Model-Based Testing of Object-Oriented Reactive Systems with Spec Explorer
2007
Cited by 34 (8 self)
Testing is one of the costliest aspects of commercial software development. Model-based testing is a promising approach addressing these deficits. At Microsoft, model-based testing technology developed by the Foundations of Software Engineering group in Microsoft Research has been used since 2003. The second generation of this tool set, Spec Explorer, deployed in 2004, is now used on a daily basis by Microsoft product groups for testing operating system components, .NET framework components and other areas. This chapter provides a comprehensive survey of the concepts of the tool and their foundations.
An SMT approach to bounded reachability analysis of model programs
In FORTE, 2008
Cited by 16 (10 self)
Model programs represent transition systems that are used to specify expected behavior of systems at a high level of abstraction. The main application area is application-level network protocols or protocol-like aspects of software systems. Model programs typically use abstract data types such as sets and maps, and comprehensions to express complex state updates. Such models are mainly used in model-based testing as inputs for test case generation and as oracles during conformance testing. Correctness assumptions about the model itself are usually expressed through state invariants. An important problem is to validate the model prior to its use in the above-mentioned contexts. We introduce a technique of using Satisfiability Modulo Theories (SMT) to perform bounded reachability analysis of a fragment of model programs. We use the Z3 solver for our implementation and benchmarks, and we use AsmL as the modeling language. The translation from a model program into a verification condition of Z3 is incremental and involves selective instantiation of the quantifiers that result from the comprehension expressions.
The Church-Turing Thesis over Arbitrary Domains
2008
Cited by 15 (9 self)
The Church-Turing Thesis has been the subject of many variations and interpretations over the years. Specifically, there are versions that refer only to functions over the natural numbers (as Church and Kleene did), while others refer to functions over arbitrary domains (as Turing intended). Our purpose is to formalize and analyze the thesis when referring to functions over arbitrary domains. First, we must handle the issue of domain representation. We show that, prima facie, the thesis is not well defined for arbitrary domains, since the choice of representation of the domain might have a non-trivial influence. We overcome this problem in two steps: (1) phrasing the thesis for entire computational models, rather than for a single function; and (2) proving a “completeness” property of the recursive functions and Turing machines with respect to domain representations. In the second part, we propose an axiomatization of an “effective model of computation” over an arbitrary countable domain. This axiomatization is based on Gurevich’s postulates for sequential algorithms. A proof is provided showing that all models satisfying these axioms, regardless of underlying data structure, are of equivalent computational power to, or weaker than, Turing machines.
The hidden computation steps of turbo Abstract State Machines
In Abstract State Machines — Advances in Theory and Applications, 10th International Workshop, ASM 2003, 2003
Cited by 10 (2 self)
Turbo Abstract State Machines are ASMs with parallel and sequential composition and possibly recursive submachine calls. Turbo ASMs are viewed as black boxes that can combine arbitrarily many steps of one or more submachines into one big step. The intermediate steps of a turbo ASM are not observable from outside. It is not even clear what exactly the intermediate steps are, because the semantics of turbo ASMs is usually defined inductively along the call graph of the ASM and the structure of the rule bodies. The most important application of turbo ASMs is recursive algorithms. Such algorithms can be simulated directly on turbo ASMs without transforming them into multi-agent (distributed) ASMs. In this article we analyze the hidden intermediate steps of turbo ASMs and characterize them using PAR/SEQ trees. We also address the problem of the reserve in the presence of recursion and sequential composition.
Protocol Modeling with Model Program Composition
Cited by 8 (4 self)
Designing and interoperability testing of distributed, application-level network protocols is complex. Windows, for example, currently supports more than 200 protocols, ranging from simple protocols for email exchange to complex ones for distributed file replication or real-time communication. To address this growing complexity, we introduce a methodology and formal framework that uses model program composition to specify the behavior of such protocols. A model program can be used to specify an increment of protocol functionality with a coherent purpose, which can be understood and analyzed separately. The overall behavior of a protocol can be defined by a composite model program, which defines how the individual parts interoperate.
