Scalable Software Testing and Verification of Non-Functional - - PowerPoint PPT Presentation
Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search and Optimization Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS,
Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS, March 13, 2017
2
3
4
5
6
7
8
9
10
Models“, IEEE/ACM ICSE 2016
Controllers”, ACM ESEC/FSE 2015 (Distinguished paper award)
Scalable Search Using Surrogate Models”, IEEE/ACM ASE 2014 (Distinguished paper award)
Framework, Tool Support, and Case Studies”, Information and Software Technology, Elsevier (2014)
More functions Comfort and variety Safety and reliability Faster time-to-market Less fuel consumption Greenhouse gas emission laws
11
Controlling Computation State-Based Continuous Transforming Calculating unit convertors calculating positions, duty cycles, etc State machine controllers Closed-loop controllers (PID)
12
13
14
Hardware-in-the-Loop Stage Model-in-the-Loop Stage
Simulink Modeling Generic Functional Model MiL Testing
Software-in-the-Loop Stage
Code Generation and Integration Software Running
SiL Testing Software Release HiL Testing
0.05
1
FuelLevelSensor
100 0.8
Gain1 Add1 Add
1
FuelLevel Continuous Integrator
15
Supercharger Bypass Flap Supercharger Bypass Flap
16
Initial Desired Value Final Desired Value time time
Desired Value Actual Value
T/2 T T/2 T
Plant Model Controller (SUT)
Desired value
Error
Actual value
System output
18
Plant Model + + +
+
actual(t) desired(t)
KD
de(t) dt
19
Initial Desired (ID) Desired ValueI (input) Actual Value (output) Final Desired (FD) time T/2 T Smoothness Responsiveness Stability
20
Initial Desired (ID) Final Desired (FD)
problem as a search problem
with certain properties, i.e., constraints
(if, loops, …): complex, discontinuous, non-linear search spaces (Baresel)
(metaheuristics), from local search to global search, e.g., Hill Climbing, Simulated Annealing and Genetic Algorithms
Fitness Input domain
Genetic Algorithms are global searches, sampling man
Search-Based Software Testing: Past, Present and Future Phil McMinn Genetic Algorithm
21
Input domain
portion of input domain denoting required test data randomly-generated inputs
Random search may fail to fulfil low-probability
22
break the requirement at MiL level
22
23
24
HeatMap Diagram
List of Critical Regions Domain Expert Worst-Case Scenarios
+
Controller- plant model Objective Functions based on Requirements
Search
time
Desired Value Actual Value
1 2 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
Initial Desired Final Desired
25
26
Number of Iterations Fitness
27
0.315 0.316 0.317 0.319 0.321 0.323 0.324 0.326 0.327 0.329 0.330 10 20 30 40 50 60 70 80 90 100 0.328 0.325 0.320 0.318 10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
Random Search (1+1) EA
10 20 30 40 50 60 70 80 90 100 0.0166 0.0168 0.0170 0.0176 0.0180 0.0178 0.0172 0.0160 0.0162 0.0164
Random Search (1+1) EA
10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100 0.0174
Average (1+1) EA Distribution Random Search Distribution Number of Iterations
partner had found so far, and much worse than random search (baseline)
much more expensive: MiL results -> test selection for HiL
– Simulations are expensive – Configuration parameters – Dynamically adjust search algorithms in different subregions (exploratory <-> exploitative)
0.30 0.31 0.32 0.33 0.34 0.35 0.36 0.37 0.38 0.39 0.40 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80 0.10 0.11 0.12 0.13 0.14 0.15 0.16 0.17 0.18 0.19 0.20 0.90 0.91 0.92 0.93 0.94 0.95 0.96 0.97 0.98 0.99 1.00
(a) (b)
28
29
30
+
Controller Model (Simulink) Worst-Case Scenarios List of Critical Partitions Regression Tree 1.Exploration with Dimensionality Reduction 2.Search with Surrogate Modeling Objective Functions Domain Expert
Visualization of the 8-dimension space using regression trees Dimensionality reduction to identify the significant variables (Elementary Effect Analysis) Surrogate modeling to predict the objective function and speed up the search (Machine learning)
Elementary Effect Analysis (EEA)
inputs in computationally costly mathematical models
than other techniques
simulations generated during the Exploration step
and standard deviation for each dimension of the distribution of elementary effects
