Antoine Rollet
University of Bordeaux
Publication
Featured research published by Antoine Rollet.
formal methods | 2014
Srinivas Pinisetty; Yliès Falcone; Thierry Jéron; Hervé Marchand; Antoine Rollet; Omer Landry Nguena Timo
Runtime enforcement is a powerful technique to ensure that a running system satisfies some desired properties. Using an enforcement monitor, an (untrustworthy) input execution (in the form of a sequence of events) is modified into an output sequence that complies with a property. Over the last decade, runtime enforcement has been mainly studied in the context of untimed properties. This paper deals with runtime enforcement of timed properties by revisiting the foundations of runtime enforcement when time between events matters. We propose a new enforcement paradigm where enforcement mechanisms are time retardants: to produce a correct output sequence, additional delays are introduced between the events of the input sequence. We consider runtime enforcement of any regular timed property defined by a timed automaton. We prove the correctness of enforcement mechanisms and prove that they enjoy two usually expected features, revisited here in the context of timed properties. The first one is soundness meaning that the output sequences (eventually) satisfy the required property. The second one is transparency, meaning that input sequences are modified in a minimal way. We also introduce two new features, (i) physical constraints that describe how a time retardant is physically constrained when delaying a sequence of timed events, and (ii) optimality, meaning that output sequences are produced as soon as possible. To facilitate the adoption and implementation of enforcement mechanisms, we describe them at several complementary abstraction levels. Our enforcement mechanisms have been implemented and our experimental results demonstrate the feasibility of runtime enforcement in a timed context and the effectiveness of the mechanisms.
runtime verification | 2012
Srinivas Pinisetty; Yliès Falcone; Thierry Jéron; Hervé Marchand; Antoine Rollet; Omer Landry Nguena Timo
Runtime enforcement is a powerful technique to ensure that a running system respects some desired properties. Using an enforcement monitor, an (untrustworthy) input execution (in the form of a sequence of events) is modified into an output sequence that complies with a property. Runtime enforcement has been extensively studied over the last decade in the context of untimed properties.
international colloquium on theoretical aspects of computing | 2015
Matthieu Renard; Yliès Falcone; Antoine Rollet; Srinivas Pinisetty; Thierry Jéron; Hervé Marchand
This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in modifying the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular timed property over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms satisfy important properties, namely soundness and compliance - meaning that enforcement mechanisms output correct executions that are close to the input execution. We discuss the conditions for a property to be enforceable with uncontrollable events, and we define enforcement mechanisms that modify executions to obtain a correct output, as soon as possible. Moreover, we synthesise sound and compliant descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.
international workshop on factory communication systems | 2010
Omer Landry Nguena Timo; Antoine Rollet
In this paper, we address the conformance testing problem for time-constrained critical systems. We propose a new model adapted to describing such systems. The model is called Variable Driven Timed Automata (VDTA) and is a variant of timed automata in which events are variable assignments and all transitions are urgent. We present a sound and exhaustive on-the-fly testing algorithm for such systems. As an application of our approach, we propose a case study on a "Bi-manual command" system.
acs ieee international conference on computer systems and applications | 2005
Abbas Tarhini; Antoine Rollet; Hacène Fouchal
In this paper, we suggest a realistic methodology for testing the robustness of real-time component-based systems (RTCBS). An RTCBS system is described as a collection of components where each component is specified by a nominal and a degraded specification, modeled as a timed input-output automaton (TIOA). Further, the communication of the whole system is also specified by its nominal and degraded specification. We extract test sequences from the nominal specification and automatically inject faults in order to model hostile environments. Then, we present an adequate test architecture consisting of a system under test (SUT) made of components, and a distributed tester that consists of a set of coordinating testers. Each tester is dedicated to testing a single SUT component. A test execution algorithm with an approach to handle tester coordination and execution delay is presented. Testing the SUT is divided into two phases. In the first phase, the tester tests the robustness of each component in isolation. If all components are robust with respect to the inserted hazards, in the second phase we use the nominal and degraded specification of the whole system to check the robustness of communications between components.
software engineering research and applications | 2007
Antoine Rollet; Fares Saad-Khorchef
Robustness is an important feature required for embedded systems. This paper presents a methodology to test the robustness of such systems. We investigate system behaviour aspects. We handle two formal specifications: a nominal one which describes the system behaviour in normal conditions and a degraded one which describes the behaviour in critical conditions. Both are described as Labelled Transition Systems for untimed systems and as Timed Automata for timed systems. We extract test sequences from the nominal or from the degraded specification. We perform fault injection on these test sequences. Finally, we submit these sequences to the Implementation Under Test (IUT) and then analyze its behaviour using adequate robustness relations.
