Natalia Ioustinova
Centrum Wiskunde & Informatica
Publications
international andrei ershov memorial conference on perspectives of system informatics | 2003
Natalia Ioustinova; Natalia Sidorova
μCRL is a process algebraic language for the specification and verification of distributed systems. μCRL makes it possible to describe temporal properties of distributed systems, but it has no explicit reference to time. In this work we propose a way of introducing discrete time without extending the language. The semantics of discrete time we use makes it possible to reduce the time progress problem to the diagnosis of "no action is enabled" situations. The synchronous nature of the language facilitates the task. We show some experimental verification results obtained on a timed communication protocol.
formal methods | 2002
Natalia Ioustinova; Natalia Sidorova; Martin Steffen
Model checkers like Spin can handle closed reactive systems only. Thus, to handle open systems, in particular when using assume-guarantee reasoning, we need to be able to close (sub-)systems, which is commonly done by adding an environment process. For models with asynchronous message-passing communication, however, modelling the environment as a separate process will lead to a combinatorial explosion caused by all combinations of messages in the input queues. In this paper we describe the implementation of a tool which automatically closes DTPromela translations of SDL specifications by embedding the timed chaotic environment into the system. To corroborate the usefulness of our approach, we compare the state space of models closed by embedding chaos with the state space of the same models closed with chaos as an external environment process, on some simple models and on a case study from a wireless ATM medium-access protocol.
canadian conference on electrical and computer engineering | 2006
Jens R. Calamé; Nicolae Goga; Natalia Ioustinova; Jaco van de Pol
Railway control systems are safety-critical, so we have to ensure that they are designed and implemented correctly. Testing these systems is a key issue. Prior to system testing, the software of a railway control system is tested separately from the hardware. The interlocking is the layer of a railway control system that guarantees safety. It allows commands given by a user to be executed only if they are safe; unsafe commands are rejected. Railway interlockings are central to efficient and safe traffic management for railway infrastructure managers and operators. European integration requires new standards for specifying and testing interlockings. Here we propose an approach to testing interlockings with TTCN-3 and give an example of its application. The code of the interlockings is simulated during test execution. For assessing the quality of the tests, we propose an approach inspired by the classification tree method.
asia-pacific software engineering conference | 2005
Jens R. Calamé; Natalia Ioustinova; J.C. van de Pol; Natalia Sidorova
Conformance testing is one of the most rigorous and well-developed testing techniques. Model-based test generation is an essential phase of the conformance testing approach. The main problem in this phase is the explosion of the number of test cases, often caused by large or infinite data domains for input and output data. In this paper we propose a test generation framework based on the use of data abstraction and constraint solving to reduce the number of test cases. The approach is evaluated on the CEPS (Common Electronic Purse Specifications) case study.
Electronic Notes in Theoretical Computer Science | 2007
Jens R. Calamé; Natalia Ioustinova; Jaco van de Pol
Developing test suites is a costly and error-prone process. Model-based test generation tools facilitate this process by automatically generating test cases from system models. The applicability of these tools, however, depends on the size of the target systems. Here, we propose an approach to generating test cases by combining data abstraction, enumerative test generation and constraint solving. Given the concrete specification of a possibly infinite system, data abstraction allows one to derive an abstract system, which is finite and thus suitable for the automatic generation of abstract test cases with enumerative tools. To execute abstract test cases, we have to instantiate them with concrete data. For data selection we make use of constraint-solving techniques.
international workshop on model checking software | 2004
Dragan Bosnacki; Natalia Ioustinova; Natalia Sidorova
Abstractions often introduce infinite traces which have no corresponding traces at the concrete level and may lead to failure of the verification. Refinement does not always help to eliminate those traces. In this paper, we consider a timer abstraction that introduces a cyclic behaviour on abstract timers, and we show how one can exclude such cycles by imposing a strong fairness constraint on the abstract model. By exploiting the fact that the loop on the abstract timer is a self-loop, we turn the strong fairness constraint into a weak fairness constraint and embed it into the verification algorithm. We implemented the algorithm in the DTSpin model checker and showed its efficiency on case studies. The same approach can be used for other data abstractions that introduce self-loops.
FATES'05 Proceedings of the 5th international conference on Formal Approaches to Software Testing | 2005
Natalia Ioustinova; Jaco van de Pol; Axel Rennoch; Natalia Sidorova
Railway control systems are timed and safety-critical. Testing these systems is a key issue. Prior to system testing, the software of a railway control system is tested separately from the hardware. Here we show that real-time and scaled-time semantics are inefficient for testing this software. We provide a time semantics with simulated time and show that this semantics is more suitable for testing the software of railway control systems. TTCN-3 is a standardized language for specifying and executing test suites. It supports real time and scaled time, but not simulated time. We provide a solution that allows simulated-time testing with TTCN-3. Our solution is based on Dijkstra's distributed termination detection algorithm. The solution is implemented and can be reused for simulated-time testing of other systems with similar characteristics.
international conference on concurrency theory | 2002
Wan Fokkink; Natalia Ioustinova; Ernst Kesseler; Jaco van de Pol; Yaroslav S. Usenko; Yuri A. Yushtein
In order to optimise maintenance and increase safety, the Royal Netherlands Navy initiated the development of a multi-channel on-board data acquisition system for its Lynx helicopters. This AIDA (Automatic In-flight Data Acquisition) system records usage and load data on the main rotor, engines and airframe. We used refinement in combination with model checking to arrive at a formally verified prototype implementation of the AIDA system, starting from the functional requirements.
international andrei ershov memorial conference on perspectives of system informatics | 2006
Thomas Deiß; Natalia Ioustinova; Ari Kontio; Jan Cornelis van de Pol; Axel Rennoch; Natalia Sidorova
formal methods | 2003
Natalia Ioustinova; Natalia Sidorova; Martin Steffen
Formal methods, in particular model checking, are increasingly accepted as an integral part of system development. With large software systems beyond the range of fully automatic verification, however, a combination of decomposition and abstraction techniques is needed. To model check components of a system, a standard approach is to close the component with an abstraction of its environment, as standard model checkers often do not handle open reactive systems directly. To make this useful in practice, the closing of the component should be automatic, both for data and for control abstraction. Specifically for model checking asynchronous open systems, external input queues should be removed, as they are a potential source of combinatorial state explosion.