Generated Path Conditions for Timed Systems

1
Generated Path Conditions for Timed Systems

• Doron Peled
• Dept. of Computer ScienceUniversity of Warwick
• United Kingdom
• Joint work with Saddek Bensalem, Hongyang
  Qu,Stavros Tripakis

IFM 2005
2
Testers Goals

• Help in selecting test cases.
• Visual, by clicking on a path in flow chart.
• According to intuition about potential errors.
• According to some formal specification.
• Performing tests
• Forcing an execution (even when nondeterminism
  exists).
• Calculating the probability of a path.

3
Architecture
Test Selector
Executor
Visual Selection
Model Checker
Add Synchro.
transitions
Counter-exampletest case
code
compiler
Calculate Weakest Precondition
SatSolver
Flow graph
Calculate Probability
4
Unit testing Selection of test cases (for
white-box testing)

• The main problem is to select a good coverage
• criterion. Some standard options are
• Cover all paths of the program.
• Execute every statement at least once.
• Each decision (diamond node on flow chart) has a
  true or false value at least once.
• Each condition predicate is taking each truth
  value at least once.
• Check all possible combinations of conditions in
  each decision.

5
How to cover the executions?

• if (Agt1)(B0) then XX/A
• if (A2)(Xgt1) then XX1
• Choose values for A,B,X at the beginning that
  would force the right path/conditions/predicates.
• Value of X may change, depending on A,B.
• What do we want to cover? Paths? Statements?
  Conditions?

6
Statement coverageExecute every statement at
least once

• By choosing
• A2,B0,X3
• each statement will be chosen.
• The case where the tests fail is not checked!

• if (Agt1)(B0) then XX/A
• if (A2)(Xgt1) then XX1

Now x1.5
7
Decision coverageEach decision (diamond node in
flow graph) tested with true and false outcome at
least once.

• Can be achieved using
• A3,B0,X3
• A2,B1,X1
• Problem Does not test individual predicates.
  E.g., when Xgt1 is erroneous in second decision.

• if (Agt1)(B0) then XX/A
• if (A2)(Xgt1) then XX1

8
PreliminaryRelativizing assertions

• ?(B) x1 y1 x2 y2 /\ y2 gt 0
• Relativize ??B) w.r.t. the assignment becomes
  ??B) Y\g(X,Y)
• (I.e., ?( B) expressed w.r.t. variables at A.)
• ? ?(B)A ?x10 x2 x1 /\ x1gt0
• Think about two sets of variables,beforex, y,
  z, afterx,y,z.
• Rewrite ?(B) using after, and the assignment as a
  relation between the set of variables. Then
  eliminate after by substitution.
• Here x1y1 x2 y2 /\ y2gt0 /\x1x1 /\
  x2x2 /\ y10 /\ y2x1now eliminate x1, x2,
  y1, y2.

A
Yg(X,Y)
(y1,y2)(0,x1)
B
A
(y1,y2)(0,x1)
B
9
Verification conditions tests
B
T
F

• ??C) is transformed to ??B) t(X,Y) /\ ??C)
• ??D) is transformed to ??B)?t(X,Y) /\ ??D)
• ??B) ??D) /\ ?y2?x2

t(X,Y)
C
D
B
F
T
y2gtx2
D
C
10
How to find values for coverage?

• Put true at end of path.
• Propagate path backwards.
• On assignment, relativize expression.
• On yes edge of decision node, add decision as
  conjunction.
• On no edge, add negation of decision as
  conjunction.
• Can be more specific when calculating condition
  with multiple condition coverage.

yes
Agt1/\B0
no
XX/A
yes
A2\/Xgt1
true
no
XX1
true
11
How to find values for coverage?
(A?2 /\ X/Agt1) /\ (Agt1 B0)
yes
Agt1/\B0
A?2 /\X/Agt1
no
Need to find a satisfying assignment A3, X6,
B0 Can also calculate path condition forwards.
XX/A
A ? 2/\Xgt1
yes
A2\/Xgt1
true
no
XX1
true
12
Some real life story

• An expert programmer inspects the code of NASA
  MER.
• He observes through his experience and intuition
  that some execution path is suspicious.
• He decides how to force this path to execute,
  e.g., by figuring some inputs and initial values.
• He executes the path, showing his supervisor the
  presence of an error.
• We want to build some tools to help him with this
  process.
• Well use LTL to help with formalizing the
  intuition on where the error is.

