Effective Infinite-State Model Checking by Input Equivalence Class Partitioning

In this paper, it is shown how a complete input equivalence class testing strategy developed by the second author can be used effectively for infinite-state model checking of system models with infinite input domains but finitely many internal state values and finite output domains. This class of systems occurs frequently in the safety-critical domain, where controllers may input conceptually infinite analogue data but make a finite number of control decisions based on the inputs and the current internal state. A variant of Kripke structures is well suited to provide a behavioural model for this system class. It is shown how the known construction of specific input equivalence classes can be used to abstract the infinite input domain of the reference model into finitely many classes. Quick checks can then be made on the implementation model, showing that the implementation is not I/O-equivalent to the reference model if its abstraction to an observable minimal finite state machine has a different number of states or a different input partitioning than the reference model. Only if these properties are consistent with the reference model does a detailed equivalence check between the abstracted models need to be performed. The complete test suites obtained as a by-product of the checking procedure can be used to establish counterexamples showing the non-conformity between implementation model and reference model. Using various sample models, it is shown that this approach outperforms model checkers that do not possess this equivalence class generation capability.
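As an added illustration of the procedure the abstract describes (example code, not from the paper or its authors), the following Python sketch abstracts two constructed models of an over-speed monitor with one real-valued input into finitely many input classes, runs the quick state-count and input-partitioning checks, and only then searches the product of the abstractions for a concrete distinguishing input sequence, i.e. the test case that serves as a counterexample. It assumes that every guard compares the input against one of an explicitly listed set of thresholds (so the classes are the thresholds themselves and the open intervals between them) and that a model is given as a tuple (states, initial state, step function, thresholds); the monitor, its faulty implementation and the tuple format are all constructed here.

```python
from collections import deque

def input_classes(thresholds):
    """One representative per class of a single real input: each threshold is a singleton class, each gap an open interval."""
    t = sorted(set(thresholds))
    mids = [(a + b) / 2 for a, b in zip(t, t[1:])] + [t[-1] + 1]
    return [t[0] - 1] + [v for a, m in zip(t, mids) for v in (a, m)]

def minimal_state_count(table):
    """Partition refinement on the abstracted Mealy table: size of the minimal machine."""
    block, n = {s: 0 for s in table}, 1
    while True:
        sig = {s: (tuple(o for _, o in row), tuple(block[t] for t, _ in row))
               for s, row in table.items()}
        ids = {}
        block = {s: ids.setdefault(sig[s], len(ids)) for s in table}
        if len(ids) == n:
            return n
        n = len(ids)

def distinguishing_sequence(ref_tab, r0, impl_tab, i0, reps):
    """BFS over the product of both abstractions: shortest input sequence (one representative per class) with differing outputs, else None."""
    seen, queue = {(r0, i0)}, deque([(r0, i0, [])])
    while queue:
        r, i, trace = queue.popleft()
        for k, x in enumerate(reps):
            (r2, o_r), (i2, o_i) = ref_tab[r][k], impl_tab[i][k]
            if o_r != o_i:
                return trace + [x]
            if (r2, i2) not in seen:
                seen.add((r2, i2))
                queue.append((r2, i2, trace + [x]))

def check(ref, impl):
    """Quick checks (state count, input partitioning) before the detailed equivalence check."""
    reps, impl_reps = input_classes(ref[3]), input_classes(impl[3])
    abstract = lambda m, r: {s: [m[2](s, x) for x in r] for s in m[0]}  # table[s][k] = (s', out)
    ref_tab, impl_tab = abstract(ref, reps), abstract(impl, impl_reps)
    n_ref, n_impl = minimal_state_count(ref_tab), minimal_state_count(impl_tab)
    if n_ref != n_impl: return ("state count differs", (n_ref, n_impl))
    if reps != impl_reps: return ("input partitioning differs", (reps, impl_reps))
    seq = distinguishing_sequence(ref_tab, ref[1], impl_tab, impl[1], reps)
    return ("counterexample", seq) if seq else ("equivalent", None)

# Constructed over-speed monitor as (states, initial, step(s, x) -> (s', output), thresholds); the implementation lost the braking hysteresis.
def ref_step(s, x):   # brake above 110 and hold it until x is back at or below 100
    return (2, "brake") if x > 110 or (s == 2 and x > 100) else (1, "warn") if x > 100 else (0, "ok")
def impl_step(s, x):  # fault: brake released as soon as x <= 110
    return (2, "brake") if x > 110 else (1, "warn") if x > 100 else (0, "ok")
REF = ([0, 1, 2], 0, ref_step, [100, 110])
IMPL = ([0, 1, 2], 0, impl_step, [100, 110])
```

Here the faulty implementation is already rejected by the first quick check, since its abstraction collapses to a single state while the reference needs two; an implementation that passes both quick checks is only rejected by a concrete distinguishing sequence such as a brake-triggering input followed by one inside the hysteresis band.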
