invisible formal methods generating efficient test sets
play

Invisible Formal Methods: Generating Efficient Test Sets With a - PowerPoint PPT Presentation

Feb 08, 2023 •26 likes •466 views

Invisible Formal Methods: Generating Efficient Test Sets With a Model Checker John Rushby with Gr egoire Hamon and Leonardo de Moura Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Invisible FM

  1. Invisible Formal Methods: Generating Efficient Test Sets With a Model Checker John Rushby with Gr´ egoire Hamon and Leonardo de Moura Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Invisible FM and AutoTestGen: 1

  2. Full Formal Verification is a Hard Sell: The Wall Reward (assurance) theorem proving interactive PVS Effort John Rushby, SR I Invisible FM and AutoTestGen: 2

  3. Newer Technologies Improve the Value Proposition Reward (assurance) automated theorem proving interactive theorem proving checking model and abstraction SAL ICS PVS Effort But only by a little John Rushby, SR I Invisible FM and AutoTestGen: 3

  4. The Unserved Area Is An Interesting Opportunity Reward (assurance) automated theorem proving interactive theorem proving checking invisible model and abstraction formal methods SAL ICS PVS Effort Conjecture: reward/effort climbs steeply in the invisible region John Rushby, SR I Invisible FM and AutoTestGen: 4

  5. Invisible Formal Methods • Use the technology of formal methods ◦ Theorem proving, constraint satisfaction, model checking, abstraction, symbolic evaluation • To augment traditional methods and tools ◦ Compilers, debuggers • Or to automate traditional processes ◦ Testing, reviews, debugging • To do this, we must unobtrusively (i.e., invisibly) extract ◦ A formal specification ◦ A collection of properties • And deliver a useful result in a familiar form John Rushby, SR I Invisible FM and AutoTestGen: 5

  6. Invisible Formal System Specifications • Traditionally, there was nothing formal (i.e., mechanically analyzable) prior to the executable program ◦ Requirements, specifications, etc. were just natural language words, and pictures • So one response is to apply formal methods to programs ◦ E.g., extended static analysis • But for embedded systems, industry has adopted model based design (MBD) at a surprisingly rapid pace ◦ Matlab (Simulink/Stateflow): over 500,000 licenses ◦ Statecharts ◦ Scade/Esterel • Some of these (e.g., Stateflow) have less-than-ideal semantics, but it’s possible to cope with them ◦ E.g., our paper in FASE ’04 John Rushby, SR I Invisible FM and AutoTestGen: 6

  7. Invisible Property Specifications • MBD provides formal specifications of the system • But what properties shall we apply formal analysis to? • One approach is to analyze structural properties ◦ E.g., no reliance on 12 o’clock rule in Stateflow ◦ Similar to table checking in SCR ◦ Prove all conditions are pairwise disjoint ◦ And collectively exhaustive • Another is to generate structural test cases • Either for exploration ◦ E.g., “show me a sequence of inputs to get to here” • Or for testing in support of certification and verification John Rushby, SR I Invisible FM and AutoTestGen: 7

  8. Simplified Vee Diagram time and money system requirements test unit/integration design/code test Vast resources are expended on testing embedded systems John Rushby, SR I Invisible FM and AutoTestGen: 8

  9. Invisible FM Example: Generating Unit Tests • Let’s focus initially on testing individual units of a program • Executable model provides the oracle • Various criteria for test generation Functional tests: tests are derived by considering intended function or desired properties of the unit (requires higher-level specifications, which we do not have) Boundary tests: tests designed to explore inside, outside, and on the boundaries of the domains of input variables Structural tests: tests are designed to visit interesting paths through the specification or program (e.g., each control state, or each transition between control states) • Let’s look at the standard method for structural test generation using model checking John Rushby, SR I Invisible FM and AutoTestGen: 9

  10. Example: Stopwatch in Stateflow Inputs: START and LAP buttons, and clock TIC event Stop Run TIC { cent=cent+1; } LAP { Reset START Running cent=0; sec=0; min=0; during: [cent==100] { disp_cent=0; disp_sec=0; disp_cent=cent; cent=0; disp_min=0; START disp_sec=sec; sec=sec+1; } disp_min=min; } LAP LAP LAP [sec==60] { START sec=0; Lap_stop Lap min=min+1; START } Example test goals: generate input sequences to exercise Lap stop to Lap transition, or to reach junction at bottom right John Rushby, SR I Invisible FM and AutoTestGen: 10