13
Learning from another technique Model Checking

• Automaton description of a system B.
• LTL formula ?. Translate ?? into an automaton P.
• Check whether L(B) ? L(P)?.
• If so, S satisfies ?. Otherwise, the intersection
  includes a counterexample.
• Repeat for different properties.

?
?
14
Unit Testing
Model Checking
15
New Test case generation based on LTL
specification
LTL?Aut
Model Checker
Path
Path condition calculation
Flowchart
Compiler
Transitions
First order instantiator
Test monitoring
16
Path conditions

• Path in flow chart ? multiple executions
  following path.
• First order formula.
• All executions of a path must start with initial
  values satisfying the path condition.
• In deterministic code, there can be only one
  execution starting with particular values, hence
  all executions starting with initial values
  satisfying the path condition will follow that
  path.
• In nondeterministic code, each such initial value
  has an execution following a path. May need to
  insert synchronizing code.

17
Goals

• Verification of software.
• Compositional verification. Use only a unit of
  code instead of the whole code.
• Parameterized verification. Verifies a procedure
  with any value of parameters in one shot
• Generating test cases via path conditions A
  truth assignment satisfying the path condition.
  Helps derive the demonstration of errors.
• Generating appropriate values to missing
  parameters.

18
Spec at l2U (at l2/\ x?y /\ ?(at l2/\(at
l2U at l2 /\ x?2?y )))

• Automatic translation of LTL formula into an
  automaton Gerth et all
• LTL is interpreted over finite sequences.
• Can use other (linear) specification.
• Property specifies the path we want to find
  (SPIN never claim),not the property that must
  hold for all paths (for this, take the negation).

Observationeach node hasconjunctions of
predicates onprogram variables and
programcounters
19
Divide and Conquer

• Intersect property automaton with theflow chart,
  regardless of the statements and program
  variables expressions.
• Add assertions from the property automaton to
  further restrict the path condition.
• Calculate path conditions for sequences found in
  the intersection.
• Calculate path conditions on-the-fly. Backtrack
  when condition is false.Thus, advantage to
  forward calculation of path conditions
  (incrementally).

20
Spec (only program counters here)at l2U (at
l2/\? at l2/\(at l2U at l2))
at l2
l2xxz
at l2
X

at l2
at l2
l3xltt
at l2
at l2
l2xxz
Either all executions of a path satisfy the
formula or none.
at l2
Sifts away paths not satisfying formula. Then
calculate path condition.
21
Spec at l2U (at l2/\ x?y /\ ?(at l2/\(at
l2U at l2 /\ x?2?y )))
x?y
l2xxz
at l2
X

at l2/\ x?y
l3xltt
x?2?y
at l2
l2xxz
at l2/\ x?2?y
Only some executions of path may satisfy formula
Modify calculation of path condition to
incorporate property
22
Calculating the intersection of the property
automaton and flow graph (abstract variables
away).
a
a
a
?ltgt?a
s1
s2
q1
q2
?a
s3
a
a
a
Acceptance isdetermined bypropertyautomaton.
s2,q1
s1,q1
s1,q2
s3,q2
a
23
How to generate test cases

• Take the intersection of an LTL automaton (for a
  never claim) with the flow graph. Some paths
  would be eliminated for not satisfying the
  assertions on the program counters.
• Seeing same flow chart node does not mean a loop
  program variables may value. Use iterative
  deepening.
• For each initial path calculate the path
  condition. Backtrack if condition simplifies to
  false.
• Report path condition based on flow graph
  pathLTL assertions.
• Always simplify conditions!

24
How the LTL formula directs the search
Consider (x4)U (x5/\o)
x4
xlt5
true
false
x5
xx1
y7
25
How the LTL formula directs the search
Consider x4U (x5/\o)
x4
xlt5
true
false
x5
xx1
y7
26
How the LTL formula directs the search
Consider x4U (x5/\o)
x4
X4
xlt5
true
false
x5
xx1
y7
27
How the LTL formula directs the search
Consider x4U (x5/\o)
x4
X4
xlt5
true
false
x5
X4
xx1
y7
28
How the LTL formula directs the search
Consider x4U (x5/\o)
x4
X4
xlt5
true
false
x5
X4
This is acontradiction
xx1
y7
X4
xlt5
true
29
How the LTL formula directs the search
Consider x4U (x5/\o)
x4
X5
xlt5
true
false
x5
X4
xx1
y7
30
How the LTL formula directs the search
Consider x4U (x5/\o)
x4
X5
xlt5
true
false
x5
X4
xx1
y7
31
Example GCD
l0
l1xa
l2yb
l3zx rem y
l4xy
l5yz
l6z0?
yes
no
l7
32
Example GCD
l0
l1xa
l2yb
Oopswith an error (l4 and l5 were switched).
l3zx rem y
l4yz
l5xy
l6z0?
yes
no
l7
33
Why use Temporal specification

