### **Test and Verification**

#### **Brian Nielsen**

bnielsen@cs.aau.dk





# **Preliminary Plan**

| No. | Dat8 | SW8 | SP2 | Lecture<br>date         | Lecture<br>room      | Exercise<br>room       | Lecturer | Slides                             | Subject                                                                                                                                 |
|-----|------|-----|-----|-------------------------|----------------------|------------------------|----------|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
| 1.  |      |     |     | Feb 5                   | 0.2.12<br>8.15-10.00 | PC-Lab                 | BN       | Introduction                       | Introduction                                                                                                                            |
| 2.  |      |     | •   | Feb 7                   | 0.2.12<br>8.15-10.00 | PC-Lab                 | BN       | Modelling in<br>UPPAAL             | Modelling in UPPAAL. Timed Automata.                                                                                                    |
| З.  |      |     |     | Feb 12                  | 0.2.12<br>8.15-10.00 | PC-Lab                 | AD       | Engine and<br>Options              | Verification Engine and Options of<br>UPPAAL                                                                                            |
| 4   |      |     | •   | Feb 14                  | NO LECTURE           | Group Rooms<br>+PC-Lab | BN       | Hand in<br>March ??                | Modelling Exercise                                                                                                                      |
| 5.  |      |     | •   | 19 Feb                  | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | BN       | testiniru                          | Introduction to testing                                                                                                                 |
| 6.  | •    |     |     | 21 Feb                  | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | ASk      | <u>whitebox</u><br><u>blackbox</u> | Classical Test 1+2:<br>( <u>Test case design teknikker I: Whitebox</u><br><u>Test case design teknikker II: Blackbox</u> +<br>Coverage) |
| 7.  | •    |     |     | 26 Feb                  | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | BN       |                                    | Test Driven Development + xUNIT                                                                                                         |
| 8.  |      |     | •   | 28 Feb                  | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | BN       | fsm-based                          | Model-Based Testing:<br>(FSM based and OO test)                                                                                         |
| 13. |      |     |     | March 6                 | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | AD       |                                    | Timed Games and Uppaal-TIGA                                                                                                             |
|     |      |     |     | 4 , 6, 11, 13<br>March, |                      |                        |          |                                    | BN Travelling                                                                                                                           |
| 9.  |      |     |     | 18 March                | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | BN       | RT-Test                            | Model-Based Testing:<br>(Online Realtime <u>Uppaal TRON)</u>                                                                            |

# **Preliminary Plan**

| No. | Dat8 | SW8 | SP2 | Lecture<br>date | Lecture<br>room      | Exercise<br>room       | Lecturer         | Slides                                | Subject                                                       |
|-----|------|-----|-----|-----------------|----------------------|------------------------|------------------|---------------------------------------|---------------------------------------------------------------|
|     |      |     |     | 20 March        |                      |                        |                  |                                       | Påske                                                         |
| 10  |      | •   | •   | NO LECTURE      | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | BN               | Hand in<br>??                         | Testing Exercise                                              |
| 11. |      |     |     |                 | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | Andrezej/Ulrik ? |                                       | <u>VisualState I</u>                                          |
| 12. |      |     |     |                 | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | Andrezej/Urrik?  |                                       | <u>VisualState II</u>                                         |
|     |      |     |     | May 1           |                      |                        |                  |                                       | St. Kr Himmelfart                                             |
| 14  |      |     |     | May 13          | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | Juhan Ernits9    |                                       | Model Based Testing at Microsoft (with C#<br>and NModel)      |
| 15  |      |     |     | May 15          | 0.2.12<br>8.15-10.00 | Group Rooms<br>+PC-Lab | Juhan Ernits?    |                                       | Model Based Testing at Microsoft (with C#<br>and NModel)      |
| ??  |      | •   |     |                 | 8.15-10.00           | Group Rooms<br>+PC-Lab | KGL              | Probabilistic<br>Modeling &<br>Logics | Performance Modelling:<br><u>Probabilistic Model Checking</u> |
| ??  |      |     |     |                 | ??<br>8.15-10.00     | Group Rooms<br>+PC-Lab | Guest            |                                       | SW Test in Practice (TK-Validate)                             |

