Download - Generated Path Conditions for Timed Systems
![Page 1: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/1.jpg)
IFM 2005, Eindhoven
Generated Path Conditions for Timed Systems
Doron PeledDept. of Computer ScienceUniversity of WarwickUnited KingdomJoint work with Saddek Bensalem, Hongyang Qu,Stavros Tripakis
IFM 2005
![Page 2: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/2.jpg)
IFM 2005, Eindhoven
Tester’s Goals Help in selecting test cases.
Visual, by clicking on a path in flow chart. According to intuition about potential
errors. According to some formal specification.
Performing tests Forcing an execution (even when
nondeterminism exists). Calculating the probability of a path.
![Page 3: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/3.jpg)
IFM 2005, Eindhoven
Architecture
compilercode
Test Selector
Visual Selection
Model Checker
Calculate Weakest Precondition
SatSolver
transitions
Flow graph
Executor
Add Synchro.
Calculate Probability
Counter-exampletest case
![Page 4: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/4.jpg)
IFM 2005, Eindhoven
Unit testing: Selection of test cases
(for white-box testing)The main problem is to select a good coveragecriterion. Some standard options are:
Cover all paths of the program. Execute every statement at least once. Each decision (diamond node on flow chart) has
a true or false value at least once. Each condition predicate is taking each truth
value at least once. Check all possible combinations of conditions in
each decision.
![Page 5: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/5.jpg)
IFM 2005, Eindhoven
How to cover the executions?if (A>1)&(B=0) then X=X/A; if (A=2)|(X>1) then X=X+1;
Choose values for A,B,X at the beginning that would force the right path/conditions/predicates.
Value of X may change, depending on A,B. What do we want to cover? Paths?
Statements? Conditions?
![Page 6: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/6.jpg)
IFM 2005, Eindhoven
Statement coverageExecute every statement at least onceBy choosingA=2,B=0,X=3each statement will
be chosen.The case where the
tests fail is not checked!
if (A>1)&(B=0) then X=X/A;
if (A=2)|(X>1) then X=X+1;
Now x=1.5
![Page 7: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/7.jpg)
IFM 2005, Eindhoven
Decision coverageEach decision (diamond node in flow graph) tested with true and false outcome at least once.
Can be achieved using A=3,B=0,X=3 A=2,B=1,X=1
Problem: Does not test individual predicates. E.g., when X>1 is erroneous in second decision.
if (A>1)&(B=0) then X=X/A;
if (A=2)|(X>1) then X=X+1;
![Page 8: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/8.jpg)
IFM 2005, Eindhoven
Preliminary:Relativizing assertions
(B) : x1= y1 * x2 + y2 /\ y2 >= 0Relativize B) w.r.t. the assignment
becomes B) [Y\g(X,Y)]e(B) expressed w.r.t. variables
at A.) (B)A =x1=0 * x2 + x1 /\ x1>=0Think about two sets of variables,
before={x, y, z, …} after={x’,y’,z’…}.
Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after by substitution.
Here: x1’=y1’ * x2’ + y2’ /\ y2’>=0 /\x1=x1’ /\ x2=x2’ /\ y1’=0 /\ y2’=x1now eliminate x1’, x2’, y1’, y2’.
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
![Page 9: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/9.jpg)
IFM 2005, Eindhoven
Verification conditions: tests
C) is transformed to B)= t(X,Y) /\ C)
D) is transformed to B)=t(X,Y) /\ D)
B)= D) /\ y2x2y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
![Page 10: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/10.jpg)
IFM 2005, Eindhoven
How to find values for coverage?
•Put true at end of path.•Propagate path backwards.•On assignment, relativize expression.•On “yes” edge of decision node, add decision as conjunction.•On “no” edge, add negation of decision as conjunction.•Can be more specific when calculating condition with multiple condition coverage.
A>1/\B=0
A=2\/X>1
X=X+1
X=X/Ano
no
yes
yes
true
true
![Page 11: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/11.jpg)
IFM 2005, Eindhoven
How to find values for coverage?
A>1/\B=0
A=2\/X>1
X=X+1
X=X/Ano
no
yes
yes
true
true
A 2/\X>1
(A2 /\ X/A>1) /\ (A>1 & B=0)
A2 /\X/A>1Need to find a satisfying assignment:A=3, X=6, B=0Can also calculate path condition forwards.
