Software Testing IV. Prof. Dr. Holger Schlingloff. Humboldt-Universität zu Berlin

Similar documents
COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Timed Automata: Semantics, Algorithms and Tools

Lecture 2. Decidability and Verification

Timed Automata. Rajeev Alur. University of Pennsylvania

Timed Automata From Theory to Implementation

T Reactive Systems: Kripke Structures and Automata

A Test Case Generation Algorithm for Real-Time Systems

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

Qualitätssicherung von Software (SWQS)

Specification-based Testing of Embedded Systems H. Schlingloff, SEFM 2008

Automated Formal Methods for Embedded Systems

Timo Latvala. January 28, 2004

Real-time Testing with Timed Automata Testers and Coverage Criteria

Towards Compositional Testing of Real-Time Systems

Automatic Testing with Formal Methods

Testing of software and of communication systems. Richard Castanet, Bordeaux

Specification and Analysis of Real-Time Systems Using Real-Time Maude

Specification-based Testing of Embedded Systems H. Schlingloff, SEFM 2008

Improved BDD-based Discrete Analysis of Timed Systems

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

Fachgebiet Softwaretechnik, Heinz Nixdorf Institut, Universität Paderborn. 2.3 Timed Automata and Real-Time Statecharts

Foundations of Computer Science Spring Mathematical Preliminaries

Efficient Synthesis of Production Schedules by Optimization of Timed Automata

A game-theoretic approach to real-time system testing David, Alexandre; Larsen, Kim Guldstrand; Li, Shuhao; Nielsen, Brian

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

Applied Formal Methods - From CSP to Executable Hybrid Specifications

Program verification. Generalities about software Verification Model Checking. September 20, 2016

AN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION

Reducing Clocks in Timed Automata while Preserving Bisimulation

Qualitätssicherung von Software (SWQS)

Model-based Analysis of Event-driven Distributed Real-time Embedded Systems

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS

Implementation of Lexical Analysis

Kahina Gani, Marinette Bouet, Michel Schneider, and Farouk Toumani. 1 2

Implementation of Lexical Analysis

9.5 Equivalence Relations

Model checking and timed CTL

Lecture 9: Reachability

Improvements on the Online Testing with T-UppAal: Coverage Measurement and Re-runs

Part I: Preliminaries 24

Formal Verification for UML/SysML models

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Killing strategies for model-based mutation testing

DISCRETE MATHEMATICS

LOGIC SYNTHESIS AND VERIFICATION ALGORITHMS. Gary D. Hachtel University of Colorado. Fabio Somenzi University of Colorado.

Real-Time Model-Checking: Parameters Everywhere

Negations in Refinement Type Systems

Implementation of Lexical Analysis

Specification-based Testing for Refinement

CS2 Language Processing note 3

Practical Model-based Testing With Papyrus and RT-Tester

Implementation of Lexical Analysis

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

T. Background material: Topology

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Fine-grained Compatibility and Replaceability Analysis of Timed Web Service Protocols

Overview of Timed Automata and UPPAAL

Lexical Analysis. Implementation: Finite Automata

LTCS Report. Concept Descriptions with Set Constraints and Cardinality Constraints. Franz Baader. LTCS-Report 17-02

Ch9: Exact Inference: Variable Elimination. Shimi Salant, Barak Sternberg

Modeling and Analysis of Fischer s Algorithm

On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap

THEORY OF COMPUTATION

Slides for Faculty Oxford University Press All rights reserved.

Sérgio Campos, Edmund Clarke

Implementation of Lexical Analysis

Under-Approximation Refinement for Timed Automata

Lecture 16: Hierarchical State Machines II

Discrete Mathematics Lecture 4. Harper Langston New York University

Lecture 1: Conjunctive Queries

Distributed Systems Programming (F21DS1) Formal Verification

Interaction Testing! Chapter 15!!

Implementation of Lexical Analysis

Towards a Logical Reconstruction of Relational Database Theory

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

UPPAAL. Verification Engine, Options & Patterns. Alexandre David

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

Graphical Tool For SC Automata.