31
Cal5 ID Cal3 FD Cal4 Cal6 Cal1,Cal2
0.6 0.4 0.2 0.0
0.0 0.2
∗10−2 ∗10−2
δi
A
∆x ∆y
A1 A2 C
∆x ∆y
C1 C2 B
∆x ∆y
B1 B2 X Y
F(A1)-F(A) F(B1)-F(B) F(C1)-F(C) … F(A2)-F(A) F(B2)-F(B) F(C2)-F(C) …
32
33
All Points FD>=0.43306
Count Mean Std Dev Count Mean Std Dev
FD<0.43306
Count Mean Std Dev
ID>=0.64679
Count Mean Std Dev Count Mean Std Dev
Cal5>=0.020847 Cal5>0.020847
Count Mean Std Dev Count Mean Std Dev
Cal5>=0.014827 Cal5<0.014827
Count Mean Std Dev Count Mean Std Dev 1000 0.007822 0.0049497
ID<0.64679
574 0.0059513 0.0040003 426 0.0103425 0.0049919 373 0.0047594 0.0034346 201 0.0081631 0.0040422 182 0.0134555 0.0052883 244 0.0080206 0.0031751 70 0.0106795 0.0052045 131 0.0068185 0.0023515
Regression Tree
critical partition, given a number of observations, and use that to avoid as many simulations as possible and speed up the search
34
35
statistical technique providing fitness predictions with confidence intervals 1. Predict higher fitness with high confidence: Move to new position, no simulation 2. Predict lower fitness with high confidence: Do not move to new position, no simulation 3. Low confidence in prediction: Simulation
Surrogate Model Real Function
Mean of R2/MRPE values for different surrogate modeling techniques
Fr
36
0.0 0.02 0.04 0.06 0.08 0.05 0.01 0.02 0.03 0.04 0.1 0.2 0.3 DR No DR DR No DR DR No DR
Fr
Mean Relative Prediction Errors (MRPE Values)
37
Search Output Values Search Output Values
0.215
SM
After 800 seconds After 2500 seconds After 3000 seconds
NoSM
0.220 0.225 0.230 0.235
SM
NoSM
SM
NoSM
After 200 seconds 0.160 0.164 0.168 After 300 seconds After 3000 seconds
NoSM NoSM
SM
NoSM
SM
SM
38
MiL-Testing different configurations Stability Smoothness Responsiveness MiL-Testing fixed configurations Manual MiL-Testing
24% over/undershoot 20% over/undershoot 5% over/undershoot 170 ms response time 80 ms response time 50 ms response time
39
Controlling Computation State-Based Continuous Transforming Calculating unit convertors calculating positions, duty cycles, etc State machine controllers Closed-loop controllers (PID)
40
41 OnMoving OnSlipping OnCompleted
time + +; ctrlSig := f(time)
Engaging
time + +; ctrlSig := g(time) time + +; ctrlSig := 1.0
[¬(vehspd = 0) ∧ time > 2] [(vehspd = 0) ∧ time > 3] [time > 4]
simulation time
Simulink stateflows
analysis of output signals
On Off CtrlSig
42
4 3
0.0 1.0 2.0
0.0 0.5 1.0 Time CtrlSig Output
0.0 1.0 2.0 Time 0.0 0.25 0.50 0.75 1.0 CtrlSig Output
44
45
Using Multi-Objective Search and Neural Networks”, ACM ESEC/FSE 2016
46
collision-warning system providing improved vision
47
48
Generation of Test specifications Static
[ranges/values/ resolution]
Dynamic
[ranges/ resolution]
(2)
test case specification
Domain model Requirements model
(1)Development of Requirements
and domain models
49
Real
Test Scenario
Vehicle
Pedestrian
Real
Test Scenario PeVi 1 1 1 1
«positioned»
Dynamic Object
Vehicle
Pedestrian
Position * 1 1
Collision PeVi
Detection 1 1 1 1
Output Trajectory
Static inputs Dynamic inputs Outputs
SceneLight 1
Condition
Weather
«enumeration» Condition
Real
Camera Sensor RoadSide Object
Road 1
«enumeration» RT 1 * 1 Parked Cars Trees
Real
Test Scenario
«uses»
1 1 PeVi
50
<<trace>> <<trace>> Speed Profile Path 1 1 Slot Path Segment 1..*
*
1 Trajectory Human 1 * trajectory Warning Sensors posx1, posx2 posy1, posy2 AWA Car/Motor/ Truck/Bus sensor has has awa 1 1 1 * human appears
posx1 posx2 posy1 posy2
The NiVi system shall detect any person located in the Acute Warning Area of a vehicle
51
Simulator + NiVi
Environment Settings (Roads, weather, vehicle type, etc.) Fixed during Search Manipulated by Search Human Simulator (initial position, speed, orientation) Car Simulator (speed) PeVi Meta-heuristic Search (multi-objective) Generate scenarios Detection
Collision
5 2
Type of Road Type of vehicle Type of actor
Situation 1 Straight Car Male Situation 2 Straight Car Child Situation 3 Straight Car Cow Situation 4 Straight Truck Male Situation 5 Straight Truck Child Situation 6 Straight Truck Cow Situation 7 Curved Car Male Situation 8 Curved Car Child Situation 9 Curved Car Cow Situation 10 Curved Truck Male Situation 11 Curved Truck Child Situation 12 Curved Track Cow Situation 13 Ramp Car Male Situation 14 Ramp Car Child Situation 15 Ramp Car Cow Situation 16 Ramp Truck Male Situation 17 Ramp Truck Child Situation 18 Ramp Truck Cow Situation 19 Situation 20 Straight Car+ Cars in parking Car + buildings Male