![Page 12: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/12.jpg)
IFM 2005, Eindhoven
Some real life story An expert programmer inspects the code of NASA
MER. He observes through his experience and intuition
that some execution path is suspicious. He decides how to force this path to execute,
e.g., by figuring some inputs and initial values. He executes the path, showing his supervisor the
presence of an error. We want to build some tools to help him with this
process. We’ll use LTL to help with formalizing the
intuition on where the error is.
![Page 13: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/13.jpg)
IFM 2005, Eindhoven
Learning from another technique: Model Checking
Automaton description of a system B. LTL formula . Translate into an automaton P. Check whether L(B) L(P)=. If so, S satisfies . Otherwise, the intersection
includes a counterexample. Repeat for different properties.
¬
![Page 14: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/14.jpg)
IFM 2005, Eindhoven
Unit Testing Model Checking
Unit Checking
![Page 15: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/15.jpg)
IFM 2005, Eindhoven
New: Test case generation based on LTL specification
Compiler ModelChecker
Path conditioncalculation
First orderinstantiator
Testmonitoring
Transitions
Path Flow
chart
LTLAut
![Page 16: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/16.jpg)
IFM 2005, Eindhoven
Path conditions Path in flow chart multiple executions following
path. First order formula. All executions of a path must start with initial
values satisfying the path condition. In deterministic code, there can be only one
execution starting with particular values, hence all executions starting with initial values satisfying the path condition will follow that path.
In nondeterministic code, each such initial value has an execution following a path. May need to insert synchronizing code.
![Page 17: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/17.jpg)
IFM 2005, Eindhoven
Goals Verification of software. Compositional verification. Use only a unit of
code instead of the whole code. Parameterized verification. Verifies a
procedure with any value of parameters in “one shot”
Generating test cases via path conditions: A truth assignment satisfying the path condition. Helps derive the demonstration of errors.
Generating appropriate values to missing parameters.
![Page 18: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/18.jpg)
IFM 2005, Eindhoven
Spec: ¬at l2U (at l2/\ xy /\ (¬at l2/\(¬at l2U at l2 /\ x2y )))
Automatic translation of LTL formula into an automaton [Gerth et all]
LTL is interpreted over finite sequences.
Can use other (linear) specification.
Property specifies the path we want to find (SPIN: never claim),not the property that must hold for all paths (for this, take the negation).
¬at l2
at l2/\xy
¬at l2
at l2/\x2y
Observation:each node hasconjunctions of
predicates onprogram variables
and programcounters
![Page 19: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/19.jpg)
IFM 2005, Eindhoven
Divide and Conquer Intersect property automatonproperty automaton with the
flow chartflow chart, regardless of the statements and program variables expressions.
Add assertions from the property automaton to further restrict the path condition.
Calculate path conditions for sequences found in the intersection.
Calculate path conditions on-the-fly. Backtrack when condition is false.Thus, advantage to forward calculation of path conditions (incrementally).
![Page 20: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/20.jpg)
IFM 2005, Eindhoven
Spec: (only program counters here)¬at l2U (at l2/\ ¬at l2/\(¬at l2U at l2))
¬at l2
at l2
¬at l2
at l2
l2:x:=x+z
l3:x<t
l1:…
l2:x:=x+z
l3:x<t
l2:x:=x+z
XX==
at l2
at l2
¬at l2
Either all executions of a path satisfy the formula or none.
Sifts away paths not satisfying formula. Then calculate path condition.
![Page 21: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/21.jpg)
IFM 2005, Eindhoven
Spec: ¬at l2U (at l2/\ xy /\ (¬at l2/\(¬at l2U at l2 /\ x2y )))
¬at l2
at l2/\xy
¬at l2
at l2/\x2y
l2:x:=x+z
l3:x<t
l1:…
l2:x:=x+z
l3:x<t
l2:x:=x+z
XX==
xy
x2y
Only some executions of path may satisfy formula
Modify calculation of path condition to incorporate property
![Page 22: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/22.jpg)
IFM 2005, Eindhoven
Calculating the intersection of the property automaton and flow graph (abstract variables away).
¬a
a a
a
as1 s2
s3q2
q1
s1,q1
s1,q2 s3,q2
s2,q1Acceptance isdetermined by
propertyautomaton.
<>a
a a
¬a
![Page 23: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/23.jpg)
IFM 2005, Eindhoven
How to generate test cases Take the intersection of an LTL automaton (for a
never claim) with the flow graph. Some paths would be eliminated for not satisfying the assertions on the program counters.
