
Conformance of Distributed Systems

H. Schlingloff Temporal Logic Theme Day

LORIA, Nancy, Dec. 10th, 2002

Structure of my talk

• Fraunhofer FIRST (not in this file!!!)

• SVT

• Conformance

SVT: Synthesis, Validation and Testing

• SVT

• founded June 2002

• 8 people permanent, plus 2 guests

• background knowledge in temporal logic, testing theory, compilers, formal semantics, theorem proving, and quantum computing

Specification, Verification and Testing Theory

Software Synthesis, Validation and Testing

Projects at FIRST-SVT

initial project

• Quasar: joint project with TU Berlin (Th. Santen) and FhG IESE (B. Paech)

  • from requirements analysis to quality assurance

  • high-level state charts, test generation from Rhapsody diagrams

  • case study: DaimlerChrysler door control unit

  • CeBIT 2003 expo with Lego Mindstorms

Projects at FIRST-SVT (2)

additional projects

• SiZeBa

  • certification of a fault-tolerant railway computer

  • simulation of random errors

  • standard technology (Pentium), long standing, high reliability (< 10⁻¹²/h), Chorus OS and Unix tools

• PoliTesS

  • quality assurance within a large software project

  • process improvement

  • GUI testing (capture-replay)

  • mass test data generation, load testing

Projects at FIRST-SVT (3)

new project

• O2Test: cooperation with FhG FOKUS (I. Schieferdecker)

  • TTCN-3 based testing system for various hardware

  • several protocol stacks (GSM, GPRS, UMTS, ISDN, voice, fax, ...) which have to interoperate

[Diagram: layered test-system architecture with TTCN3, TRI, JAVA, FORTH and HW]

Cooperations

[Diagram: cooperation landscape of universities, research centers and spin-offs in Germany and other countries, arranged along basic research / applied research / market; transfer as knowledge (person to person), technology (project to project) and products (business to business); open questions marked "?"]

Theme: Temporal logic and Testing

• Behavioral specification of embedded systems

• Investigate languages and their properties

• Real time, data packets

• Derive test sequences from formulas

• Black box testing, refinement

Modal Logic and Simulations

Models: Labeled transition systems

• finite alphabets

• exactly one initial state

• image finiteness

[Diagram: two labeled transition systems with states labeled p and q and transition relations R and S]

Multimodal Logic

• propositional variables

• boolean connectives

• modal operators

• temporal operators, fixed point operators, path quantifiers, nominals, first order concepts, ...

[Formula examples: propositional variables p, q, ...; boolean combinations of p and q; modal formulas over the relation R (operator symbols lost in extraction)]

Examples

[Diagram: example models with states labeled p and q and relations R and S, together with the modal formulas over R and S that hold in them (operator symbols lost in extraction)]

• two formulas are equivalent if they have the same models

• two models are equivalent if they satisfy the same formulas

Bisimulations

A bisimulation is a relation between two models such that

• the initial states are related,

• related states have the same label, and

• related states allow the same transitions („local consistency“)

Segerberg 1968

Remark: one direction is simple, the other needs image finiteness

Two models are bisimilar iff they are modally equivalent

Two finite models are bisimilar iff they are µ-calculus equivalent

Simulations and Box-Logic

• a simulation is „half a bisimulation“: M1 can be simulated by M2 (M2 can simulate M1) if for every possible step of M1 there is a corresponding one of M2 (“a gameboy can be simulated by a PC”)

• reflexive and transitive; abstraction hierarchy

• box-logic: „modal logic without diamonds“:

literals, RT ,,,,

Simulation Theorem (e.g., Long et al.)

M2 can simulate M1 iff each box-logic formula holding in M2 also holds in M1

• extensions for ACTL and others
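The simulation and bisimulation relations of the last slides, as an added Python example that is not part of the talk. Both are computed as greatest fixpoints: start from all pairs of states with the same label and repeatedly drop pairs that violate local consistency, in one direction for a simulation and in both directions for a bisimulation. The models are constructed for this example: BRANCH_LATE (a.(b+c)) can simulate BRANCH_EARLY (a.b + a.c) but not the other way round, so the two are not bisimilar, whereas LOOP1 and LOOP2 are bisimilar although they differ as graphs.

```python
# Added example (not from the talk): greatest simulation and bisimulation between two
# finite labeled transition systems, computed by fixpoint refinement.


class LTS:
    """Finite labeled transition system: one initial state, transitions labelled with
    actions, states optionally labelled with sets of propositions."""

    def __init__(self, init, trans, labels=None):
        self.init = init
        # trans: dict state -> set of (action, successor)
        self.trans = {s: set(succ) for s, succ in trans.items()}
        self.states = set(self.trans) | {t for succ in self.trans.values() for _, t in succ}
        self.labels = labels or {}

    def label(self, s):
        return frozenset(self.labels.get(s, ()))

    def actions(self, s):
        return {a for a, _ in self.trans.get(s, ())}

    def succ(self, s, a):
        # image finiteness holds trivially: successor sets are finite
        return {t for b, t in self.trans.get(s, ()) if b == a}


def _steps_matched(ma, s, mb, t, related):
    """Local consistency in one direction: every step s -a-> s2 of ma is answered by
    some step t -a-> t2 of mb such that related(s2, t2) holds."""
    return all(any(related(s2, t2) for t2 in mb.succ(t, a))
               for a in ma.actions(s) for s2 in ma.succ(s, a))


def _refine(m1, m2, keep):
    """Start from all label-compatible pairs and drop the pairs that violate `keep`
    until nothing changes: the result is the greatest relation with that property."""
    rel = {(s, t) for s in m1.states for t in m2.states if m1.label(s) == m2.label(t)}
    while True:
        bad = {(s, t) for (s, t) in rel if not keep(rel, s, t)}
        if not bad:
            return rel
        rel -= bad


def greatest_simulation(m1, m2):
    """Largest simulation of m1 by m2 ('half a bisimulation')."""
    return _refine(m1, m2, lambda rel, s, t:
                   _steps_matched(m1, s, m2, t, lambda x, y: (x, y) in rel))


def greatest_bisimulation(m1, m2):
    """Largest bisimulation: local consistency must hold in both directions."""
    return _refine(m1, m2, lambda rel, s, t:
                   _steps_matched(m1, s, m2, t, lambda x, y: (x, y) in rel) and
                   _steps_matched(m2, t, m1, s, lambda y, x: (x, y) in rel))


def simulated_by(m1, m2):
    """m1 can be simulated by m2 iff the initial states lie in the greatest simulation."""
    return (m1.init, m2.init) in greatest_simulation(m1, m2)


def bisimilar(m1, m2):
    return (m1.init, m2.init) in greatest_bisimulation(m1, m2)


# Constructed sample models.
# BRANCH_LATE: a.(b+c), the choice between b and c is made after a.
BRANCH_LATE = LTS("s0", {"s0": {("a", "s1")}, "s1": {("b", "s2"), ("c", "s3")}})
# BRANCH_EARLY: a.b + a.c, the choice is made at the first step.
BRANCH_EARLY = LTS("t0", {"t0": {("a", "t1"), ("a", "t2")},
                          "t1": {("b", "t3")}, "t2": {("c", "t4")}})
# Two descriptions of the same infinite behaviour a.a.a...: a self-loop and a 2-cycle.
LOOP1 = LTS("u0", {"u0": {("a", "u0")}})
LOOP2 = LTS("v0", {"v0": {("a", "v1")}, "v1": {("a", "v0")}})

if __name__ == "__main__":
    print(simulated_by(BRANCH_EARLY, BRANCH_LATE))   # True
    print(simulated_by(BRANCH_LATE, BRANCH_EARLY))   # False
    print(bisimilar(LOOP1, LOOP2))                   # True
    print(bisimilar(BRANCH_EARLY, BRANCH_LATE))      # False
```

The refinement is quadratic in the number of state pairs and fine for models of the size used in talks like this one; the point of the abstraction hierarchy is that a box-logic property checked once on the more abstract model carries over to everything it simulates.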

Conformance

• relation between implementation and specification, commonly used for testing

• “implementation can be simulated by specification”

• more “global” than “local” consistency

• MI conforms to MS if every observable behavior of the implementation could also be observed of the specification: for every possible sequence of actions of MI there is a corresponding one of MS

• formally: MI ≤c MS iff

∀σ ∈ tr(MI): obs(MI after σ) ⊆ obs(MS after σ)

(cf. Tretmans 96)

• usually, transition systems are considered to be deterministic and finite, hence this is “almost” the same as simulation
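The trace-based definition of conformance from this slide, as an added Python example (not the talk's code). It enumerates the traces σ of MI breadth-first over pairs (MI after σ, MS after σ) and reports the first σ at which an observation of the implementation is not an observation of the specification. The conventions are assumptions of this example: actions ending in ? are inputs, actions ending in ! are outputs, tau is internal, and, following Tretmans' δ, the absence of any output counts as an observation. The vending-machine models are constructed sample input. Because σ ranges over tr(MI), as the slide states, an implementation that accepts an input the specification does not know and then produces an output is reported as non-conformant.

```python
# Added example (not from the talk): conformance check  MI ≤c MS  iff
# for all σ ∈ tr(MI): obs(MI after σ) ⊆ obs(MS after σ).
# Models are (initial state, transitions); transitions map a state to a set of
# (action, successor). 'x?' is an input, 'x!' an output, 'tau' an internal step.

from collections import deque

TAU = "tau"
QUIESCENCE = "δ"   # assumption: the absence of any output is itself observable


def tau_closure(trans, states):
    """All states reachable from `states` by internal steps only."""
    seen, stack = set(states), list(states)
    while stack:
        s = stack.pop()
        for a, t in trans.get(s, ()):
            if a == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return frozenset(seen)


def after(trans, states, action):
    """M after σ·a, given M after σ = states: one visible action, then internal steps."""
    targets = {t for s in states for a, t in trans.get(s, ()) if a == action}
    return tau_closure(trans, targets)


def observations(trans, states):
    """obs(M after σ): outputs M may produce from any state of the set, plus δ if some
    state can stay silent (neither an output nor an internal step is enabled)."""
    obs = set()
    for s in states:
        acts = {a for a, _ in trans.get(s, ())}
        outs = {a for a in acts if a.endswith("!")}
        obs |= outs
        if not outs and TAU not in acts:
            obs.add(QUIESCENCE)
    return obs


def visible_actions(trans, states):
    return {a for s in states for a, _ in trans.get(s, ()) if a != TAU}


def check_conformance(impl, spec):
    """Return None if impl ≤c spec, otherwise a witness (trace, offending observations).
    Visited pairs of state sets are remembered, so the search terminates on finite models."""
    impl_init, impl_trans = impl
    spec_init, spec_trans = spec
    start = (tau_closure(impl_trans, {impl_init}), tau_closure(spec_trans, {spec_init}))
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (p, q), trace = queue.popleft()
        extra = observations(impl_trans, p) - observations(spec_trans, q)
        if extra:
            return trace, extra
        for a in visible_actions(impl_trans, p):      # σ ranges over tr(MI) only
            nxt = (after(impl_trans, p, a), after(spec_trans, q, a))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (a,)))
    return None


# Constructed sample models: a vending-machine specification and three implementations.
SPEC = ("s0", {"s0": {("coin?", "s1")}, "s1": {("coffee!", "s0")}})
IMPL_OK = ("i0", {"i0": {("coin?", "i1")}, "i1": {("coffee!", "i0")}})
IMPL_TEA = ("i0", {"i0": {("coin?", "i1")}, "i1": {("tea!", "i0")}})
# After the coin an internal step may lead to a state that never produces output.
IMPL_FLAKY = ("i0", {"i0": {("coin?", "i1")},
                     "i1": {(TAU, "i2"), ("coffee!", "i0")}, "i2": set()})

if __name__ == "__main__":
    for name, impl in [("ok", IMPL_OK), ("tea", IMPL_TEA), ("flaky", IMPL_FLAKY)]:
        print(name, check_conformance(impl, SPEC))
```

The δ observation is what exposes IMPL_FLAKY: without it, a state that silently swallows the coin would have an empty observation set and would pass against any specification.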

Observability

What is an observable behavior?

• An output visible at the interfaces

• An input sent to the system which is not accepted

Transition alphabet is partitioned into input, output and internal events

Composition of transition systems is defined as usual

Logics for conformance

• boxes for outputs, diamonds for input transitions

[request!] ackn? true

[request!] start reset? true

add U, µ etc. as necessary

Failures

• Within a transition system M, a failure is a sequence σ' = (σ, x) such that M accepts σ but not σ'

• In the composition of transition systems, a failure occurs if one component outputs x! and the other cannot input x?

Timing failures

• In timed systems, there are even other sorts of failures:

  • One component can send an output within a certain interval, but the other cannot receive it continuously during this interval

  • One component expects an input, but this input is not provided in time

Conformance (again)

Implementation MI conforms to MS if it can safely replace the specification in every context:

• Whenever (MS||ME) is failure-free, then also (MI||ME) is failure-free

• (MI||ME) has a failure only if (MS||ME) has one

[Diagram: the same environment ME composed once with the specification MS and once with the implementation MI]

Mirroring

The mirror of a transition system is the system with input and output reversed

For a suitable choice of alphabets and some other additional conditions, MI conforms to MS iff (MI || MSmirror) is failure free (the specification is a “most general environment” for the implementation)

Verification of conformance

• Compose MI with MSmirror and calculate the failures

• Can be done on the fly, depth-first, with partial order reduction

Verification by conformance

• If MI conforms to MS then every formula that holds in MS also holds in MI: MS ⊨ φ and MI ≤c MS imply MI ⊨ φ

• To show that MI ⊨ φ, find an abstraction MS such that MI ≤c MS and show MS ⊨ φ

• other direction does not hold in general

Testing with conformance

• Compose MSmirror with the (black box) implementation

• Enumerate all paths through MSmirror

• Outputs of the testing system are inputs for the implementation and vice versa

• Failures are registered as testing results
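The composition with the mirrored specification from the slides "Mirroring", "Verification of conformance" and this one, as an added Python example that is not the talk's tool. MSmirror plays the tester: its outputs are the implementation's inputs and vice versa, and a failure is a product state in which one side offers an output the other side cannot accept at that moment. The product is explored depth-first and on the fly; partial order reduction is omitted. Here the implementation is a model, so its states are explored exhaustively; with a black box the same paths through MSmirror would drive the real system and only the failures would be observed. Conventions are assumptions of this example (x? input, x! output, tau internal, closed system without timing), and the sample models are constructed.

```python
# Added example (not from the talk): conformance checking by composing the implementation
# with the mirrored specification and searching the product, depth-first and on the fly,
# for failure states. Models are (initial state, transitions); transitions map a state to
# a set of (action, successor). 'x?' is an input, 'x!' an output, 'tau' an internal step.

TAU = "tau"


def mirror(lts):
    """The mirror of a transition system: inputs and outputs reversed."""
    init, trans = lts

    def swap(a):
        if a == TAU:
            return a
        return a[:-1] + ("!" if a.endswith("?") else "?")

    return init, {s: {(swap(a), t) for a, t in succ} for s, succ in trans.items()}


def partner_of(a):
    """The complementary action: x! communicates with x? and vice versa."""
    return a[:-1] + ("?" if a.endswith("!") else "!")


def failures(impl, tester):
    """Explore impl || tester depth-first and collect the failures: product states in
    which one component can output x! while the other cannot input x? right now.
    Each failure is reported as (trace of base action names, component, action)."""
    (i0, it), (t0, tt) = impl, tester
    found, seen, stack = [], set(), [((i0, t0), ())]
    while stack:
        (si, st), trace = stack.pop()
        if (si, st) in seen:
            continue
        seen.add((si, st))
        acts_i, acts_t = it.get(si, set()), tt.get(st, set())
        inputs_i = {a for a, _ in acts_i if a.endswith("?")}
        inputs_t = {a for a, _ in acts_t if a.endswith("?")}
        # an output the other side cannot receive at this point is a failure
        for a, _ in acts_i:
            if a.endswith("!") and partner_of(a) not in inputs_t:
                found.append((trace, "impl", a))
        for a, _ in acts_t:
            if a.endswith("!") and partner_of(a) not in inputs_i:
                found.append((trace, "tester", a))
        # internal steps of either component interleave
        for a, t in acts_i:
            if a == TAU:
                stack.append(((t, st), trace))
        for a, t in acts_t:
            if a == TAU:
                stack.append(((si, t), trace))
        # visible actions synchronize: x! on one side with x? on the other
        for a, next_i in acts_i:
            if a == TAU:
                continue
            for b, next_t in acts_t:
                if b == partner_of(a):
                    stack.append(((next_i, next_t), trace + (a[:-1],)))
    return found


def conforms(impl, spec):
    """MI conforms to MS iff MI || MSmirror is failure free."""
    return not failures(impl, mirror(spec))


# Constructed sample models.
SPEC = ("s0", {"s0": {("coin?", "s1")}, "s1": {("coffee!", "s0")}})
IMPL_OK = ("i0", {"i0": {("coin?", "i1")}, "i1": {("coffee!", "i0")}})
IMPL_TEA = ("i0", {"i0": {("coin?", "i1")}, "i1": {("tea!", "i0")}})
# Serves one cup and then refuses further coins: the tester's coin! is not accepted,
# i.e. an input sent to the system which is not accepted.
IMPL_STUCK = ("i0", {"i0": {("coin?", "i1")}, "i1": {("coffee!", "i2")}, "i2": set()})

if __name__ == "__main__":
    for name, impl in [("ok", IMPL_OK), ("tea", IMPL_TEA), ("stuck", IMPL_STUCK)]:
        print(name, failures(impl, mirror(SPEC)))
```

Both kinds of observable failure from the "Observability" slide appear in the output: IMPL_TEA produces an output the tester cannot receive, IMPL_STUCK refuses an input the tester sends.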

Yet another conformance relation

• s ∈ S is equivalent to s’ ∈ S’ if all input sequences starting at s and starting at s’ generate the same output sequences.

• MI conforms to MS if for each state s in MI there is a state s’ in MS such that s is equivalent to s’

Conformance with Petri nets

• replace “transition system” by “one-safe Petri net”, and replace “sequence” by “causal net”

• Ki is (weakly) simulating Ks if a mapping h: Ks Ki exists such that

x,x’ EsBs ((x, x’) Rs () (h(x), h(x’)) Ri )

• bI BI is (weakly) simulating condition bS BS if for all admissible inputs SEQ and executions KI[I,bI,SEQ, KS[S,bS,SEQ: KI is (weakly) simulating KS.

• I (weakly) conforms to S if bS BS ( bI BI (bI is (weakly) simulating bS))

Conformance checking

• Let H0 be the relation consisting of all pairs (bI,bS) ∈ BI × BS. Hi+1 is constructed from Hi as follows: (bI,bS) ∈ Hi+1 iff

(bI,bS) ∈ Hi, and

eI bI , eS bS

(iKi(eI) = iKs(eS) oKi(eI) = oKS(eS) ) , and

eS bS bS’ eS

eI bI bI’ eI

: (bI’,bS’) Hi

• Let H be the relation reached upon stabilization. Then I conforms to S if

bS BS bI BI : (bI,bS) H

Test case generation

• Start with an arbitrary condition b and c(b) = {e | eb}

• The initial part of the execution is a copy of all conditions in c(b)

• Put a mark on all conditions in c(b)

• Repeat indefinitely:

  • Choose a maximal set of events which are either enabled in P, or can be enabled by putting a token on a condition which is not marked, such that the inputs of these events contain at most one input from each PCO and PO, respectively.

  • Put a mark on all conditions which have received a token, as well as on all conditions in the pre- and postset of an enabled transition.

  • Fire the chosen events in P, and extend the execution by appending a copy of all chosen events and their postsets to it.