53
Start locationX = 74 Start locationY = 37.72 Start locationZ = 0 Orientation = 0 trajectoryPerson : Trajectory PositionX= 74 Position Y= 37.72 Position Z = 0 OrientationHeading = 93.33 Acceleration = 0 MaxWalkingSpeed =14 height=1.75 person :Actor UniqueId profilePerson : Speed Profile StartPointX = 74 StartPointY = 37.72 StartPointY = 0 StartAngle = 93.33 End Angle = 0 Length = 60 pathPerson : Path Length = 60 Type = Straight MaxSpeedLimit = 14 segmentPerson : Path Segment ID slotPerson : Slot Time = 0 Speed = 12.59 startPerson : StartState Start locationX = 10 Start locationY = 50.125 Start locationZ = 0.56 Orientation = 0 trajectoryCar : Trajectory PositionX=10 Position Y= 50.125 Position Z = 0.56 OrientationHeading = 0 Acceleration = 0 MaxWalkingSpeed =100 car : Actor UniqueId profileCar : Speed Profile StartPointX = 10 StartPointY = 50.125 StartPointZ =0.56 StartAngle = 0 End Angle = 0 Length = 100 pathCar : Path Length = 100 Type = Straight MaxSpeedLimit = 100 segmentCar : Path Segment ID slotCar : Slot Time = 0 Speed = 60.66 startCar : StartState MinTTC=0.3191 Collision
54
– Minimum distance between car and pedestrian – Minimum distance between pedestrian and AWA – Minimum time to collision
55
posx1 posx2 posy1 posy2
56
Individual A Pareto dominates individual B if A is at least as good as B in every objective and better than B in at least one objective.
Dominated by x
O1 O2 Pareto front x
57
Non-Dominated Sorting Selection based on rank and crowding distance Size: 2*N Size: 2*N Size: N
how far they are from the Pareto front, fitness is based on rank.
more evenly across the front (forcing diversity)
58
59
60
61
62
Non-Dominated Sorting Selection based on rank and crowding distance Size: 2*N Size: 2*N Size: N Original Algorithm
new solutions Our Algorithm
& intervals to run simulations only for the solutions likely to be selected
63
0.00 0.25 0.50 0.75 1.00
50 100 150 10
NSGAII (mean) NSGAII-SM (mean)
64
0.00 0.25 0.50 0.75 1.00
50 100 150 10
RS (mean) NSGAII-SM (mean)
65
0.00 0.25 0.50 0.75 1.00
50 100 150 10
RS NSGAII-SM NSGAII
66
Software’’, in 28th IEEE/ACM International Conference on Automated Software Engineering (ASE 2013), 2013
Temporal Constraints Using Search”, ACM International Symposium on Software Testing and Analysis (ISSTA 2014), 2014
67
68
their specific hardware
with their own platform
and send them to car makers
69
synchronization of runnables
simultaneously or in a certain order
CPU time
runnables should remain as low as possible over time
70
71
72
– Many OS tasks and their many runnables run within a limited available CPU time
– Reducing the maximum CPU time used per time slot to be able to
72
5ms 10ms 15ms 20ms 25ms 30ms 35ms 40ms ✗ 5ms 10ms 15ms 20ms 25ms 30ms 35ms 40ms ✔
(a) (b)
73
5ms 10ms 15ms 20ms 25ms 30ms 35ms 40ms 5ms 10ms 15ms 20ms 25ms 30ms 35ms 40ms ✗
Inserting runnables’ offsets
Offsets have to be chosen such that the maximum CPU usage per time slot is minimized, and further, the runnables respect their period the runnables respect their time slot the runnables satisfy their synchronization constraints
73
74
75
76
while satisfying synchronization/temporal constraints
for real-time embedded systems
meta-heuristic single objective search algorithms
an industrial case study with a large search space
77
78
Case Study: an automotive software system with 430 runnables, search space = 10^27
Running the system without offsets 5.34 ms Optimized offset assignment 2.13 ms
runnables
78
79
(ms) (s)
Best CPU usage Time to find Best CPU usage
79
80
(a) (b) (c) (a) Lowest max CPU usage values computed by HC within 70 ms
Lowest max CPU usage values computed by Random within 70 ms over 100 different runs Comparing average behavior of Random and HC in computing lowest max CPU usage values within 70 s and over 100 different runs
80
81
# of slots CPU time usage (ms)
2.04 1.45 12 21 14 1.56
82
83
Number of Slots-NSGAII & Number of Slots-Random 10 15 20 25 30 35 40 45 CPU Time Usage-NSGAII & CPU Time Usage-Random 1.5 2.0 2.5 3.0
