October 29, 2004SAVCBS04 Presented by: Gaoyan Xie CTL Model-checking for Systems with Unspecified Components Gaoyan Xie and Zhe Dang School of Electrical.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Global States.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
DETAILED DESIGN, IMPLEMENTATIONA AND TESTING Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Timed Automata.
Software Failure: Reasons Incorrect, missing, impossible requirements * Requirement validation. Incorrect specification * Specification verification. Faulty.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Review of the automata-theoretic approach to model-checking.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
System/Software Testing
Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
Lecture 05: Theory of Automata:08 Kleene’s Theorem and NFA.
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
1 Qualitative Reasoning of Distributed Object Design Nima Kaveh & Wolfgang Emmerich Software Systems Engineering Dept. Computer Science University College.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
CTL Model-checking for Systems with Unspecified Components Summer-1384 Hajar Niamehr Neda Noroozi.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Verification & Validation By: Amir Masoud Gharehbaghi
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Software Testing and Quality Assurance 1. What is the objectives of Software Testing?
SOFTWARE TESTING. Introduction Software Testing is the process of executing a program or system with the intent of finding errors. It involves any activity.
An Introduction to Simulated Annealing Kevin Cannons November 24, 2005.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
Quality Assurance in the Presence of Variability Kim Lauenroth, Andreas Metzger, Klaus Pohl Institute for Computer Science and Business Information Systems.
Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology.
From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.
1 Software Testing. 2 What is Software Testing ? Testing is a verification and validation activity that is performed by executing program code.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Software Testing.
Copyright © Cengage Learning. All rights reserved.
CSCI1600: Embedded and Real Time Software
Translating Linear Temporal Logic into Büchi Automata
Presentation transcript:

October 29, 2004SAVCBS04 Presented by: Gaoyan Xie CTL Model-checking for Systems with Unspecified Components Gaoyan Xie and Zhe Dang School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164, USA

SAVCBS04 Motivation Challenges to the quality assurance of component-based systems: Externally obtained components may be new sources of system failures Safely upgrading a deployed component is extremely difficult Example: The Ariane 5 disaster was caused by reusing certain software module from Ariane 4 without sufficiently testing it in the new environment

SAVCBS04 Two Dimensions of The Possible Solutions Methodologies Compositional approaches conventional, used most often Bottom-up, from components to systems Decompositional approaches not many can be automated Top-down, from systems to components Techniques Software Testing A trial and error technique Integration/system testing is often needed at the system level Model-checking: A formal and usually complete technique The assume-guarantee paradigm is often used for system-level verification

SAVCBS04 Testing a Component in Isolation Before it is released By component developers By third-party labs component certification Difficulty: A component may target a wide scope of deployment environments, which may not be tried out When it is integrated into a system By system developers Expensive: A component is usually built with multiple sets of functionalities Infeasible: The state space of a components interface may be too large to be thoroughly tested

SAVCBS04 Testing A Component-based System (CBS) Integration/system testing Difficulties : Components within a CBS may run concurrently Even inside a component may have multi-threads running concurrently, and Concurrency is notoriously difficult to test Locating the source of a bug is not easy! Feasibility : A component may be used for dynamic upgrading a running system, which may not be stopped for testing

SAVCBS04 Model-checking Checks whether a finite-state system is a model of a given temporal formula Requires a complete and formal specification of the finite-state system Not always possible: design details or source codes of components in a CBS are generally unavailable The assume-guarantee paradigm is often used for system-level verification A compositional approach Requires an assumption for the environment of a module

SAVCBS04 The Research Problem A different perspective How to ensure that a component functions correctly in a specific deployment environment (which is called a host system ) A model-checking problem Given a host system M with an unspecified component X and a CTL formula f, check whether f is a model of (M, X): (M, X) = f

SAVCBS04 Basic Ideas Goal Seek a definite answer (no approximation) to the model-checking problem, i.e., (M, X) = f Solution Automatically deduce a sufficient and necessary condition over the unspecified component Check the condition through testing the unspecified component

SAVCBS04 The System Model A system Sys= (M, X) consists of a host system M and an unspecified component X The host system M is a well-specified finite state transition system The unspecified component X can be viewed as a deterministic Mealy machine Internal detail of X is unknown Interface ( input/output symbols) and an upper bound for the number of states in X are known An implementation of X is available for testing M and X run concurrently and communicate with each other by synchronizing over Xs input/output symbols

SAVCBS04 An Example s0s0 s1s1 s2s2 s4s4 msg? send/yes ack/yes send/no ack/yes msg? Comm data ack yes no Host system M Check: starting from state s 0, is state s 3 reachable? (M, Comm), s 0 = E[true U s 3 ] s3s3 s3s3

SAVCBS04 Check: starting from state s 0, is state s 3 reachable? M, s 0 = E[true U s 3 ] s0s0 s1s1 s2s2 s4s4 s3s3 Transition system M An Example contd.

