1.08k likes | 1.1k Views
Black Box Checking. Doron Peled, University of Warwick. Why testing?. Reduce design/programming errors. Can be done during development, before production/marketing. Practical, simple to do. Check the real thing, not a model. Scales up reasonably. Being state of the practice for decades.
E N D
Black Box Checking Doron Peled, University of Warwick
Why testing? • Reduce design/programming errors. • Can be done during development, beforeproduction/marketing. • Practical, simple to do. • Check the real thing, not a model. • Scales up reasonably. • Being state of the practice for decades.
Part 1: Testing of black box finite state machine Wants to know: In what state we started? In what state we are? Transition relation Conformance Satisfaction of a temporal property Know: Transition relation Size or bound on size
Finite automata (Mealy machines) S - finite set of states. (size n) S– set of inputs. (size d) O– set of outputs, for each transition. (s0S - initial state). • S S S - transition relation. S S O – output on edge.
Why deterministic machines? • Otherwise no amount of experiments would guarantee anything. • If dependent on some parameter (e.g., temperature), we can determinize, by taking parameter as additional input. • We still can model concurrent system. It means just that the transitions are deterministic. • All kinds of equivalences are unified into language equivalence. • Also: connected machine (otherwise we may never get to the completely separate parts).
a/1 b/1 a/1 Determinism When the black box is nondeterministic, we might never test some choices.
Preliminaries: separating sequences b/1 s1 s2 a/0 b/1 b/0 a/0 s3 a/0 Start with one block containing all states {s1, s2, s3}.
A: separate to blocks of states with different output. b/1 s1 s2 a/0 b/1 b/0 a/0 s3 a/0 Two sets, separated using the string b {s1, s3}, {s2}.
Repeat B: Separate blocks based on moving to different blocks. b/1 s1 s2 a/0 b/1 b/0 a/0 s3 a/0 Separate first block using b to three singleton blocks.Separating sequences: b, bb.Max rounds: n-1, sequences: n-1, length: n-1.For each pair of states there is a separating sequence.
Want to know the state of the machine (at end). Homing sequence. Depending on output, would know in what state we are. Algorithm: Put all the states in one block (initially we do not know what is the state). Then repeatedly partitions blocks of states, as long as they are not singletons, as follows: • Take a non singleton block, append a distinguishing sequence that separates at least two states. • Update all blocks to the states after executing . Max length: (n-1)2 (Lower bound: n(n-1)/2.)
b/1 s1 s2 a/0 b/1 b/0 a/0 s3 a/0 Example (homing sequence) {s1, s2, s3} b 1 1 0 {s1, s2} {s3} b 1 1 0 {s1} {s2} {s3} On input b and output 1, still don’t know if was in s1or s3, i.e., if currently in s2 or s1.So separate these cases with another b.
Synchronizing sequence • One sequence takes the machine to the same final state, regardless of the initial state or the outputs. • Not every machine has a synchronizing sequence. • Can be checked whether exists and can be found in polynomial time.
State identification: • Want to know in which state the system has started (was reset). • Can be a preset distinguishing sequence (fixed), or a tree (adaptive). • May not exist (PSPACE complete to check if preset exists, polynomial for adaptive). • Best known algorithm: exponential length for preset,polynomial for adaptive [LY].
b/1 a/1 b/1 s1 s2 a/1 a/1 s3 b/0 Sometimes cannot identify initial state Start with a:in case of being in s1or s3we’ll move to s1and cannot distinguish.Start with b:In case of being in s1or s2we’ll move to s2 and cannot distinguish. The kind of experiment we do affects what we can distinguish. Much like the Heisenberg principle in Physics.