Formal Methods in Software Engineering. Lecture 07

Theory of Languages and Automata

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Interaction Testing. Chapter 15

Real-time Testing with Timed Automata Testers and Coverage Criteria

More on Verification and Model Checking

Summary of Course Coverage

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

CHAPTER 8. Copyright Cengage Learning. All rights reserved.

Lexical Analysis. Lecture 2-4

Efficient Mutation Killers in Action

Further Topics in Modelling & Verification

Approximation Algorithms

Compiler Construction

want turn==me wait req2==0

Some Interdefinability Results for Syntactic Constraint Classes

MANY real-time applications need to store some data

To illustrate what is intended the following are three write ups by students. Diagonalization

Guided Test Generation from CSP Models

Lecture 15: Hierarchical State Machines I

Transcription:

Software Testing IV Prof. Dr. Holger Schlingloff Humboldt-Universität zu Berlin and Fraunhofer Institute of Computer Architecture and Software Technology FIRST

Outline of this Lecture Series 2006/11/24: Introduction, Definitions, Examples 2006/11/25-1: Functional testing 2006/11/25-2: Structural testing 2006/11/26-1: Model-based test generation 2006/11/26-2: Specification-based test generation Next week: Your turn!

Outline of This Lecture Test generation from Finite State Machines Test generation from UML StateCharts Test generation from Timed Automata

Description of Systems Finite automata have been known since the 1960 s Moore / Mealy: used to describe relations between words (input sequence is transformed into output sequence) Rabin / Scott: used to describe sets of words (accepting / non-accepting states) Can be used to describe the control flow of any system states are (equivalence classes of) configurations of the SUT transitions are actions (external or internal) changing the state

Labelled Transition Systems finite automaton without accepting states formally: (S,L,T,s 0 ) S: finite or countable nonempty set of states L: finite set of labels, τ L transition relation T S (L {τ}) S s 0 initial state Run=finite sequence {(s i l i s i+1 ) i N }, where s 0 is the initial state and (s i l i s i+1 ) T Trace = sequence of observable actions (labels τ) of a run Undirected communication! Actions just happen!

Example: A Light Switch up up dn off low dn dn high τ up can be switched up and down may internally switch off cf. windshield wiper example

Test Generation Code Generator SUT Spec (FSM) Test Generator Test Suite Test Driver / Evaluator Test Results Remarks: each box can be manual or automated if everything is automated, only the tools are tested Requirements: SUT must accept inputs from test driver SUT must provide recognisable outputs for test driver SUT must be resettable by test driver SUT must be deterministic

Conformance Given an LTS, what does it mean that an implementation is correct with respect to this model? same structure? same states? same state classes? same behaviour? same observable behaviour? same choices? fewer choices? more choices? same timing? more specific timing? Fault model (extra/missing state, unexpected output, quiescence, ) Conformance notions (Tretmans)

Trace Refinement Observable behaviour: set of sequences of visible actions of the SUT Traces (P) = set of observable behaviours of process P Imp T Spec gdw. Traces(Imp) Traces(Spec) pre-order (transitive, reflexive) minimal element is the empty trace comparable to language inclusion in finite automata theory

Testing Trace Refinement Test case = trace Test suite = set of traces Test execution of trace σ for Imp and Spec: σ Traces(Imp) pass σ Traces(Imp) Traces(Spec) pass fail, else Verdict of a test suite is the conjunction of individual verdicts Complete test suite: set of all traces over the alphabet Imp T Spec iff complete test suite passes not feasible, thus additional hypotheses (length of traces, number of certain actions etc.)

Failures Failure = (σ, A), where σ is a sequence of observable actions, A is a set of actions Failures(P) = set of failures (σ, A), such that there is an execution of P where σ can be observed, and afterwards no action from A is activated (P after σ refuses A) in automata: non-transitions Imp F Spec iff Failures(Imp) Failures(Spec) also a partial order finer than trace-refinement: Imp F Spec Imp T Spec

Failure Refinement Imp F Spec iff Failures(Imp) Failures(Spec) Imp F Spec iff (Imp after σ refuses A) implies (Spec after σ refuses A) Imp may only refuse those actions which are also refused byspec Imp may only perform those actions which are allowed by Spec Imp has less deadlocks than Spec Refinement with respect to this relation transformational development correctness proofs

