2
Issues in Software Testing with Model Checkers Vadim Okun Paul E. Black National Institute of Standards and Technology Gaithersburg, MD 20899 {vokun1,paul.black}@nist.gov I. GENERATING SOFTWARE TESTS Most software developers consider formal methods too hard and tedious to use in practice. Instead of using formal methods, developers test software. Model checking is a “light-weight” formal method to check the truth (or falsity) of statements. We use the SMV model checker as part of a highly automated test generation tool, which we hope will motivate practitioners to use formal methods more. For instance, an organization is more likely to expend the considerable effort to develop a formal specification if, with a little extra effort, it can also get tests. In this paper we present some approaches to use model checkers to generate tests. Model checking is being applied to test generation and coverage evaluation [3], [4], [7]. In both uses, one first decides on a notion of what properties of a design must be exercised to constitute thorough testing. This notion leads to test criteria. One applies the chosen test criteria to the specification to derive test requirements, i.e., a set of individual properties to be tested, represented as temporal logic formulas [2]. To generate tests, the requirements must be negative requirements, that is, they are considered satisfied if the corresponding formulas are inconsistent with the state machine. They must also be of a form that a single counterexample demonstrates the inconsistency (exhaustive enumeration is needed to show inconsistency of an existential requirement). For instance, if the criterion is state coverage, the negative requirements are that the machine is never in state 1, never in state 2, etc. When the model checker finds an inconsistent formula, it produces a counterexample. Again, for state coverage, a counterexample gives stimulus to put the machine in state 1 (if it is reachable), another to put the machine in state 2, etc. Counterexamples are automatically turned into executable tests. An alternative approach is developing a special tool, based on an existing model checker, to generate counterexamples that have properties, such as fault visibility (Section V), especially useful for test generation. This tool could benefit from most of the technology of existing model checkers. We are not yet pursuing this line of research due to lack of resources. II. ABSTRACTION FOR TESTING Since complete detailed designs are typically too big to check, abstractions, or reductions, are used. Abstractions for test generation can use a different soundness rule [1] than for property checking. Informally, counterexamples generated from the reduced specification must be valid traces in the original specification. Of course, reduction details must be kept to turn counterexamples into tests. Different test requirements may call for different reductions. One such sound reduction, called “finite focus” [1], reduces a large or infinite domain to a small subset of values. These values can be indicated by an analyst according to their testing importance. This reduction mechanically modifies both the state machine and test requirements. In addition to using abstractions, we often start with a high- level design. III. HIGHER LEVEL SPECIFICATIONS SMV’s description language is too low level for wide-spread use. A popular system must get state machines from higher level descriptions such as MATLAB stateflows, SCR, HOL, or UML state diagrams. Theorem provers and model checkers complement each other in description and analysis tasks. Static (or functional) aspects of a system are best described and analyzed with a theorem prover, while a model checker is well suited for dealing with dynamic (or behavioral) parts. HOL provides a higher level of language constructs than does SMV. A proposed test generation framework [8] starts with a system model in HOL, mechanically converts a part of the model to SMV, generates test cases for the static (HOL) and dynamic (SMV) parts separately, and integrates the tests. Portions of an HOL specification of a secure operating system model were converted to SMV using a prototype translator tool [8]. We also generated tests from the SMV model automatically. In the future, we hope to generate test cases from HOL specifications and integrate the test sets from HOL and SMV. IV. DERIVING LOGIC CONSTRAINTS Mutation adequacy [5] is a test criterion that naturally yields negative requirements. The specification-based mutation criterion [2] requires tests to distinguish between the original state machine description and its mutants, that is, ones that differ from the original by exactly one syntactic change. Consider the following fragment of a state machine description in SMV. next(state) := case state = ready & req : busy; ... esac;

Issues in Software Testing with Model Checkers

Embed Size (px)

Citation preview

Page 1: Issues in Software Testing with Model Checkers

Issues in Software Testing with Model CheckersVadim Okun Paul E. Black

National Institute of Standards and TechnologyGaithersburg, MD 20899

{vokun1,paul.black}@nist.gov

I. GENERATING SOFTWARE TESTS

Most software developers consider formal methods too hardand tedious to use in practice. Instead of using formal methods,developers test software. Model checking is a “light-weight”formal method to check the truth (or falsity) of statements.We use the SMV model checker as part of a highly automatedtest generation tool, which we hope will motivate practitionersto use formal methods more. For instance, an organization ismore likely to expend the considerable effort to develop aformal specification if, with a little extra effort, it can also gettests. In this paper we present some approaches to use modelcheckers to generate tests.

