22 research outputs found
Diagrammatic Languages and Formal Verification : A Tool-Based Approach
The importance of software correctness has been accentuated as a growing number of safety-critical systems have been developed relying on software operating these systems. One of the more prominent methods targeting the construction of a correct program is formal verification. Formal verification identifies a correct program as a program that satisfies its specification and is free of defects. While in theory formal verification guarantees a correct implementation with respect to the specification, applying formal verification techniques in practice has shown to be difficult and expensive. In response to these challenges, various support methods and tools have been suggested for all phases from program specification to proving the derived verification conditions. This thesis concerns practical verification methods applied to diagrammatic modeling languages.
While diagrammatic languages are widely used in communicating system design (e.g., UML) and behavior (e.g., state charts), most formal verification platforms require the specification to be written in a textual specification language or in the mathematical language of an underlying logical framework. One exception is invariant-based programming, in which programs together with their specifications are drawn as invariant diagrams, a type of state transition diagram annotated with intermediate assertions (preconditions, postconditions, invariants). Even though the allowed program statesâcalled situationsâare described diagrammatically, the intermediate assertions defining a situationâs meaning in the domain of the program are still written in conventional textual form. To explore the use of diagrams in expressing the intermediate assertions of invariant diagrams, we designed a pictorial language for expressing array properties. We further developed this notation into a diagrammatic domain-specific language (DSL) and implemented it as an extension to the Why3 platform. The DSL supports expression of array properties. The language is based on Reynoldsâs interval and partition diagrams and includes a construct for mapping array intervals to logic predicates.
Automated verification of a program is attained by generating the verification conditions and proving that they are true. In practice, full proof automation is not possible except for trivial programs and verifying even simple properties can require significant effort both in specification and proof stages. An animation tool which supports run-time evaluation of the program statements and intermediate assertions given any user-defined input can support this process. In particular, an execution trace leading up to a failed assertion constitutes a refutation of a verification condition that requires immediate attention. As an extension to Socos, a verificion tool for invariant diagrams built on top of the PVS proof system, we have developed an execution model where program statements and assertions can be evaluated in a given program state. A program is represented by an abstract datatype encoding the program state, together with a small-step state transition function encoding the evaluation of a single statement. This allows the programâs runtime behavior to be formally inspected during verification. We also implement animation and interactive debugging support for Socos.
The thesis also explores visualization of system development in the context of model decomposition in Event-B. Decomposing a software system becomes increasingly critical as the system grows larger, since the workload on the theorem provers must be distributed effectively. Decomposition techniques have been suggested in several verification platforms to split the models into smaller units, each having fewer verification conditions and therefore imposing a lighter load on automatic theorem provers. In this work, we have investigated a refinement-based decomposition technique that makes the development process more resilient to change in specification and allows parallel development of sub-models by a team. As part of the research, we evaluated the technique on a small case study, a simplified version of a landing gear system verification presented by Boniol and Wiels, within the Event-B specification language.Vikten av programvaras korrekthet har accentuerats dÄ ett vÀxande antal sÀkerhetskritiska system, vilka Àr beroende av programvaran som styr dessa, har utvecklas. En av de mer framtrÀdande metoderna som riktar in sig pÄ utveckling av korrekt programvara Àr formell verifiering. Inom formell verifiering avses med ett korrekt program ett program som uppfyller sina specifikationer och som Àr fritt frÄn defekter. Medan formell verifiering teoretiskt sett kan garantera ett korrekt program med avseende pÄ specifikationerna, har tillÀmpligheten av formella verifieringsmetod visat sig i praktiken vara svÄr och dyr. Till svar pÄ dessa utmaningar har ett stort antal olika stödmetoder och automatiseringsverktyg föreslagits för samtliga faser frÄn specifikationen till bevisningen av de hÀrledda korrekthetsvillkoren. Denna avhandling behandlar praktiska verifieringsmetoder applicerade pÄ diagrambaserade modelleringssprÄk.
