VerTeCS
Verification models and techniques applied to the
Testing and Control of reactive Systems
Thierry Jéron
IRISA/INRIA Rennes, France
http://www.irisa.fr/vertecs
Team: 4 Inria researchers, 1 Post Doc, 4 PhD, 1 Engineer
Main research activities
Verification of finite/infinite state systems
Controller synthesis for Discrete Event Systems
Model-based test generation
Model-based fault diagnosis
Verification
Given a model M and a property P, decide M ⊨ P ? (answer Y/N, with witnesses/diagnostic)
Techniques: Model-checking, Abstract Interpretation, Theorem proving
Controller synthesis for DES
Given a model M (with controllable (c) and uncontrollable (uc) events) and a property P, build a controller C s.t. M x C ⊨ P
Testing
Test generation: build test cases TC s.t. TC is sound w.r.t. M & ioco, and the test suite TS={TC} is exhaustive; exhaustiveness is impossible in practice ⇒ selection
Test execution: TC || IUT; verdict fail when Vis(IUT) produces an output not allowed by Vis(M) (!otherwise)
Conformance relation: IUT ioco S ⟺ STraces(IUT) ∩ STraces(S).! ⊆ STraces(S)
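As an added illustration of the ioco relation above (not part of the original slides), a small Python checker for finite IOLTS without internal actions: it explores the suspension traces of the specification, compares out() sets including quiescence δ, and returns a witness trace σ.a ∈ STraces(IUT) \ STraces(S) when conformance fails. The vending-machine systems are constructed sample input.

```python
from collections import deque
DELTA = "δ"  # quiescence (absence of output), made an explicit label of the suspension automaton

class IOLTS:
    """Finite IOLTS without internal actions; '?x' labels are inputs, '!x' labels outputs."""
    def __init__(self, init, edges):  # edges: (src, label, dst) triples
        self.init, self.trans = init, {}
        for src, label, dst in edges:
            self.trans.setdefault((src, label), set()).add(dst)
    def outputs(self, state):
        return {l for (s, l) in self.trans if s == state and l.startswith("!")}

    def out(self, states):  # enabled outputs of a state set, plus δ for each quiescent state
        res = set()
        for s in states:
            res |= self.outputs(s) or {DELTA}
        return res

    def after(self, states, label):  # one step of the suspension automaton (δ = self-loop)
        nxt = set()
        for s in states:
            if label == DELTA and not self.outputs(s):
                nxt.add(s)
            nxt |= self.trans.get((s, label), set())
        return nxt

    def enabled(self, states):
        return {l for (s, l) in self.trans if s in states} | (self.out(states) & {DELTA})

def ioco(iut, spec):
    """None if iut ioco spec, else a witness (sigma, a) with a in out(iut after sigma) but not in out(spec after sigma)."""
    start = (frozenset({spec.init}), frozenset({iut.init}))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (ss, is_), sigma = queue.popleft()
        bad = iut.out(is_) - spec.out(ss)
        if bad:
            return sigma, min(bad)
        for label in spec.enabled(ss):  # only suspension traces of the specification are followed
            pair = (frozenset(spec.after(ss, label)), frozenset(iut.after(is_, label)))
            if pair[1] and pair not in seen:  # where the IUT cannot follow there is nothing to check
                seen.add(pair)
                queue.append((pair, sigma + (label,)))
    return None

# constructed sample systems (a vending machine), not taken from the slides
SPEC = IOLTS("s0", [("s0", "?coin", "s1"), ("s1", "!tea", "s2"), ("s1", "!coffee", "s2")])
IUT_OK = IOLTS("i0", [("i0", "?coin", "i1"), ("i1", "!tea", "i2"), ("i0", "?button", "i3")])
IUT_BAD = IOLTS("i0", [("i0", "?coin", "i1"), ("i1", "!beer", "i2")])
IUT_QUIET = IOLTS("i0", [("i0", "?coin", "i1")])  # never answers ?coin: quiescence the spec forbids
```

IUT_OK conforms although it accepts an extra input (?button), since only specification traces are examined; IUT_BAD and IUT_QUIET are rejected with the trace (?coin) and the offending output (!beer, resp. δ).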
Main research activities in test generation
Enumerative on-the-fly techniques → TGV: off-line selection of behaviors of vis(M) accepted by TP, based on reachability & co-reachability analysis
Symbolic test generation techniques → STG: off-line selection by symbolic transformations and approximated analysis (∼ slicing of M wrt TD); execution: on-line constraint solving
Methodological combination of V & T: "test on IUT what you tried to verify on M" (Vlad's talk): from the verification question M ⊨ P ?, derive a TC that detects ¬(I ioco S) and/or I ⊭ P, for enumerative and symbolic techniques
Test selection by test purpose
Product Vis(M) x TP, where TP is a test purpose with accepting states Acc; TC is the part of the product in coreach(Acc), with verdicts Pass (Acc reached), inconc (leaving coreach(Acc)) and fail (!otherwise: an output not in Vis(M))
Coreach(Acc) not computable for (infinite) models with data ⇒ over-approximation needed
Test selection by approximate analysis
Model M (locations Idle, Ry, Rx, Cmp, End; variables x, y; parameter p) with transitions:
?start; x≥0 ?a(p) y:=p; ?a(p) x:=p; !end;
p=y-x ∧ -2≤p≤2 !ok(p); x<0 ∧ p=x !err(p); y<0 ∧ p=y !err(p); p=y-x ∧ ¬(-2≤p≤2) !nok(p)
Test purpose TP (locations Wait, Acc, Sink; * = any other action):
Wait → Acc on p=2 ∧ x≥3 ∧ !ok(p); Wait → Sink on ¬(p=2 ∧ x≥3) ∧ !ok(p) and on !err(p)
Syntactical product M x TP: locations IdleWait, RyWait, RxWait, CmpWait, EndWait, Pass, Sink; the transitions of M are kept, and on !ok(p) the guard of TP is conjoined: p=2 ∧ x≥3 ∧ p=y-x ∧ -2≤p≤2 !ok(p) leads to Pass, ¬(p=2 ∧ x≥3) ∧ p=y-x ∧ -2≤p≤2 !ok(p) leads to Sink
Test selection by approximate analysis (continued)
reach(Acc) computed by NBAC on M x TP → simplification: guards of the product evaluate to ⊤ or ⊥, and the constraints x≥3 and x≥3 ∧ y-x=2 appear on the locations leading to Pass
coreach(Acc) computed by NBAC → guard strengthening: the inputs become p≥3 ?a(p) x:=p and p=x+2 ?a(p) y:=p, yielding the test case TC with verdicts Pass (p=2 !ok(p) under x≥3 ∧ y-x=2), inconc (leaving coreach(Acc)) and fail (!otherwise)
Test execution against IUT: check outputs / choose input values by on-line constraint solving
Perspectives linked with Artist
Extension of symbolic techniques to symbolic timed models
Testing of security policies: formalization of conformance, generation of attacks (Potestat French project with LSR, Verimag)
Tools extensions