Making Model-Driven Verification Practical and Scalable: Experiences - - PowerPoint PPT Presentation
Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel Briand IEEE Fellow, FNR PEARL Chair Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg
Lionel Briand IEEE Fellow, FNR PEARL Chair Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg SAM, Valencia, 2014
ICT security-reliability-trust
industry partners
www.svv.lu
associates, and PhD candidates)
dependability: security, safety, reliability
IEE, Hitec …
2
Basic&Research& Applied&Research& Innova3on&&&Development&
research, which is itself fed by innovation and development
serve an existing market. 3
Schneiderman, 2013
4 Problem Formulation Problem Identification State of the Art Review Candidate Solution(s) Initial Validation Training Realistic Validation
Industry Partners Research Groups
1 2 3 4 5 7
Solution Release
8 6
detection and removal
verification
this is not commonly part of practice
impacted practice
5
6
effectively applied by engineers in realistic conditions? – realistic ≠ universal – includes usability
artifacts (e.g., models, data sets, input spaces) and still provide useful support within reasonable effort, CPU and memory resources?
7
scalable solutions (our research paradigm)
learn
8
9
Company Domain Objective Notation Automation
Cisco Video conference Robustness testing UML profile Search, model transformation Kongsberg Maritime Oil & Gas CPU usage UML+MARTE Constraint Solving WesternGeco Marine seismic acquisition Functional testing UML profile + MARTE Search, constraint solving SES Satellite Functional and robustness testing, requirements QA UML profile Search, Model mutation, NLP Delphi Automotive systems Testing safety +performance Matlab/Simulink Search, machine learning, statistics CTIE Legal & financial Legal Requirements testing UML Profile Model transformation, constraint checking HITEC Crisis Support systems Security, Access Control UML Profile Constraint verification, machine learning, Search CTIE eGovernment Conformance testing UML Profile, BPMN, OCL extension Domain specific language, Constraint checking IEE Automotive, sensor systems Functional and Robustness testing, traceaibility and certification UML profile, Use Case Modeling extension, Matlab/Simulink NLP, Constraint solving
References:
10
Scalable Search Using Surrogate Models”, IEEE/ACM ASE 2014
Framework, Tool Support, and Case Studies”, Information and Software Technology (2014)
11
12
Hardware-in-the-Loop Stage Model-in-the-Loop Stage
Simulink Modeling Generic Functional Model MiL Testing
Software-in-the-Loop Stage
Code Generation and Integration Software Running
SiL Testing Software Release HiL Testing
13
Plant Model + + +
Σ
+
actual(t) desired(t)
Σ
KP e(t)
KD
de(t) dt
KI R e(t) dt P I D
Inputs: Time-dependent variables Configuration Parameters
14
Initial Desired (ID) Desired ValueI (input) Actual Value (output) Final Desired (FD) time T/2 T Smoothness Responsiveness Stability
15 HeatMap Diagram
List of Critical Regions Domain Expert Worst-Case Scenarios
+
Controller- plant model Objective Functions based on Requirements
Search
https://sites.google.com/site/cocotesttool/
Initial Desired (ID) Final Desired (FD)
Worst Case(s)?
16 HeatMap Diagram
List of Critical Regions Domain Expert
+
Controller- plant model Objective Functions based on Requirements
(a) Liveness (b) Smoothness
17 List of Critical Regions Domain Expert
Worst-Case Scenarios
Search
time
Desired Value Actual Value
1 2 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
Initial Desired Final Desired
– Simulink simulations are expensive – Sensitivity analysis to eliminate irrelevant parameters – Machine learning (Regression trees) to partition the space automatically and identify high-risk areas – Surrogate modeling (statistical and machine learning prediction) to predict properties and avoid simulation, when possible
18
case scenarios that were much worse than known and expected scenarios, entirely automatically
19
Reference:
20
21
– are complex
– might be faulty
– difficult – time-consuming – but yet crucial
22
– are complex
– might be faulty
– difficult – time-consuming – but yet crucial
23
Test%Case%Genera+on% Test%Case%Execu+on% Slicing% Ranking% ?% Test%Oracle% Test%Suite% Coverage%Reports% PASS/FAIL% Results% Simulink%Model% Model%Slices% Specifica+on%
0.95% 0.71% 0.62% 0.43%
Ranked%Blocks%
Any test strategy Provided by Matlab tool One slice for each test case and output For each test case and output, or overall
average to detect faults
– Use subsystems outputs – Iterate at deeper levels of hierarchy – Tradeoff: cost of test oracle vs. debugging effort – 2.3% blocks on average
24
Reference:
25
2014
References”, RE 2014
26
law
changes on a regular basis, many cross-references
legal experts, etc.