Medan diagrambaserade sprĂ„k ofta anvĂ€nds för kommunikation av programvarudesign (t.ex. UML) samt beteende (t.ex. tillstĂ„ndsdiagram), krĂ€ver de flesta verifieringsplattformar att specifikationen kodas medelst ett textuellt specifikationsspĂ„k eller i sprĂ„ket hos det underliggande logiska ramverket. Ett undantag Ă€r invariantbaserad programmering, inom vilken ett program tillsammans med dess specifikation ritas upp som sk. invariantdiagram, en typ av tillstĂ„ndstransitionsdiagram annoterade med mellanliggande logiska villkor (förvillkor, eftervillkor, invarianter). Ăven om de tillĂ„tna programtillstĂ„ndenâsk. situationerâbeskrivs diagrammatiskt Ă€r de logiska predikaten som beskriver en situations betydelse i programmets domĂ€n fortfarande skriven pĂ„ konventionell textuell form. För att vidare undersöka anvĂ€ndningen av diagram vid beskrivningen av mellanliggande villkor inom invariantbaserad programming, har vi konstruerat ett bildbaserat sprĂ„k för villkor över arrayer. Vi har dĂ€refter vidareutvecklat detta sprĂ„k till ett diagrambaserat domĂ€n-specifikt sprĂ„k (domain-specific language, DSL) och implementerat stöd för det i verifieringsplattformen Why3. SprĂ„ket lĂ„ter anvĂ€ndaren uttrycka egenskaper hos arrayer, och Ă€r baserat pĂ„ Reynolds intevall- och partitionsdiagram samt inbegriper en konstruktion för mappning av array-intervall till logiska predikat.
Automatisk verifiering av ett program uppnÄs genom generering av korrekthetsvillkor och Ätföljande bevisning av dessa. I praktiken kan full automatisering av bevis inte uppnÄs utom för trivial program, och Àven bevisning av enkla egenskaper kan krÀva betydande anstrÀngningar bÄde vid specifikations- och bevisfaserna. Ett animeringsverktyg som stöder exekvering av sÄvÀl programmets satser som mellanliggande villkor för godtycklig anvÀndarinput kan vara till hjÀlp i denna process. SÀrskilt ett exekveringspÄr som leder upp till ett falskt mellanliggande villkor utgör ett direkt vederlÀggande (refutation) av ett bevisvillkor, vilket krÀver omedelbar uppmÀrksamhet frÄn programmeraren. Som ett tillÀgg till Socos, ett verifieringsverktyg för invariantdiagram baserat pÄ bevissystemet PVS, har vi utvecklat en exekveringsmodell dÀr programmets satser och villkor kan evalueras i ett givet programtillstÄnd. Ett program representeras av en abstrakt datatyp för programmets tillstÄnd tillsammans med en small-step transitionsfunktion för evalueringen av en enskild programsats. Detta möjliggör att ett programs exekvering formellt kan analyseras under verifieringen. Vi har ocksÄ implementerat animation och interaktiv felsökning i Socos.