• Temporal specification for sequential software?
• Deadlock? Liveness? No!
• Captures the testers intuition about the
  location of an errorI think a problem may
  occur when the program runs through the main
  while loop twice, then the if condition holds,
  while tgt17.

34
Example GCD
l0
l1xa
l2yb
agt0/\bgt0/\at l0 /\?at l7
l3zx rem y
at l0/\agt0/\bgt0
l4yz
l5xy
l6z0?
yes
no
at l7
l7
35
Example GCD
l0
l1xa
l2yb
agt0/\bgt0/\at l0/\?at l7
l3zx rem y
Path 1 l0l1l2l3l4l5l6l7agt0/\bgt0/\a rem
b0 Path 2 l0l1l2l3l4l5l6l3l4l5l6l7
agt0/\bgt0/\a rem b?0
l4yz
l5xy
l6z0?
yes
no
l7
36
Potential explosion
Bad point potential explosion Good point may be
chopped on-the-fly
37
Now we add time

• Detailed model, for each transition we have 4
  parameters l, u, L, U
• l Needs to be enabled at least that much.
• u Cannot be enabled without taken longer
  than that.
• L Least time for transformation to occur
  (after been chosen).
• U Transformation cannot take more than that.

38
Translation to timed automata
s1at l
?c1?c2x20
?c1?c2x20
c1??c2x10
c1??c2x10
c1?c2 x1,x20
?c1??c2
?c1??c2
?c1??c2
s3,at lx2ltu2x1ltu1
c1??c2
?c1?c2
s4,at lx2ltu2
s2,at lx1ltu1
c1?c2x20
c1?c2x10
Timing out the enablednessZero the
counters,Cannot wait enabled too much.
39
Translation to timed automata
s1at l
?c1?c2x20
?c1?c2x20
c1??c2x10
c1??c2x10
c1?c2 x1,x20
?c1??c2
?c1??c2
?c1??c2
s3,at lx2ltu2x1ltu1
c1??c2
?c1?c2
s4,at lx2ltu2
s2,at lx1ltu1
c1?c2x20
c1?c2x10
ac
x1?l1x10
bc
x1?l1x10
x2?l2x20
x2?l2x20
bc
s5x1ltU1
ac
s6x2ltU2
Can fire only if waited enough,Zero counters
again.
40
Translation to timed automata
s1at l
?c1?c2x20
?c1?c2x20
c1??c2x10
c1??c2x10
c1?c2 x1,x20
?c1??c2
?c1??c2
?c1??c2
s3,at lx2ltu2x1ltu1
c1??c2
?c1?c2
s4,at lx2ltu2
s2,at lx1ltu1
c1?c2x20
c1?c2x10
ac
x1?l1x10
bc
x1?l1x10
x2?l2x20
x2?l2x20
bc
s5x1ltU1
ac
s6x2ltU2
x1?L1
x2?L2
Conditions on paths represented using (symbolic)
DBMs.
af
bf
s8
s7
41
Should we really look at paths?

• Its easy to select an interleaved sequence.
• But due to time limitations, it may execute in a
  different order.
• Just the order on events from the same process
  and using same variables is to be considered.

a
a
b
b
c
d
c
Samevariable
d
Sameprocess
42
Generate an automaton for all consistent
interleavings
a
b
a
b
c
d
a
b
c
Intersect this automaton with automaton for
system.Calculate partial order condition
start from leaves.When there is a choice,
usedisjunct.
c
b
d
d
c
43
Generate an automaton for all consistent
interleavings
a
b
a
b
c
c
b
d
d
c
44
Generate an automaton for all consistent
interleavings
a
b
a
b
c
c
b
d
d
c
45
Generate an automaton for all consistent
interleavings
a
b
a
b
c
c
b
d
d
c
46
An example a simple network protocol
47
The flow charts
48
Path no timeout
49
Precondition

• The simplified precondition l gt 110

50
The diagrams
51
The PET tool

• Basic mode interactive choice of a path,
  calculating of path conditions.
• Model checking mode.
• Iterative model checking mode apply model
  checking recursively to find successive segments,
  control backtracking.
• Unit checking mode.
• Calculating path condition simplify, simplify,
  simplify.Use SML and HOL for rewriting and
  deciding on Pressburger arithmetic. Plan using
  other tools!
• Problem US patent 6,408,430 belongs to Lucent!