### Plan

- Background
  - Research Group and Projects
- Why (and what) test and verification
- Model-based approach
  - Finite State Machines (review)
  - Interacting State Machines
- Verification=Model Checking (1st glance)

### Who are we?





### Lecturers



Alexandre David



... and guests



Brian Nielsen



Arne Skou



### **Research Profile** *Distributed Systems & Semantics Unit*





Center for Indlejrede Software Systemer

-

Las 4

### Why CISS ?

- 80% of all software is embedded
- Demands for increased functionality with minimal resources
- Requires multitude of skills
  - Software construction
  - Hardware platforms
  - Control theory
  - Comm. technology
  - **Goal**: Give a qualitative lift to current industrial practice





#### **CISS Structure**





### **Partners**

GateHouse

IAR Systems

- Aeromark
- Analog Devices Grundfos

- Blip Systems
- Danfoss
- Ericsson Telebit
- ETI
- Exhausto
- FOSS

- Motorola
- Panasonic
- **RTX** Telecom







- S-Card
- Simrad
  - Skov
- SpaceCom MAN B&W
- **TK Systemtest** Novo Nordisk
  - TDC Totalløsninger
  - Aalborg Industries





#### **Focus Areas**



#### **Focus Areas**



# Local $\rightarrow$ Regional $\rightarrow$ National DaNES

 Danish Network for Intelligent Embedded Systems

#### PARTNERS

- CISS, IMM, MCI, PAJ Systemteknik GateHouse A/S ICE Power Skov A/S Terma A/S Novo Nordisk A/S IO Technologies
- Funded by Højteknologifonden
- Budget
   63 MDKK / 4 years





#### Local → Regional → National

Danes





# Model Driven Development of Intelligent Embedded Systems | MoDES | Partners | Companies | Research Activities | Researchers | Events | Related Projects | Sponsors |



**Differential Equations** Markov Models Hybrid Automata Net Calculi Timed Automata Synchronous Models State/Event Models StateChart RT UML SDL Combinatorial Logic Higher Order Logic Concepts

#### MatLab

Simulink Java Ravenscar Stateflow Jitterbug TrueTime Reactis HyTech DTSA CheckMate Charon Esterel Cync Moby UPPAAL Rhapsody visualSTATE Teleogic Verilog Ptoiomi VHDL SystemC Zigbee SpecC Tools

RT Java Canbus PLC Embedded Linux Scheduling Windows CE TimeTrigger TCP/IP Bluetooth

Technologies





#### **Quantitative System Properties in Model-Driven-Design of Embedded Systems**



#### **Complex Systems**



#### A very complex system



Klaus Havelund, NASA



#### Spectacular software bugs Ariane 5

 The first Ariane 5 rocket was launched in June, 1996. It used software developed for the successful Ariane 4. The rocket carried two computers, providing a backup in case one computer failed during launch. Forty seconds into its maiden flight, the rocket veered off course and exploded. The rocket, along with \$500 million worth of satellites, was destroyed.



Ariane 5 was a much more powerful rocket and generated forces that were larger than the computer could handle. Shortly after launch, it received an input value that was too large. The main and backup computers shut down, causing the rocket to veer off course.



#### **Rotterdam Storm Surge Barrier**





#### **Spectacular software bugs U.S.S. Yorktown, U.S. Navy**

- In 1998, the USS Yorktown became the first ship to test the US Navy's Smart Ship program. The Navy planned to use off-theshelf computers and software instead of expensive U.S.S. Yorktown, courtesy of U.S. Navy custom-made machines. A sailor mistakenly entered a zero for a data value on a computer. Within minutes. Yorktown was dead in the water. It was several hours before the ship could move again.
- When the sailor entered the mistaken number, the computer tried to divide by zero, which isn't possible. The software didn't check to see if the inputs were valid before computing and generated an invalid answer that was used by another computer. The error cascaded several computers and eventually shut down the ship's engines.