Avhandlingen undersöker ocksÄ visualisering av systemutveckling i samband med modelluppdelning inom Event-B. Uppdelning av en systemmodell blir allt mer kritisk dÄ ett systemet vÀxer sig större, emedan belastningen pÄ underliggande teorembe visare mÄste fördelas effektivt. Uppdelningstekniker har föreslagits inom mÄnga olika verifieringsplattformar för att dela in modellerna i mindre enheter, sÄ att varje enhet har fÀrre verifieringsvillkor och dÀrmed innebÀr en mindre belastning pÄ de automatiska teorembevisarna. I detta arbete har vi undersökt en refinement-baserad uppdelningsteknik som gör utvecklingsprocessen mer kapabel att hantera förÀndringar hos specifikationen och som tillÄter parallell utveckling av delmodellerna inom ett team. Som en del av forskningen har vi utvÀrderat tekniken pÄ en liten fallstudie: en förenklad modell av automationen hos ett landningsstÀll av Boniol and Wiels, uttryckt i Event-B-specifikationsprÄket
Fundamental Approaches to Software Engineering
This open access book constitutes the proceedings of the 23rd International Conference on Fundamental Approaches to Software Engineering, FASE 2020, which took place in Dublin, Ireland, in April 2020, and was held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020. The 23 full papers, 1 tool paper and 6 testing competition papers presented in this volume were carefully reviewed and selected from 81 submissions. The papers cover topics such as requirements engineering, software architectures, specification, software quality, validation, verification of functional and non-functional properties, model-driven development and model transformation, software processes, security and software evolution
Domain- and Quality-aware Requirements Engineering for Law-compliant Systems
Titel in deutscher Ăbersetzung: DomĂ€nen- und qualitĂ€tsgetriebene Anforderungserhebung fĂŒr gesetzeskonforme Systeme
Der bekannte Leitsatz in der Anforderungserhebung und -analyse besagt, dass es schwierig ist, das richtige System zu bauen, wenn man nicht weiĂ, was das 'Richtige' eigentlich ist. Es existieren ĂŒberzeugende Belege, dass dieser Leitsatz die Notwendigkeit der Anforderungserhebung und -analyse exakt definiert
und beschreibt. Zum Beispiel ergaben Studien, dass das Beheben von Defekten in einer Software, die bereits produktiv genutzt wird, bis zu 80 mal so teuer ist wie das frĂŒhzeitige Beheben der korrespondierenden Defekte in den Anforderungen. Generell hat es sich gezeigt, dass das DurchfĂŒhren einer angemessenen
Anforderungserhebung und -analyse ein wichtiger Erfolgsfaktor fĂŒr
Softwareentwicklungsprojekte ist. WĂ€hrend der Progression von den initialen WĂŒnschen der beteiligten Interessensvertretern fĂŒr ein zu entwickelndes System zu einer Spezifikation fĂŒr eben dieses Systems mĂŒssen Anforderungsanalysten einen komplexen Entscheidungsprozess durchlaufen, der die initialen WĂŒnsche in
die Spezifikation ĂŒberfĂŒhrt. TatsĂ€chlich wird das Treffen von Entscheidungen als integraler Bestandteil der Anforderungsanalyse gesehen. In dieser Arbeit werden wir versuchen zu verstehen welche AktivitĂ€ten und Information von Nöten sind, um eine fundierte Auswahl von Anforderungen vorzunehmen, welche Herausforderungen damit verbunden sind, wie eine ideale Lösung zur Anforderungswahl aussehen könnte und in welchen Bereichen der aktuelle Stand der Technik in Bezug auf diese ideale Lösung lĂŒckenhaft ist.
Innerhalb dieser Arbeit werden wir die Informationen, die notwendig fĂŒr eine fundierte Anforderungsauswahl sind, identifizieren, einen Prozess prĂ€sentieren, um diese notwendigen Informationen zu sammeln, die Herausforderungen herausstellen, die durch diesen Prozess und die damit verbundenen AktivitĂ€ten adressiert werden und eine Auswahl von Methoden diskutieren, mit deren Hilfe man
die AktivitĂ€ten des Prozesses umsetzen kann. Die gesammelten Informationen werden dann fĂŒr eine automatisierte Anforderungsauswahl verwendet. FĂŒr die Auswahl kommt ein Optimierungsmodell, das Teil des Beitrags dieser Arbeit ist,
zum Einsatz. Da wir wĂ€hrend der Erstellung dieser Arbeit zwei groĂe LĂŒcken im Stand der Technik bezĂŒglich unseres Prozesses und der damit verbundenen AktivitĂ€ten identifiziert haben, prĂ€sentieren wir darĂŒber hinaus zwei neuartige Methoden fĂŒr die Kontexterhebung und die Erhebung von rechtlichen Anforderungen, um diese LĂŒcken zu schlieĂen. Diese Methoden sind Teil des Hauptbeitrags dieser
Arbeit.
