Validation of Synchronous Reactive Systems: from formal verification to automatic testing?




Nicolas Halbwachs, Pascal Raymond
Verimag (*), Grenoble, France
{nicolas.halbwachs,pascal.raymond}@imag.fr

Abstract. This paper surveys the techniques and tools developed for the validation of reactive systems described in the synchronous data-flow language Lustre [HCRP91]. These techniques are based on the specification of safety properties, by means of synchronous observers. The model-checker Lesar [RHR91] takes a Lustre program, and two observers respectively describing the expected properties of the program, and the assumptions about the system environment under which these properties are intended to hold, and performs the verification on a finite state (Boolean) abstraction of the system. Recent work concerns extensions towards simple numerical aspects, which are ignored in the basic tool. Provided with the same kind of observers, the tool Lurette [RWNH98] is able to automatically generate test sequences satisfying the environment assumptions, and to run the test while checking the satisfaction of the specified properties.

(*) Verimag is a joint laboratory of Université Joseph Fourier, CNRS and INPG associated with IMAG. This work was partially supported by the Esprit-LTR project SYRF.

1 Introduction

Synchronous languages [Hal93,BG92,LGLL91,HCRP91] have been proposed to design so-called "reactive systems", which are systems that maintain a permanent interaction with a physical environment. In this area, system reliability, and therefore design validation, are particularly important goals, since most reactive systems are safety critical. As a consequence, many validation tools have been proposed, which are dedicated to deal with systems described by means of synchronous languages. These tools either concern automatic verification [LDBL93,DR94,JPV95,Bou98,RHR91], formal proof [BCDP99], or program testing [BORZ98,RWNH98,MHMM95,Mar98]. As a matter of fact, the validation of synchronous programs, on one hand, raises specific problems (like taking into account known properties of the environment) and, on the other hand, allows the application of specific techniques, since the programs to be validated are deterministic systems with inputs, in contrast with classical concurrent processes, which are generally modelled as non-deterministic and closed systems. Both for formal verification and for testing, the user has to specify:

1. the intended behavior of the program under validation, which may be more or less precisely defined. In particular, it may consist of a set of properties, and, for the kind of considered systems, critical properties are most of the time safety properties.
2. the assumptions about the environment under which the properties specified in (1) are intended to hold. These assumptions are generally safety properties, too.

In synchronous programming, a convenient way of specifying such safety properties is to use "synchronous observers" [HLR93], which are programs observing the inputs and the outputs of the program under validation, and detecting the violation of the property. Once these observers have been written, automatic validation tools can use them for

- formal verification: one can verify, by model-checking, that for each input flow satisfying the assumption, the corresponding output flow satisfies the property. In general, this verification is performed on a finite-state abstraction of the program under verification.
- automatic testing: the assumption observer is used to generate realistic test sequences, which are provided to the program; the property observer is used as an "oracle" determining whether each test sequence "passes" or "fails".

In this paper, we present these approaches in the context of the declarative language Lustre [HCRP91]. A model-checker for Lustre, called Lesar [RHR91], has been developed for long, and extended towards dealing with simple numerical properties. Two testing tools, Lutess [BORZ98] and Lurette [RWNH98], are also available; here, we focus on Lurette, which has some numerical capabilities.

2 Synchronous Observers in Lustre

2.1 Overview of Lustre

Let us first recall, in a simplified way, the principles of the language Lustre. A Lustre program operates on flows of values. Any variable (or expression) x represents a flow, i.e., an infinite sequence (x0, x1, ..., xn, ...) of values. A program is intended to have a cyclic behavior, and xn is the value of x at the nth cycle of the execution. A program computes output flows from input flows. Output (and possibly local) flows are defined by means of equations (in the mathematical sense), an equation "x = e" meaning "for all n, xn = en". So, an equation can be understood as a temporal invariant. Lustre operators operate globally on flows: for instance, "x + y" is the flow (x0 + y0, x1 + y1, ..., xn + yn, ...). In addition to the usual arithmetic, Boolean and conditional operators (extended pointwise to flows as just shown), we will consider only two temporal operators:

- the operator "pre" ("previous") gives access to the previous value of its argument: "pre(x)" is the flow (nil, x0, ..., x(n-1), ...), where the very first value "nil" is an undefined ("non initialized") value.
- the operator "->" ("followed by") is used to define initial values: "x -> y" is the flow (x0, y1, ..., yn, ...), initially equal to x, and then equal to y forever.

As a very simple example, the program shown below is a counter of "events". It takes as inputs two Boolean flows, "evt" (true whenever the counted "event" occurs) and "reset" (true whenever the counter should be reinitialized), and returns the number of occurrences of "events" since the last "reset". Once declared, such a "node" can be used anywhere in a program, as a user-defined operator. For instance, our counter can be used to generate an event "minute" every 60 "second", by counting "second" modulo 60.

    node count(evt, reset: bool) returns (count: int);
    let
      count = if (true -> reset) then 0
              else if evt then pre(count) + 1
              else pre(count);
    tel

    mod60 = count(second, pre(mod60 = 59));
    minute = (mod60 = 0);

2.2 Synchronous Observers

Now, an observer in Lustre will be a node taking as inputs all the flows relevant to the safety property to be specified, and computing a single Boolean flow, say "ok", which is true as long as the observed flows satisfy the property. For instance, let us write an observer checking that each occurrence of an event "danger" is followed by an "alarm" before the next occurrence of the event "deadline". It uses a local variable "wait", triggered by "danger" and reset by "alarm", and the property will be violated whenever "deadline" occurs when "wait" is on.

    node property(danger, alarm, deadline: bool) returns (ok: bool);
    var wait: bool;
    let
      wait = if alarm then false
             else if danger then true
             else (false -> pre(wait));
      ok = not (deadline and wait);
    tel

Assume that the above property is intended to hold about a system S, computing "danger" and "alarm", while "deadline" comes from the environment. Obviously, except if S emits "alarm" simultaneously with each "danger", it cannot fulfil the property without any knowledge about "deadline". Now, assume we know that "deadline" never occurs earlier than two cycles after "danger". This assumption can also be expressed by an observer:

    node assumption(danger, deadline: bool) returns (ok: bool);
    let
      ok = not deadline or
           (true -> pre(not danger and (true -> pre(not danger))));
    tel

2.3 Validation Program

Now we are left with 3 programs: the program S under validation, and its two observers, property and assumption. We can compose them in parallel, in a surrounding program called "validation program" (see Fig. 1). Our verification problem comes down to showing that, whatever the inputs to the validation program, either the output "correct" is always true, or the output "realistic" is sometimes false.

    correct = property(danger, alarm, deadline);
    realistic = assumption(danger, deadline);
    (danger, alarm, ...) = S(deadline, ...);

Fig. 1. Validation Program (S, the Assumption observer producing "realistic", and the Property observer producing "correct", composed in parallel).

The advantages of using synchronous observers for specification have been pointed out:

- there is no need to learn and use a different language for specifying than for programming;
- observers are executable; one can test them to get convinced that the specified properties are the desired ones.

Notice that synchronous observers are just a special case of the general technique [VW86] consisting in describing the negation of the property by an automaton (generally, a Büchi automaton), and showing, by performing a synchronous product of this automaton and the program, that no trace of the program is accepted by the automaton. The point is that, in synchronous languages, the synchronous product is the normal parallel composition, so this technique can be applied within the programming language.

3 Model-Checking

3.1 Lustre programs as state machines

Of course, a Lustre program can be viewed as a transition system. All operators, except pre and ->, are purely combinational, i.e., they don't use the notion of state. The result of a -> operator depends on whether the execution is in its first cycle or not: let init be an auxiliary Boolean state variable, which is initially true, and then always false. The result of a pre operator is the value previously taken by its argument, so each pre operator has an associated state variable. All these state variables define the state of the program. Of course, programs that have only Boolean variables have finitely many states and can be fully verified by model-checking [QS82,CES86,BCM+90,CBM89]: when the program under verification and both of its observers are purely Boolean, one can traverse the finite set of states of the validation program. Only states reached from the initial state without falsifying the output "realistic" are considered, and in each reached state, one checks that, for each input, either "realistic" is false, or "correct" is true. This can be done either enumeratively (i.e., considering each state in turn) or symbolically, by considering sets of states as Boolean formulas.
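The observers of 2.2, the validation program of 2.3 and the enumerative traversal of 3.1, as an added Python example that is not part of the paper (the authors' tool is Lesar; nothing here is its code). The count, property and assumption nodes are transcribed from the Lustre text above into step functions whose state is the memory of their pre operators. The two systems S are hypothetical: the paper leaves S unspecified, so one is written to satisfy the property only under the assumption and the other to fail even with it; their inputs fault and ack are assumptions as well.

```python
from collections import deque
from itertools import product

# Lustre nodes from the paper, encoded as pure step functions:
# step(memory, inputs...) -> (outputs, memory'). A memory holds the values of
# the node's pre() operators; None plays the role of Lustre's nil (first cycle).

def count_step(pre_count, evt, reset):
    """node count(evt, reset): number of evt occurrences since the last reset."""
    if pre_count is None or reset:          # (true -> reset)
        count = 0
    elif evt:
        count = pre_count + 1
    else:
        count = pre_count
    return count, count

def property_step(pre_wait, danger, alarm, deadline):
    """node property: each danger is followed by an alarm before the next deadline."""
    if alarm:
        wait = False
    elif danger:
        wait = True
    else:
        wait = False if pre_wait is None else pre_wait   # (false -> pre(wait))
    return (not (deadline and wait)), wait

def assumption_step(state, danger, deadline):
    """node assumption: deadline never occurs earlier than two cycles after danger."""
    pre_not_danger, pre_inner = state        # memories of the two nested pre()
    inner = (not danger) and (True if pre_not_danger is None else pre_not_danger)
    ok = (not deadline) or (True if pre_inner is None else pre_inner)
    return ok, (not danger, inner)

# Hypothetical systems S (not from the paper). Both raise `danger` on an
# environment input `fault`; they differ in how `alarm` is produced.
def s_delayed_step(state, fault, ack):
    """Alarms an isolated danger at once, but a danger repeated from the previous
    cycle only two cycles later: meets the property only under the assumption."""
    pre_d, pre_pre_d = state
    danger = fault
    alarm = bool(pre_pre_d) or (danger and not pre_d)
    return (danger, alarm), (danger, pre_d)

def s_ack_step(state, fault, ack):
    """Alarms only when the operator acknowledges: fails even under the assumption."""
    pre_d, _ = state
    danger = fault
    return (danger, danger and ack), (danger, pre_d)

INPUTS = list(product((False, True), repeat=3))   # (deadline, fault, ack)

def model_check(system_step, use_assumption=True):
    """Enumerative traversal of the validation program S || property || assumption
    (3.1): only states reached without falsifying `realistic` are explored, and in
    each of them every input must give realistic = false or correct = true.
    Returns None if the property holds, else a shortest counterexample (input vectors)."""
    init = ((None, None), None, (None, None))          # memories of S, property, assumption
    todo, seen = deque([(init, [])]), {init}
    while todo:
        (s_mem, p_mem, a_mem), path = todo.popleft()
        for deadline, fault, ack in INPUTS:
            (danger, alarm), s_next = system_step(s_mem, fault, ack)
            correct, p_next = property_step(p_mem, danger, alarm, deadline)
            realistic, a_next = assumption_step(a_mem, danger, deadline)
            if use_assumption and not realistic:
                continue                                 # unrealistic input: not explored
            trace = path + [(deadline, fault, ack)]
            if not correct:
                return trace
            nxt = (s_next, p_next, a_next)
            if nxt not in seen:
                seen.add(nxt)
                todo.append((nxt, trace))
    return None

def minute_signal(seconds):
    """The `minute` example of 2.1: count `second` modulo 60 through a pre() feedback."""
    out, pre_mod60 = [], None
    for second in seconds:
        reset = (pre_mod60 == 59)               # pre(mod60 = 59); nil compares false
        mod60, pre_mod60 = count_step(pre_mod60, second, reset)
        out.append(mod60 == 0)
    return out
```

model_check(s_delayed_step) returns None, model_check(s_delayed_step, use_assumption=False) returns a two-cycle counterexample (a danger repeated on the cycle where the deadline occurs), and model_check(s_ack_step) fails at the first cycle even with the assumption; the same state-space traversal runs identically whether the counterexample search is driven by the assumption or not, which is the point of keeping the assumption as a separate observer rather than baking it into S.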

3.2 Lustre programs as interpreted automata

Programs with numerical variables can be partially verified, using a similar approach. We consider such a program as an interpreted automaton: the states of the automaton are defined by the values of the Boolean state variables, as above. The associated interpretation deals with the numerical part: conditions and actions on numerical variables are associated with the transitions of the automaton. An example of such an interpreted automaton will be shown in Section 4. If it happens that a property can be proved on the (finite) control part of the automaton, then it is satisfied by the complete program. Otherwise, the result is inconclusive.

3.3 Lesar

Lesar is a verification tool dedicated to Lustre programs. It performs the kind of verification described above, by traversing the set of control states of a validation program, either enumeratively or symbolically. More precisely, it restricts its search to the part of the program that can influence the satisfaction of the property. This part, sometimes called the cone of influence, can be easily determined, because of the declarative nature of the language: all dependences between variables are explicit. This is an important feature, since experience shows that, in many practical cases, the addressed property only concerns a very small part of a program: in such a case, Lesar may be able to verify the property, even if the whole state space of the program could not be built.

4 Towards Numerical Properties

Only properties that depend only on the control part of the program can be verified by model checking. The reason is that Lesar can consider as reachable some control states that are in fact unreachable because of the numerical interpretation, which is ignored during the state space traversal: some transitions are considered feasible, while being forbidden by their numerical guards. Let us illustrate this phenomenon on a very simple example, extracted from a subway speed regulation system.

A train detects beacons placed along the track, and receives a signal broadcast each second by a central clock. Ideally, it should encounter one beacon each second, but, to avoid shaking, the regulation system applies a hysteresis as follows: let #b and #s be, respectively, the current numbers of encountered beacons and of elapsed seconds. Whenever #b - #s becomes greater than 10, the train is considered early, until #b - #s becomes negative. Symmetrically, whenever #b - #s becomes smaller than -10, the train is considered late, until #b - #s becomes positive. We only consider the part of the system which determines whether the train is early or late. In Lustre, the corresponding program fragment could be:

    di = 0 -> if second and not beacon then pre(di) - 1
              else if beacon and not second then pre(di) + 1
              else pre(di);
    early = false -> if di > 10 then true
                     else if di < 0 then false
                     else pre(early);
    late = false -> if di < -10 then true
                    else if di > 0 then false
                    else pre(late);

This program has 3 Boolean state variables: the auxiliary variable init (initially true, and then false forever) and the variables storing the previous values of early and late. The corresponding interpreted automaton has the control structure shown by Fig. 2, and, for instance, the transitions sourced in the state "OnTime" are guarded as follows:

    g1: di > 10 ∧ di ≥ -10  → Early
    g2: di ≤ 10 ∧ di < -10  → Late
    g3: di > 10 ∧ di < -10  → EarlyLate
    g4: di ≤ 10 ∧ di ≥ -10  → OnTime

Fig. 2. Interpreted automaton of the subway example (control states Init, OnTime, Early, Late and EarlyLate).

Without any knowledge about numerical guards, the model-checker does not know that some of these guards (g1 and g2) can be simplified, nor that one of them (g3) is unsatisfiable. This is why the state "EarlyLate" is considered reachable. A simple way of improving the power of a model-checker is to provide it with the ability of detecting statically unfeasible transitions, in some simple cases. For instance, unfeasibility of guards made of linear relations is easy to decide (1). A transition the guard of which is numerically unsatisfiable will be called statically unfeasible. In our example, if we remove statically unfeasible transitions, we get the automaton of Fig. 3, where the state "EarlyLate" is no longer reachable.

(1) At least for rational solutions; but since unfeasibility in rational numbers implies unfeasibility in integers, such an approximate decision is still conservative.

Fig. 3. The subway example without statically unfeasible transitions (control states Init, OnTime, Early, Late).

This is why Lesar has been extended with such a decision procedure in linear algebra: when a state violating the property is reached by the standard model-checking algorithm, the tool can look, along the paths leading to this state, for transitions guarded by unfeasible linear guards. If all such "bad" paths can be cut, the "bad" state is no longer considered reachable. This very partial improvement significantly increases the number of practical cases where the verification succeeds.

Of course, we are not always able to detect statically unfeasible transitions. Moreover, some transitions are unfeasible because of the dynamic behavior of numerical variables. For instance, in the automaton of Fig. 3, there are direct transitions from state "Early" to state "Late" and conversely. Now, these transitions are clearly impossible, since di varies by at most 1 at each cycle, and cannot jump from being ≥ 0 in state "Early" to becoming < -10 in state "Late". Such transitions are called dynamically unfeasible. Detecting dynamically unfeasible transitions is much more difficult. We experiment with "linear relation analysis" [HPR97], an application of abstract interpretation, to synthesize invariant linear relations in each state of the automaton. If the guard of a transition is not satisfiable within the invariant of its source state, then the transition is unfeasible. In our example, we get the invariants shown in Fig. 4, which allow us to remove all unfeasible transitions.

Fig. 4. The subway example without dynamically unfeasible transitions, with the invariant of each state: di = 0 in Init, -10 ≤ di ≤ 10 in OnTime, di ≥ 0 in Early and, symmetrically, di ≤ 0 in Late.
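The subway example of this section worked through in Python, as an added example that is not from the paper and not Lesar's code. The interpreted automaton is built from the early/late equations above (di is an int flow, so each numerical atom becomes an integer bound); the purely Boolean traversal reaches EarlyLate while dropping statically unfeasible guards does not; and the invariants of Fig. 4 are then computed by an interval analysis with the usual widening and descending iterations of abstract interpretation. With a single variable di, intervals are all that a linear relation analysis can express, but the scheme below is a textbook one, not the implementation of [HPR97]. The "di changes by at most 1 per cycle" step relation is read off the di equation.

```python
import itertools
import math

INF = math.inf
EMPTY = (INF, -INF)                 # interval with lo > hi
ATOMS = ("di>10", "di<0", "di<-10", "di>0")
# di is an int flow: each atom, true or false, is an integer bound on di.
BOUNDS = {"di>10":  ((11, INF),   (-INF, 10)),    # (when true, when false)
          "di<0":   ((-INF, -1),  (0, INF)),
          "di<-10": ((-INF, -11), (-10, INF)),
          "di>0":   ((1, INF),    (-INF, 0))}

def is_empty(a): return a[0] > a[1]
def meet(a, b):  return (max(a[0], b[0]), min(a[1], b[1]))
def join(a, b):
    if is_empty(a): return b
    if is_empty(b): return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def control_state(early, late):
    return {(False, False): "OnTime", (True, False): "Early",
            (False, True): "Late", (True, True): "EarlyLate"}[(early, late)]

def successor(pre_early, pre_late, v):
    """The early/late equations after the first cycle, atoms replaced by truth values."""
    early = True if v["di>10"] else (False if v["di<0"] else pre_early)
    late = True if v["di<-10"] else (False if v["di>0"] else pre_late)
    return control_state(early, late)

def transitions():
    """Interpreted automaton as (source, guard as an interval on di, target).
    Init has a single transition: di = 0, early = late = false."""
    ts = [("Init", (0, 0), "OnTime")]
    for pe, pl in itertools.product((False, True), repeat=2):
        for bits in itertools.product((False, True), repeat=4):
            v, g = dict(zip(ATOMS, bits)), (-INF, INF)
            for atom, truth in v.items():
                g = meet(g, BOUNDS[atom][0 if truth else 1])
            ts.append((control_state(pe, pl), g, successor(pe, pl, v)))
    return ts

def reachable(ts, prune_static):
    """Control states reachable from Init, either ignoring guards (the basic
    Boolean traversal) or after removing statically unfeasible transitions."""
    seen, todo = {"Init"}, ["Init"]
    while todo:
        s = todo.pop()
        for src, g, dst in ts:
            if src == s and dst not in seen and not (prune_static and is_empty(g)):
                seen.add(dst); todo.append(dst)
    return seen

def post(src, inv, g):
    """Values of di on a transition leaving src: the stored value moves by at most
    1 per cycle (from Init it is the initial 0), then the guard is applied."""
    if is_empty(inv): return EMPTY
    step = inv if src == "Init" else (inv[0] - 1, inv[1] + 1)
    return meet(step, g)

def invariants(ts, max_iter=100):
    """Interval invariant per control state: ascending iteration with widening,
    then descending iteration to recover the bounds imposed by the guards."""
    states = ("Init", "OnTime", "Early", "Late", "EarlyLate")
    feasible = [t for t in ts if not is_empty(t[1])]
    inv = {s: ((0, 0) if s == "Init" else EMPTY) for s in states}
    for widen in (True, False):
        for _ in range(max_iter):
            new = {}
            for s in states:
                acc = (0, 0) if s == "Init" else EMPTY
                for src, g, dst in feasible:
                    if dst == s:
                        acc = join(acc, post(src, inv[src], g))
                old = inv[s]
                if widen and not is_empty(old):      # unstable bound -> infinity
                    acc = join(old, acc)
                    acc = (old[0] if acc[0] >= old[0] else -INF,
                           old[1] if acc[1] <= old[1] else INF)
                new[s] = acc
            if new == inv: break
            inv = new
    return inv

def classify(ts, inv):
    """Per (source, target) pair: statically unfeasible (no satisfiable guard),
    dynamically unfeasible (satisfiable guards, none within the source invariant),
    or feasible."""
    rank = {"statically unfeasible": 0, "dynamically unfeasible": 1, "feasible": 2}
    result = {}
    for src, g, dst in ts:
        if is_empty(g): kind = "statically unfeasible"
        elif is_empty(post(src, inv[src], g)): kind = "dynamically unfeasible"
        else: kind = "feasible"
        if rank[kind] > rank.get(result.get((src, dst)), -1):
            result[(src, dst)] = kind
    return result
```

reachable(transitions(), False) contains EarlyLate and reachable(transitions(), True) does not; invariants(transitions()) yields exactly the bounds of Fig. 4, and classify then marks Early to Late and Late to Early as dynamically unfeasible while OnTime to Early stays feasible. Note that the widened bounds are only useful after the descending pass: the ascending phase alone leaves OnTime, Early and Late unbounded.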

5 Automatic Testing

In spite of the progress of formal verification, testing is and will remain an important validation technique. On one hand, the verification of too complex systems (with a too complex state space, or important numerical aspects) will remain unfeasible. On the other hand, some validation problems are out of the scope of formal verification: it is the case when parts of the program cannot be formally described, because they are unknown or written in low level languages; it is also the case when one wants to validate the final system within its actual environment. So, verification and testing should be considered as complementary techniques. Moreover, testing techniques and tools should be mainly devoted to cases where verification either fails or does not apply. This is why we are especially interested in techniques that cope with numerical systems, that don't need a formal description of the system under test (black box testing), and the cost of which doesn't depend on the internal complexity of the tested system.

Intensive testing requires automation, since producing huge test sets by hand is extremely expensive and error-prone. Now, it appears that the prerequisite for automatic generation of test sets is the same as for verification: an automatic tester will need a formal description of both the environment (to generate only realistic test cases) and the system under test (to provide an "oracle" deciding whether each test passes or fails). In Section 2, we proposed the use of synchronous observers for these formal descriptions. In the Lurette [RWNH98] and Lutess [BORZ98] tools, such observers are used to automatically generate and run test sequences. In this section, we explain the principles of this generation.

The specific feature of reactive systems is, of course, that they run in closed loop with their environment. In particular, they are often intended to control their environment. This means that the current input (from the environment) may depend on the past outputs (from the system). In other words, the realism of an input sequence does not make sense independently of the corresponding output sequence, computed by the system under test. This is why, in our approach, test sequences are generated on the fly, as they are submitted to the system under test.

More precisely, we assume that the following components are available:

- an executable version of the system under test, say S. We only need to be able to run it, step by step.
- The observers A and P, respectively describing the assumptions about the environment and the properties to be checked during the test.

(Figure: S reads the inputs i and produces the outputs o; the observer A reads i and o and outputs "realistic"; the observer P reads them and outputs "correct".)

Moreover, the output "realistic" of the observer A is required not to depend instantaneously on the outputs "o" of S. Since "o" is supposed to be computed from the current input "i", it would be a kind of causality loop if the realism of "i" depended on "o".

Basically, the tester only needs to know the source code of the observer A, and to be able to run the system S and the observer P, step by step. It considers, first, the initial state of A: in this state, the Lustre code of A can be simplified, by replacing each expression "e1 -> e2" by "e1", and each expression "pre(e)" by "nil". After this simplification, the result "realistic" is a combinational expression of the input "i", say "B(i)". The satisfaction of the Boolean formula B(i) can be viewed as a constraint on the initial inputs to the system. A constraint solver (which will be detailed below) is used to randomly select an input vector i0 satisfying this constraint. Now, S is run for a step on i0, producing the output vector o0 (and changing its internal state). Knowing both i0 and o0, one can run A and P for a step, to make them change their internal state, and to get the oracle "correct" output by P. The Lustre code of A can be simplified according to its new state, providing a new constraint on "i". The same process can be repeated as long as the test passes (i.e., P returns "correct = true"), or for a given number of steps.

The considered tools mainly differ in the selection of input vectors satisfying a given constraint. In Lutess [BORZ98], one considers only purely Boolean observers. A constraint is then a purely Boolean formula, which is represented by a binary decision diagram. A correct selection corresponds to a path leading to a "true" leaf in this BDD. The tool is able to perform such a selection, either using an equiprobable strategy, or taking into account user-given directives. Lurette [RWNH98] is able to solve constraints that are Boolean expressions involving Boolean inputs and linear relations on numerical inputs.

Example: Let us illustrate the generation process on a very simple example. Assume S is intended to regulate a physical value u, by constraining its second derivative. Initially, both u and its derivative are known to be 0. Then, the second derivative of u will be in an interval [-δ, +δ] around the (previous) output x of S. An observer of this behavior can be written as follows:

    node A(u, x: real) returns (realistic: bool);
    var dudt, d2udt2: real;
    let
      dudt = 0 -> (u - pre(u));
      d2udt2 = dudt - pre(dudt);
      realistic = (u = 0) -> ((pre(x) - delta <= d2udt2)
                              and (d2udt2 <= pre(x) + delta));
    tel

At the first cycle, the code of A is simplified to

    dudt = 0; d2udt2 = nil; realistic = (u = 0);

There is only one way of satisfying the constraint, by choosing u0 = 0. The system S is run for one cycle, with this input value; let x0 be the returned value. At the second cycle, we know that

    pre(u) = 0; pre(dudt) = 0; pre(x) = x0

So the code of A is simplified to

    dudt = u; d2udt2 = dudt;
    realistic = (x0 - delta <= d2udt2) and (d2udt2 <= x0 + delta);

which gives the (linear) constraint x0 - δ ≤ u ≤ x0 + δ. Assume the value u1 = x0 + δ is selected, and provided to S, which returns some new value x1. At the next cycle, we know that

    pre(u) = pre(dudt) = x0 + δ; pre(x) = x1

So, the code of A simplifies to

    dudt = u - (x0 + delta); d2udt2 = dudt - (x0 + delta);
    realistic = (x1 - delta <= d2udt2) and (d2udt2 <= x1 + delta);

which gives the constraint x1 + 2x0 + δ ≤ u ≤ x1 + 2x0 + 3δ, and so on.
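The generation loop of this section and the observer A of the example, as an added Python example that is not from the paper and not Lurette's code. The class ObserverA is a transcription of the Lustre node A above: its constraint() method is the simplification of A's code in its current state (-> and pre resolved) into the interval the current input u must lie in, and its step() runs A for one cycle. Since the paper leaves S and P unspecified, the two systems OpposingS and RunawayS, the oracle property_p and its bound of 100 are hypothetical stand-ins. With one linear constraint on one real input, the constraint solver reduces to an equiprobable choice in an interval; exact rationals are used so that the value selected always satisfies the constraint it was derived from.

```python
from fractions import Fraction
import random

class ObserverA:
    """The assumption observer A(u, x) of the example as a step function.
    Its state is the pre() memories pre(u), pre(dudt), pre(x); None is Lustre's nil."""
    def __init__(self, delta):
        self.delta = Fraction(delta)
        self.pre_u = self.pre_dudt = self.pre_x = None

    def constraint(self):
        """A's code simplified in the current state, as the interval [lo, hi]
        that the current input u must lie in for realistic to be true."""
        if self.pre_u is None:                       # first cycle: realistic = (u = 0)
            return (Fraction(0), Fraction(0))
        # d2udt2 = (u - pre(u)) - pre(dudt) must lie in [pre(x) - delta, pre(x) + delta]
        base = self.pre_u + self.pre_dudt + self.pre_x
        return (base - self.delta, base + self.delta)

    def step(self, u, x):
        """Run A for one cycle on the selected input u and the output x of S."""
        if self.pre_u is None:
            dudt, realistic = Fraction(0), (u == 0)          # 0 -> ..., (u = 0) -> ...
        else:
            dudt = u - self.pre_u
            d2udt2 = dudt - self.pre_dudt
            realistic = self.pre_x - self.delta <= d2udt2 <= self.pre_x + self.delta
        self.pre_u, self.pre_dudt, self.pre_x = u, dudt, x
        return realistic

def solve(lo, hi, rng):
    """Constraint solver: equiprobable choice in [lo, hi], in exact arithmetic."""
    return lo + (hi - lo) * Fraction(rng.random())

# Hypothetical systems under test (not from the paper): S reads u and returns the
# command x that the next second derivative of u has to follow.
class OpposingS:             # commands an acceleration opposing the displacement
    def step(self, u): return -u / 2

class RunawayS:              # positive feedback: u grows without bound
    def step(self, u): return u

def property_p(u, x, bound=100):
    """Hypothetical oracle P: the regulated value stays within [-bound, bound]."""
    return abs(u) <= bound

def run_test(system, delta, steps, seed=0):
    """On-the-fly generation: at each cycle simplify A into a constraint on the
    current input, select an input satisfying it, run S one step, then run A and P
    on (u, x). Stops at the first failed oracle. With an exact solver, the
    'unrealistic' verdict cannot occur; it is kept as the check it would be."""
    rng, a = random.Random(seed), ObserverA(delta)
    for n in range(steps):
        lo, hi = a.constraint()
        u = solve(lo, hi, rng)
        x = system.step(u)
        if not a.step(u, x):
            return ("unrealistic", n)
        if not property_p(u, x):
            return ("fail", n)
    return ("pass", steps)
```

With delta = 1/2, feeding x0 = 1 after u0 = 0 gives the constraint [1/2, 3/2] of the second cycle; selecting u1 = x0 + δ = 3/2 and x1 = 2 gives [9/2, 11/2], which is x1 + 2x0 + δ ≤ u ≤ x1 + 2x0 + 3δ as derived above. run_test(OpposingS(), "1/10", 40) passes, whereas run_test(RunawayS(), "1/10", 40) fails within a handful of cycles: every input submitted to both systems was realistic by construction, so the failure is attributable to the system, not to the test data.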

6 Conclusion

We have presented some validation techniques, which mainly derive from the specification of properties by synchronous observers. While not being restricted to synchronous models, this way of specifying properties is especially natural and convenient in that context, since the same kind of language can be used to describe the system and its properties. Our presentation was centered on the language Lustre, but the techniques could be adapted to any synchronous language. Notice, however, that some ideas were directly suggested by the declarative nature of Lustre. For instance, synchronous observers were a natural generalization of the relations in Esterel, which are a way of expressing known implications or exclusions between input events. When transposed into Lustre, these relations are just special cases of invariant Boolean expressions. Generalized to any Boolean Lustre expression, this mechanism provides a way of specifying any safety property. Also, in test sequence generation, the idea of considering an observer as a (dynamic) constraint is especially natural when the observer is written in Lustre, but can be adapted to any synchronous language.

References

[BCDP99] S. Bensalem, P. Caspi, C. Dumas, and C. Parent-Vigouroux. A methodology for proving control programs with Lustre and PVS. In Dependable Computing for Critical Applications, DCCA-7, San Jose. IEEE Computer Society, January 1999.
[BCM+90] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and J. Hwang. Symbolic model checking: 10^20 states and beyond. In Fifth IEEE Symposium on Logic in Computer Science, Philadelphia, 1990.
[BG92] G. Berry and G. Gonthier. The Esterel synchronous programming language: design, semantics, implementation. Science of Computer Programming, 19(2):87-152, 1992.
[BORZ98] L. du Bousquet, F. Ouabdesselam, J.-L. Richier, and N. Zuanon. Lutess: testing environment for synchronous software. In Tool Support for System Specification Development and Verification. Advances in Computing Science, Springer, 1998.
[Bou98] A. Bouali. Xeve: an Esterel verification environment. In Tenth International Conference on Computer-Aided Verification, CAV'98, Vancouver (B.C.), June 1998. LNCS 1427, Springer Verlag.
[CBM89] O. Coudert, C. Berthet, and J. C. Madre. Verification of synchronous sequential machines based on symbolic execution. In International Workshop on Automatic Verification Methods for Finite State Systems, Grenoble. LNCS 407, Springer Verlag, 1989.
[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM TOPLAS, 8(2), 1986.
[DR94] R. De Simone and A. Ressouche. Compositional semantics of Esterel and verification by compositional reductions. In D. Dill, editor, 6th International Conference on Computer Aided Verification, CAV'94, Stanford, June 1994. LNCS 818, Springer Verlag.
[Hal93] N. Halbwachs. Synchronous programming of reactive systems. Kluwer Academic Pub., 1993.
[HCRP91] N. Halbwachs, P. Caspi, P. Raymond, and D. Pilaud. The synchronous dataflow programming language Lustre. Proceedings of the IEEE, 79(9):1305-1320, September 1991.
[HLR93] N. Halbwachs, F. Lagnier, and P. Raymond. Synchronous observers and the verification of reactive systems. In M. Nivat, C. Rattray, T. Rus, and G. Scollo, editors, Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente, June 1993. Workshops in Computing, Springer Verlag.
[HPR97] N. Halbwachs, Y. E. Proy, and P. Roumanoff. Verification of real-time systems using linear relation analysis. Formal Methods in System Design, 11(2):157-185, August 1997.
[JPV95] L. J. Jagadeesan, C. Puchol, and J. E. Von Olnhausen. Safety property verification of Esterel programs and applications to telecommunication software. In P. Wolper, editor, 7th International Conference on Computer Aided Verification, CAV'95, Liege (Belgium), July 1995. LNCS 939, Springer Verlag.
[LDBL93] M. Le Borgne, Bruno Dutertre, Albert Benveniste, and Paul Le Guernic. Dynamical systems over Galois fields. In European Control Conference, pages 2191-2196, Groningen, 1993.
[LGLL91] P. Le Guernic, T. Gautier, M. Le Borgne, and C. Le Maire. Programming real time applications with Signal. Proceedings of the IEEE, 79(9):1321-1336, September 1991.
[Mar98] B. Marre. Test data selection for reactive synchronous software. In Dagstuhl-Seminar-Report 223: Test Automation for Reactive Systems - Theory and Practice, September 1998.
[MHMM95] M. Mullerburg, L. Holenderski, O. Maffeis, and M. Morley. Systematic testing and formal verification to validate reactive programs. Software Quality Journal, 4(4):287-307, 1995.
[QS82] J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in Cesar. In International Symposium on Programming. LNCS 137, Springer Verlag, April 1982.
[RHR91] C. Ratel, N. Halbwachs, and P. Raymond. Programming and verifying critical systems by means of the synchronous data-flow programming language Lustre. In ACM-SIGSOFT'91 Conference on Software for Critical Systems, New Orleans, December 1991.
[RWNH98] P. Raymond, D. Weber, X. Nicollin, and N. Halbwachs. Automatic testing of reactive systems. In 19th IEEE Real-Time Systems Symposium, Madrid, Spain, December 1998.
[VW86] M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Symposium on Logic in Computer Science, June 1986.