Formal methods: Model Checking and Testing

1
Formal methodsModel Checking and Testing

• Prof. Doron A. Peled
• University of Warwick, UK and
• Bar Ilan University, Israel

2
Some related books
Also
Mainly
3
Modeling Software Systems for Analysis
(Book Chapter 4)
4
Modelling and specification for verification and
validation

• How to specify what the software is supposed to
  do?
• Can we use the UML model or parts of it?
• How to model it in a way that allows us to check
  it?

5
Systems of interest

• Sequential systems.
• Concurrent systems (multi-threaded).
• Distributive systems.
• Reactive systems.
• Embedded systems (software hardware).

6
Sequential systems.

• Perform some computational task.
• Have some initial condition, e.g.,?0?i?n Ai
  integer.
• Have some final assertion, e.g., ?0?i?n-1
  Ai?Ai1.(What is the problem with this
  spec?)
• Are supposed to terminate.

7
Concurrent Systems

• Involve several computation agents.
• Termination may indicate an abnormal event
  (interrupt, strike).
• May exploit diverse computational power.
• May involve remote components.
• May interact with users (Reactive).
• May involve hardware components (Embedded).

8
Problems in modeling systems

• Representing concurrency- Allow one transition
  at a time, or- Allow coinciding transitions.
• Granularity of transitions.
• Assignments and checks?
• Application of methods?
• Global (all the system) or local (one thread at a
  time) states.

9
Modeling.The states based model.

• Vv0,v1,v2, - a set of variables, over some
  domain.
• p(v0, v1, , vn) - a parametrized assertion,
  e.g., v0v1v2 /\ v3gtv4.
• A state is an assignment of values to the program
  variables. For example sltv01,v23,v37,,v182gt
  
• For predicate (first order assertion) pp(s) is
  p under the assignment s.Example p is xgty /\
  ygtz. sltx4, y3, z5gt.Then we have 4gt3 /\ 3gt5,
  which is false.

10
State space

• The state space of a program is the set of all
  possible states for it.
• For example, if Va, b, c and the variables are
  over the naturals, then the state space includes
  lta0,b0,c0gt,lta1,b0,c0gt,
  lta1,b1,c0gt,lta932,b5609,c6658gt

11
Atomic Transitions

• Each atomic transition represents a small piece
  of code such that no smaller piece of code is
  observable.
• Is aa1 atomic?
• In some systems, e.g., when a is a register and
  the transition is executed using an inc command.

12
Non atomicity

• Execute the following when a0 in two concurrent
  processes
• P1aa1
• P2aa1
• Result a2.
• Is this always the case?

• Consider the actual translation
• P1load R1,a
• inc R1
• store R1,a
• P2load R2,a
• inc R2
• store R2,a
• a may be also 1.

13
Scenario
P2load R2,a inc R2 store
R2,a

• P1load R1,a
• inc R1
• store R1,a

a0 R10 R20 R11 R21 a1 a1
14
Representing transitions

• Each transition has two parts
• The enabling condition a predicate.
• The transformation a multiple assignment.
• For exampleagtb ? (c,d)(d,c)This transition
  can be executed in states where agtb. The result
  of executing it isswitching the value of c with
  d.

15
Initial condition

• A predicate I.
• The program can start from states s such that I
  (s) holds.
• For exampleI (s)agtb /\ bgtc.

16
A transition system

• A (finite) set of variables V over some domain.
• A set of states S.
• A (finite) set of transitions T, each transition
  e?t has
• an enabling condition e, and
• a transformation t.
• An initial condition I.

17
Example

• Va, b, c, d, e.
• S all assignments of natural numbers for
  variables in V.
• Tcgt0?(c,e)(c-1,e1),
  dgt0?(d,e)(d-1,e1)
• I ca /\ db /\ e0
• What does this transition system do?

18
The interleaving model

• An execution is a finite or infinite sequence of
  states s0, s1, s2,
• The initial state satisfies the initial
  condition, I.e., I (s0).
• Moving from one state si to si1 is by executing
  a transition e?t
• e (si), I.e., si satisfies e.
• si1 is obtained by applying t to si.

19
Example
Tcgt0?(c,e)(c-1,e1),
dgt0?(d,e)(d-1,e1) I ca /\ db /\ e0

• s0lta2, b1, c2, d1, e0gt
• s1lta2, b1, c1, d1, e1gt
• s2lta2, b1, c1, d0, e2gt
• s3lta2, b1 ,c0, d0, e3gt

20
The transitions

• T0PC0L0?PC0NC0
• T1PC0NC0/\Turn0?
• PC0CR0
• T2PC0CR0?
• (PC0,Turn)(L0,1)
• T3PC1L1?PC1NC1
• T4PC1NC1/\Turn1?
• PC1CR1
• T5PC1CR1?
• (PC1,Turn)(L1,0)

• L0While True do
• NC0wait(Turn0)
• CR0Turn1
• endwhile
• L1While True do
• NC1wait(Turn1)
• CR1Turn0
• endwhile

Initially PC0L0/\PC1L1
21
The state graphSuccessor relation between states.
22
Some observations

• Executions the set of maximal paths (finite or
  terminating in a node where nothing is enabled).
• Nondeterministic choice when more than a single
  transition is enabled at a given state. We have a
  nondeterministic choice when at least one node at
  the state graph has more than one successor.

23
Always (PC0CR0/\PC1CR1)(Mutual exclusion)
24
Always if Turn0 the at some point Turn1
25
Always if Turn0 the at some point Turn1
26
Interleaving semanticsExecute one transition at
a time.
Need to check the property for every possible
interleaving!
27
Interleaving semantics
28
Busy waiting

• T0PC0L0?PC0NC0
• T1PC0NC0/\Turn0?PC0CR0
• T1PC0NC0/\Turn1?PC0NC0
• T2PC0CR0?(PC0,Turn)(L0,1)
• T3PC1L1?PC1NC1
• T4PC1NC1/\Turn1?PC1CR1
• T4PC1NC1/\Turn0?PC1N1
• T5PC1CR1?(PC1,Turn)(L1,0)

• L0While True do
• NC0wait(Turn0)
• CR0Turn1
• endwhile
• L1While True do
• NC1wait(Turn1)
• CR1Turn0
• endwhile

Initially PC0L0/\PC1L1
29
Always when Turn0 then sometimes Turn1
Now it does not hold! (Red subgraph generates a
counterexample execution.)
30
Specification Formalisms

• (Book Chapter 5)

31
Properties of formalisms

• Formal. Unique interpretation.
• Intuitive. Simple to understand (visual).
• Succinct. Spec. of reasonable size.
• Effective.
• Check that there are no contradictions.
• Check that the spec. is implementable.
• Check that the implementation satisfies spec.
• Expressive.
• May be used to generate initial code.
• Specifying the implementation or its properties?

