Formal Verification and Testing for Reactive Systems - PowerPoint PPT Presentation


SLIDE 1

ARTIST2 - MOTIVES
Trento - Italy, February 19-23, 2007
Session: Testing and Runtime Verification

Vlad Rusu, INRIA Rennes, France

Formal Verification and Testing for Reactive Systems

SLIDE 2

Formal verification: proving correctness

  • Verification by “paper/pencil”
  • Algorithmic techniques
    – Model checking
    – Abstract interpretation
  • Deductive techniques
    – Interactive theorem proving
  • Various combinations of the above.

SLIDE 3

Testing: finding errors

  • What is available for testing:
    – White box: source code
    – Black box: executable code
  • What is tested:
    – Functional (against specification/oracle)
    – Structural (against coverage criteria)
    – Robustness, performance, real time…

SLIDE 4

Combining verification and testing: best of both worlds?

  • Testing using verification techniques

White box

  • Using a model checker to derive structural tests [Ammann][Heitmeyer]
  • Definition of coverage using temporal logic/observers [Lee][Jonsson]
  • Abstraction for structural testing: “predicate coverage” [Henzinger], “abstract path coverage” [Ball]

Black box

  • Test generation for conformance using model checking techniques [Jard, Jéron] [Brinksma, Tretmans]
  • Test generation for conformance using symbolic techniques [Le Gall] [Jéron, Rusu]
  • Test generation for temporal-logic properties using model checking [Fernandez]

  • Combining verification and testing: the ESC/Java toolset

SLIDE 5

Outline

  • A closer look at verification vs. conformance testing
  • Verification: the many ways to reachability
  • Conformance testing: the ioco relation and symbolic test generation
  • Integrating verification and conformance testing
  • Conclusion and perspectives.

SLIDE 6

Formal Verification

Properties: P
Specification: S

Satisfaction (S ⊨ P)

SLIDE 7

Verification Problem: S ⊨ P

  • Can be reformulated as a reachability problem on the product S × ¬P
  • Basic operations involved:
    – Product
    – Complementation (determinisation)
    – Reachability.

SLIDE 8

Conformance Testing

Specification: S
Implementation: I

Conforms-to (ioco [Tretmans])

SLIDE 9

Conformance Testing Problem: I ioco S

  • Reformulated as a reachability problem on the parallel composition I ∥ test(S)
  • Basic operations required:
    – Parallel composition
    – Complementation (determinisation)
    – Reachability.

SLIDE 10

Verification vs. Conformance Testing

  • Same basic operations involved
  • Verification: all formal models & reasoning
    – Can prove or disprove satisfaction relation
  • Conformance testing: model of I unknown
    – Can only disprove conformance relation.

SLIDE 11

Verification and Conformance Testing

[Diagram: Properties P (possibility, safety) and Specification S, linked by Verification; Specification S and Implementation I, linked by Testing.]

SLIDE 12

Verification: Reachability

[Diagram: initial states, the unknown set of reachable states (???), final states.]

SLIDE 13

Computing sets of reachable states

For certain classes of models (finite automata, timed automata, classes of hybrid automata…)

SLIDE 14

If exploration does not terminate…

SLIDE 15

Refine approximation

Success story in formal verification

  • Cf. SLAM (Microsoft)

Still an active research domain
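
Slides 12 to 15 describe exact reachability exploration that may not terminate and approximation as the way out; slide 26 later uses an under-approximation to prove reachability and an over-approximation to disprove it. The following Python example is added here and is not part of the presentation. It works on a constructed toy model (an unbounded counter with the single transition x := x + 1, an assumption not taken from the slides): bounded breadth-first exploration plays the role of the under-approximation, and an interval abstraction with widening plays the role of the over-approximation.

```python
from collections import deque

INF = float("inf")

def step(x):
    """Concrete transition relation of the toy model (constructed): the only successor of x is x + 1."""
    return [x + 1]

def explore_bounded(init, bad, step_fn, max_states):
    """Under-approximation: breadth-first forward exploration that gives up after
    max_states states. Returns ('reachable', path) when a bad state is found,
    ('unreachable', None) when the reachable set closed, and ('inconclusive', None)
    when the cut-off was hit, i.e. the exploration would not have terminated."""
    seen = {init}
    queue = deque([(init, (init,))])
    while queue and len(seen) <= max_states:
        s, path = queue.popleft()
        if bad(s):
            return "reachable", path
        for t in step_fn(s):
            if t not in seen:
                seen.add(t)
                queue.append((t, path + (t,)))
    return ("unreachable", None) if not queue else ("inconclusive", None)

def interval_post(iv):
    """Abstract transformer of x := x + 1 on an interval (lo, hi)."""
    lo, hi = iv
    return (lo + 1, hi + 1)

def widen(old, new):
    """Interval widening: a bound that is still moving is pushed to infinity,
    which is what makes the abstract iteration terminate."""
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)

def abstract_reach(init_iv, post, max_iter=50):
    """Over-approximation: iterate reach := widen(reach, reach join post(reach)) until
    stable. The result contains every concretely reachable state (and possibly more)."""
    reach = init_iv
    for _ in range(max_iter):
        nxt = post(reach)
        joined = (min(reach[0], nxt[0]), max(reach[1], nxt[1]))   # interval join
        new = widen(reach, joined)
        if new == reach:
            return reach
        reach = new
    raise RuntimeError("no fixpoint within max_iter iterations")

def disproved_by(reach, bad_lo, bad_hi):
    """Bad states given as the interval [bad_lo, bad_hi]: if it is disjoint from the
    abstract fixpoint they are provably unreachable. Overlap proves nothing, and the
    approximation would have to be refined (slide 15)."""
    return bad_hi < reach[0] or bad_lo > reach[1]

if __name__ == "__main__":
    # The under-approximation proves that x == 5 is reachable, with a concrete witness path ...
    print(explore_bounded(0, lambda x: x == 5, step, 1000))
    # ... but cannot close the unbounded state space, so it cannot disprove x < 0.
    print(explore_bounded(0, lambda x: x < 0, step, 1000))
    # The over-approximation with widening reaches [0, +inf) in two iterations and disproves x < 0.
    fix = abstract_reach((0, 0), interval_post)
    print(fix, disproved_by(fix, -INF, -1))
```

The two results together are the point of slide 26's methodology: a finite exploration can only return a witness or "inconclusive", while the widened interval closes the fixpoint computation and turns "inconclusive" into a proof of unreachability for any bad set that lies outside it.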

SLIDE 16

Verification by Theorem Proving: “Invariant Strengthening”

  • Goal: find a predicate Θ that
    – is invariant (closed) under →
    – includes the initial states
    – does not intersect the final (bad) states
  • Start with Θ = …
    – Failed invariance proofs yield auxiliary predicates A
    – Continue with Θ := Θ ∧ ¬A until proof (or… too tired)
  • Also with compositional reasoning, partial-order reduction:
    – SSCOP protocol (3 months) [Computer Journal’06].
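
The strengthening loop of slide 16 can be exercised without a theorem prover on a finite-state model, where the three proof obligations (initial states included, closure under the transition relation, no intersection with the bad states) are checked by enumeration. The Python example below is added here and is not the SSCOP study or any tool from the presentation; its model (two integers x, y stepping x := x + 1, y := y + 2 modulo a bound, bad states y == 3), the starting predicate Θ = ¬Bad and the auxiliary predicate A = "y is odd" are all constructed assumptions.

```python
BOUND = 8   # both variables wrap modulo BOUND so the state space is finite (constructed example)

def init(s):
    """Initial states of the toy model: only (0, 0)."""
    return s == (0, 0)

def post(s):
    """Transition relation ->: x := x + 1; y := y + 2 (modulo BOUND)."""
    x, y = s
    return [((x + 1) % BOUND, (y + 2) % BOUND)]

def bad(s):
    """States to be proved unreachable: y == 3."""
    return s[1] == 3

STATES = [(x, y) for x in range(BOUND) for y in range(BOUND)]

def check_invariant(theta):
    """Three proof obligations for a candidate Θ: Init ⊆ Θ, Θ closed under ->, Θ ∩ Bad = ∅.
    Returns ('ok', None) or the first failing obligation with a witness state; a 'closure'
    witness is a state of Θ whose successor leaves Θ, i.e. a failed invariance proof."""
    for s in STATES:
        if init(s) and not theta(s):
            return "init", s
    for s in STATES:
        if theta(s) and bad(s):
            return "bad", s
    for s in STATES:
        if theta(s) and any(not theta(t) for t in post(s)):
            return "closure", s
    return "ok", None

def strengthen(theta, aux):
    """Θ := Θ ∧ ¬A, as on the slide: exclude the states described by the auxiliary predicate A."""
    return lambda s: theta(s) and not aux(s)

if __name__ == "__main__":
    theta = lambda s: not bad(s)          # assumed starting point: Θ = ¬Bad
    print(check_invariant(theta))         # ('closure', (0, 1)): from y = 1 one step reaches y = 3
    # The failed proof points at odd y; strengthen with A = "y is odd" and retry.
    theta = strengthen(theta, lambda s: s[1] % 2 == 1)
    print(check_invariant(theta))         # ('ok', None): Θ is now an inductive invariant
```

The witness returned for a failed closure check is what a human (or an inference heuristic) reads off to propose the next auxiliary predicate; the loop stops when all three obligations pass, and the model never needs to be explored exhaustively from the initial state.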

SLIDE 17

Conformance Testing

Specification: S
Implementation: I

Conforms-to (ioco)

SLIDE 18

I ioco S: after all traces of δ(S), outputs of δ(I) ⊆ outputs of δ(S)

[Diagram: symbolic specification with locations l0, l1, l2 and transitions ?START(p), x := p; x = 0, !STOP; m = x ∧ x > 0, !DEC(m), x := x-1; x < 0, !δ; plus !δ (quiescence) loops. Example traces: ?START(0) !STOP; ?START(0) !DEC(0); ?START(0) !δ.]

SLIDE 19

Symbolic Test Generation

[Diagram: Specification S and Test Purpose P; suspension, determinisation and out-completion yield the “canonical tester”; product and selection yield the Test Case; test execution of Test Case ∥ Implementation I gives verdicts (Fail, …).]

SLIDE 20

Back to example: specification, test purpose

[Diagram: the specification of slide 18 (locations l0, l1, l2; ?START(p), x := p; x = 0, !STOP; m = x ∧ x > 0, !DEC(m), x := x-1; x < 0, !δ) and a test purpose with initial location q0, reaching Satisfy on !DEC(p) and Fail on !other.]

SLIDE 21

Resulting Symbolic Test Case

[Diagram: test case with locations q0l0, q0l1 and verdict locations Satisfy, Fail, Inconc. Labels (inputs and outputs mirrored with respect to the specification): p ≥ 0, !START(p), x := p; m = x ∧ x > 0, ?DEC(m), x := x-1; x = 0, ?STOP; x < 0; ?δ; ?other leads to Fail; Inconc (p > 0).]

SLIDE 22

Papers on Symbolic Test Generation

  • Theory: [Integrated Formal Methods’00, Tacas’05, IFIP/TCS’06]
  • STG tool [Tacas’02]
  • Main case study: Electronic purse [e-smart’01]

SLIDE 23

Towards integrating verification and conformance testing

  • “Test purpose”: a possibility property of the specification: certain traces are possible
  • More (most?) interesting properties: safety
  • Different interpretation of final locations
  • Observers: standard approach in verification.

SLIDE 24

Example: observer for a safety property

No !STOP between ?START and !DEC

[Diagram: observer automaton with transitions ?START(p), !DEC(p) and !STOP leading to a Violate location; * loops on all other actions.]

SLIDE 25

Verification and Conformance Testing

[Diagram: Properties P (possibility, safety) and Specification S, linked by Verification; Specification S and Implementation I, linked by Testing.]

SLIDE 26

Methodology

  • Verify S against (observers for) properties P
    – Build their product ×, check reachability of final location(s)
    – Under-approximation (e.g. model checking) to prove reachability
    – Over-approximation (e.g. abstract interpretation) to disprove it
  • Whether verification conclusive or not → test generation
    – Transform S into observer for non-conformance: “canonical tester” (suspension, determinisation, output-completion)
    – Product with observers for properties P: lots of verdicts!
  • Test selection: choose among verdicts, compute co-reachability (abstract interpretation again)
  • Test execution: may complete verification.

SLIDE 27

Test generation: product, selection

[Diagram: product of the canonical tester with the test purpose and the safety observer. Labels: !START(p), x := p; x = p ∧ x > 0, ?DEC(p); x ≠ p ∨ x ≤ 0, ?DEC(p); ?δ; ?other; x < 0, ?δ; x = 0, ?STOP; x ≠ 0, ?STOP; verdict locations Satisfy, Fail, Violate, including combined Fail/Violate; selection with p > 0.]

SLIDE 28

Interpretation of verdicts

  • Fail: non-conformance
  • Violate: violating safety
  • Satisfy: satisfying possibility
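
Slides 18, 24, 26 and 28 together describe one procedure: explore the implementation against the canonical tester of S (outputs of δ(I) must stay within outputs of δ(S)), run the safety observer and the test purpose alongside, and read off the verdicts Fail, Violate and Satisfy. The Python example below is added here and is neither the STG tool nor the presentation's own example. It instantiates a counter in the style of slide 18 for p ∈ {1, 2} on explicit transition systems; the locations, transition targets, the two faulty implementations, the string encoding of actions ('?' input, '!' output, '!delta' for !δ) and the bounded parameter range are all assumptions.

```python
from collections import deque

DELTA = "!delta"          # quiescence, written !δ on the slides

def is_input(a):
    return a.startswith("?")

class LTS:
    """Explicit labelled transition system: trans[state] = list of (action, target)."""
    def __init__(self, init, trans):
        self.init, self.trans = init, trans

    def enabled(self, s):
        return self.trans.get(s, [])

    def quiescent(self, s):
        return all(is_input(a) for a, _ in self.enabled(s))

    def out(self, states):
        """Outputs after a trace in the suspension automaton: enabled outputs, plus δ in quiescent states."""
        res = set()
        for s in states:
            res |= {a for a, _ in self.enabled(s) if not is_input(a)}
            if self.quiescent(s):
                res.add(DELTA)
        return res

    def ins(self, states):
        return {a for s in states for a, _ in self.enabled(s) if is_input(a)}

    def succ(self, states, a):
        if a == DELTA:                      # δ is a self-loop on quiescent states
            return frozenset(s for s in states if self.quiescent(s))
        return frozenset(t for s in states for b, t in self.enabled(s) if b == a)

def counter(max_p, stop_early_at=None, stuck_at_zero=False):
    """Counter in the style of slide 18, instantiated for p in 1..max_p (assumption):
    ?START(p) sets x := p; while x > 0 emit !DEC(x) and decrement; at x = 0 emit !STOP.
    stop_early_at=k emits !STOP already at x = k; stuck_at_zero never emits !STOP."""
    trans = {"l0": [(f"?START({p})", ("l1", p)) for p in range(1, max_p + 1)], "l2": []}
    for x in range(max_p + 1):
        if x == 0:
            trans[("l1", 0)] = [] if stuck_at_zero else [("!STOP", "l2")]
        elif x == stop_early_at:
            trans[("l1", x)] = [("!STOP", "l2")]
        else:
            trans[("l1", x)] = [(f"!DEC({x})", ("l1", x - 1))]
    return LTS("l0", trans)

OBS_INIT = "idle"

def observer_step(q, a):
    """Observer of slide 24: no !STOP between ?START and !DEC."""
    if q == "idle" and a.startswith("?START"):
        return "armed"
    if q == "armed" and a.startswith("!DEC"):
        return "idle"
    if q == "armed" and a == "!STOP":
        return "Violate"
    return q                                # '*' self-loops on everything else

def purpose_hit(a):
    """Test purpose of slide 20: observe some !DEC(p)."""
    return a.startswith("!DEC")

def run_tests(impl, spec):
    """Breadth-first exploration of I ∥ test(S) with the observer running alongside.
    Keeps the first witness trace of each verdict:
      Fail    = I produced an output not allowed by δ(S)   (non-conformance)
      Violate = the observer reached Violate               (safety property violated)
      Satisfy = the test purpose was reached               (possibility shown)"""
    verdicts = {}
    start = (frozenset([impl.init]), frozenset([spec.init]), OBS_INIT)
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (i_set, s_set, q), trace = queue.popleft()
        allowed = spec.out(s_set)
        for a in sorted(impl.out(i_set) | spec.ins(s_set)):
            t2, q2 = trace + (a,), observer_step(q, a)
            if not is_input(a) and a not in allowed:
                verdicts.setdefault("Fail", t2)
            if q2 == "Violate":
                verdicts.setdefault("Violate", t2)
            if purpose_hit(a):
                verdicts.setdefault("Satisfy", t2)
            i2, s2 = impl.succ(i_set, a), spec.succ(s_set, a)
            if not i2 or not s2:            # left the traces of δ(S): ioco says nothing further
                continue
            node = (i2, s2, q2)
            if node not in seen:
                seen.add(node)
                queue.append((node, t2))
    return verdicts

if __name__ == "__main__":
    spec = counter(2)
    print("conforming:   ", run_tests(counter(2), spec))
    print("stops early:  ", run_tests(counter(2, stop_early_at=2), spec))
    print("stuck at zero:", run_tests(counter(2, stuck_at_zero=True), spec))
```

The three runs separate the verdicts of slide 28: the conforming implementation only reaches Satisfy; the one that emits !STOP at x = 2 is both non-conformant (Fail, since δ(S) only allows !DEC(2) there) and in violation of the safety property (Violate) on the same trace; the one that goes quiescent at x = 0 is non-conformant (its !δ is not an allowed output where S requires !STOP) without violating the property, which is exactly the distinction between Fail and Violate. Real test execution has no model of I and observes these outputs at run time, but the verdict logic is the same.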

SLIDE 29

Summary: integrating verification and conformance testing…

  • Establishes relative consistency between implementation, specification, properties
  • Testing step does not depend on success of verification
    – Can even be done all at the same time
  • [Formal Methods’05, Chap. 2 in Traité Hermès I2C, 2006]

SLIDE 30

Some General Conclusions

  • Verification and testing are complementary
    – Operations, methodology
  • Integration of methods is still the future
    – Also with control synthesis, fault diagnosis…
  • Main issues to wider application
    – Complexity/limits of tools
    – Lack/incompleteness of formal specifications
    – But promising start in certain areas/industries.

SLIDE 31

Perspectives

  • In conformance testing:
    – Coverage
    – More expressive models (time, recursion, …)
    – Compositionality
    – Testing and games
    – Target application: security
  • In verification:
    – Build links with semi-formal methods, notations
    – “Invisible formal methods” [Rushby]
  • Even more integration
    – To deal with incomplete/missing specifications: learning.