52
(No Transcript)
53
(No Transcript)
54
(No Transcript)
55
(No Transcript)
56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
Drivers and Stubs(skip)
l0
l1xa

• Driver represents the program or procedure that
  called our checked unit.
• Stub represents a procedure called by our
  checked unit.
• In our approach replace both of them with a
  formula representing the effect the missing code
  has on the program variables.
• Integrate the driver and stub specification into
  the calculation of the path condition.

l2yb
l3zx rem y /\xx/\yx
l4yz
l5xy
l6z0?
yes
no
l7
67
Some references

• Translating LTL into automataGerth, Peled,
  Vardi, Wolper, Simple on-the fly automatic
  verification of temporal logic, PSTV 1995.
• The PET toolGunter, Peled, Path Exploration
  Tool, Tacas 1999, LNCS 1579
• Unit CheckingGunter, Peled, Unit Checking
  symbolic model checking for unit of code, LNCS
  2772 (Z.M. birthday volume)
• Forcing an execution under nondeterminismQu,
  Peled, Enforcing Concurrent Temporal Behavior, RV
  2004

68
Enforcing Executions Goals

• Instrument a program in order to demonstrate
  counterexamples.
• Inspect generated test cases.
• Studying the effect of added synchronization/timin
  g.
• Still allow other runs, selected runs are
  enforced in a controlled way.

69
Dekkers mutual exclusion algorithm

• P1c11
• while true do
• begin
• c10
• while c20 do
• begin
• if turn2 then
• begin
• c11
• while turn2 do
• begin / no-op / end
• c10
• end
• end
• / critical-section 1/
• c11
• turn2
• end

P2c21 while true do begin c20
while c10 do begin if turn1 then
begin c21
while turn1 do begin / no-op /
end c20 end end
/ critical-section 2/ c21 turn1 end
70
(No Transcript)
71
Two scenarios from same initial state

• (P1(0)start)
• (P2(0)start)
• P1(1)c11
• P2(1)c21
• ltp1(12)true?gtyes
• p1(2)c10
• P2(2)c20
• ltp1(8)c20?gtyes
• ltP2(8)c10?gtyes
• ltp1(7)turn2?gtno
• ltp2(7)turn1?gtyes
• p2(3)c21
• ltp1(8)c20?gtyes
• P1(9)crit-1

• (p1(0)start)
• (p2(0)start)
• p1(1)c11
• P2(1)c21
• ltP2(12)true?gtyes
• ltp1(12)true?gtyes
• P2(2)c20
• ltP2(8)c10?gtno
• P2(9)crit-2

Starting with same state, i.e., with turn1 does
not guarantee repeating the same run due to
nondeterminism.
72
0start P1
0start P2
2nd scenario
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
73
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
74
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
75
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
76
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
77
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
78
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
79
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
80
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
81
0start P1
0start P2
1c11
1c21
12true?
12true?
2c20
8c10?
Events (occurrences ofactions) participating is
2nd scenario
9crit-2
82
0start P1
0start P2
1c11
1c21
12true?
12true?
2c20
8c10?
9crit-2
83
0start P1
0start P2
1c11
1c21
12true?
12true?
2c20

• Action e is dependent on event fif e and f use
  mutual variable (including program counter).
• Event (occurrence of action) e precedes event f
  if
• e appears before f in run, and
• e is dependent on f.

