testing planning domains without model checkers franco
play

Testing Planning Domains (without Model Checkers) Franco Raimondi, - PowerPoint PPT Presentation

Oct 17, 2023 •304 likes •594 views

Testing Planning Domains (without Model Checkers) Franco Raimondi, Charles Pecheur, Guillaume Brat Overview Motivational introduction Flight rules Review of MC/DC and definition of UFC with weak/strong coverage. Planning: Europa 2

  1. Testing Planning Domains (without Model Checkers) Franco Raimondi, Charles Pecheur, Guillaume Brat

  2. Overview • Motivational introduction • Flight rules • Review of MC/DC and definition of UFC with weak/strong coverage. • Planning: Europa 2 and NDDL • The Rover Example: NDDL code, flight rules and trap formulae. • From trap formulae to planning goals. • Conclusion. 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 2

  3. Motivation • Planner are used extensively in a number of autonomous applications (e.g., the NASA rovers exploring Mars’ surface). • Methodology are needed to verify that certain requirements (the flight rules ) are not violated when executing plans. • Verification of planning domain has been investigated in the past by translating planning models into input for model checkers (but problems with state space explosion). 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 3

  4. Our contribution Key idea : translate the verification problem into a planning problem. Flight Rules Planning domain 1 : Encode as LTL formulae Planning domain + Test using new goals the planner 2: Generate test cases 3: Convert into planning goals 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 4

  5. Flight rules • Flight rules are requirements that must be satisfied in every execution (currently written in plain English). • Typically, flight rules are temporal patterns and can be encoded as LTL formulae. • Example: all Instruments must be stowed when moving , which is translated into ϕ = G (moving → stowed) NEXT: How to build a suitable set of test cases to guarantee coverage of the above by extending MC/DC. 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 5

  6. Brief overview of MC/DC (required coverage for avionic SW) • Every basic condition in a decision in the model has taken on all possible outcomes at least once. • Each basic condition has been shown to independently affect the decision’s outcome. An example: let ϕ = p ∨ q . ϕ can be either true or false, and it can be so either because of p , or because of q . Test cases: p ∨ q p q ⊤ ⊥ ⊤ ⊥ ⊥ ⊥ ⊥ ⊤ ⊤ Each test case can be captured by a (Boolean) formula. Let ϕ pos be the set of test cases for positive outcomes, and ϕ neg the set for negative outcomes. ϕ pos = { p ∧ ¬ q, ¬ p ∧ q } ; ϕ neg = {¬ p ∧ ¬ q } . 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 6

  7. Unique First Cause coverage [Whalen et al., 2006] UFC extends MC/DC to requirements based testing (i.e., testing flight rules). A test suite achieve UFC of a set of requirements (expressed in LTL) if: 1. Every basic condition in any formula has taken on all possible outcomes at least once. 2. Each basic condition has been shown to affect the formula’s outcome as the unique first cause. A basic condition a is the UFC for a formula ϕ along a path π if, in the first state along π in which ϕ is satisfied, it is satisfied because of a (see paper for a formal definition). 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 7

  8. Trap formulae [Whalen et al., 2006] A trap formula ufc ( a, ϕ ) is a temporal formula characterising adequate test cases for a in ϕ . ufc ( a, a ) = a ; ufc ( a, ¬ a ) = ¬ a ufc ( a, ϕ a ∨ ϕ b ) = ufc ( a, ϕ a ) ∧ ¬ ϕ b ufc ( a, F ϕ a ) = ( ¬ ϕ a ) U ufc ( a, ϕ a ) ufc ( a, G ϕ a ) = ϕ a U ( ufc ( a, ϕ a ) ∧ G ϕ a ) Problem: this only applies to infinite paths. If tests (paths) need to be finite, we need to change this definition. 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 8

  9. Strong and weak UFC coverage A finite path (test case) π f gives: = + ϕ ) if π f “carries all 1. strong evidence for ϕ (written as π f | necessary evidence for” ϕ ; = − ϕ ) if π f “carries no 2. weak evidence for ϕ (written as π f | evidence against” ϕ ; Example: a strong test case for a in F ( a ∧ ¬ b ) and a weak test case for a is G ( a ∨ b ). a,b a,b b a (see paper for the formal definition of ufc ± ) 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 9