#### Spectacular software bugs Moon or Missiles

 The United States established the Ballistic Missile Early Warning System (BMEWS) during the Cold War to detect a Soviet missile attack. On October 5, 1960 the BMEWS radar at Thule, Greenland detected something. Its computer control system decided the signal was made by hundreds of missiles





The radar had actually detected the Moon rising over the horizon. Unfortunately, the BMEWS computer had not been programmed to understand what the moon looked like as it rose in the eastern sky, so it interpreted the huge signal as Soviet missiles. Luckily for all of us, the mistake was realized in time.



#### Spectacular software bugs Therac 25

- The Therac-25 radiation therapy machine was a medical device that used beams of electrons or photons to kill cancer cells.
   Between 1985-1987, at least six people got very sick after Therac-25 treatments. Four of them died. The manufacturer was confident that their software made it impossible for the machine to harm patients.
- The Therac-25 was withdrawn from use after it was determined that it could deliver fatal overdoses under certain conditions. The software would shut down the machine before delivering an overdose, but the error messages it displayed were so unhelpful that operators couldn't tell what the error was, or how serious it was. In some cases, operators ignored the message completely.

"Malfunction 54" "H-tillt"

*IEEE Computer*, Vol. 26, No. 7, July 1993, pp. 18-41



#### Spectacular Software Bugs .... continued

- INTEL Pentium II floating-point division 470 Mill US \$
- Baggage handling system, Denver 1.1 Mill US \$/day for 9 months
- Mars Pathfinder
- .....



### Why T&V?



 Errors in (Embedded) software are extremely expensive

#### \*\*\* STOP: 0x0000000R (0x802aa502,0x00000002,0x00000000,0xFA84001C) IRQL NOT LESS OR EQUAL\*\*\* Address fa84001c has base at fa840000 - i8042prt.SYS

CPUID: GenuineIntel 5.2.c irgl:1f SYSVER 0xF0000565

| Dll Base | Date Stamp | p - Name       | Dll Base | Date Stamp - Name             |
|----------|------------|----------------|----------|-------------------------------|
| 80100000 | 2be154c9   | - ntoskrnl.exe | 80400000 | 2bc153b0 - hal.dll            |
| 80200000 | 2bd49628   | - ncrc710.sys  | 8025c000 | 2bd49688 - SCSIPORT.SYS       |
| 80267000 | 2bd49683   | - scsidisk.sys | 802a6000 | 2bd496b9 - Fastfat.sys        |
| fa800000 | 2bd49666   | - Floppy.SYS   | fa810000 | 2bd496db - Hpfs_Rec.SYS       |
| fa820000 | 2bd49676   | - Null.SYS     | fa830000 | 2bd4965a - Beep.SYS           |
| fa840000 | 2bdaab00   | - i8042prt.SYS | fa850000 | 2bd5a020 - SERMOUSE.SYS       |
| fa860000 | 2bd4966f   | - kbdclass.SYS | fa870000 | 2bd49671 - MOUCLASS.SYS       |
| fa880000 | 2bd9c0be   | - Videoprt.SYS | fa890000 | 2bd49638 - NCR77C22.SYS       |
| fa8a0000 | 2bd4a4ce   | – Vga. SYS     | fa8b0000 | 2bd496d0 - Msfs.SYS           |
| fa8c0000 | 2bd496c3   | - Npfs.SYS     | fa8e0000 | 2bd496c9 - Ntfs.SYS           |
| fa940000 | 2bd496df   | - NDIS.SYS     | fa930000 | 2bd49707 - wdlan.sys          |
| fa970000 | 2bd49712   | - TDI.SYS      | fa950000 | 2bd5a7fb - nbf.sys            |
| fa980000 | 2bd72406   | - streams.sys  | fa9b0000 | 2bd4975f - ubnb.sys           |
| fa9c0000 | 2bd5bfd7   | - mcsxns.sys   | fa9d0000 | 2bd4971d - netbios.sys        |
| fa9e0000 | 2bd49678   | - Parallel.sys | fa9f0000 | 2bd4969f - serial.SYS         |
| faa00000 | 2bd49739   | - mup.sys      | faa40000 | 2bd4971f - SMBTRSUP.SYS       |
| faa10000 | 2bd6f2a2   | - srv.sys      | faa50000 | 2bd4971a - afd. <i>sys</i>    |
| faa60000 | 2bd6fd80   | - rdr.sys      | faaa0000 | 2bd49735 - bowser. <i>sys</i> |
|          |            |                |          |                               |