Seeing same flow chart node does not mean a loop: program variables may value. Use iterative deepening.
For each initial path calculate the path condition. Backtrack if condition simplifies to false.
Report path condition based on flow graph path+LTL assertions.
Always simplify conditions!
![Page 24: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/24.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider (x=4)U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalse
![Page 25: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/25.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider x=4U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalse
![Page 26: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/26.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider x=4U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalseX=4
![Page 27: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/27.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider x=4U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalseX=4
X=4
![Page 28: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/28.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider x=4U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalseX=4
X=4
x<5
X=4
true
This is acontradiction
![Page 29: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/29.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider x=4U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalseX=5
X=4
![Page 30: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/30.jpg)
IFM 2005, Eindhoven
How the LTL formula directs the search
Consider x=4U (x=5/\o…)x=4
x=5x<5
x:=x+1y:=7
truefalseX=5
X=4
![Page 31: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/31.jpg)
IFM 2005, Eindhoven
Example: GCD l1:x:=a
l5:y:=z
l4:x:=y
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
l0
l7
![Page 32: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/32.jpg)
IFM 2005, Eindhoven
Example: GCD l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
Oops…with an error (l4 and l5 were switched).
l0
l7
![Page 33: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/33.jpg)
IFM 2005, Eindhoven
Why use Temporal specification Temporal specification for sequential
software? Deadlock? Liveness? – No! Captures the tester’s intuitionintuition about the
location of an error:“I think a problem may occur when the program runs through the main while loop twice, then the if condition holds, while t>17.”
![Page 34: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/34.jpg)
IFM 2005, Eindhoven
Example: GCD l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
l0
l7
a>0/\b>0/\at l0 /\at l7
at l0/\a>0/\b>0
at l7
![Page 35: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/35.jpg)
IFM 2005, Eindhoven
Example: GCD l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
l0
l7
a>0/\b>0/\at l0/\at l7
Path 1: l0l1l2l3l4l5l6l7a>0/\b>0/\a rem b=0
Path 2: l0l1l2l3l4l5l6l3l4l5l6l7 a>0/\b>0/\a rem b0
![Page 36: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/36.jpg)
IFM 2005, Eindhoven
Potential explosion
Bad point: potential explosionGood point: may be chopped on-the-fly
![Page 37: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/37.jpg)
IFM 2005, Eindhoven
Now we add time Detailed model, for each transition we
have 4 parameters [l, u, L, U]: l Needs to be enabled at least that much. u Cannot be enabled without taken longer
than that. L Least time for transformation to occur
(after been chosen). U Transformation cannot take more than
that.
![Page 38: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/38.jpg)
IFM 2005, Eindhoven
Translation to timed automatas1
at l
s3,at lx2<u2x1<u1s4,at lx2<u2
s2,at lx1<u1
c1c2x2:=
0
c1c2x1:=
0
c1c2x1:=0
c1c2x2:=0c1c2
x1:=0c1c2x2:=0
c1c2 c1c2
c1c2
x1,x2:=0 c1c2
c1c2 c1c2
Timing out the enabledness:Zero the counters,Cannot wait enabled too much.
![Page 39: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/39.jpg)
IFM 2005, Eindhoven
Translation to timed automatas1
at l
s3,at lx2<u2x1<u1
s6x2<U2
s5x1<U1
s4,at lx2<u2
s2,at lx1<u1
x1l1x1:=
0
x1l1x1:=
0
x2l2x2:=
0
x2l2x2:=
0
c1c2x2:=
0
c1c2x1:=
0
c1c2x1:=0
c1c2x2:=0c1c2
x1:=0c1c2x2:=0
c1c2 c1c2
c1c2
x1,x2:=0 c1c2
c1c2 c1c2
ac
ac bc bc
Can fire only if waited enough,Zero counters again.
![Page 40: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/40.jpg)
IFM 2005, Eindhoven
Translation to timed automatas1
at l
s3,at lx2<u2x1<u1
s8s7
s6x2<U2
s5x1<U1
s4,at lx2<u2
s2,at lx1<u1
x1L1 x2L2
x1l1x1:=
0
x1l1x1:=
0
x2l2x2:=
0
x2l2x2:=
0
c1c2x2:=
0
c1c2x1:=
0
c1c2x1:=0
c1c2x2:=0c1c2
x1:=0c1c2x2:=0
c1c2 c1c2
c1c2
x1,x2:=0 c1c2
c1c2 c1c2
ac
ac bc bc
af bf
Conditions on paths represented using (symbolic) DBMs.