32
A transition system

• A (finite) set of variables V.
• A set of states ?.
• A (finite) set of transitions T, each transition
  e?t has
• an enabling condition e and a transformation t.
• An initial condition I.
• Denote by R(s, s) the fact that s is a
  successor of s.

33
The interleaving model

• An execution is a finite or infinite sequence of
  states s0, s1, s2,
• The initial state satisfies the initial
  condition, I.e., I (s0).
• Moving from one state si to si1 is by executing
  a transition e?t
• e(si), I.e., si satisfies e.
• si1 is obtained by applying t to si.
• Lets assume all sequences are infinite by
  extending finite ones by stuttering the last
  state.

34
Temporal logic

• Dynamic, speaks about several worlds and the
  relation between them.
• Our worlds are the states in an execution.
• There is a linear relation between them, each two
  sequences in our execution are ordered.
• Interpretation over an execution, later over all
  executions.

35
LTL Syntax

• ? (?) ? ??/\ ? ????\/ ??????U???????????
  ??????????????????? O ? p
• ????????box, always, forever
• ???????diamond, eventually, sometimes
• O ?????nexttime
• ??U??????until
• Propositions p, q, r, Each represents some
  state property (xgty1, zt, at_CR, etc.)

36
Semantics over suffixes of execution

• ?????
• ????
• O ?
• ?U??

37
Combinations

• ltgtp p will happen infinitely often
• ltgtp p will happen from some point forever.
• (ltgtp) --gt (ltgtq) If p happens infinitely
  often, then q also happens infinitely often.

38
Some relations

• (a/\b)(a)/\(b)
• But ltgt(a/\b)?(ltgta)/\(ltgtb)
• ltgt(a\/b)(ltgta)\/(ltgtb)
• But (a\/b)?(a)\/(b)

39
What about

• (ltgtA)/\(ltgtB)ltgt(A/\B)?
• (ltgtA)\/(ltgtB)ltgt(A\/B)?
• (ltgtA)/\(ltgtB)ltgt(A/\B)?
• (ltgtA)\/(ltgtB)ltgt(A\/B)?

No, just lt--
Yes!!!
Yes!!!
No, just --gt
40
Can discard some operators

• Instead of ltgtp, write true U p.
• Instead of p, we can write ltgtp,or (true U
  p).Because pp.p means it is not true
  that p holds forever, or at some point p holds
  or ltgtp.

41
Formal semantic definition

• Let ? be a sequence s0 s1 s2
• Let ?i be a suffix of ? si si1 si2 (?0 ? )
• ?i p, where p a proposition, if sip.
• ?i ?/\? if ?i ? and ?i ?.
• ?i ?\/? if ?i ? or ?i ?.
• ?i ? if it is not the case that ?i ?.
• ?i ltgt? if for some j?i, ?j ?.
• ?i ? if for each j?i, ?j ?.
• ?i ?U ? if for some j?i, ?j?. and
  for each i?kltj, ?k ?.

42
Then we interpret

• For a statesp as in propositional logic.
• For an execution?? is interpreted over a
  sequence, as in previous slide.
• For a system/programP? holds if ?? for
  every sequence ? of P.

43
Spring Example
release
s1
s3
s2
pull
release
extended
extended
malfunction
r0 s1 s2 s1 s2 s1 s2 s1 r1 s1 s2 s3 s3 s3
s3 s3 r2 s1 s2 s1 s2 s3 s3 s3
44
LTL satisfaction by a single sequence
r2 s1 s2 s1 s2 s3 s3 s3
malfunction

• r2 extended ??
• r2 O extended ??
• r2 O O extended ??
• r2 ltgt extended ??
• r2 extended ??

r2 ltgt extended ?? r2 ltgt extended
?? r2 (extended) U malfunction ?? r2
(extended-gtO extended) ??
45
LTL satisfaction by a system
malfunction

• P extended ??
• P O extended ??
• P O O extended ??
• P ltgt extended ??
• P extended ??

P ltgt extended ?? P ltgt extended ?? P
(extended) U malfunction ?? P
(extended-gtO extended) ??
46
More specifications

• (PC0NC0 ? ltgt PC0CR0)
• (PC0NC0 U Turn0)
• Try at home- The processes alternate in
  entering their critical sections.- Each process
  enters its critical section infinitely often.

47
Proof system

• ltgtplt--gtp
• (p?q)?(p?q)
• p?(p/\Op)
• Oplt--gtOp
• (p?Op)?(p?p)
• (pUq)lt--gt(q\/(p/\O(pUq)))
• (pUq)?ltgtq

• propositional logic axiomatization.
• axiom _p_ p

48
Traffic light example

• Green --gt Yellow --gt Red --gt Green
• Always has exactly one light

((gr/\ye)/\(ye/\re)/\(re/\gr)/\(gr\/ye\/re))
Correct change of color
((grUye)\/(yeUre)\/(reUgr))
49
Another kind of traffic light

• Green--gtYellow--gtRed--gtYellow--gtGreen
• First attempt

(((gr\/re) U ye)\/(ye U (gr\/re)))
Correct specification
( (gr?(gr U (ye /\ ( ye U re )))) /\(re?(re
U (ye /\ ( ye U gr )))) /\(ye?(ye U (gr \/
re))))
50
Properties of sequential programs

• init-when the program starts and satisfies the
  initial condition.
• finish-when the program terminates and nothing is
  enabled.
• Partial correctness init/\(finish??)
• Termination init/\ltgtfinish
• Total correctness init/\ltgt(finish/\ ?)
• Invariant init/\?