  10. Summary of UFC Given an atomic condition a appearing in a formula ϕ (a requirement) and an execution model M : = ufc + ( a, ϕ ) in the traces of M , then π f • if there is a test case π f | shows that a can necessarily positively affect ϕ ; = ufc − ( a, ϕ ), then π f only shows that a can possibly positively • if π f | affect ϕ ; = ufc ± ( a, ϕ ): if ϕ is a desired • if there is no π f in M for which π f | property, then this means that a is a vacuous condition in ϕ w.r.t. M ; • if ϕ is a negative (forbidden) property, then it confirms that this particular case of ϕ cannot happen, which is the desired result; • A test fails if it is possible to find a path π f in M such that = ufc ± ( a, ϕ ), where ϕ is a negative property. π f | 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 10

  11. Planning with EUROPA 2.0 (E2) [Excerpts from C. McGann, How to Solve It ] “ Planning can be considered a process of generating descriptions of how to operate some system to accomplish something. The resulting descriptions are called plans , and the desired accomplishments are called goals . In order to generate plans for a given system a model of how the system works must be given. ” Model E2 Plans Goals Models and goals are written in NDDL (see below). 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 11

  12. Tokens and Timelines A token is “ an instance of a temporally scoped predicate ” (predicates describe true facts). For instance: {2} {5} READY Tokens may represent states of a single object in the system, and are sometimes mutually exclusive. A Timeline is a structure where sequences of tokens appear contiguously. For instance, the state of a printer: {2} [3−5] [3−5] {21} {21} +inf READY BUSY OUT−OF−TONER Constraints (rules) are expressed using Allen’s temporal logic constructs, such as “meets”, “met by”, etc. Essentially, these are (in)equalities over tokens’ bounds. 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 12

  13. NDDL using an example: simple Rover model 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 13

  14. NDDL using an example: simple Rover model Class Diagram_1 Rover Location Timeline Path + name:String + to,from + name:string + x:int + coast :real Class_4 + y:int + location Commands + to,from TakeSample Navigator Instrument At PhoneHome Unstow PhoneLander Going TakeSample Place Stow Stowed Created with Poseidon for UML Community Edition. Not for Commercial Use. 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 14

  15. Some NDDL class Navigator extends Timeline { predicate At{ Location location; } predicate Going{ Location from; Location to; neq(from, to); // prevents rover from going from a location straight back to that location. } } Tokens are constrained using rules : Navigator::At{ met_by(object.Going from); eq(from.to, location); // next Going token starts at this location meets(object.Going to); eq(to.from, location); // prevous Going token ends at this location } 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 15

  16. NDDL goals and executions Location lander = new Location("LANDER", 0, 0); [...] goal(Navigator.At initialPosition); eq(initialPosition.location, lander); goal(Commands.TakeSample sample); sample.start.specify(50); sample.rock.specify(rock4); 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 16

  17. A concrete example: flight rules for the rover 1. The Rover Battery State of charge cannot go below X. 2. All Instruments must be stowed when moving. 3. . . . In LTL: 1. G ( x ), where x is a proposition true when the charge is ≥ X . 2. G ( p → q ), where p = moving and q = stowed. 3. . . . (translation done similarly). We now apply the machinery presented above to compute test cases for the second requirement, G ( p → q ). 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 17

  18. Test cases for a flight rule Three test cases for the formula: 1. (true value caused by “stowed”): ufc − ( q, ϕ ) = (( ¬ p ∧ q ) U ( ¬ p ∧ ¬ q )); 2. (true value caused by “moving”): ufc − ( p, ϕ ) = (( ¬ p ∧ q ) U ( p ∧ q ∧ ϕ )); 3. (this is the negative test case): ufc + / − ( p, ¬ ϕ ) = ufc + / − ( q, ¬ ϕ ) = (( ¬ p ∨ q ) U ( p ∧ ¬ q )) 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 18

