CTL Model-checking for Systems with Unspecified Components Summer-1384 Hajar Niamehr Neda Noroozi.

Outline
- Introduction to component-based systems
- Problem definition in unspecified component-based system verification
  - Testing options
  - Formal verification methods
- Model checking driven black-box testing
  - System model
  - Related procedures of verification
  - Examples

Introduction
Component-based software development has gained great popularity in building large software systems.
- Advantages
  - Reusing valuable software assets
  - Reducing development costs
  - Improving productivity
- Disadvantages
  - Serious challenges in quality assurance
  - A prefabricated component could be a new source of system failures

Problem
How to ensure that a component functions correctly in the host system where the component is deployed?

Assurance of component functionality
When integrating a component into a system, system developers could:
- Trust the component provider's claim and go ahead and use it.
- Extensively retest the component alone. Software components are generally built with multiple sets of functionality, and testing all the functionality of a software component is
  - expensive;
  - infeasible, considering the potentially huge state space of the component interface.
- Hook the component to the system and conduct integration testing. This option is not always applicable, because software components could be applied for dynamically upgrading or extending a running system that is costly or not supposed to shut down for retesting at all.

Formal verification techniques
Testing-based strategies are not sufficient to solve the problem for critical systems. We need formal methods like model checking!

Formal verification techniques cont.
Formal verification techniques are not directly applicable, because
- the design details, and
- the source code
of the component are not available to the developers of the host system.

Verification of systems with unspecified components
A new approach: model-checking driven black-box testing.
Advantages:
- Strong confidence about the reliability of the system
- System developers can customize the testing with respect to specific system properties
- Intermediate model-checking results can be reused to avoid integration testing

The System Model
Consider a system with only one unspecified component:
- M: the host system
- X: an unspecified component
Both M and X are finite-state transition systems communicating synchronously with each other via a finite set of input and output symbols.

System Model cont.
X is defined as a deterministic Mealy machine whose internal structure is unknown. X is given as a triple ⟨Σ, ∇, m⟩:
- Σ: the set of X's input symbols
- ∇: the set of X's output symbols
- m: an upper bound for the number of states in X (m is given)
A run of X is a sequence of alternating input-output symbols, α_0 β_0 α_1 β_1 …, such that, starting from the initial state s_init.

System Model cont.
The host system M is defined as a 5-tuple ⟨S, Γ, R_env, R_comm, I⟩:
- S: a finite set of states
- Γ: a finite set of events
- R_env ⊆ S × Γ × S defines the set of environment transitions
- R_comm ⊆ S × Σ × ∇ × S defines the set of communication transitions
- I ⊆ S is the set of M's initial states

System Model cont.
An execution path of the system can be represented as a sequence ζ of states and symbols, s_0 c_0 s_1 c_1 …, where
- each s_i ∈ S;
- each c_i is either a symbol in Γ or a pair α_i β_i.
ζ satisfies the following requirements:
- s_0 is an initial state of M;
- for each c_i ∈ Γ, (s_i, c_i, s_{i+1}) is an environment transition of M;
- for each c_i = α_i β_i, (s_i, α_i, β_i, s_{i+1}) is a communication transition of M.

System Model cont.
The communication trace of ζ, denoted by ζ_X, is the sequence obtained from ζ by retaining only the symbols in Σ and ∇. For any given state s ∈ S, we say that the system Sys can reach s iff Sys has an execution path ζ on which s appears and ζ_X (if not empty) is also a run of X.

An example system

Model-checking driven black-box testing
The question is whether ⟨M, X⟩ ⊨ f holds, where f is a CTL formula specifying some requirement for the system.
- The model-checking procedure derives from M and f a condition P over the component X.
- The system satisfies f iff P is satisfied by X.
- The condition P over the component X is checked through adequate black-box testing.
- The condition P is in the form of a communication graph, called a witness graph.

Ideas
For each subformula h of the form EX g, E[g_1 U g_2] or EG g, a witness graph (WG) is constructed.
- It represents exactly all the paths that witness h being true at some state.
- If k is the total number of CTL operators in f, the algorithm constructs k WGs, numbered from 2 to k+1 (1 is reserved for true).
- The ID number of h's WG is used in the labels of states.
If h is of the form ¬ or ∨, the states where h holds are labeled with ID expressions:
- ID := 1 | 2 | … | k+1
- Ψ := ID | ¬Ψ | Ψ ∨ Ψ
Ψ is the set of all ID expressions.
- L_h : S → Ψ is the labeling function that records the ID expression of each state for each subformula h.

The Algorithm for solving the CTL Problem

Processing the CTL Formula

Processing the CTL Formula: HandleUnion and HandleNegation
HandleUnion
- If state s is in both L_g1's and L_g2's domain, L_h labels s with 1 if either L_g1 or L_g2 labels s with 1, and labels s with the ID expression L_g1(s) ∨ L_g2(s) otherwise;
- If state s is in L_g1's domain but not in L_g2's domain, L_h labels s with L_g1(s).
HandleNegation
- If state s is not in the domain of L_g, L_h labels s with 1;
- If state s is in the domain of L_g but is not labeled with 1 by L_g, L_h labels s with the ID expression ¬L_g(s).

Processing the CTL Formula: HandleEX
If state s has a successor s′ in the domain of L_g:
- if s′ is reachable through an environment transition and s′ is labeled with 1 by L_g, then L_h also labels s with 1;
- otherwise L_h labels s with the current value of the global variable id.
The witness graph of EX g is created as a triple in which N is a set of nodes and E is a set of annotated edges.

Processing the CTL Formula: HandleEX cont.
The witness graph is created as follows:
- Add one node to N for each state that is in the domain of L_g.
- Add one node to N for each state that has a successor in the domain of L_g.
- Add one edge between two nodes in N to E when M has a transition between the two states; if the transition involves a communication with X, annotate the edge with the communication symbols.
- Increase the global variable id by 1 (since one new witness graph has been created).

Processing the CTL Formula: HandleEU
The labeling function is constructed recursively:
- First, L_h labels each state s in the domain of L_g2 with L_g2(s).
- Second, if state s has a successor s′ in the domain of L_h:
  - if s and s′ are labeled with 1 by L_g1 and L_h respectively, and s can reach s′ through an environment transition, then L_h also labels s with 1;
  - otherwise L_h labels s with the current value of the global variable id.
Notice that, in the second step, if a state s can be labeled with both 1 and the current value of id, L_h labels s with 1.

Processing the CTL Formula: HandleEU cont.
The witness graph is created as a 4-tuple:
- N is a set of nodes, constructed by adding one node for each state that is in the domain of L_h;
- E is a set of edges, constructed in the same way as in HandleEX.
At last the global variable id is increased by 1.

Processing the CTL Formula: HandleEG
The labeling function L_h is constructed as follows. For a state s that can reach a loop C through a path p such that every state (including s) on p and C is in the domain of L_g:
- if every state (including s) on p and C is labeled with 1 by L_g, and no communications are involved on the path and the loop, then L_h also labels s with 1;
- otherwise L_h labels s with the current value of the global variable id.
The witness graph is created as a triple; the graph is constructed in the same way as in HandleEU.
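The following Python code is an added example, not code from the slides or from Xie and Dang's tool. It implements the labeling steps HandleNegation, HandleUnion and HandleEX over a small constructed host system M, builds the EX witness graph (nodes plus annotated edges) and evaluates an ID expression once black-box testing has produced a verdict for each witness graph. The host system, the proposition g (taken to hold exactly at s2) and the encoding of ID expressions as 1, an integer id, ("not", ψ) or ("or", ψ1, ψ2) are assumptions of the example. The point to observe is where a definite 1 appears: only when the witnessing transition is an environment transition. Every witness that passes through the unverified component X turns into an obligation, named by a witness-graph id, that testing of X must later discharge.

```python
"""Labeling steps of CheckCTL (HandleNegation, HandleUnion, HandleEX) with
witness-graph construction. Added example, not code from the slides or from
Xie and Dang; the host system M, the proposition g and the encoding of ID
expressions are this example's assumptions.

Labels: 1 means h definitely holds at the state; an integer id > 1 names a
witness graph; ("not", psi) and ("or", psi1, psi2) are the other ID expressions.
"""

# Constructed host system M.
STATES = {"s0", "s1", "s2", "s3"}
# Environment transitions (s, event, s'): no interaction with X.
R_ENV = {("s0", "e", "s1"), ("s1", "e", "s2")}
# Communication transitions (s, alpha, beta, s'): M sends alpha to X and the
# move exists only if X answers beta, which cannot be known without testing.
R_COMM = {("s0", "a", "b", "s3"), ("s3", "a", "c", "s2")}


def successors(s):
    """Yield (s', annotation): None for an environment move, (alpha, beta)
    for a communication move."""
    for p, _, q in sorted(R_ENV):
        if p == s:
            yield q, None
    for p, a, b, q in sorted(R_COMM):
        if p == s:
            yield q, (a, b)


class Checker:
    """Keeps the global id counter and the witness graphs built so far."""

    def __init__(self):
        self.next_id = 2          # id 1 is reserved for "true"
        self.witness_graphs = {}

    def handle_negation(self, lg):
        lh = {}
        for s in STATES:
            if s not in lg:
                lh[s] = 1                     # g definitely fails here
            elif lg[s] != 1:
                lh[s] = ("not", lg[s])        # depends on testing of X
            # states labeled 1 by lg definitely violate not g: left unlabeled
        return lh

    def handle_union(self, lg1, lg2):
        lh = {}
        for s in set(lg1) | set(lg2):
            if s in lg1 and s in lg2:
                lh[s] = 1 if 1 in (lg1[s], lg2[s]) else ("or", lg1[s], lg2[s])
            else:
                lh[s] = lg1[s] if s in lg1 else lg2[s]
        return lh

    def handle_ex(self, lg):
        """Label EX g and build its witness graph (id, N, E)."""
        lh, wg_id = {}, self.next_id
        for s in STATES:
            succ = [(q, ann) for q, ann in successors(s) if q in lg]
            if not succ:
                continue
            if any(ann is None and lg[q] == 1 for q, ann in succ):
                lh[s] = 1          # witnessed without talking to X
            else:
                lh[s] = wg_id      # the witness goes through X: test later
        nodes = set(lg) | set(lh)
        edges = {(p, q, ann) for p in nodes for q, ann in successors(p) if q in nodes}
        self.witness_graphs[wg_id] = {"N": nodes, "E": edges}
        self.next_id += 1
        return lh


def evaluate(psi, verdicts):
    """Evaluate an ID expression once black-box testing has produced a
    verdict (True/False) for each witness graph id."""
    if psi == 1:
        return True
    if isinstance(psi, int):
        return verdicts[psi]
    if psi[0] == "not":
        return not evaluate(psi[1], verdicts)
    return evaluate(psi[1], verdicts) or evaluate(psi[2], verdicts)


def demo():
    """g holds exactly at s2; label EX g, not EX g and g or not EX g."""
    chk = Checker()
    lg = {"s2": 1}
    l_ex = chk.handle_ex(lg)
    l_not = chk.handle_negation(l_ex)
    l_or = chk.handle_union(lg, l_not)
    return chk, l_ex, l_not, l_or


if __name__ == "__main__":
    chk, l_ex, l_not, l_or = demo()
    print(l_ex)                        # {'s1': 1, 's3': 2}
    print(chk.witness_graphs[2]["E"])  # the s3 -> s2 edge carries ('a', 'c')
```

In the run, s1 is labeled 1 for EX g because its move to s2 is an environment transition, while s3 gets id 2: its only witness is the communication a/c with X, so whether EX g holds at s3 is exactly the question the witness graph with id 2 later asks the component. Negation and union never create a witness graph; they only combine existing ids into ¬ and ∨ expressions, which evaluate() resolves after testing.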

Testing a Witness Graph
The algorithm CheckCTL
- gives a definite "yes" or "no" answer,
- or reduces the problem to checking whether the ID expression Ψ labeled to s_0 can be evaluated true at that state.
The evaluation is carried out by the following recursive procedure TestWG, after an input sequence π has been accepted by the component X.

Testing a Witness Graph: TestEX
For checking whether an EX witness graph G can be evaluated true at a state s_0:
- test whether the system M can reach from s_0 another state s′ ∈ dom(L_g) through a transition in G such that the ID expression L_g(s′) can be evaluated true at s′.

Testing a Witness Graph: TestEU
For checking whether an EU witness graph G can be evaluated true at a state s_0:
- traverse all paths p in G with length less than m·n, where
  - m is an upper bound for the number of states in the unspecified component X,
  - n is the maximal number of communications on all simple paths between s_0 and s′;
- test the unspecified component X to see whether the system can reach some state s′ ∈ dom(L_g2) through one of those paths;
- in the meantime, also check whether L_g2(s′) can be evaluated true at s′ and whether L_g1(s_i) can be evaluated true at each s_i on p (excluding s′), by calling TestWG.

Testing a Witness Graph: TestEG
For checking whether an EG witness graph G can be evaluated true at a state s_0, it is sufficient to find an infinite path in G along which the system can run forever. Procedure TestEG
- first decomposes G into a set of SCCs;
- then, for each state s_f in the SCCs, calls another procedure SubTestEG to test whether the system can reach s_f from s_0 along a path not longer than m·n, as well as whether the system can further reach s_f from s_f m−1 times.

Example
The EG witness graph:

References
1. G. Xie, Z. Dang, CTL Model-checking for Systems with Unspecified Components, 3rd Workshop on Specification and Verification of Component-based Systems at ACM SIGSOFT, California, October 31-November 1.
2. G. Xie, Decompositional Verification of Component-based Systems: A Hybrid Approach, 19th IEEE International Conference on Automated Software Engineering (ASE'04 Doctoral Symposium), Linz, Austria, September 20.
3. D. Hung, D. Vu Anh, Model Checking Component Based Systems with Black-box Testing, International Institute for Software Technology, October.
4. D. Hung, D. Vu Anh, Model Checking Real-time Component Based Systems With Black-box Testing.
5. N. Aguirre, T. Maibaum, Hierarchical Temporal Specifications of Dynamically Reconfigurable Component Based Systems, FESA.
6. G. Xie, Z. Dang, Model Checking Driven Blackbox Testing Algorithms for Systems with Unspecified Components, 2004.