Conformance of Distributed Systems
H. Schlingloff, Temporal Logic Theme Day
LORIA, Nancy, Dec. 10th, 2002
Structure of my talk
• Fraunhofer FIRST (not in this file!!!)
• SVT
• Conformance
SVT: Synthesis, Validation and Testing
• SVT: Specification, Verification and Testing Theory / Software Synthesis, Validation and Testing
• founded June 2002
• 8 people permanent, plus 2 guests
• background knowledge in temporal logic, testing theory, compilers, formal semantics, theorem proving, and quantum computing
Projects at FIRST-SVT
initial project
• Quasar: joint project with TU Berlin (Th. Santen) and FhG IESE (B. Paech)
• from requirements analysis to quality assurance
• high-level state charts, test generation from Rhapsody diagrams
• case study: DaimlerChrysler door control unit
• CeBIT 2003 expo with Lego Mindstorms
Projects at FIRST-SVT (2)
additional projects
• SiZeBa: certification of a fault-tolerant railway computer
• simulation of random errors
• standard technology (Pentium), long standing, high reliability (< 10^-12 /h), Chorus OS and Unix tools
• PoliTesS: quality assurance within a large software project
• process improvement, GUI testing (capture-replay), mass test data generation, load testing
Projects at FIRST-SVT (3)
new project
• O2Test: cooperation with FhG FOKUS (I. Schieferdecker)
• TTCN-3 based testing system for various hardware
• several protocol stacks (GSM, GPRS, UMTS, ISDN, voice, fax, ...) which have to interoperate
(figure: layered test system architecture, layers TTCN3 / TRI / JAVA / FORTH / HW)
Cooperations
(figure: cooperation diagram spanning basic research, applied research and market, with universities, research centers and spin-offs in Germany and other countries; rows: knowledge (person to person), technology (project to project), products (business to business); two positions marked "?")
Theme: Temporal logic and Testing
• Behavioral specification of embedded systems
• Investigate languages and their properties
• Real time, data packets
• Derive test sequences from formulas
• Black box testing, refinement
Modal Logic and Simulations
Models: Labeled transition systems
• finite alphabets
• exactly one initial state
• image finiteness
(figure: example transition system with states labeled by the propositions p, q and transition relations R, S)
Multimodal Logic
• propositional variables
• boolean connectives
• modal operators
• temporal operators, fixed point operators, path quantifiers, nominals, first order concepts, ...
(formula syntax lost in extraction; the slide lists propositional variables p, q, ..., boolean combinations of them, and modal operators indexed by the transition relation R)
Examples
(figure: the transition system from the previous slide with example formulas over p, q and the relations R, S)
• two formulas are equivalent if they have the same models
• two models are equivalent if they satisfy the same formulas
Bisimulations
A bisimulation is a relation between two models such that
• the initial states are related,
• related states have the same label, and
• related states allow the same transitions („local consistency“)
Segerberg 1968
Remark: one direction is simple, the other needs image finiteness
Two models are bisimilar iff they are modally equivalent
Two finite models are bisimilar iff they are µ-calculus equivalent
Simulations and Box-Logic
• a simulation is „half a bisimulation“: M1 can be simulated by M2 (M2 can simulate M1) if for every possible step of M1 there is a corresponding one of M2 (“a gameboy can be simulated by a PC”)
• reflexive and transitive; abstraction hierarchy
• box-logic: „modal logic without diamonds“: literals, ⊤, ∧, ∨, [R]
Simulation Theorem (e.g., Long et al.): M2 can simulate M1 iff each box-logic formula holding in M2 also holds in M1
• extensions for ACTL and others
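As an added illustration (this is not material from the slides), the following Python computes the greatest simulation and the greatest bisimulation of two finite labeled transition systems by refining a candidate relation to a fixed point, and evaluates box-logic formulas on a constructed "gameboy" and "PC" model. The LTS encoding, state names, labels and the tuple syntax for formulas are my own assumptions.

```python
# Added example (not from the slides): greatest simulation and bisimulation on
# finite labeled transition systems, computed by refining a candidate relation
# to a fixed point, plus a tiny box-logic checker for the simulation theorem.
from dataclasses import dataclass


@dataclass
class LTS:
    """Finite LTS: one initial state, states labeled with propositions,
    transitions (source, relation name, target)."""
    init: str
    labels: dict   # state -> frozenset of propositions
    trans: set     # {(state, action, state)}

    def succ(self, s, a):
        return {t for (x, act, t) in self.trans if x == s and act == a}

    def actions(self):
        return {a for (_, a, _) in self.trans}


def _refine(m1, m2, two_way):
    """Start from all label-equal pairs and drop pairs violating local
    consistency until nothing changes (greatest fixpoint).  With two_way the
    result is the greatest bisimulation, otherwise the greatest simulation
    of M1 by M2 (every step of M1 must be matched by a step of M2)."""
    acts = m1.actions() | m2.actions()
    rel = {(s, t) for s in m1.labels for t in m2.labels
           if m1.labels[s] == m2.labels[t]}
    changed = True
    while changed:
        changed = False
        for (s, t) in list(rel):
            fwd = all(any((s2, t2) in rel for t2 in m2.succ(t, a))
                      for a in acts for s2 in m1.succ(s, a))
            bwd = not two_way or all(any((s2, t2) in rel for s2 in m1.succ(s, a))
                                     for a in acts for t2 in m2.succ(t, a))
            if not (fwd and bwd):
                rel.discard((s, t))
                changed = True
    return rel


def simulates(m2, m1):
    """M2 can simulate M1 (M1 can be simulated by M2)."""
    return (m1.init, m2.init) in _refine(m1, m2, two_way=False)


def bisimilar(m1, m2):
    return (m1.init, m2.init) in _refine(m1, m2, two_way=True)


def holds(m, s, f):
    """Box-logic: "true", "false", ("lit", p, polarity), ("and", f, g),
    ("or", f, g), ("box", R, f).  No diamonds, negation only on literals."""
    if f == "true":
        return True
    if f == "false":
        return False
    op = f[0]
    if op == "lit":
        return (f[1] in m.labels[s]) == f[2]
    if op == "and":
        return holds(m, s, f[1]) and holds(m, s, f[2])
    if op == "or":
        return holds(m, s, f[1]) or holds(m, s, f[2])
    if op == "box":
        return all(holds(m, t, f[2]) for t in m.succ(s, f[1]))
    raise ValueError(f"unknown operator {op!r}")


# Constructed models: a "gameboy" that can only play and stop, and a "PC"
# that can additionally browse.  The PC simulates the gameboy, not vice versa.
GAMEBOY = LTS("g0", {"g0": frozenset({"idle"}), "g1": frozenset({"busy"})},
              {("g0", "play", "g1"), ("g1", "stop", "g0")})
PC = LTS("p0", {"p0": frozenset({"idle"}), "p1": frozenset({"busy"}),
                "p2": frozenset({"busy"})},
         {("p0", "play", "p1"), ("p1", "stop", "p0"),
          ("p0", "browse", "p2"), ("p2", "stop", "p0")})

# Simulation theorem, one direction: a box formula holding in the PC also
# holds in the gameboy; the converse fails, e.g. for [browse]false.
AFTER_PLAY_STOP_IDLE = ("box", "play", ("box", "stop", ("lit", "idle", True)))
NO_BROWSE = ("box", "browse", "false")

if __name__ == "__main__":
    print("PC simulates gameboy:", simulates(PC, GAMEBOY))   # True
    print("gameboy simulates PC:", simulates(GAMEBOY, PC))   # False
    print("bisimilar:", bisimilar(GAMEBOY, PC))              # False
    print("[play][stop]idle in PC / gameboy:",
          holds(PC, "p0", AFTER_PLAY_STOP_IDLE),
          holds(GAMEBOY, "g0", AFTER_PLAY_STOP_IDLE))        # True True
    print("[browse]false in PC / gameboy:",
          holds(PC, "p0", NO_BROWSE), holds(GAMEBOY, "g0", NO_BROWSE))  # False True
```

The refinement loop is the generic greatest-fixpoint construction: it only ever removes pairs, so on finite, image-finite models it terminates, and the surviving relation is the largest one satisfying local consistency. The formula [browse]false shows why the theorem is stated in one direction only: it holds vacuously in the gameboy, which has no browse step, but not in the PC.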
Conformance
• relation between implementation and specification, commonly used for testing
• “implementation can be simulated by specification”
• more “global” than “local” consistency
• MI conforms to MS if every observable behavior of the implementation could also be observed of the specification: for every possible sequence of actions of MI there is a corresponding one of MS
• formally: MI c MS iff for all σ ∈ tr(MI): obs(MI after σ) ⊆ obs(MS after σ) (cf. Tretmans 96)
• usually, transition systems are considered to be deterministic and finite, hence this is “almost” the same as simulation
Observability
What is an observable behavior?
• An output visible at the interfaces
• An input sent to the system which is not accepted
Transition alphabet is partitioned into input, output and internal events
Composition of transition systems is defined as usual
Logics for conformance
• boxes for outputs, diamonds for input transitions
[request!] ⟨ackn?⟩ true
[request!] start ⟨reset?⟩ true
• add U, µ etc. as necessary
Failures
• Within a transition system M, a failure is a sequence σ' = (σ, x) such that M accepts σ but not σ'
• In the composition of transition systems, a failure occurs if one component outputs x! and the other can not input x?
Timing failures
• In timed systems, there are even other sorts of failures:
• One component can send an output within a certain interval, but the other cannot receive it continuously during this interval
• One component expects an input, but this input is not provided in time
Conformance (again)
Implementation MI conforms to MS if it can safely replace the specification in every context:
• Whenever (MS||ME) is failure-free, then also (MI||ME) is failure-free
• (MI||ME) has a failure only if (MS||ME) has one
(figure: MS and MI each composed with the same environment ME)
Mirroring
The mirror of a transition system is the system with input and output reversed
For a suitable choice of alphabets and some other additional conditions, MI conforms to MS iff (MI || MS^mirror) is failure free (the specification is a “most general environment” for the implementation)
Verification of conformance
• Compose MI with MS^mirror and calculate the failures
• Can be done on the fly, depth-first, with partial order reduction
Verification by conformance
• If MI conforms to MS then for every formula φ it holds that MS ⊨ φ implies MI ⊨ φ
(MS ⊨ φ ∧ MI c MS) ⟹ MI ⊨ φ
• To show that MI ⊨ φ, find an abstraction MS such that MI c MS and show MS ⊨ φ
• other direction does not hold in general
Testing with conformance
• Compose MS^mirror with the (black box) implementation
• Enumerate all paths through MS^mirror
• Outputs of the testing system are inputs for the implementation and vice versa
• Failures are registered as testing results
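Added example, not from the slides: mirroring, composition and failure detection for input/output transition systems, covering both the verification procedure (compose MI with MS^mirror, calculate the failures) and the testing view (every path through MS^mirror drives the implementation, and each failure is reported with the trace that led to it). It assumes the convention x! for outputs, x? for inputs and unsuffixed names for internal actions; SPEC, GOOD, WRONG_OUTPUT and STOPS_ACCEPTING are constructed systems.

```python
# Added example (not from the slides): verification of conformance by composing
# an implementation with the mirror of its specification and collecting
# failures (an output x! offered to a partner that cannot input x?).
from collections import deque

FLIP = {"!": "?", "?": "!"}


def mirror_action(a):
    """x! <-> x?; actions without a suffix are internal and stay unchanged."""
    return a[:-1] + FLIP[a[-1]] if a[-1:] in FLIP else a


def mirror(system):
    """The mirror of (init, transitions) has inputs and outputs reversed."""
    init, trans = system
    return (init, {(s, mirror_action(a), t) for (s, a, t) in trans})


def enabled(trans, s):
    return {(a, t) for (x, a, t) in trans if x == s}


def failures(a, b):
    """Explore a || b breadth-first (x! on one side synchronises with x? on the
    other; internal actions interleave) and return the failures found as
    sorted (trace, side, action) triples.  a and b are (init, transitions)."""
    found = []
    seen = {(a[0], b[0])}
    queue = deque([((a[0], b[0]), ())])
    while queue:
        (p, q), trace = queue.popleft()
        for side, here, there, hs, ts in (("A", a[1], b[1], p, q),
                                          ("B", b[1], a[1], q, p)):
            for act, h2 in enabled(here, hs):
                if act.endswith("?"):
                    continue            # inputs move only when the partner outputs
                if act.endswith("!"):
                    partners = [t2 for (x, t2) in enabled(there, ts)
                                if x == act[:-1] + "?"]
                    if not partners:    # output that cannot be consumed: failure
                        found.append((trace, side, act))
                        continue
                    nexts = [(h2, t2) for t2 in partners]
                else:
                    nexts = [(h2, ts)]  # internal step, partner stays put
                for h3, t3 in nexts:
                    pair = (h3, t3) if side == "A" else (t3, h3)
                    if pair not in seen:
                        seen.add(pair)
                        queue.append((pair, trace + (act,)))
    return sorted(found)


def conforms(impl, spec):
    """MI conforms to MS iff MI || MS^mirror is failure-free."""
    return not failures(impl, mirror(spec))


# Constructed systems: the specification accepts request? and answers ackn!.
SPEC = ("s0", {("s0", "request?", "s1"), ("s1", "ackn!", "s0")})
GOOD = ("i0", {("i0", "request?", "i1"), ("i1", "ackn!", "i0")})
# Answers with an output the specification never produces.
WRONG_OUTPUT = ("i0", {("i0", "request?", "i1"), ("i1", "error!", "i0")})
# Answers correctly once, then no longer accepts a request.
STOPS_ACCEPTING = ("i0", {("i0", "request?", "i1"), ("i1", "ackn!", "i2")})

if __name__ == "__main__":
    for name, impl in [("GOOD", GOOD), ("WRONG_OUTPUT", WRONG_OUTPUT),
                       ("STOPS_ACCEPTING", STOPS_ACCEPTING)]:
        print(name, "conforms:", conforms(impl, SPEC),
              "failures:", failures(impl, mirror(SPEC)))
```

Side "A" is the implementation and side "B" the mirrored specification, so a failure on side A is an unexpected output of the implementation and a failure on side B is an input the implementation refuses; the trace is exactly the path through MS^mirror that a tester would replay to reproduce it. The slide's on-the-fly, depth-first variant differs only in the exploration order and in not storing all visited pairs.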
Yet another conformance relation
• s ∈ S is equivalent to s' ∈ S if all input sequences generate the same output sequences when started at s and at s'.
• MI conforms to MS if for each state s in MI there is a state s' in MS such that s is equivalent to s'
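Added example, not from the slides: the state-based relation just defined, for deterministic machines given as tables (state, input) -> (output, next state) over a common input alphabet. Two states are equivalent when exploring all reachable state pairs never finds an input with differing outputs; SPEC, IMPL_OK and IMPL_BAD are constructed.

```python
# Added example (not from the slides): state equivalence by input/output
# sequences, and conformance as "every implementation state has an
# equivalent specification state".
def equivalent(mi, s, ms, t, inputs):
    """s (in MI) and t (in MS) are equivalent if no input sequence started at
    both produces different output sequences.  Explore the reachable pairs;
    the first differing output witnesses a distinguishing sequence."""
    seen, todo = {(s, t)}, [(s, t)]
    while todo:
        p, q = todo.pop()
        for x in inputs:
            o1, p2 = mi[(p, x)]
            o2, q2 = ms[(q, x)]
            if o1 != o2:
                return False
            if (p2, q2) not in seen:
                seen.add((p2, q2))
                todo.append((p2, q2))
    return True


def states(machine):
    return {s for (s, _) in machine}


def conforms(mi, ms, inputs):
    """Each state of MI must have an equivalent state in MS."""
    return all(any(equivalent(mi, s, ms, t, inputs) for t in states(ms))
               for s in states(mi))


INPUTS = ("req", "reset")
# Constructed specification: A is idle, B has a pending request.
SPEC = {("A", "req"): ("ack", "B"), ("A", "reset"): ("ok", "A"),
        ("B", "req"): ("busy", "B"), ("B", "reset"): ("ok", "A")}
# Implementation with a redundant state c that behaves like b: conforms.
IMPL_OK = {("a", "req"): ("ack", "b"), ("a", "reset"): ("ok", "a"),
           ("b", "req"): ("busy", "c"), ("b", "reset"): ("ok", "a"),
           ("c", "req"): ("busy", "b"), ("c", "reset"): ("ok", "a")}
# Implementation whose reset in state b does not return to idle: no state of
# the specification is equivalent to b (or to a, which can reach b).
IMPL_BAD = {**IMPL_OK, ("b", "reset"): ("ok", "b")}

if __name__ == "__main__":
    print("IMPL_OK conforms:", conforms(IMPL_OK, SPEC, INPUTS))    # True
    print("IMPL_BAD conforms:", conforms(IMPL_BAD, SPEC, INPUTS))  # False
```

Because the machines are deterministic, the pair exploration visits at most |S_MI| times |S_MS| pairs, so the check is polynomial even though it quantifies over all input sequences.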
Conformance with Petri nets
• replace “transition system” by “one-safe Petri net”, and replace “sequence” by “causal net”
• KI is (weakly) simulating KS if a mapping h: KS → KI exists such that for all x, x' ∈ ES ∪ BS: (x, x') ∈ RS ⟹ (h(x), h(x')) ∈ RI
• bI ∈ BI is (weakly) simulating condition bS ∈ BS if for all admissible inputs SEQ and executions KI ∈ [I, bI, SEQ], KS ∈ [S, bS, SEQ]: KI is (weakly) simulating KS.
• I (weakly) conforms to S if for all bS ∈ BS there is a bI ∈ BI such that bI is (weakly) simulating bS
Conformance checking
• Let H0 be the relation consisting of all pairs (bI, bS) ∈ BI × BS. Hi+1 is constructed from Hi as follows: (bI, bS) ∈ Hi+1 iff
  (bI, bS) ∈ Hi, and
  for the events eI of bI and eS of bS: iKI(eI) = iKS(eS) and oKI(eI) = oKS(eS), and
  for the successor conditions bS' of eS and bI' of eI: (bI', bS') ∈ Hi
• Let H be the relation reached upon stabilization. Then I conforms to S if for all bS ∈ BS there is a bI ∈ BI such that (bI, bS) ∈ H
Test case generation
• Start with an arbitrary condition b and c(b) = {e | eb}
• The initial part of the execution is a copy of all conditions in c(b)
• Put a mark on all conditions in c(b)
• Repeat indefinitely:
  Choose a maximal set of events which are either enabled in P, or can be enabled by putting a token on a condition which is not marked, such that the inputs of these events contain at most one input from each PCO and PO, respectively.
  Put a mark on all conditions which have received a token, as well as on all conditions in the pre- and postset of an enabled transition.
  Fire the chosen events in P, and extend the execution by appending a copy of all chosen events and their postsets to it.