defined as a function over the distance between the principal town of the municipality on whose territory the taxpayer's home is located and the place of taxpayer’s work. The distance is measured in units of distance expressing the kilometric distance between [principal] towns. A ministerial regulation provides these distances. The amount of the deduction is calculated as follows: If the distance exceeds 4 units but is less than 30 units, the deduction is € 99 per unit of distance. The first 4 units does not trigger any deduction and the deduction for a distance exceeding 30 units is limited to € 2,574.
28
Objective Benefits
Specification of legal requirements
to the text of law
Checking consistency of legal requirements
the law to propagate Automated test strategies for checking system compliance to legal requirements
verify compliance Run-time verification mechanisms to check compliance with legal requirements Analyzing the impact of changes in the law
with change
29
Test cases
Actual software system
Traces to Traces to
Analyzable interpretation
Generates Results match?
Impact of legal changes
Simulates
30
profile
Transformation to enable V&V
content should we expect?
complexity factors?
capturing information requirements
methodology
and IT specialists
automation techniques
grounded theory study
31
expenses deduction (FD) is defined as a function over the distance between the principal town of the municipality on whose territory the taxpayer's home is located and the place of taxpayer’s work. The distance is measured in units of distance expressing the kilometric distance between [principal] towns. A ministerial regulation provides these distances.
Interpretation + Traces
32
The amount of the deduction is calculated as follows: If the distance exceeds 4 units but is less than 30 units, the deduction is € 99 per unit of distance. The first 4 units does not trigger any deduction and the deduction for a distance exceeding 30 units is limited to € 2,574.
Interpretation + Traces
– understandable by both IT specialists and legal experts – precise enough to enable model transformation and support
– tutorials, many modeling sessions with legal experts
OCL constraints alone, this is not applicable
carefully combined with a simple subset of OCL
automated detection (NLP) of cross-references
33
References:
34
OCL”, ECMFA 2014
Business Processes”, IEEE/ACM SAM 2014
Properties with OCL”, submitted
processes
checked – Temporal logics not applicable – Limited tool support (scalability)
verification
35
36
37
analyzing many properties of real business process models
business process models (BPMN) according to modeling methodology at CTIE (applicability)
38
temporal constraints into checking regular constraints on trace conceptual model
to rely on mature technology (scalability)
translation
three days; this notification has to occur before the production of the card is started.”
39
100 200 300 400 500 600 700 800 900 1,000 20 40 60 80 100 Trace Size (k) Average Check Time (s)
P7 P8 P9
(a) globally / P7–P9 100 200 300 400 500 600 700 800 900 1,000 500 1,000 1,500 2,000 2,500 3,000 3,500 4,000 4,500 Trace Size (k) Average Check Time (s)
P10 P11 P12
(b) globally / P10–P12 10 20 30 40 50 60 70 80 90 100 5 10 15 20 25 30 Boundary Position (k) Average Check Time (s)
P17 P18 P19 P20
(c) before / P17–P20
References:
40
usage in safety-critical embedded systems to support stress testing,” in IEEE/ACM MODELS 2012.