  11. Generating Structural Tests • Problem: find a path that satisfies a desired test goal ◦ E.g., reach junction at bottom right • Symbolically execute the path, then solve the path predicate to generate concrete input sequence that satisfies all the branch conditions for the path ◦ If none, find another path and repeat until success or exhaustion • Repeat for all test goals • Solving path predicates requires constraint satisfaction over theories appearing in the model (typically, propositional calculus, arithmetic, data types) ◦ E.g., ICS and its competitors ◦ For finite cases, a SAT solver will do • Can be improved using predicate abstraction (cf. Blast) John Rushby, SR I Invisible FM and AutoTestGen: 11

  12. Generating Tests Using a Model Checker • Method just described requires custom machinery • Can also be done using off-the-shelf model checkers ◦ Path search and constraint satisfaction by brute force • Instrument model with trap variables that latch when a test goal is satisfied ◦ E.g., a new variable jabr that latches TRUE when junction at bottom right is reached • Model check for “always not jabr” • Counterexample will be desired test case • Trap variables add negligible overhead (’cos no interactions) • For finite cases (e.g., numerical variables range over bounded integers) any standard model checker will do ◦ Otherwise need infinite bounded model checker as in SAL John Rushby, SR I Invisible FM and AutoTestGen: 12

  13. Tests Generated Using a Model Checker John Rushby, SR I Invisible FM and AutoTestGen: 13

  14. Model Checking Pragmatics Explicit state: good for complex transition relations with small statespaces Depth first search: test cases generally have many irrelevant events and are too long • E.g., 24,001 steps to reach junction at bottom right Breadth first search: test cases are minimally short, but cannot cope with large statespaces • E.g., cannot reach junction at bottom right Symbolic: test cases are minimally short, but large BDD ordering overhead in big models • E.g., reaches junction at bottom right in 125 seconds Bounded: often ideal, but cannot generate tests longer than a few tens of steps, and may not be minimally short • E.g., cannot reach junction at bottom right John Rushby, SR I Invisible FM and AutoTestGen: 14

  15. Useful Optimizations • Backward slicing (called cone of influence reduction in model checking) simplifies model relative to a property by eliminating irrelevant state variables and input events ◦ Allows explicit state model checker to reach junction at bottom right in 6,001 steps in just over a second (both depth- and breadth-first) ◦ And speeds up symbolic model checker • Prioritized traversal is an optimization found in industrial-scale symbolic model checkers ◦ Partitions the frontier in forward image computations and prioritizes according to various heuristics ◦ Useful with huge statespaces when there are many targets once you get beyond a certain depth John Rushby, SR I Invisible FM and AutoTestGen: 15

  16. Efficient Test Sets • Generally we have a set of test goals (to satisfy some coverage criterion) • Want to discharge all the goals with ◦ Few tests (restarts have high cost) ◦ Short total length (each step in a test has a cost) • Independent of the method of model checking, generating a separate test for each goal produces very inefficient tests ◦ E.g., Lap to Lap stop test repeats Running to Lap test • Can “winnow” them afterward • Or check in generation for other goals discharged fortuitously ◦ So won’t generate separate Running to Lap test if it’s already done as part of Lap to Lap stop test ◦ But effectiveness depends on order goals are tackled John Rushby, SR I Invisible FM and AutoTestGen: 16

  17. Tests Generated Using a Model Checker (again) Lots of redundancy in the tests generated John Rushby, SR I Invisible FM and AutoTestGen: 17

  18. Generating Efficient Test Sets • Minimal tour-based methods: difficulty is high cost to compute feasibility of paths (or size of problem when transformed, e.g., to colored tours) • So use a greedy approach • Instead of starting each test from the the start state, we try to extend the test found so far • Could get stuck if we tackle the goals in a bad order • So, simply try to reach any outstanding goal and let the model checker find a good order ◦ Can slice after each goal is discharged ◦ A virtuous circle: the model will get smaller as the remaining goals get harder • Go back to the start when unable to extend current test John Rushby, SR I Invisible FM and AutoTestGen: 18

  19. An Efficient Test Set Less redundancy, and longer tests tend to find more bugs John Rushby, SR I Invisible FM and AutoTestGen: 19