8c10?
9crit-2
84
Partial order semantics. Equivalent to set of all
linearizations. Can define trace equivalence
between linearizations of the same partial order.
85
0start P2
0start P2
1c21
1c21
12true?
12true?
0start P1
0start P1
Traceequiv
2c20
2c20
1c11
1c11
12true?
8c10?
8c10?
12true?
9crit-2
9crit-2
86
Program transformation (I)
For each dependent pair of events e and f of
different processes, where e precedes f in
run Define a semaphore Vij Add after e
Freeij Vij Vij 1 Add before f
Waitij wait Vij gt 0 Vij Vij 1 (After e,
we signal f that it can continue)
87
Program transformation (II)
Add a counter counti for each process, counting
up before each dependent event participating in
previous transformation. counti counti 1 Add
after e If counti e then Freeij Add
before f If counti f then Freeij Count
also last event on run g and add If counti
g then halt process.
88
Program transformation (III)
To allow other executions when not tracing runs,
add a variable checki. Wrap transformed segments
Code with If checki then Code Minimize
synchronization. If we synchronized e?f and f?g
(including the case of synchronization using
process sequentiality), then we do not need to
add synchronization fo e?g (use Floyd-Warshall
algorithm to calculate transitive closure of ?).
89
Boolean c1, c2, check1, check2boolean V12
initially 0integel (1..2) turn
P2c21 while true do begin c20
if check2 then begin wait V12gt0
V120 end while c10 do begin
if turn1 then begin
c21 while turn1 do
begin / no-op / end c20
end end / critical-section 2/ if
check2 then halt P2 c21 turn1 end

• P1c11
• if check1 then V121
• while true do
• begin
• if check1 then halt P1
• c10
• while c20 do
• begin
• if turn2 then
• begin
• c11
• while turn2 do
• begin / no-op / end
• c10 end
• end
• / critical-section 1/
• c11
• turn2 end

90
Ultimately periodic sequences (skip)

• Prefix
• (P1(0)start)
• (P2(0)start)
• P1(1)c11
• P2(1)c21
• ltP2(12)truegtyes
• ltP1(12)truegtyes
• P1(2)c10
• P2(2)c20
• ltP1(8)c20?gtyes
• ltP2(8)c10?gtyes
• ltP1(7)turn2?gtno
• ltP2(7)gtturn1?gtyes
• P2(3)c21

• Periodic part
• ltp2(5)turn1?gtyes
• P2(4) / no-op /
• Generate graph G(P,E) for periodic part
• P processes.
• E an edge occurs from Pi to Pj if there is a
  dependency between even e of Pi and f of Pj
  occurring later in the run.
• What are the consequents of synchronizing after
  each period?

91
There are three cases (skip)

• The graph G includes all the processes in one
  strongly connected component.Limited overtaking
  is not present.
• The graph includes multiple components, including
  all processes.Unbounded overtaking is not
  present.
• Not all processes are present.The run may be
  unfair to some processes.

92
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
93
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
94
0start P1
0start P2
1c11
1c21
yes
yes
12true?
no
12true?
no
Unfair to process P1
2c10
13end
2c20
13end
8c20?
8c10?
no
no
yes
yes
no
no
9crit-1
9crit-2
7turn2?
7turn1?
yes
yes
10c11
10c11
3c11
3c21
11turn2
11turn1
5turn2?
5turn1?
no
no
yes
yes
6c10
4no-op
6c20
4no-op
95
Preserving the checked property (skip)

• Sometimes not all the runs that are
  trace-equivalent to the original one preserve the
  checked property ?.
• Use a specification formalism that is closed
  under trace equivalence, or check closeness
  PWW98.
• Add dependencies so that trace equivalence is
  refined.
• Add dependency between actions when switching an
  independent pair results in an equivalent run,
  but fails to satisfy the checked property.
• Or add dependencies between actions that may
  change propositions that appear in ?.

96
Calculating the probability of a path.

• Continuous uniform distribution.
• Transitions have lower and upperbound for
  execution l,u.
• f(x) ? 1/(u-l) when l?x?u, 0
  otherwise.
• Joint probability ??????f1(y1)f2(y2)fn(yn)dy1dy
  2dynon constraint area.

97
Example path ag.
g2,6
a1,5
c1,4
h3,7
b2,5
a
c
1?xa?5 2?xg?6xg?7 (because of h)xg-xg?4
(because of c)Now integrate on area.
g
b
h
98
Conclusions

• Model checking and testing have a lot in common.
  Can use ideas from model checking for generating
  test cases.
• Unit Testing Model checking of infinite state
  spaces.But semidecidable
• Dont know when to stop search (undecideable),
• Dont know when condition equivalent false
  (undecideable).
• Tools, visual user interface.
• Generalization to real time systems.
• Automatic addition of synchronization.
• Calculate probability of execution.