Complementary Criteria for Testing Temporal Logic Properties (PowerPoint PPT Presentation)

Complementary Criteria for Testing Temporal Logic Properties
Gordon Fraser and Franz Wotawa
Graz University of Technology, Austria

Model-Based Development Process
Figure: the stages Informal ideas, Specification, Design, Code and Realization, spanning the Informal world, the World of models and the Real world. Activities shown between the stages: Validation, Formal verification, Model-based testing.
Specification Based Testing
Figure: the same development process, with the Specification split into Requirement Properties and an Executable Specification. Activities shown: Formal verification, Specification based testing.
Test cases derived from executable spec
- When is a property covered?
- How is it covered?
- How to generate tests for properties?
- Which tests to generate?
- Contribution: 2 new criteria to measure and generate tests
- Assumption: Properties specified in temporal logic
Model Checking
Does the Model satisfy the Property G (x −> F y)?
- Model satisfies Property: the model checker confirms that the property holds.
- Model violates Property: the model checker returns a Counterexample.
Specification Based Testing
Figure: LTL Properties are given to a Model Checker, which produces Counterexamples.
Test Case Generation with Model Checkers
Figure: Coverage criteria applied to the specification yield test predicates; each test predicate tp is turned into a trap property never(tp) and handed to the model checker; a counterexample (Cex) is a sequence of states that cover tp, i.e. a test; the test suite generator collects each test together with its coverage info into the test suite.
Example Specification: NuSMV

    MODULE main
    VAR
      accelerate: boolean;
      brake: boolean;
      velocity: { stop, slow, fast };
    ASSIGN
      init(velocity) := stop;
      next(velocity) := case
        accelerate & !brake & velocity = stop : slow;
        accelerate & !brake & velocity = slow : fast;
        !accelerate & !brake & velocity = fast : slow;
        !accelerate & !brake & velocity = slow : stop;
        brake: stop;
        TRUE : velocity;
      esac;
Temporal Logics
Example properties (LTL) over the NuSMV model:
- G ¬(velocity = fast)   (G: globally, in every state of the path)
- X velocity = slow      (X: in the next state)
- F ¬accelerate          (F: finally, in some future state)
- accelerate U brake     (U: until)
Coverage Criteria
Case row of the NuSMV model under test:
    accelerate & !brake & velocity = stop : slow;
Predicate Coverage (trap properties for this row; a counterexample to each is a test):
- G (accelerate ∧ ¬brake ∧ velocity = stop → X ¬(velocity = slow))
- G (¬(accelerate ∧ ¬brake ∧ velocity = stop) → X (velocity = slow))
- 15 specification based test criteria
- 2 property based criteria: 1 based on vacuity, 2 based on MCDC
Unique First Cause Coverage
- MCDC: Test cases where clauses affect predicates
- UFC [Whalen et al., 2006]: Clause c is the unique first cause of a formula A, if in the first state along a path where A is satisfied, it is satisfied because of c
- Example: (a ∨ b), F (a ∨ b)
- Defined as set of rules
- Apply rules to property → set of test predicates
- Rules applied to all properties
- Test predicates: Measure coverage and generate tests
Unique First Cause Coverage is not enough
G ((c1 ∧ c2) ↔ X d)
- UFC covers:
  - Where c1 causes d to be false.
  - Where c2 causes d to be false.
  - Where c1 ∧ c2 causes d to be true.
- What if d represents a safety critical value?
- Is ¬c1 ∧ ¬c2 covered?
- → Property Inactive Clause Coverage
Property Inactive Clause Coverage
Rules (Π(A) is the set of PICC test predicates of formula A):
Π(x) = {x, ¬x}
Π(A ∧ B) = {a ∧ ¬B | a ∈ Π(A)} ∪ {¬A ∧ b | b ∈ Π(B)}
Π(A ∨ B) = {a ∧ B | a ∈ Π(A)} ∪ {A ∧ b | b ∈ Π(B)}
Π(¬A) = Π(A)
Π(G(A)) = {A U (a ∧ G(A)) | a ∈ Π(A)}
Π(F(A)) = {¬A U (a ∧ (A ∨ F A)) | a ∈ Π(A)}
Π(X(A)) = {X(a) | a ∈ Π(A)}
Π(A U B) = {(A ∧ ¬B) U (a ∧ (B ∨ (A U B))) | a ∈ Π(A)} ∪ {(A ∧ ¬B) U (b ∧ (B ∨ (A U B))) | b ∈ Π(B)}
Property Inactive Clause Coverage: worked example
Property: φ = G (x → X y)
Rule: Π(G(A)) = {A U (a ∧ G(A)) | a ∈ Π(A)}
Result: {(x → X y) U (a ∧ G (x → X y)) | a ∈ Π(x → X y)}

Subformula: x → X y
Rules: Π(A ∨ B) = {a ∧ B | a ∈ Π(A)} ∪ {A ∧ b | b ∈ Π(B)}; Π(¬A) = Π(A)
Result: Π(x → X y) = Π(¬x ∨ X y) = {a ∧ X y | a ∈ Π(¬x)} ∪ {¬x ∧ b | b ∈ Π(X y)}

Subformula: X y
Rule: Π(X(A)) = {X(a) | a ∈ Π(A)}
Result: Π(X y) = {X(a) | a ∈ Π(y)} = {X(y), X(¬y)}

Property: φ = G (x → X y)
Result:
  {(x → X y) U ((x ∧ X y) ∧ G (x → X y)),
   (x → X y) U ((¬x ∧ X y) ∧ G (x → X y)),
   (x → X y) U ((¬x ∧ X(y)) ∧ G (x → X y)),
   (x → X y) U ((¬x ∧ X(¬y)) ∧ G (x → X y))}
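The Π rules applied mechanically to φ = G (x → X y) and printed as NuSMV trap properties, as an added Python example (not the authors' tool or code from the slides); the tuple encoding of formulas, the function names and the LTLSPEC output form are assumptions of this example.

```python
# Formula encoding (an assumption of this example): constructed nested tuples
#   ("var", n) | ("not", A) | ("and", A, B) | ("or", A, B) | ("imp", A, B)
#   ("G", A) | ("F", A) | ("X", A) | ("U", A, B)

def picc(f):
    """PICC test predicates of LTL formula f, by the slide's rule for its top operator."""
    op = f[0]
    if op == "var":                       # Pi(x) = {x, !x}
        return [f, ("not", f)]
    A = f[1]
    B = f[2] if len(f) == 3 else None
    if op == "not":                       # Pi(!A) = Pi(A)
        return picc(A)
    if op == "imp":                       # A -> B is read as !A | B, as on the slides
        return picc(("or", ("not", A), B))
    if op == "and":                       # a clause of A is inactive while B is false
        return [("and", a, ("not", B)) for a in picc(A)] + [("and", ("not", A), b) for b in picc(B)]
    if op == "or":                        # a clause of A is inactive while B is true
        return [("and", a, B) for a in picc(A)] + [("and", A, b) for b in picc(B)]
    if op == "G":                         # A U (a & G A)
        return [("U", A, ("and", a, f)) for a in picc(A)]
    if op == "F":                         # !A U (a & (A | F A))
        return [("U", ("not", A), ("and", a, ("or", A, f))) for a in picc(A)]
    if op == "X":                         # X a
        return [("X", a) for a in picc(A)]
    if op == "U":                         # (A & !B) U (c & (B | A U B)), c from either side
        guard = ("and", A, ("not", B))
        return [("U", guard, ("and", c, ("or", B, f))) for c in picc(A) + picc(B)]
    raise ValueError("unknown operator: " + op)

def to_smv(f):
    """Print f in NuSMV LTL syntax so a predicate can be checked as a trap property."""
    op = f[0]
    if op == "var":
        return f[1]
    if op in ("not", "G", "F", "X"):
        return ("!" if op == "not" else op + " ") + _operand(f[1])
    sym = {"and": " & ", "or": " | ", "imp": " -> ", "U": " U "}[op]
    return _operand(f[1]) + sym + _operand(f[2])

def _operand(f):
    """Parenthesise binary subformulas; atoms and unary operators need no brackets."""
    return to_smv(f) if f[0] in ("var", "not", "G", "F", "X") else "(" + to_smv(f) + ")"

def trap_properties(f):
    """never(tp) for every PICC test predicate tp: a counterexample to it is a test."""
    return ["LTLSPEC !(" + to_smv(p) + ")" for p in picc(f)]

PHI = ("G", ("imp", ("var", "x"), ("X", ("var", "y"))))  # phi = G(x -> X y) from the slides
```

Running `trap_properties(PHI)` yields four LTLSPEC lines, the second and third of which coincide, exactly as the slide's result set does.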
PICC Summary
- When do clauses not affect the result?
- PICC extends UFC like RCDC extends MCDC
- Apply rules to all properties → test predicates
Mutation Testing for Properties
Figure: Requirements G (a −> X !b), G (b −> X !c), G (c −> X !d), ... are mutated; the Mutants and the Model are given to the Model Checker, which yields Test cases (example mutant label in the figure: x & !c).

Figure: the development process again (Informal ideas, Requirement Properties, Executable Specification, Design, Code, Realization).
UFC, PICC: Are the properties implemented right?