51
Automata over finite words

• Alt?, S, ?, I, Fgt
• ? (finite) - the alphabet.
• S (finite) - the states.
• ? ? S x ? x S - the transition relation.
• I ? S - the starting states.
• F ? S - the accepting states.

52
The transition relation

• (s0, a, s0)
• (s0, b, s1)
• (s1, a, s0)
• (s1, b, s1)

53
A run over a word

• A word over ?, e.g., abaab.
• A sequence of states, e.g. s0 s0 s1 s0 s0 s1.
• Starts with an initial state.
• Accepting if ends at accepting state.

54
The language of an automaton

• The words that are accepted by the automaton.
• Includes aabbba, abbbba.
• Does not include abab, abbb.
• What is the language?

55
Nondeterministic automaton

• Transitions (s0,a ,s0), (s0,b ,s0), (s0,a
  ,s1),(s1,a ,s1).
• What is the language of this automaton?

56
Equivalent deterministic automaton
s0
a
s1
a
a,b
a
a
s0
s1
b
b
57
Automata over infinite words

• Similar definition.
• Runs on infinite words over ?.
• Accepts when an accepting state occurs infinitely
  often in a run.

58
Automata over infinite words

• Consider the word abababab
• There is a run s0s0s1s0s1s0s1
• This run in accepting, since s0 appears
  infinitely many times.

59
Other runs

• For the word bbbbb the run is s0 s1 s1 s1 s1
  and is not accepting.
• For the word aaabbbbb , therun is s0 s0 s0 s0
  s1 s1 s1 s1
• What is the run for ababbabbb ?

60
Nondeterministic automaton

• What is the language of this automaton?
• What is the LTL specification if b -- PC0CR0,
  ab?

• Can you find a deterministic automaton with same
  language?
• Can you prove there is no such deterministic
  automaton?

61
No deterministic automaton for (ab)a?

• In a deterministic automaton there is one path
  for each run.
• After some sequence of as, i.e., aaaa must
  reach some accepting state.
• Now add b, obtaining aaaab.
• After some more as, i.e., aaaabaaaa must reach
  some accepting state.
• Now add b, obtaining aaaabaaaab.
• Continuing this way, one obtains a run that has
  infinitely many bs but reaches an accepting
  state(in a finite automaton, at least one would
  repeat) infinitely often.

62
Specification using Automata

• Let each letter correspond to some propositional
  property.
• Example a -- P0 enters critical section,
  b -- P0 does not enter section.
• ltgtPC0CR0

63
Mutual Exclusion

• a -- PC0CR0/\PC1CR1
• b -- (PC0CR0/\PC1CR1)
• c -- true
• (PC0CR0/\PC1CR1)

64
Apply now to our program

• T0PC0L0?PC0NC0
• T1PC0NC0/\Turn0?
• PC0CR0
• T2PC0CR0?
• (PC0,Turn)(L0,1)
• T3PC1L1?PC1NC1
• T4PC1NC1/\Turn1?
• PC1CR1
• T5PC1CR1?
• (PC1,Turn)(L1,0)

• L0While True do
• NC0wait(Turn0)
• CR0Turn1
• endwhile
• L1While True do
• NC1wait(Turn1)
• CR1Turn0
• endwhile

Initially PC0L0/\PC1L1
65
The state space
66
(PC0CR0/\PC1CR1)(Mutual exclusion)
67
(Turn0 --gt ltgtTurn1)
68
Interleaving semanticsExecute one transition at
a time.
Need to check the property for every possible
interleaving!
69
(Turn0 --gt ltgtTurn1)
70
Correctness condition

• We want to find a correctness condition for a
  model to satisfy a specification.
• Language of a model L(Model)
• Language of a specification L(Spec).
• We need L(Model) ? L(Spec).

71
Correctness
Sequences satisfying Spec
Program executions
All sequences
72
Incorrectness
Counter examples
Sequences satisfying Spec
Program executions
All sequences
73
Automatic Verification
(Book Chapter 6)
74
How can we check the model?

• The model is a graph.
• The specification should refer the the graph
  representation.
• Apply graph theory algorithms.

75
What properties can we check?

• Invariant a property that needs to hold in each
  state.
• Deadlock detection can we reach a state where
  the program is blocked?
• Dead code does the program have parts that are
  never executed.

76
How to perform the checking?

• Apply a search strategy (Depth first search,
  Breadth first search).
• Check states/transitions during the search.
• If property does not hold, report counter example!

77
If it is so good, why learn deductive
verification methods?

• Model checking works only for finite state
  systems. Would not work with
• Unconstrained integers.
• Unbounded message queues.
• General data structures
• queues
• trees
• stacks
• parametric algorithms and systems.

78
The state space explosion

• Need to represent the state space of a program in
  the computer memory.
• Each state can be as big as the entire memory!
• Many states
• Each integer variable has 232 possibilities. Two
  such variables have 264 possibilities.
• In concurrent protocols, the number of states
  usually grows exponentially with the number of
  processes.

79
If it is so constrained, is it of any use?

• Many protocols are finite state.
• Many programs or procedure are finite state in
  nature. Can use abstraction techniques.
• Sometimes it is possible to decompose a program,
  and prove part of it by model checking and part
  by theorem proving.
• Many techniques to reduce the state space
  explosion.

80
Depth First Search

• Procedure dfs(s)
• for each s such that R(s,s) do
• If new(s) then dfs(s)
• end dfs.

• Program DFS
• For each s such that Init(s)
• dfs(s)
• end DFS

81
Start from an initial state
Hash table
q1
q1
q3
q2
Stack
q1
q4
q5
82
Continue with a successor
Hash table
q1
q1 q2
q3
q2
Stack
q1 q2
q4
q5
83
One successor of q2.
Hash table
q1
q1 q2 q4
q3
q2
Stack
q1 q2 q4
q4
q5
84
Backtrack to q2 (no new successors for q4).
Hash table
q1
q1 q2 q4
q3
q2
Stack
q1 q2
q4
q5
85
Backtracked to q1
Hash table
q1
q1 q2 q4
q3
q2
Stack
q1
q4
q5
86
Second successor to q1.
Hash table
q1
q1 q2 q4 q3
q3
q2
Stack
q1 q3
q4
q5
87
Backtrack again to q1.
Hash table
q1
q1 q2 q4 q3
q3
q2
Stack
q1
q4
q5
88
How can we check properties with DFS?