![Page 41: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/41.jpg)
IFM 2005, Eindhoven
Should we really look at paths?
Its easy to select an interleaved sequence.
But due to time limitations, it may execute in a different order.
Just the order on events from the same process and using same variables is to be considered.
abcd
a bc d
Sameprocess
Samevariable
![Page 42: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/42.jpg)
IFM 2005, Eindhoven
Generate an automaton for all consistent interleavings
a bc d
a
a b
b
c
c
bddc
Intersect this automaton with automaton for system.Calculate “partial order” condition: start from leaves.When there is a choice, usedisjunct.
![Page 43: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/43.jpg)
IFM 2005, Eindhoven
Generate an automaton for all consistent interleavings
a
a b
b
c
c
bddc
![Page 44: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/44.jpg)
IFM 2005, Eindhoven
Generate an automaton for all consistent interleavings
a
a b
b
c
c
bddc
![Page 45: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/45.jpg)
IFM 2005, Eindhoven
Generate an automaton for all consistent interleavings
a
a b
b
c
c
bddc
![Page 46: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/46.jpg)
IFM 2005, Eindhoven
An example — a simple network protocol
![Page 47: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/47.jpg)
IFM 2005, Eindhoven
The flow charts
![Page 48: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/48.jpg)
IFM 2005, Eindhoven
Path — no timeout
![Page 49: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/49.jpg)
IFM 2005, Eindhoven
Precondition
The simplified precondition: l >= 110
![Page 50: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/50.jpg)
IFM 2005, Eindhoven
The diagrams
![Page 51: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/51.jpg)
IFM 2005, Eindhoven
The PET tool Basic mode: interactive choice of a path, calculating
of path conditions. Model checking mode. Iterative model checking mode: apply model
checking recursively to find successive segments, control backtracking.
Unit checking mode. Calculating path condition: simplify, simplify,
simplify.Use SML and HOL for rewriting and deciding on Pressburger arithmetic. Plan using other tools!
Problem: US patent 6,408,430 belongs to Lucent!
![Page 52: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/52.jpg)
IFM 2005, Eindhoven
![Page 53: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/53.jpg)
IFM 2005, Eindhoven
![Page 54: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/54.jpg)
IFM 2005, Eindhoven
![Page 55: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/55.jpg)
IFM 2005, Eindhoven
![Page 56: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/56.jpg)
IFM 2005, Eindhoven
![Page 57: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/57.jpg)
IFM 2005, Eindhoven
![Page 58: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/58.jpg)
IFM 2005, Eindhoven
![Page 59: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/59.jpg)
IFM 2005, Eindhoven
![Page 60: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/60.jpg)
IFM 2005, Eindhoven
![Page 61: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/61.jpg)
IFM 2005, Eindhoven
![Page 62: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/62.jpg)
IFM 2005, Eindhoven
![Page 63: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/63.jpg)
IFM 2005, Eindhoven
![Page 64: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/64.jpg)
IFM 2005, Eindhoven
![Page 65: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/65.jpg)
IFM 2005, Eindhoven
![Page 66: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/66.jpg)
IFM 2005, Eindhoven
Drivers and Stubs(skip)
Driver: represents the program or procedure that called our checked unit.
Stub: represents a procedure called by our checked unit.
In our approach: replace both of them with a formula representing the effect the missing code has on the program variables.
Integrate the driver and stub specification into the calculation of the path condition.
l1:x:=a
l5:x:=y
l4:y:=z
l3:z’=x rem y/\x’=x/\y’=x
l2:y:=b
l6:z=0? yesno
l0
l7
![Page 67: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/67.jpg)
IFM 2005, Eindhoven
Conclusions Model checking and testing have a lot in common. Can
use ideas from model checking for generating test cases. Integrate Formal Methods!
Unit Testing: Model checking of infinite state spaces.But: semidecidable: Don’t know when to stop search (undecideable), Don’t know when condition equivalent false
(undecideable). Tools, visual user interface. Generalization to real time systems. More tools:
automatic addition of synchronization.Calculate probability of execution.
![Page 68: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/68.jpg)
IFM 2005, Eindhoven
Some references Translating LTL into automata:
Gerth, Peled, Vardi, Wolper, Simple on-the fly automatic verification of temporal logic, PSTV 1995.
