Verification & Validation Verification –from Latin veritas meaning truth. –Building the product right. Validation –from Latin Valere meaning to be worth.

Presentation transcript:

Verification & Validation
Verification
– from Latin veritas, meaning truth.
– Building the product right.
Validation
– from Latin valere, meaning to be worth.
– Building the right product.

Tools for V & V
Must be able to support
– modelling
– simulation
– state-space search
– testing
Must be scalable
Must be able to operate on different platforms
– Unix or Linux
– Windows NT
– Windows 95, 98

Example: Telelogic Tau
Modelling
– MSC (Message Sequence Chart): consists of entities and events occurring in time between those entities.
– SDL (Specification and Description Language): consists of a system defining the boundaries of the overall task. The system consists of components called blocks, which are connected by channels. The blocks can consist of blocks and/or processes. The processes are the actors of the system and are series of actions, changes or functions that bring about a particular result.

– TTCN (Tree and Tabular Combined Notation): a tree contained in a table. The tree is composed of texts having different indentations. Texts having the same indentation are at the same level in the tree. Each text is preceded by “?” (incoming event) or “!” (outgoing event).
– State Space Coverage: a graph that shows all the different combinations of inputs and outputs possible and their resulting transitions. It can be used to check for deadlocks and unspecified receptions.

Simulation
– Tau contains a simulator that allows the interactive inspection and checking of the system’s behavior.
State-space search
– A bit-state search or a random walk can be done with the validator in Tau. These explore the state space of the SDL system to find as many run-time errors as possible.
Testing
– TTCN link
– Autolink

Case study: Egg timer system An egg timer which boils an egg for the amount of time specified by the user.

SDL System Diagram A system defines a set of blocks and a set of channels through which interaction occurs between the environment and the system. Signals, signal lists and types are also defined.

SDL: Specification and Description Language
– Initially built for communicating systems
– Divides the specification into
  – Environment
  – System(s)
  – The Environment Border

Into the blocks Blocks are composed of processes or of other blocks. Each block eventually contains processes. The processes communicate with the environment of the block via signal routes.

Signals and Signal lists Signals are the means through which processes interact. Signals to and from the environment are declared at the system level. Signal lists group signals that are used in the same grouping at several places.

SDL A Whole system System Block Process Procedure

Inside an SDL System
Diagram annotations: Channel (and channel name); System name; Signals (Messages); Declarations; Signallist (set of messages); Newtype definitions.

SDL System Structure
Diagram annotations: Signals are shown in square brackets, separated by a comma; System blocks; Channel name; Signallists are declared like signals, but enclosed in parentheses; Environment of the system.

The EggTimer SDL Block Connection points (system channel names) Procedure declaration Process declarations General declarations (signals, types, vars) routes Signals

The Egg-Timer SDL Block Structure Processes At least 1 instance and at most 1 instance of this process Procedure Reference Displaying sends to the environment and receives from Timing etc...

SDL Process example State Initial state Initial transition Declarations Input Output If Procedure call Task Timer Input (or timeout)

SDL Declaration example
Diagram annotations: To say you’re declaring something; Identifier (instance name); Instance type; Initialization; Timer declaration; Timer Identifier.

SDL Transition example FROM WHEN ACTIONS SEND TO Local variable Parameters to send

SDL Tasks Incrementing or attributing a value Making a procedure call Setting the timer Set([NOW+], ) := [; <another task]

SDL Procedures (and operators) Formal Parameters Param modifier name and type Procedure Start Procedure return If first ‘seconds’ digit is 0 then go down, else go left Modifiers: IN - Parameter is an Input parameter OUT - Parameter is an Output parameter IN/OUT - Parameter is both IN and OUT

SDL Message Handling
Each process
– has one and only one message queue
– sends (by default) a message to the closest receiver (if the process itself is capable of receiving such a message, it will send to itself)
– the default sending procedure can be modified by VIA: TO: VIA TO

SDL Message Handling
This process queue has four possible messages:
– IncMinute
– StartTimer
– ResetTimer
– OneSecond
The first three are external messages, whereas OneSecond is an internal message, indicating when the clock has decreased by one second. There could be several other messages coming from other processes or other blocks.

Simulation Once a complete SDL system has been designed, the Tau tool allows us to simulate the system i.e. to inspect and check its behavior. After having generated an executable simulator, a simulator user interface can be started. It looks like the following:

Validation The validator is used to explore the state space to find errors or inconsistencies in the system. It can also be used to verify the system against requirements by running system level MSCs in the validator. An executable validator must be generated and the validator user interface can then be started.

Principles of Validation
i) Design
– User-centred view: scenarios, use-cases, MSCs; functional, blackbox, providing a service (or NOT), end to end
– guided execution in SDL high-level design
– refined design, re-run validation scenarios

SDL Guided execution
Using the Navigator in an SDL Validator tool.
Navigator display: Next i: Tr. Start Up 1 Next 1: Signal: OneMinuteBtn Next 2: Signal: StartBtn Next 2: Signal: ResetStopBtn Next 1: Tr. Start... Next 1:... Input: DisplayTime Sender: Timing:1 Parameter(s):1,0,0
By clicking on Next, we derive a scenario by following the state-space tree.

SDL Guided Execution (in MSC form)

Functional MSC for the previous EggTimer scenario
Executing this MSC in the Validator Tool, by clicking on “Verify MSC” and selecting the proper file, we obtain (as the system has been correctly specified): 1 report 1 MSC Verification MSC ValidatorTrace verified Depth: 7

Principles of Validation
ii) Test
– functional user interface tests in TTCN
[Figure: state diagram with states S1, S2, S3 and transitions labelled a, b, c, beside a TTCN test table (Test Name, Event a, Event b, pass)]
Tree and Tabular Combined Notation
– TTCN standard for formal test case descriptions
– Facilitates sharing of tests
– Eliminates ambiguities
– UNIX-based TTCN Workbench toolkit
– TTCN used for X.25, ISDN, CCS7, and many other protocols
– All PDU parameters specified
– All tests are formally assigned verdicts

Principles of Validation
ii) Test (cont’d)
basic syntax & semantics of TTCN (Tree and Tabular Combined Notation)
– Test Case Dynamic Behaviour
Test Case Name: Group: Purpose: Default:
Columns: Label, Behavior Description, Constr. Reference, Verdict, Remarks
A!X
A?Y
A!J
A?K (Verdict: Pass)
A?Z (Verdict: Fail; Remarks: Wrong Resp.)
A?Otherwise (Verdict: Inc.; Remarks: Test body not reached)
Extended Comments:

Principles of Verification i) Design –State-space search Process Chart Transition Chart State Space -transitions reduced state space

Principles of Verification
i) Design (cont’d)
– Possible outcomes
  – unspecified reception
  – queue overflow
  – deadlock
  – infinite livelock (no real progress)
– Random walk
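The state-space search and three of its possible outcomes, as an added example that is not part of the original slides or of Tau. It assumes a constructed two-process model (User and Timing, with a hypothetical Done signal) and bounded FIFO input queues, and searches every reachable global state breadth-first.

```python
from collections import deque
# Constructed model (not from the slides). Each entry maps (state, input) ->
# (next_state, [(receiver, signal), ...]); input None is a spontaneous step.
GOOD = {
    "User":   {("idle", None): ("waiting", [("Timing", "StartTimer")]),
               ("waiting", "Done"): ("idle", [])},
    "Timing": {("off", "StartTimer"): ("running", []),
               ("running", None): ("off", [("User", "Done")])},
}
# Faulty variant: Timing handles ResetTimer only while running, and sends no Done.
BAD = {
    "User":   {**GOOD["User"],
               ("waiting", None): ("resetting", [("Timing", "ResetTimer")]),
               ("resetting", "Done"): ("idle", [])},
    "Timing": {**GOOD["Timing"], ("running", "ResetTimer"): ("off", [])},
}
INIT = {"User": "idle", "Timing": "off"}

def explore(model, init, qmax=2):
    """Exhaustive breadth-first search; returns (state count, findings)."""
    names = sorted(model)
    start = (tuple(init[n] for n in names), tuple(() for _ in names))
    seen, todo, findings = {start}, deque([start]), set()
    while todo:
        locs, queues = todo.popleft()
        succs = []
        for i, n in enumerate(names):
            for sig in [None] + list(queues[i][:1]):  # spontaneous or queue head
                tr = model[n].get((locs[i], sig))
                if tr is None:
                    if sig is None:
                        continue
                    findings.add(("unspecified reception", n, locs[i], sig))
                    tr = (locs[i], [])  # assumption: SDL-style implicit discard
                q = [list(x) for x in queues]
                if sig is not None:
                    q[i].pop(0)
                for dest, out in tr[1]:
                    q[names.index(dest)].append(out)
                if any(len(x) > qmax for x in q):
                    findings.add(("queue overflow", n, locs[i], sig))
                    continue
                new_locs = locs[:i] + (tr[0],) + locs[i + 1:]
                succs.append((new_locs, tuple(map(tuple, q))))
        if not succs:  # no process can move: deadlock
            findings.add(("deadlock", locs, queues))
        todo.extend(s for s in succs if s not in seen)
        seen.update(succs)
    return len(seen), findings
```

Calling `explore(BAD, INIT)` reports all three error kinds, while `explore(GOOD, INIT)` visits four states and reports nothing.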

Principles of Verification
ii) Test
– Conformance Testing (TTCN)
  – preamble
  – test step
  – verification sequence
  – postamble

Principles of Verification
Structure of a Transition Test Case for Conformance Testing
– PREAMBLE: Initialization to Preamble State
– TEST BODY: Application of Test Stimulus and Confirmation of System Response
– VERIFICATION: Confirmation of Post-Transition State
– POSTAMBLE: Reset to Stable State for Next Test

Principles of Verification
Represent the path S1 → S3 → S4, with transitions a/X and b/Y, as a sequence of user actions and system responses, starting in state 1 and finishing in state 4.
In TTCN: +Preamble(S1) !a ?X !b ?Y +Verify(S4) PASS * FAIL * Inconclusive
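The four-part transition test case above, run against a black-box implementation, as an added example that is not part of the original slides and is plain Python rather than TTCN. The start state S0 and the init/ready and probe/inN exchanges are hypothetical names introduced so that the preamble and the state verification have something to send.

```python
class IUT:
    """Implementation under test: the tester sees only send() and reset()."""
    def __init__(self, table, start="S0"):
        self._table, self._start, self._state = table, start, start

    def reset(self):
        self._state = self._start

    def send(self, stimulus):
        # Unknown stimuli produce no response and leave the state unchanged.
        out, self._state = self._table.get((self._state, stimulus),
                                           (None, self._state))
        return out

# Specification as {(state, stimulus): (response, next_state)}; constructed.
SPEC = {("S0", "init"): ("ready", "S1"),
        ("S1", "a"): ("X", "S3"), ("S3", "b"): ("Y", "S4"),
        ("S1", "probe"): ("in1", "S1"), ("S3", "probe"): ("in3", "S3"),
        ("S4", "probe"): ("in4", "S4")}
OUTPUT_FAULT = {**SPEC, ("S3", "b"): ("Z", "S4")}         # wrong response
TRANSFER_FAULT = {**SPEC, ("S3", "b"): ("Y", "S3")}       # right response, wrong state
BROKEN_PREAMBLE = {**SPEC, ("S0", "init"): ("busy", "S0")}

def run_step(iut, events):
    """Send each stimulus (!) and compare the response (?) with the expectation."""
    return all(iut.send(stim) == resp for stim, resp in events)

def transition_test(iut):
    """Returns (verdict, phase that decided it) for the S1 -> S3 -> S4 test."""
    try:
        if not run_step(iut, [("init", "ready"), ("probe", "in1")]):
            return ("INCONCLUSIVE", "preamble")    # test body not reached
        if not run_step(iut, [("a", "X"), ("b", "Y")]):
            return ("FAIL", "test body")           # wrong response
        if not run_step(iut, [("probe", "in4")]):
            return ("FAIL", "verification")        # wrong post-transition state
        return ("PASS", "verification")
    finally:
        iut.reset()                                # postamble: back to stable state
```

The transfer fault passes the test body and is caught only by the verification step, which is why the state check is a separate part of the test case.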

Industrial Strength Tool Support
Value added
– MSC coverage and test coverage.
– auto test generation.
– reverse engineering can be done to a certain extent.
– provides graphics editor (MSC & SDL).
– provides editor for TTCN (ITEX).