Model Based Testing : principles and applications in the context of timed systems
A. Rollet - ETR Brest (France) - August /63
Antoine Rollet, Université de Bordeaux - LaBRI (UMR CNRS 5800), France, rollet@labri.fr

Outline
1 Model Based Testing
2 Conformance Testing with IOLTS
3 Testing Timed Systems
4 Conclusion and further work

Introduction on testing
Why testing?
- Systems getting more and more complex: potentially more bugs
- A failure may cost a lot (human and financial)
- Earlier detection implies weaker consequences
Limitations
- "Testing can only be used to show the presence of bugs, but never to show their absence" (Dijkstra)
- Need to make some assumptions
Objective: increase the confidence in the system

Different kinds of testing
Black box / white box
- white box: most elements of the system are known, especially source code (structural testing)
- black box: implementation is considered as an unknown black box; only interfaces are known; test generation based on the specification (functional testing)
What do we intend to test
- User testing, performance testing, conformance testing, interoperability testing, robustness testing, etc.
- Testing that a black-box implementation (IUT) of a system behaves correctly wrt. its functional specification

Conformance testing of reactive systems
Reactive system: system which reacts to its environment through its interfaces.
Environment: human, software, hardware
Necessary to think about:
- Controllability: how the tester can lead the test
- Observability: how the tester can get information
- definition of Points of Control and Observation (PCO)
- definition of a test architecture

Model Based Testing
Industrial practice: manual design of test suites from informal specifications
Model Based Testing (MBT): testing with the ability to detect faults which do not conform to a model called specification.
[Figure: Specification and Implementation Under Test (IUT), linked by "specifies" and "conforms"]
- possible automation for test generation, test execution, test evaluation (verdict)
- Formal Methods

Model Based Testing (2)
Test cases are generated from the Model
Problems:
- need to find a good model of the specification
- what does "specify" mean? what does "conform" mean?
- Implementation is supposed to be equivalent to a formal model (but Implementation is unknown)
- Need to define a conformance relation between the Specification and the Implementation
At the beginning... Two main approaches of MBT:
- Finite State Machines
- Labeled Transition Systems

General schema
[Figure: Property P, Test Purpose, Specification S, Implementation I; "S P?" (VERIFICATION), "I conf S?" (TEST); Test Generation, Test cases (control, observation), Verdict]

Main ingredients of a testing theory
Specification, implementation and conformance
- Specification: model of requested behaviors
- Implementations: model of observable real behavior (unknown)
- Conformance relation: formalizes "IUT conforms to Spec"
Test cases and their executions
- Test cases, test suites: model of tests (control/observation)
- Test execution: interaction test IUT, produced observations, associated verdicts (e.g. pass, fail)
- Test suite properties: IUT passes TS IUT conf S
Test generation
- Algorithms: tests = testgen(Spec (+ TestPurpose))

References
Part essentially based on:
[Tre96] J. Tretmans, Test generation with inputs, outputs, and repetitive quiescence, Software Concepts and Tools, vol. 17, pp ,
[JJ04] C. Jard and T. Jéron, TGV: theory, principles and algorithms, a tool for the automatic synthesis of conformance test cases for non-deterministic reactive systems, Software Tools for Technology Transfer (STTT),
[Jer04] T. Jéron, Contribution à la génération automatique de tests pour les systèmes réactifs, 2004, Habilitation à Diriger des Recherches - Université de Rennes 1.

Input Output Labelled Transition System (IOLTS)
[Figure: example IOLTS with states s0 to s7, inputs ?reset and ?digit, outputs !beep, !open and !alarm, internal actions τ1 to τ4; the following slides abbreviate the labels to ?r, ?d, !b, !o, !a]
M = (Q^M, A^M, M, q0^M) with:
- Q^M set of states
- q0^M Q^M initial state
- A^M action alphabet
  - A^M_I input alphabet (with ?)
  - A^M_O output alphabet (with !)
  - I^M internal actions (τk)
- M Q^M A^M Q^M transition relation
- A^M_VIS = A^M_I A^M_O set of visible actions
The same definition is then used with the superscript M dropped: M = (Q, A, , q0), with A_I, A_O, I and A_VIS = A_I A_O.

Runs / Traces
[Figure: the example IOLTS (states s0 to s7)]
Runs: alternate sequences of states and actions fireable between those states: s0 ?d s1 τ1 s2 ?d s3 !o s4 Runs(M)
Traces: projections of Runs on visible actions: Traces(M) = {ε, ?d, ?r, ?d.?r, ?r.?d, ?d.!b, ...}
P after σ: set of states reachable from P after observation σ:
- {s2} after ?d.!o = {s0, s4}
- {s0} after ?d.!a =
- M after σ {q0} after σ

Non-determinism
[Figure: small example IOLTS over ?x, !a, !b and τ; caption: Not to be confused with uncontrolled choice]
M is deterministic if it has no internal action, and q, q, q Q, a A_VIS, (q a q q a q ) q = q
Determinization: det(M) = (2^Q, A_VIS, det, q0 after ε) with P a det P P, P 2^Q, a A_VIS and P = P after a.
Traces(M) = Traces(det(M))

Observation of quiescence
In testing practice, one can observe traces of the IUT, but also its quiescences with timers.
Only quiescences of IUT unspecified in S should be rejected.
[Figure: the example IOLTS (states s0 to s7)]
Notation: Γ(q) {a A q a }
- deadlock: no possible evolution: Γ(q) = .
- outputlock: system waiting for an action: Γ(q) A_I.
- livelock: internal actions loop: τ1, ... τn : q τ1...τn q.
quiescent(M) = deadlock(M) livelock(M) outputlock(M)

Suspension automaton
Quiescence: special output δ
The suspension iolts of M = (Q, A, , q0) is an iolts (M) = (Q, A {δ}, (M), q0) where (M) = {q δ q q quiescent(M)}.
[Figure: the example IOLTS with !δ loops on states s0, s3, s5 and s6]

Suspension traces
[Figure: (S) and det( (S)) for the example IOLTS]
STraces(M) Traces( (M)) = Traces(det( (M)))
STraces(S) and STraces(I) represent visible behaviors of S and I for testing: a base for the definition of conformance.

Testing framework
Specification: iolts S = (Q^S, A^S, S, s0^S)
Implementation: iolts IUT = (Q^IUT, A^IUT, IUT, s0^IUT)
Unknown implementation, except for its interface, identical to S's
Hyp.: IUT is input-complete: in any state, IUT accepts any input, possibly after internal actions.

Conformance relation
The conformance relation defines the set of implementations IUT conforming to S.
Conformance: IUT ioco S σ STraces(S), Out( (IUT) after σ) Out( (S) after σ)
with Out(P) Γ(P) A_O^δ: set of outputs and quiescences in P.
(A_O^δ is equivalent notation for A_O since δ is an output of (S) and (IUT).)
Intuition: IUT conforms to S iff after any suspension trace of S and IUT, all outputs and quiescences of IUT are specified by S.

ioco: example
[Figure: five IOLTS over ?a, ?b, !x, !y, !z and !δ: the specification (S) and four implementations. I1: Implem. choice; I2: Implem. of a partial spec.; I3: Unspec. output; I4: Unspec. quiescence]

Canonical Tester
From S (more precisely from det( (S)) = (Q^d, A^d, d, q0^d)), build an iolts Can(S) = (Q^c, A^c, c, q0^c), the most general iolts permitting to detect non-conformance of implementation IUT.
- Q^c = Q^d {Fail} and q0^c = q0^d
- A^c = A^c_I A^c_O where A^c_I = A^d_O and A^c_O = A^d_I: inputs of the tester are outputs of S and reciprocally (input / output inversion).
- c = d {q a c Fail q Q^d, a A^c_I (q a d )}: all non-specified outputs lead to Fail.
[Figure: Can(S) for the example, with states q0 to q4 and Fail]
IUT ioco S STraces(IUT) Traces_Fail(Can(S)) =

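
The conformance relation and the canonical tester above, as an added Python example that is not part of the original slides: it builds the suspension automaton, determinizes it on the fly and walks the suspension traces of S, which amounts to looking for a path to Fail in Can(S). The IOLTS encoding, the function names and the four sample implementations are constructed for illustration; they follow the four categories of the ioco example but are not the figure's automata.

```python
from collections import deque

DELTA = "!delta"   # quiescence, observed as the special output δ

def is_input(a):    return a.startswith("?")
def is_output(a):   return a.startswith("!")      # includes DELTA
def is_internal(a): return a.startswith("tau")

class IOLTS:
    def __init__(self, init, transitions):
        self.init, self.trans, self.states = init, {}, {init}
        for src, act, dst in transitions:
            self.trans.setdefault(src, []).append((act, dst))
            self.states |= {src, dst}

    def enabled(self, q):                  # Γ(q): actions fireable in q
        return {a for a, _ in self.trans.get(q, [])}

    def step(self, P, pred):
        return {d for q in P for a, d in self.trans.get(q, []) if pred(a)}

    def closure(self, P):                  # states reachable by internal actions
        seen, todo = set(P), list(P)
        while todo:
            for d in self.step({todo.pop()}, is_internal):
                if d not in seen:
                    seen.add(d)
                    todo.append(d)
        return frozenset(seen)

    def after(self, P, a):                 # P after a, for one visible action a
        return self.closure(self.step(P, lambda b: b == a))

def quiescent(m, q):
    outputlock = all(is_input(a) for a in m.enabled(q))   # deadlock: Γ(q) empty
    livelock = q in m.closure(m.step({q}, is_internal))   # τ-loop through q
    return outputlock or livelock

def suspension(m):
    """Add a DELTA self-loop on every quiescent state."""
    t = [(s, a, d) for s in m.states for a, d in m.trans.get(s, [])]
    return IOLTS(m.init, t + [(q, DELTA, q) for q in m.states if quiescent(m, q)])

def out(m, P):
    return {a for q in P for a in m.enabled(q) if is_output(a)}

def ioco(iut, spec):
    """None if iut ioco spec, else (suspension trace, unspecified outputs)."""
    ds, di = suspension(spec), suspension(iut)
    start = (ds.closure({ds.init}), di.closure({di.init}))
    seen, todo = {start}, deque([(start, ())])
    while todo:
        (ps, pi), trace = todo.popleft()
        extra = out(di, pi) - out(ds, ps)
        if extra:                          # the canonical tester would reach Fail
            return trace, extra
        visible = {a for q in ps for a in ds.enabled(q) if not is_internal(a)}
        for a in sorted(visible):          # only suspension traces of S matter
            nxt = (ds.after(ps, a), di.after(pi, a))
            if nxt[1] and nxt not in seen:
                seen.add(nxt)
                todo.append((nxt, trace + (a,)))
    return None

# Constructed sample automata (not the ones drawn on the slide).
BASE = [("s0", "?a", "s1"), ("s1", "!x", "s2"), ("s1", "!y", "s3")]
SPEC = IOLTS("s0", BASE)
I1 = IOLTS("s0", [("s0", "?a", "s1"), ("s1", "!x", "s2")])    # implementation choice
I2 = IOLTS("s0", BASE + [("s0", "?b", "s5"), ("s5", "!z", "s5")])  # extra input ?b
I3 = IOLTS("s0", BASE + [("s1", "!z", "s4")])                 # unspecified output
I4 = IOLTS("s0", BASE + [("s0", "?a", "s4")])                 # unspecified quiescence

if __name__ == "__main__":
    for name, impl in [("I1", I1), ("I2", I2), ("I3", I3), ("I4", I4)]:
        print(name, ioco(impl, SPEC))
```
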
Test cases
A test case is a deterministic iolts (Q^TC, A^TC, TC, t0^TC), equipped with verdict states: Pass, Fail and Inconc, s.t.
- A^TC_O = A^S_I and A^TC_I = A^S_O {δ} (input / output inversion)
- TC is controllable, i.e. never has to choose between several outputs or between inputs and outputs: q Q^TC, ( a A^TC_O, q a TC b A^TC, (b a q b TC ))
- All states permitting an input are input-complete, except verdict states.
[Figure: example test case with states t0 to t4 and verdicts Pass, Fail, Inconc]

Test execution
Modelled by the parallel composition TC (IUT) synchronizing on common visible actions
[Figure: test case TC1, the example IOLTS, and the composition TC1 (IUT)]

Properties of test suites
TC fails IUT iff an execution of TC (IUT) reaches Fail
Expresses a possibility for rejection. Due to non-controllable choices of IUT, a single test case applied on a single Implementation can produce all different verdicts!
Soundness, Exhaustiveness, Completeness
A set of test cases TS is
- Sound IUT : (IUT ioco S = TC TS : (TC fails IUT)), i.e. only non-conformant IUT may be rejected by a TC TS.
- Exhaustive IUT : ( (IUT ioco S) = TC TS : TC fails IUT), i.e. any non-conformant IUT may be rejected by a TC TS.
- Complete = Sound and Exhaustive

Test selection
Objective: find an algorithm taking as input a finite state iolts S, and satisfying the following properties:
- produces only sound test suites
- is limit-exhaustive, i.e. the infinite suite of test cases that can be produced is exhaustive
Two techniques:
1 Non-deterministic selection (à la TorX)
2 Selection guided by a test purpose (à la TGV)

Non-deterministic selection
Algorithm: partial unfolding of Can(S)
Start in q0^c. After any trace σ in Can(S):
- if Can(S) after σ Fail, emit a Fail verdict
- otherwise make a choice between:
  - produce a Pass verdict and stop,
  - consider all inputs of Can(S) after σ and continue,
  - choose one output in those of Can(S) after σ and continue.
Properties
TS = all possible test cases generated with this algorithm: TS is sound and limit-exhaustive

Examples
[Figure: Can(S) for the example and two test cases, TC1 and TC2, with Pass and Fail verdicts]

Test Purpose generation
Previous algorithm: maybe quite long if we intend to focus on a specific behavior...
Main characteristics of Test Purpose Generation:
- test selection by test purposes describing a set of behaviors to be tested, targeted by a test case,
- off-line selection, a posteriori execution.

Test Purpose definition
Test Purpose: deterministic and complete iolts TP = (Q^TP, A^TP, TP, q0^TP) equipped with two sets Accept^TP and Refuse^TP of trap states, s.t. A^TP = A^S_VIS {δ}
[Figure: Can(S) and an example test purpose TP with states p0 to p3, Accept and Refuse]

Selection principle

Synchronous Product: definition
The Synchronous Product of two iolts M1 = (Q^M1, A, M1, q0^M1) and M2 = (Q^M2, A, M2, q0^M2) is the iolts M1 M2 = (Q^M1 Q^M2, A, , q0^M1 q0^M2) where is defined by:
(q_M1, q_M2) a (q_M1, q_M2) (q_M1 a M1 q_M1) (q_M2 a M2 q_M2)

The Synchronous Product Can(S) TP
[Figure: Can(S), the test purpose TP and their synchronous product, with product states (qi, pj) and Fail]

Complete Test Graph (CTG)
- Keep the first Accept state in a path
- If q coreach(Pass) keep q
- If q {Fail} keep q
- If q coreach(Pass) input (tester point of view) successor of a state q coreach(Pass) then Inconc
[Figure: complete test graph for the example, with Pass, Inconc and Fail verdicts]

Ensuring controllability of test cases
[Figure: the complete test graph and an example of test case extracted from it]
The test suite composed of the set of test cases that the algorithm can produce is sound and limit-exhaustive.

Conclusion
- Testing theory for iolts
- Test generation for finite iolts
  - Non-deterministic selection: unfolding of Can(S)
  - Selection by test purpose: for finite iolts, based on co-reachability analysis.
- Soundness and exhaustiveness.

References
Part essentially based on:
[HLMNPS08] A. Hessel, K. Larsen, M. Mikucionis, B. Nielsen, P. Pettersson, and A. Skou, Testing real-time systems using uppaal, in Formal Methods and Testing, LNCS, vol Springer Berlin / Heidelberg, 2008, pp
[MLN04] M. Mikucionis, K. G. Larsen, and B. Nielsen, T-uppaal: Online model-based testing of real-time systems, in 19th IEEE International Conference on Automated Software Engineering (ASE 2004), September 2004, Linz, Austria. IEEE Computer Society, 2004, pp
[KT04] M. Krichen and S. Tripakis, Black-box conformance testing for real-time systems, in Model Checking Software, 11th International SPIN Workshop, Barcelona, Spain, April 1-3, 2004, LNCS vol Springer, 2004, pp

Main lines
- Need a new model to describe real-time aspects: Timed Automata with Inputs and Outputs... and semantics.
- Need a new conformance relation: rtioco
- Non-deterministic online test generation
- Discussion about offline test generation

Uppaal-like approach
Explicit and separate model of the environment
[Figure: real environment and IUT exchanging inputs i and outputs o, modelled by E and S]
+ test generation tool can synthesize only relevant scenario
+ designer can lead the test to specific situations

Timed Automaton
[Figure: coffee machine timed automaton with locations l0 to l3, clock x, actions ?coin, !wCoffee, !sCoffee]
Semantics defined in terms of TIOTS. Possibly non-deterministic

Timed Input Output Transition System (TIOTS)
Given a set of actions A, divided in A_out and A_in, and τ A. (A_τ A {τ})
If no precision is given, in the following a [k] is an action, d [k] is a delay
TIOTS definition: S = (S, s0, A_in, A_out, ) where:
- S set of states, s0 S the initial state
- S (A_τ R 0) S transition relation with
  - time determinism: (s d s s d s ) s = s
  - time additivity: (s d1 s s d2 s ) s d1+d2 s
  - zero-delay: s, s 0 s
Testing point of view: Timed Traces are considered, e.g. σ = ?coin 1 2 !wCoffee 9 ?coin

Notations / Definitions
s a s iff s τ a τ s
s d s iff s τ d1 τ d2 τ ... τ dn τ s where d = n k=1 d k
usually generalized to sequences
Observable Timed Traces TTr(s): TTr(s) = {σ (A R 0) s σ }
Example: σ = ?coin 1 2 !wCoffee 9 ?coin
After: s After σ = {s s σ s }, S After σ = s S s After σ
Out: Out(s) = {a A_out R 0 s a }, Out(S ) = s S Out(s)

Timed Automata (with Inputs and Outputs): definition
Given X set of clock variables, G(X) set of guards, U(X) set of updates.
[Figure: coffee machine timed automaton with locations l0 to l3, clock x, actions ?coin, !wCoffee, !sCoffee]
Timed Automaton TA = (L, l0, I, E) where
- L set of locations, l0 initial location
- I : L G(X) assigns invariants to locations
- E L G(X) A_τ U(X) L set of edges (written l g,α,u l )
Observable trace example: σ = ?coin Out(?coin 6 3) = {sCoffee} [0, 2]

Semantics of Timed Automata
Semantics as a TIOTS defined by:
- States of the form s = (l, v), s.t. l is a location, v R^X 0 clock valuation satisfying invariant of l
- Delay transitions: (l, v) d d.i l (d ) d (l, v + d)
- Discrete transitions: l g(v) I l (v ), v = u(v) α (l, v) (l, v ) l g,α,u
Most reasoning is done on the semantics.

Relativized timed conformance rtioco_e
- S = (S^S, s0^S, A_in, A_out, S) a weakly input enabled (i.e. s S^S, i A_in, s i ) TIOTS
- IUT = (S^IUT, s0^IUT, A_in, A_out, IUT) a weakly input enabled TIOTS
- E = (E^E, e0^E, A_out, A_in, E) (input / output inversion) weakly input enabled TIOTS.
Let s S^S, e E^E and iut S^IUT:
iut rtioco_e s iff σ TTr(e), Out((iut, e) After σ) Out((s, e) After σ)
iff TTr(iut) TTr(e) TTr(s) TTr(e)

Relativized timed conformance (2)
rtioco ensures Implementation has only the behavior allowed by Specification:
- Implementation not allowed to produce an output at a time when not allowed by Specification
- Implementation not allowed to omit producing an output when required by the Specification

rtioco examples
[Figure: timed automata of the Environment, the Specification s and the Implementation i1 of the coffee machine]
Trace σ | Out(s After σ) | Out(i1 After σ)
c 2 | R 0 | R 0
c 4 r 1 | {wCoffee, sCoffee} [0, 4] | [0, 1]
c 4 r 2 | {wCoffee, sCoffee} [0, 3] | {wCoffee, 0}
c 5 r 3 | {sCoffee} [0, 2] | {sCoffee, 0}
c 5 r 5 | {sCoffee, 0} |

rtioco examples (2)
[Figure: timed automata of the Environment, the Specification s and the Implementation i2 of the coffee machine]
Trace σ | Out(s After σ) | Out(i2 After σ)
c 2 | R 0 | R 0
c 4 r 1 | {wCoffee, sCoffee} [0, 4] | [0, 2]
c 4 r 2 | {wCoffee, sCoffee} [0, 3] | {wCoffee} [0, 1]
c 5 r 3 | {sCoffee} [0, 2] | [0, 4]
c 5 r 5 | {sCoffee, 0} | [0, 2]

Online testing (à la TorX)
On-the-fly testing: combines test generation and execution
- Non-deterministic generation
- Symbolic states
- Weakly input-enabled and non-blocking TIOTS
Advantages:
- reduces state space explosion
- handles non-determinism
Drawbacks:
- specification must be analyzed online, in real-time
- test runs may be long...
- coverage criteria cannot be guaranteed

Non-determinism
Often used:
- as means of abstraction
- to model optional behavior, permitted but not required
Determinism definition: a TIOTS (S) is deterministic if α (A_τ R 0), s S, (s α s s α s ) s = s.
[Figure: non-deterministic timed automaton with locations l0 to l6, clock x and input ?a]
(l0, x = 3) After a = {(l2, x = 3), (l4, x = 3), (l3, x = 0)}
(l5, x = 0) After 4 = {(l5, x = 4), (l6, 0 x 4)}

Uppaal TRON algorithm
TestGenExe(S, E, IUT, T)
  while Z ≠ ∅ and iterations ≤ T do
    switch: randomly choose between action, delay and restart
      case action:    /* offer an input */
        if EnvOutput(Z) ≠ ∅ then
          randomly choose i ∈ EnvOutput(Z);
          send i to IUT;
          Z := Z After i;
      case delay:     /* wait for an output */
        randomly choose d ∈ Delays(Z);
        sleep for d time units or wake up on output o at d' ≤ d;
        if o occurs then
          Z := Z After d';
          if o ∉ ImpOutput(Z) then return FAIL
          else Z := Z After o
        else Z := Z After d;
      case restart:   /* reset and restart */
        Z := {(s0, e0)}, reset IUT
  if Z = ∅ then return FAIL else return PASS

76 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 0 l 0, x = 0)} EnvOutput: coin ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 0 Wait for ouput (delay) or offer input?
77 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 0 l 0, x = 0)} EnvOutput: coin ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 0 Wait for ouput (delay) or offer input?
78 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 0 l 0, x = 0)} EnvOutput: coin ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 coin x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 0 Let s offer an input. Choose (the only) coin
79 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 1 l 1, x = 0)} EnvOutput: req ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 0 Update the state set and other variables
80 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 1 l 1, x = 0)} EnvOutput: req ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 0 Wait or offer input? Let s wait for 5 units
81 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 1 l 1, x = 5)} EnvOutput: req ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 5... no ouput so far... update the state set
82 A. Rollet - ETR Brest (France) - August /63 Example of test execution Tester k 0 Implementation l 0?wCoffe!coin k 1!req k 2?sCoffe Symbolic state set: {(k 1 l 1, x = 5)} EnvOutput: req ImpOutput: x 1!wCoffee x 5 l 2 x 3 l 0?coin l 1 x 3!sCoffee x 3 l 3 x 7 req x == 2!wCoffee x 4 l 2 x 2?coin l 1 x == 4!sCoffee x > 4 l 3 x 4 x = 5 Wait or offer input? Let s offer req
83 Example of test execution. Symbolic state set: {(k2 l2, x = 0), (k2 l3, x = 0)}. EnvOutput: (empty). ImpOutput: (empty). Clock: x = 0. Update the state set and other variables.
84 Example of test execution. Symbolic state set: {(k2 l2, x = 0), (k2 l3, x = 0)}. EnvOutput: (empty). ImpOutput: (empty). Clock: x = 0. Wait or offer input? Let's wait for 4 units.
85 Example of test execution. Symbolic state set: {(k2 l3, x = 4)}. EnvOutput: (empty). ImpOutput: {sCoffee}. Clock: x = 4. ... no output so far: update the state set.
86 Example of test execution. Symbolic state set: {(k2 l3, x = 4)}. EnvOutput: (empty). ImpOutput: {sCoffee}. Clock: x = 4. Wait or offer input? Let's wait for 2 units.
87 Example of test execution. Symbolic state set: {(k2 l3, x = 4)}. EnvOutput: (empty). ImpOutput: {sCoffee}. Clock: x = 4. The implementation sends sCoffee. Got output after 0 delay: update the state set.
88 Example of test execution. [Figure: same automata, except that the second timed automaton now emits !wCoffee at x == 4.] Symbolic state set: {(k2 l3, x = 4)}. EnvOutput: (empty). ImpOutput: {sCoffee}. Clock: x = 4. What if there is a bug? Let's wait again for 2 units.
89 Example of test execution. Symbolic state set: {(k2 l3, x = 4)}. EnvOutput: (empty). ImpOutput: {sCoffee}. Clock: x = 6. The implementation sends wCoffee. Output after 0 delay: wCoffee ∉ {sCoffee}.
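The state-set bookkeeping walked through in the slides above, as an added example that is not from the slides. It uses integer time instead of zones, and the guards and invariants of the coffee-machine specification are assumptions (the comparison operators are lost in this transcript), chosen so that the state sets match the ones shown.

```python
# Added example (not from the slides): state-set tracking for online timed
# testing, with integer time instead of zones.
# ASSUMED model: the guard/invariant operators are lost in this transcript;
# the values below are chosen to reproduce the state sets the slides show.
INVARIANT = {"l0": None, "l1": None, "l2": 3, "l3": 7}  # upper bound on x

# (source, action, kind, guard on x, target); every edge resets x to 0
EDGES = [
    ("l0", "coin",    "in",  lambda x: True,   "l1"),
    ("l1", "req",     "in",  lambda x: x <= 5, "l2"),  # weak-coffee branch
    ("l1", "req",     "in",  lambda x: x >= 3, "l3"),  # strong-coffee branch
    ("l2", "wCoffee", "out", lambda x: x >= 1, "l0"),
    ("l3", "sCoffee", "out", lambda x: x >= 3, "l0"),
]


def after_delay(states, d):
    """States still possible after d silent time units."""
    return {(loc, x + d) for loc, x in states
            if INVARIANT[loc] is None or x + d <= INVARIANT[loc]}


def after_action(states, kind, action):
    """States reachable by one input ("in") or output ("out") action."""
    return {(dst, 0)
            for loc, x in states
            for src, act, k, guard, dst in EDGES
            if src == loc and k == kind and act == action and guard(x)}


def allowed_outputs(states):
    """Outputs the specification permits now (ImpOutput on the slides)."""
    return {act for loc, x in states
            for src, act, k, guard, _dst in EDGES
            if src == loc and k == "out" and guard(x)}


def run(trace):
    """Replay an observed timed trace; return (verdict, state-set history)."""
    states = {("l0", 0)}
    history = [states]
    for kind, value in trace:
        if kind == "delay":
            nxt = after_delay(states, value)
        else:
            nxt = after_action(states, kind, value)
        if not nxt:
            if kind == "in":
                raise ValueError(f"tester offered unmodelled input {value!r}")
            return "Fail", history  # wrong output, or silence past a deadline
        states = nxt
        history.append(states)
    return "Pass", history


# Constructed traces following the walkthrough in the slides.
GOOD = [("in", "coin"), ("delay", 5), ("in", "req"),
        ("delay", 4), ("out", "sCoffee")]
BUGGY = [("in", "coin"), ("delay", 5), ("in", "req"),
         ("delay", 4), ("delay", 2), ("out", "wCoffee")]
LATE = [("in", "coin"), ("delay", 5), ("in", "req"), ("delay", 8)]

if __name__ == "__main__":
    for name, trace in (("good", GOOD), ("buggy", BUGGY), ("late", LATE)):
        verdict, history = run(trace)
        print(name, verdict, sorted(history[-1]))
```

The LATE trace goes one step beyond the slides: silence for longer than every remaining invariant allows empties the state set, so a missed deadline fails the same way a wrong output does.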
90 Properties of test cases. Let S, E and IUT be three weakly input-enabled TIOTS, with IUT deterministic. Soundness: $TestGenExe(S, E, IUT, T) = \mathrm{Fail} \Rightarrow \neg(IUT\ \mathrm{rtioco}_E\ S)$. Exhaustiveness: $\neg(IUT\ \mathrm{rtioco}_E\ S) \Rightarrow \mathrm{Prob}(TestGenExe(S, E, IUT, T) = \mathrm{Fail}) \to 1$ as $T \to \infty$. If IUT is not deterministic, exhaustiveness is not guaranteed.
91 Offline test generation: main ideas. Advantages: test cases are easier and faster to execute; possibility to guarantee a coverage or a test objective. Drawbacks: specification has to be analyzed entirely (state explosion); only deterministic (and impossible to determinize in the general case). Test Generation with Test Purpose: synchronous product between Spec. and T.P.; need a finite symbolic representation of TA (Region Graph, Zones, ...). Test Case Generation with Uppaal. Test Case Generation using Observers. Still immature...
96 Offline test generation: main ideas. Advantages: test cases are easier and faster to execute; possibility to guarantee a coverage or a test objective. Drawbacks: specification has to be analyzed entirely (state explosion); only deterministic (and impossible to determinize in the general case). Test Generation with Test Purpose. Test Case Generation with Uppaal. Still immature...
97 Test Case generation with Test Purpose using Uppaal. Uppaal Tool: model checker for temporal properties; efficient symbolic analysis (using DBM); generates diagnostic traces (shortest or fastest). Assumptions: TIOTS are deterministic, weakly input enabled and output urgent. Idea: formulate the problem as a safety property (usually solved by a reachability analysis); obtain a trace of the form $(s_0, e_0) \xrightarrow{\gamma_0} (s_1, e_1) \ldots \xrightarrow{\gamma_{n-1}} (s_n, e_n)$; obtain a test sequence by projecting the trace to the E component (and summing delays); add verdicts to the test sequence to obtain a test case. Test sequences are guaranteed to be included in the specification.
99 Example of test case. Sequence: !in0, delay, ?out0. [Figure: test case automaton with clock z (z := 0 on !in0); ?out0 at z == delay leads to Pass; ?out0 at z < delay and the other outputs ?out1 ... ?outn lead to Fail.]
100 Examples of Test Purposes (light controller). TP1: Check that the light can become bright. Simple reachability property: eventually the system specification can enter location BRIGHT. TP2: Check that the light switches off after 3 successive touches. Reachability property + specific environment. [Figure: environment automaton with three successive !touch edges (each with z := 0, guarded on z and Treact) that accepts ?off, ?dim and ?bright in between and reaches location goal on ?off.]
104 Examples of coverage criteria. Edge coverage, as a reachability property: add a boolean variable $e_i$ for each edge to be covered, initially false; add the assignment $e_i := true$ on each edge to be covered; property to reach: $e_i == true$. Location ($l_i$) coverage: add a boolean variable $b_i$ for each node, initially false (except initial); for every edge $l \xrightarrow{g,a,u} l_i$ add the assignment $b_i := true$; property to reach: $b_i == true$. Etc... but not always possible.
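The offline recipe from the slides (flag the edge to cover with a boolean e_i, ask for reachability of e_i == true, then project the diagnostic trace and sum its delays), as an added example that is not from the slides. A breadth-first search over integer clock values stands in for Uppaal, and the coffee-machine model is an assumed, deterministic variant, since the slides require determinism for offline generation.

```python
from collections import deque

# Added example (not from the slides). ASSUMED deterministic coffee-machine
# specification with one clock x; guards and invariants are constructed.
INVARIANT = {"l0": None, "l1": None, "l2": 3, "l3": 7}  # upper bound on x

# (source, action, kind, guard on x, target); every edge resets x to 0
EDGES = [
    ("l0", "coin",    "in",  lambda x: True,   "l1"),
    ("l1", "req",     "in",  lambda x: x < 3,  "l2"),
    ("l1", "req",     "in",  lambda x: x >= 3, "l3"),
    ("l2", "wCoffee", "out", lambda x: x >= 1, "l0"),
    ("l3", "sCoffee", "out", lambda x: x >= 3, "l0"),
]
CLOCK_CAP = 8  # above every constant in the model, so the search is finite


def successors(state, target_edge):
    """One-unit delay and every enabled edge from (location, x, e_i)."""
    loc, x, covered = state
    bound = INVARIANT[loc]
    if bound is None or x + 1 <= bound:
        yield ("delay", 1), (loc, min(x + 1, CLOCK_CAP), covered)
    for i, (src, act, kind, guard, dst) in enumerate(EDGES):
        if src == loc and guard(x):
            # the annotation e_i := true sits on the edge to be covered
            yield (kind, act), (dst, 0, covered or i == target_edge)


def cover_edge(target_edge):
    """Shortest trace that reaches e_i == true, or None if unreachable."""
    start = ("l0", 0, False)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state[2]:  # property to reach: e_i == true
            steps = []
            while parent[state] is not None:
                state, step = parent[state]
                steps.append(step)
            return steps[::-1]
        for step, nxt in successors(state, target_edge):
            if nxt not in parent:
                parent[nxt] = (state, step)
                queue.append(nxt)
    return None


def to_test_sequence(steps):
    """Project the trace onto the tester's side and sum adjacent delays."""
    seq = []
    for kind, value in steps:
        if kind == "delay":
            if seq and seq[-1][0] == "delay":
                seq[-1] = ("delay", seq[-1][1] + value)
            else:
                seq.append(("delay", value))
        else:
            seq.append(("send" if kind == "in" else "expect", value))
    return seq


if __name__ == "__main__":
    for i in range(len(EDGES)):
        print(i, to_test_sequence(cover_edge(i)))
```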
108 Using observers. Weaknesses of this offline approach: time-consuming to find the proper model annotation; model-checking tools are not adapted to test case generation, which may lead to performance problems. Possibility to use a language of observers to describe coverage criteria. Adaptation of model-checking algorithms for test generation based on observers.
110 Conclusion. Testing theory and generation algorithms for finite IOLTS. Extensions for Timed Automata with Inputs and Outputs. Off-line and on-line algorithms. Perspectives: mature tools (scaling); real-time coverage criteria; testing seen as game theory; add variables with complex assignments; run-time verification / enforcement in the timed setting.
112 Thank you for your attention. rollet@labri.fr
Temporal logics and explicit-state model checking Pierre Wolper Université de Liège 1 Topics to be covered Introducing explicit-state model checking Finite automata on infinite words Temporal Logics and
More informationRevising UNITY Programs: Possibilities and Limitations 1
Revising UNITY Programs: Possibilities and Limitations 1 Ali Ebnenasir, Sandeep S. Kulkarni, and Borzoo Bonakdarpour Software Engineering and Network Systems Laboratory Department of Computer Science and
More informationLogic Model Checking
Logic Model Checking Lecture Notes 10:18 Caltech 101b.2 January-March 2004 Course Text: The Spin Model Checker: Primer and Reference Manual Addison-Wesley 2003, ISBN 0-321-22862-6, 608 pgs. the assignment
More informationAutomatic Synthesis of Distributed Protocols
Automatic Synthesis of Distributed Protocols Rajeev Alur Stavros Tripakis 1 Introduction Protocols for coordination among concurrent processes are an essential component of modern multiprocessor and distributed
More informationMODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS
TKK Reports in Information and Computer Science Espoo 2008 TKK-ICS-R3 MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS Jussi Lahtinen ABTEKNILLINEN KORKEAKOULU TEKNISKA HÖGSKOLAN HELSINKI UNIVERSITY OF
More informationA practical introduction to active automata learning
A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU Dortmund SFM2011 Maik Merten, learning technology 1 Overview Motivation Introduction to active automata
More informationRobust Reachability in Timed Automata: A Game-based Approach
Robust Reachability in Timed Automata: A Game-based Approach Patricia Bouyer, Nicolas Markey, and Ocan Sankur LSV, CNRS & ENS Cachan, France. {bouyer,markey,sankur}@lsv.ens-cachan.fr Abstract. Reachability
More informationInformation Flow Analysis via Path Condition Refinement
Information Flow Analysis via Path Condition Refinement Mana Taghdiri, Gregor Snelting, Carsten Sinz Karlsruhe Institute of Technology, Germany FAST September 16, 2010 KIT University of the State of Baden-Wuerttemberg
More informationReal-Time Systems. Lecture 10: Timed Automata Dr. Bernd Westphal. Albert-Ludwigs-Universität Freiburg, Germany main
Real-Time Systems Lecture 10: Timed Automata 2013-06-04 10 2013-06-04 main Dr. Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany Contents & Goals Last Lecture: PLC, PLC automata This Lecture:
More informationDecentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1
Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1 Stavros Tripakis 2 VERIMAG Technical Report TR-2004-26 November 2004 Abstract We introduce problems of decentralized
More informationsystem perform its tasks (performance testing), how does the system react if its environment does not behave as expected (robustness testing), and how
Test Generation with Inputs, Outputs, and Repetitive Quiescence Jan Tretmans Tele-Informatics and Open Systems Group Department of Computer Science University of Twente P.O. Box 17, NL-7500 AE Enschede
More informationA framework based on implementation relations for implementing LOTOS specifications
Published in: Computer Networks and ISDN Systems, 25 (1992), 23-41 A framework based on implementation relations for implementing LOTOS specifications Guy Leduc Research Associate of the National Fund
More informationDISTINGUISHABILITY RELATIONS BETWEEN INITIALIZED NONDETERMINISTIC FSMs. Nina Yevtushenko Tomsk State University, Russia April, 12, 2011
DISTINGUISHABILITY RELATIONS BETWEEN INITIALIZED NONDETERMINISTIC FSMs Nina Yevtushenko Tomsk State University, Russia April, 12, 2011 Outline 1. Why do we need distinguishability relations? 2. External
More informationGeorg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS
Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS Proceedings SDPS, Fifth World Conference on Integrated Design and Process Technologies, IEEE International Conference on Systems Integration, Dallas,
More informationAlgebraic Trace Theory
Algebraic Trace Theory EE249 Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October 21, 2002 ee249
More informationmodels, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS
models, s, LIAFA - University Paris Diderot and CNRS PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics Context A model for verification of real-time systems Invented by Alur and Dill in early
More informationFormal Methods in Software Engineering
Formal Methods in Software Engineering Modeling Prof. Dr. Joel Greenyer October 21, 2014 Organizational Issues Tutorial dates: I will offer two tutorial dates Tuesdays 15:00-16:00 in A310 (before the lecture,
More informationAlgorithmic verification
Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018 Outline Overview Model checking Symbolic execution Outline Overview Model checking Symbolic execution Program verification
More informationModel-Based Testing: Testing from Finite State Machines
Model-Based Testing: Testing from Finite State Machines Mohammad Mousavi University of Leicester, UK IPM Summer School 2017 Mousavi FSM-Based Testing IPM 2017 1 / 64 Finite State Machines Outline 1 Finite
More informationComputation Tree Logic (CTL) & Basic Model Checking Algorithms
Computation Tree Logic (CTL) & Basic Model Checking Algorithms Martin Fränzle Carl von Ossietzky Universität Dpt. of Computing Science Res. Grp. Hybride Systeme Oldenburg, Germany 02917: CTL & Model Checking
More informationMotors Automation Energy Transmission & Distribution Coatings. Servo Drive SCA06 V1.5X. Addendum to the Programming Manual SCA06 V1.
Motors Automation Energy Transmission & Distribution Coatings Servo Drive SCA06 V1.5X SCA06 V1.4X Series: SCA06 Language: English Document Number: 10003604017 / 01 Software Version: V1.5X Publication Date:
More informationVerification of Hybrid Systems with Ariadne
Verification of Hybrid Systems with Ariadne Davide Bresolin 1 Luca Geretti 2 Tiziano Villa 3 1 University of Bologna 2 University of Udine 3 University of Verona An open workshop on Formal Methods for
More informationAdmissible Strategies for Synthesizing Systems
Admissible Strategies for Synthesizing Systems Ocan Sankur Univ Rennes, Inria, CNRS, IRISA, Rennes Joint with Romain Brenguier (DiffBlue), Guillermo Pérez (Antwerp), and Jean-François Raskin (ULB) (Multiplayer)
More informationLecture 2: Symbolic Model Checking With SAT
Lecture 2: Symbolic Model Checking With SAT Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 (Joint work over several years with: A. Biere, A. Cimatti, Y.
More informationPartial Order Reductions for Timed Systems
Partial Order Reductions for Timed Systems Johan Bengtsson 1 Bengt Jonsson 1 Johan Lilius 2 Wang Yi 1 1 Department of Computer Systems, Uppsala University, Sweden. Email: {bengt,johanb,yi}@docs.uu.se 2
More information