The PET tool:Gunter, Peled, Path Exploration Tool, Tacas 1999, LNCS 1579
Unit Checking:Gunter, Peled, Unit Checking: symbolic model checking for unit of code, LNCS 2772 (Z.M. birthday volume)
Forcing an execution under nondeterminism:Qu, Peled, Enforcing Concurrent Temporal Behavior, RV 2004
![Page 69: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/69.jpg)
IFM 2005, Eindhoven
Enforcing Executions: Goals Instrument a program in order to
demonstrate counterexamples. Inspect generated test cases. Studying the effect of added
synchronization/timing. Still allow other runs, selected runs
are enforced in a controlled way.
![Page 70: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/70.jpg)
IFM 2005, Eindhoven
Dekker’s mutual exclusion algorithmP1::c1:=1; while true do begin c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; while turn=2 do begin /* no-op */ end; c1:=0 end end; /* critical-section 1*/ c1:=1; turn:=2end
P2::c2:=1; while true do begin c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; while turn=1 do begin /* no-op */ end; c2:=0 end end; /* critical-section 2*/ c2:=1; turn:=1end
![Page 71: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/71.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 72: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/72.jpg)
IFM 2005, Eindhoven
Two scenarios from same initial state(P1(0):start) (P2(0):start) [P1(1):c1:=1] [P2(1):c2:=1]<p1(12):true?>yes[p1(2):c1:=0] [P2(2):c2:=0]<p1(8):c2=0?>yes <P2(8):c1=0?>yes<p1(7):turn=2?>no <p2(7):turn=1?>yes [p2(3):c2:=1]<p1(8):c2=0?>yes[P1(9):crit-1]
(p1(0):start) (p2(0):start)[p1(1):c1:=1] [P2(1):c2:=1] <P2(12):true?>yes<p1(12):true?>yes [P2(2):c2:=0] <P2(8):c1=0?>no [P2(9):crit-2]
Starting with same state, i.e., with turn=1 does not guarantee repeating the same run due to nondeterminism.
![Page 73: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/73.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
2nd scenario
![Page 74: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/74.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 75: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/75.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 76: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/76.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 77: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/77.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 78: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/78.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 79: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/79.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 80: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/80.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 81: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/81.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 82: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/82.jpg)
IFM 2005, Eindhoven
0:start P1 0:start P21:c1:=1 1:c2:=1
12:true?12:true?2:c2:=0
8:c1=0?9:crit-2Events (occurrences
ofactions) participating is 2nd scenario
![Page 83: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/83.jpg)
IFM 2005, Eindhoven
0:start P1 0:start P21:c1:=1 1:c2:=1
12:true?12:true?
2:c2:=0
8:c1=0?
9:crit-2
![Page 84: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/84.jpg)
IFM 2005, Eindhoven
0:start P1 0:start P21:c1:=1 1:c2:=1
12:true?12:true?
2:c2:=0
8:c1=0?
9:crit-2
Action e is dependent on event fif e and f use mutual variable (including program counter).Event (occurrence of action) e precedes event f if•e appears before f in run, and•e is dependent on f.
![Page 85: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/85.jpg)
IFM 2005, Eindhoven
0:start P1 0:start P21:c1:=1 1:c2:=1
12:true?12:true?
2:c2:=0
8:c1=0?
9:crit-2
Partial order semantics.Equivalent to set of all linearizations. Can define trace equivalencetrace equivalence between linearizations of the same partial order.
![Page 86: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/86.jpg)
IFM 2005, Eindhoven
0:start P1
0:start P2
1:c1:=1
1:c2:=1
12:true?
12:true?
2:c2:=0
8:c1=0?
9:crit-2
Traceequiv
0:start P1
0:start P2
1:c1:=1
1:c2:=1
12:true?
12:true?
2:c2:=0
8:c1=0?
9:crit-2
![Page 87: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/87.jpg)
IFM 2005, Eindhoven
Program transformation (I)For each dependent pair of events e and f of different processes, where e precedes f in run:Define a semaphore Vij
Add after e: Freeij : Vij: = Vij + 1Add before f: Waitij : wait Vij > 0; Vij: = Vij – 1
(After e, we signal f that it can continue)
![Page 88: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/88.jpg)
IFM 2005, Eindhoven
Program transformation (II)Add a counter counti for each process, counting up before each dependent event participating in previous transformation.counti := counti + 1Add after e: If counti =#e then Freeij
Add before f: If counti =#f then Freeij
Count also last event on run g and add: If counti =#g then halt process.