Symbolic Bounded Model Checking of Abstract State Machines
2009
Cited by 4 (4 self)
Abstract State Machines (ASMs) allow modeling system behaviors at any desired level of abstraction, including a level with rich data types, such as sets or sequences. The availability of high-level data types allows state elements to be represented both abstractly and faithfully at the same time. AsmL is a rich ASM-based specification and programming language. In this paper we look at symbolic analysis of model programs written in AsmL with a background theory T of linear arithmetic, sets, tuples, and maps. We first provide a rigorous account of the update semantics of AsmL in terms of T, and formulate the problem of bounded path exploration of model programs, or the problem of Bounded Model Program Checking (BMPC), as a satisfiability modulo T problem. Then we investigate the boundaries of decidable and undecidable cases for BMPC. In a general setting, BMPC is shown to be highly undecidable: it is effectively equivalent to satisfiability in second-order Peano arithmetic with sets (Σ^1_1-complete); and even when restricting to finite sets the problem is as hard as the halting problem of
Bounded reachability of model programs
2008
Cited by 4 (4 self)
Model programs represent labeled transition systems and are used to specify expected behavior of systems at a high level of abstraction. Such programs are common as high-level executable specifications of complex protocols. Model programs typically use abstract data types such as sets and maps, and comprehensions to express complex state updates. Such models are mainly used in model-based testing as inputs for test case generation and as oracles during conformance testing. Correctness assumptions about the model itself are usually expressed through state invariants. An important problem is to validate the model prior to its use in the above-mentioned contexts. We introduce a technique of using Satisfiability Modulo Theories (SMT) to perform bounded reachability analysis of a fragment of model programs. We analyze the bounded reachability problem and prove decidability and undecidability results for restricted cases of this problem. We use the Z3 solver for our implementation and benchmarks,
Model-Based Testing of Cryptographic Protocols
In Trustworthy Global Computing, International Symposium, TGC 2005, Revised Selected Papers, 2005
Cited by 4 (1 self)
Modeling is a popular way of representing the behavior of a system. A very useful type of model in computing is an abstract state machine, which describes transitions over first-order structures. The general-purpose model-based testing tool SpecExplorer (used within Microsoft, also available externally) uses such a model, written in AsmL or Spec#, to perform a search that checks that all reachable states of the model are safe, and also to check conformance of an arbitrary .NET implementation to the model. Spec Explorer provides a variety of ways to cut down the state space of the model, for instance by finitizing parameter domains or by providing predicate abstraction. It has already found subtle bugs in production software. First-order structures and abstract state machines over them are also a useful way to think about cryptographic protocols, since models formulated in these terms arise by natural abstraction from computational cryptography.
A Formalization of the Church-Turing Thesis for State-Transition Models
Cited by 3 (0 self)
Our goal is to formalize the Church-Turing Thesis for a very large class of computational models. Specifically, the notion of an “effective model of computation” over an arbitrary countable domain is axiomatized. This is accomplished by modifying Gurevich’s “Abstract State Machine” postulates for state-transition systems. A proof is provided that all models satisfying our axioms, regardless of underlying data structure—and including all standard state-transition models—are equivalent to (up to isomorphism), or weaker than, Turing machines. To allow the comparison of arbitrary models operating over arbitrary domains, we employ a quasi-ordering on computational models, based on their extensionality. LCMs can do anything that could be described as “rule of thumb” or “purely mechanical”.... This is sufficiently well established that it is now agreed amongst logicians that “calculable by means of an LCM” is the correct accurate rendering of such phrases.
Using Satisfiability Modulo Theories to Analyze Abstract State Machines
Cited by 2 (2 self)
We look at a fragment of ASMs used to model protocol-like aspects of software systems. Such models are used industrially as part of documentation and as oracles in model-based testing of application-level network protocols. Correctness assumptions about the model are often expressed through state invariants. An important problem is to validate the model prior to its use as an oracle. We discuss a technique of using Satisfiability Modulo Theories (SMT) to perform bounded reachability analysis of such models. We use the Z3 solver for our implementation and we use AsmL as the modeling language. Protocols are abundant; we rely on the reliable sending and receiving of email, multimedia, and business data. But protocols, such as the Windows network file protocol SMB (Server Message Block), can be very complex and hard to get right. Model programs have proven to be a useful way to model the behavior of such protocols and it is an emerging practice in the software industry [6, 9, 11] to use model programs for documentation and behavioral specification of