Teaching MC to Undergrads
Abhik Roychoudhury, National University of Singapore
What it is about
- Training on FV (model checking) as part of a 4th year elective module.
- Fitting an FV course into a very “non-formal” style curriculum: no mandatory course on logics or automata. Only a very basic background in propositional and predicate logic (from the Discrete Mathematics course) is assumed.
- An undergraduate elective module in our Computer Engineering (Embedded Systems) curriculum.
The context
- An elective in Computer Engineering, among: Critical Systems and their Verification; Hardware Software Co-design; Mobile Computing; Performance Analysis of Embedded Systems; Embedded Software Design; …
- Offered over 5 years; 45-55 students chose it among 75 students.
Students’ perspective
- First introduction to formal methods. Not even a good introduction to the formal models.
- A sort of reluctant interest in what the techniques are about, and how they can be useful for ES design.
Teacher’s perspective
- Start and stay connected: try to build up how formal techniques can be useful by discussing industry design practices.
- Ensure basic coverage: transition systems, temporal logics, model checking, BDDs, symbolic model checking.
- Focus on system modeling via a term project.
- Give students a chance to explore via projects. We use the SMV checker.
Introducing Validation Methods
- In-circuit emulator (ICE): validating a microprocessor interacting with peripherals; the processor is physically replaced with the ICE.
- Logic analyzer: observing signals on a bus.
- Model-based simulation.
- Formal verification techniques: model checking, theorem proving.
More on Introduction
- No emphasis on historic incidents (Therac-25, Ariane, Pentium FP bug, …).
- Discuss (old) industry practices: physically observing processors/buses with expensive dedicated hardware.
- Go on to FV via model-based simulation.
Coverage
- Start with transition systems and immediately after discuss the SMV model checker.
- Modeling circuits, controllers and protocols (simple).
- Experience report on SMV as a debugging aid: the AMBA bus protocol from ARM (personal experience). A starvation scenario was suspected during modeling of the protocol and confirmed by the SMV model checker.
- Sharing own experiences: no overselling.
- Temporal properties presented informally first (when discussing the case study) and then formally.
Coverage: students’ side
- Connection between programs/protocols and the underlying transition systems. Make this connection first! Students are used to transformational systems.
- System execution traces of infinite length? Can be studied after the students are comfortable with transition systems and Kripke structures.
- Temporal logics: start with LTL after the students are comfortable with infinite-length execution traces.
Project
- We all want hands-on training in FV: several assignments, or one project?
- Difficulties in administering projects:
  - Choosing at the beginning of the semester, with no clear idea of FV at this stage: give out and discuss a list of possible projects.
  - Different students choosing different projects: consultation.
Example term project
- Modeling and validation of a bus protocol (IBM CoreConnect), or a distributed controller (railways), or …
- Reading requirements (often 60-100 pages); identifying processes and state variables. Introduce generic modeling tricks early in lectures.
- Assume implementation correctness for proving design or protocol correctness.
- Fairness of the arbiter is needed for no-starvation.
- Property specification and model checking.
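The AMBA starvation experience mentioned under Coverage and the term-project note that arbiter fairness is needed for no-starvation can be made concrete with a small explicit-state check. The following is an added example, not code from the slides or from the CS4271 course materials, and it uses Python instead of SMV so that the link between a protocol description and its underlying transition system stays visible: a two-client bus arbiter is built as a Kripke structure from a successor function, and the starvation query for one client (the client keeps requesting but is never granted along some infinite run) is answered by searching for a reachable cycle that stays inside the starving states. The state encoding, the two arbiter variants (nondeterministic and round-robin) and the fairness constraint NO_HOG ("no client holds the bus forever") are constructed for this example.

```python
"""Explicit-state starvation check for a two-client bus arbiter (example)."""
from itertools import product

# State: (req1, req2, grant, turn)        -- encoding chosen for this example
#   req_i : 1 if client i is currently requesting the bus
#   grant : 0 (bus idle), or 1 / 2 = client holding the bus in this state
#   turn  : client with priority at the next arbitration (round-robin only)
INIT = (0, 0, 0, 1)


def client_moves(s):
    """Request vectors the clients may present in the next step (nondeterministic)."""
    req1, req2, grant, _ = s
    choices = []
    for i, req in ((1, req1), (2, req2)):
        if req == 1 and grant != i:
            choices.append((1,))        # a waiting client keeps its request
        else:
            choices.append((0, 1))      # idle or just-served client may (re)request
    return product(*choices)


def nondet_arbiter(s, new_reqs):
    """Work-conserving arbiter that grants any requesting client (design leaves choice open)."""
    requesting = [i for i, r in zip((1, 2), new_reqs) if r]
    if not requesting:
        return [(0, s[3])]
    return [(g, s[3]) for g in requesting]


def round_robin_arbiter(s, new_reqs):
    """Arbiter that prefers the client whose turn it is, then rotates the turn."""
    turn = s[3]
    for cand in (turn, 3 - turn):
        if new_reqs[cand - 1]:
            return [(cand, 3 - cand)]
    return [(0, turn)]


def successors(s, arbiter):
    for new_reqs in client_moves(s):
        for grant, turn in arbiter(s, new_reqs):
            yield (new_reqs[0], new_reqs[1], grant, turn)


def reachable(init, arbiter):
    """Build the reachable Kripke structure as a dict state -> successor list."""
    seen, stack, edges = set(), [init], {}
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        edges[s] = list(successors(s, arbiter))
        stack.extend(edges[s])
    return edges


def sccs(graph):
    """Tarjan's algorithm; returns the strongly connected components as sets."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            result.append(comp)

    for v in graph:
        if v not in index:
            visit(v)
    return result


# Fairness assumption on the arbiter: neither client holds the bus forever.
NO_HOG = (lambda s: s[2] != 1, lambda s: s[2] != 2)


def find_starvation(arbiter, client, fairness=()):
    """Return the states of a reachable fair cycle on which `client` requests
    but is never granted (a starvation lasso), or None if no such cycle exists.
    Because a waiting client keeps its request, 'eventually always starving'
    is exactly a violation of G(req -> F grant) for that client."""
    edges = reachable(INIT, arbiter)
    starving = lambda s: s[client - 1] == 1 and s[2] != client
    # Subgraph induced by the starving states: the cycle must stay inside it.
    bad = {s: [t for t in succ if starving(t)]
           for s, succ in edges.items() if starving(s)}
    for comp in sccs(bad):
        nontrivial = len(comp) > 1 or any(v in bad[v] for v in comp)
        fair = all(any(f(s) for s in comp) for f in fairness)
        if nontrivial and fair:
            return comp
    return None


if __name__ == "__main__":
    print("nondet, no fairness :", find_starvation(nondet_arbiter, 1))
    print("nondet, NO_HOG      :", find_starvation(nondet_arbiter, 1, NO_HOG))
    print("round-robin         :", find_starvation(round_robin_arbiter, 1))
```

The nondeterministic arbiter reports the cycle in which client 2 releases and immediately re-requests while the arbiter keeps picking it, which is the kind of starvation scenario the SMV run on AMBA confirmed. Adding the NO_HOG constraint rules that cycle out, showing that the unconstrained design is correct only under a fairness assumption, whereas the round-robin design needs no such assumption because the rotating turn guarantees service by construction.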
Summary: offering FV as an elective to the non-FV-inclined
- Analyze student background (easier to handle if we realize it).
- How to introduce the topic: not as something radical which prevents disastrous errors, but as an improvement over existing design practices.
- Students’ need to explore: administering term projects on different topics. Need to discuss standard system modeling tricks early.
Websites
- http://www.comp.nus.edu.sg/~abhik/CS4271/
- Lesson plan: http://www.comp.nus.edu.sg/~abhik/CS4271/lesson-plan.html (all lecture notes available)
- List of potential projects: http://www.comp.nus.edu.sg/~abhik/CS4271/proj-ideas.html