Papers by Marie-Claude Gaudel
HAL (Le Centre pour la Communication Scientifique Directe), Jun 1, 2016
Path-biased random testing is an interesting alternative to classical path-based approaches faced with the explosion of the number of paths, and to the weak structural coverage of random methods based on the input domain only. Given a graph representation of the system under test, a probability distribution on paths of a certain length is computed and then used for drawing paths. A limitation of this approach, as with other methods based on symbolic execution and static analysis, is the existence of infeasible paths, which often leads to many unexploitable drawings. We present a prototype for pruning some infeasible paths, thus eliminating useless drawings. It is based on graph transformations that have been proved to preserve the actual behaviour of the program. It is driven by symbolic execution and heuristics that use detection of subsumptions and the abstract-check-refine paradigm. The approach is illustrated on some detailed examples.
Springer eBooks, 2014
Circus is a state-rich process algebra based on Z and CSP that can be used for testing. In this paper, we consider data-flow coverage. In adapting the classical results on coverage of programs to Circus models, we define a notion of specification traces, consider models with data-flow anomalies, and cater for the internal nature of state. Our results are a framework for data-flow coverage of such abstract models, a novel data-flow criterion suited to state-rich process models, and the conversion of specification traces into symbolic traces.
HAL (Le Centre pour la Communication Scientifique Directe), Jan 17, 2017
This report documents how we have implemented a trace generator for the Circus specification language using K, a rewrite-based executable semantic framework in which programming languages, type systems and formal analysis tools can be defined using configurations, computations and rules. This implementation is based on the operational semantics of Circus, which we have revisited to make it exploitable with K. The motivation of this work is the development of a test generation environment for Circus. Moreover, it may provide some inspiration to the developers of tools for specification languages based on process algebras.
Information & Software Technology, 2017
Context: The demand from industry for more dependable and scalable test-development mechanisms has fostered the use of formal models to guide the generation of tests. Despite many advancements having been obtained with state-based models, such as Finite State Machines (FSMs) and Input/Output Transition Systems (IOTSs), more advanced formalisms are required to specify large, state-rich, concurrent systems. Circus, a state-rich process algebra combining Z, CSP and a refinement calculus, is suitable for this; however, deriving tests from such models is accordingly more challenging. Recently, a testing theory has been stated for Circus, allowing the verification of process refinement based on exhaustive test sets. Objective: We investigate fault-based testing for refinement from Circus specifications using mutation. We seek the benefits of such techniques in test-set quality assertion and fault-based test-case selection. We target results relevant not only for Circus, but to any process algebra for refinement that combines CSP with a data language. Method: We present a formal definition for fault-based test sets, extending the Circus testing theory, and an extensive study of mutation operators for Circus. Using these results, we propose an approach to generate tests to kill mutants. Finally, we explain how prototype tool support can be obtained with the implementation of a mutant generator, a translator from Circus to CSP, and a refinement checker for CSP, and with a more sophisticated chain of tools that support the use of symbolic tests. Results: We formally characterise mutation testing for Circus, defining the exhaustive test sets that can kill a given mutant. We also provide a technique to select tests from these sets based on specification traces of the mutants. Finally, we present mutation operators that consider faults related to both reactive and data manipulation behaviour. Altogether, we define a new fault-based test-generation technique for Circus. Conclusion: We conclude that mutation testing for Circus can truly aid in making test generation from state-rich models more tractable, by focussing on particular faults.
Springer eBooks, 1995
The paper presents a theory of program testing based on formal specifications. The formal semantics of the specifications is the basis for a notion of an exhaustive test set. Under some minimal hypotheses on the program under test, the success of this test set is equivalent to the satisfaction of the specification. The selection of a finite subset of the exhaustive test set can be seen as the introduction of more hypotheses on the program, called selection hypotheses. Several examples of commonly used selection hypotheses are presented. Another problem is the observability of the results of a program with respect to its specification: contrary to some common belief, the use of a formal specification is not always sufficient to decide whether a test execution is a success. As soon as the specification deals with more abstract entities than the program, program results may appear in a form which is not obviously equivalent to the specified results. A solution to this problem is proposed in the case of algebraic specifications.
