E. Brinksma. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....has been explored in [24] 20] and [23] in completely formal settings. In [24] abstractions of different levels are used as the basis of decomposition. In [20] a property holds true for a system (parallel composition of processes) if it holds true individually for its components, whereas in [23, Ch. 6] a property holds true for a LOTOS system defined in terms of a iconjunction of constraints if it holds true for each constraint individually. Here we regarded 11 decomposition the construction of a modular verification strategy as an informal design activity. As such, this activity ....

....development models for system specifications in Z [6] We used them here for describing modular correctness requirements, distinguishing between horizontal and vertical decompositions in task structures. A similar distinction between vertical and horizontal steps was suggested by Turner [33] within the context of the step wise refinement methodology for developing LOTOS specifications. 6 Conclusions and Future Work We presented a compositional methodology for the specification and verification of concurrent or distributed systems based on deciding semantic equivalences in SPIN. ....

[Article contains additional citation context not shown here]

E. Brinksma. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.

....true between the two input specifications. The flow diagram of the Spine tool is given in Fig. 7. Currently Spine is a prototype which supports only a particular class of behavioral relations. This class, while it includes such well known relations as trace equivalence [16] and testing equivalence [9,30], excludes some stronger relations such as observation (weak bisimulation) equivalence [46] which cannot be traced [8] Testing equivalence is not yet implemented in Spine. For more details about the Spine tool, the reader is referred to [21,24,23] To support relation checking it was necessary ....

....These works were discussed briefly in Section 1.1. The correctness criterion can be changed depending on which properties are of interest and the capabilities of the model checker used. For example, if liveness properties are of interest, failures equivalence [10] or testing equivalence [9] can be adopted as the correctness criterion; if fairness properties are important, # language equivalence [38] can be used. It is also possible to define the correctness criterion in terms of a behavioral preorder rather than an equivalence. A behavioral preorder captures the notion of a ....

[Article contains additional citation context not shown here]

E. Brinksma. On the existence of canonical testers. Memorandum INF-87-5, Depart- ment of Informatics, University of Twente, Netherlands, 1987.

.... which remains unsolved is the generation of an adequate set of testing scenarios from the formal specification [FaL 87, Sar 87, SBC 87, SaD 88, Hog 89, SiL 89, VCI 89, PhG 91] 3 In LOTOS, the concept of a canonical tester associated with a specification has been defined and studied in [BrS 86, Bri 87, Bri 88] and extended and brought into play in [Ald 89, Wez 89, WBL 91] The canonical tester is itself a LOTOS specification which describes how to test the implementations and find whether they are conforming to the specification. There is no particular selection of test scenario in the design ....

....is a conforming implementation of P but not of Q. This can be explained intuitively as follows: a valid implementation of Q may, or may not, accept b after a, but if b has been accepted, then, unlike valid implementations of P, it cannot refuse c just after. 6. A minimum canonical tester In [Bri 87] the concept of a canonical tester of a specification S has been introduced and denoted T (S) This T (S) is the specification of a tester which, when synchronized with an implementation I, may deadlock with I before reaching a correct final state if and only if I does not conform to S. It has ....

[Article contains additional citation context not shown here]

E. Brinksma, On the existence of canonical testers, Rept. No. INF-87-5, Twente University of Technology, Department of Informatics, Enschede, The Netherlands, January 1987.

....more suitable for specifying real world circuits. The formal basis of LOTOS allows verification of hardware designs. LOTOS inherits a well developed theory of equivalences and relations from the field of process algebra and has a well developed theory of testing and test derivation (e.g. Bri87] This offers interesting alternatives to other validation approaches. 4 Being an international standard, LOTOS is well supported by general purpose toolsets such as CADP (Csar Aldebaran Development Package [FGM 92] LOLA (LOTOS Laboratory [QPF89] and LITE (LotoSphere Integrated Tool ....

Ed Brinksma. On the existence of canonical testers. Technical Report INF-87-5, University of Twente, Enschede, Netherlands, January 1987.

....corresponding tasks into simpler, alternative subtasks proved successful; we were ultimately able to show our final design to be correct with a high degree of confidence. 10 Task or Subtask Verdict No. of states Mem Time Flat RTP Verif True 169 1313 4015 5649 1332 3:39 HLRTP LP Verif 69 [3 10 7 ] [9 10 9 ] HLRTP StdLSS Verif True 69 1960 3045 46715 1416 2:28 General LSS Verif 1037 [1 10 7 ] Simplex LSS Verif True 191 2031 10098 210845 1468 13:01 HalfDuplex LSS Verif True 20 458 5192 51633 1456 4:14 Link Subservice Verif True 1468 17:15 Modular HLRTP Verif ....

....upper bound values. 5 Background and Related Work The class of inductive relations was originally suggested in [10] This reference develops the foundations of the WPS model in a slightly di#erent setting . The WPS model results from an operational generalization of extended trace models [14, 15, 4, 3]. The semantic relations (equivalences and preorders) that underlie most of these models, as well as other semantic relations defined on the structure of a LTS, can be formulated as inductive relations using suitable transformations from LTS to WPS, provided that it is possible to give them a ....