• Invariants check that all reachable
  statessatisfy the invariant property. If not,
  showa path from an initial state to a bad state.
• Deadlocks check whether a state where noprocess
  can continue is reached.
• Dead code as you progress with the DFS, mark all
  the transitions that are executed at least once.

89
The state graphSuccessor relation between states.
90
(PC0CR0/\PC1CR1) is an invariant!
91
Want to do more!

• Want to check more properties.
• Want to have a unique algorithm to deal with all
  kinds of properties.
• This is done by writing specification in more
  complicated formalisms.
• We will see that in the next lecture.

92
(Turn0 --gt ltgtTurn1)
93
Convert graph into Buchi automaton
New initial state
94
Turn0 L0,L1
Turn1 L0,L1
Turn1 L0,L1
Turn0 L0,L1

• Propositions are attached to incoming nodes.
• All nodes are accepting.

95
Correctness condition

• We want to find a correctness condition for a
  model to satisfy a specification.
• Language of a model L(Model)
• Language of a specification L(Spec).
• We need L(Model) ? L(Spec).

96
Correctness
Sequences satisfying Spec
Program executions
All sequences
97
How to prove correctness?

• Show that L(Model) ? L(Spec).
• Equivalently ______Show that
  L(Model) ? L(Spec) Ø.
• Also can obtain L(Spec) by translating from LTL!

98
What do we need to know?

• How to intersect two automata?
• How to complement an automaton?
• How to translate from LTL to an automaton?

99
Intersecting M1(S1,?,T1,I1,A1) and
M2(S2,?,T2,I2,S2)

• Run the two automata in parallel.
• Each state is a pair of states S1 x S2
• Initial states are pairs of initials I1 x I2
• Acceptance depends on first component A1 x S2
• Conforms with transition relation(x1,y1)-a-gt(x2,
  y2) whenx1-a-gtx2 and y1-a-gty2.

100
Example (all states of second automaton
accepting!)
a
b,c
s0
s1
a
b,c
a
c
t0
t1
b
States (s0,t0), (s0,t1), (s1,t0),
(s1,t1). Accepting (s0,t0), (s0,t1). Initial
(s0,t0).
101
a
s0
b,c
s1
a
b,c
a
t0
c
t1
b
a
s0,t0
s0,t1
s1,t0
b
a
c
s1,t1
b
c
102
More complicated when A2?S2
a
b,c
s0
s1
a
s0,t0
a
b,c
s0,t1
b
a
a
s1,t1
c
c
t0
t1
c
b
Should we have acceptance when both components
accepting? I.e., (s0,t1)? No, consider (ba)?
It should be accepted, but never passes that
state.
103
More complicated when A2?S2
a
b,c
s0
s1
a
s0,t0
a
b,c
s0,t1
b
a
a
s1,t1
c
c
t0
t1
c
b
Should we have acceptance when at least one
components is accepting? I.e., (s0,t0),(s0,t1),(s
1,t1)?No, consider b c? It should not be
accepted, but here will loop through (s1,t1)
104
Intersection - general case
q0
q2
a, c
b
a
c, b
q3
q1
c
c
b
c
a
105
Version 0 to catch q0Version 1 to catch q2
Version 0
b
c
q0,q3
q1,q3
q1,q2
a
c
Move when see accepting of left (q0)
Move when see accepting of right (q2)
c
b
q0,q3
q1,q3
q1,q2
c
a
Version 1
106
Version 0 to catch q0Version 1 to catch q2
Version 0
b
c
q0,q3
q1,q3
q1,q2
a
c
Move when see accepting of left (q0)
Move when see accepting of right (q2)
c
b
q0,q3
q1,q3
q1,q2
c
a
Version 1
107
Make an accepting state in one of the version
according to a component accepting state
Version 0
c
q0,q3,0
q1,q3,0
q1,q2,0
a
c
a
b
c
b
q0,q3,1
q1,q3 ,1
q1,q2 ,1
c
Version 1
108
How to check for emptiness?
a
s0,t0
s0,t1
b
a
c
s1,t1
c
109
Emptiness...

• Need to check if there exists an accepting run
  (passes through an accepting state infinitely
  often).

110
Strongly Connected Component (SCC)

• A set of states with a path between each pair of
  them.

Can use Tarjans DFS algorithm for finding
maximal SCCs.
111
Finding accepting runs

• If there is an accepting run, then at least one
  accepting state repeats on it forever.
• Look at a suffix of this run where all the states
  appear infinitely often.
• These states form a strongly connected component
  on the automaton graph, including an accepting
  state.
• Find a component like that and form an accepting
  cycle including the accepting state.

112
Equivalently...

• A strongly connected component a set of nodes
  where each node is reachable by a path from each
  other node. Find a reachable strongly connected
  component with an accepting node.

113
How to complement?

• Complementation is hard!
• Can ask for the negated property (the sequences
  that should never occur).
• Can translate from LTL formula ? to automaton A,
  and complement A. Butcan translate ? into an
  automaton directly!

114
Model Checking under Fairness

• Express the fairness as a property f.To prove a
  property ? under fairness,model check f??.

Counter example
Fair (f)
Bad (?)
Program
115
Model Checking under Fairness

• Specialize model checking. For weak process
  fairness search for a reachable strongly
  connected component, where for each process P
  either
• it contains on occurrence of a transition from P,
  or
• it contains a state where P is disabled.

116
Translating from logic to automata
(Book Chapter 6)
117
Why translating?

• Want to write the specification in some logic.
• Want model-checking tools to be able to check the
  specification automatically.

118
Generalized Büchi automata

• Acceptance condition F is a setFf1 , f2 , ,
  fn where each fi is a set of states.
• To accept, a run needs to pass infinitely often
  through a state from every set fi .

