Section: New Results
Test Generation on Enumerative and Symbolic Models
Symbolic Test Generation and Selection
For several years we have been addressing the generation of symbolic test cases for testing the conformance of a black-box implementation with respect to a specification. More specifically, the problem we consider is the off-line selection of test cases according to a test purpose, which is here a set of scenarios of interest that one wants to observe during test execution. In  and  , we extend these selection techniques to infinite-state symbolic models (IOSTS), by showing how approximate fixpoint computations can be used in a conservative way. The same kind of technique is also adapted to test selection with respect to safety properties and to its combination with verification (see 6.2.2). When dealing with non-deterministic IOSTS specifications, off-line test selection involves a determinisation phase, which is not always feasible for IOSTS. However, a determinisation procedure that terminates for a sub-class of IOSTS has been identified (see 6.4.1).
Instead of extending the finite-state IOLTS model with variables, one can also extend the IOLTS model with recursion, which yields a pushdown system. A preliminary study was done in 2004 in the master's thesis of Liva Randriamanohisoa. One of the problems still to be solved is the determinisation of a pushdown system, which may be necessary when testing under partial observation. When pushdown automata are deterministic, however, test selection techniques based on test purposes can be used with some adaptations. This is the subject of Camille Constant's PhD.
This year, we also started work on testing the conformance of open networks with respect to their security properties. This is part of Jeremy Dubreil's and Hatem Hamdi's PhDs.
From Safety Verification to Safety Testing
In this work we describe a methodology integrating verification and conformance testing for the formal validation of reactive systems. We assume a specification of the system (an extended input-output automaton, which may be infinite-state), together with a set of safety properties ("nothing bad ever happens") and possibility properties ("something good may happen"). The properties are first tentatively verified on the specification using automatic techniques based on approximated state-space exploration; these techniques are sound but, as the price to pay for automation, are not complete for the given class of properties. Because of this incompleteness and of state-space explosion, the verification may not succeed in proving or disproving the properties. However, even if verification did not succeed, the testing phase can proceed and provide useful information about the implementation. Test cases are automatically and symbolically generated from the specification and the properties, and are executed on a black-box implementation of the system. The test execution may detect violations of conformance between implementation and specification; in addition, it may detect violation or satisfaction of the properties by the implementation and by the specification. In this sense, testing completes verification. The approach is illustrated on simple examples and on a Bounded Retransmission Protocol  .
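To make the verdict structure of this methodology concrete, here is an added toy example; it is not the authors' tool or code, and the protocol, state names and property are all constructed. It models a finite deterministic IOLTS specification, a safety property as an observer automaton with a forbidden state, an exact reachability check standing in for the approximate verification step (which is only needed for infinite-state IOSTS), and a test-execution function that classifies an observed trace by conformance and by property violation.

```python
"""Verify-then-test loop on a finite toy IOLTS (added example, constructed data)."""
from collections import deque

# Constructed specification: '?' marks an input from the tester, '!' an output of
# the implementation under test.  The spec is deterministic, so no determinisation.
SPEC = {
    ("idle", "?send"): "wait",
    ("wait", "!ack"):  "idle",
    ("wait", "!err"):  "idle",
}
SPEC_INIT = "idle"

# Constructed safety property "an !ack is never emitted unless a ?send is pending",
# expressed as an observer automaton; reaching BAD means the property is violated.
# Actions without a listed transition leave the observer in its current state.
OBSERVER = {
    ("clear",   "?send"): "pending",
    ("clear",   "!ack"):  "BAD",
    ("pending", "!ack"):  "clear",
    ("pending", "!err"):  "clear",
}
OBS_INIT = "clear"

def step_obs(q, action):
    return OBSERVER.get((q, action), q)

def verify_spec():
    """Exhaustive search of spec x observer; True if the spec itself can reach BAD.
    On an infinite-state IOSTS this step would be an approximate (over-approximating,
    hence sound but incomplete) fixpoint; the finite toy allows an exact search."""
    start = (SPEC_INIT, OBS_INIT)
    seen, todo = {start}, deque([start])
    while todo:
        s, q = todo.popleft()
        if q == "BAD":
            return True
        for (src, act), dst in SPEC.items():
            if src == s and (dst, step_obs(q, act)) not in seen:
                seen.add((dst, step_obs(q, act)))
                todo.append((dst, step_obs(q, act)))
    return False

def execute_test(trace):
    """Replay an observed trace against spec and observer.
    Returns (conformance verdict, property verdict).  An output the spec does not
    allow is a conformance failure; the observer separately records whether the
    implementation broke the safety property on the way."""
    s, q = SPEC_INIT, OBS_INIT
    for action in trace:
        q = step_obs(q, action)
        if (s, action) in SPEC:
            s = SPEC[(s, action)]
        elif action.startswith("!"):
            return "fail", ("violated" if q == "BAD" else "unknown")
        else:
            raise ValueError(f"test case sent input {action} not accepted by spec")
    # a conformant trace reaching BAD means the *specification* violates the property
    return "pass", ("violated" if q == "BAD" else "satisfied")
```

A conformant trace that still reaches BAD can only come from a specification that itself violates the property, which is the "violation of the properties by the specification" detected during testing that the paragraph mentions.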