Table of Contents Program Model Checking: Case Studies and Practitioner’s Guide John Penix, ARC Owen O’Malley, QSS Lawrence Markosian, QSS Peter Mehlitz,

Table of Contents Program Model Checking: Case Studies and Practitioner’s Guide John Penix, ARC Owen O’Malley, QSS Lawrence Markosian, QSS Peter Mehlitz, CSC Masoud Mansouri-Semani, CSC Howard Hu, JSC Tanya Lippencott, GDDS Mark Coats, GDDS

Program Model Checking Case Studies and Practitioner’s Guide
Objectives
► Overall objectives
▀ Assemble the emerging best practices in program model checking
▀ Demonstrate and validate their use in several case studies
▀ Document the results in a Practitioner’s Guide for Program Model Checking
► Year 1 - Analysis & Baseline
▀ Determine critical requirements and verification coverage requirements for initial case study
▀ Set up test environment for the selected application at Ames
▀ Apply and document basic model checking techniques and determine coverage of verification goals.

Program Model Checking Case Studies and Practitioner’s Guide
Initial Case Study: Shuttle Abort Flight Manager (SAFM)
► SAFM provides situational awareness and decision support for shuttle pilots in case of an abort prior to orbit.
▀ abort performance assessment during powered flight
▀ landing site evaluation and monitoring during glided flight
► Developed by NASA Johnson Space Center and General Dynamics Decision Systems
► Runs on-board shuttle and on the ground
► About 38K SLOC C++
► Scheduled to fly in 2006

Model Checking as a Best Practice
► Model checking best practices must address:
▀ Identifying critical components and properties
▀ Constructing test drivers and environment models
▀ Developing “models” or abstractions of the system
▀ Tuning model checking algorithms/tools
▀ Assessing verification results – coverage and error reports
► Apply model checking as part of integrated best practices:
▀ Manual and automated software inspections
▀ Testing
▀ Model checking

Program Model Checking Case Studies and Practitioner’s Guide
Accomplishments
► Evaluated SAFM source code and requirements for applicability to model checking and identified critical issues
▀ Identified the Sequencer as a critical subsystem where model checking can be applied
▀ Manual and automated code inspections
► Hosted the SAFM test lead at ARC for a week to elicit requirements and design properties that are currently unchecked.
▀ Identified critical properties
► Set up SAFM build & test environment at ARC
▀ Gathered data on existing test coverage

Identifying Critical Subsystem - Sequencer
► Focus on the Executive Controller and Sequencer
▀ Top level control logic for SAFM including error handling
▀ Manages evaluation of the various potential abort scenarios
▀ Complex scenario interactions that are difficult to test
(Architecture diagram: Scenario, Input Manager, Output Manager, Exec Controller, Sequencer, System Software Calls)

Model Checking - Sequencer
► Use non-determinism to simplify the input and state space
▀ “Stub out” most of the numeric computation and replace it with non-deterministic choice
▀ Abstract data values by collapsing multiple floating point values into a single boolean.
► Example properties:
▀ Child scenarios don’t use data from unavailable or invalid parents
▀ How many scenarios can run in the same cycle?

Critical Properties
► Properties: “low level” requirements that characterize valid sequences of program states (“executions”)
► Many application specific properties:
▀ All dynamic memory (de)allocation must happen during initialization and shutdown
▀ No scenario uses data from a parent scenario that was not applicable or valid
► General properties:
▀ No memory leaks
▀ No array bounds overflows

Manual and Automated Code Inspection
► Manual inspections discovered:
▀ Duplicated code and data
▀ Inconsistencies between the description of functions and their implementations - maintainability issue
► Automated inspections discovered:
▀ Incorrect overloading of binary & instead of unary &
▀ Single argument constructors that are not explicit
▀ Missing assignment operator (e.g. += when + is defined)
▀ Missing inverse operator (e.g. >= when < is defined)
► Similar issues in the System Software
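The automated-inspection findings above are easiest to see in code. The following is an added example, not code from SAFM or from the project: a constructed `AltitudeWeak` class written the way the inspection would flag it (non-explicit single-argument constructor, `+` with no `+=`, `<` with no `>=`) beside a corrected `Altitude`, plus a `comparisons_consistent` self-check that a reviewer can run over sample values. The binary-versus-unary `&` finding (a one-parameter member `operator&` is bitwise AND, not address-of) is not reproduced in code. All names are hypothetical.

```cpp
#include <vector>

// Weak form, as the inspection would flag it: implicit single-argument
// constructor, + without +=, < without >=.
struct AltitudeWeak {
    double ft;
    AltitudeWeak(double v) : ft(v) {}   // not explicit: a bare double converts silently
    friend AltitudeWeak operator+(AltitudeWeak a, AltitudeWeak b) { return AltitudeWeak(a.ft + b.ft); }
    friend bool operator<(AltitudeWeak a, AltitudeWeak b) { return a.ft < b.ft; }
    // no operator+= and no operator>=: every caller re-derives them by hand
};

// Compiles only because of the implicit conversion: the limit check is fed a
// raw number whose unit and origin nobody verified.
bool below_limit_weak(AltitudeWeak a) { return a < AltitudeWeak(10000.0); }
bool weak_accepts_raw_double() { return below_limit_weak(2.5); }

// Corrected form: explicit constructor; += is primary and + is derived from it;
// < is primary and the other comparisons are derived from it, so an inverse
// pair cannot drift apart when one of them is later edited.
class Altitude {
public:
    explicit Altitude(double v) : ft_(v) {}
    double feet() const { return ft_; }
    Altitude& operator+=(const Altitude& o) { ft_ += o.ft_; return *this; }
    friend Altitude operator+(Altitude a, const Altitude& b) { a += b; return a; }
    friend bool operator<(const Altitude& a, const Altitude& b) { return a.ft_ < b.ft_; }
    friend bool operator>(const Altitude& a, const Altitude& b) { return b < a; }
    friend bool operator<=(const Altitude& a, const Altitude& b) { return !(b < a); }
    friend bool operator>=(const Altitude& a, const Altitude& b) { return !(a < b); }
private:
    double ft_;
};

// below_limit(2.5) is now a compile error; callers must write Altitude(2.5).
bool below_limit(const Altitude& a) { return a < Altitude(10000.0); }

// Reviewer self-check: every inverse pair must agree for every ordered pair of
// sample values, including equal values, where a hand-written >= usually breaks.
bool comparisons_consistent(const std::vector<double>& samples) {
    for (double x : samples) {
        for (double y : samples) {
            Altitude a(x), b(y);
            if ((a >= b) != !(a < b)) return false;
            if ((a <= b) != !(a > b)) return false;
            if ((a < b) && (b < a)) return false;   // antisymmetry of <
        }
    }
    return true;
}

// Accumulation written against the primary operator only.
double total_feet(const std::vector<double>& legs) {
    Altitude sum(0.0);
    for (double v : legs) sum += Altitude(v);
    return sum.feet();
}
```

The `explicit` change is the one that pays off most in review: a call such as `below_limit_weak(2.5)` is exactly the silent unit or type confusion an inspection tool flags, and the corrected class turns it into a compile error rather than a runtime surprise.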

Program Model Checking Case Studies and Practitioner’s Guide
Approach - Testing
► Ported the subsystem (L2) test driver to run under Unix (e.g. Linux and Mac OS) and added additional testing flexibility
► Applied testing tools
▀ Memcheck (array bounds and memory leaks)
▀ Gcov (statement coverage and counts)
▀ Kcachegrind (performance measurements)
► Used test data from General Dynamics that was generated by the shuttle simulator

Testing - Code Coverage
► Used GNU’s gcov tool to determine code coverage of the current set of test cases.
► Statement coverage after running all test cases was 83%.
► Some surprising hotspots involved getting mnemonic names (~2 billion times) and string comparison on mnemonic names (~1.5 billion times).

Testing - Verifying Properties
► All dynamic memory allocations happen during SafmInitialize and all deallocations happen during ~SafmExecutiveController
▀ Overloaded operator new and delete
▀ Used control flags to ensure they weren’t called at the wrong time
► No memory leaks
▀ Used valgrind and only found 1 leak in the testing stubs
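One way to build the operator new/delete overload with control flags, as an added example that is not the SAFM code: a hypothetical `ExecutiveController` stands in for SafmExecutiveController, a `Phase` flag is set in initialize, execute and the destructor, and replacement global `operator new`/`operator delete` count calls made in the wrong phase instead of aborting, so a single run produces a report. The fault-injection parameter on `execute_cycle` is constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <vector>

// Lifecycle phases of the hypothetical controller. Only the three named phases
// are checked; Unchecked covers code outside the controller (test harness etc.).
enum class Phase { Unchecked, Initialize, Execute, Shutdown };

static Phase g_phase = Phase::Unchecked;   // control flag consulted by new/delete
static std::size_t g_bad_allocs = 0;       // allocations outside Initialize
static std::size_t g_bad_frees = 0;        // deallocations outside Shutdown

// Replacement global operator new: plain malloc plus the phase check.
// Allocation is only allowed while initializing (Unchecked is left alone).
void* operator new(std::size_t n) {
    if (g_phase == Phase::Execute || g_phase == Phase::Shutdown) ++g_bad_allocs;
    void* p = std::malloc(n == 0 ? 1 : n);
    if (p == nullptr) throw std::bad_alloc();
    return p;
}

// Replacement global operator delete (unsized and sized forms; the array forms
// of new/delete default to these). Freeing is only allowed during shutdown.
void operator delete(void* p) noexcept {
    if (p != nullptr && (g_phase == Phase::Initialize || g_phase == Phase::Execute)) ++g_bad_frees;
    std::free(p);
}
void operator delete(void* p, std::size_t) noexcept { ::operator delete(p); }

// Hypothetical stand-in for SafmExecutiveController: every buffer is sized once
// in initialize(); per-cycle work must not touch the heap.
class ExecutiveController {
public:
    void initialize(std::size_t channels) {
        g_phase = Phase::Initialize;
        state_.reserve(channels);                 // one allocation, no later growth
        for (std::size_t i = 0; i < channels; ++i) state_.push_back(0.0);
    }
    void execute_cycle(bool inject_fault) {
        g_phase = Phase::Execute;
        for (double& v : state_) v += 1.0;        // pure in-place update
        if (inject_fault) state_.push_back(0.0);  // constructed fault: grows the vector mid-flight
    }
    ~ExecutiveController() { g_phase = Phase::Shutdown; }   // members are freed after this body
private:
    std::vector<double> state_;
};

struct HeapReport { std::size_t bad_allocs; std::size_t bad_frees; };

// Runs one initialize / execute / shutdown lifecycle and reports phase violations.
HeapReport check_lifecycle(bool inject_fault) {
    g_bad_allocs = 0;
    g_bad_frees = 0;
    {
        ExecutiveController ctl;
        ctl.initialize(16);
        ctl.execute_cycle(inject_fault);
        ctl.execute_cycle(false);
    }                                            // destructor: frees happen in Shutdown
    HeapReport r{g_bad_allocs, g_bad_frees};
    g_phase = Phase::Unchecked;                  // stop checking once the controller is gone
    return r;
}

int main() {
    HeapReport ok = check_lifecycle(false);
    HeapReport bad = check_lifecycle(true);
    std::printf("compliant run: %zu bad allocs, %zu bad frees\n", ok.bad_allocs, ok.bad_frees);
    std::printf("faulty run:    %zu bad allocs, %zu bad frees\n", bad.bad_allocs, bad.bad_frees);
    return 0;
}
```

The faulty run is counted as one bad allocation and one bad free because a `std::vector` that outgrows its capacity during a cycle allocates a new block and releases the old one; that hidden heap use inside flight-cycle code is exactly what the property is meant to catch, and `reserve()` in `initialize()` is what keeps the compliant run clean.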

Approaches - Model Checking
► Model Checking (MC): systematically check all transitions of an automaton for property violations
► Program Model Checking (PMC): execute all potential execution sequences (paths) of a program
► PMC is the measure of choice when not all execution paths can be tested: concurrency (scheduler not controllable in test)
► BUT: SAFM has no internal concurrency (threads)…

Approaches - Model Checking
► SMC also good for checking program responses to non-deterministic input → very suitable for SAFM (GNC input data variations)
► BUT: model checkers usually do this by enumerating all possible input values → not feasible for infinite value sets like float intervals

Approaches - Model Checking
► JPF solution for SAFM: Heuristic Choice Generators
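The non-deterministic abstraction from the “Model Checking - Sequencer” slide and the path enumeration described on these slides can be shown with a small explicit-state explorer. This is an added example, not JPF or SAFM code: a constructed scenario tree, a hypothetical `run_cycle` sequencer whose numeric evaluation is replaced by two booleans per scenario (applicable, valid), and `model_check`, which enumerates every assignment of those 2n bits the way a choice generator would backtrack over them and checks both example properties (no child uses data from a parent that did not run or was invalid; the maximum number of scenarios running in one cycle). The `stale_status_bug` flag, which makes the child gate read a status word that was never rewritten because the parent did not run, is constructed so the checker has something to find; the boolean abstraction here stands in for the heuristic float choices JPF would generate.

```cpp
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Constructed abstract scenario tree: each scenario may consume data from one
// parent (parent == -1 for a root). Parents must precede their children.
struct Scenario { std::string name; int parent; };

struct CycleOutcome {
    std::vector<bool> ran;
    bool violated = false;   // a child consumed data from a parent that did not run or was invalid
};

// Hypothetical sequencer, reduced to its control decisions. The numeric work is
// stubbed out: `applicable[i]` says whether scenario i would run this cycle and
// `valid[i]` whether its output passed its own limit checks.
CycleOutcome run_cycle(const std::vector<Scenario>& tree, const std::vector<bool>& applicable,
                       const std::vector<bool>& valid, bool stale_status_bug) {
    const std::size_t n = tree.size();
    CycleOutcome out;
    out.ran.assign(n, false);
    std::vector<bool> status_valid(n, true);   // status words: start "valid", rewritten only when a scenario runs
    for (std::size_t i = 0; i < n; ++i) {
        const int p = tree[i].parent;
        bool parent_ok = true;
        if (p >= 0) {
            // Correct gate: parent ran this cycle AND reported valid.
            // Buggy gate: trusts the status word alone, which is stale if the parent never ran.
            parent_ok = stale_status_bug ? status_valid[p] : (out.ran[p] && status_valid[p]);
        }
        if (!applicable[i] || !parent_ok) continue;
        out.ran[i] = true;
        status_valid[i] = valid[i];
        if (p >= 0 && !(out.ran[p] && valid[p])) out.violated = true;   // ground-truth property check
    }
    return out;
}

struct CheckResult {
    std::size_t paths_explored = 0;
    std::size_t max_running = 0;              // answers "how many scenarios can run in one cycle?"
    bool counterexample_found = false;
    std::vector<bool> cx_applicable, cx_valid; // first violating choice vector, if any
};

// Exhaustively enumerates every assignment of the 2n non-deterministic bits
// (2^(2n) paths), as a choice generator would backtrack over them, and checks
// the property on the cycle each assignment produces.
CheckResult model_check(const std::vector<Scenario>& tree, bool stale_status_bug) {
    const std::size_t n = tree.size();
    CheckResult res;
    const unsigned long total = 1UL << (2 * n);
    for (unsigned long mask = 0; mask < total; ++mask) {
        std::vector<bool> applicable(n), valid(n);
        for (std::size_t i = 0; i < n; ++i) {
            applicable[i] = ((mask >> (2 * i)) & 1UL) != 0;
            valid[i] = ((mask >> (2 * i + 1)) & 1UL) != 0;
        }
        CycleOutcome out = run_cycle(tree, applicable, valid, stale_status_bug);
        ++res.paths_explored;
        std::size_t running = 0;
        for (bool r : out.ran) running += r ? 1 : 0;
        if (running > res.max_running) res.max_running = running;
        if (out.violated && !res.counterexample_found) {
            res.counterexample_found = true;
            res.cx_applicable = applicable;
            res.cx_valid = valid;
        }
    }
    return res;
}

// Constructed tree (names are placeholders): one root, two children, one grandchild.
std::vector<Scenario> sample_tree() {
    return {{"ascent", -1}, {"abort_a", 0}, {"abort_b", 0}, {"site_select", 2}};
}

int main() {
    for (bool bug : {false, true}) {
        CheckResult r = model_check(sample_tree(), bug);
        std::printf("%s gate: %zu paths, max %zu scenarios per cycle, counterexample: %s\n",
                    bug ? "stale-status" : "correct", r.paths_explored, r.max_running,
                    r.counterexample_found ? "yes" : "no");
    }
    return 0;
}
```

With four scenarios the explorer covers all 256 choice vectors, something the simulator-generated test data cannot guarantee; the first counterexample it reports for the stale-status gate is the cycle in which the root is not applicable but its first child still runs. Replacing the bit enumeration with a recursive backtracking search over choice points is what turns this into the general algorithm for deeper state spaces.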

Lessons Encountered To Date
► C++ is a new platform for shuttle software and has many pitfalls for even experienced programmers
► Testing and model checking effort is significantly eased by good design.
▀ Coding standards can encourage good design, but need to be flexible to handle special cases (e.g. a friend class to enhance data visibility during testing)
► Difficulty in testing and sustaining engineering arises from:
▀ An impoverished development environment for flight software
▀ “Distance” between development environment and runtime environment
► Development team support is required for obtaining required domain expertise
► Goals for model checking must be carefully selected
► Understand where model checking fits into the overall verification program