119
Translating into simple Büchi automaton
Version 0
b
c
q0
q2
q1
a
c
c
b
q0
q2
q1
c
a
Version 1
120
Translating into simple Büchi automaton
Version 0
c
q0
q2
q1
a
c
b
c
b
q0
q2
q1
c
a
Version 1
121
Translating into simple Büchi automaton
Version 0
c
q0
q2
q1
a
c
b
c
b
q0
q2
q1
c
a
Version 1
122
Preprocessing

• Convert into normal form, where negation only
  applies to propositional variables.
• ? becomes ltgt?.
• ltgt? becomes ?.
• What about (? U ?)?
• Define operator V such that ( ? U ??) (?) R
  (?),
• ( ? R ??) (?) U (?).

123
Semantics of pR q
p
p
p
p
p
p
p
p
p
q
q
q
q
q
q
q
q
q
p
p
p
p
p
q
q
q
q
q
124

• Replace true by false, and false by true.
• Replace (? \/ ?) by (?) /\ (?) and
  (? /\ ?) by (?) \/ (?)

125
Eliminate implications, ltgt,

• Replace ? -gt ? by ( ?) \/ ?.
• Replace ltgt? by (true U ?).
• Replace ? by (false R ?).

126
Example

• Translate ( ltgtP ) ? ( ltgtQ )
• Eliminate implication ( ltgtP ) \/ ( ltgtQ )
• Eliminate , ltgt( false R ( true U P ) ) \/ (
  false R ( true U Q ) )
• Push negation inwards(true U (false U P ) )
  \/ ( false V ( true U Q ) )

127
The data structure
Name
128
The main idea

• ? U ? ? \/ ( ? /\ O ( ? U ? ) )
• ? V ? ? /\ ( ? \/ O ( ? R ? ) )
• This separates the formulas to two partsone
  holds in the current state, and the otherin the
  next state.

129
How to translate?

• Take one formula from New and add it to Old.
• According to the formula, either
• Split the current node into two, or
• Evolve the node into a new version.

130
Splitting
Copy incoming edges, update other field.
131
Evolving
Copy incoming edges, update other field.
132
Possible cases

• ? U ? , split
• Add ? to New, add ? U ? to Next.
• Add ? to New.
• Because ?U ? ? \/ ( ? /\ O (?U ? )).
• ? R ? , split
• Add ???? to New.
• Add ? to New, ? R ? to Next.
• Because ? R ? ? /\ ( ? \/ O (? R ? )).

133
More cases

• ? \/ ?, split
• Add ? to New.
• Add ? to New.
• ? /\ ?, evolve
• Add ???? to New.
• O ?, evolve
• Add ? to Next.

134
How to start?
init
Incoming
New
Old
aU(bUc)
Next
135
init
Incoming
aU(bUc)
init
init
136
Incoming
aU(bUc)
bUc
init
init
Incoming
Incoming
aU(bUc)
aU(bUc)
c
b
(bUc)
137
When to stop splitting?

• When New is empty.
• Then compare against a list of existing nodes
  Nodes
• If such a with same Old, Next exists,just
  add the incoming edges of the new versionto the
  old one.
• Otherwise, add the node to Nodes. Generate a
  successor with New set to Next of father.

138
init
Incoming
a,aU(bUc)
Creating a successor node.
aU(bUc)
Incoming
aU(bUc)
139
How to obtain the automaton?
X

• There is an edge from node X to Y labeled with
  propositions P (negated or non negated), if X is
  in the incoming list of Y, and Y has propositions
  P in field Old.
• Initial node is init.

a, b, c
Node Y
140
The resulted nodes.
141
Initial nodes
a, aU(bUc)
b, bUc, aU(bUc)
c, bUc, aU(bUc)
b, bUc
c, bUc
All nodes with incoming edge from init.
142
Include only atomic propositions
a
c
Init
b
c
b
143
Acceptance conditions

• Use generalized Buchi automata, wherethere are
  several acceptance sets F1, F2, , Fn, and each
  accepted infinite sequence must include at least
  one state from each set infinitely often.
• Each set corresponds to a subformula of form ?U?.
  Guarantees that it is never the case that ?U?
  holds forever, without ?.

144
Accepting w.r.t. bU c
145
Acceptance w.r.t. aU (bU c)
146
Algorithmic Testing
147
Why testing?

• Reduce design/programming errors.
• Can be done during development,
  beforeproduction/marketing.
• Practical, simple to do.
• Check the real thing, not a model.
• Scales up reasonably.
• Being state of the practice for decades.

148
Part 1 Testing of black box finite state machine

• Wants to know
• In what state we started?
• In what state we are?
• Transition relation
• Conformance
• Satisfaction of a temporal property

• Know
• Transition relation
• Size or bound on size

149
Finite automata (Mealy machines)

• S - finite set of states. (size n)
• S set of inputs. (size d)
• O set of outputs, for each transition.
• (s0 ? S - initial state).
• d ? S ? S ? S - transition relation.
• ? ? S ? S ?O output on edge.
• Notation d(s,a1a2..an) d( (d(d(s,a1),a2)
  ),an)
• ?(s,a1a2..an) ?(s,a1)?(d(s,a1),a2)?(d(
  d(d(s,a1),a2) ),an)

150
Finite automata (Mealy machines)

• S - finite set of states. (size n)
• S set of inputs. (size d)
• O set of outputs, for each transition.
• (s0 ? S - initial state).
• ? S ? S ? S - transition relation.
• ? S ? S ?O output on edge.
• Ss1, s2, s3, Sa, b, O0,1.
• d(s1,a)s3 (also s1agts3),
• d(s1,b)s2,(also s1bgts2)
• ?(s1,a)0 , d(s1,b)1,
• d(s1,ab)s1, ?(s1,ab)01

151
Why deterministic machines?

• Otherwise no amount of experiments would
  guarantee anything.
• If dependent on some parameter (e.g.,
  temperature), we can determinize, by taking
  parameter as additional input.
• We still can model concurrent system. It means
  just that the transitions are deterministic.
• All kinds of equivalences are unified into
  language equivalence.
• Also connected machine (otherwise we may never
  get to the completely separate parts).

152
Determinism

• When the black box is nondeterministic, we might
  never test some choices.