Unsere Lösung fĂŒr der Erhebung des Kontext fĂŒr ein zu entwickelndes System ermöglicht das Etablieren eines domĂ€nenspezifischen Kontextes unter Zuhilfenahme von Mustern fĂŒr verschiedene DomĂ€nen. Diese Kontextmuster erlauben eine strukturierte Erhebung und Dokumentation aller relevanten Interessensvertreter
und technischen EntitĂ€ten fĂŒr ein zu entwickelndes System. Sowohl die
Dokumentation in Form von grafischen Musterinstanzen und textuellen Vorlageninstanzen als auch die Methode zum Sammeln der notwendigen Informationen sind expliziter Bestandteil jedes Kontextmusters. ZusĂ€tzlich stellen wir auch Hilfsmittel fĂŒr die Erstellung neuer Kontextmuster und das Erweitern der in
dieser Arbeit prĂ€sentierten Kontextmustersprache zur VerfĂŒgung.
Unsere Lösung fĂŒr die Erhebung von rechtlichen Anforderungen basiert auch auf Mustern und stellt eine Methode bereit, welche es einem erlaubt, die relevanten Gesetze fĂŒr ein zu erstellendes System, welches in Form der funktionalen Anforderungen bereits beschrieben sein muss, zu identifizieren und welche die bestehenden funktionalen Anforderungen mit den rechtlichen Anforderungen verknĂŒpft. Diese Methode beruht auf der Zusammenarbeit zwischen
Anforderungsanalysten und Rechtsexperten und schlieĂt die VerstĂ€ndnislĂŒcke zwischen ihren verschiedenartigen Welten.
Wir veranschaulichen unseren Prozess unter der Zuhilfenahme eines durchgehenden Beispiels aus dem Bereich der service-orientierten Architekturen. ZusÀtzlich prÀsentieren wir sowohl die Ergebnisse der Anwendung unseres Prozesses (bzw. Teilen davon) auf zwei reale FÀlle aus den Bereichen von Smart Grids und Wahlsystemen, als auch alle anderen Ergebnisse der wissenschaftlichen Methoden, die wir genutzt haben, um unsere Lösung zu fundieren und validieren.The long known credo of requirements engineering states that it is challenging to build the right system if you do not know what right is. There is strong evidence that this credo exactly defines and describes the necessity of requirements engineering. Fixing a defect when it is already fielded is reported to be up to eighty times more expensive than fixing the corresponding requirements defects early on. In general, conducting sufficient requirements engineering has shown to be a crucial success factor for software development projects. Throughout the progression from initial stakeholders' wishes regarding the system-to-be to a specification for the
system-to-be requirements engineers have to undergo a complex decision process for forming the actual plan connecting stakeholder wishes and the final specification. Indeed, decision making is considered to be an inherent part of requirements engineering. In this thesis, we try to understand which activities and information are needed for selecting requirements, which the challenges are, how an ideal solution for selecting requirements would look like, and where the current state of the art is deficient regarding the ideal solution.
Within this thesis we identify the information necessary for an informed requirements selection, present a process in which one collects all the necessary information, highlight the challenges to be addressed by this process and its activities, and a selection of methods to conduct the activities of the process. All the collected information is then used for an automated requirements selection using an optimization model which is also part of the contribution of this thesis. As we identified two major gaps in the state of the art considering the proposed process and its activities, we also present two
novel methods for context elicitation and for legal compliance requirements elicitation to fill the gaps as part of the main contribution.
Our solution for context elicitation enables a domain-specific context
establishment based on patterns for different domains. The context patterns allow a structured elicitation and documentation of relevant stakeholders and technical entities for a system-to-be. Both, the documentation in means of graphical pattern instances and textual template instances as well as the method for collecting the necessary information are explicitly given in each context pattern. Additionally, we also provide the means which are necessary to derive new context patterns and extend our context patterns language which is part of this thesis.
