Using formal methods to support testing
Formal methods and testing are two important approaches that assist in the development of high quality software. While traditionally these approaches have been seen as rivals, in recent
years a new consensus has developed in which they are seen as complementary. This article reviews the state of the art regarding ways in which the presence of a formal specification can be used to assist testing
Reachability of Communicating Timed Processes
We study the reachability problem for communicating timed processes, both in
discrete and dense time. Our model comprises automata with local timing
constraints communicating over unbounded FIFO channels. Each automaton can only
access its set of local clocks; all clocks evolve at the same rate. Our main
contribution is a complete characterization of decidable and undecidable
communication topologies, for both discrete and dense time. We also obtain
complexity results, by showing that communicating timed processes are at least
as hard as Petri nets; in the discrete time, we also show equivalence with
Petri nets. Our results follow from mutual topology-preserving reductions
between timed automata and (untimed) counter automata. Comment: Extended versio
Generalising feature interactions in email
We report on a property-based approach to feature interaction analysis for a client-server email system. The model is based upon Hall's email model presented at FIW'00, but the implementation is at a lower level of abstraction, employing non-determinism and asynchronous communication; it is a challenge to avoid deadlock and race conditions. The analysis is more extensive in two ways: interaction analysis is fully automated, based on model-checking the entire state-space, and results are scalable, that is, they generalise to email systems consisting of any number of email clients. Abstraction techniques are used to prove general results. The key idea is to model-check a system consisting of a constant number (m) of client processes, in parallel with a mailer process and an "abstract" process which represents the product of any number of other (unfeatured, isomorphic) client processes. We give a lower bound for the value of m. All of the models, for any specified set of client processes and selected features, are generated automatically using Perl scripts
On the use of observation equivalence in synthesis abstraction
In a previous paper we introduced the notion of synthesis abstraction, which allows efficient compositional synthesis of maximally permissive supervisors for large-scale systems of composed finite-state automata. In the current paper, observation equivalence is studied in relation to synthesis abstraction. It is shown that general observation equivalence is not useful for synthesis abstraction. Instead, we introduce additional conditions strengthening observation equivalence, so that it can be used with the compositional synthesis method. The paper concludes with an example showing the suitability of these relations to achieve substantial state reduction while computing a modular supervisor
Conflict-preserving abstraction of discrete event systems using annotated automata
This paper proposes to enhance compositional verification of the nonblocking property of discrete event systems by introducing annotated automata. Annotations store nondeterministic branching information, which would otherwise be stored in extra states and transitions. This succinct representation makes it easier to simplify automata and enables new efficient means of abstraction, reducing the size of automata to be composed and thus the size of the synchronous product state space encountered in verification. The abstractions proposed are of polynomial complexity, and they have been successfully applied to model check the nonblocking property of the same set of large-scale industrial examples as used in related work
Seven abstraction rules preserving generalised nonblocking
This working paper proposes a compositional approach to verify the generalised nonblocking property of discrete-event systems. Generalised nonblocking is introduced in [15] to overcome weaknesses of the standard nonblocking check in discrete-event systems and increase the scope of liveness properties that can be handled. This paper addresses the question of how generalised nonblocking can be verified efficiently. The explicit construction of the complete state space is avoided by first composing and simplifying individual components in ways that preserve generalised nonblocking. The paper extends and generalises previous results about compositional verification of standard nonblocking and lists a new set of computationally feasible abstraction rules for standard and generalised nonblocking
Compositional nonblocking verification with always enabled events and selfloop-only events
This paper proposes to improve compositional nonblocking verification through the use of always enabled and selfloop-only events. Compositional verification involves abstraction to simplify parts of a system during verification. Normally, this abstraction is based on the set of events not used in the remainder of the system, i.e., in the part of the system not being simplified. Here, it is proposed to exploit more knowledge about the system and abstract events even though they are used in the remainder of the system. Abstraction rules from previous work are generalised, and experimental results demonstrate the applicability of the resulting algorithm to verify several industrial-scale discrete event system models, while achieving better state-space reduction than before