Model checking is being applied to test generation andcoverage evaluation [3], [4], [7]. In both uses, one first decideson a notion of what properties of a design must be exercisedto constitute thorough testing. This notion leads to test criteria.

One applies the chosen test criteria to the specification toderive test requirements, i.e., a set of individual propertiesto be tested, represented as temporal logic formulas [2]. Togenerate tests, the requirements must be negative requirements,that is, they are considered satisfied if the correspondingformulas are inconsistent with the state machine. They mustalso be of a form that a single counterexample demonstratesthe inconsistency (exhaustive enumeration is needed to showinconsistency of an existential requirement). For instance, ifthe criterion is state coverage, the negative requirements arethat the machine is never in state 1, never in state 2, etc.

When the model checker finds an inconsistent formula,it produces a counterexample. Again, for state coverage, acounterexample gives stimulus to put the machine in state1 (if it is reachable), another to put the machine in state 2,etc. Counterexamples are automatically turned into executabletests.

An alternative approach is developing a special tool, basedon an existing model checker, to generate counterexamples thathave properties, such as fault visibility (Section V), especiallyuseful for test generation. This tool could benefit from mostof the technology of existing model checkers. We are not yetpursuing this line of research due to lack of resources.

II. ABSTRACTION FOR TESTING

Since complete detailed designs are typically too big tocheck, abstractions, or reductions, are used. Abstractions fortest generation can use a different soundness rule [1] thanfor property checking. Informally, counterexamples generatedfrom the reduced specification must be valid traces in the

original specification. Of course, reduction details must be keptto turn counterexamples into tests. Different test requirementsmay call for different reductions.

One such sound reduction, called “finite focus” [1], reducesa large or infinite domain to a small subset of values. Thesevalues can be indicated by an analyst according to their testingimportance. This reduction mechanically modifies both thestate machine and test requirements.

In addition to using abstractions, we often start with a high-level design.

III. HIGHER LEVEL SPECIFICATIONS

SMV’s description language is too low level for wide-spreaduse. A popular system must get state machines from higherlevel descriptions such as MATLAB stateflows, SCR, HOL,or UML state diagrams.

Theorem provers and model checkers complement eachother in description and analysis tasks. Static (or functional)aspects of a system are best described and analyzed witha theorem prover, while a model checker is well suited fordealing with dynamic (or behavioral) parts.

HOL provides a higher level of language constructs thandoes SMV. A proposed test generation framework [8] startswith a system model in HOL, mechanically converts a part ofthe model to SMV, generates test cases for the static (HOL)and dynamic (SMV) parts separately, and integrates the tests.

Portions of an HOL specification of a secure operatingsystem model were converted to SMV using a prototypetranslator tool [8]. We also generated tests from the SMVmodel automatically. In the future, we hope to generate testcases from HOL specifications and integrate the test sets fromHOL and SMV.

IV. DERIVING LOGIC CONSTRAINTS

Mutation adequacy [5] is a test criterion that naturallyyields negative requirements. The specification-based mutationcriterion [2] requires tests to distinguish between the originalstate machine description and its mutants, that is, ones thatdiffer from the original by exactly one syntactic change.Consider the following fragment of a state machine descriptionin SMV.

next(state) := casestate = ready & req : busy;...

esac;

Page 2: Issues in Software Testing with Model Checkers

One possible mutation is negating a boolean variable, as in

state = ready & !req : busy;

The specification-based mutation scheme in [2] expressesthe state machine in temporal logic, then systematically appliessmall changes to the temporal logic expressions yielding a setof mutant expressions. The model checker then finds coun-terexamples that detect inconsistent mutants. The mechanicalprocess of deriving temporal logic formulas from the statemachine description is called reflection. A possible reflectionfor the above SMV fragment is

AG (state=ready & req -> AX state=busy)

This form of reflection, called direct reflection, is straight-forward to derive. Suppose the SMV state machine descriptionhas the following case statement:

next(x) := case ... bi : vi; ... esac;

bi and vi are called guard and target, respectively.If the guards are a partition and the targets are pairwise

disjoint, a tighter reflection is possible:

AG ((bi → AX (x in vi)) & (!bi → AX !(x in vi)))

For instance, if the mutation is to bi to form bi’, the mutantformula is

AG ((bi’ → AX (x in vi)) & (!bi’ → AX !(x in vi)))

Moreover, as shown in [2], when the resulting counterex-ample includes an additional step, the clause

AG (bi ↔ bi’)

is a satisfactory implementation for mutations to bi.There are transformations to recast the guards to be a

partition and ways to cope with targets that are not pairwisedisjoint.