Constraint Programming Approach”, ISSRE 2013, San Jose, USA
Tasks – A Constraint Optimization Model to Support Performance Testing, Constraint Programming (CP), 2014
interdependent tasks which have to finish before their deadlines
design choices
resources with other tasks
predict whether all (critical) tasks are schedulable, i.e., meet their deadlines
probability of leading to deadline misses
loop
41
42
1 2 3 4 5 6 7 8 9 j0, j1 , j2 arrive at at0 , at1 , at2 and must finish before dl0 , dl1 , dl2 J1 can miss its deadline dl1 depending on when at2 occurs! 1 2 3 4 5 6 7 8 9
j0 j1 j2 j0 j1 j2
at0 dl0 dl1 at1 dl2 at2 T T at0 dl0 dl1 at1 at2 dl2
43
Drivers
(Software-Hardware Interface)
Control Modules Alarm Devices (Hardware) Multicore Architecture Real-Time Operating System
Monitor gas leaks and fire in oil extraction platforms
what parts of the space are feasible
44
45
Constraint Optimization Problem
Static Properties of Tasks
(Constants)
Dynamic Properties of Tasks
(Variables)
Performance Requirement
(Objective Function)
OS Scheduler Behaviour
(Constraints)
46
UML Modeling (e.g., MARTE) Constraint Optimization Optimization Problem
(Find arrival times that maximize the chance of deadline misses)
System Platform
Solutions (Task arrival times likely to lead to deadline misses)
Deadline Misses Analysis System Design Design Model (Time and Concurrency Information) INPUT OUTPUT Stress Test Cases Constraint Programming (CP)
IBM CPLEX) cannot handle such large input spaces (CPU, memory)
constraint programming – metaheuristic search identifies high risk regions in the input space – constraint programming finds provably worst-case schedules within these (limited) regions
47
48
UML Modeling (e.g., MARTE) Constraint Optimization Optimization Problem
(Find arrival times that maximize the chance of deadline misses)
System Platform
Solutions (Task arrival times likely to lead to deadline misses)
Deadline Misses Analysis System Design Design Model (Time and Concurrency Information) INPUT OUTPUT Genetic Algorithms (GA) Stress Test Cases Constraint Programming (CP)
49
– Large input and configuration space – Smart search optimization heuristics (machine learning)
– Large number of blocks and lines in Simulink models – Even a small percentage of blocks to inspect can be impractical – Additional information to support decision making? Incremental fault localisation?
– Constraint programming cannot scale by itself – Must be carefully combined with genetic algorithms
50
– Traceability to the law is complex – Many provisions and articles – Many dependencies within the law – Natural Language Processing: Cross references, support for identifying missing modeling concepts
– Traces can be large and properties complex to verify – Transformation of temporal properties into regular OCL properties, defined on a trace conceptual model – Incremental verification at regular time intervals – Heuristics to identify subtraces to verify
51
from the start, not a refinement or an after-thought
machine learning, statistics
within time constraints, not guarantees
project – otherwise it is unlikely to be adopted in practice
minimal form of scalability analysis?
52
information requirements?
inputs available in the right form and level of precision?
53
– Working assumption: availability of sufficiently precise plant (environment) models – Means to visualize relevant properties in the search space (inputs, configuration), to get an overview and focus search
– Availability of tasks architecture models – Precise WCET analysis – Applicability requires to assess risk based on near-deadline misses
54
– Trade-off between # of model outputs considered versus cost of test oracles – Better understanding of the mental process and information requirements for fault localization
– Temporal logic not usable by analysts – Language closer to natural language, directly tied to business process model – Easy transition to industry strength constraint checker
– Modeling notation must be shared by IT specialists and legal experts – One common representation for many applications, with traces to the law to handle changes – Multiple model transformation targets
55
context of applicability
realistic in some industrial domain and context
rarely are anyway
56
thought, a secondary consideration, when at all considered
57
Scientists:
58
Lionel Briand IEEE Fellow, FNR PEARL Chair Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg SAM, Valencia, 2014 SVV lab: svv.lu SnT: www.securityandtrust.lu