
    Syntactic Abstraction of B Models to Generate Tests

    In a model-based testing approach as well as for the verification of properties, B models provide an interesting solution. However, for industrial applications, the size of their state space often makes them hard to handle. To reduce the amount of states, an abstraction function can be used, often combining state variable elimination and domain abstractions of the remaining variables. This paper complements previous results, based on domain abstraction for test generation, by adding a preliminary syntactic abstraction phase, based on variable elimination. We define a syntactic transformation that suppresses some variables from a B event model, in addition to a method that chooses relevant variables according to a test purpose. We propose two methods to compute an abstraction A of an initial model M. The first one computes A as a simulation of M, and the second one computes A as a bisimulation of M. The abstraction process produces a finite state system. We apply this abstraction computation to a Model Based Testing process. Comment: Tests and Proofs 2010, Malaga, Spain (2010).

    PLTL Partitioned Model Checking for Reactive Systems under Fairness Assumptions

    We are interested in verifying dynamic properties of finite state reactive systems under fairness assumptions by model checking. The systems we want to verify are specified through a top-down refinement process. In order to deal with the state explosion problem, we have proposed in previous works to partition the reachability graph, and to perform the verification on each part separately. Moreover, we have defined a class, called Bmod, of dynamic properties that are verifiable by parts, whatever the partition. We decide if a property P belongs to Bmod by looking at the form of the Büchi automaton that accepts the negation of P. However, when a property P belongs to Bmod, the property f => P, where f is a fairness assumption, does not necessarily belong to Bmod. In this paper, we propose to use the refinement process in order to build the parts on which the verification has to be performed. We then show that with such a partition, if a property P is verifiable by parts and if f is the expression of the fairness assumptions on a system, then the property f => P is still verifiable by parts. This approach is illustrated by its application to the chip card protocol T=1 using the B engineering design language.

    Generating Tests from {B} Specifications and Test Purposes

    This paper is about generating tests from test purposes, in addition to structural tests. We present a method that re-uses a behavioural model and an abstract test concretization layer developed for structural testing, and relies on additional test purposes. We propose, in the B framework, a process of test generation that uses the symbolic animation mechanisms of LTG (Leirios Test Generator) based on constraint solving, and guided by the test purposes. We build for that a B animable model that is the synchronized product of a behavioural B abstract model and a test purpose described as a labelled transition system. We prove the correctness of this method, and illustrate it by means of the IAS case study. IAS is a smart-card application dedicated to the operations of Identification, Authentication and electronic Signature.

    Partitioned {PLTL} Model-Checking for Refined Transition Systems

    This paper is about the verification of dynamic properties by model-checking for finite state reactive systems. Properties are expressed as PLTL formulae. Systems are specified through a top-down refinement process. In order to cope with the state explosion problem, we propose partitioning the state space to be verified and to verify the properties independently on each part. Properties that are such that if they hold on every part then they hold for the whole system are called verifiable by parts. In a previous paper, we presented a class of interesting PLTL properties that are always verifiable by parts. That is, they are verifiable by parts with any partitioning of the state space. In addition to these properties, some properties are verifiable by parts on a system provided with a particular partitioning. In this paper, we propose a partitioning of the state space of a system that is guided by the refinement process. We introduce an extended class of PLTL properties that are verifiable by parts with regard to this partitioning. This class includes the first one. In particular, the new class includes liveness properties under fairness assumptions. This class is defined from Büchi automata that accept the language of the negations of the properties. Our work is illustrated by its application to a chip card protocol called T=1. This protocol is specified through successive refinements.

    Test Generation from Dynamic Selection Criteria and by Abstraction

    This article presents a method for assisted test generation. It applies dynamic test selection criteria (TP) to a behavioural formal model (M) previously used, for example by LTG, to generate functional tests from static selection criteria. A dynamic selection criterion TP can be applied to M, but this requires representing M by an automaton. For real applications, its size in number of states and transitions is far too large (or even infinite) to be usable. We propose a method to extract an abstraction of M from a test purpose TP. We compute a synchronized product of this abstraction with TP in order to target the executions of the system under test that satisfy TP. We then generate symbolic abstract tests from this reduced model by applying the all-states or all-transitions coverage criteria. This set of tests is valued from M, concretized and then executed on the implementation under test. This method is proposed to complement the BZ-TT method of test generation from static selection criteria. The user obtains complementary tests by providing a dynamic selection criterion. The method reuses M, the test concretization layer and the test execution infrastructure. The originality of the approach is to build an abstraction of the model derived automatically from the static analysis of a test purpose that formalizes the test needs for a dynamic property of the system.

    B Model Slicing and Predicate Abstraction to Generate Tests

    Accepted manuscript. Revised and extended version of a TAP'10 paper. To appear. In a model-based testing approach as well as for the verification of properties, B models provide an interesting modeling solution. However, for industrial applications, the size of their state space often makes them hard to handle. To reduce the amount of states, an abstraction function can be used. The abstraction is often a domain abstraction of the state variables that requires many proof obligations to be discharged, which can be very time-consuming for real applications. This paper presents a contribution to this problem that complements an approach based on domain abstraction for test generation, by adding a preliminary syntactic abstraction phase, based on variable elimination. We define a syntactic transformation that suppresses some variables from a B event model, in addition to three methods that choose relevant variables according to a test purpose. In this way, we propose a method that computes an abstraction of a source model M according to a set of selected relevant variables. Depending on the method used, the abstraction can be computed as a simulation or as a bisimulation of M. With this approach, the abstraction process produces a finite state system. We apply this abstraction computation to a model-based testing process. We evaluate experimentally the impact of the model simplification by variable elimination on the size of the models, on the number of proof obligations to discharge, on the precision of the abstraction and on the coverage achieved by the test generation.

    Combining Proof and Constraint-Solving Techniques to Build Abstractions


    Test Generation from Timed Pushdown Automata with Inputs and Outputs

    We consider in this paper the model of Timed Pushdown Automata with Inputs and Outputs (TPAIO), for which state reachability can only be solved in exponential time. We compute by means of a polynomial algorithm a reachability timed automaton (RTA), thus partial, of a TPAIO. When the algorithm is applied to untimed pushdown automata, the reachability is equivalent in both automata. But with the addition of clock constraints, reachability in the RTA is only a sufficient condition. To decide if a succession of timed transitions can be executed, we compute the backward closures of the clock constraints, and evaluate them by means of satisfiability decision procedures. Additionally, we compute a path table that relates a feasible transition of the RTA to the corresponding path of the TPAIO. We accept the incompleteness of our method as a price to pay for efficiency. It can be used in test generation since testing is incomplete by nature. Test generation relies on unfolding the transitions of the reachability timed automaton thanks to the path table.
    Keywords: Timed Pushdown Automata; Reachability Timed Automata; Clock Constraints Backward Closure; Test Generation from Automata; Conformance Relation for TPAIO