153
Preliminaries separating sequences
Start with one block containing all states s1,
s2, s3.
154
A separate to blocks of states with different
output.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Two sets, separated using the string b s1, s3,
s2.
155
Repeat B Separate blocks based on moving to
different blocks.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Separate first block using b to three singleton
blocks.Separating sequences b, bb.Max rounds
n-1, sequences n-1, length n-1.For each pair
of states there is a separating sequence.
156
Want to know the state of the machine (at end)
Homing sequence.

• Depending on output, we would know in what state
  we are.
• Find a sequence µ such thatd(s, µ )?d(t, µ ) ?
  ?(s, µ )??(s, µ )
• So, given an input µ that is executed from state
  s, we look at a table of outputs and according to
  a table, know in which state r we ended.
• For any other state, the output will be different.

157
Want to know the state of the machine (at end)
Homing sequence.

• Algorithm Put all the states in one block
  (initially we do not know what is the current
  state).
• Then repeatedly partitions blocks of states, as
  long as they are not singletons, as follows
• Take a non singleton block, append a
  distinguishing sequence µ that separates at least
  two states in that block.
• Update each block to the states after executing
  µ.
• Max length (n-1)2 (Lower bound
  n(n-1)/2.)

158
Example (homing sequence)
s1, s2, s3
b
0
1
1
s1, s2 s3
b
1
1
0
s1 s2 s3
On input b and output 1, we still dont know if
we were in s1 or s3, i.e., if we are currently in
s2 or s1. So separate these cases with another b.
159
Synchronizing sequence

• One sequence takes the machine to the same final
  state, regardless of the initial state or the
  outputs.That is find a sequence µ such thatFor
  each states s, t, d(s, µ )d(t, µ )
• Not every machine has a synchronizing sequence.
• Can be checked whether exists and can be found in
  polynomial time.

160
Algorithm for synchronizing sequeneces
Construct a graph with ordered pairs of nodes
(s,t) such that (s,t)agt(s,t) when sagts,
tagtt.(Ignore self loops, e.g., on (s2,s2).)
a/0
s1
b/0
b/1
s1,s1
a/0
b
s2
s3
b/1
s2,s2
s1,s2
b
a/1
a
a
b
b
b
a
s3,s3
s2,s3
s1,s3
b
161
Algorithm continues (2)

• There is an input sequence from s?t to some r iff
  there is a path in this graph from (s,t) to
  (r,r).
• There is a synchronization sequence iff some node
  (r,r) is reachable from every pair of distinct
  nodes.
• In this case it is (s2,s2).

s1,s1
b
s2,s2
s1,s2
b
a
a
b
b
b
a
s3,s3
s2,s3
s1,s3
b
162
Algorithm continues (3)

• Notationd(S,x) t?s?S,d(s,x)t
• i1 SiS
• Take some nodes s?t?Si, and find a shortest path
  labeled xi to some (r,r).
• ii1 Sid(Si-1,x). If Sigt1,goto 4., else
  SS1, and goto 3.
• Concatenate x1x2xk.

s1,s1
b
s2,s2
s1,s2
b
a
a
b
b
b
a
s3,s3
s2,s3
s1,s3
b
Number of sequences n-1.Each of length
n(n-1)/2.Overall O(n(n-1)2/2).
163
Example

• (s2,s3)agt(s2,s2)
• x1a
• d(s1,s2,s3,a)s1,s2
• (s1,s2)bagt(s2,s2)
• x2ba
• d(s1,s2,ba)s2
• So x1x2aba is a synchronization sequence,
  bringing every state into state s2.

s1,s1
b
s2,s2
s1,s2
b
a
a
b
b
b
a
s3,s3
s2,s3
s1,s3
b
164
State identification

• Want to know in which state the system has
  started (was reset).
• Can be a preset distinguishing sequence (fixed),
  or a tree (adaptive).
• May not exist (PSPACE complete to check if preset
  exists, polynomial for adaptive).
• Best known algorithm exponential length for
  preset,polynomial for adaptive LY.

165
Sometimes cannot identify initial state
Start with ain case of being in s1 or s3 well
move to s1 and cannot distinguish.Start with
bIn case of being in s1 or s2 well move to s2
and cannot distinguish.
The kind of experiment we do affects what we can
distinguish. Much like the Heisenberg principle
in Physics.
166
So

• Well assume resets from now on!

167
Conformance testing

• Unknown deterministic finite state system B.
• Known n states and alphabet ?.
• An abstract model C of B. C satisfies all the
  properties we want from B. C has m states.
• Check conformance of B and C.
• Another version only a bound n on the number of
  states l is known.

?
168
Check conformance with a given state machine

• Black box machine has no more states than
  specification machine (errors are mistakes in
  outputs, mistargeted edges).
• Specification machine is reduced, connected,
  deterministic.
• Machine resets reliably to a single initial state
  (or use homing sequence).

169
Conformance testing Ch,V
a/1
?
b/1
a/1
b/1
?
b/1
a/1
Cannot distinguish if reduced or not.
170
Conformance testing (cont.)
?
b
b
a
a
a
?
a
b
b
a
a
b
Need bound on number of states of B.
171
PreparationConstruct a spanning tree
Given an initial state, we can reach any state of
the automaton.
172
How the algorithm works?
Reset

• According to the spanning tree, force a sequence
  of inputs to go to each state.
• From each state, perform the distinguishing
  sequences.
• From each state, make a single transition, check
  output, and use distinguishing sequences to check
  that in correct target state.

Reset
s1
b/1
a/1
s2
s3
Distinguishing sequences
173
Comments

1. Checking the different distinguishing sequences
   (m-1 of them) means each time resetting and
   returning to the state under experiment.
2. A reset can be performed to a distinguished state
   through a homing sequence. Then we can perform a
   sequence that brings us to the distinguished
   initial state.
3. Since there are no more than m states, and
   according to the experiment, no less than m
   states, there are m states exactly.
4. Isomorphism between the transition relation is
   found, hence from minimality the two automata
   recognize the same languages.