  19. Summary of coverage • A model for the Rover (NDDL file). • Flight rules encoded in LTL, for instance ϕ = G ( moving → stowed ). • Trap formulae for flight rules that guarantee coverage. Next step: translation of elements of ufc ± into planning goals , so that E2 can be used for testing flight rules . This is done without modification of the original NDDL model, by adding new timelines, new rules and new goals 31 March 2007 Testing Planning Domains (without Model Checkers) Slide 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2 nd , 2016 Motivation Model checkers return error traces but no evidence when they say yes Complex tools Goal: improve trustworthiness

809 views • 47 slides
Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the Quality Checkers project happen? The quality checkers project has been jointly funded by: Northamptonshire Learning Disability Partnership

749 views • 21 slides
The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in January. There were interviews in February. The Great Quality Checkers Paul C Paul B Tom Victor Mike Karl John Sandra Paul G Debbie Alex

368 views • 14 slides
How Time Variability of Testing the Model Current Map with 8 . . . Testing the Model . . .

How Time Variability of Testing the Model Current Map with 8 . . . Testing the Model . . .

How Temperatures . . . A Model (cont-d) Model: Final Formulas How Time Variability of Testing the Model Current Map with 8 . . . Testing the Model . . . Temperature Depends on a Testing the Model: . . . Testing the Model: . . . Spatial

493 views • 9 slides
CTL - Model Checking Franco Raimondi Department of Computer Science School of Science and

CTL - Model Checking Franco Raimondi Department of Computer Science School of Science and

CTL - Model Checking Franco Raimondi Department of Computer Science School of Science and Technology Middlesex University http://www.rmnd.net logo Franco Raimondi CTL - Model Checking CTL: model checking logo Franco Raimondi CTL - Model

740 views • 30 slides
Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael

Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael

Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael Ferdman, Peter Milder FPGA Accelerates Model Checking Model checking ensures system correctness By exploring all states of a system Hours

814 views • 37 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di Informatica Universit degli Studi di Salerno Sequentialization Code-to-code translation from a multithreaded program to an equivalent

1.21k views • 58 slides
Testing Model Tranformations Bottom Up and Top Down Amr Al Mallah Testing Model Transformation

Testing Model Tranformations Bottom Up and Top Down Amr Al Mallah Testing Model Transformation

Testing Model Tranformations Bottom Up and Top Down Amr Al Mallah Testing Model Transformation 1. Model Transformations frameworks : 1.1 MoTif in context of Traffic 2 Petri Net. 2. Testing this Model transformation : 2.1. T-Unit approach

567 views • 34 slides
Overview of Porto Franco development The story of Porto Franco Key information about Porto Franco

Overview of Porto Franco development The story of Porto Franco Key information about Porto Franco

FUTURE OFFICES Tallinn, Estonia Overview of Porto Franco development The story of Porto Franco Key information about Porto Franco Word for word, Porto Franco means free port. This combination of The biggest shopping centre in Tallinn city

461 views • 26 slides
Software Testing Software testing 1 V model Software testing 2 Program testing goals To

Software Testing Software testing 1 V model Software testing 2 Program testing goals To

Software Testing Software testing 1 V model Software testing 2 Program testing goals To demonstrate to the developer and the customer that the software meets its requirements. => leads to validation testing To discover situations

264 views • 11 slides
The Promise of Model-Based Testing The Promise of Model-Based Testing Presented by: Mahesh

The Promise of Model-Based Testing The Promise of Model-Based Testing Presented by: Mahesh

T17 Concurrent Session Thursday 05/08/2008 3:00 PM The Promise of Model-Based Testing The Promise of Model-Based Testing Presented by: Mahesh Velliyur Maveric Testing Solutions Presented at: STAR EAST Software Testing Analysis & Review

582 views • 30 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

1.41k views • 114 slides
On representing planning domains under uncertainty Felipe Meneguzzi CMU Yuqing Tang CUNY

On representing planning domains under uncertainty Felipe Meneguzzi CMU Yuqing Tang CUNY

