SLIDE 1
Real-Time Modeling and Test Case Generation
Konrad Krentz
A Convincing Safety Case
2
Architecture A Convincing Safety Case Fault Tree Analysis Testing Formal Methods
(…) [1]
Real-Time Modeling and Test Case Generation Konrad Krentz A - - PowerPoint PPT Presentation
Real-Time Modeling and Test Case Generation Konrad Krentz A - - PowerPoint PPT Presentation
Real-Time Modeling and Test Case Generation Konrad Krentz A Convincing Safety Case [1] 2 A Convincing Safety Case Fault Formal () Architecture Tree Testing Methods Analysis UPPAAL Agenda 3 Timed Timed UPPAAL Model- Overview
SLIDE 2
SLIDE 3
Agenda
UPPAAL Overview Timed Automata Model- Checking Timed Testing
Folienmaster | Max Mustermann | 7. Oktober 2007
3
SLIDE 4
4
[2]
SLIDE 5
Approach
5
[2,4]
a c b a c b 1 2 4 3 1 2 4 3 1 2 4 3
SLIDE 6
UPPAAL’s Architecture
6
[3]
SLIDE 7
Agenda
UPPAAL Overview Timed Automata Model- Checking Timed Testing
Folienmaster | Max Mustermann | 7. Oktober 2007
7
SLIDE 8
From State Machines to Timed Automata
8
Train
SLIDE 9
Timed Automaton
9
) Invariants (Location ) ( : ns) (Transitio 2 ) ( (Actions) } { (Clocks) Location) (Initial L ) (Locations ) , , , , , ( C B L I L C B A L E O I A C l L I E A C l L
C
[3]
SLIDE 10
Demo
10
SLIDE 11
Agenda
UPPAAL Overview Timed Automata Model- Checking Timed Testing
Folienmaster | Max Mustermann | 7. Oktober 2007
11
SLIDE 12
Model-Checking with UPPAAL
12
[2] (Engine)
SLIDE 13
Reachability Properties
13
reachable. is E formulae. state a be Let
[3,6]
SLIDE 14
Safety Properties
14
true. always is path where is there E[] satisfied. always is A[] formulae. state a be Let
[3,6]
SLIDE 15
Liveness Properties
15
satisfied. be will eventually then , If
- .
statisfied be eventually will A formulae. state a be Let
[3,6]
SLIDE 16
Demo
16
SLIDE 17
Agenda
UPPAAL Overview Timed Automata Model- Checking Timed Testing
Folienmaster | Max Mustermann | 7. Oktober 2007
17
SLIDE 18
Challenges in Timed Testing
- When to stimulate and when to expect the
response?
- What is correct?
- Test system may become itself a real-time
system
18
SLIDE 19
Offline Test Generation
19
[4]
SLIDE 20
Diagnostic Trace Test Case
- 1. Partition into subnetworks E and S
- 2. Projection to E (Remove invisible traces and
sum adjacent delay actions)
- 3. Add verdicts
Assumptions: Deterministic, Weakly input enabled, Output urgent, Isolated outputs
20
[4]
SLIDE 21
Generating Diagnostic Traces based on Coverage Criterions 1.Adding auxiliary variables to the original model and expressing the coverage criterion as reachability formulae. 2.A coverage specification language “observers”
21
SLIDE 22
Edge Coverage Criterion “Traverse every of the selected edges.” E<> e[0] and e[1] and e[2]
22
e
SLIDE 23
Location Coverage Criterion “Visit every of the selected locations.” E<> l[0] and l[1] and l[2] and l[3]
23
SLIDE 24
Definition-Use Pair Coverage “Cover all DU-Pairs of Variable v.” “DU-Pair”: Assignment of v and usage without redefinition in between.
24
SLIDE 25
Observers as Coverage Specification Language
25
sitions) delay tran
- n
react cannot (observer automaton timed
- bserved
by the ion taken ut transit input/outp
- n the
depending boolean a to evaluates ' form the
- f
Edges locations
- bserver
accepting location
- bserver
initial locations
- bserver
) , , , ( b q q B Q Q Q q Q B Q q Q
b f f
SLIDE 26
Location Coverage Observer
26
loc(near_cross) loc(cross) loc(safe) target_loc(safe) target_loc(cross) target_loc(near_cross)
X (X) location in ends ion transit target_loc : Predicates
SLIDE 27
Edge Coverage Observer
27
edge_cov(0) edge(2) edge(1) edge(0) edge_cov(1) edge_cov(2)
n transitio by the traversed is edge e : Predicates X dge(X)
SLIDE 28
Definition-Use Pair Coverage Observer
28
used is Variable ) ( traversed is Edge ) ( defined is Variable ) ( : Predicates X X use E E edge X X def
SLIDE 29
Generating Traces from Observers
- Algorithm simulates the observer by exploring the
timed automaton without regarding time (only input/output transitions)
- Keeps track of the set of reachable observer
locations, the current trace and the visited states
- Outputs the trace with the most covered
accepting observer locations
29
SLIDE 30
Offline Testing with UPPAAL COVER
30
[4]
SLIDE 31
Online Testing
31
[4]
SLIDE 32
Online Testing with UPPAAL TRON
32
SLIDE 33
Offline versus Online Testing
33
[4]
SLIDE 34
Conclusion
- High initial effort
- Features: worst case execution time calculation,
schedulability analysis, deadlock detection
- Testing has been successfully done in many
industrial case studies
- “Certification must consider multiple sources of
evidence and ultimately rests on informed engineering judgment and experience” [Rushby]
Folienmaster | Max Mustermann | 7. Oktober 2007
34
SLIDE 35
Sources (1/2)
- 1. Herrmann Kopetz: Real-Time Systems Design Principles for
Distributed Embedded Applications, 1997 , Kluwer Academic Publishers
- 2. Kim Guldstrand Larsen: Formal Methods for Real Time Systems,
1998 http://www.cs.aau.dk/~kgl/ARTES
- 3. Gerd Behrmann et al.: A Tutorial on Uppaal, 2004,
http://www.it.uu.se/research/group/darts/papers/texts/new- tutorial.pdf
- 4. Anders Hessel et al.: Testing Real-Time Systems Using UPPAAL,
2008, Springer Berlin, http://www.cs.aau.dk/~marius/tron/FMT2008.pdf
- 5. Anders Hessel et al.: Time-optimal Real-Time Test Case Generation
using UPPAAL http://www.cs.aau.dk/~marius/tron/FMT2008.pdf Folienmaster | Max Mustermann | 7. Oktober 2007
35
SLIDE 36
Sources (2/2)
- 6. Gerd Behrmann, Kim Larsen, Intro to UPPAAL,
www.cs.aau.dk/~adavid/RTSS05/uppaal-intro.pdf
- 7. http://i12www.ira.uka.de/~engelc/lehre/keypraktWS0607/slides/U
ppaalHandout.pdf
36