Total Number of Time Slots Max CPU Time Usage (ms)
Random(25,000) NSGA-II(25,000)
A B
12 1.45
C
slots between “dependent” tasks
Input.csv:
groups
A list of solutions:
simulations
solutions
84
85
85
86
Optimization Model to Support Performance Testing, Constraint Programming (CP), 2014
Support Stress Testing”, ACM TOSEM, 25(1), 2015
87
88
89
1 2 3 4 5 6 7 8 9 j0, j1 , j2 arrive at at0 , at1 , at2 and must finish before dl0 , dl1 , dl2 J1 can miss its deadline dl1 depending on when at2 occurs! 1 2 3 4 5 6 7 8 9
at0 dl0 dl1 at1 dl2 at2 T T at0 dl0 dl1 at1 at2 dl2
90
91
Static Properties of Tasks
(Constants)
Dynamic Properties of Tasks
(Variables)
Performance Requirement
(Objective Function)
OS Scheduler Behaviour
(Constraints)
92
UML Modeling (e.g., MARTE) Constraint Optimization Optimization Problem
(Find arrival times that maximize the chance of deadline misses)
System Platform
Solutions (Task arrival times likely to lead to deadline misses)
Deadline Misses Analysis System Design Design Model (Time and Concurrency Information) INPUT OUTPUT Stress Test Cases Constraint Programming (CP)
93
Drivers
(Software-Hardware Interface)
Control Modules Alarm Devices (Hardware) Multicore Architecture
Real-Time Operating System
– metaheuristic search (GA) identifies high risk regions in the input space – constraint programming finds provably worst-case schedules within these (limited) regions – Achieve (nearly) GA efficiency and CP effectiveness
94
95
, and in the initial population of GA evolve into
96
UML Modeling (e.g., MARTE) Constraint Optimization Optimization Problem
(Find arrival times that maximize the chance of deadline misses)
System Platform
Solutions (Task arrival times likely to lead to deadline misses)
Deadline Misses Analysis System Design Design Model (Time and Concurrency Information) INPUT OUTPUT Genetic Algorithms (GA) Stress Test Cases Constraint Programming (CP)
97
98
99
Objective Function Search Space
Search Technique
n
Problem = fault model
n
Model = system or environment
n
Search to optimize
n
Metaheuristics
n
Scalability: A small part
traversed
n
Model: Guidance to worst case, high-risk scenarios across space
n
Reasonable modeling effort based on standards or extension
n
Heuristics: Extensive empirical studies are required
100
Objective Function Search Space
Search Technique
n
Model simulation can be time consuming
n
Makes the search impractical or ineffective
n
Surrogate modeling based on machine learning
n
Simulator dedicated to search
101
Objective Function Search Space
Search Technique
n
Use techniques such as sensitivity analysis to minimize dimensionality before running search
n
Predict parts of the space worth searching in
102
Objective Function Search Space
Search Technique
n
Combine with solvers and optimization engines
n
Need heuristic strategies to determine when to use what
103
104
105
106
107
108
– Tends to be versatile, tailorable to new problems and contexts – Particularly suited to the verification of non-functional properties – Entails acceptable modeling requirements – Can provide “best” answers at any time – Scalable, practical
– Not a proof, no certainty – Effectiveness of search guidance is key and must be experimentally evaluated – Models are key to provide adequate guidance – Search must often be combined with other techniques, e.g., machine learning, constraint programming
109
– Is there an efficient constraint model for the problem at hand? – Can effective heuristics be found to order the search? – Better if there is a match to a known standard problem, e.g., job shop scheduling – Tend to be strongly affected by small changes in the problem, e.g., allowing task pre-emption – Often not scalable, e.g., memory
– Detailed operational models (e.g., state models), involving (complex) temporal properties (e.g., CTL) – Enough details to analyze statically or execute symbolically – These modeling requirements are usually not realistic in actual system development. State explosion problem. – Originally designed for checking temporal properties through reachability analysis, as opposed to explicit timing properties – Often not scalable
110
111
Scientists:
112
Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS, March 13, 2017 SVV lab: svv.lu SnT: www.securityandtrust.lu