Our solution for legal compliance requirements elicitation is a pattern-based and guided method which lets one identify the relevant laws for a system-to-be, which is described in means of functional requirements, and which intertwines the functional requirements with the according legal requirements. This method relies on the collaboration of requirements engineers and legal experts, and
bridges the gap between their distinct worlds.
Our process is exemplified using a running example in the domain of service oriented architectures. Additionally, the results of applying (parts of) the process to real life cases from the smart grid domain and voting system domain are presented, as well as all other results from the scientific means we took to ground and validate the proposed solutions
Hybrid model checking approach to analysing rule conformance applied to HIPAA privacy rules, A
2017 Summer.Includes bibliographical references.Many of today's computing systems must show evidence of conformance to rules. The rules may come from business protocol choices or from multi-jurisdictional sources. Some examples are the rules that come from the regulations in the Health Insurance Portability and Accountability Act (HIPAA) protecting the privacy of patient information and the Family Educational Rights and Privacy Act (FERPA) protecting the privacy of student education records. The rules impose additional requirements on already complex systems, and rigorous analysis is needed to show that any system implementing the rules exhibit conformance. If the analysis finds that a rule is not satisfied, we adjudge that the system fails conformance analysis and that it contains a fault, and this fault must be located in the system and fixed. The exhaustive analysis performed by Model Checking makes it suitable for showing that systems satisfy conformance rules. Conformance rules may be viewed in two, sometimes overlapping, categories: process- aware conformance rules that dictate process sequencing, and data-aware conformance rules that dictate acceptable system states. Where conformance rules relate to privacy, the analysis performed in model check- ing requires the examination of fine-grained structural details in the system state for showing conformance to data-aware conformance rules. The analysis of these rules may cause model checking to be intractable due to a state space explosion when there are too many system states or too many details in a system state. To over- come this intractable complexity, various abstraction techniques have been proposed that achieve a smaller abstracted system state model that is more amenable to model checking. These abstraction techniques are not useful when the abstractions hide the details necessary to verify conformance. If non-conformance occurs, the abstraction may not allow isolation of the fault. In this dissertation, we introduce a Hybrid Model Checking Approach (HMCA) to analyse a system for both process- and data-aware conformance rules without abstracting the details from a system's detailed process- and data models. Model Checking requires an analysable model of the system under analysis called a program graph and a representation of the rules that can be checked on the program graph. In our approach, we use connections between a process-oriented (e.g. a Unified Modelling Language (UML) activity model) and a data-oriented (e.g. UML class model) to create a unified paths-and-state system model. We represent this unified model as a UML state machine. The rule-relevant part of the state machine along with a graph-oriented formalism of the rules are the inputs to HMCA. The model checker uses an exhaustive unfolding of the program graph to produce a transition system showing all the program graph's reachable paths and states. Intractable complexity during model checking is encountered when trying to create the transition system. In HMCA, we use a divide and conquer approach that applies a slicing technique on the program graph to semi- automatically produce the transition system by analysing each slice individually, and composing its result with the results from other slices. Our ability to construct the transition system from the slices relieves a traditional model checker of that step. We then return to use model checking techniques to verify whether the transition system satisfies the rules. Since the analysis involves examining system states, if any of the rules are not satisfied, we can isolate the specific location of the fault from the details contained in the slices. We demonstrate our technique on an instance of a medical research system whose requirements include the privacy rules mandated by HIPAA. Our technique found seeded faults for common mistakes in logic that led to non-conformance and underspecification leading to conflicts of interests in personnel relationships
Computing repairs for constraint violations in UML/OCL conceptual schemas
Updating the contents of an information base may violate some of the constraints defined over the schema. The classical way to deal with this problem has been to reject the requested update when its application would lead to some constraint violation. We follow here an alternative approach aimed at automatically computing the repairs of an update, i.e., the minimum additional changes that, when applied together with the requested update, bring the information base to a new state where all constraints are satisfied. Our approach is independent of the language used to define the schema and the constraints, since it is based on a logic formalization of both, although we apply it to UML and OCL because they are widely used in the conceptual modeling community. Our method can be used for maintaining the consistency of an information base after the application of some update, and also for dealing with the problem of fixing up non-executable operations. The fragment of OCL that we use to define the constraints has the same expressiveness as relational algebra and we also identify a subset of it which provides some nice properties in the repair-computation process. Experiments are conducted to analyze the efficiency of our approach.Peer ReviewedPostprint (author's final draft
Animation-Based Service Specification, Verification and Validation
[Context] With the expansion of services and service science, service systems have become an important abstraction for the service revolution. Service is defined as the application of resources (including competences, skills, and knowledge) to make changes that have value for another (system). The service system is a configuration of people, technologies, and other resources that interact with other service systems to create mutual value. Many systems can be viewed as service systems, including families, cities, and companies, among many others. Therefore, services became very important for unifying concepts from various disciplines. Service specifications are used to represent service systems on different levels of abstraction: from business down to IT. [Motivation and Problem] Traditionally, high-level service specifications are used only for communication among different participants, to catalyze the discussions between them; but only the specifications modeling IT systems have enough details to be simulated and executed. As a consequence, it becomes difficult to create precise high-level specifications and make sure that the implemented services are those that correspond to the business needs, potentially leading to severe project problems. Therefore, the challenge is to create abstract, yet precise service specifications, while keeping the relation between specifications at different levels of abstraction. [Idea and Results] In this work, we use formal methods and code generation techniques to create service-prototypes from service specifications at any level of abstraction, keeping the relations between different specifications. Stakeholders can try out the prototypes and give feedback regarding services that are being provided. This way, prototypes are used to validate the specifications and detect inconsistencies and unexpected behavior. [Contribution] The contributions of our work are threefold. First, we provide the visual formalism for service specification and simulation, by adding the necessary concepts to the existing method SEAM. Second, we define two design spirals: for service specification and for service validation and verification. The service specification spiral enables us to keep the relation between several service specifications. It includes steps with explicit design decisions on how to refine high-level specifications in order to include all the details necessary for providing the identified services. The validation and verification spiral is used to validate and verify specifications at any level of abstraction. Finally, it provides an environment that enables the simulation and prototyping of service specifications that are then used for their validation and verification. [Relevance] In addition to the theoretical contribution to the knowledge base of service design, we also provide the tools and guidelines that help business and IT analysts create and validate the service model, as confirmed by a survey conducted with practitioners. We illustrate the application of this work with a case study based on a consulting project we conducted at EPFL
Modeling and Analysis of Software Product Line Variability in Clafer
Both feature and class modeling are used in Software Product Line (SPL) engineering to model variability. Feature models are used primarily to represent user-visible characteristics (i.e., features) of products; whereas class models are often used to model types of components and connectors in a product-line architecture.
Previous works have explored the approach of using a single language to express both configurations of features and components. Their goal was to simplify the definition and analysis of feature-to-component mappings and to allow modeling component options as features. A prominent example of this approach is cardinality-based feature modeling, which extends feature models with multiple instantiation and references to express component-like, replicated features. Another example is to support feature modeling in a class modeling language, such as UML or MOF, using their profiling mechanisms and a stylized use of composition. Both examples have notable drawbacks: cardinality-based feature modeling lacks a constraint language and a well-defined semantics; encoding feature models as class models and their evolution bring extra complexity.
This dissertation presents Clafer (class, feature, reference), a class modeling language with first-class support for feature modeling. Clafer can express rich structural models augmented with complex constraints, i.e., domain, variability, component models, and meta-models. Clafer supports: (i) class-based meta-models, (ii) object models (with uncertainty, if needed), (iii) feature models with attributes and multiple instantiation, (iv) configurations of feature models, (v) mixtures of meta- and feature models and model templates, and (vi) first-order logic constraints.