SAVCBS04 Check: starting from state s 0, is state s 3 reachable? M, s 0 = E[true U s 3 ] Search the graph to see whether there is a path between s 0 and s 3 s 0 s 1 s 4 s 3 is such a witness path s0s0 s1s1 s2s2 s4s4 s3s3 Transition system M An Example contd.

SAVCBS04 s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Comm send ack yes no Test Comm to see whether the communication trace along the path can be accepted by Comm: Will send/no, ack/yes be a successful test case for Comm? Host system M Check: starting from state s 0, is state s 3 reachable? (M, Comm), s 0 = E[true U s 3 ] Search the graph to see whether there is a path between s 0 and s 3 Is s 0 s 1 s 4 s 3 still a witness path? An Example contd.

SAVCBS04 s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Infinite number of paths could be witness path: s 0 s 1 s 2 s 1 s 4 s 3, s 0 s 1 s 2 s 3, s 0 s 1 s 2 s 1 s 2 …s 3,… Infinite number of communication traces need to be tested: send/yes send/no ack/yes, send/yes ack/yes, send/yes send/yes…ack/yes, … Comm send ack yes no Host system M An Example contd.

SAVCBS04 s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Use an annotated directed graph G h (called witness graph) to represent all those communication traces The original model-checking problem is: True, if one of the communication traces in G h is a successful test case for Comm False, if none of the communication traces in G h is a successful test case for Comm s1s1 s2s2 s4s4 s3s3 send/yes ack/yes send/no ack/yes Host system M Witness graph G h An Example contd.

SAVCBS04 An Example contd. How to handle communication traces with infinite length? A result from traditional black-box testing: An equivalent internal structure of a black-box can be recovered through testing if only an upper bound for its number of states is known This result implies that Only communication traces with bounded length need to be tested The bound can be calculated from the number of states in M and the upper bound for the number of states in Comm

SAVCBS04 Our Algorithm The original CTL model-checking algorithm for checking M = f: Goes through a series of stages. A subformula h of f is processed at each stage: h is added to the labels of a state s if h is true at s Returns true if s 0 is labeled with f, or false otherwise Our algorithm adapts the original algorithm to handle systems with unspecified components. It follows a similar structure, except that during each stage for subformula h, the labeling of a state s is far more complicated

SAVCBS04 Our Algorithmcontd. A state s could be labeled with 1 if h is true at s and the truth has nothing to do with communications A witness graph if h is an CTL operator and the truth of h at s depends on communication traces in the graph A logical combination of witness graphs if h is a logic combination of other formulas and the truth of h at s depends on communication traces in the graph For each CTL operator in h, a witness graph is constructed and associated with an ID (which begins from 2) A state is labeled with an ID expression (constructed from IDs and logic connectives, ) A labeling function L h is returned upon the completion of processing h

SAVCBS04 Our Algorithmcontd. The algorithm outline: ProcessCTL is the lableling process, it recursively handles the five cases of f:,, EX, EU, and EG by calling the procedures Negation, Union, ProcessEX, ProcessEU, and ProcessEG respectively Procedure CheckCTL(M, X, s 0, f) L f := ProcessCTL(M, f); If s 0 is labeled by L f Then If L f (s 0 ) = 1 Then Return true; Else Return TestWG(X, reset, s 0, L f (s 0 )); Endif Else Return false; Endif End Procedure The maximal length of communication traces to be tested is bounded by (k·n·m 2 ), where k is the number of CTL operators in the formula f, m is the upper bound for the number of states in the unspecified component X, and n is the number of states in the host system M

SAVCBS04 Another Example Check: starting from the initial state s 0, whenever the system reaches state s 2, it would eventually reach s 3 ; i.e., check (M, X), s 0 = AG(s 2 AF s 3 ) to be true s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Comm send ack yes no Host system M Taking a negation of the original problem, its equivalent to checking (M, X), s 0 = E[true U (s 2 EG s 3 )] to be false

SAVCBS04 Check (M, X), s 0 =E[true U(s 2 EG s 3 )] Step 1. Atomic subformula s 2 is processed by ProcessCTL, which returns a labeling function L 1 = {(s 2, 1)} s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Comm send ack yes no Host system M

