SLIDE 1

Combining Verification and Conformance Testing for Validating Reactive Systems

Vlad Rusu, Thierry Jéron, and Hervé Marchand

First.Last@irisa.fr

IRISA/INRIA Rennes, project Vertecs http://www.irisa.fr/vertecs

Combining verification and conformance testing - ETR’05 – p.1/38

SLIDE 2

Verification

Properties: P; Specification: S; S ⊨ P

SLIDE 3

Conformance testing

Implementation: I; Specification: S; I ioco S

SLIDE 4

Model-based development

Diagram: Properties P, Specification S, Implementation I. Verification links P and S; Testing links S and I.

SLIDE 5

Model-based development

Diagram: as on the previous slide (Verification between P and S, Testing between S and I), with the open question whether the implementation I can be related to the properties P by verification ("Verification?").

SLIDE 6

Model-based development

Diagram: Verification between P and S; Testing between S and I, and now Testing also between P and I.

SLIDE 7

Outline

• verification
• conformance testing
• combining the two: consistency? test generation.

SLIDE 8

Verification

Properties: P; Specification: S; S ⊨ P

• properties: safety, liveness, ...
• specification: SDL, Statecharts, extended automata, ...

SLIDE 9

Verification techniques

• model checking: automatic, finite-state, exact
• theorem proving: interactive, infinite-state, exact
• abstract interpretation: automatic, infinite-state, approximated (conservative)

SLIDE 10

Sample specification

Extended automaton with one variable x (guards in brackets, assignments after the slash):
• START?(p) / x := p
• MSG!(m) [m = x ∧ x > 0] / x := x − 1 (loop)
• STOP! [x = 0]

SLIDE 11

Property: after START?(p) with p > 0, no STOP! without MSG!(m) in between

Observer for the property: the initial and the intermediate location carry ∗ self-loops; START?(p) [p > 0] moves from the initial to the intermediate location; from there STOP! leads to Violate, while MSG!(m) discharges the obligation.

Specification (as on slide 10): START?(p) / x := p; MSG!(m) [m = x ∧ x > 0] / x := x − 1; STOP! [x = 0].

SLIDE 12

Verifying Property on Specification

• check reachability of Violate in the synchronous product (Spec × observer for the property)
• undecidable in general (abstract interpretation gives a conservative answer)
• here the property (with p > 0) is proved, but it cannot be proved with the weaker guard p ≥ 0 (after START?(0) the specification does STOP! immediately).

SLIDE 13

Outline

• verification
• conformance testing
  – conformance relation
  – test generation and execution
• combining the two: consistency? test generation.

SLIDE 14

Conformance testing

Implementation: I; Specification: S; I ioco S

ioco ≅ after all traces of S, outputs of I ⊆ outputs of S.

SLIDE 15

Conformance and non-conformance

S (as on slide 10): START?(p) / x := p; MSG!(m) [m = x ∧ x > 0] / x := x − 1; STOP! [x = 0].

• I1: START?(0) · STOP!; I1 ioco S.
• I2: START?(0) · MSG!(0); ¬(I2 ioco S), since after START?(0) the only output of S is STOP!.
• I3 (its three transitions read START?(0), START?(0), MSG!(0)): I3 ioco S, since after the second START?(0) the trace is no longer a trace of S and ioco constrains nothing there (judged with the quiescence-free reading of ioco from the previous slide).

SLIDE 16

Conformance?

Diagram: S (START?(p) / x := p; MSG!(m) [m = x ∧ x > 0] / x := x − 1; STOP! [x = 0]) next to an implementation I that accepts START?(0) and then stays quiet (neither MSG! nor STOP!).

SLIDE 17

Blocking and suspension

• blocking δ!: deadlock, or waiting for input
• δ! is observed on the black-box I (using timers)
• δ! is computed on S by the suspension operation δ(·): Traces(δ(S)) = Traces(S) extended with δ! wherever S is blocked.

SLIDE 18

Non-Conformance!

Diagram: δ(S) is S with δ! self-loops where it blocks: in the initial location (waiting for START?), in the loop location when x < 0, and after STOP!. δ(I) for the quiet implementation does START?(0) and then only δ!. After START?(0), δ(S) can only do STOP! (x = 0) whereas δ(I) does δ!, hence non-conformance.

SLIDE 19

Conformance relation

$I\ \mathit{ioco}\ S \iff \mathit{Traces}(\delta(I)) \cap \big(\mathit{Traces}(\delta(S)) \cdot (\Lambda^{!}_{S} \cup \{\delta\})\big) \subseteq \mathit{Traces}(\delta(S))$

where $\Lambda^{!}_{S}$ is the set of outputs of S.

“After all traces of δ(S), outputs of δ(I) ⊆ outputs of δ(S)”

SLIDE 20

Test generation & execution

Diagram: Specification S and Test Purposes feed Test Generation, which produces Test Cases (the test purpose selects the behaviours of S to test; the targeted relation is ioco). Test Execution runs the Test Cases against the Implementation I and yields Verdicts (e.g., Fail, Pass, Inconclusive).

SLIDE 21

Test Purpose and Test Case

Diagram. Test purpose: START?(p) followed by STOP!, with a ∗ self-loop elsewhere. Test case (inputs and outputs mirrored on the tester side): send START!(0); then STOP? gives Pass, while MSG?(m) or δ? gives Fail.

SLIDE 22

Outline

• verification
• conformance testing
• combining the two: consistency
  – guide the implementation towards a property violation
  – deal with “imperfect” verification
• test generation.

SLIDE 23

Using P in test generation

Diagram: Specification S and Safety Properties P enter a combined Verification (S ⊨ P?) / Test Generation step that produces Test Cases; Test Execution runs them against the Implementation I and yields Verdicts (e.g., Fail, Violate, Inconclusive). The conformance relation is still ioco.

SLIDE 24

Problem: S ⊨ P is undecidable

• try to prove S ⊨ P using abstract interpretation
• even if S ⊨ P could not be proved, generate test cases that correctly detect ¬(I ioco S), I ⊭ P, or S ⊭ P
• use symbolic techniques for test generation as well.

SLIDE 25

Outline

• verification
• conformance testing
• combining the two: consistency?
• test generation:
  – first define a canonical tester for S and ioco
  – then compute its product with the observer for the property
  – finally, analyse the product and eliminate irrelevant parts.

SLIDE 26

Canonical tester: determinisation

Determinisation det(·): det(S) is deterministic and Traces(det(S)) = Traces(S).

SLIDE 27

Canonical tester: output-completion

Output-completion Σ!(·): add a new location Fail and a transition to it on each missing output. Notation: canon(S) = Σ!(det(δ(S))).

SLIDE 28

canon(S)

Diagram: δ(S) (START?(p) / x := p; MSG!(m) [m = x ∧ x > 0] / x := x − 1; STOP! [x = 0]; δ! self-loops in the initial location, in the loop location when x < 0, and after STOP!) plus a new location Fail, reached from every location by ∗! transitions, i.e. on any output the specification does not allow there.

canon(S) = canonical tester [Brinksma] for S and ioco. ioco-conformance to S is a safety property!

SLIDE 29

Test generation: product with observer

For an observer (ω, Violate_ω) let test(S, ω) = ω ∥ canon(S). Three sets of violating locations in the product:
• ViolateFail = Violate_ω × {Fail}
• Fail = (locations of ω other than Violate_ω) × {Fail}
• Violate = Violate_ω × (locations of canon(S) other than Fail)

SLIDE 30

The ViolateFail verdict

δ(I) ⊨ (test(S, ω), ViolateFail) ⇒ ¬(I ioco S) ∧ δ(I) ⊨ (ω, Violate_ω)

The implementation violates both the property and conformance.

SLIDE 31

The Fail verdict

δ(I) ⊨ (test(S, ω), Fail) ⇒ ¬(I ioco S)

The implementation violates conformance only.

SLIDE 32

The Violate verdict

δ(I) ⊨ (test(S, ω), Violate) ⇒ δ(S) ⊨ (ω, Violate_ω) ∧ δ(I) ⊨ (ω, Violate_ω)

Specification and implementation both violate the property.
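The chain of definitions above, from the suspension operation and ioco (slides 17 to 19) to the canonical tester, its product with the observer and the three verdict sets (slides 26 to 32), can be exercised on the sample specification of slide 10. The Python model below is an added example and not the authors' tool, which works symbolically on extended automata: it enumerates S for the assumed finite parameter set PARAMS = {0, 1, 2}, builds δ(S), checks ioco against the implementations of slides 15, 16 and 18, then computes canon(S) = Σ!(det(δ(S))) and test(S, ω) for the observer with the weakened guard p ≥ 0 of slide 33 and reports which verdict locations an implementation can reach. The names chain, ioco, canon, observer and verdicts are this example's own, and the observer's ∗ loops are read here as "any label not listed explicitly".

```python
"""Executable toy of the talk's constructions on the sample specification S:
suspension δ(·), ioco, canon(S) = Σ!(det(δ(S))) and test(S, ω) = ω ∥ canon(S).
Added example, not the authors' symbolic tool: the parameter p of START?(p)
is restricted to PARAMS (an assumption) so that every model is a finite LTS."""
from collections import deque

PARAMS = (0, 1, 2)                       # assumption: values START?(p) may carry
DELTA = "δ!"                             # quiescence, observed on I with a timer
INPUTS = {f"START?({p})" for p in PARAMS}
OUTPUTS = {f"MSG!({m})" for m in PARAMS} | {"STOP!"}
FAIL, VIOLATE = "Fail", "Violate"

class LTS:
    """Labelled transition system: init state and, per state, a set of (label, next)."""
    def __init__(self, init, trans):
        self.init, self.trans = init, {s: set(t) for s, t in trans.items()}
    def enabled(self, states):
        return {l for s in states for l, _ in self.trans.get(s, ())}
    def succ(self, states, label):
        return frozenset(n for s in states for l, n in self.trans.get(s, ()) if l == label)

def chain(*labels):
    """Implementation that performs exactly the given sequence (slides 15-16)."""
    return LTS(0, {i: {(l, i + 1)} for i, l in enumerate(labels)})

def sample_spec():
    """S of slide 10: START?(p)/x:=p; MSG!(m) [m=x ∧ x>0]/x:=x-1; STOP! [x=0]."""
    trans = {"init": {(f"START?({p})", ("loop", p)) for p in PARAMS}}
    for x in PARAMS:
        trans[("loop", x)] = {(f"MSG!({x})", ("loop", x - 1))} if x > 0 else {("STOP!", "done")}
    return LTS("init", trans)

def suspend(lts):
    """δ(·): δ! self-loop on every state that enables no output (slide 17)."""
    states = {lts.init} | set(lts.trans) | {n for t in lts.trans.values() for _, n in t}
    trans = {s: set(lts.trans.get(s, ())) for s in states}
    for s, t in trans.items():
        if not any(l in OUTPUTS for l, _ in t):
            t.add((DELTA, s))
    return LTS(lts.init, trans)

def ioco(impl, spec, quiescence=True):
    """I ioco S: after each trace of δ(S), out(δ(I)) ⊆ out(δ(S)) (slide 19).
    quiescence=False is the δ-free reading of slide 14."""
    if quiescence:
        impl, spec = suspend(impl), suspend(spec)
    out = lambda lts, q: {l for l in lts.enabled(q) if l in OUTPUTS or l == DELTA}
    todo, seen = deque([(frozenset([impl.init]), frozenset([spec.init]))]), set()
    while todo:
        qi, qs = todo.popleft()
        if (qi, qs) in seen:
            continue
        seen.add((qi, qs))
        if not out(impl, qi) <= out(spec, qs):
            return False
        for l in spec.enabled(qs):           # only traces of δ(S) are examined
            if impl.succ(qi, l):             # a trace I cannot do constrains nothing
                todo.append((impl.succ(qi, l), spec.succ(qs, l)))
    return True

def canon(spec):
    """canon(S) = Σ!(det(δ(S))): subset construction on δ(S); every output or δ!
    that S does not allow leads to the fresh location Fail (slides 26-28)."""
    d, init = suspend(spec), frozenset([spec.init])
    trans, todo = {}, deque([init])
    while todo:
        q = todo.popleft()
        if q in trans:
            continue
        allowed = d.enabled(q)
        trans[q] = {(l, d.succ(q, l)) for l in allowed}
        trans[q] |= {(l, FAIL) for l in OUTPUTS | {DELTA} if l not in allowed}
        todo.extend(n for _, n in trans[q] if n != FAIL)
    return LTS(init, trans)

def observer():
    """ω of slides 11/33 with guard p ≥ 0: a STOP! after START?(p) with no MSG!(m)
    in between reaches Violate.  The ∗ loops are read as 'any other label'."""
    every = INPUTS | OUTPUTS | {DELTA}
    trans = {"idle": set(), "armed": set(), VIOLATE: {(l, VIOLATE) for l in every}}
    for l in every:
        arm = l in INPUTS and int(l[len("START?("):-1]) >= 0       # guard p ≥ 0
        trans["idle"].add((l, "armed" if arm else "idle"))
        trans["armed"].add((l, VIOLATE if l == "STOP!" else "idle" if l in OUTPUTS else "armed"))
    return LTS("idle", trans)

def verdicts(impl, spec, omega):
    """Run δ(I) against test(S, ω) = ω ∥ canon(S) and return the reachable
    verdict locations of slides 29-32: ViolateFail, Fail, Violate."""
    dI, tester = suspend(impl), canon(spec)
    todo = deque([(frozenset([dI.init]), frozenset([omega.init]), tester.init)])
    seen, found = set(), set()
    while todo:
        qi, qw, qc = todo.popleft()
        if (qi, qw, qc) in seen:
            continue
        seen.add((qi, qw, qc))
        if qc == FAIL:                       # Fail is a sink: classify and stop
            found.add("ViolateFail" if VIOLATE in qw else "Fail")
            continue
        if VIOLATE in qw:
            found.add("Violate")
        for l in dI.enabled(qi):             # I emits outputs/δ!; the tester sends
            for nc in tester.succ([qc], l):  # only inputs that det(S) accepts
                todo.append((dI.succ(qi, l), omega.succ(qw, l), nc))
    return found
```

Calling ioco with quiescence=False gives the δ-free reading of slide 14, under which the quiet implementation of slide 16 (chain("START?(0)")) and I3 of slide 15 pass; with quiescence their silence after START?(0) is compared against the STOP! that δ(S) requires and both fail, which is the point of slide 18. With the p ≥ 0 observer, I1 of slide 15 and the specification run against its own tester reach only Violate (both violate the property, slide 32), I2 and the quiet implementation reach only Fail, an implementation that answers START?(1) with STOP! reaches ViolateFail, and a conformant run that respects the property, such as chain("START?(1)", "MSG!(1)", "STOP!"), reaches no verdict location at all.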

SLIDE 33

Specification and property

Diagram: δ(S) (START?(p) / x := p; MSG!(m) [m = x ∧ x > 0] / x := x − 1; STOP! [x = 0]; δ! self-loops in the initial location, in the loop location when x < 0, and after STOP!) next to the observer of slide 11 with the weakened guard p ≥ 0 on START?(p): ∗ self-loops, STOP! to Violate, MSG!(m) discharging the obligation.

SLIDE 34

Resulting test case

Diagram (resulting test case, inputs and outputs mirrored on the tester side). Labels recoverable from the slide: START!(p) [p ≥ 0] / x := p; MSG?(m) [m = x ∧ x > 0] / x := x − 1; STOP? [x = 0]; δ? [x < 0]; ?∗ transitions to Fail; verdict locations Violate and Fail.

SLIDE 35

Simplifying a test case

Eliminate states from which the property cannot be violated (from which neither Violate nor ViolateFail is reachable).

• abstract interpretation strikes again!
• a coreachability analysis to Violate and ViolateFail yields a constraint on each transition
• strengthen the guards of the transitions with these new constraints
• only states shown to be non-coreachable are eliminated; since the analysis is approximate, some non-coreachable states may remain.

SLIDE 36

Simplified test case

Diagram (simplified test case). Labels recoverable from the slide: START!(p) with guard p ≥ 0; STOP? with guards x = 0 and x > 0; MSG?(m); ∗? transitions to Fail; verdict locations Violate, Fail and Inconc.

SLIDE 37

Conclusion

• combination of verification and conformance testing
• automatic, symbolic methods
• testing provides correct verdicts, regardless of success in the verification step
• the test case “guides” the implementation towards violating the property.

Only one among many approaches!

SLIDE 38

Questions?
