Testing times: on model-driven test generation for non-deterministic real-time systems

Summary form only given. Although testing has always been the most important technique for the validation of software systems it has only become a topic of serious academic research in the past decade or so. In this period research on the use of formal methods for model-driven test generation and execution of functional test cases has led to a number of promising methods and tools for systematic black-box testing of systems, examples are based on A. Belinfante et al. (1999), J. Tretmans and E. Brinksma (2003), J.-C. Fernandez et al. (1996) and J.-C. Fernandez et al. (1997). Most of these approaches are limited to the qualitative behaviour of systems, and exclude quantitative aspects such as real-time properties. The explosive growth of embedded software, however, has also caused a growing need to extend existing testing theories to the testing of real-time reactive systems. In our presentation we present an extension of Tretmans' ioco theory for test generation as stated in J. Tretmans (1996) for input/output transition systems that includes real-time behaviour

Introduction to the ISO specification language LOTOS

LOTOS is a specification language that has been specifically developed for the formal description of the OSI (Open Systems Interconnection) architecture, although it is applicable to distributed, concurrent systems in general. In LOTOS a system is seen as a set of processes which interact and exchange data with each other and with their environment. LOTOS is expected to become an ISO international standard by 1988

Model checking embedded system designs

We survey the basic principles behind the application of model checking to controller verification and synthesis. A promising development is the area of guided model checking, in which the state space search strategy of the model checking algorithm can be influenced to visit more interesting sets of states first. In particular, we discuss how model checking can be combined with heuristic cost functions to guide search strategies. Finally, we list a number of current research developments, especially in the area of reachability analysis for optimal control and related issues

Testing real-time multi input-output systems

In formal testing, the assumption of input enabling is typically made. This assumption requires all inputs to be enabled anytime. In addition, the useful concept of quiescence is sometimes applied. Briefly, a system is in a quiescent state when it cannot produce outputs. In this paper, we relax the input enabling assumption, and allow some input sets to be enabled while others remain disabled. Moreover, we also relax the general bound M used in timed systems to detect quiescence, and allow different bounds for different sets of outputs. By considering the tioco-M theory, an enriched theory for timed testing with repetitive quiescence, and allowing the partition of input sets and output sets, we introduce the mtioco^M relation. A test derivation procedure which is nondeterministic and parameterized is further developed, and shown to be sound and complete wrt mtioco^

Conflicts and projections

This paper studies abstraction methods suitable to verify very large models of discrete-event systems to be nonconflicting. It compares the observer property to methods known from process algebra, namely to conflict equivalence and observation equivalence. The observer property is shown to be the property that corresponds to conflict equivalence in the case where natural projection is used for abstraction. In this case, the observer property turns out to be the least restrictive condition that can be imposed on natural projection to enable compositional reasoning about conflicts. The observer property is also shown to be closely related to observation equivalence. Several examples and propositions are presented to relate different aspects of these methods of abstraction

A Semantic Framework for Test Coverage

Since testing is inherently incomplete, test selection is of vital importance. Coverage measures evaluate the quality of a test suite and help the tester select test cases with maximal impact at minimum cost. Existing coverage criteria for test suites are usually defined in terms of syntactic characteristics of the implementation under test or its specification. Typical black-box coverage metrics are state and transition coverage of the specification. White-box testing often considers statement, condition and path coverage. A disadvantage of this syntactic approach is that different coverage figures are assigned to systems that are behaviorally equivalent, but syntactically different. Moreover, those coverage metrics do not take into account that certain failures are more severe than others, and that more testing effort should be devoted to uncover the most important bugs, while less critical system parts can be tested less thoroughly. This paper introduces a semantic approach to test coverage. Our starting point is a weighted fault model, which assigns a weight to each potential error in an implementation. We define a framework to express coverage measures that express how well a test suite covers such a specification, taking into account the error weight. Since our notions are semantic, they are insensitive to replacing a specification by one with equivalent behaviour.We present several algorithms that, given a certain minimality criterion, compute a minimal test suite with maximal coverage. These algorithms work on a syntactic representation of weighted fault models as fault automata. They are based on existing and novel optimization\ud problems. Finally, we illustrate our approach by analyzing and comparing a number of test suites for a chat protocol

Behavioural hybrid process calculus

Process algebra is a theoretical framework for the modelling and analysis of the behaviour of concurrent discrete event systems that has been developed within computer science in past quarter century. It has generated a deeper nderstanding of the nature of concepts such as observable behaviour in the presence of nondeterminism, system composition by interconnection of concurrent component systems, and notions of behavioural equivalence of such systems. It has contributed fundamental concepts such as bisimulation, and has been successfully used in a wide range of problems and practical applications in concurrent systems. We believe that the basic tenets of process algebra are highly compatible with the behavioural approach to dynamical systems. In our contribution we present an extension of classical process algebra that is suitable for the modelling and analysis of continuous and hybrid dynamical systems. It provides a natural framework for the concurrent composition of such systems, and can deal with nondeterministic behaviour that may arise from the occurrence of internal switching events. Standard process algebraic techniques lead to the characterisation of the observable behaviour of such systems as equivalence classes under some suitably adapted notion of bisimulation

Five years of observations of ozone profiles over Lauder, New Zealand

Altitude profiles of ozone (O3) over Lauder (45°S, 170°E) performed using a lidar, ozonesondes, and the satellite-borne Stratospheric Aerosol and Gas Experiment (SAGE II) instrument are presented. These data form one of the few long-term sets of O3 profiles at a Southern Hemisphere location. In the 5 years of data presented, the dominant variation is the annual cycle, the phase and amplitude of which differ below and above 27.5 km. Superposed are irregular episodic variations, caused by various processes. The first process studied is stratosphere-troposphere exchange, characterized by dry and O3-rich air residing in the troposphere, which was found in 21% of the measurements. The second relates to the positioning of the higher polar vortex over Lauder, often in combination with the exchange of air between midlatitude and subtropical stratospheric regions. We present examples of this which were observed over Lauder during the 1997 winter. This winter was selected for further study because of the record-low O3 amounts measured. The third process is mixing of O3-depleted vortex air with midlatitude air after the vortex breakup. We present one example, which shows that a filament originating from the depleted Antarctic vortex significantly lowers O3 amounts over Lauder around 27 November 1997. There is thus a connection between Antarctic O3 depletion and later decrease of O3 amounts at a Southern Hemisphere midlatitude location, namely Lauder