This paper addresses the analysis of slope-parametric hybrid automata: finding conditions on the slopes of the automaton variables, for some safety property to be verified. The problem is shown decidable in some practical situations (e.g. finding the running speeds of tasks in a real-time application, for all tasks to respect their deadlines). The resolution technique generalizes polyhedral-based symbolic analysis and it involves reasoning about polyhedra with parametric shapes.
We present some new decidability results on the verification of hybrid automata by symbolic analysis (abstract interpretation using polyhedra). The results include defining a class of hybrid automata for which all properties expressed in the real-time temporal logic Tctl are decidable. The obtained class of automata is shown powerful enough to model reactive applications in which every task eventually terminates within uniformly-bounded time. Indeed, the restrictions we use for obtaining decidability have a physical meaning, and they all impose some kind of uniformity to the runs of hybrid automata.
Verifying Time-bounded Properties for ELECTRE Reactive Programs with Stopwatch Automata
We present the automatic verification of time-bounded properties of programs written in the reactive language Electre. For this, Electre programs are translated into so-called stopwatch automata, automata with chronometers to measure time. Properties are expressed in the logic TCTL and model-checking algorithms are used to verify those properties on Electre stopwatch automata. We argue that time-bounded TCTL is decidable on stopwatch automata.
Test generation is a program-synthesis problem: starting from the formal specification of a system under test, and from a test purpose describing a set of behaviours to be tested, compute a reactive program that observes an implementation of the system to detect non-conformant behaviour, while trying to control it towards satisfying the test purpose. In this paper we describe an approach for generating symbolic test cases, in the form of input-output automata with variables and parameters.
We present work we are engaged in to develop symbolic test generation techniques and apply those techniques to testing of smart card applications. Beginning with (1) a system specification and (2) a test purpose expressed as symbolic labelled-transition-systems, we automatically derive tests to check conformance of an implementation to the behaviors of the specification selected by the test purpose. We present an example taken from a case-study we are developing based on the application of these techniques to the CEPS e-purse specifications.
This paper addresses the problem of generating symbolic test cases for testing the conformance of a black-box implementation with respect to a specification, in the context of reactive systems. The challenge we consider is the selection of test cases according to a test purpose, which is here a set of scenarios of interest that one wants to observe during test execution. Because of the interactions that occur between the test case and the implementation, test execution can be seen as a game involving two players, in which the test case attempts to satisfy the test purpose. Efficient solutions to this problem have been proposed in the context of finite-state models, based on the use of fixpoint computations. We extend them in the context of infinite-state symbolic models, by showing how approximate fixpoint computations can be used in a conservative way. The second contribution we provide is the formalization of a quality criterion for test cases, and a result relating the quality of a generated test case to the approximations used in the selection algorithm.
A methodology that combines verification and conformance testing for validating safety requirements of reactive systems is presented. The requirements are first automatically verified on the system's specification. Then, test cases are automatically derived from the specification and the requirements, and executed on a black-box implementation of the system. The test cases attempt to push the implementation into violating a requirement. We show that an implementation conforms to its specification if and only if it passes all the test cases generated in this way.
We define a symbolic determinisation procedure for a class of infinite-state systems, which consists of automata extended with symbolic variables that may be infinite-state. The subclass of extended automata for which the procedure terminates is characterised as bounded lookahead extended automata. It corresponds to automata for which, in any location, the observation of a bounded-length trace is enough to infer the first transition actually taken. We discuss applications of the algorithm to the verification, testing, and diagnosis of infinite-state systems.
This paper presents a combination of verification and conformance testing techniques for the formal validation of reactive systems. A formal specification of a system, which may be infinite-state, and a set of safety properties are assumed. Each property is verified on the specification using automatic techniques based on abstract interpretation, which are sound, but, as a price to pay for automation, are not necessarily complete. Next, for each property, a test case is automatically generated from the specification and the property, and is executed on a black-box implementation of the system to detect violations of the property by the implementation and non-conformances between implementation and specification. If the verification step did not conclude, the test execution may also detect violations of the property by the specification.
Compositionality and abstraction are key ingredients for the successful verification of complex infinite-state systems. In this paper we present an approach based on these ingredients and on theorem proving for verifying communication protocols. The approach is implemented in PVS. It is demonstrated here by verifying the data transfer function of the SSCOP protocol, an ATM protocol whose main requirement is to perform a reliable data transfer over an unreliable communication medium.
We report on a tool we have developed that implements conformance testing techniques to automatically derive symbolic test cases from formal operational specifications. We demonstrate the application of the techniques and tools on a simple example and present case studies for the CEPS (Common Electronic Purse Specification) and for the file system of the 3GPP (Third Generation Partnership Project) card.
We study the reachability problem for hybrid automata. Automatic approaches, which attempt to construct the reachable region by symbolic execution, often do not terminate. In these cases, we require the user to guess the reachable region, and we use a theorem prover (Pvs) to verify the guess. We classify hybrid automata according to the theory in which their reachable region can be defined finitely. This is the theory in which the prover needs to operate in order to verify the guess. The approach is interesting, because an appropriate guess can often be deduced by extrapolating from the first few steps of symbolic execution.
Applying formal methods to testing has recently become a popular research topic. In this paper we explore the opposite approach, namely, applying testing techniques to formal verification. The idea is to use symbolic test generation to extract subgraphs (called components) from a specification and to perform the verification on the components rather than on the whole system. This may considerably reduce the verification effort and, under reasonable sufficient conditions, a safety property verified on a component also holds on the whole specification. We demonstrate the approach by verifying an electronic purse system using our symbolic test generation tool STG and the PVS theorem prover.
Papers by Vlad Rusu