Mathematical Structures in Computer Science | 2017
Matthieu Renard; Yliès Falcone; Antoine Rollet; Thierry Jéron; Hervé Marchand
This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in defining and using mechanisms that modify the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular (timed) property described by a deterministic automaton over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms should satisfy important properties, namely soundness, compliance, and optimality - meaning that enforcement mechanisms should output as soon as possible correct executions that are as close as possible to the input execution. We define the conditions for a property to be enforceable with uncontrollable events. Moreover, we synthesise sound, compliant, and optimal descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.
International Journal on Software Tools for Technology Transfer | 2014
Hélène Collavizza; Nguyen Le Vinh; Olivier Ponsini; Michel Rueher; Antoine Rollet
Safety property checking is mandatory in the validation process of critical software. When formal verification tools fail to prove some properties, the automatic generation of counterexamples for a given loop depth is an important issue in practice. We investigate in this paper the capabilities of constraint-based bounded model checking for program verification and counterexample generation on real applications. We introduce the dynamic post-condition variable-driven strategy (DPVS), a new backjumping strategy we developed to handle an industrial application from a car manufacturer, the Flasher Manager. This backjumping strategy is used to search for a faulty path and to collect the constraints of such a path. The simplified control flow graph (CFG) of the program is explored in a backward way, starting from the post-condition and jumping to the most promising node where the variables of the post-condition are defined. In other words, the constraints are collected by exploring the CFG in a dynamic and non-sequential backward way. The Flasher Manager application has been designed and simulated using the Simulink platform. However, this module is concretely embedded as a C program in a car computer, so we have to check that the safety properties are preserved on this C code. We report experiments on the Flasher Manager with our constraint-based bounded model checker, and with CBMC, a state-of-the-art bounded model checker. Experiments show that DPVS and CBMC have similar performance on one property of the Flasher Manager; DPVS outperforms CBMC in finding a counterexample for two properties; two of the properties of the Flasher Manager remain intractable for both CBMC and DPVS.
international conference on testing software and systems | 2013
Alexandre David; Kim Guldstrand Larsen; Marius Mikučionis; Omer Landry Nguena Timo; Antoine Rollet
We present a study and a testing framework on black-box remote testing of real-time systems using Uppaal-TIGA. One of the essential challenges of remote testing is the communication latency between the tester and the system under test (SUT), which may lead to interleaving of inputs and outputs. This affects the generation of inputs for the SUT and the observation of outputs, and may trigger a wrong test verdict. We model the overall test setup using Timed Input-Output Automata (TIOA) and present an adapted asynchronous semantics with explicit communication delays. We propose the Δ-testability criterion for the requirement model, where Δ describes the communication latency. The test case generation problem is then reduced to a controller synthesis problem. We use Uppaal-TIGA for this purpose to solve a timed game with partial observability between the tester and the communication media together with the SUT. The objective of the game corresponds to a test purpose.
international conference on software testing verification and validation workshops | 2011
Omer Nguena-Timo; Antoine Rollet
Conformance testing amounts to verifying that the observed behaviors of an implementation are adequate with respect to its specified behaviors. In this paper, we handle model-based conformance testing for data-flow critical systems with time constraints. Specifications are described with a formal model adapted for such systems, called Variable Driven Timed Automata (VDTA). VDTA are inspired by timed automata but use input/output communication variables, allowing clear and short specifications. We present a conformance relation for this model and propose a symbolic test selection algorithm based on a test purpose. The selection algorithm computes the variations on inputs that allow reaching an expected state of the implementation. Then we propose an on-line testing algorithm.