| Address  | dword du | np Build | 1 [1381] |          |          | - Name          |
|----------|----------|----------|----------|----------|----------|-----------------|
| fe9cdaec | fa84003c | fa84003c | 00000000 | 00000000 | 80149905 | - i8042prt.SYS  |
| fe9cdaf8 | 8025dfe0 | 8025dfe0 | ff8e6b8c | 80129c2c | ff8e6b94 | - SCSIPORT. SYS |
| fe9cdb10 | 8013e53a | 8013e53a | ff8e6b94 | 00000000 | ff8e6b94 | - ntoskrnl.exe  |
| fe9cdb18 | 8010a373 | 8010a373 | ff8e6df4 | ff8e6f60 | ff8e6c58 | - ntoskrnl.exe  |
| fe9cdb38 | 80105683 | 80105683 | ff8e6f60 | ff8e6c3c | 8015ac7e | - ntoskrnl.exe  |
| fe9cdb44 | 80104722 | 80104722 | ff8e6df4 | ff8e6f60 | ff8e6c58 | - ntoskrnl.exe  |
| fe9cdb4c | 8012034c | 8012034c | 00000000 | 80088000 | 80106fc0 | - ntoskrnl.exe  |

### Why T&V?



- Errors in (Embedded) software are extremely expensive
- 30-40% of development time spent on (often adhoc) testing.
- There is a enormous potential for improved methods and tools.
- "Time-to-market" can be reduced through earli verification and performance analysis

### **Testing vs. Verification**



### **Verification and Test**



#### **Test versus Verification**



CENTER FOR INDLEJREDE SOFTWARE SYSTEME



#### 2<sup>n</sup> sequences of length n

Deadlock identified by VERIFICATION after sequence of 2000 msgs / < 1min.

### **More complex systems**



### A simple program



Which values may x take ?



### Another simple program

```
int x=0;
Process P
    do
        x:=x+1
    10 times
( P || P )
```

What are the possible final values of x ?

```
int x=0;
Process P
int r
    do
        r:=x; r++; x:=r
    10 times
( P || P )
Atomic stm.
```

## Model-based Approach





## **Suggested Solution?**

### Model based

# validation, verfication and testing of software and hardware



#### Introducing, Detecting and Repairing Errors Liggesmeyer 98



#### Introducing, Detecting and Repairing Errors Liggesmeyer 98



#### **Model-Driven Development**



#### **Real-time Systems**





#### **Real-time Modeling**



#### **Real-time Model-checking**



### **Real-time Controller Synthesis**



#### **Real-time Model-Based Testing**



#### **Real-time Monitoring**



#### Models

- A model is a simplified representation of the real world.
- Used gain confidence in the adequacy and validity of a proposed system
- Models selected aspects
- Removes irrelevant details

#### Model

#### Realization







#### Models

- Abstractions of the problem-space, not solution space
- Domain Specific Modeling Languages
  - Simulink/StateFlow
  - UML,
- Early exploration of design-alternatives
- Automatic transformation
  - Correctness-by-*construction* vs. Correctness-by-*correction*

# Model-based vs. MDD

- Model Driven Development:
  - Model is the center of focus from analysis to execution
  - Model is gradually refined / transformed into solution
- Model-based Development:
  - (Unrelated) models used to support selected development activities where appropriate

#### How?

#### **Unified Model = State Machine**!



Control states





# Tamagotchi



CISS

#### **SYNCmaster**



CISS

### **Digital Watch**





CISS



# SPIN, Gerald Holzmann $\triangleright$ Qo

CISS

# visualSTATE vvs

w Baan Visualstate, DTU (CIT project)