Conformance testing • Unknown deterministic finite state system B. • Known: n states and alphabet . • An abstract model C of B. C satisfies all the properties we want from B. C has m states. • Check conformance of B and C. • Another version: only a bound n on the number of states l is known.
b/1 a/1 b/1 s1 s2 ?= a/1 a/1 s3 b/0 Check conformance with a given state machine • Black box machine has no more states than specification machine (errors are mistakes in outputs, mistargeted edges). • Specification machine is reduced, connected, deterministic. • Machine resets reliably to a single initial state (or use homing sequence).
a/1 a/1 b/1 b/1 Conformance testing [Ch,V] a/1 b/1 b/1 a/1 a/1 b/1 Cannot distinguish if reduced or not.
a Conformance testing (cont.) b b a a a a b b a a b Need: bound on number of states of B.
b/1 a/1 b/1 s1 s1 s2 a/1 b/1 a/1 s3 s2 a/1 s3 b/0 Preparation:Construct a spanning tree
How the algorithm works? Reset or homing According to the spanning tree, force a sequence of inputs to go to each state. • From each state, perform the distinguishing sequences. • From each state, make a single transition, check output, and use distinguishing sequences to check that in correct target state. Reset or homing s1 a/1 b/1 s3 s2 Distinguishing sequences
Comments • Checking the different distinguishing sequences (m-1 of them) means each time resetting and returning to the state under experiment. • A reset can be performed to a distinguished state through a homing sequence. Then we can perform a sequence that brings us to the distinguished initial state. • Since there are no more than m states, and according to the experiment, no less than m states, there are m states exactly. • Isomorphism between the transition relation is found, hence from minimality the two automata recognize the same languages.
Combination lock automaton • Assume accepting states. • Accepts only words with a specific suffix (cdab in the example). c d a b s1 s2 s3 s4 s5 Any other input
When only a bound on size of black box is known… • Black box can “pretend” to behave as a specification automaton for a long time, then upon using the right combination, make a mistake. a/1 Pretends to be S1 b/1 a/1 b/1 b/1 s1 s2 a/1 a/1 s3 Pretends to be S3 b/0
Conformance testing algorithm [VC] Reset or homing Reset or homing • The worst that can happen is a combination lock automaton that behaves differently only in the last state. The length of it is the difference between the size n of the black box and the specification m. • Reach every state on the spanning tree and check every word of length n-m+1 or less. Check that after the combination we are at the state we are supposed to be, using the distinguishing sequences. • No need to check transitions: already included in above check. • Complexity: m2 n dn-m+1 Probabilistic complexity: Polynomial. s1 a/1 b/1 s3 s2 Words of length n-m+1 Distinguishing sequences
Model Checking • Finite state description of a system B. • LTL formula . Translate into an automaton P. • Check whether L(B) L(P)=. • If so, S satisfies . Otherwise, the intersection includes a counterexample. • Repeat for different properties.
Buchi automata (w-automata) S - finite set of states. (B has l n states) S0S - initial states. (P has m states) S - finite alphabet. (contains p letters) d S SS - transition relation. F S - accepting states. Accepting run: passes a state in F infinitely often. System automata: F=S, deterministic, one initial state. Property automaton: not necessarily deterministic.
Example: check a a <>a a a, a
a a a a Example: check <>a <>a
Example: check <>a a, a <>a a a Use automatic translation algorithms, e.g., [Gerth,Peled,Vardi,Wolper 95]
a c b System
Every element in the product is a counter example for the checked property. a a <>a s1 s2 q1 a c b a a s3 q2 a s1,q1 s2,q1 Acceptance isdetermined byautomaton P. b a s1,q2 s3,q2 c
Given Finite state system B. Transition relation of B known. Property represent by automaton P. Check if L(B) L(P)=. Graph theory or BDD techniques. Complexity: polynomial. Unknown Finite state system B. Alphabet and number of states of B or upper bound known. Specification given as an abstract system C. Check if B C. Complexity: polynomial if number states known. Exponential otherwise. Model Checking / Testing
Property represent by automaton P. Check if L(B) L(P)=. Graph theory techniques. Unknown Finite state system B. Alphabet and Upper bound on Number of states of B known. Complexity: exponential. Black box checking [PVY]
reset a a b b c c try c try b a a b b c c a a b c b c fail Experiments
Simpler problem: deadlock? • Nondeterministic algorithm:guess a path of length n from the initial state to a deadlock state.Linear time, logarithmic space. • Deterministic algorithm:systematically try paths of length n, one after the other (and use reset), until deadlock is reached.Exponential time, linear space.
