Conformance of Distributed Systems
H. Schlingloff
Temporal Logic Theme Day, LORIA, Nancy, Dec. 10th, 2002

Structure of my talk
• Fraunhofer FIRST (not in this file!!!)
• SVT
• Conformance

SVT: Synthesis, Validation and Testing (also read as Specification, Verification and Testing Theory, or Software Synthesis, Validation and Testing)
• SVT
• founded June 2002
• 8 people permanent, plus 2 guests
• background knowledge in temporal logic, testing theory, compilers, formal semantics, theorem proving, and quantum computing
Projects at FIRST-SVT: initial project
• Quasar
  • joint project with TU Berlin (Th. Santen) and FhG IESE (B. Paech)
  • from requirements analysis to quality assurance
  • high-level state charts, test generation from Rhapsody diagrams
  • case study: DaimlerChrysler door control unit
  • CeBIT 2003 expo with Lego Mindstorms

Projects at FIRST-SVT (2): additional projects
• SiZeBa
  • certification of a fault-tolerant railway computer
  • simulation of random errors
  • standard technology (Pentium), long standing, high reliability (< 10^-12/h), Chorus OS and Unix tools
• PoliTesS
  • quality assurance within a large software project
  • process improvement
  • GUI testing (capture-replay)
  • mass test data generation, load testing

Projects at FIRST-SVT (3): new project
• O2Test
  • cooperation with FhG FOKUS (I. Schieferdecker)
  • TTCN-3 based testing system for various hardware
  • several protocol stacks (GSM, GPRS, UMTS, ISDN, voice, fax, ...) which have to interoperate
(figure: layered test system, from top to bottom TTCN-3, TRI, Java, Forth, HW)
Cooperations: Fraunhofer FIRST, international technology transfer
(figure: partners are universities, research centers and spin-offs, in Germany and in other countries; knowledge / basic research is transferred person to person, technology / applied research project to project, products / market business to business)
Theme: Temporal logic and Testing
• Behavioral specification of embedded systems
• Investigate languages and their properties
• Real time, data packets
• Derive test sequences from formulas
• Black box testing, refinement

Modal Logic and Simulations
Models: Labeled transition systems
• finite alphabets
• exactly one initial state
• image finiteness

Multimodal Logic
• propositional variables
• boolean connectives
• modal operators
• temporal operators, fixed point operators, path quantifiers, nominals, first order concepts, ...

Examples
• two formulas are equivalent if they have the same models
• two models are equivalent if they satisfy the same formulas
Bisimulations
A bisimulation is a relation between two models such that
• the initial states are related,
• related states have the same label, and
• related states allow the same transitions ("local consistency")

Segerberg 1968
Two models are bisimilar iff they are modally equivalent.
Two finite models are bisimilar iff they are µ-calculus equivalent.
Remark: one direction is simple, the other needs image finiteness.
Simulations and Box-Logic
• a simulation is "half a bisimulation": M1 can be simulated by M2 (M2 can simulate M1) if for every possible step of M1 there is a corresponding one of M2 ("a gameboy can be simulated by a PC")
• reflexive and transitive; abstraction hierarchy
• box-logic: "modal logic without diamonds": literals,

Simulation Theorem (e.g., Long et al.)
M2 can simulate M1 iff each box-logic formula holding in M2 also holds in M1
• extensions for ACTL and others
Conformance
• relation between implementation and specification, commonly used for testing
• "implementation can be simulated by specification"
• more "global" than "local" consistency
• MI conforms to MS if every observable behavior of the implementation could also be observed for the specification: for every possible sequence of actions of MI there is a corresponding one of MS
• formally: $M_I \leq_c M_S$ iff $\forall \sigma \in tr(M_I):\ obs(M_I \text{ after } \sigma) \subseteq obs(M_S \text{ after } \sigma)$ (cf. Tretmans 96)
• usually, transition systems are considered to be deterministic and finite, hence this is "almost" the same as simulation
Observability
What is an observable behavior?
• An output visible at the interfaces
• An input sent to the system which is not accepted
Transition alphabet is partitioned into input, output and internal events
Composition of transition systems is defined as usual

Logics for conformance
• boxes for outputs, diamonds for input transitions
• example formulas: $[request!]\,\langle ackn?\rangle\, true$ and $[request!]\, start\, \langle reset?\rangle\, true$
• add U, µ etc. as necessary
Failures
• Within a transition system M, a failure is a sequence $\sigma' = (\sigma, x)$ such that M accepts $\sigma$ but not $\sigma'$
• In the composition of transition systems, a failure occurs if one component outputs x! and the other can not input x?

Timing failures
• In timed systems, there are even other sorts of failures:
  • One component can send an output within a certain interval, but the other cannot receive it continuously during this interval
  • One component expects an input, but this input is not provided in time
Conformance (again)
Implementation MI conforms to MS if it can safely replace the specification in every context:
• Whenever (MS||ME) is failure-free, then also (MI||ME) is failure-free
• (MI||ME) has a failure only if (MS||ME) has one
(figure: MI and MS each composed with the same environment ME)

Mirroring
The mirror of a transition system is the system with input and output reversed
For a suitable choice of alphabets and some other additional conditions, MI conforms to MS iff (MI || MS^mirror) is failure free (the specification is a "most general environment" for the implementation)

Verification of conformance
• Compose MI with MS^mirror and calculate the failures
• Can be done on the fly, depth-first, with partial order reduction
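The verification step of the last two slides, as an added example that is not from the talk: build MS^mirror by swapping inputs and outputs, then explore the composition MI || MS^mirror depth-first and record every failure (an output x! that the partner cannot input as x?), without partial order reduction. The transition systems, the request/ackn protocol and the state names are constructed for the example.

```python
# Transition systems as {state: [(label, successor), ...]}; labels ending in
# '!' are outputs, labels ending in '?' are inputs, "tau" is an internal step.
# Constructed example data, not taken from the talk.
SPEC = {"s0": [("request?", "s1")], "s1": [("ackn!", "s0")]}
GOOD = {"i0": [("request?", "i1")], "i1": [("ackn!", "i0")]}
BAD = {"i0": [("request?", "i1")], "i1": [("nack!", "i0")]}         # wrong output
STUCK = {"i0": [("request?", "i1")], "i1": [("ackn!", "i2")], "i2": []}  # refuses 2nd request


def mirror(m):
    """Swap inputs and outputs: x! becomes x? and x? becomes x!."""
    flip = {"!": "?", "?": "!"}
    return {s: [(l[:-1] + flip[l[-1]] if l[-1] in flip else l, t) for l, t in ts]
            for s, ts in m.items()}


def failures(impl, spec, init=("i0", "s0")):
    """Explore impl || mirror(spec) depth-first and record every failure: an
    output x! of one component that the other cannot input as x? right now.
    Returns a list of (product state, description) in discovery order."""
    env = mirror(spec)
    seen, stack, found = set(), [init], []
    while stack:
        p, q = stack.pop()
        if (p, q) in seen:
            continue
        seen.add((p, q))
        # outputs of the implementation must be accepted as inputs by the environment
        for label, p2 in impl.get(p, []):
            if label.endswith("!"):
                partners = [q2 for l, q2 in env.get(q, []) if l == label[:-1] + "?"]
                if not partners:
                    found.append(((p, q), "impl outputs " + label))
                stack.extend((p2, q2) for q2 in partners)
            elif label == "tau":
                stack.append((p2, q))
        # outputs of the environment (inputs of the spec) must be accepted by the
        # implementation; a refused input is the second observable behaviour above
        for label, q2 in env.get(q, []):
            if label.endswith("!"):
                partners = [p2 for l, p2 in impl.get(p, []) if l == label[:-1] + "?"]
                if not partners:
                    found.append(((p, q), "env outputs " + label))
                stack.extend((p2, q2) for p2 in partners)
            elif label == "tau":
                stack.append((p, q2))
    return found


if __name__ == "__main__":
    for name, impl in (("GOOD", GOOD), ("BAD", BAD), ("STUCK", STUCK)):
        print(name, failures(impl, SPEC))
```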
Verification by conformance
• If MI conforms to MS then for every formula $\varphi$ it holds that $M_S \models \varphi$ implies $M_I \models \varphi$
• To show that $M_I \models \varphi$, find an abstraction MS such that $M_I \leq_c M_S$ and show $M_S \models \varphi$
• other direction does not hold in general
Testing with conformance
• Compose MS^mirror with the (black box) implementation
• Enumerate all paths through MS^mirror
• Outputs of the testing system are inputs for the implementation and vice versa
• Failures are registered as testing results

Yet another conformance relation
• $s \in S$ is equivalent to $s' \in S'$ if all input sequences starting at s and at s' generate the same output sequences.
• MI conforms to MS, if for each state s in MI there is a state s' in MS such that s is equivalent to s'
Conformance with Petri nets
• replace "transition system" by "one-safe Petri net", and replace "sequence" by "causal net"
• $K_I$ is (weakly) simulating $K_S$ if a mapping $h: K_S \to K_I$ exists such that $\forall x, x' \in E_S \cup B_S\ ((x, x') \in R_S \Rightarrow (h(x), h(x')) \in R_I)$
• $b_I \in B_I$ is (weakly) simulating condition $b_S \in B_S$ if for all admissible inputs SEQ and executions $K_I \in [I, b_I, SEQ]$, $K_S \in [S, b_S, SEQ]$: $K_I$ is (weakly) simulating $K_S$.
• I (weakly) conforms to S if $\forall b_S \in B_S\ (\exists b_I \in B_I\ (b_I$ is (weakly) simulating $b_S))$

Conformance checking
• Let $H_0$ be the relation consisting of all pairs $(b_I, b_S) \in B_I \times B_S$. $H_{i+1}$ is constructed from $H_i$ as follows: $(b_I, b_S) \in H_{i+1}$ iff
  • $(b_I, b_S) \in H_i$, and
  • $\forall e_I \in b_I^{\bullet}\ \exists e_S \in b_S^{\bullet}\ (i_{K_I}(e_I) = i_{K_S}(e_S) \wedge o_{K_I}(e_I) = o_{K_S}(e_S))$, and
  • $\forall e_S \in b_S^{\bullet}\ \forall b_S' \in e_S^{\bullet}\ \exists e_I \in b_I^{\bullet}\ \exists b_I' \in e_I^{\bullet}: (b_I', b_S') \in H_i$
• Let H be the relation reached upon stabilization. Then I conforms to S if $\forall b_S \in B_S\ \exists b_I \in B_I: (b_I, b_S) \in H$
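The refinement $H_0 \supseteq H_1 \supseteq \dots$ above, carried out on plain labeled transition systems instead of causal nets (states stand in for conditions, labeled steps for events with their inputs and outputs), as an added example that is not from the talk. The same relation is the simulation of the Simulation Theorem slide, so the block also decides which of two models can simulate the other. The request/ackn models are constructed for the example.

```python
# Labeled transition systems as {state: [(label, successor), ...]}, the first
# key being the initial state. Constructed example data, not from the talk.
SPEC = {"s0": [("request?", "s1")], "s1": [("ackn!", "s0")]}
GOOD = {"i0": [("request?", "i1")], "i1": [("ackn!", "i0")]}
BAD = {"i0": [("request?", "i1")], "i1": [("nack!", "i0")]}
EXTRA = {"i0": [("request?", "i1")], "i1": [("ackn!", "i0"), ("nack!", "i0")]}


def states(m):
    """All states of an LTS: the keys plus every successor mentioned."""
    return set(m) | {t for ts in m.values() for _, t in ts}


def greatest_simulation(sim, simmed):
    """H_0 = all pairs (p, q); H_{i+1} keeps (p, q) from H_i only if every step
    q -a-> q' of `simmed` is matched by a step p -a-> p' of `sim` with (p', q')
    still in H_i. Stops at the first i with H_{i+1} = H_i; returns (H, i+1)."""
    h = {(p, q) for p in states(sim) for q in states(simmed)}
    rounds = 0
    while True:
        rounds += 1
        nxt = {(p, q) for (p, q) in h
               if all(any((p2, q2) in h for l, p2 in sim.get(p, []) if l == a)
                      for a, q2 in simmed.get(q, []))}
        if nxt == h:
            return h, rounds
        h = nxt


def simulates(m2, m1):
    """M2 can simulate M1: the initial states are related by the greatest simulation."""
    h, _ = greatest_simulation(m2, m1)
    return (next(iter(m2)), next(iter(m1))) in h


def conforms(impl, spec):
    """Global variant of the conformance checking slide: every specification
    state is simulated by some implementation state."""
    h, _ = greatest_simulation(impl, spec)
    return all(any((p, q) in h for p in states(impl)) for q in states(spec))


if __name__ == "__main__":
    for name, impl in (("GOOD", GOOD), ("BAD", BAD), ("EXTRA", EXTRA)):
        print(name, greatest_simulation(impl, SPEC), conforms(impl, SPEC))
```

EXTRA shows the asymmetry of "half a bisimulation": it can simulate SPEC, but SPEC cannot simulate it because of the extra nack! step.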
Test case generation
• Start with an arbitrary condition b and c(b) = {e | e b}
• The initial part of the execution is a copy of all conditions in c(b)
• Put a mark on all conditions in c(b)
• Repeat indefinitely:
  • Choose a maximal set of events which are either enabled in P, or can be enabled by putting a token on a condition which is not marked, such that the inputs of these events contain at most one input from each PCO and PO, respectively.
  • Put a mark on all conditions which have received a token, as well as on all conditions in the pre- and postset of an enabled transition.
  • Fire the chosen events in P, and extend the execution by appending a copy of all chosen events and their postsets to it.