V. FAULT VISIBILITY

To detect an implementation error, a test case must causean internal fault to propagate to a visible output. Consider thefollowing fragment of a state machine description

next(t) := case ... f(i) : v; ... esac;next(o) := case ... g(t) : w; ... esac;

In the example, i is an input variable, t is an intermediatevariable, o is an output variable. Suppose that mutationreplaced the formula f(i) with f’(i). In the case of directreflection, the corresponding mutant formula is

AG (f’(i) -> t = v)

Often, the model checker will find a counterexample thatwill show inconsistency in the intermediate variable t but notin the output variable o. Such a test is of little value.

We proposed two methods [6] to guarantee that tests causedetectable output failures. The first method, in-line expansion,uses only the reflections of the transition relation involvingoutput variables. In these temporal logic formulas, any internalvariable is replaced in-line with a copy of its transition relation.This substitution is repeated until the formulas are comprised

exclusively of input and output variables, hence the modelchecker finds counterexamples that affect the outputs. For theabove example, the mutant formula is

AG (f’(i) -> AX (g(v) -> AX o = w))

Since only input and output appear, the model checker findscounterexamples that affect the output. The method may leadto an exponential increase in the number or size of logicalformulas.

The second method, state machine duplication, duplicatesthe state machine and combines the two machines ensuringthat the duplicate always takes the same transitions as theoriginal. The next step is to mutate the duplicate, then assertthat the visible outputs of the original and the mutant areidentical over the combined state machine. If the mutanthas an observable fault, the model checker will produce acounterexample leading to the state where the original andthe mutant differ in an output value.

Of course, duplication of the state machine increases thesize of the state space. Dependency analysis by slicing is oneway to improve scalability. Our experiments suggest that bothin-line expansion and state machine duplication methods arevery effective for generating black-box tests.

VI. CONCLUSIONS

We believe that there are benefits of applying model check-ing to software testing. While some issues raised in thispaper are specific to test generation, others have much incommon with the more mainstream uses of model checkers.The opportunities for future work include devising new ab-straction techniques geared toward test generation, integrationwith higher-level languages, and developing a counterexamplegenerator that guarantees propagation of faults to the visibleoutputs.

REFERENCES

[1] P. Ammann and P. E. Black. Abstracting formal specifications to generatesoftware tests via model checking. In Proc. 18th Digital Avionics SystemsConference (DASC99), volume 2, page 10.A.6. IEEE, Oct 1999. AlsoNIST IR 6405.

[2] P. Ammann, P. E. Black, and W. Ding. Model checkers in softwaretesting. Technical Report NIST-IR-6777, National Institute of Standardsand Technology, February 2002.

[3] P. E. Ammann, P. E. Black, and W. Majurski. Using model checking togenerate tests from specifications. In Proceedings of the Second IEEEInternational Conference on Formal Engineering Methods (ICFEM’98),pages 46–54. IEEE Computer Society, December 1998.

[4] J. Callahan, F. Schneider, and S. Easterbrook. Automated software testingusing model-checking. In Proc. 1996 SPIN Workshop, Rutgers, NJ, Aug1996. Also WVU TR #NASA-IVV-96-022.

[5] R. A. DeMillo, R. J. Lipton, and F. G. Sayward. Hints on test dataselection: Help for the practicing programmer. IEEE Comp, 11(4):34–41,1978.

[6] V. Okun, P. E. Black, and Y. Yesha. Testing with model checker: Insuringfault visibility. In Proc. 2002 WSEAS International Conference on SystemScience, Applied Mathematics and Computer Science, Oct 2002.

[7] S. Rayadurgam and M. P.E. Heimdahl. Coverage based test-case genera-tion using model checkers. In 8

th Annual IEEE International Conferenceand Workshop on the Engineering of Computer Based Systems (ECBS),Apr. 2001.

[8] D. Zhou and P. E. Black. Translating HOL to specifications for the modelchecker SMV. In TPHOLs 2001, pages 400–415, Sep 2001.