Deadlock complexity • Nondeterministic algorithm:Linear time, logarithmic space. • Deterministic algorithm:Exponential (p n-1) time, linear space. • Lower bound: Exponential time (usecombination lock automata). • How does this conform with what we know about complexity theory?
Modeling black box checking • Cannot model using Turing machines: not all the information about B is given. Only certain experiments are allowed. • We learn the model as we make the experiments. • Can use the model of games of incomplete information.
Games of incomplete information • Two players: $-player, -player (here, deterministic). • Finitely many configurations C. Including:Initial Ci , Winning : W+ and W- . • An equivalence relation @ on C (the $-player cannot distinguish between equivalent states). • Labels L on moves (try a, reset, success, fail). • The $-player has the moves labeled the same from configurations that are equivalent. • Deterministic strategy for the $-player: will lead to a configuration in W+ W-. Cannot distinguish between equivalent configurations. • Nondeterministic strategy: Can distinguish between equivalent configurations..
Modeling BBC as games • Each configuration contains an automaton and its current state (and more). • Moves of the $-player are labeled withtry a, reset... Moves of the -player withsuccess, fail. • c1@ c2 when the automata in c1and c2 would respond in the same way to the experiments so far.
A naive strategy for BBC • Learn first the structure of the black box. • Then apply the intersection. • Enumerate automata with n states (without repeating isomorphic automata). • For a current automata and newautomata, construct a distinguishing sequence. Only one of them survives. • Complexity: O((n+1)p (n+1)/n!)
On-the-fly strategy • Systematically (as in the deadlock case), find two sequences v1 and v2 of length <=m n. • Applying v1 to P brings us to a state t that is accepting. • Applying v2 to P brings us back to t. • Apply v1 v2 n to B. If this succeeds,there is a cycle in the intersection labeled with v2, with t as the P (accepting) component. • Complexity: O(n2p2mnm). v1 v2
Learning an automaton • Use Angluin’s algorithm for learning an automaton. • The learning algorithm queries whether some strings are in the automaton B. • It can also conjecture an automaton Miand asks for a counterexample. • It then generates an automaton with more states Mi+1and so forth.
A strategy based on learning • Start the learning algorithm. • Queries are just experiments to B. • For a conjectured automaton Mi , check if Mi P = • If so, we check conformance of Mi with B ([VC] algorithm). • If nonempty, it contains some v1 v2w . We test B with v1 v2n. If this succeeds: error, otherwise, this is a counterexample for Mi .
Complexity • l - actual size of B. • n - an upper bound of size of B. • d - size of alphabet. • Lower bound: reachability is similar to deadlock. • O(l 3 d l + l 2mn) if there is an error. • O(l 3 d l + l 2 n dn-l+1+ l 2mn) if there is no error. If n is not known, check while time allows. • Probabilistic complexity: polynomial.
Some experiments • Basic system written in SML (by Alex Groce, CMU). • Experiment with black box using Unix I/O. • Allows model-free model checking of C code with inter-process communication. • Compiling tested code in SML with BBC program as one process.
Conclusions • Black Box Checking: automatic verification of unspecified system. • A hard problem, exponential in number of states, but polynomial on average. • Implemented, tested. • Another use: when the model is given, but is not exact.
Part 2: Software testing • Testing is not about showing that there are no errors in the program. • Testing cannot show that the program performs its intended goal correctly. So, what is software testing? Testing is the process of executing the program in order to find errors. A successful test is one that finds an error.
Some software testing stages • Unit testing – the lowest level, testing some procedures. • Integration testing – different pieces of code. • System testing – testing a system as a whole. • Acceptance testing – performed by the customer. • Regression testing – performed after updates. • Stress testing – checking the code under extreme conditions. • Mutation testing – testing the quality of the test suite.
Some drawbacks of testing • There are never sufficiently many test cases. • Testing does not find all the errors. • Testing is not trivial and requires considerable time and effort. • Testing is still a largely informal task.