- Hierarchical state systems
- Flat state systems
- Multiple and interrelated state machines
- Supports UML notation
- Device driver access





#### **ESTEREL**





JPPAAL

CISS

### NModel

```
FSM(0,
```

```
AcceptingStates(), Transitions(
```

```
t(0,ShowTitles(),1),
```

```
t(1,SortByFirst(),2),
```

```
t(2,SortByMostRecent(),3),
```

```
t(3, ShowText(), 4)),
```

```
Vocabulary("ShowTitles", "ShowText",
```

```
"SelectMessages","SelectTopics",
"SortByFirst","SortByMostRecent")
```





#### **`State Explosion'** problem



#### M1 x M2



# **Train Simulator**

#### VVS visualSTATE



CISS

#### **Modelling and Analysis**



#### Tools: UPPAAL, visualSTATE, ESTEREL, SPIN, Statemate, FormalCheck, VeriSoft, Java Pathfinder,...

#### Modelling and Analysis BRICS



#### Tools: UPPAAL, visualSTATE, ESTEREL, SPIN, Statemate, FormalCheck, VeriSoft, Java Pathfinder,...

Most fundamentae model in Computer Science: Kleene og Moore

# **Finite State Machines**

- Language versus behaviour
- Determinism versus non-determinism
- Composition and operations
- Variants of state machines
   Moore, Mealy, IO automater, UML ....

#### **Model of Computation**

- Set of states
- A start state
- An input-alfabet
- A transition funktion, mapping input symbols and state to next state
- One ore more accept states.
- Computation starts from start state with a given input string (read from left to right)

#### 0, 1, 2, 0, 1, 2, 0, 1,

#### Modulo 3 counter



#### Variants

inputstreng inc inc dec inc inc dec inc

Machines may have actions/output associated with state– Moore Machines.





#### Varianter

Machines may have actions/output associated with med transitions – Mealy Machiner.

Transitions unconditional of input (nul-transitions).

Several transitions for given for input and state (non-determinisme). inputstreng inc inc dec inc inc dec inc



1212021 outputstreng

#### Variants

Symbols of alphabet patitioned in input- and output-actions (IO-automata)





# Interacting State Machines





# **Home-Banking**?

int accountA, accountB; //Shared global variables
//Two concurrent bank costumers

```
Thread costumer1 () { Thread costumer2 () {
    int a,b; //local tmp copy int a,b;
```

| a=accountA;    | a=accountA;     |
|----------------|-----------------|
| b=accountB;    | b=accountB;     |
| a=a-10;b=b+10; | a=a-20; b=b+20; |
| accountA=a;    | accountA=a;     |
| accountB=b;    | accountB=b;     |
| }              | }               |

Are the accounts in balance after the transactions?

## **Home Banking**



A[] (pc1.finished and pc2.finished) imply (accountA+accountB==200)?
CISS

# **Home Banking**

int accountA, accountB; //Shared global variables
Semaphore A,B; //Protected by sem A,B
//Two concurrent bank costumers

```
Thread costumer1 () { Thread costumer2 () {
    int a,b; //local tmp copy int a,b;
```

```
wait(A);
                             wait(B);
wait(B);
                             wait(A);
a=accountA;
                              a=accountA;
b=accountB;
                             b=accountB;
a=a-10; b=b+10;
                             a=a-20; b=b+20;
accountA=a;
                             accountA=a;
accountB=b;
                             accountB=b;
signal(A);
                             signal(B);
signal(B);
                              signal(A);
```

## **Semaphore FSM Model**







#### **Composition** *IO Automater (2-vejs synkronisering)*



#### **Composition** *IO Automater (2-vejs synkronisering)*



### **Semaphore Solution?**





- 1. Consistency? (Balance)
- 2. Race conditions?
- 3. Deadlock?

1. A[] (mc1.finished and mc2.finished) imply (accountA+accountB==200) ✓
2. E<> mc1.critical\_section and mc2.critical\_section ✓
3. A[] not (mc1.finished and mc2.finished) imply not deadlock .