searching for the unexpected signal bug]

C. In the Editor, select Navigate > Up: the block type V76_DLC is now displayed, as in Figure 3.12; you see that signal DLCstopped goes to process dispatch, through the signal route DLCs.
D. In the Editor, select process dispatch and do Navigate > Down and Navigate > Next Partition: you see that under state waitUA, the input of signal DLCstopped is missing.

4.3.3.3 Correct the bug

You will add the missing input of signal DLCstopped under state waitUA in process dispatch.

A. When the Simulator is running, the Editor prevents you from modifying the SDL model: exit from the Simulator (answering No to the question) to enable the modification features of the Editor. Do not exit from the Editor.

[38] The firable transition trans dlca!dlc(1): from_waitua_input_t320 is preceded by a *: it reminds you that you executed it before the undo.

84 Validation of Communications Systems with SDL

B. In Windows (or Unix), make a copy of the file v76.pr into v76_v1.pr (but continue working on v76.pr, which becomes version 2).
C. In process dispatch, partition part2, select the input of DLCstopped under state ready, copy it, select the state waitUA and paste: the whole transition is inserted, as shown in Figure 4.47.

[Figure 4.47: Missing input of signal DLCstopped added under state waitUA]

D. In the pasted transition, don't forget to change the nextstate - into nextstate ready, otherwise you will be stuck in state waitUA.
E. Save the SDL model.

4.3.3.4 Simulate to check the bug correction

To check that the bug has been corrected, you will load and automatically replay the scenario stored in Section 4.3.3.1. See Section 4.3.1 for details on restarting the Simulator.

A. In the SDL Editor, unload all files except v76.pr.
B. If the ObjectGeode Launcher is not running, in the Editor select Tools > SDL & MSC Simulator.
C. In the ObjectGeode Launcher, press the Build button, then if you do not get any SDL errors, press the Execute button.
D. The Simulator starts: press on SDL Tracking and on Start MSC.
E. In the Editor, close all windows except Default tracking and ogsm4, close the Framework view and select Window > Tile Horizontally, to obtain the screen shown in Figure 4.38.
F. In the Simulator, select File > Scenario > Load, and open retry1.scn: after end of scenario loading, you see 0/26 in the lower part of the Simulator, as shown in Figure 4.48: it means that you are at Step 0, and the loaded scenario has 26 steps.
G. Press the button All located under Redo: (or press 26 times the redo Simulator button): when you see end of scenario execution and 26/26, it means that the scenario loaded from the file retry1.scn has been replayed entirely [39].

[39] If the scenario does not replay until the end, check that your feeds are loaded: see Section 4.3.1.4.

[Figure 4.48: The current and maximum step numbers after loading the scenario]

H. The bottom of the MSC generated by the Simulator looks like Figure 4.49(a): the signal dlcstopped has been transmitted, but it is in the queue of process dispatch.

[Figure 4.49: MSC trace: signal dlcstopped in the process queue (a) and consumed (b)]

I. To watch the input FIFO queues of the model, press the Watch button; in the Watch creation window, press Queues: as depicted in Figure 4.50, a watch window appears, displaying the contents of the queues. As expected, you can see the signal dlcstopped in the queue of process dispatch.

[Figure 4.50: Watching the input queues (callouts: first signal in the queue, signal name, signal parameter value, empty queue)]

J. In the Simulator, double-click the transition trans dlca!dispatch : from_waitua_input_dlcstopped: the signal dlcstopped disappears from the watch and the MSC shows a filled arrowhead as in Figure 4.49(b) [40].

We have returned to the initial model state, from where we can simulate other scenarios.

[40] The arrow is inclined, because the actual input of dlcstopped (the arrowhead) occurred after the process stop (the X symbol). A horizontal arrow would mean output dlcstopped, followed by input dlcstopped and then by process stop, which is not the actual behavior.

4.3.4 Detect nonsimulated parts

After a simulation session, the Simulator indicates [41] which parts of the SDL model have not been simulated:
• states
• transitions
• basic blocks [42]

An example of state, transition and basic block is provided in Figure 4.51.

[Figure 4.51: Examples of state, transition and basic block]

Then you can simulate again the SDL model until you reach 100% coverage for the states, transitions and basic blocks.
After playing all possible scenarios (which is easier using exhaustive simulation, if the model does not have too many states), the states, transitions and basic blocks not simulated are considered as “dead” parts: they can be removed, after careful inspection.

A. If the Simulator is already running, jump to E.
B. In the SDL Editor, unload all files except v76.pr.
C. If the ObjectGeode Launcher is not running, in the Editor select Tools > SDL & MSC Simulator.
D. In the ObjectGeode Launcher, press the Execute button: the Simulator starts.

[41] A counter is associated to each state, each transition and each basic block: every time a state, transition or basic block is simulated, its counter is incremented. A value of 0 means it has never been simulated.
[42] In fact, basic blocks include transitions (except the implicit transition corresponding to discarding an unexpected signal).

[Figure 4.52: The Simulator Hierarchy Browser]

E. In the Simulator, select View > Hierarchy: the Hierarchy Browser appears, as shown in Figure 4.52.
F. In the Hierarchy Browser, press the button Reset Coverage: this [43] sets to 0 the coverage counters, in case you did not restart the Simulator just before this exercise.
G. In the Hierarchy Browser, select v76test and press the button +: this displays the coverage rates of the SDL model, as illustrated in Figure 4.53.

[Figure 4.53: The coverage rates (callouts: states coverage, transitions coverage, basic blocks coverage)]

[43] It seems that there are two minor problems in the version 4.2.2 of the Simulator: just after starting the Simulator, without executing any transition, the start symbols of processes atob, btoa and dispatch are marked as executed 2 times instead of 0 (type cover state all), and if you press the button Reset Coverage in the Hierarchy Browser, the coverage counters are all correctly set to 0, but the Hierarchy Browser does not display 0 concerning btoa and dlcb!dispatch. In fact the coverage for btoa and dlcb!dispatch should not be displayed, as they are instances of the same entities as atob and dlca!dispatch. As they concern only start transitions, which will be executed in any case, these problems are not dangerous.

The first number is the percentage of states simulated, the second number is the percentage of transitions simulated and the last number is the percentage of basic blocks simulated.

H. In the Simulator, select File > Scenario > Load, and open test1.scn (see Section 4.3.2.3).
I. When you see end of scenario loading, press the button All located under Redo. The Hierarchy Browser now displays the new values of the coverage rates, as shown in Figure 4.54.

[Figure 4.54: The coverage rates after replaying test1]

We see, for example, that
• all the states in process atob, dispatch and dlc have been simulated,
• 90.9% of the transitions in process dispatch have been simulated,
• 72.4% of the basic blocks in process dispatch have been simulated.

J. Select dispatch in dlca in the Hierarchy Browser and press the two buttons shown in Figure 4.55: one displays all the transitions, the other displays only nonexecuted transitions; you see that the only transition not simulated is from_waitua_input_dlcstopped.
K. In the Hierarchy Browser, select from_waitua_input_dlcstopped and press Locate: the Editor opens process dispatch and selects the uncovered transition, as shown in Figure 4.56.

As we have only replayed the scenario test1.scn, it is normal for this transition to be detected as not simulated. To simulate it, we need to replay (without resetting the coverage counters) retry1.scn also and execute the transition trans dlca!dispatch: from_waitua_input_dlcstopped.

4.3.5 Validate against more scenarios

After simulation of the main scenarios described in Section 4.3.2, it is wise to play more scenarios to check the reaction of the SDL model.
Those scenarios can be:
• more complex: for example, two simultaneous connections,
• beyond limits: for example, creation of more connections than allowed.

[Figure 4.55: The transition not simulated in dispatch]
[Figure 4.56: The transition not simulated is automatically located]

4.3.5.1 Simulate two simultaneous connections

You will simulate to check that the SDL model can handle two connections in parallel.

A. If the Simulator is already running, jump to E.
B. In the SDL Editor, unload all files except v76.pr.
C. If the ObjectGeode Launcher is not running, in the Editor select Tools > SDL & MSC Simulator.
D. In the ObjectGeode Launcher, press the Build button, then if you do not get any SDL errors, press the Execute button.
E. The Simulator starts: press on SDL Tracking and on Start MSC.
F. In the Editor, close the Framework view and select Window > Tile Horizontally, to obtain the screen shown in Figure 4.38.
G. Load and replay the scenario cnx1.scn, as indicated for retry1.scn in Section 4.3.3.4: now one instance of process DLC exists on each side of the system.

Now establish one more connection:

H. Execute the transition dlca!dispatch: from_ready_input_l_estabreq with l_estabreq(1) from env_dlcasu (double-click it in the Simulator list, as shown in Figure 4.57). You see in the MSC trace that a new instance of process DLC is created, numbered 2.

[Figure 4.57: The transition to fire]

I. In the same way, execute the following transitions:

    dlca!dlc(2) : start
    atob(1) : from_ready_input_v76frame
    atob(1) : decision_lose_the_frame( No )
    dlcb!dispatch : from_ready_input_v76frame
    dlcb!dispatch : from_waitestabresp_input_l_estabresp with l_estabresp from env_dlcbsu
    dlcb!dlc(2) : start
    btoa(1) : from_ready_input_v76frame
    btoa(1) : decision_lose_the_frame( No )
    dlca!dispatch : from_waitua_input_v76frame
    dlca!dlc(2) : from_waitua_input_v76frame

The new connection has been established between sides A and B.

J. To check that all four instances of process DLC exist and are in state connected, enter in the Simulator:

    print dlc!state

The Simulator displays:

    dlcb!dlc(1) ! state = connected
    dlcb!dlc(2) ! state = connected
    dlca!dlc(1) ! state = connected
    dlca!dlc(2) ! state = connected

K. To test that the new connection [44] works, let’s transfer data through it; execute the following transitions:

    dlca!dispatch : from_ready_input_l_datareq with l_datareq(1, 39) from env_dlcasu
    dlca!dlc(2) : from_connected_input_l_datareq
    atob(1) : from_ready_input_v76frame
    atob(1) : decision_lose_the_frame( No )
    dlcb!dispatch : from_ready_input_v76frame
    dlcb!dlc(2) : from_connected_input_v76frame

The generated MSC, represented at blocks level in Figure 4.58, shows that block DLCb transmitted signal L_DataInd(1, 39) to the environment (representing Service User B): the data 39 has been successfully transferred from A to B through DLC 1.

L. Save the Simulator scenario: in the Simulator, select File > Scenario > Save As, enter cnx2 and press save.
M. To save the current MSC into the file cnx2.msc, enter the following command into the Simulator:

    msc cnx2

4.3.5.2 Simulate an attempt to create too many connections

You will simulate to see what happens if you try to create more connections than allowed. The maximum number of parallel connections in our model is maxDLC + 1 = 2.
Figure 3.12 shows that this number corresponds to the maximum number of instances of process DLC, which is equal to the size of the array DLCs, declared in Figure 3.14.

[44] The DLC number (of type DLCident) of the new connection is 1, and the corresponding instance number of process DLC (given by the Simulator) is 2.

[Figure 4.58: Two connections 0 and 1 in parallel (MSC cnx2 at blocks level: establishment of DLC number 0, establishment of DLC number 1, transfer of data 39 through DLC number 1)]

A. If you exited the tools since Section 4.3.5.1, launch the Simulator and replay the scenario cnx2.scn: two instances of process DLC exist on each side of the system, the maximum is reached.
B. Execute the transition dlca!dispatch: from_ready_input_l_estabreq with l_estabreq(0) from env_dlcasu. You see in the MSC trace that the system answers with an L_ReleaseInd(0): it means that no more connection can be established. But if you look at the SDL trace (or enter print state), you discover that process dispatch is stuck in state waitUA: this is a modeling bug. Also, transitions are missing in the list of firable transitions.

You will correct process dispatch to go to state ready instead of state waitUA after transmitting L_ReleaseInd.

C. Exit from the Simulator (answering No to the question) to enable the modification features of the Editor. Do not exit from the Editor.
D. In Windows (or Unix), make a copy of the file v76.pr into v76_v2.pr.
E. In process dispatch, partition part2, select the output of L_ReleaseInd under the ELSE branch of the decision and click on the nextstate palette symbol; enter - in the newly created symbol, as shown in Figure 4.59.
F. Save the SDL model.

[...]

... test1.scn executed till the end (step 41) and that both DLCs arrays contain Null:

    if (step =41 ) and (dlca!dispatch ! dlcs = ( Null )) and \
       (dlcb!dispatch ! dlcs = ( Null )) ;
    echo Replay test1.scn OK ||| test_res1.wri;
    else ;
    define test_failed True;
    ...

... the MSC trace is depicted in Figure 4.45. Trace is handy when searching the origin of a hard to find bug: you can trace the state of each process instance, of variables, of process queues, and so on.

4.3.7.8 Modifying the SDL model

Two commands allow you to modify during simulation the content of an element in the SDL model: the let textual command, and ...

... hope that the simulation will prove that this property cannot be satisfied. More details are provided in Chapter 7. Table 5.1 shows the observation formalisms that can be used in our two SDL tools ...

Validation of Communications Systems with SDL: The Art of SDL Simulation and Reachability Analysis. Laurent Doldi. 2003 John Wiley & Sons, Ltd. ISBN: 0-470-85286-0

... and save a lot of time on an actual system validation.

[45] The file extension wri ensures opening the file with WordPad just by double-click, if you are running Microsoft Windows(TM).

4.3.7.1 Aliases

To shorten textual commands, you can create aliases, a kind of macros. Alias definitions are generally stored in the file geodesm.startup (see Section 4.3.7.2) to be ...
... Integer, the default value is 0.

4.4 ERRORS DETECTABLE BY INTERACTIVE SIMULATION

In addition to the static errors detected when compiling the SDL model to generate the C code used for simulation (e.g. the ObjectGeode SDL Checker geodecheck, called before simulation, detects 541 kinds of errors and warnings), many kinds of dynamic errors are detected by ...

... error forced by the SDL error expression (e.g. n := ERROR in a task symbol)

4.4.2 Dynamic errors detected by ObjectGeode SDL Simulator

4.4.2.1 SDL model errors

• Nonconformance to expected behavior: by examining the simulation textual or MSC trace, you discover that the SDL model does not behave as expected. An example of such an error was discovered in Section 4.3.5.2.
• Deadlock: the SDL simulation should ...

... models, some behaviors can only be simulated when reasonable environment is off (for example, here you cannot send any L_EstabReq to the model before starting the 4 process instances).

[Figure 4.65: Reasonable environment off (a) and on (b)]

If loose time progression is off, the Simulator will not allow any time progression while the simulation ...

• Import–Export of variable or procedure: errors similar to output (as exported values or procedures are translated into signal exchanges)
• Value out of range: for example, in a syntype, in an Array operator or in a String operator

[47] According to the configuration of the Simulator, this can be an error or not (see Edit > Configuration).

• Variant not ...

... number of symbols trans events limit is reached
• Discarding an unexpected signal [47]: an example of such error was discovered in Section 4.3.3.1

4.4.2.2 SDL dynamic errors

• Decision answer missing: the value of the expression in a decision did not match any of the answers
• Create process instance: attempt to create more process instances than the maximum number specified (warning)
• Output (without ...

... fire it

We have seen how to filter a certain transition (filter trans .), but the argument of the filter command can also be an expression or an event. Here are some examples.

To prevent from firing any transition leading to variable n320cnt > 2 (simulation will only be possible for values 0, 1 and 2):

    filter n320cnt > 2

To prevent any output of signal L ...
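
The unexpected-signal bug of Section 4.3.3 and the coverage counters of Section 4.3.4 can be reproduced outside the Simulator. The Python model below is an added example, not code from the book or from ObjectGeode; its transition table is a simplified assumption covering only the states and signals named in the text, and the two scenarios are constructed stand-ins for test1.scn and retry1.scn.

```python
from collections import deque

# Assumed, simplified transitions of process dispatch: (state, signal) -> nextstate.
# Version 1 of the model has no input of DLCstopped under state waitUA.
BUGGY = {
    ("ready", "L_EstabReq"): "waitUA",
    ("waitUA", "V76frame(UA)"): "ready",
    ("ready", "DLCstopped"): "ready",
}
# Version 2: the DLCstopped input is copied under waitUA, with nextstate ready.
FIXED = {**BUGGY, ("waitUA", "DLCstopped"): "ready"}

# Constructed scenarios standing in for test1.scn and retry1.scn.
TEST1 = ["L_EstabReq", "V76frame(UA)", "DLCstopped"]
RETRY1 = ["L_EstabReq", "DLCstopped"]


class Process:
    def __init__(self, table, state="ready"):
        self.table = table
        self.state = state
        self.queue = deque()                    # input FIFO queue
        self.coverage = {t: 0 for t in table}   # one counter per transition
        self.discarded = []                     # (state, signal) dropped implicitly

    def step(self):
        """Consume the first queued signal; True if an explicit transition fired."""
        signal = self.queue.popleft()
        key = (self.state, signal)
        if key not in self.table:
            # SDL implicit transition: the unexpected signal is discarded
            # and the process stays in its current state.
            self.discarded.append(key)
            return False
        self.coverage[key] += 1
        self.state = self.table[key]
        return True

    def replay(self, scenario):
        """Feed each signal and fire it; coverage counters are not reset."""
        for signal in scenario:
            self.queue.append(signal)
            self.step()
        return self

    def not_simulated(self):
        """Transitions whose counter is still 0."""
        return sorted(t for t, n in self.coverage.items() if n == 0)


if __name__ == "__main__":
    v1 = Process(BUGGY).replay(RETRY1)
    print("v1:", v1.state, "discarded", v1.discarded)
    v2 = Process(FIXED).replay(TEST1)
    print("v2 after test1, not simulated:", v2.not_simulated())
    print("v2 after retry1 too:", v2.replay(RETRY1).not_simulated())
```

Replaying TEST1 alone on the version 1 table reports full transition coverage, which is why the missing input only shows up through the discarded signal and not through the coverage rates.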