SAVCBS04 Step 1. Atomic subformula s 2 is processed by ProcessCTL, which returns a labeling function L 1 = {(s 2, 1)} s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Comm send ack yes no Host system M Step 2. Atomic subformula s 3 is processed by ProcessCTL, which returns a labeling function L 2 = {(s 3, 1)} Check (M, X), s 0 =E[true U(s 2 EG s 3 )]

SAVCBS04 Step 1. Atomic subformula s 2 is processed by ProcessCTL, which returns a labeling function L 1 = {(s 2, 1)} s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Comm send ack yes no Host system M Step 2. Atomic subformula s 3 is processed by ProcessCTL, which returns a labeling function L 2 = {(s 3, 1)} Step 3. Subformula s 3 is processed by Negation, which returns a labeling function L 3 = {(s 0, 1), (s 1, 1), (s 2, 1), (s 4, 1)} Check (M, X), s 0 =E[true U(s 2 EG s 3 )]

SAVCBS04 Step 4. Subformula EG s 3 is processed by ProcessEG, which constructs a witness graph G 1 = with an ID 2 and returns a labeling function L 4 = {(s 0, 2), (s 1, 2), (s 2, 2)} s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? The host system M s0s0 s1s1 s2s2 send/yes Witness graph G 1 with ID 2 Check (M, X), s 0 =E[true U(s 2 EG s 3 )]

SAVCBS04 Step 4. Subformula EG s 3 is processed by ProcessEG, which constructs a witness graph G 1 = with an ID 2 and returns a labeling function L 4 = {(s 0, 2), (s 1, 2), (s 2, 2)} s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? The host system M s0s0 s1s1 s2s2 send/yes Witness graph G 1 with ID 2 Step 5. Subformula s 2 EG s 3 is processed by Negation and Union, which finally return a labeling function L 5 = {(s 2, 2)} Check (M, X), s 0 =E[true U(s 2 EG s 3 )]

SAVCBS04 Step 6. The formula E[true U (s 2 EG s 3 )] is processed by procedure ProcessEU, which constructs a witness graph G 2 = with an ID 3 and returns a labeling function L f = {(s 0, 3), (s 1, 3), (s 2, 3), (s 3, 3), (s 4, 3)} s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? The host system M s0s0 s1s1 s2s2 s4s4 s3s3 send/yes ack/yes send/no ack/yes Witness graph G 2 with ID 3 Check (M, X), s 0 =E[true U(s 2 EG s 3 )] L f (s 0 ) 1, this indicates that the truth of the original problem depends on communications. Then we shall see whether L f (s 0 ) can be evaluated to be true

SAVCBS04 Evaluate ID Expression L f (s 0 ) Evaluating L f (s 0 ) is a testing process with test-cases generated from the two witness graphs (details can be seen in the paper) Essentially, we are testing whether some communication trace (of bounded length) with m consecutive symbol pairs send yes is a successful test-case for the unspecified component X. s0s0 s1s1 s2s2 s4s4 s3s3 msg? send/yes ack/yes send/no ack/yes msg? Comm send ack yes no The host system M Errata: on page 6, in the paragraph above Note., … two consecutive symbol pairs … should be … m consecutive symbol pairs…

SAVCBS04 Summary A decompositional approach Reduces a system verification problem to a testing problem over the unspecified component A hybrid approach Combines model-checking with software testing techniques Advantages Stronger confidence about the reliability of the system Customization of testing over a component with respect to particular system requirement Reuse of intermediate verification results Automatic carrying out of the whole process Complete and sound algorithm with an appropriate bound

SAVCBS04 Related Work Specification-based testing [Heitmeyer et. al. 1999], generate test-cases from counter-examples produced by a model-checker Black-box checking [Peled et. al. 1999], test a single black-box against a given LTL formula Automatic assume-guarantee [Giannakopoulou et. al. 2004], automatic generation of assumptions of a component, uses a less expressive formalism (LTS) for properties Automatic deduction of model-checking conditions [Fisler et. al. 2001], has false negative [Xie & Dang 2004] LTL algorithms for systems with only one, finite-state unspecified component (FATES04) An automata-theoretic and decompositional approach to testing a system of concurrent black-boxes (submitted)

SAVCBS04 Ongoing Work Decompositional LTL model-checking Less-restricted system model Asynchronous communications Multiple unspecified components Unspecified components with infinite state space Case studies CORBA applications

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.