Clafer also makes it possible to arrange models into multiple specialization and extension layers via constraints and inheritance. On the other hand, in designing Clafer we wanted to create a language that builds upon as few concepts as possible, and is easy to learn. The language is supported by tools for SPL verification and optimization.
We propose to unify basic modeling constructs into a single concept, called clafer. In other words, Clafer is not a hybrid language. We identify several key mechanisms allowing a class modeling language to express feature models concisely. We provide Clafer with a formal semantics built in a novel, structurally explicit way. As Clafer subsumes cardinality-based feature modeling with attributes, references, and constraints, we are the first to precisely define semantics of such models.
We also explore the notion of partial instantiation that allows for modeling with uncertainty and variability. We show that Object-Oriented Modeling (OOM) languages with no direct support for partial instances can support them via class modeling, using subclassing and strengthening multiplicity constraints. We make the encoding of partial instances via subclassing precise and general. Clafer uses this encoding and pushes the idea even further: it provides a syntactic unification of types and (partial) instances via subclassing and redefinition.
We evaluate Clafer analytically and experimentally. The analytical evaluation shows that Clafer can concisely express feature and meta-models via a uniform syntax and unified semantics. The experimental evaluation shows that: 1) Clafer can express a variety of realistic rich structural models with complex constraints, such as variability models, meta-models, model templates, and domain models; and 2) that useful analyses can be performed within seconds
Scalable Model-based Robustness Testing: Novel Methodologies and Industrial Application
Embedded systems, as for example communication and control systems, are being increasingly used in our daily lives and hence require thorough and systematic testing before their actual use. Many of these systems interact with their environment and, therefore, their functionality is largely dependent on this environment whose behavior can be unpredictable. Robustness testing aims at testing the behavior of a system in the presence of faulty situations in its operating environment (e.g., sensors and actuators). In such situations, the system should gracefully degrade its performance instead of abruptly stopping execution. To systematically perform robustness testing, one option is to resort to Model-Based Robustness Testing (MBRT), which is a systematic, rigorous, and automated way of conducting robustness testing. However, to successfully apply MBRT in industrial contexts, new technologies need to be developed to scale to the complexity of real industrial systems. This thesis presents a solution for MBRT on industrial systems, including scalable robustness modeling and executable test case generation.
One important contribution of this thesis is a scalable RobUstness Modeling Methodology (RUMM), which is achieved using Aspect-Oriented Modeling (AOM). It is a complete, automated, and practical methodology that covers all features of state machines and aspect concepts necessary for MBRT. Such methodology, relying on a standard (Unified Modeling Language or UML) and using the target notation as the basis to model the aspects themselves, is expected to make the practical adoption of robustness modeling easier in industrial contexts. The applicability of the methodology is demonstrated using an industrial case study. Results showed that the approach significantly reduced modeling effort (98% on average), improved separation of concerns, and eased model evolution. The approach is further empirically evaluated using two controlled experiments involving human subjects and results showed that the proposed methodology significantly improves the readability of models as compared to modeling using standard UML notations.
Another important contribution of this thesis is an efficient approach for solving constraints (written in Objects Constraint Language (OCL)) on the operating environment of a system, which is mandatory for emulating faulty situation in the environment for the purpose of MBRT. A set of novel heuristics is devised for various OCL constructs, which are required for the application of search algorithms. The heuristics have been empirically evaluated on an industrial case study for robustness testing and the results showed to be very promising and significantly better than the existing works in the literature on OCL constraint solvers.
A final contribution of the thesis is robustness test case generation from the models developed using RUMM. Test case generation also includes scripts generation for environment emulation, which is mandatory for automated robustness testing again using an industrial case study. In preliminary experiments, the execution of test cases found one critical, robustness fault in a deployed industrial system