Recommend

Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de Pol Formal Methods &

Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de Pol Formal Methods &

Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de Pol Formal Methods & Tools University of Twente The Netherlands Games 2012, Napoli, Italia 1 / 26 Motivation Application: formal verification of process algebraic

531 views • 26 slides
Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Generating Structured Test Data with Specific Properties using Metaheuristic and Nested

Generating Structured Test Data with Specific Properties using Metaheuristic and Nested

Generating Structured Test Data with Specific Properties using Metaheuristic and Nested Monte-Carlo Search Simon Poulding Blekinge Institute of Technology Robert Feldt Chalmers University Context software testing: generating test data for

594 views • 34 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4) Contents INTRODUCTION INTRODUCTION DEFINITION AND OVERVIEW OF FORMAL METHODS SPECIFICATION METHODS LIFE CYCLES AND

317 views • 19 slides
Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process What are Formal Methods? Advantages and Disadvantages of Formal Methods Formal Methods in the Requirement Process Mathematical Formulas

561 views • 20 slides
State-Based Testing Part C Test Cases Generating test cases for complex behaviour Reference:

State-Based Testing Part C Test Cases Generating test cases for complex behaviour Reference:

State-Based Testing Part C Test Cases Generating test cases for complex behaviour Reference: Robert V. Binder Testing Object-Oriented Systems: Models, Patterns, and Tools Addison-Wesley, 2000, Chapter 7 Test strategies Exhaustive

687 views • 47 slides
Fresh for tomorrow? Peter Martin, The Age Invisible? Invisible? Invisible? When searching for

Fresh for tomorrow? Peter Martin, The Age Invisible? Invisible? Invisible? When searching for

Fresh for tomorrow? Peter Martin, The Age Invisible? Invisible? Invisible? When searching for an analogy to describe the government, the first thing that comes to a government ministers mind is a company. Invisible? When searching for

638 views • 37 slides
THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING LOGIC Peter Olveczky University of Oslo FMfun19, December 3, 2019 OUTLINE How to introduce formal methods to undergraduates? Fun!

1.95k views • 171 slides
State-Based Testing Part C Test Cases Generating test cases for complex behaviour

State-Based Testing Part C Test Cases Generating test cases for complex behaviour

State-Based Testing Part C Test Cases Generating test cases for complex behaviour Reference: Robert V. Binder Testing Object-Oriented Systems: Models, Patterns, and Tools Addison-Wesley, 2000, Chapter 7

1.09k views • 44 slides
Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal Methods Symposium NASA HQ, Washington DC 14th April 2010 (09:0010:00) 0 Table of contents Intels diverse verification problems Verifying

834 views • 45 slides
A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004 Purpose of the Course - Giving some insights about Formal Methods - Showing that Formal Methods can be made practical - Illustrating Formal Methods

1.25k views • 112 slides
Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

F F F Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T M&&T June 27, 03 Formal Methods && Tools Group - ISTI CNR CAF - 1 F F F Outline Overview of the Formal Methods

276 views • 23 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw

The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw

The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw Department of Computer Science University of Leicester September 4, 2010 B ACKGROUND Test Adequacy Assessing the ability of a test set to identify

295 views • 25 slides
set list tuple set set() Sets methods .intersection() .union() .difference() set sets

set list tuple set set() Sets methods .intersection() .union() .difference() set sets

set list tuple set set() Sets methods .intersection() .union() .difference() set sets methods .add() .update() .remove() .discard() list comprehension lists generators generator list next() list list list list 1 - 1 -

985 views • 61 slides
1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

Preliminaries Hallmarks of a Formal Approach Formal Systems in Information Technology 1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January 15, 2014 Generated on Wednesday 15 th January, 2014, 09:54

517 views • 49 slides
Summary of topics Sets COMP2111 Week 2 Formal languages Term 1, 2020 Discrete Mathematics

Summary of topics Sets COMP2111 Week 2 Formal languages Term 1, 2020 Discrete Mathematics

Summary of topics Sets COMP2111 Week 2 Formal languages Term 1, 2020 Discrete Mathematics Recap Relations Functions Propositional Logic 1 2 Summary of topics Sets A set is defined by the collection of its elements. Sets are typically

464 views • 31 slides
Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in Mathematics January 8, 2020 1 / 35 marijn@cmu.edu Computer-Aided Mathematics Chromatic Number of the Plane Clausal Proof Optimization

634 views • 52 slides

More recommend