174
Combination lock automaton

• Assume accepting states.
• Accepts only words with a specific suffix (cdab
  in the example).

b
d
c
a
s1
s2
s3
s4
s5
Any other input
175
When only a bound on size of black box is known

• Black box can pretend to behave as a
  specification automaton for a long time, then
  upon using the right combination, make a mistake.

Pretends to be S1
a/1
b/1
a/1
b/1
s1
s2
b/1
a/1
a/1
s3
Pretends to be S3
b/0
176
Conformance testing algorithm VC
Reset
Reset

• The worst that can happen is a combination lock
  automaton that behaves differently only in the
  last state. The length of it is the difference
  between the size n of the black box and the
  specification m.
• Reach every state on the spanning tree and check
  every word of length n-m1 or less. Check that
  after the combination we are at the state we are
  supposed to be, using the distinguishing
  sequences.
• No need to check transitions already included in
  above check.
• Complexity m2 n dn-m1 Probabilistic complexity
  Polynomial.

s1
b/1
a/1
s2
s3
Words of length ?n-m1
Distinguishing sequences
177
Model Checking

• Finite state description of a system B.
• LTL formula ?. Translate ?? into an automaton P.
• Check whether L(B) ? L(P)?.
• If so, S satisfies ?. Otherwise, the intersection
  includes a counterexample.
• Repeat for different properties.

?
?
178
Buchi automata (w-automata)

• S - finite set of states. (B has l ? n states)
• S0 ? S - initial states. (P has m states)
• S - finite alphabet. (contains p letters)
• d ? S ? S ? S - transition relation.
• F ? S - accepting states.
• Accepting run passes a state in F infinitely
  often.

System automata FS, deterministic, one initial
state. Property automaton not necessarily
deterministic.
179
Example check ?a
a
ltgt?a
?a
?a, a
180
Example check ltgt?a
?ltgt?a
181
Example check ? ltgta
?a, a
ltgt??a
?a
?a
Use automatic translation algorithms, e.g.,
Gerth,Peled,Vardi,Wolper 95
182
System
183
Every element in the product is a counter example
for the checked property.
a
a
?ltgt?a
s1
s2
q1
?a
c
b
a
?a
s3
q2
a
s1,q1
s2,q1
Acceptance isdetermined byautomaton P.
b
a
s1,q2
s3,q2
c
184
Model Checking / Testing

• Given Finite state system B.
• Transition relation of B known.
• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory or BDD techniques.
• Complexity polynomial.

• Unknown Finite state system B.
• Alphabet and number of states of B or upper bound
  known.
• Specification given as an abstract system C.
• Check if B ?C.
• Complexity polynomial if number states known.
  Exponential otherwise.

185
Black box checking PVY

• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory techniques.

• Unknown Finite state system B.
• Alphabet and Upper bound on Number of states of B
  known.
• Complexity exponential.

??
?
186
Experiments
187
Simpler problem deadlock?

• Nondeterministic algorithmguess a path of
  length ? n from the initial state to a deadlock
  state.Linear time, logarithmic space.
• Deterministic algorithmsystematically try paths
  of length ?n, one after the other (and use
  reset), until deadlock is reached.Exponential
  time, linear space.

188
Deadlock complexity

• Nondeterministic algorithmLinear time,
  logarithmic space.
• Deterministic algorithmExponential (p n-1)
  time, linear space.
• Lower bound Exponential time (usecombination
  lock automata).
• How does this conform with what we know about
  complexity theory?

189
Modeling black box checking

• Cannot model using Turing machines not all the
  information about B is given. Only certain
  experiments are allowed.
• We learn the model as we make the experiments.
• Can use the model of games of incomplete
  information.

190
Games of incomplete information

• Two players -player, ?-player (here,
  deterministic).
• Finitely many configurations C.
  IncludingInitial Ci , Winning W and W- .
• An equivalence relation _at_ on C (the -player
  cannot distinguish between equivalent states).
• Labels L on moves (try a, reset, success, fail).
• The -player has the moves labeled the same from
  configurations that are equivalent.
• Deterministic strategy for the -player will
  lead to a configuration in W ? W-. Cannot
  distinguish between equivalent configurations.
• Nondeterministic strategy Can distinguish
  between equivalent configurations..

191
Modeling BBC as games

• Each configuration contains an automaton and its
  current state (and more).
• Moves of the -player are labeled withtry a,
  reset... Moves of the ?-player withsuccess,
  fail.
• c1 _at_ c2 when the automata in c1 and c2 would
  respond in the same way to the experiments so far.

192
A naive strategy for BBC

• Learn first the structure of the black box.
• Then apply the intersection.
• Enumerate automata with ?n states (without
  repeating isomorphic automata).
• For a current automata and new automata,
  construct a distinguishing sequence. Only one of
  them survives.
• Complexity O((n1)p (n1)/n!)

193
On-the-fly strategy

• Systematically (as in the deadlock case), find
  two sequences v1 and v2 of length ltm n.
• Applying v1 to P brings us to a state t that is
  accepting.
• Applying v2 to P brings us back to t.
• Apply v1 v2 n to B. If this succeeds,there is a
  cycle in the intersection labeled with v2, with t
  as the P (accepting) component.
• Complexity O(n2p2mnm).

v1
v2
194
Learning an automaton

• Use Angluins algorithm for learning an
  automaton.
• The learning algorithm queries whether some
  strings are in the automaton B.
• It can also conjecture an automaton Mi and asks
  for a counterexample.
• It then generates an automaton with more states
  Mi1 and so forth.

195
A strategy based on learning

• Start the learning algorithm.
• Queries are just experiments to B.
• For a conjectured automaton Mi , check if Mi ? P
  ?
• If so, we check conformance of Mi with B (VC
  algorithm).
• If nonempty, it contains some v1 v2w . We test B
  with v1 v2n. If this succeeds error, otherwise,
  this is a counterexample for Mi .

196
Complexity

• l - actual size of B.
• n - an upper bound of size of B.
• d - size of alphabet.
• Lower bound reachability is similar to deadlock.
• O(l 3 d l l 2mn) if there is an error.
• O(l 3 d l l 2 n dn-l1 l 2mn) if there is no
  error.
• If n is not known, check while time allows.
• Probabilistic complexity polynomial.

