Section: Scientific Foundations
Underlying Models.
The formal models we use are mainly automata-like structures such as labelled transition systems (LTS) and some of their extensions. An LTS is a tuple M whose components are: Q, a non-empty set of states; q_0 in Q, the initial state; A, the alphabet of actions; and the transition relation. These models are adapted to testing and controller synthesis.
To model reactive systems in the testing context, we use Input/Output labelled transition systems (IOLTS for short). In this setting, the interactions between the system and its environment (where the tester lies) must be partitioned into inputs (controlled by the environment), outputs (observed by the environment), and internal (non-observable) events modelling the internal behaviour of the system. The alphabet is then partitioned accordingly into three sub-alphabets: the alphabet of outputs (marked !), the alphabet of inputs (marked ?), and the alphabet of internal actions.
In controller synthesis theory, we also distinguish between controllable and uncontrollable events (the alphabet is the union of its controllable part, subscript c, and its uncontrollable part, subscript uc), and between observable and unobservable events.
In the context of verification, we also use Timed Automata. A timed automaton is a tuple where L is a set of locations, X is a set of clocks whose valuations are positive real numbers, the set of edges is a finite subset of a product ending in 2^X × L, each edge being composed of a source and a target state, a guard given by a finite conjunction of expressions comparing a clock x with a natural number c, and a set of resetting clocks, and an invariant function assigns an invariant to each location [37]. The semantics of a timed automaton is given by an (infinite-state) labelled transition system whose states are composed of a location and a valuation of the clocks.
Also, for verification purposes, we use graph grammars, which are a general tool to define families of graphs. Such grammars are formed by a set of rules, the left-hand sides being simply hyperedges and the right-hand sides hypergraphs. For finite degree, these graph grammars characterise the transition graphs of pushdown automata (each graph generated by such a grammar corresponds to the transition graph of a pushdown automaton). They provide a simple yet powerful setting to define and study infinite-state systems.
In order to cope with more realistic models, closer to real specification languages, we also need higher-level models that consider both control and data aspects. We defined (input-output) symbolic transition systems ((IO)STS), which are extensions of (IO)LTS that operate on data (i.e., program variables, communication parameters, symbolic constants) through message passing, guards, and assignments. Formally, an IOSTS is a tuple whose components are: V, a set of variables (including a counter variable encoding the control structure); the initial condition, defined by a predicate on V; the finite alphabet of actions, where each action has a signature (just like in IOLTS, this alphabet can be partitioned, e.g. into inputs, outputs and internal actions); and T, a finite set of symbolic transitions of the form t = (a, p, G, A), where a is an action (possibly with a polarity reflecting its input/output/internal nature), p is a tuple of communication parameters, G is a guard defined by a predicate on p and V, and A is an assignment of variables. The semantics of an IOSTS is defined in terms of an (IO)LTS whose states are vectors of values of the variables and whose transitions are labelled with instantiated actions (actions with valued communication parameters). This (IO)LTS semantics allows us to perform syntactical transformations at the (IO)STS level while ensuring semantical properties at the (IO)LTS level. We also consider extensions of these models with added features such as recursion, FIFO channels, etc. An alternative to IOSTS for specifying systems with data variables is the model of synchronous dataflow equations.
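The unfolding of an IOSTS into its (IO)LTS semantics, as an added illustration that is not code from the team's tools: the IOSTS below is a constructed bounded counter (variables loc and v, where loc is the control-structure counter), the parameter domain is restricted to a finite range so that the instantiated (IO)LTS is finite, and the breadth-first traversal enumerates the concrete state vectors and their instantiated actions.

```python
from itertools import product

# Constructed example IOSTS (not from the page): a bounded counter that accepts
# inc?(n) while the total stays <= 3 and answers ack!(r) with the current value.
# V = {loc, v}: loc is the counter variable encoding the control structure.
def initial_condition(s):
    return s["loc"] == 0 and s["v"] == 0

PARAM_DOMAIN = range(4)   # finite domain used to instantiate parameters p

# Symbolic transitions t = (a, p, G, A); the polarity (?, !, tau) is part of a.
# G(s, p) is the guard on variables and parameters, A(s, p) the assignment.
TRANSITIONS = [
    ("inc?", ("n",), lambda s, p: s["loc"] == 0 and s["v"] + p["n"] <= 3,
                     lambda s, p: {"loc": 1, "v": s["v"] + p["n"]}),
    ("ack!", ("r",), lambda s, p: s["loc"] == 1 and p["r"] == s["v"],
                     lambda s, p: {"loc": 0, "v": s["v"]}),
    ("tau", (),      lambda s, p: s["loc"] == 1 and s["v"] == 3,
                     lambda s, p: {"loc": 2, "v": 0}),   # internal reset
]

def initial_states(locs=range(3), values=range(4)):
    """Vectors of variable values satisfying the initial condition."""
    return {(l, v) for l in locs for v in values
            if initial_condition({"loc": l, "v": v})}

def to_iolts(domain=PARAM_DOMAIN):
    """Unfold the IOSTS into its (IO)LTS by breadth-first traversal:
    states are (loc, v) vectors, labels are instantiated actions (a, values)."""
    init = initial_states()
    states, edges, frontier = set(init), set(), list(init)
    while frontier:
        loc, v = frontier.pop(0)
        s = {"loc": loc, "v": v}
        for a, params, guard, assign in TRANSITIONS:
            for vals in product(domain, repeat=len(params)):
                p = dict(zip(params, vals))
                if not guard(s, p):
                    continue           # not enabled for this valuation of p
                s2 = assign(s, p)
                target = (s2["loc"], s2["v"])
                edges.add(((loc, v), (a, vals), target))
                if target not in states:
                    states.add(target)
                    frontier.append(target)
    return states, edges

def outputs_after(state, edges):
    """Output actions enabled in a concrete state (the set conformance testing inspects)."""
    return {lbl for src, lbl, _ in edges if src == state and lbl[0].endswith("!")}
```

With the domain 0..3 the unfolding has 9 concrete states and 15 instantiated transitions, including the single internal tau step from (1, 3) to (2, 0).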
Our research is based on well-established theories: conformance testing, supervisory control, abstract interpretation, and theorem proving. Most of the algorithms that we employ take their origins in these theories:
- graph traversal algorithms (breadth first, depth first, strongly connected components, ...). We use these algorithms for verification as well as for test generation and control synthesis.
- BDD (Binary Decision Diagram) algorithms, for manipulating Boolean formulas, and their MTBDD (Multi-Terminal Decision Diagram) extension for manipulating more general functions. We use these algorithms for verification and test generation.
- abstract interpretation algorithms, specifically in the abstract domain of convex polyhedra (for example, Chernikova's algorithm for the computation of dual forms). Such algorithms are used in verification and test generation.
- logical decision algorithms, such as satisfiability of formulas in Presburger arithmetic. We use these algorithms during the generation and execution of symbolic test cases.