HAL (Le Centre pour la Communication Scientifique Directe), Sep 13, 2017
This extended abstract takes advantage of a theory of software testing based on formal specifications to point out the benefits and limits of the use of formal methods to this end. A notion of exhaustive test set is defined according to the semantics of the formal notation, the considered conformance relation, and some testability hypotheses on the system under test. This gives a framework for the formalisation of test selection, test execution, and oracles, and, moreover, leads to the explicitation of those hypotheses underlying test selection strategies, such as uniformity hypotheses or regularity hypotheses. This explicitation provides some guides to complementary proofs, or tests, or instrumentations of the system under test. This approach has been applied to various formalisms: axiomatic specifications of data types, model-based specifications, process algebras, transition systems, etc. It provides some guiding principles for the development of testing methods given a formal specification notation and an associated conformance/refinement relation. It is at the origin of the development of some test environments based on SMT solvers and theorem provers.
arXiv (Cornell University), Apr 16, 2013
Model checking and testing are two areas with a similar goal: to verify that a system satisfies a property. They start with different hypotheses on the systems and develop many techniques with different notions of approximation, when an exact verification may be computationally too hard. We present some notions of approximation with their logic and statistics backgrounds, which yield several techniques for model checking and testing: Bounded Model Checking, Approximate Model Checking, Approximate Black-Box Checking, Approximate Model-based Testing and Approximate Probabilistic Model Checking. All these methods guarantee some quality and efficiency of the verification.
Arch. Formal Proofs, 2012
The Circus specification language combines elements for complex data and behavior specifications, using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and He's unifying theories of programming (UTP). Isabelle/Circus is a formalization of the UTP and the Circus language in Isabelle/HOL. It contains proof rules and tactic support that allows for proofs of refinement for Circus processes (involving both data and behavioral aspects). This environment supports a syntax for the semantic definitions which is close to textbook presentations of Circus. These theories are presented with details in [9]. This document is a technical appendix of this report.
Lecture Notes in Computer Science, 1985
We present a method and a tool for generating test sets from algebraic data type specifications. We give formal definitions of the basic concepts required in our approach to functional testing. Then we discuss the problem of testing algebraic data type implementations. This allows the introduction of additional hypotheses and thus the description of an effective method for generating test sets. The method can be improved by using PROLOG. Indeed, it turns out that PROLOG is a very well suited tool for generating test sets in this context. Applicability of the method is discussed and a complete example is given.
Lecture Notes in Computer Science, 2001
Deriving test cases from specifications is now recognised as a major application of formal methods to software development. Several methods have been proposed for various formalisms: behavioural descriptions such as transition systems, model-based specifications, algebraic specifications, etc. This article presents a general framework for test data selection from formal specifications. A notion of "exhaustive test set" is derived from the semantics of the formal notation and from the definition of a correct implementation. Then a finite test set is selected via some "selection hypotheses". This approach has been illustrated by its application to algebraic specifications, object-oriented Petri nets (CO-OPN2), LUSTRE, and full LOTOS.
13th International Symposium on Software Reliability Engineering, 2002. Proceedings.
Deriving test cases from formal specifications of communicating processes has been studied for a while. Several methods have been proposed for specifications based on FSM (Finite State Machines), LTS (Labelled Transition Systems), IOTS (Input Output Transition Systems), etc. However, most approaches are limited to a finite set of actions, excluding the possibility of communicating typed values between processes. This article presents a test derivation and selection method based on a model of communicating processes with inputs, outputs and data types, which is closer to actual implementations of communication protocols.
Lecture Notes in Computer Science, 2011
We are all faced with a flowering of concepts and methods in the area of software verification and validation, due to significant advances in the domain. This paper considers the main terms and expressions currently in use on the subjects of model, specification, program, system, proof, checking, testing. Some analysis of the use and combination of these terms is sketched, pointing out some confusions and discrepancies. This leads to a plea for clarification of the taxonomy and terminology. The aim is a better identification of the general concepts and activities in the area, and the development of some uniform basic terminology helping communication and cooperation among the scientific and industrial actors.
TAPSOFT '95: Theory and Practice of Software Development, 1995
The paper presents a theory of program testing based on formal specifications. The formal semantics of the specifications is the basis for a notion of an exhaustive test set. Under some minimal hypotheses on the program under test, the success of this test set is equivalent to the satisfaction of the specification. The selection of a finite subset of the exhaustive test set can be seen as the introduction of more hypotheses on the program, called selection hypotheses. Several examples of commonly used selection hypotheses are presented. Another problem is the observability of the results of a program with respect to its specification: contrary to some common belief, the use of a formal specification is not always sufficient to decide whether a test execution is a success. As soon as the specification deals with more abstract entities than the program, program results may appear in a form which is not obviously equivalent to the specified results. A solution to this problem is proposed in the case of algebraic specifications.
Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)
We propose a new way of automating statistical structural testing, based on the combination of uniform generation of combinatorial structures, and of randomized constraint solving techniques. More precisely, we show how to draw test cases which balance the coverage of program structures according to structural testing criteria. The control flow graph is formalized as a combinatorial structure specification. This provides a way of uniformly drawing execution paths which have suitable properties. Once a path has been drawn, the predicate characterizing those inputs which lead to its execution is solved using a constraint solving library. The constraint solver is enriched with powerful heuristics in order to deal with resolution failures and random choice strategies.
Lecture Notes in Computer Science, 2012
Circus is a specification language that allows the specification of complex data structures and behaviours. Its semantics is based on the UTP (unifying theories of programming) model proposed by Hoare and He. On the basis of Isabelle/UTP, our theory of the UTP semantics in Isabelle/HOL, we propose a mechanised formal semantics, based on a shallow embedding of Circus in Isabelle/UTP. We derive proof rules from this semantics and implement tactics that allow refinement proofs to be written about Circus processes (involving both data and complex behaviours). To ease its use, the proof environment we developed supports a syntax very close to the textual representation of Circus.
Lecture Notes in Computer Science, 2010
In this paper, we present various extensions of Isabelle/HOL by theories that are essential for several formal methods. First, we explain how we have developed an Isabelle/HOL theory for a part of the Unifying Theories of Programming (UTP). It contains the theories of alphabetized relations and designs. Then we explain how we have encoded first the theory of reactive processes and then the UTP theory for CSP. Our work takes advantage of the rich existing logical core of HOL. Our extension contains the proofs for most of the lemmas and theorems presented in the UTP book. Our goal is to propose a framework that will allow us to deal with formal methods that are semantically based, partly or totally, on UTP, for instance CSP and Circus. The theories presented here will allow us to make proofs about such specifications and to apply verified transformations on them, with the objective of assisting refinement and test generation.
Theoretical Computer Science, 2015
Theories for model-based testing identify exhaustive test sets: typically infinite sets of tests whose execution establishes the conformance relation of interest. Practical techniques rely on selection strategies to identify finite subsets of these tests, and popular approaches are based on requirements to cover the model. In previous work, we have defined testing theories for refinement-based process algebra, namely, CSP and Circus, a state-rich process algebra. In this paper, we consider the selection of tests designed to establish traces refinement. In this case, conformance does not require that all traces of the model are available in the system under test, and this can raise challenges regarding coverage criteria for selection. To address these difficulties, we present a framework for formalising a variety of selection strategies. We exemplify its use in the formalisation of a selection criterion based on coverage of process communications for integration testing. We consider models written in Circus, whose symbolic testing theory facilitates the definition of uniformity and regularity hypotheses based on data operations, but also imposes extra challenges for selection of concrete tests. Our results, however, are relevant for any formalism where the conformance relation does not require all the traces of the specification to be executable by the system under test.
Science of Computer Programming, 1989
This paper relates an experiment in writing an algebraic specification of a rather complex example, namely a subset of the UNIX file system. The PLUSS specification language, which is used for this experiment, provides a set of linguistic features which allow the modularization of such specifications and the definition of a flexible and convenient syntax for expressions and axioms (such as mixfix operators, overloading, coercions). This experiment was a way of evaluating the adequacy of these features against several criteria: mainly legibility and understandability, but also reusability of specifications. The paper presents the specification and discusses it with respect to these important points. This work is partially supported by ESPRIT project No. 432 METEOR and CNRS GRECO de Programmation. UNIX is a trademark of Bell Laboratories.
Electronic Notes in Theoretical Computer Science, 2008
This paper describes a set of methods for randomly drawing traces in large models, either uniformly among all traces or with a coverage criterion as target. Classical random walk methods have some drawbacks. In the case of an irregular topology of the underlying graph, uniform choice of the next state is far from optimal from a coverage point of view. Moreover, for the same reason, it is generally not practicable to get an estimation of the coverage obtained after one or several random walks: it would require some complex global analysis of the model topology. We present here some methods that give up the uniform choice of the next state. These methods bias this choice according to the number of traces, or states, or transitions, reachable via each successor.