Testing of Failure Refinement Test suite T = set of failures (σ, A) Complete test suite = set of all failures for a set of observable events Verdict of a test (σ, A) with respect to Imp and Spec σ Traces(Imp) pass (σ,a) Traces(Imp) for some a A pass (σ,a) Failures(Imp) Failures(Spec) pass fail, else Verdict of a test suite: all test cases pass Test of an implementation Imp Imp F Spec iff complete test suite passes (under certain side-conditions)

Conformance Imp conf Spec iff for all σ in Traces(Spec): (Imp after σ refuses A) (Spec after σ refuses A) for action sequences of the specification same as F Imp may implement additional functionaliy weaker than F (i.e. Imp F Spec Imp conf Spec) conformance testing similar as with failurerefinement-testing widely used as a correctness criterion

IOCO Taking also inputs and outputs into consideration All inputs are always enabled out(p after σ)={a! P may execute σ and then output a!} Imp ioco Spec iff for all σ in Traces(Spec): (out(imp after σ) out(spec after σ) Idea Imp is more deterministic than Spec with respect to specified inputs Imp may implement additional functionality for unspecified inputs

Implementation: TGV TGV Test Generation with Verification Conformance testing for reactive systems, black box test Automated test generation from LTS, IOCO Interaction via PCOs Verdict fail: a non-conformance was observed pass: trace could be executed in the SUT inconc: else

TGV Testing Purposes A testing purpose in TGV is a small LTS with additional transitions ACCEPT, REFUSE TGV builds the cartesian product of spec and testing purpose Test generation: determinisation of LTS and TP, enumeration of traces

UML StateCharts can be seen as LTS with hierarchy parallelism inheritance

Parallelism What is the meaning of parallelism in the specification? structural: must be implemented in parallel engineering: may be implemented in any order pragmatic: will be implemented according to the tool s scheduling strategy

Test Generation from StateCharts ATG ( automated test generator ): Add-on to the UML-tool Rhapsody by ILogix / IBM First, the model is translated into C++ by the Rhapsody code generator Then, inputs and outputs to the model / SUT are identified Then, ATG constructs test cases from the generated code according to certain coverage goals all states all transitions MC/DC

A Real-Life Example A safety protocol for industrial automation

Real Time Real Time concepts in UML (-state diagrams) (a) after (time) as a trigger (b) absolute time point (after start) as a trigger Informal semantics (a) transition will be executed t time units after becoming active (b) transition will be executed at the given time point after (5 ms) / Aktivität Zustand 1 Zustand 2 Often, this is not sufficient no minimal / maximal waiting times no possibility of using several clocks

Timed Automata Extension of LTS by clocks All clocks are constantly running (no stopwatches) All clocks run at the same speed (perfect clocks, t =1) Clocks can be reset by transitions Clocks can influence the switching of transitions S1 a, x:=0 x>1, b S2 x<2 One clock x. No invariant at s1, so the system may stay arbitrarily long in s1. When transitioning to s2 by a the clock will be reset to 0. In s2 the clock is running. After at least 1 time unit the transition to s is possible, after at most 2 time units it must happen.

Example Double-click switch Click on, click off After clicking twice fastly in a row, it becomes brigther klick klick klick off low bright x:=0 x 3 y:=0 y 300 klick x>3 Additional requirement after at most 300 ms turn darker again y>300 More about timed automata: Rajeev Alur, Tom Henzinger R. Alur and T.A. Henzinger. Real-time logics: complexity and expressiveness. Information and Computation 104(1):35-77, 1993 R. Alur and D.L. Dill. A theory of timed automata. Theoretical Computer Science 126:183-235, 1994 http://www.cis.upenn.edu/~alur/talks/sfm-rt-04.ppt

Formal Definition Assume a set X of time variables. A timed condition is a Boolean combination of formulas of the kind x<c, x c (where c is any rational number) A timed automaton is a tupel consisting of a finite set L of locations a subset L 0 of initial locations a finite alphabet Σ of events a finite set Ξ of clocks (clock-variables) An invariant Inv(s) for every location (timed condition, optional) a finite set E of transitions consisting of - source, target - event from the alphabet (optional) - timed condition (optional) - set of clocks to be reset (optional)