E. Brinksma. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.

....between the two input specifications. The flow diagram of the Spine tool is given in Figure 11. Currently Spine is a prototype which supports only a particular class of behavioral relations. This class, while it includes such well known relations as trace equivalence [16] and testing equivalence [9, 29], excludes some stronger relations such as observation (weak bisimulation) equivalence [45] which cannot be traced [8] Testing equivalence is not yet implemented in Spine. For more details about the Spine tool, the reader is referred to [21, 23, 22] To support relation checking it was ....

....to express process interconnection structures graphically. The correctness criterion can be changed depending on which properties are of interest and the capabilities of the model checker used. For example, if liveness properties are of interest, failures equivalence [10] or testing equivalence [9] can be adopted as the correctness criterion; if fairness properties 30 are important, # language equivalence [37] can be used. It is also possible to define the correctness criterion in terms of a behavioral preorder rather than an equivalence. A behavioral preorder captures the notion of a ....

[Article contains additional citation context not shown here]

E. Brinksma. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.

....view, no distinction is made among divergent processes independent of their potential to also exhibit an external behavior during divergence. A compromise between these two extreme views has been achieved by a variation of the testing equivalence whose original version was proposed by Brinksma [4]. This latter equivalence due to Leduc [19] while being able to detect divergence of any form, rejects the catastrophic interpretation. For an early comparison of several di#erent treatments of divergence with respect to the underlying behavioral equivalences, see [7] An even more refined ....

....G 2 a b a b G 3 G 1 G 3 G 2 Figure 9: Transition graphs of a process which is nondeterministic in a and deterministic in b. of the hiding construct can easily be modified to conform to interpretation (I) 2 It should be pointed out that observation equivalence [21, 1] testing equivalence [4, 19], failure equivalence [6] and must testing equivalence [8, 14] are all based upon a form of external testing which is compatible with interpretation (I) rather than with interpretation (II) so the view adopted here unfortunately represents a deviation from the popular one. Before concluding this ....

[Article contains additional citation context not shown here]

Brinksma, E. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.

....has been proposed in [18] to express process interconnection structures graphically. 13 The correctness criterion can be changed depending on which properties are of interest and the capabilities of the model checker used. For example, if liveness properties are of interest testing equivalence [5] can be adopted as the correctness criterion; if fairness properties are important, # language equivalence [20] can be used. It is also possible to define the correctness criterion in terms of a behavioral preorder rather than an equivalence. A behavioral preorder captures the notion of a concrete ....

....equivalence [20] can be used. It is also possible to define the correctness criterion in terms of a behavioral preorder rather than an equivalence. A behavioral preorder captures the notion of a concrete system implementing, refining, or simulating an abstract system. Examples can be found in [12, 6, 5]. In this case, proof obligations would be derived from complete partial orders of modules rather than equivalence classes. The techniques presented for obligation decomposition and reduction can be adapted to a preorder based correctness criterion. An assume guarantee style reasoning was used in ....

E. Brinksma. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.

....rendez vous communication concept provides a way to formulate subtle expressions of communicative possibilities. A prime example of a process algebra is CCS [Milner1980] but there are others, either aimed at improving the theoretical foundations or aimed at improving the practical applicability [Brinksma1985, ISO1987, Bergstra1984, Milner1983] The theory of process algebras provides semantics preserving transformations on process expressions allowing one, among other things, to compose specifications in particular ways. Disadvantages are the arbitrary interleaving semantics of parallelism, which differs from ....

Brinksma1987c. H. Brinksma, "On the Existence of Canonical Testers," Memorandum INF-87-5, Twente University of Technology, Enschede Netherlands, 1987.

....view, no distinction is made among divergent processes independent of their potential to also exhibit an external behavior during divergence. A compromise between these two extreme views has been achieved by a variation of the testing equivalence whose original version was proposed by Brinksma [4]. This latter equivalence due to Leduc [19] while being able to detect divergence of any form, rejects the catastrophic interpretation. For an early comparison of several different treatments of divergence with respect to the underlying behavioral equivalences, see [7] An even more ....

.... that the expressiveness result of Section 6 is independent of the particular interpretation adopted, and the suggested semantics of the hiding construct can easily be modified to conform to interpretation (I) 2 It should be pointed out that observation equivalence [21, 1] testing equivalence [4, 19], failure equivalence [6] and must testing equivalence [8, 14] are all based upon a form of external testing which is compatible with interpretation (I) rather than with interpretation (II) so the view adopted here unfortunately represents a deviation from the popular one. Before concluding this ....

[Article contains additional citation context not shown here]

Brinksma, E. On the existence of canonical testers. Memorandum INF-87-5, Department of Informatics, University of Twente, Netherlands, 1987.

....and depends for its use on the skill of the test specifier in finding relevant paths. Furthermore, it depends on the use (or avoidance) of certain LOTOS specifications styles. Based on LOTOS theory, a formal method is being developed, for deriving test cases from specifications [Brink1][Brink2][E] L] W] So far, however, this method is of limited practical value because it only applies to a small subset of LOTOS. In [LS] a method which appears somewhat related to ours is presented, and is applied to the Alternating Bit Protocol. Hopefully, with further study it will become clear how ....

E. Brinksma. On the existence of canonical testers. Technical report, University of Twente, January 1987.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC