Test Input Generation for Red-Black Trees using Abstraction

We consider the problem of test input generation for code that manipulates complex data structures. Test inputs are sequences of method calls from the data structure interface. We describe test input generation techniques that rely on state matching to avoid generation of redundant tests. Exhaustive techniques use explicit state model checking to explore all the possible test sequences up to predefined input sizes. Lossy techniques rely on abstraction mappings to compute and store abstract versions of the concrete states; they explore under-approximations of all the possible test sequences. We have implemented the techniques on top of the Java PathFinder model checker and we evaluate them using a Java implementation of red-black trees

Predicate Abstraction with Under-approximation Refinement

We propose an abstraction-based model checking method which relies on refinement of an under-approximation of the feasible behaviors of the system under analysis. The method preserves errors to safety properties, since all analyzed behaviors are feasible by definition. The method does not require an abstract transition relation to be generated, but instead executes the concrete transitions while storing abstract versions of the concrete states, as specified by a set of abstraction predicates. For each explored transition the method checks, with the help of a theorem prover, whether there is any loss of precision introduced by abstraction. The results of these checks are used to decide termination or to refine the abstraction by generating new abstraction predicates. If the (possibly infinite) concrete system under analysis has a finite bisimulation quotient, then the method is guaranteed to eventually explore an equivalent finite bisimilar structure. We illustrate the application of the approach for checking concurrent programs.Comment: 22 pages, 3 figures, accepted for publication in Logical Methods in Computer Science journal (special issue CAV 2005

ABSTRACT Test Input Generation for Red-Black Trees using Abstraction

We consider the problem of test input generation for code that manipulates complex data structures. Test inputs are sequences of method calls from the data structure interface. We describe test input generation techniques that rely on state matching to avoid generation of redundant tests. Exhaustive techniques use explicit state model checking to explore all the possible test sequences up to predefined input sizes. Lossy techniques rely on abstraction mappings to compute and store abstract versions of the concrete states; they explore under-approximations of all the possible test sequences. We have implemented the techniques on top of the Java PathFinder model checker and we evaluate them using a Java implementation of red-black trees

Model-Checking symbolique pour la vérification de systèmes et son application aux tables de décision et aux systèmes d'éditions collaboratives distribuées

Résumé Dans le cycle de vie de tout système logiciel, une phase cruciale de formalisation et de validation au moyen de vérification et/ou de test induit une identification d'erreurs probables infiltrées durant sa conception. Cette détection d'erreurs et leur correction sont avantageuses dans les premières phases de développement du système afin d'éviter tout retour aux travaux ardus d'analyse de spécifications et de modélisation du système précédant sa réalisation. Par conséquent, cette étape mise en oeuvre à travers des méthodes et des outils formels dans les phases amont de la conception contribue à augmenter la confiance des concepteurs et utilisateurs vis-à-vis de la fonctionnalité du système. L'objectif de cette maîtrise s'insère dans le cadre d'une recherche qui vise à exploiter une technique formelle spécifique d'analyse de programmes et de spécifications: l'exécution symbolique combinée au model-checking. Cette technique représente une approche émergente à laquelle les chercheurs ont porté une attention particulière ces dernières années. D'une part, l'exécution symbolique permet d'explorer les chemins d'exécution possibles d'un programme modélisant un système avec des variables d'entrée non initialisées, en d'autres termes en manipulant des variables abstraites ou "symboliques". Ces chemins caractérisent ainsi le comportement du programme de manière abstraite. D'autre part, le model-checking permet d'explorer systématiquement ces différents chemins d'exécution à l'aide d'une énumération exhaustive des états accessibles afin de générer ultérieurement des contreexemples en cas de violation de propriétés du système. De ce fait, l'exécution symbolique combinée au model-checking englobe les points forts de ces deux techniques octroyant aux concepteurs du système une compréhension accrue des situations d'erreur dans les contre-exemples ainsi générés.----------Abstract Verification is one crucial activity in any software life cycle. Its major role is to ensure an identification of potential design and implementation flaws integrated in the software system during its development process. Such an identification leads to eventual corrections in the early steps of the development cycle, thus avoiding tedious work otherwise required in the system requirements' reanalysis as well as in its remodelling preceding its deployment. As a consequence, the verification step is rigorously put into practice through formal methods and tools. Given such a formalisation contributes to give another level of insurance to both the system's designers and users. This thesis is related to a research which aims at applying one specific formal method in program and requirements analysis: symbolic execution intertwined with model checking. This technique has known a major development in the past few years, thus raising interest among researchers in the field. On one hand, symbolic execution explores all possible execution paths of a program modelling a system using uninitialised input variables. As its name implies, this specific execution deals with abstract or "symbolic" variables. Hence, those visited paths characterise the abstract program behaviour. On another hand, model checking ensures a systematic exploration of those different execution paths through an exhaustive visit of all reachable states. This approach is necessary for subsequent generation of counterexamples in case of property violations within the system. Therefore, symbolic execution along with model checking is a resulting approach enforced with advantages of both techniques. This yields a higher degree of interpreting the retrieved flaws provided through generated counterexamples, for even the most sophisticated systems