On representing planning domains under uncertainty Felipe Meneguzzi CMU Yuqing Tang CUNY Simon Parsons CUNY Katia Sycara - CMU BR OOKLYN COLLE GE Outline Planning Markov Decision Processes Hierarchical Task Networks

704 views • 32 slides
DNS domains and servers testing Sl Slavko Gajin k G ji slavko.gajin@ rcub.bg.ac.rs AMRES

DNS domains and servers testing Sl Slavko Gajin k G ji slavko.gajin@ rcub.bg.ac.rs AMRES

DNS domains and servers testing Sl Slavko Gajin k G ji slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty of Electrical Engineering Motivation DNS first and

427 views • 14 slides
Workshop 1: Project planning Christopher Potts CS 244U: Natural language understanding Feb 5 1

Workshop 1: Project planning Christopher Potts CS 244U: Natural language understanding Feb 5 1

Overview Lit review Getting data Annotating Crowdsourcing Project set-up Development cycle Conclusion Workshop 1: Project planning Christopher Potts CS 244U: Natural language understanding Feb 5 1 / 57 Overview Lit review Getting data

972 views • 65 slides
Neighborhood Advisory Council June 1, 2016 Agenda Welcome/ Introductions Consent

Neighborhood Advisory Council June 1, 2016 Agenda Welcome/ Introductions Consent

Neighborhood Advisory Council June 1, 2016 Agenda Welcome/ Introductions Consent Agenda May 4, 2016 Meeting Summary UMKC Campus Police Crime Update Report Old Business 51 Oak /Whole Foods Final Design

279 views • 16 slides
Senita cactus - senita moth A pollination-seed predator mutualism egg Lophocereus schotii

Senita cactus - senita moth A pollination-seed predator mutualism egg Lophocereus schotii

Senita cactus - senita moth A pollination-seed predator mutualism egg Lophocereus schotii Upiga virescens Holland and DeAngelis (2002) model of the Lophocereus-Upiga mutualism dP/dt<0 dM/dt<0 dM/dt>0 # Moths dP/dt>0 dM/dt<0

325 views • 7 slides
Biochar Farming Carbon Craig Sams Founder and Executive Chairman May 8 2012 Louisiana

Biochar Farming Carbon Craig Sams Founder and Executive Chairman May 8 2012 Louisiana

Help Rescue The Planet RIBA May 7-11 Biochar Farming Carbon Craig Sams Founder and Executive Chairman May 8 2012 Louisiana Territory - Virgin Prairie DUST BOWL 1935 Oklahoma, Kansas, Nebraska Eve Balfour Founded Soil Association 1946

734 views • 28 slides
Software Verification for Space Applications Part 1. Static Analysis Guillaume Brat USRA/RIACS

Software Verification for Space Applications Part 1. Static Analysis Guillaume Brat USRA/RIACS

Software Verification for Space Applications Part 1. Static Analysis Guillaume Brat USRA/RIACS Software blowup 10000 Lines of Code (Thousands) 1700 1000 430 160 100 32 8 10 3 1 Voyager Galileo Cassini MPF Shuttle ISS (1977)

495 views • 49 slides
r r srs tt

r r srs tt

r r srs tt rt sst r sttt

909 views • 62 slides
Wyoming - $1.25 Billion CARES Act Funds Options to Access Funds 1) Legislative Branch or

Wyoming - $1.25 Billion CARES Act Funds Options to Access Funds 1) Legislative Branch or

Wyoming - $1.25 Billion CARES Act Funds Options to Access Funds 1) Legislative Branch or Executive Branch 2) Wyoming Legislature Special Session May 2020 1 st Things 1 st Governors Office Executive Branch 1) Submit application to

726 views • 34 slides
LCMS Youth Gathering July 16-20, 2016 New Orleans, Louisiana What is a Youth Gathering? A

LCMS Youth Gathering July 16-20, 2016 New Orleans, Louisiana What is a Youth Gathering? A

LCMS Youth Gathering July 16-20, 2016 New Orleans, Louisiana What is a Youth Gathering? A Gathering of over 20,000 Lutheran youth and counselors from around the country. A ministry for teens to support, encourage, and challenge them to grow

437 views • 18 slides

More recommend