197
Some experiments

• Basic system written in SML (by Alex Groce, CMU).
• Experiment with black box using Unix I/O.
• Allows model-free model checking of C code with
  inter-process communication.
• Compiling tested code in SML with BBC program as
  one process.

198
Part 2 Software testing(Book chapter 9)

• Testing is not about showing that there are no
  errors in the program.
• Testing cannot show that the program performs its
  intended goal correctly.
• So, what is software testing?
• Testing is the process of executing the program
  in order to find errors.
• A successful test is one that finds an error.

199
Some software testing stages

• Unit testing the lowest level, testing some
  procedures.
• Integration testing different pieces of code.
• System testing testing a system as a whole.
• Acceptance testing performed by the customer.
• Regression testing performed after updates.
• Stress testing checking the code under extreme
  conditions.
• Mutation testing testing the quality of the
  test suite.

200
Some drawbacks of testing

• There are never sufficiently many test cases.
• Testing does not find all the errors.
• Testing is not trivial and requires considerable
  time and effort.
• Testing is still a largely informal task.

201
Black-Box (data-driven, input-output) testing

• The testing is not based on the structure of the
  program (which is unknown).
• In order to ensure correctness, every possible
  input needs to be tested - this is impossible!
• The goal to maximize the number of errors found.

202
testing
White Box

• Is based on the internal structure of the
  program.
• There are several alternative criterions for
  checking enough paths in the program.
• Even checking all paths (highly impractical) does
  not guarantee finding all errors (e.g., missing
  paths!)

203
Some testing principles

• A programmer should not test his/her own program.
• One should test not only that the program does
  what it is supposed to do, but that it does not
  do what it is not supposed to.
• The goal of testing is to find errors, not to
  show that the program is errorless.
• No amount of testing can guarantee error-free
  program.
• Parts of programs where a lot of errors have
  already been found are a good place to look for
  more errors.
• The goal is not to humiliate the programmer!

204
Inspections and Walkthroughs

• Manual testing methods.
• Done by a team of people.
• Performed at a meeting (brainstorming).
• Takes 90-120 minutes.
• Can find 30-70 of errors.

205
Code Inspection

• Team of 3-5 people.
• One is the moderator. He distributes materials
  and records the errors.
• The programmer explains the program line by line.
• Questions are raised.
• The program is analyzed w.r.t. a checklist of
  errors.

206
Checklist for inspections

• Data declaration
• All variables declared?
• Default values understood?
• Arrays and strings initialized?
• Variables with similar names?
• Correct initialization?

• Control flow
• Each loop terminates?
• DO/END statements match?
• Input/output
• OPEN statements correct?
• Format specification correct?
• End-of-file case handled?

207
Walkthrough

• Team of 3-5 people.
• Moderator, as before.
• Secretary, records errors.
• Tester, play the role of a computer on some test
  suits on paper and board.

208
Selection of test cases (for white-box testing)

• The main problem is to select a good coverage
• criterion. Some options are
• Cover all paths of the program.
• Execute every statement at least once.
• Each decision has a true or false value at least
  once.
• Each condition is taking each truth value at
  least once.
• Check all possible combinations of conditions in
  each decision.

209
Cover all the paths of the program
Infeasible. Consider the flow diagram on the
left. It corresponds to a loop. The loop body has
5 paths. If the loops executes 20 times there are
520 different paths! May also be unbounded!
210
How to cover the executions?

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END
• Choose values for A,B,X.
• Value of X may change, depending on A,B.
• What do we want to cover? Paths? Statements?
  Conditions?

211
Statement coverageExecute every statement at
least once

• By choosing
• A2,B0,X3
• each statement will be chosen.
• The case where the tests fail is not checked!

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

Now x1.5
212
Decision coverageEach decision has a true and
false outcome at least once.

• Can be achieved using
• A3,B0,X3
• A2,B1,X1
• Problem Does not test individual conditions.
  E.g., when Xgt1 is erroneous in second decision.

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

213
Decision coverage

• A3,B0,X3?

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

Now x1
214
Decision coverage

• A2,B1,X1 ?
• The case where A?1 and the case where xgt1 where
  not checked!

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2)(Xgt1) THEN XX1
  END

215
Condition coverageEach condition has a true and
false value at least once.

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

• For example
• A1,B0,X3
• A2,B1,X0
• lets each condition be true and false once.
• Problemcovers only the path where the first test
  fails and the second succeeds.

216
Condition coverage

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

• A1,B0,X3 ?

217
Condition coverage

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

• A2,B1,X0 ?
• Did not check the first THEN part at all!!!
• Can use conditiondecision coverage.

218
Multiple Condition CoverageTest all combinations
of all conditions in each test.

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

• Agt1,B0
• Agt1,B?0
• A?1,B0
• A?1,B?0
• A2,Xgt1
• A2,X?1
• A?2,Xgt1
• A?2,X?1

219
A smaller number of cases

• A2,B0,X4
• A2,B1,X1
• A1,B0,X2
• A1,B1,X1
• Note the X4 in the first
• case it is due to the fact
• that X changes before
• being used!

• IF (Agt1) (B0) THEN XX/A
  END
• IF (A2) (Xgt1) THEN XX1
  END

Further optimization not all combinations.For C
/\ D, check (C, D), (?C, D), (C, ?D).For C \/ D,
check (?C, ?D), (?C, D), (C, ?D).
220
PreliminaryRelativizing assertions(Book
Chapter 7)
A

• ?(B) x1 y1 x2 y2 /\ y2 gt 0
• Relativize ??B) w.r.t. the assignment becomes
  ??B) Y\g(X,Y)
• (I.e., ?( B) expressed w.r.t. variables at A.)
• ? ?(B)A ?x10 x2 x1 /\ x1gt0
• Think about two sets of variables,beforex, y,
  z, afterx,y,z.
• Rewrite ?(B) using after, and the assignment as a
  relation between the set of variables. Then
  eliminate after.
• Here x1y1 x2 y2 /\ y2gt0 /\x1x1 /\
  x2x2 /\ y10 /\ y2x1now eliminate x1, x2,
  y1, y2.

Yg(X,Y)
(y1,y2)(0,x1)
B
A
(y1