Validation of Synchronous Reactive Systems: from Formal Verification to Automatic Testing




Nicolas Halbwachs and Pascal Raymond
Verimag, Grenoble, France (Verimag is a joint laboratory of Université Joseph Fourier, CNRS and INPG, associated with IMAG)
{nicolas.halbwachs,pascal.raymond}@imag.fr
This work was partially supported by the Esprit-LTR project "SYRF".

Abstract. This paper surveys the techniques and tools developed for the validation of reactive systems described in the synchronous data-flow language Lustre [HCRP91]. These techniques are based on the specification of safety properties by means of synchronous observers. The model-checker Lesar [RHR91] takes a Lustre program and two observers, respectively describing the expected properties of the program and the assumptions about the system environment under which these properties are intended to hold, and performs the verification on a finite-state (Boolean) abstraction of the system. Recent work concerns extensions towards simple numerical aspects, which are ignored in the basic tool. Provided with the same kind of observers, the tool Lurette [RWNH98] is able to automatically generate test sequences satisfying the environment assumptions, and to run the test while checking the satisfaction of the specified properties.

1 Introduction

Synchronous languages [Hal93,BG92,LGLL91,HCRP91] have been proposed to design so-called "reactive systems", i.e., systems that maintain a permanent interaction with a physical environment. In this area, system reliability, and therefore design validation, are particularly important goals, since most reactive systems are safety critical. As a consequence, many validation tools have been proposed which are dedicated to systems described by means of synchronous languages. These tools concern either automatic verification [LDBL93,DR94,JPV95,Bou98,RHR91], formal proof [BCDP99], or program testing [BORZ98,RWNH98,MHMM95,Mar98].

As a matter of fact, the validation of synchronous programs on one hand raises specific problems, like taking into account known properties of the environment, and on the other hand allows the application of specific techniques, since the programs to be validated are deterministic systems with inputs, in contrast with classical concurrent processes, which are generally modelled as non-deterministic and closed systems. Both for formal verification and for testing, the user has to specify:

1. the intended behavior of the program under validation, which may be more or less precisely defined. In particular, it may consist of a set of properties, and, for the kind of systems considered, critical properties are most of the time safety properties;
2. the assumptions about the environment under which the properties specified in (1) are intended to hold. These assumptions are generally safety properties, too.

In synchronous programming, a convenient way of specifying such safety properties is to use "synchronous observers" [HLR93], which are programs observing the inputs and the outputs of the program under validation and detecting the violation of the property. Once these observers have been written, automatic validation tools can use them for
- formal verification: one can verify, by model-checking, that for each input flow satisfying the assumption, the corresponding output flow satisfies the property. In general, this verification is performed on a finite-state abstraction of the program under verification;
- automatic testing: the assumption observer is used to generate realistic test sequences, which are provided to the program; the property observer is used as an "oracle" determining whether each test sequence "passes" or "fails".

In this paper, we present these approaches in the context of the declarative language Lustre [HCRP91]. A model-checker for Lustre, called Lesar [RHR91], has been developed for a long time, and extended towards dealing with simple numerical properties. Two testing tools, Lutess [BORZ98] and Lurette [RWNH98], are also available; here, we focus on Lurette, which has some numerical capabilities.

2 Synchronous Observers in Lustre

2.1 Overview of Lustre

Let us first recall, in a simplified way, the principles of the language Lustre. A Lustre program operates on flows of values. Any variable (or expression) x represents a flow, i.e., an infinite sequence (x0, x1, ..., xn, ...) of values. A program is intended to have a cyclic behavior, and xn is the value of x at the nth cycle of the execution. A program computes output flows from input flows. Output (and possibly local) flows are defined by means of equations (in the mathematical sense), an equation "x = e" meaning "∀n, xn = en". So, an equation can be understood as a temporal invariant. Lustre operators operate globally on flows: for instance, "x + y" is the flow (x0 + y0, x1 + y1, ..., xn + yn, ...). In addition to the usual arithmetic, Boolean and conditional operators, extended pointwise to flows as just shown, we will consider only two temporal operators:
- the operator "pre" ("previous") gives access to the previous value of its argument: "pre(x)" is the flow (nil, x0, ..., x(n-1), ...), where the very first value "nil" is an undefined ("non-initialized") value;

- the operator "->" ("followed by") is used to define initial values: "x -> y" is the flow (x0, y1, ..., yn, ...), initially equal to x and then equal to y forever.

As a very simple example, the program shown below is a counter of "events". It takes as inputs two Boolean flows, "evt" (true whenever the counted "event" occurs) and "reset" (true whenever the counter should be reinitialized), and returns the number of occurrences of "evt" since the last "reset". Once declared, such a "node" can be used anywhere in a program as a user-defined operator. For instance, our counter can be used to generate an event "minute" every 60 "second", by counting "second" modulo 60.

    node count(evt, reset: bool) returns (count: int);
    let
      count = if (true -> reset) then 0
              else if evt then pre(count) + 1
              else pre(count);
    tel

    mod60 = count(second, pre(mod60 = 59));
    minute = (mod60 = 0);

2.2 Synchronous Observers

Now, an observer in Lustre is a node taking as inputs all the flows relevant to the safety property to be specified, and computing a single Boolean flow, say "ok", which is true as long as the observed flows satisfy the property.

For instance, let us write an observer checking that each occurrence of an event "danger" is followed by an "alarm" before the next occurrence of the event "deadline". It uses a local variable "wait", set by "danger" and reset by "alarm"; the property is violated whenever "deadline" occurs while "wait" is on.

    node property(danger, alarm, deadline: bool) returns (ok: bool);
    var wait: bool;
    let
      wait = if alarm then false
             else if danger then true
             else (false -> pre(wait));
      ok = not (deadline and wait);
    tel

Assume that the above property is intended to hold for a system S computing "danger" and "alarm", while "deadline" comes from the environment. Obviously, unless S emits "alarm" simultaneously with each "danger", it cannot fulfill the property without any knowledge about "deadline". Now, assume we know that "deadline" never occurs earlier than two cycles after "danger". This assumption can also be expressed by an observer:

    node assumption(danger, deadline: bool) returns (ok: bool);
    let
      ok = not deadline or
           (true -> pre(not danger and (true -> pre(not danger))));
    tel

2.3 Validation Program

Now we are left with three programs: the program S under validation and its two observers, property and assumption. We can compose them in parallel, in a surrounding program called the "validation program" (see Fig. 1). Our verification problem comes down to showing that, whatever the inputs to the validation program, either the output "correct" is always true, or the output "realistic" is sometimes false.

    Fig. 1. Validation program
    (danger, alarm, ...) = S(deadline, ...);
    correct = property(danger, alarm, deadline);
    realistic = assumption(danger, deadline);

The advantages of using synchronous observers for specification have been pointed out:
- there is no need to learn and use a different language for specifying than for programming;
- observers are executable; one can test them to get convinced that the specified properties are the desired ones.

Notice that synchronous observers are just a special case of the general technique [VW86] consisting in describing the negation of the property by an automaton (generally, a Büchi automaton), and showing, by performing a synchronous product of this automaton and the program, that no trace of the program is accepted by the automaton. The point is that, in synchronous languages, the synchronous product is the normal parallel composition, so this technique can be applied within the programming language.

3 Model-Checking

3.1 Lustre Programs as State Machines

Of course, a Lustre program can be viewed as a transition system. All operators except pre and -> are purely combinational, i.e., they do not use the notion of state. The result of a -> operator depends on whether the execution is in its first cycle or not: let init be an auxiliary Boolean state variable, which is initially true and then always false. The result of a pre operator is the value previously taken by its argument, so each pre operator has an associated state variable. All these state variables define the state of the program. Of course, programs that have only Boolean variables have finitely many states and can be fully verified by model-checking [QS82,CES86,BCM+90,CBM89]: when the program under verification and both of its observers are purely Boolean, one can traverse the finite set of states of the validation program. Only states reached from the initial state without falsifying the output "realistic" are considered, and in each reached state, one checks that, for each input, either "realistic" is false or "correct" is true. This can be done either enumeratively (i.e., considering each state in turn) or symbolically, by considering sets of states as Boolean formulas.

3.2 Lustre Programs as Interpreted Automata

Programs with numerical variables can be partially verified, using a similar approach. We consider such a program as an interpreted automaton: the states of the automaton are defined by the values of the Boolean state variables, as above. The associated interpretation deals with the numerical part: conditions and actions on numerical variables are associated with the transitions of the automaton. An example of such an interpreted automaton will be shown in Section 4. If it happens that a property can be proved on the (finite) control part of the automaton, then it is satisfied by the complete program. Otherwise, the result is inconclusive.

3.3 Lesar

Lesar is a verification tool dedicated to Lustre programs. It performs the kind of verification described above, by traversing the set of control states of a validation program, either enumeratively or symbolically. More precisely, it restricts its search to the part of the program that can influence the satisfaction of the property. This part, sometimes called the cone of influence, can be easily determined because of the declarative nature of the language: all dependences between variables are explicit. This is an important feature, since experience shows that, in many practical cases, the addressed property only concerns a very small part of a program: in such a case, Lesar may be able to verify the property even if the whole state space of the program could not be built.
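The observers of Section 2.2, the validation program of Section 2.3 and the enumerative traversal of Section 3.1, written out in Python as an added example (this is not code from the paper, nor from Lesar). The `prop` and `assume` step functions transcribe the paper's two Lustre nodes, each `pre` becoming a state entry and each `->` a check of an `init` flag. Everything else is an assumption of this example: the system S under validation (`s_delay`, which copies an environment input `hazard` to `danger` and raises `alarm` `d` cycles later), and `assume_strict`, a variant of mine that additionally excludes a deadline in the very cycle of a danger.

```python
"""Synchronous observers (Section 2.2) and enumerative model checking of the
validation program (Sections 2.3 and 3.1), emulated in Python.

Each Lustre node is a pure step function  step(state, inputs) -> (state', outputs).
The state holds one entry per `pre` plus the `init` flag that implements `->`,
which is exactly the state-machine reading of Section 3.1.
"""
from itertools import product

# node property(danger, alarm, deadline) returns (ok)  --  state = (init, pre(wait))
PROP0 = (True, None)

def prop(st, danger, alarm, deadline):
    init, pre_wait = st
    if alarm:
        wait = False
    elif danger:
        wait = True
    else:
        wait = False if init else pre_wait          # false -> pre(wait)
    return (False, wait), not (deadline and wait)

# node assumption(danger, deadline) returns (ok)
#   ok = not deadline or (true -> pre(not danger and (true -> pre(not danger))))
# state = (init, pre(not danger), pre(not danger and (true -> pre(not danger))))
ASSUME0 = (True, None, None)

def assume(st, danger, deadline):
    init, pre_e1, pre_e3 = st
    e1 = not danger
    e3 = e1 and (True if init else pre_e1)
    ok = (not deadline) or (True if init else pre_e3)
    return (False, e1, e3), ok

def assume_strict(st, danger, deadline):
    """Assumed variant, not from the paper: also forbid a deadline in the very
    cycle of a danger (the paper's node constrains only the two earlier cycles)."""
    st2, ok = assume(st, danger, deadline)
    return st2, ok and not (deadline and danger)

def s_delay(d):
    """Assumed system under validation: danger = hazard (an environment input),
    alarm = hazard delayed by d cycles.  State = the last d hazard values."""
    def step(st, hazard):
        hist = st + (hazard,)                        # oldest first
        return hist[1:], (hazard, hist[0])           # (danger, alarm)
    return (False,) * d, step

INPUTS = list(product((False, True), repeat=2))      # (hazard, deadline)

def simulate(d, inputs, assumption=assume):
    """Run the validation program on one concrete input sequence; returns the
    per-cycle (realistic, correct) flows (observers are executable, Section 2.3)."""
    s_st, s_step = s_delay(d)
    p_st, a_st, out = PROP0, ASSUME0, []
    for hazard, deadline in inputs:
        s_st, (danger, alarm) = s_step(s_st, hazard)
        a_st, realistic = assumption(a_st, danger, deadline)
        p_st, correct = prop(p_st, danger, alarm, deadline)
        out.append((realistic, correct))
    return out

def model_check(d, assumption=assume):
    """Enumerative traversal of Section 3.1: explore every state reachable without
    falsifying `realistic`; on each transition require realistic => correct.
    Returns None if the property holds, else the shortest counterexample as a
    list of (hazard, deadline) input vectors."""
    s0, s_step = s_delay(d)
    start = (s0, PROP0, ASSUME0)
    parent, frontier = {start: None}, [start]
    while frontier:                                  # breadth-first: shortest trace
        nxt = []
        for st in frontier:
            s_st, p_st, a_st = st
            for inp in INPUTS:
                hazard, deadline = inp
                s2, (danger, alarm) = s_step(s_st, hazard)
                a2, realistic = assumption(a_st, danger, deadline)
                if not realistic:
                    continue                         # unrealistic input: not explored
                p2, correct = prop(p_st, danger, alarm, deadline)
                if not correct:
                    return _path(parent, st) + [inp]
                new = (s2, p2, a2)
                if new not in parent:
                    parent[new] = (st, inp)
                    nxt.append(new)
        frontier = nxt
    return None

def _path(parent, st):
    steps = []
    while parent[st] is not None:
        st, inp = parent[st]
        steps.append(inp)
    return steps[::-1]

if __name__ == "__main__":
    print("S(delay=1), paper's assumption :", model_check(1))
    print("S(delay=1), strict assumption  :", model_check(1, assume_strict))
    print("S(delay=4), strict assumption  :", model_check(4, assume_strict))
```

`model_check(1)` returns the one-cycle trace in which `hazard` and `deadline` coincide: the assumption node as written says nothing about the deadline's own cycle, so that input is realistic and `wait` is already set. This is the kind of check the paper recommends before trusting an observer (observers are executable; test them). With `assume_strict` the traversal proves S correct for alarm delays of one to three cycles (an alarm in the same cycle as the deadline resets `wait` first, since `alarm` has priority in the property node) and reports a four-step trace for a delay of four.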
4 Towards Numerical Properties

Only properties that depend only on the control part of the program can be verified by model-checking. The reason is that Lesar can consider as reachable some control states that are in fact unreachable because of the numerical interpretation, which is ignored during the state space traversal: some transitions are considered feasible while being forbidden by their numerical guards. Let us illustrate this phenomenon on a very simple example, extracted from a subway speed regulation system:

A train detects beacons placed along the track, and receives a signal broadcast each second by a central clock. Ideally, it should encounter one beacon each second, but, to avoid shaking, the regulation system applies a hysteresis as follows: let #b and #s be, respectively, the current numbers of encountered beacons and of elapsed seconds. Whenever #b - #s becomes greater than 10, the train is considered early, until #b - #s becomes negative. Symmetrically, whenever #b - #s becomes smaller than -10, the train is considered late, until #b - #s becomes positive. We only consider the part of the system which determines whether the train is early or late. In Lustre, the corresponding program fragment could be:

    diff  = 0 -> if second and not beacon then pre(diff) - 1
                 else if beacon and not second then pre(diff) + 1
                 else pre(diff);
    early = false -> if diff > 10 then true
                     else if diff < 0 then false
                     else pre(early);
    late  = false -> if diff < -10 then true
                     else if diff > 0 then false
                     else pre(late);

This program has three Boolean state variables: the auxiliary variable init (initially true, and then false forever) and the variables storing the previous values of early and late. The corresponding interpreted automaton has the control structure shown in Fig. 2, and, for instance, the transitions sourced in the state "OnTime" are guarded as follows:

    g1: diff > 10 ∧ diff ≥ -10 → Early
    g2: diff ≤ 10 ∧ diff < -10 → Late
    g3: diff > 10 ∧ diff < -10 → EarlyLate
    g4: diff ≤ 10 ∧ diff ≥ -10 → OnTime

    Fig. 2. Interpreted automaton of the subway example (control states Init, OnTime, Early, Late and EarlyLate)

Without any knowledge about numerical guards, the model-checker does not know that some of these guards (g1 and g2) can be simplified, nor that one of them (g3) is unsatisfiable. This is why the state "EarlyLate" is considered reachable. A transition whose guard is numerically unsatisfiable will be called statically unfeasible. In our example, if we remove statically unfeasible transitions, we get the automaton of Fig. 3, where the state "EarlyLate" is no longer reachable. A simple way of improving the power of a model-checker is to provide it with the ability to detect statically unfeasible transitions, in some simple cases. For instance, unfeasibility of guards made of linear relations is easy to decide (at least for rational solutions; but since unfeasibility in rational numbers implies unfeasibility in integers, such an approximate decision is still conservative).

    Fig. 3. The subway example without statically unfeasible transitions (control states Init, OnTime, Early and Late)

This is why Lesar has been extended with such a decision procedure in linear algebra: when a state violating the property is reached by the standard model-checking algorithm, the tool can look, along the paths leading to this state, for transitions guarded by unfeasible linear guards. If all such "bad" paths can be cut, the "bad" state is no longer considered reachable. This very partial improvement significantly increases the number of practical cases where the verification succeeds.

Of course, we are not always able to detect statically unfeasible transitions. Moreover, some transitions are unfeasible because of the dynamic behavior of numerical variables. For instance, in the automaton of Fig. 3, there are direct transitions from state "Early" to state "Late" and conversely. Now, these transitions are clearly impossible, since diff varies by at most 1 at each cycle, and cannot jump from being ≥ 0 in state "Early" to becoming < -10 in state "Late". Such transitions are called dynamically unfeasible. Detecting dynamically unfeasible transitions is much more difficult. We experiment with "linear relation analysis" [HPR97], an application of abstract interpretation, to synthesize invariant linear relations in each state of the automaton. If the guard of a transition is not satisfiable within the invariant of its source state, then the transition is unfeasible. In our example, we get the invariants shown in Fig. 4, which allow us to remove all unfeasible transitions.

    Fig. 4. The subway example without dynamically unfeasible transitions, with the invariants
    OnTime: -10 ≤ diff ≤ 10;  Early: diff ≥ 0;  Late: diff ≤ 0
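The three levels of analysis of this section, applied to the subway fragment as an added example (not code from the paper or from Lesar). The control states are the values of (pre(early), pre(late)) and the numeric variable diff is the interpretation. `reachable(True)` is the Boolean abstraction, in which all 16 valuations of the four guard atoms are taken as possible; `reachable(False)` keeps only guards that some value of diff actually satisfies (static unfeasibility); `invariants()` computes per-state invariants on diff. The last one is an assumption of this example in one respect: it uses a plain interval domain with threshold widening as a stand-in for the linear relation analysis of [HPR97], which is enough here because every guard compares diff with a constant.

```python
"""The subway fragment of Section 4 as an interpreted automaton, with the three
levels of analysis the text describes.  Added example, not code from the paper.

Control states are the values of (pre(early), pre(late)); the numeric variable
diff (= #b - #s) is the interpretation.  The four guard atoms are
diff > 10, diff < 0, diff < -10 and diff > 0.
"""
from itertools import product

INF = float("inf")

# Regions of diff on which all four atoms have constant truth values.
REGIONS = [(-INF, -11), (-10, -1), (0, 0), (1, 10), (11, INF)]

def atoms(lo, hi):
    """Valuation (gt10, lt0, ltm10, gt0) of the atoms for any diff in [lo, hi]."""
    return (lo >= 11, hi <= -1, hi <= -11, lo >= 1)

def step(control, gt10, lt0, ltm10, gt0):
    """One cycle of the early/late equations from control state (pre_early, pre_late)."""
    pre_early, pre_late = control
    early = True if gt10 else (False if lt0 else pre_early)
    late = True if ltm10 else (False if gt0 else pre_late)
    return (early, late)

NAMES = {(False, False): "OnTime", (True, False): "Early",
         (False, True): "Late", (True, True): "EarlyLate"}

def reachable(boolean):
    """Control states and transitions reachable from Init.
    boolean=True : every one of the 16 atom valuations is taken as a possible
                   guard, as the basic model-checker does (Boolean abstraction).
    boolean=False: only the 5 valuations some diff value realises are kept, i.e.
                   statically unfeasible transitions (like g3) are dropped."""
    guards = (list(product((False, True), repeat=4)) if boolean
              else [atoms(lo, hi) for lo, hi in REGIONS])
    start = (False, False)                   # first cycle: diff = 0, early = late = false
    seen, edges, todo = {start}, {("Init", "OnTime")}, [start]
    while todo:
        src = todo.pop()
        for g in guards:
            dst = step(src, *g)
            edges.add((NAMES[src], NAMES[dst]))
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return {NAMES[s] for s in seen} | {"Init"}, edges

def widen(lo, hi):
    """Widening with the guard constants as thresholds: a bound that has moved
    past every constant the guards compare with is sent to infinity, which
    keeps the ascending iteration finite without losing any guard precision."""
    return (-INF if lo < -11 else lo, INF if hi > 11 else hi)

def invariants():
    """Interval invariant on pre(diff) in each control state (an interval-domain
    stand-in for the linear relation analysis of [HPR97]) and the transitions
    still feasible under those invariants: diff changes by at most 1 per cycle,
    so a guard region disjoint from [lo-1, hi+1] is dynamically unfeasible."""
    inv = {(False, False): (0, 0)}           # after the first cycle, diff = 0
    changed = True
    while changed:
        changed = False
        for src, (lo, hi) in list(inv.items()):
            for rlo, rhi in REGIONS:
                nlo, nhi = max(lo - 1, rlo), min(hi + 1, rhi)
                if nlo > nhi:
                    continue                 # guard unsatisfiable from this state
                dst = step(src, *atoms(rlo, rhi))
                old = inv.get(dst, (INF, -INF))
                new = widen(min(old[0], nlo), max(old[1], nhi))
                if new != old:
                    inv[dst], changed = new, True
    edges = {("Init", "OnTime")}
    for src, (lo, hi) in inv.items():
        for rlo, rhi in REGIONS:
            if max(lo - 1, rlo) <= min(hi + 1, rhi):
                edges.add((NAMES[src], NAMES[step(src, *atoms(rlo, rhi))]))
    return {NAMES[s]: iv for s, iv in inv.items()}, edges

if __name__ == "__main__":
    print("Boolean abstraction :", sorted(reachable(True)[0]))
    print("static pruning      :", sorted(reachable(False)[0]))
    inv, edges = invariants()
    print("invariants          :", inv)
    print("Early -> Late kept? :", ("Early", "Late") in edges)
```

The Boolean abstraction reaches EarlyLate; static pruning removes it but keeps the direct Early to Late and Late to Early transitions of Fig. 3; the invariants come out as -10 ≤ diff ≤ 10 in OnTime, diff ≥ 0 in Early and diff ≤ 0 in Late, which is Fig. 4, and under them those two transitions are gone.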

5 Automatic Testing

In spite of the progress of formal verification, testing is and will remain an important validation technique. On the one hand, the verification of too complex systems (with too complex a state space, or important numerical aspects) will remain unfeasible. On the other hand, some validation problems are out of the scope of formal verification: this is the case when parts of the program cannot be formally described, because they are unknown or written in low-level languages; it is also the case when one wants to validate the final system within its actual environment. So, verification and testing should be considered as complementary techniques. Moreover, testing techniques and tools should be mainly devoted to cases where verification either fails or does not apply. This is why we are especially interested in techniques that cope with numerical systems, that do not need a formal description of the system under test (black-box testing), and whose cost does not depend on the internal complexity of the tested system.

Intensive testing requires automation, since producing huge test sets by hand is extremely expensive and error-prone. Now, it appears that the prerequisite for automatic generation of test sets is the same as for verification: an automatic tester needs a formal description of both the environment, to generate only realistic test cases, and the system under test, to provide an "oracle" deciding whether each test passes or fails. In Section 2, we proposed the use of synchronous observers for these formal descriptions. In the Lurette [RWNH98] and Lutess [BORZ98] tools, such observers are used to automatically generate and run test sequences. In this section, we explain the principles of this generation.

The specific feature of reactive systems is, of course, that they run in closed loop with their environment. In particular, they are often intended to control their environment. This means that the current input (from the environment) may depend on the past outputs (from the system). In other words, the realism of an input sequence does not make sense independently of the corresponding output sequence, computed by the system under test. This is why, in our approach, test sequences are generated on the fly, as they are submitted to the system under test.

More precisely, we assume that the following components are available:
- an executable version of the system under test, say S. We only need to be able to run it, step by step;
- the observers A and P, respectively describing the assumptions about the environment and the properties to be checked during the test.

    [Figure: the testing architecture. The input i is fed to S, which produces the output o; the observer A computes "realistic" and the observer P computes "correct".]

Moreover, the output "realistic" of the observer A is required not to depend instantaneously on the outputs "o" of S. Since "o" is supposed to be computed from the current input "i", it would be a kind of causality loop if the realism of "i" depended on "o".

Basically, the tester only needs to know the source code of the observer A, and to be able to run the system S and the observer P step by step. It considers, first, the initial state of A: in this state, the Lustre code of A can be simplified, by replacing each expression "e1 -> e2" by "e1", and each expression "pre(e)" by "nil". After this simplification, the result "realistic" is a combinational expression of the input "i", say "B(i)". The satisfaction of the Boolean formula B(i) can be viewed as a constraint on the initial inputs to the system. A constraint solver, which will be detailed below, is used to randomly select an input vector i0 satisfying this constraint. Now, S is run for a step on i0, producing the output vector o0 (and changing its internal state). Knowing both i0 and o0, one can run A and P for a step, to make them change their internal state, and to get the oracle "correct" output by P. The Lustre code of A can be simplified according to its new state, providing a new constraint on "i". The same process can be repeated as long as the test passes (i.e., P returns "correct = true"), or for a given number of steps.

The considered tools mainly differ in the selection of input vectors satisfying a given constraint. In Lutess [BORZ98], one considers only purely Boolean observers. A constraint is then a purely Boolean formula, which is represented by a binary decision diagram. A correct selection corresponds to a path leading to a "true" leaf in this BDD. The tool is able to perform such a selection, either using an equiprobable strategy or taking into account user-given directives. Lurette [RWNH98] is able to solve constraints that are Boolean expressions involving Boolean inputs and linear relations on numerical inputs.

Example: Let us illustrate the generation process on a very simple example. Assume S is intended to regulate a physical value u, by constraining its second derivative. Initially, both u and its derivative are known to be 0. Then, the second derivative of u will be in an interval [-δ, +δ] around the (previous) output x of S. An observer of this behavior can be written as follows:

    node A(u, x: real) returns (realistic: bool);
    var dudt, d2udt2: real;
    let
      dudt = 0 -> (u - pre(u));
      d2udt2 = dudt - pre(dudt);
      realistic = (u = 0) -> ((pre(x) - delta <= d2udt2)
                              and (d2udt2 <= pre(x) + delta));
    tel

At the first cycle, the code of A is simplified to

    dudt = 0; d2udt2 = nil; realistic = (u = 0);

There is only one way of satisfying the constraint, by choosing u0 = 0. The system S is run for one cycle with this input value; let x0 be the returned value. At the second cycle, we know that

    pre(u) = 0; pre(dudt) = 0; pre(x) = x0

so the code of A is simplified to

    dudt = u; d2udt2 = dudt;
    realistic = (x0 - delta <= d2udt2) and (d2udt2 <= x0 + delta);

which gives the (linear) constraint x0 - δ ≤ u ≤ x0 + δ. Assume the value u1 = x0 + δ is selected and provided to S, which returns some new value x1. At the next cycle, we know that

    pre(u) = pre(dudt) = x0 + δ; pre(x) = x1

so the code of A simplifies to

    dudt = u - (x0 + delta); d2udt2 = dudt - (x0 + delta);
    realistic = (x1 - delta <= d2udt2) and (d2udt2 <= x1 + delta);

which gives the constraint x1 + 2x0 + δ ≤ u ≤ x1 + 2x0 + 3δ, and so on.
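The generation loop of this section on the second-derivative example, as an added example (this is not the Lurette tool). The observer A transcribes the Lustre node above with its pre() values kept as explicit state; instead of simplifying A's source text, `constraint()` evaluates what that simplification yields in the current state, namely an interval of admissible values for the single numeric input u, which stands in for the linear constraint solver. The system S, the oracle P, the value of delta and the bound P checks are assumptions of this example, since the paper fixes none of them.

```python
"""On-the-fly test generation of Section 5 for the second-derivative example.
Added example; this is not the Lurette tool.

The assumption observer A is kept as explicit pre() state.  Rather than
textually simplifying A's Lustre code, `constraint` computes what that
simplification yields in the current state: `realistic` is a linear
constraint on the single numeric input u, i.e. an interval, which the
"constraint solver" samples.  S and P are assumptions of this example (the
paper fixes neither): S is a toy regulator, P checks that |x| stays bounded.
"""
import random

DELTA = 0.25      # the observer's delta (assumed value)
BOUND = 5.0       # the bound checked by the assumed oracle P

class ObserverA:
    """node A(u, x: real) returns (realistic: bool); state = the pre() values."""
    def __init__(self):
        self.init = True                       # true only in the first cycle
        self.pre_u = self.pre_dudt = self.pre_x = None

    def constraint(self):
        """[lo, hi] of the u values making `realistic` true in the current state."""
        if self.init:                          # realistic = (u = 0)
            return (0.0, 0.0)
        # d2udt2 = (u - pre(u)) - pre(dudt) and pre(x) - delta <= d2udt2 <= pre(x) + delta,
        # rewritten as bounds on u:
        base = self.pre_u + self.pre_dudt + self.pre_x
        return (base - DELTA, base + DELTA)

    def step(self, u, x):
        """Run A for one cycle on (u, x): returns `realistic`, updates the pre() state."""
        dudt = 0.0 if self.init else u - self.pre_u              # 0 -> (u - pre(u))
        d2udt2 = None if self.init else dudt - self.pre_dudt      # nil in the first cycle
        realistic = (u == 0.0) if self.init else (
            self.pre_x - DELTA <= d2udt2 <= self.pre_x + DELTA)
        self.init, self.pre_u, self.pre_dudt, self.pre_x = False, u, dudt, x
        return realistic

class OracleP:
    """Assumed property observer (not from the paper): |x| never exceeds BOUND."""
    def step(self, u, x):
        return abs(x) <= BOUND

def stable_regulator(u):
    """Assumed system under test S: damps its input."""
    return -u / 2.0

def runaway_regulator(u):
    """Assumed faulty S: amplifies its input, so P eventually fails."""
    return 2.0 * u

def generate_test(system, steps, choose=random.uniform):
    """Lurette-style loop: solve A's constraint for the next input, run S, then
    run A and P on (u, x); stop as soon as the oracle fails.  Returns the log of
    ((lo, hi), u, x, realistic, correct) per cycle; `choose(lo, hi)` is the
    selection strategy (random by default)."""
    a, p, log = ObserverA(), OracleP(), []
    for _ in range(steps):
        lo, hi = a.constraint()          # the simplified A as a constraint on u
        u = choose(lo, hi)               # pick an input vector satisfying it
        x = system(u)                    # run S for one step
        realistic = a.step(u, x)         # A steps to its next state
        correct = p.step(u, x)           # P gives the oracle verdict
        assert realistic                 # by construction of the constraint
        log.append(((lo, hi), u, x, realistic, correct))
        if not correct:
            break                        # the log is the failing test sequence
    return log

if __name__ == "__main__":
    for rec in generate_test(runaway_regulator, 10, choose=lambda lo, hi: hi):
        print(rec)
```

With the upper bound always selected, the intervals produced are [0, 0], then [x0 - δ, x0 + δ], then [x1 + 2x0 + δ, x1 + 2x0 + 3δ], the sequence derived by hand above. Against the runaway regulator the oracle fails at the fourth cycle and the loop stops, returning the four-cycle input sequence as the failing test.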

6 Conclusion

We have presented some validation techniques, which mainly derive from the specification of properties by synchronous observers. While not being restricted to synchronous models, this way of specifying properties is especially natural and convenient in that context, since the same kind of language can be used to describe the system and its properties.

Our presentation was centered on the language Lustre, but the techniques could be adapted to any synchronous language. Notice, however, that some ideas were directly suggested by the declarative nature of Lustre. For instance, synchronous observers were a natural generalization of the relations in Esterel, which are a way of expressing known implications or exclusions between input events. When transposed into Lustre, these relations are just special cases of invariant Boolean expressions. Generalized to any Boolean Lustre expression, this mechanism provides a way of specifying any safety property. Also, in test sequence generation, the idea of considering an observer as a (dynamic) constraint is especially natural when the observer is written in Lustre, but can be adapted to any synchronous language.

References

[BCDP99] S. Bensalem, P. Caspi, C. Dumas, and C. Parent-Vigouroux. A methodology for proving control programs with Lustre and PVS. In Dependable Computing for Critical Applications, DCCA-7, San Jose. IEEE Computer Society, January 1999.
[BCM+90] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and J. Hwang. Symbolic model checking: 10^20 states and beyond. In Fifth IEEE Symposium on Logic in Computer Science, Philadelphia, 1990.
[BG92] G. Berry and G. Gonthier. The Esterel synchronous programming language: design, semantics, implementation. Science of Computer Programming, 19(2):87-152, 1992.
[BORZ98] L. du Bousquet, F. Ouabdesselam, J.-L. Richier, and N. Zuanon. Lutess: testing environment for synchronous software. In Tool Support for System Specification, Development and Verification. Advances in Computing Science, Springer, 1998.
[Bou98] A. Bouali. Xeve: an Esterel verification environment. In Tenth International Conference on Computer-Aided Verification, CAV'98, Vancouver (B.C.), June 1998. LNCS 1427, Springer Verlag.
[CBM89] O. Coudert, C. Berthet, and J. C. Madre. Verification of synchronous sequential machines based on symbolic execution. In International Workshop on Automatic Verification Methods for Finite State Systems, Grenoble. LNCS 407, Springer Verlag, 1989.
[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM TOPLAS, 8(2), 1986.
[DR94] R. De Simone and A. Ressouche. Compositional semantics of Esterel and verification by compositional reductions. In D. Dill, editor, 6th International Conference on Computer Aided Verification, CAV'94, Stanford, June 1994. LNCS 818, Springer Verlag.
[Hal93] N. Halbwachs. Synchronous Programming of Reactive Systems. Kluwer Academic Pub., 1993.
[HCRP91] N. Halbwachs, P. Caspi, P. Raymond, and D. Pilaud. The synchronous dataflow programming language Lustre. Proceedings of the IEEE, 79(9):1305-1320, September 1991.
[HLR93] N. Halbwachs, F. Lagnier, and P. Raymond. Synchronous observers and the verification of reactive systems. In M. Nivat, C. Rattray, T. Rus, and G. Scollo, editors, Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente, June 1993. Workshops in Computing, Springer Verlag.
[HPR97] N. Halbwachs, Y. E. Proy, and P. Roumanoff. Verification of real-time systems using linear relation analysis. Formal Methods in System Design, 11(2):157-185, August 1997.
[JPV95] L. J. Jagadeesan, C. Puchol, and J. E. Von Olnhausen. Safety property verification of Esterel programs and applications to telecommunication software. In P. Wolper, editor, 7th International Conference on Computer Aided Verification, CAV'95, Liege (Belgium), July 1995. LNCS 939, Springer Verlag.
[LDBL93] M. Le Borgne, B. Dutertre, A. Benveniste, and P. Le Guernic. Dynamical systems over Galois fields. In European Control Conference, pages 2191-2196, Groningen, 1993.
[LGLL91] P. Le Guernic, T. Gautier, M. Le Borgne, and C. Le Maire. Programming real time applications with Signal. Proceedings of the IEEE, 79(9):1321-1336, September 1991.
[Mar98] B. Marre. Test data selection for reactive synchronous software. In Dagstuhl-Seminar-Report 223: Test Automation for Reactive Systems, Theory and Practice, September 1998.
[MHMM95] M. Mullerburg, L. Holenderski, O. Maffeis, and M. Morley. Systematic testing and formal verification to validate reactive programs. Software Quality Journal, 4(4):287-307, 1995.
[QS82] J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In International Symposium on Programming. LNCS 137, Springer Verlag, April 1982.
[RHR91] C. Ratel, N. Halbwachs, and P. Raymond. Programming and verifying critical systems by means of the synchronous data-flow programming language Lustre. In ACM-SIGSOFT'91 Conference on Software for Critical Systems, New Orleans, December 1991.
[RWNH98] P. Raymond, D. Weber, X. Nicollin, and N. Halbwachs. Automatic testing of reactive systems. In 19th IEEE Real-Time Systems Symposium, Madrid, Spain, December 1998.
[VW86] M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Symposium on Logic in Computer Science, June 1986.