![Page 89: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/89.jpg)
IFM 2005, Eindhoven
Program transformation (III):To allow other executions when not tracing runs, add a variable checki.Wrap transformed segments Code with If checki then Code
Minimize synchronization. If we synchronized ef and fg (including the case of synchronization using process sequentiality), then we do not need to add synchronization fo eg (use Floyd-Warshall algorithm to calculate transitive closure of ).
![Page 90: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/90.jpg)
IFM 2005, Eindhoven
Boolean c1, c2, check1, check2;boolean V12 initially 0;integel (1..2) turn;
P1::c1:=1; if check1 then V12:=1; while true do begin if check1 then halt P1; c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; while turn=2 do begin /* no-op */ end; c1:=0 end end; /* critical-section 1*/ c1:=1; turn:=2 end
P2::c2:=1; while true do begin c2:=0; if check2 then begin wait V12>0; V12:=0 end while c1=0 do begin if turn=1 then begin c2:=1; while turn=1 do begin /* no-op */ end; c2:=0 end end; /* critical-section 2*/ if check2 then halt P2; c2:=1; turn:=1end
![Page 91: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/91.jpg)
IFM 2005, Eindhoven
Ultimately periodic sequences (skip)Prefix:(P1(0):start) (P2(0):start)[P1(1):c1:=1] [P2(1):c2:=1] <P2(12):true>yes<P1(12):true>yes[P1(2):c1:=0] [P2(2):c2:=0]<P1(8):c2=0?>yes <P2(8):c1=0?>yes<P1(7):turn=2?>no <P2(7)>turn=1?>yes [P2(3):c2:=1]
Periodic part: <p2(5):turn=1?>yes [P2(4): /* no-op */]
Generate graph G(P,E) for periodic part:
P – processes.E – an edge occurs from Pi to Pj if
there is a dependency between even e of Pi and f of Pj occurring later in the run.
What are the consequents of synchronizing after each period?
![Page 92: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/92.jpg)
IFM 2005, Eindhoven
There are three cases: (skip)1. The graph G includes all the processes
in one strongly connected component.Limited overtaking is not present.
2. The graph includes multiple components, including all processes.Unbounded overtaking is not present.
3. Not all processes are present.The run may be unfair to some processes.
![Page 93: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/93.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 94: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/94.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 95: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/95.jpg)
IFM 2005, Eindhoven
0:start P11:c1:=1
12:true?
10:c1:=1
9:crit-1
6:c1:=04:no-op
3:c1:=1
2:c1:=0 13:end
8:c2=0?
7:turn=2?
5:turn=2?11:turn:=2
yes
yes
yes
yes
no
no
no
no
0:start P21:c2:=1
12:true?
10:c1:=1
9:crit-2
6:c2:=04:no-op
3:c2:=1
2:c2:=0 13:end
8:c1=0?
7:turn=1?
5:turn=1?11:turn:=1
yes
yes
yes
yes
no
no
no
no
![Page 96: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/96.jpg)
IFM 2005, Eindhoven
Preserving the checked property (skip)
Sometimes not all the runs that are trace-equivalent to the original one preserve the checked property .
1. Use a specification formalism that is closed under trace equivalence, or check closeness [PWW98].
2. Add dependencies so that trace equivalence is refined.• Add dependency between actions when
switching an independent pair results in an equivalent run, but fails to satisfy the checked property.
• Or add dependencies between actions that may change propositions that appear in .
![Page 97: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/97.jpg)
IFM 2005, Eindhoven
Calculating the probability of a path. Continuous uniform distribution. Transitions have lower and upper
bound for execution [l,u]. f(x)= 1/(u-l) when lxu,
| 0 otherwise. Joint probability:
f1(y1)f2(y2)…fn(yn)dy1dy2…dynon constraint area.
![Page 98: Generated Path Conditions for Timed Systems](https://reader036.vdocuments.net/reader036/viewer/2022062810/56815c35550346895dca1c66/html5/thumbnails/98.jpg)
IFM 2005, Eindhoven
Example path ag.a[1,5]
b[2,5]
c[1,4]
g[2,6]
h[3,7]
a cg
bh
1xa5 2xg6xg7 (because of h)xg-xg4 (because of c)Now integrate on area.