## TEAMOD Test and Model Checking

Bachelor and Master Project Bachelor Project: Winter Semester 2018/19 – Summer Semester 2019 Master Project: Winter Semester 2019/20 – Summer Semester 2020 Jan Peleska and Wen-ling Huang {jp,huang}@cs.uni-bremen.de

## Background

 Embedded control systems are omnipresent in our daily life





## Background

- The growing complexity of embedded applications leads to an dramatic increase of verification costs
- These costs will further increase with autonomous systems deployment
  - Robots
  - Vehicles
  - Cars
  - Ships
  - Trains

### We can efficiently handle low complexity . . .

... but are not yet prepared for the complexity of future applications



## TEAMOD Objectives

- Bounded model checking
- Model-based testing

#### Model



#### **Bounded model checking**

#### Test model (SysML)

#### Semantic representation





## TEAMOD Objectives

- Bounded model checking and model-based testing should be integrated in a common tool platform
  - Model checking is needed to verify the test model
  - Model-in-the-loop testing is a light-weight version of model checking

## **TEAMOD Bachelor Project**

- Three sub-projects
  - Methods
  - System under test development
  - Modelling, bounded model checking, and model-based testing

#### **Development**

#### Märklin Modelleisenbahn

#### Märklin Central Station 6021!







#### Hardware-in-the-loop test





#### Test engine

#### System under test

## TEAMOD Master Project

- Four sub-projects
  - Algorithms
  - Autonomous train control
  - Safety monitor development
  - Graphical interfaces for scenario-based testing

#### **Algorithms**

#### 1. Theory



Fig. 1. Commuting diagrams reflecting the satisfaction condition

Given a pair  $(T, T^*)$  fulfilling the satisfaction condition, this allows to translate complete testing theories existing in  $Sig_2$  to likewise complete testing theories in (sub-domains of)  $Sig_1$ .

**Theorem 2.1** Suppose that  $TS_2 : F_2 \to \mathbb{P}(TC(Sig_2))$  with  $F_2 \subseteq F(Sig_2, \leq)$  is a sound (respectively exhaustive, complete) testing theory. Define

 $F_1 = \{ (\mathcal{S}, \leq_1, Dom_1) \in F(\underline{Sig_1}, \leq_1) \mid \exists Dom_2 \subseteq Sig_2 : T(Dom_1) \subseteq Dom_2 \land (T(\mathcal{S}), \leq_2, Dom_2) \in F_2 \}.$ 

Then  $TS_1: F_1 \to \mathbb{P}(TC(Sig_1))$  defined by<sup>2</sup>

 $\mathsf{TS}_1(\mathcal{S}, \leq_1, Dom_1) = T^*(\mathsf{TS}_2(T(\mathcal{S}), \leq_2, Dom_2)),$ 

such that  $T(Dom_1) \subseteq Dom_2$ , is a sound (respectively exhaustive, complete) testing theory.

*Proof* Suppose  $TS_2$  is sound (exhaustive). Let  $\mathcal{F}_1 = (S, \leq_1, Dom_1) \in F_1$  and  $\mathcal{F}_2 = (T(S), \leq_2, Dom_2) \in F_2$  be any fault models in  $F_1$  and  $F_2$  respectively, satisfying  $TS_1(\mathcal{F}_1) = T^*(TS_2(\mathcal{F}_2))$ . Let  $S' \in Dom_1$ . Then  $T(S') \in Dom_2$ , and

 $\begin{array}{ll} \mathcal{S}' \leq_1 \mathcal{S} \iff T(\mathcal{S}') \leq_2 T(\mathcal{S}) & \text{[satisfaction condition SC1]} \\ \Rightarrow \forall U \in \mathrm{TS}_2(\mathcal{F}_2) : T(\mathcal{S}') \underline{\mathrm{pass}}_2 U & [\mathrm{TS}_2 \text{ is sound}; (" \Leftarrow " : \mathrm{TS}_2 \text{ is exhaustive})] \\ (\Leftarrow) \\ \Leftrightarrow \forall U \in \mathrm{TS}_2(\mathcal{F}_2) : \mathcal{S}' \underline{\mathrm{pass}}_1 T^*(U) & \text{[satisfaction condition SC2]} \\ \Leftrightarrow \mathcal{S}' \underline{\mathrm{pass}}_1 T^*(\mathrm{TS}_2(\mathcal{F}_2)) & \\ \Leftrightarrow \mathcal{S}' \underline{\mathrm{pass}}_1 \mathrm{TS}_1(\mathcal{F}_1) & [\mathrm{TS}_1(\mathcal{F}_1) = T^*(\mathrm{TS}_2(\mathcal{F}_2))] \end{array}$ 

Hence  $TS_1(\mathcal{F}_1)$  is a sound (exhaustive) test suite for any fault model  $\mathcal{F}_1 \in F_1$ . Consequently,  $TS_1$  is sound (exhaustive). Since completeness is the combination of soundness and exhaustiveness, this proves the theorem.

#### 2. Algorithm design

8. For each  $(i, j) \in J$ , collect all disjuncts

$$g_{i'.i'_1...i'_{n'}} \wedge (\mathbf{m}, \mathbf{y}) = (\mathbf{d}_{i'}, \mathbf{e}_{i'}) \wedge (\mathbf{m}', \mathbf{y}') = (\mathbf{d}_{i'_{n'}}, \mathbf{e}_{i'_{n'}}) \wedge (\mathbf{x}' = \mathbf{x})$$

satisfying  $i'.i'_1...i'_{n'} \in \text{RTR}_{i,j}$  and consequently i' = i,  $i'_{n'} = j$  and merge them into a single disjunct

$$g_{i,j} \wedge (\mathbf{m}, \mathbf{y}) = (\mathbf{d}_i, \mathbf{e}_i) \wedge (\mathbf{m}', \mathbf{y}') = (\mathbf{d}_j, \mathbf{e}_j) \wedge (\mathbf{x}' = \mathbf{x})$$

where

$$g_{i,j} \equiv \bigvee_{i' \cdot i'_1 \cdots i'_{n'} \in \operatorname{RTR}_{i,j}} g_{i' \cdot i'_1 \cdots i'_{n'}}$$

9. Terminate by returning  $\mathcal{R}$ .

#### 3. Programming

void RttTgenGenerator::generateTestCases() {

```
// The root of the test procedure tree carries the memory state before
tprocRoot = [&] {
    auto mSys = static_cast< RttTgenConcreteLatticeMemory* >(system->get
    mSys->setParentSystem(system);
    return new RttTgenTestProcTree(mSys, 0, true, 0);
}();
currentTprocNode = tprocRoot;
remainingSimulationSteps = parms->getSimSteps();
// Initialise interpreters
sim = new simlib::Simulator(*system);
```

```
sim = new simlib::Simulator(*system);
sim->setAddGoalsUnordered(additionalGoals->getUnordered());
sim->setAddGoalsOrdered(additionalGoals->getOrdered());
sim->setTestCaseDb(tcDb);
sim->setParms(parms);
nextTimeTickFromSimulator = 0;
```

Autonomous train control & Safety monitor Märklin Modelleisenbahn

# <image>

#### Märklin Central Station 6021!



#### Safety monitor





#### **Graphical interfaces for scenario-based testing**



## Accompanying Lectures

- **Test automation** [highly recommended]
- Theory of reactive systems
- Systems of high quality, safety, and security
- Specification of embedded systems
- Operating systems
- Real-time operating systems development