Description

Black Box Checking Book: Chapter 9, Model Checking. Finite state description of a system B. LTL formula φ. Translate ¬φ into an automaton P. Check whether L(B) ∩ L(P) = ∅. If so, B satisfies φ. Otherwise, the intersection includes a counterexample. Repeat for different properties.

Transcripts

Black Box Checking Book: Chapter 9

Model Checking. Finite state description of a system B. LTL formula φ. Translate ¬φ into an automaton P. Check whether L(B) ∩ L(P) = ∅. If so, B satisfies φ. Otherwise, the intersection includes a counterexample. Repeat for different properties.

Büchi automata (ω-automata). S: finite set of states (B has l ≤ n states). S0 ⊆ S: initial states (P has m states). Σ: finite alphabet (contains p letters). δ ⊆ S × Σ × S: transition relation. F ⊆ S: accepting states. Accepting run: passes a state in F infinitely often. System automata: F = S, deterministic.

Example: check □ a. Example: check ◇ a. Example: check ¬◇ a. (The slides draw the corresponding property automata, with edges labelled a and ¬a.) Use automatic translation algorithms, e.g. [Gerth, Peled, Vardi, Wolper 95].

System (figure): an automaton with states s1, s2, s3 and transitions labelled a, b, c.

Product B × P (figure): states (s1,q1), (s2,q1), (s1,q2), (s3,q2), with transitions labelled a, b, c. Every element of the product (the intersection) is a counterexample for the checked property. Acceptance is determined by the automaton P.
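The product construction and emptiness check on the previous slides, as an added worked example (not code from the slides or the book). It uses a constructed three-state system B over the letters a, b, c and a constructed Büchi automaton P for the negation of "b occurs infinitely often" (□◇ b); the names SYSTEM_B, PROPERTY_P, find_counterexample and executable are assumptions. Emptiness of L(B) ∩ L(P) is decided with a nested depth-first search that returns an accepting lasso (prefix plus cycle) as the counterexample:

```python
# Constructed example (not from the slides): a finite-state system B and a
# Büchi automaton P for the negation of the property, intersected on the fly.
# Letters of B are matched against predicates on P's edges so one P edge can
# stand for "any letter" or "any letter except b".

# System B (constructed): s1 -a-> s2, s2 -b-> s3, s2 -a-> s1, s3 -c-> s1.
# As a system automaton F = S, so every infinite run of B is accepting.
SYSTEM_B = {
    "s1": [("a", "s2")],
    "s2": [("b", "s3"), ("a", "s1")],
    "s3": [("c", "s1")],
}
B_INIT = "s1"

# Property to check: "b occurs infinitely often" (□◇ b). Its negation ◇□ ¬b is
# accepted by P: stay in q1 on any letter, guess the point after which b never
# occurs again, then loop in the accepting state q2 on letters other than b.
PROPERTY_P = {
    "q1": [(lambda x: True, "q1"), (lambda x: x != "b", "q2")],
    "q2": [(lambda x: x != "b", "q2")],
}
P_INIT, P_ACCEPTING = "q1", {"q2"}


def product_successors(b, p, state):
    """Edges of B × P: both components must read the same letter."""
    s, q = state
    for letter, s2 in b.get(s, []):
        for pred, q2 in p.get(q, []):
            if pred(letter):
                yield letter, (s2, q2)


def find_counterexample(b, b_init, p, p_init, p_accepting):
    """Nested DFS over B × P. Returns (prefix, cycle) as words of B when
    L(B) ∩ L(P) is non-empty (an accepting lasso), or None when it is empty."""
    outer_seen, inner_seen = set(), set()

    def inner(seed, state, path):
        # Second DFS: look for a path from the accepting product state back to itself.
        for letter, nxt in product_successors(b, p, state):
            if nxt == seed:
                return path + [letter]
            if nxt not in inner_seen:
                inner_seen.add(nxt)
                found = inner(seed, nxt, path + [letter])
                if found is not None:
                    return found
        return None

    def outer(state, path):
        outer_seen.add(state)
        for letter, nxt in product_successors(b, p, state):
            if nxt not in outer_seen:
                found = outer(nxt, path + [letter])
                if found is not None:
                    return found
        # Post-order: start the inner search only from accepting product states;
        # a product state is accepting when its P component is in F (F = S for B).
        if state[1] in p_accepting:
            inner_seen.add(state)
            cycle = inner(state, state, [])
            if cycle is not None:
                return path, cycle
        return None

    return outer((b_init, p_init), [])


def executable(b, init, word):
    """True if `word` is a path of the (deterministic) system B from `init`;
    used to validate a counterexample against B itself."""
    state = init
    for letter in word:
        nxt = [s2 for l, s2 in b.get(state, []) if l == letter]
        if not nxt:
            return False
        state = nxt[0]
    return True


if __name__ == "__main__":
    # For SYSTEM_B the cycle s1 -a-> s2 -a-> s1 avoids b forever, so the
    # intersection is non-empty and a lasso such as (prefix, cycle) is printed.
    print(find_counterexample(SYSTEM_B, B_INIT, PROPERTY_P, P_INIT, P_ACCEPTING))
```

The returned cycle contains no b, which is exactly the violation of □◇ b; removing the edge s2 -a-> s1 from SYSTEM_B makes the intersection empty and the function returns None.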

Testing. Unknown deterministic finite state system B. Known: n states and alphabet Σ. An abstract model C of B. C satisfies all the properties we want from B. Check conformance of B and C. Another version: only a bound n on the number of states l is known.

Model Checking / Testing. Model checking: given a finite state system B whose transition relation is known, and a property represented by an automaton P, check if L(B) ∩ L(P) = ∅. Graph theory or BDD techniques. Complexity: polynomial. Testing: unknown finite state system B; the alphabet and the number of states of B (or an upper bound) are known; the specification is given as an abstract system C. Check if B ⊑ C. Complexity: polynomial if the number of states is known, exponential otherwise.

Black box checking. Property represented by an automaton P. Check if L(B) ∩ L(P) = ∅. Graph theory techniques. Unknown finite state system B. Alphabet and an upper bound on the number of states of B known. Complexity: exponential.

Combination lock automaton. Accepts only words with a specific suffix (cdab in the example). States s1, s2, s3, s4, s5, advanced by the letters c, d, a, b in turn.

Conformance testing (figure: two automata over the letters a, b, related by ⊑). Cannot distinguish whether B is reduced or not.

Conformance testing (cont.). When the black box is nondeterministic, we may never test some of its choices.

Conformance testing (cont.) (figure: automata over the letters a, b, related by ⊑). Need: a bound on the number of states of B.

Need reliable RESET (figure: an automaton with states s1, s2, s3 and transitions a, b).

Vasilevskii algorithm. Known automaton A has l states. The black box automaton has up to n states. Check every transition. Check that there are no "combination lock" errors. Complexity: O(l² n p^(n−l+1)). When n = l: O(l³ p).

Experiments (figure): sequences such as reset, try a, try b, try c, ..., each step answered by success or fail.

Simpler problem: deadlock? Nondeterministic algorithm: guess a path of length ≤ n from the initial state to a deadlock state. Linear time, logarithmic space. Deterministic algorithm: systematically try paths of length ≤ n, one after another (using reset), until a deadlock is reached. Exponential time, linear space.

Deadlock complexity. Nondeterministic algorithm: linear time, logarithmic space. Deterministic algorithm: exponential (p^(n−1)) time, linear space. Lower bound: exponential time (use combination lock automata). How does this fit with what we know from complexity theory?

Modeling black box checking. Cannot model it using Turing machines: not all the information about B is given. Only certain experiments are allowed. We learn the model as we make the experiments. Can use the model of games of incomplete information.

Games of incomplete information. Two players: the ∃-player and the ∀-player (here, deterministic). Finitely many configurations C, including the initial configurations C_i and the winning configurations W+ and W−. An equivalence relation ≡ on C (the ∃-player cannot distinguish equivalent configurations). Labels L on moves (try a, reset, success, fail). The ∃-player has the same labelled moves from equivalent configurations. A strategy for the ∃-player leads to a configuration in W+ ∪ W−; it cannot distinguish equivalent configurations. A nondeterministic strategy ends in W+; it can distinguish them.

Modeling BBC as games. Each configuration contains an automaton and its current state (and more). Moves of the ∃-player are labelled with try a, reset, ...; moves of the ∀-player with success, fail. c1 ≡ c2 when the automata in c1 and c2 would react in the same way to the experiments made so far.

A naive approach to BBC. First learn the structure of the black box; then apply the intersection. Enumerate the automata with ≤ n states (without repeating isomorphic automata). For the current automaton and a new automaton, construct a distinguishing sequence; only one of them survives. Complexity: O((n+1)^(p(n+1)) / n!).

On-the-fly strategy. Systematically (as in the deadlock case), find two sequences v1 and v2 of length ≤ m·n. Applying v1 to P brings us to a state t that is accepting. Applying v2 to P takes us back to t. Apply v1 (v2)^(n+1) to B. If this succeeds, there is a cycle in the intersection labelled with v2, with t as the P (accepting) component. Complexity: O(n² p^(2mn) m).
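The deterministic deadlock search and the v1 (v2)^(n+1) check above both only need a black box that answers "try a" with success or fail and can be reset, so one added example (not code from the slides or the book) serves both. The black box is a constructed combination lock over the letters a, b, c, d whose hidden state 5, reached only by the suffix cdab, is a deadlock; a wrong letter sending the lock back to state 1 is an assumed detail. The class CombinationLock and the functions find_deadlock and confirm_lasso are assumptions:

```python
from itertools import chain, repeat

# Constructed black box (not from the slides): a combination-lock system over
# letters a, b, c, d with hidden states 1..5. Only the suffix "cdab" leads to
# state 5, which has no outgoing transitions (a deadlock). A wrong letter sends
# the lock back to state 1 (assumed semantics). The tester only sees the
# outcome of `try_letter` (success/fail) and may `reset`.
class CombinationLock:
    COMBINATION = "cdab"
    ALPHABET = ("a", "b", "c", "d")

    def __init__(self):
        self._state = 1            # hidden from the tester
        self.resets = 0            # experiment counters, for the reader
        self.tries = 0

    def reset(self):
        self._state = 1
        self.resets += 1

    def try_letter(self, letter):
        """Attempt one transition; True on success, False on fail."""
        self.tries += 1
        if self._state == len(self.COMBINATION) + 1:
            return False           # state 5: no letter is enabled (deadlock)
        if self.COMBINATION[self._state - 1] == letter:
            self._state += 1
        else:
            self._state = 1
        return True

    def run(self, word):
        """Reset, then apply a whole word; True if every letter succeeded."""
        self.reset()
        return all(self.try_letter(x) for x in word)


def find_deadlock(box, alphabet, n):
    """Deterministic search from the slides: systematically try paths of length
    <= n-1 from the initial state (a deadlock in an n-state system is reachable
    within n-1 steps), one after another using reset, until a state with no
    enabled letter is reached. Returns that path, or None within the bound.
    Time is exponential in n; the DFS stack keeps the space linear in n*p."""
    stack = [()]
    while stack:
        word = stack.pop()
        # One experiment per letter: replay the path after a reset, then try it.
        enabled = [x for x in alphabet if box.run(word) and box.try_letter(x)]
        if not enabled:
            return list(word)
        if len(word) < n - 1:
            stack.extend(word + (x,) for x in reversed(enabled))
    return None


def confirm_lasso(box, v1, v2, n):
    """On-the-fly check from the slides: apply v1 (v2)^(n+1) to B. If every step
    succeeds and B has at most n states, some state of B repeats inside the v2
    repetitions, so B really has a cycle labelled with v2 reachable via v1."""
    word = list(v1) + list(chain.from_iterable(repeat(list(v2), n + 1)))
    return box.run(word)


if __name__ == "__main__":
    lock = CombinationLock()
    print(find_deadlock(lock, CombinationLock.ALPHABET, 5), lock.resets, lock.tries)
    print(confirm_lasso(CombinationLock(), ("c",), ("d", "c"), 5))
    print(confirm_lasso(CombinationLock(), ("c", "d", "a"), ("b",), 5))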

Learning an automaton. Use Angluin's algorithm for learning an automaton. The learning algorithm queries whether some strings are in the automaton B. It can also conjecture an automaton M_i and ask for a counterexample. It then generates an automaton with more states, M_(i+1), and so on.

A strategy based on learning. Start the learning algorithm. Queries are just experiments on B. For a conjectured automaton M_i, check if M_i ∩ P = ∅. If so, check conformance of M_i with B (Vasilevskii algorithm). If nonempty, the intersection contains some v1 (v2)^ω. Test B with v1 (v2)^(n+1). If this succeeds: error; otherwise, this is a counterexample for M_i.
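The learning half of the strategy above, as an added example (not code from the slides or the book): Angluin's L* learner whose membership query "is w in B?" is the experiment "reset, then try each letter of w", answered by a constructed hidden three-state system over a, b, c. The equivalence query (the request for a counterexample to the conjecture M_i) is answered here by exhaustively comparing M_i with B on all words up to a depth bound, a simplified stand-in for the Vasilevskii conformance check on the slides; the model-checking step M_i ∩ P is left out. HIDDEN_B, LStar, conjecture, run_conjecture and learn are assumptions:

```python
from itertools import product

ALPHABET = ("a", "b", "c")

# Constructed black box (not from the slides): a deterministic system whose
# transition table is hidden from the learner. A membership query "is w in B?"
# is the experiment "reset, then try each letter of w": True iff all succeed.
HIDDEN_B = {("s1", "a"): "s2", ("s2", "b"): "s3", ("s2", "a"): "s1", ("s3", "c"): "s1"}


def membership(word, table=HIDDEN_B, init="s1"):
    state = init
    for letter in word:
        state = table.get((state, letter))
        if state is None:
            return False
    return True


class LStar:
    """Angluin's L* observation table: S = access prefixes, E = distinguishing suffixes."""

    def __init__(self, oracle, alphabet):
        self.oracle, self.alphabet = oracle, alphabet
        self.S, self.E, self.cache = {()}, {()}, {}

    def T(self, word):
        if word not in self.cache:            # one experiment per distinct word
            self.cache[word] = self.oracle(word)
        return self.cache[word]

    def row(self, s):
        return tuple(self.T(s + e) for e in sorted(self.E))

    def _fix_table(self):
        """Extend S until the table is closed and E until it is consistent."""
        while True:
            rows = {self.row(s) for s in self.S}
            unclosed = next((s + (a,) for s in sorted(self.S) for a in self.alphabet
                             if self.row(s + (a,)) not in rows), None)
            if unclosed is not None:
                self.S.add(unclosed)
                continue
            S = sorted(self.S)
            new_e = next(((a,) + e for i, s1 in enumerate(S) for s2 in S[i + 1:]
                          if self.row(s1) == self.row(s2)
                          for a in self.alphabet for e in sorted(self.E)
                          if self.T(s1 + (a,) + e) != self.T(s2 + (a,) + e)), None)
            if new_e is None:
                return
            self.E.add(new_e)

    def conjecture(self):
        """Build M_i: one state per distinct row, initial = row(()), accepting = T(s)."""
        self._fix_table()
        rep = {}
        for s in sorted(self.S, key=len):
            rep.setdefault(self.row(s), s)
        trans = {(r, a): self.row(s + (a,)) for r, s in rep.items() for a in self.alphabet}
        accepting = {r for r, s in rep.items() if self.T(s)}
        return self.row(()), trans, accepting

    def add_counterexample(self, cex):
        for i in range(len(cex) + 1):         # add all prefixes, as in Angluin's algorithm
            self.S.add(tuple(cex[:i]))


def run_conjecture(m, word):
    init, trans, accepting = m
    state = init
    for a in word:
        state = trans[(state, a)]
    return state in accepting


def learn(oracle, alphabet, depth):
    """Learn B. The equivalence query is answered by exhaustive comparison of M_i
    and B on all words up to `depth` (a simplified stand-in for conformance testing)."""
    learner = LStar(oracle, alphabet)
    while True:
        m = learner.conjecture()
        cex = next((w for k in range(depth + 1) for w in product(alphabet, repeat=k)
                    if run_conjecture(m, w) != oracle(w)), None)
        if cex is None:
            return m, learner
        learner.add_counterexample(cex)


if __name__ == "__main__":
    m, learner = learn(membership, ALPHABET, 6)
    print(len({m[0]} | set(m[1].values())), "states;", len(learner.cache), "experiments")
```

For the hidden system the learner converges on a four-state conjecture (the three reachable states plus the rejecting sink) after two counterexamples, each answered by extending the table; in the full strategy the same conjecture would be intersected with P before any conformance test is spent on it.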

Black Box Checking Strategy (flowchart): incremental learning produces a model; model checking the model either finds no counterexample, in which case conformance testing compares the model with the system (conformance established: report "no error found"; an inconsistency returns to learning), or finds a counterexample path, which black box testing tries on the system (real error: report error; a false negative returns to learning).

Complexity. l: real size of B. n: an upper bound on the size of B. p: size of the alphabet. Lower bound: reachability is like deadlock. O(l³ p^l + l² m n) if there is an error. O(l³ p^l + l² n p^(n−l+1) + l² m n) if there is no error. If n is not known, check while time permits.

Some experiments. Prototype system written in SML (by Alex Groce, CMU). Experiments with the black box use Unix I/O. Allows model-free checking of C code with inter-process communication. Integrating the tested code in SML with the BBC program as one process.

Conclusions. Black box checking is a combination of testing and model checking. If a tight bound on the size of B is given: learn B first, then do model checking. Tight lower b