1018 3 in 1 Checkers Chess, Checkers, Chineses Checkers ... · Title: 1018_3 in 1_ Checkers_ Chess, Checkers, Chineses Checkers_Thumbnail_INS Created Date: 4/4/2017 3:37:37 PM

1018 3 in 1 Checkers Chess, Checkers, Chineses Checkers ... · Title: 1018_3 in 1_ Checkers_ Chess, Checkers, Chineses Checkers_Thumbnail_INS Created Date: 4/4/2017 3:37:37 PM

Documents
Checkers Promotion

Checkers Promotion

Documents
Borehole Yield and Quality Testing at Checkers Constantia ... · one borehole at Checkers Constantia, Cape Town. The borehole (CC_BH01), was tested by GEOSS during January 2019, details

Borehole Yield and Quality Testing at Checkers Constantia ... · one borehole at Checkers Constantia, Cape Town. The borehole (CC_BH01), was tested by GEOSS during January 2019, details

Documents
Slide 1Module Testing Meeting Jan. 29, 2002CMS Module Testing Issues-Anthony Affolder CMS Module Testing Issues From a CDF Testing Experience Perspective

Slide 1Module Testing Meeting Jan. 29, 2002CMS Module Testing Issues-Anthony Affolder CMS Module Testing Issues From a CDF Testing Experience Perspective

Documents
CMS Module Testing Issues

CMS Module Testing Issues

Documents
Region Retailer Name · 2020. 8. 6. · Gauteng Checkers N/Mead Square Gauteng Checkers Bryanston Gauteng Checkers Emmerentia Gauteng Checkers Cresta Gauteng Checkers Brooklyn Gauteng

Region Retailer Name · 2020. 8. 6. · Gauteng Checkers N/Mead Square Gauteng Checkers Bryanston Gauteng Checkers Emmerentia Gauteng Checkers Cresta Gauteng Checkers Brooklyn Gauteng

Documents
Checkers 2014

Checkers 2014

Documents
CHECKERS CATALOG

CHECKERS CATALOG

Documents
A Comparative Study of Software Model Checkers as Unit Testing Tools

A Comparative Study of Software Model Checkers as Unit Testing Tools

Documents
Checkers memorandum

Checkers memorandum

Education
Laboratory issues in coagulation testing

Laboratory issues in coagulation testing

Documents
Emerging Issues in Drug Testing

Emerging Issues in Drug Testing

Documents
A Comparative Study of Software Model Checkers as Unit Testing Tools an Industrial Case Study

A Comparative Study of Software Model Checkers as Unit Testing Tools an Industrial Case Study

Documents
1 Software Testing Strategies: Approaches, Issues, Testing Tools

1 Software Testing Strategies: Approaches, Issues, Testing Tools

Documents
Giant Chinese Checkers

Giant Chinese Checkers

Documents
Arabic spell checkers

Arabic spell checkers

Education
Pervasive Checkers

Pervasive Checkers

Documents
COVID-19 Testing Sites - Midwest SafetyVM48 Checkers VersaMAT®, black, 4 x 8 ft CV48 Checkers VersaMAT®, clear, 4 x 8 ft Cable Protectors Cover hoses and cables to eliminate tripping

COVID-19 Testing Sites - Midwest SafetyVM48 Checkers VersaMAT®, black, 4 x 8 ft CV48 Checkers VersaMAT®, clear, 4 x 8 ft Cable Protectors Cover hoses and cables to eliminate tripping

Documents
Lasker Checkers Chess

Lasker Checkers Chess

Documents
Checkers Rag

Checkers Rag

Documents
Chess Checkers Board · Chess/Checkers Board

Chess Checkers Board · Chess/Checkers Board

Documents
Checkers Fundamentals

Checkers Fundamentals

Documents
ETHICAL ISSUES IN PSYCHOLOGICAL TESTING

ETHICAL ISSUES IN PSYCHOLOGICAL TESTING

Documents
Automated Software Testing with Model Checkers

Automated Software Testing with Model Checkers

Documents
Checkers Training Document_Jeans

Checkers Training Document_Jeans

Documents
CHECKERS - Constant Contact

CHECKERS - Constant Contact

Documents
1/26 Writing II Word processors Spell checkers Grammar checkers

1/26 Writing II Word processors Spell checkers Grammar checkers

Documents
Checkers Cheaters

Checkers Cheaters

Documents
Checkers solved!

Checkers solved!

Documents
Checkers Samples

Checkers Samples

Documents