Semantics of Timed Automata Each timed automaton is assigned an infinite LTS: states: (l, v) where l is a location and v is an assignment of clocks with real numbers which satisfies Inv(l) initial state: (l 0,(0,,0)) transitions - control transition: (l,v) a >(l,v ) if a transition (l,a,g,r,l ) exists such that v satisfies g and v =v[r:=0] - time transition: (l,v) d >(l,v ) if l =l and v =v+d and both v and v satisfy Inv(l) Each path through the transition system is an execution of the timed automaton control and time transitions strictly alternating semantics = set of (infinite) executions, non-zeno

Determinism Attention: if e.g. the conditions are inconsistent, the set of executions may be empty Additional requirements to take care of such situations the timed conditions are mutually inconsistent (at least those for the same event) they sum up to true, i.e. the disjunction of all timed conditions is a tautology Often combined with other determinism requirements, e.g. input enabledness

Extensions of Timed Automata Input / Output Timed Automata partitioning of Σ in inputs (i?), outputs (o!), and internal events each transition can be labelled by an input or an internal event, and at thesametime byseveraloutputs Additional variables v 1,,v n with finite domains W 1,,W n location = (place, values (w 1,,w n )) Parallel and hierarchical automata similar to StateCharts usual automata product semantics (interleaving) only for convenience in modelling

Test Generation from TA Which one to choose? (Random choice might result in bad coverage ) Wanted: a strategy which covers all behaviours

Idea: Equivalence Classes Partition the infinite state space into finitely many regions such that all regions are behaviorally similar cover the region graph with untimed methods

Quotients of Automata Recall the definition of the quotient automaton of a finite automaton with respect to a partitioning of the state space abstraction of certain variables - smaller domains e.g. Int {-maxint,,-1},{0},{1,,maxint} - elimination of variables (unit domain) states in the quotient automaton are equivalence classes of states in the original automaton this is a coarsening of the specification, the set of executions becomes larger

Quotients of Timed Automata With timed automata abstraction of clock variables: the language of the untimed automaton strictly encompasses the language of the respective timed automaton maybe too coarse (why did we introduce time after all?) a b a x:=0 x>10 b Two quotient constructions have been proposed Region equivalence Zone equivalence

Regions Finite partitioning of the state space y 2 1 1 2 3 x A region (equivalence class) Definition region equivalence: Let c max be the largest constant occurring in the automaton. v R u iff the integral part of all clock valuations is equal or both >c max. the fractional part is both =0 or both >0 if x<c max and y<c max are clocks, then (x y in v iff x y in u)

Zones Finite set of inequalities All possible <-relations between all clock variables Definition: w Z w iff w and w satisfy the same inequalities x i < c, x i = c, x i x j < c, x i x j =c where x i, x j are clocks and c c max is some constant It is sufficient to check this condition for linear combinations of variables (c=k 1 *c 1 + +k n *c n )

Finiteness of the State Space The relations have a finite index i.e. there are only finitely many reqchable regions / zones i.e. the region/zone graph is finite Proof idea (regions) follows from the definition of R : there are only finitely many integral parts c max and finitely many comparisons of fractional parts Proof idea (zones) with finitely many rational numbers there are only finitely many linear combinations smaller than a given bound each timed automaton contains only finitely many constants thus there are only finitely many conditions of the mentioned form

Construction of the Region Graph y 2 1 r[x:=0] r r[y:=0] 1 2 3 Reset region Theorem: the region graph satisfies the same safety properties a the original timed automaton thus, a complete test suite for the region graph will uncover all safety errors in the timed automaton x Successor regions, Succ(r)

Example #Regions depends on #Locations, #Constants, #Clocks i.a. exponential in the number of clocks and the number and size of constants (PSPACE-complete)

UppAal, Kronos, Rabbit Tools for the construction of the region graph animated simulation temporal verification test generation (UppAal) different internal representations sets of inequalities binary decision diagrams (BDDs) difference bound matrices (DBMs) --- Presentation UPPAAL? --- http://www.cs.auc.dk/~kgl/artes/sld041.htm

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback