The present invention relates to a semantic translation approach for diagrams associated with graphical modeling and simulation environments or tools. The semantic translation generates a model which may be used for further analysis such as test generation and formal verification.
Graphical modeling and simulation environments or tools allow users to construct and analyze models of processes or systems using diagrams. There are various examples of such tools commercially available. One such example is Simulink/Stateflow from The MathWorks, Inc. which is a popular commercial model-based development tool for many industrial domains. A further example of a graphical modeling and simulation environments is LabVIEW, available from National Instruments Corporation.
Typically, these diagrams describe computations or logic which can ultimately be implemented using application specific devices, computers, microcontrollers, FPGAs, integrated circuits, or computing devices. The diagrams are built using elements or blocks which are interconnected. The diagrams are created within a graphical modeling environment which defines the semantics for executing the diagrams. Software systems or descriptions of hardware systems may then be produced which exhibit the behavior of the model or portions thereof.
Although Simulink/Stateflow is designed for the simulation of the designs, it does not provide a model that makes it amenable for formal analysis such as verification and validation. For safety and security concerns, verification and testing must be performed on the Simulink/Stateflow designs and the generated code. What is needed is a way to translate a Stateflow chart into an Input/Output Extended Finite Automata (I/O-EFA) model which preserves discrete behaviors. Moreover, what is further needed is an automatic test generation approach for Simulink/Stateflow based on its translation to Input/Output Extended Finite Automata (I/O-EFA).
Therefore, it is a primary object, feature, or advantage of the present invention to improve over the state of the art.
It is a further object, feature, or advantage of the present invention to provide a semantic translation approach which is recursive.
It is a still further object, feature, or advantage of the present invention to provide a semantic translation approach which is amenable to automated test generation and verification.
It is a still further object, feature, or advantage of the present invention to provide a semantic translation approach which has no special restriction on the types of blocks.
It is a still further object, feature, or advantage of the present invention to provide a semantic translation approach which is sound and complete.
It is a still further object, feature, or advantage of the present invention to translate a chart comprising event-driven blocks, such as a Stateflow chart into an I/O-EFA that preserves the discrete behaviors.
A still further object, feature, or advantage of the present invention is to provide an automatic test generation approach for Simulink/Stateflow based on its translation to Input/Output Extended Finite Automata (I/O-EFA).
Yet another object, feature, or advantage of the present invention is to provide model translation for model-based test generation.
One or more of these and/or other objects, features, and advantages will become apparent from the specification and claims that follow. No single embodiment need exhibit each and every object, feature, or advantage. The present invention contemplates that different embodiments may have different objects, features, or advantages.
Stateflow, a graphical interface tool for Matlab, is a common choice for design of event-driven software and systems. In order for it's offline analysis (testing/verification) or online analysis (monitoring), the Stateflow model must be converted to a form that is amenable to formal analysis. According to one aspect of the present invention, we provide a systematic method, which translates Stateflow into a formal model, called Input/Output Extended Finite Automata (I/O-EFA). The translation method treats each state of the Stateflow model as an atomic module, and applies composition/refinement rules for each feature (such as state-hierarchy, local events) recursively to obtain the entire model. The size of the translated model is linear in the size of the Stateflow chart. Our translation method is sound and complete in the sense that it preserves the discrete behaviors as observed at the sample times. Further, the translation method has been implemented in a Matlab tool, which outputs the translated I/O-EFA model that can itself be simulated in Matlab.
According to another aspect of the present invention, method of translation of a chart associated with a graphical modeling environment into an input/output-extended finite automata (I/O-EFA) model is provided. The method includes receiving a representation of the chart and processing the representation of the chart with a computing device by (a) representing atomic models for each individual state of the chart, (b) applying composition rules to interconnect the atomic models while preserving state execution and transition behaviors to obtain the I/O-EFA model. The step of processing may further include incorporating additional features of the chart into the I/O-EFA model by refining the I/O-EFA model at locations where the features of the chart reside. The method may further include applying a composition rule to integrate the chart and a diagram into the I/O-EFA model, said diagram comprising a plurality of blocks and said diagram being associated with a graphical modeling environment in which blocks within the diagram define semantics for executing the diagram. The composition rules may include a first rule for modeling states with OR-substates and a second rule for modeling states with AND-substates. The atomic models may each be represented by a tuple.
According to another aspect of the present invention, a computer-readable storage medium storing computer-executable instructions that are executed on a processing device is provided. The computer-executable instructions include instructions for receiving a data representation of a chart, said chart comprising a plurality of states and said chart being associated with a graphical modeling environment and instructions for processing the data representation of the chart to translate the chart into an input/output-extended finite automata model. The instructions for processing the data representation of the chart to translate the chart into the input/output-extended finite automata model may provide for (a) representing atomic models for each individual state of the chart, (b) applying composition rules to interconnect the atomic models while preserving state execution and transition behaviors to obtain the I/O-EFA model. The composition rules may include a first rule for modeling states with OR-substates and a second rule for modeling states with AND-substates. The instructions for processing may further include instructions for incorporating additional features of the chart into the I/O-EFA model by refining the I/O-EFA model at locations where the features of the chart reside. The computer-readable storage medium may further include instructions for applying a composition rule to integrate the chart and a diagram into the I/O-EFA model, said diagram comprising a plurality of blocks and said diagram being associated with a graphical modeling environment in which blocks within the diagram define semantics for executing the diagram. Each of the atomic models may be represented by a tuple.
According to another aspect of the present invention, an automatic test generation approach for Simulink/Stateflow is provided which is based on its translation to Input/Output Extended Finite Automata (I/O-EFA). The test generation problem requires identifying the executable paths of the I/O-EFA model and also generating a test input for those paths. Note in order to execute a path, a certain sequence of other paths must be executed first, which we automatically identify. The approach is implemented by applying two different techniques, model checking and constraint solving. Both test generation implementations are validated by a case study. The results show that both implementations can generate test cases as expected and the implementation based on constraint solving is in general faster.
According to another aspect of the present invention, a method of translation of a diagram associated with a graphical modeling environment into an input/output-extended finite automata (I/O-EFA) model is provided. The method includes receiving a representation of the diagram. The method further includes processing the representation of the diagram with a computing device by representing atomic models for elements of the diagram and applying composition rules to interconnect the atomic models while preserving state execution and transition behaviors to obtain the I/O-EFA model. The method further includes generating a test for the I/O-EFA model using the computing device, and executing the test for the I/O-EFA model using the computing device.
Although the present invention may be used with diagrams from any number of graphical environments, Simulink/Stateflow (S/S) diagrams are used as representative examples of such diagrams. Simulink/Stateflow is a popular commercial model-based development tool for many industrial domains, such as power systems, aircraft, automotives and chemical plants. Simulink is much better for handling continuous systems, whereas Stateflow is much better for handling state based problems. Owing to the correctness, safety, security, etc. requirements of such systems, methods to analyze the system designs are needed. Simulink/Stateflow however has originally been designed for the simulation of the designs, and does not provide a model that makes it amenable for formal analysis such as verification and validation.
In our previous work [1], we introduced a recursive modeling method to translate Simulink diagram to Input/Output Extended Finite Automata (I/O-EFA), which is a formal model of a reactive untimed infinite state system, amenable to formal analysis. The present invention completes the modeling approach by further extending it to allow the translation of Stateflow charts that are event-driven blocks.
Stateflow, which has been adopted from StateChart, allows hierarchical modeling of discrete behaviors consisting of parallel and exclusive decompositions, with tedious semantics, which makes it challenging to capture and translate into formal models. Several authors have attempted different forms of Stateflow translation. Scaife et al. [2] translated a subset of Simulink/Stateflow into Lustre and verified the model using a model checking tool called Lesar. Gadkari et al. [3] proposed a translation from Simulink/Stateflow to Symbolic Analysis Laboratory (SAL). However, few of the prior works have considered the translation from Stateflow to an automaton, which preserves the discrete behaviors (behaviors observed at discrete time steps when the inputs are sampled and the outputs are computed).
In this work, we continue to use I/O-EFA as the target model for translation so as to retain consistency with our previous work that translated the Simulink diagrams. In order to have our modeling process recursive, we treat the individual states of a Stateflow chart to be the most elementary constructs for modeling, and define the atomic models for them. Next, two composition rules are defined to interconnect the simpler models to form the more complex models for the “AND” versus “OR” states, preserving their state execution and transition behaviors. By viewing the Stateflow chart's hierarchical structure as a tree, we recursively apply the two composition rules in a bottom-up algorithm to obtain the overall I/O-EFA model. Finally, the additional Stateflow features, such as event broadcasting and interlevel transitions, are incorporated by refining the model at locations where the features reside. Furthermore, a composition rule between Stateflow and Simulink models is introduced to combine them into a single complete model.
We have also implemented our algorithm into an automated translation tool SS2EFA, written in the Matlab script. A counter and a complex motor control system have been used as the case studies for the proposed translation method and the tool. The simulation results show that the translated model simulates correctly the original Simulink diagram at each time step. The contributions of the present invention include:
An I/O-EFA is a symbolic description of a reactive untimed infinite state system in form of an automaton, extended with discrete variables of inputs, outputs and data.
Definition 1 An I/O-EFA is a tuple P=(L, D, U, Y, Σ, Δ, L0, D0, Lm, E) where
I/O-EFA P starts from an initial location l0∈L0 with initial data d0∈D0. When at a state (l, d), a transition e∈E with oe=l is enabled, if the input σe arrives, and the data d and input u are such that the guard Ge(d, u) holds. P transitions from location σe to location te through the execution of the enabled transition e and at the same time the data value is updated to fe(d, u), whereas the output variable is assigned the value he(d, u) and a discrete output δe is emitted. In what follows below, the data update and output assignments are performed together in a single action.
States are the most basic components in a Stateflow chart in that a simplest Stateflow chart can just be a single state. Stateflow allows states to be organized hierarchically by allowing states to possess substates, and same holds for substates. A state that is down (resp., up) one step in the hierarchy is termed a substate (resp., superstate). We represent the most basic components of a Stateflow chart as atomic models, which are the smallest modules that are interconnected (following the semantics of the hierarchy and other Stateflow features as described in the following sections) to build the model of an overall Stateflow chart.
Consider a Simulink diagram of a counter system 10 shown in
The behavior of a Stateflow state comprises of three phases: entering, executing and exiting, where
According to the above behaviors, an individual state s of a Stateflow can be represented in the form of an I/O-EFA of
As can be seen from the figure, the atomic I/O-EFA model has three locations l0s, lis, lms for differentiating the activation versus the deactivation process, where the transition
The atomic model has internal data-variables das, dls, {de|oe=s} for controlling the execution flow, where
A formal description of this atomic model is given in the following algorithm.
Algorithm 1: A Stateflow state s can be represented as an I/O-EFA (Ls, Ds, −, −, −, −, {l0s}, D0s−, Es) where
Stateflow provides for hierarchical modeling of discrete behaviors by allowing a state to possess substates which can be organized into a tree structure. The root node of the tree is the Stateflow chart, the internal nodes are the substates of the Stateflow chart, and the leaves are the bottom-level states with no substates of their own. As described in the previous section, each state, which is a node of the tree, is modeled as an atomic model of the type shown in
In case of AND substates, all substates must be active simultaneously and must execute according to their execution order at each time step, whereas in case of OR substates, at most one of the substates can be active at each time step, and one of the substates is deemed default substate which gets activated at the first time step its superstate becomes active. For the execution order of a state with substates, two rules must be followed: 1) The substates can be executed only when their superstate is activated, and 2) A state finishes execution only when all its substates have been evaluated for execution.
After the execution of a transition labeled “entry” or “during” of a state, all its outgoing transitions are evaluated for enablement (if no outgoing transition is enabled, another execution of “during” action is performed). The enabled transition with the highest priority is selected for execution, and the particular transition is activated. Also the exit phase of the state is initiated. Exit phase generally has the following execution sequence: The condition action of the activated transition, the exit actions of the leaving state, the transition action of the activated transition and the entry action of the entering state. Furthermore, if there are multiple exit actions to be executed (i.e. the leaving state has substates), then those are ordered according to the following rule: The leaving state, along with all its substates, exits by starting from the last-entered state's exit action, and progressing in reverse order to the first-entered state's exit action.
With the above knowledge of the semantics of the AND/OR hierarchy, we can now model the hierarchical behaviors by defining the corresponding composition rules. We first introduce a few notations to make the presentation clearer.
Definition 2: A complex state ŝ is the state system consisting of the state s and all its immediate substates. ŝ is said to be an AND- (resp., OR-) complex state if it possesses AND (resp., OR) substates. We define |ŝ| to indicate the number of substates in the complex state ŝ.
A. Modeling State with OR-substates
Following the state transition semantics, the modeling rule for a state with OR-substates can be defined by the following algorithm. For an OR-complex state ŝ we use s* to denote its default state.
Algorithm 2: An OR-complex state ŝ can be represented as an I/O-EFA (Lŝ, Dŝ, −, −, −, −, {l0ŝ}, D0ŝ, −, Eŝ), where
For an AND-complex state ŝ, its substates, although simultaneously active, are executed in a certain order. With a slight abuse of notation we use r to denote the substate whose execution order is r among all the substates of ŝ. Also for simplicity of notation let k=|ŝ|. The modeling rule for a state with AND-substates is defined as follows.
Algorithm 3: An AND-complex state ŝ can be represented as an I/O-EFA (Lŝ, Dŝ, −, −, −, −, {l0ŝ}, D0ŝ, −, Eŝ), where
With the above two composition rules, an overall model of a Stateflow chart, capturing only the state hierarchy feature, can be obtained by applying the rules recursively, over the tree structure of the state hierarchy, in a bottom-up fashion.
Besides the state hierarchy, Stateflow provides many additional features, such as events, historical node and interlevel transitions. We capture these features into our model by refining the I/O-EFA model obtained by recursively applying Algorithms 1-3. We illustrate the model refinement by modeling one of the important features of Stateflow, namely a local event which is a commonly used event type.
A local event is triggered at a certain source state as part of one of the actions, where along with the event name, the destination states for the event broadcast are also specified. When an event is triggered, it is immediately broadcast to its destination state for evaluation. At this point, the destination state, including all of its substates, is executed by treating the event condition to be true in all of the guard conditions where it appears. Then the execution flow returns to the breakpoint where the event was triggered and resumes the execution.
The Stateflow event semantics permits an infinite chaining of events since each event can cause an action in its destination state that triggers a new or the same event. Such recursive behavior cannot be captured in the I/O-EFA modeling framework. However, practical systems avoid infinite chaining of events by way of satisfying the following requirements [3], which we assume to hold:
For local event ev that is triggered in some source state src of a Stateflow chart, let eev∈E be an edge that broadcasts the event ev. The model refinement step for modeling the local event behavior requires replacing the event-triggering edge eev with a pair of edges between the event source state src and the event destination state des, one in each direction (see
Algorithm 4: Given an I/O-EFA model (L, D, −, −, −, −, L0, D0, −, E) obtained from recursive application of Algorithms 1-3, an edge eev∈E that broadcasts an event ev to the destination state des, and a set of edges Eev in the destination state that receive the event (i.e., ∀e∈Eev:σe=ev), the refined I/O-EFA model is given by (L, D, −, −, −, −, L0, D0, −, E′), where
Recursive application of Algorithm 4 with respect to each event-triggering edge is required to complete the model-refinement step for modeling the local events. Additional features such as historical node and interlevel transitions can also be modeled by similar refinement steps, conforming to their respective Stateflow semantics. Due to space limitations, those are not included.
At the top level, a Stateflow chart is also a Simulink block (the distinction being that it is event-driven as opposed to time-driven). So to be consistent, at the very top level, the model of a Stateflow chart ought to resemble the model of a time-driven Simulink block as introduced in [1]. Accordingly, the model of a Stateflow chart obtained from applying Algorithms 1-4 is adapted by adding another layer as shown in
Algorithm 5: Given an I/O-EFA model (L, D, −, −, −, −, L0, D0, −, E) obtained from recursive application of Algorithms 1-4 and model refinement concerning other features, the final model of a Stateflow chart is composed of two I/O-EFAs connected through succession and time-advancement edges as in
Consider the counter system of
The Stateflow modeling approach described above, along with the Simulink modeling method of our previous work [1], written in the Matlab script, has been implemented in an automated translation tool SS2EFA. Upon specifying a source Simulink/Stateflow model file, the tool can be executed to output the corresponding I/O-EFA model in form of a “flat” Stateflow chart, which can itself be simulated in Matlab. The result of simulating the I/O-EFA is the same as that of simulating the source Simulink/Stateflow model.
The simulation result comparison between the I/O-EFA model of the counter (see
This example is of a servo velocity control system consisting of a controller, a fault monitor (both written in Stateflow), and a motor (written in Simulink). The Simulink/Stateflow diagram of the servo velocity control system is translated by our translation tool. The CPU time (using Intel Core 2 Duo P8400 2.27 GHz, 2 GB RAM) for the translation is 45.1 seconds and the translated model has 382 locations and 646 edges. The simulation result of the translated model (shown in
As previously explained, Simulink/Stateflow [4] is a model-based development tool, which is widely used in many industrial domains, such as power systems, nuclear plants, aircraft, and automotives. Code generators are used within the Simulink/Stateflow to automatically generate the embedded software for the target system from the Simulink/Stateflow diagram, and thereby considerably increasing the productivity.
The existing code generators cannot guarantee that the generated code complies correctly the functional behaviors specified in the design. Verification and testing of the generated code is necessary to find errors in the code generation process and thus avoid software faults in any future use of the system.
Model-based test generation is an essential step in the model-based development process. It aims to validate that the object code to be implemented in the target processor complies with the design requirements. For Simulink/Stateflow, model-based test generation intends to validate whether the generated code (for example ANSI C) preserves the functional behaviors of the Simulink/Stateflow diagram.
Several type of errors may occur in the implementation process from the Simulink/Stateflow diagram to the target code, such as:
A model-based approach to reveal these errors is to create a set of test cases from Simulink/Stateflow and then execute them on the generated code to see if the test passes. Any failed test cases can be used to find the errors introduced during the code generation process.
Since Simulink/Stateflow has originally been designed for the simulation purposes, automated test generation for Simulink/Stateflow diagram is greatly needed to identify the errors. Several authors have tried different ways of test generation and verification for Simulink/Stateflow diagram. Scaife et al. [2] are able to translate a subset of Simulink/Stateflow into Lustre and verify the model using a model checking tool called Lesar. Gadkari et al. [3] have translated Simulink/Stateflow to a formal language, called Symbolic Analysis Laboratory (SAL), and they generate test cases based on SAL model checking Reactis [5] and TVEC [6] are two popular commercial tools for automated test generation for Simulink/Stateflow models. In our case, we derive the test suite based on the translation from Simulink/Stateflow to an automaton, which preserves the discrete behaviors (behaviors observed at discrete time steps when the inputs are sampled and the outputs are computed).
In our previous works [1] [7] [8] and as explained above, we introduced a recursive method to translate a Simulink/Stateflow diagram to an Input/Output Extended Finite Automata (I/O-EFA), which is a formal model of reactive untimed infinite state system, amenable to formal analysis. It captures each computation cycle of Simulink/Stateflow in form of an automata extended with data-variables to capture internal states and also the input and output variables. One aspect of the present invention provides a method to generate test cases for the Simulink/Stateflow diagram based on the corresponding I/O-EFA derived using the approach of [1] [7] [8]. To provide coverage for all computation flows of a Simulink/Stateflow diagram which corresponds to the execution paths in the translated I/O-EFA model, each execution path is analyzed for feasibility and reachability, and test cases are generated accordingly. The test generation approach is implemented by using two techniques, model-checking and constraint solving using mathematical optimization. The model-checking based implementation abstracts the I/O-EFA and checks each execution path for eventual reachability (note in order to execute a path some other sequence of paths may have to be executed in earlier cycles and hence the requirement of eventual reachability); while the constraint solving based implementation recursively evaluates the longer and longer path-sequences and the associated predicate for reachability. The test cases are generated from the counterexamples (resp. path-sequence predicates) for the case of model-checking (resp. constraint solving) process.
We have integrated the translation tool along with both the test generation implementations into an automated test generation tool, written in Matlab script. A simple example of a counter has been used as the case study to validate and compare the test generation implementations. The test generation results show that both of the implementation methods can generate the expected test cases while the constraint solving based approach is in general faster. The contributions of this aspect of the present invention are:
As previously explained, an I/O-EFA is a symbolic description of a reactive untimed infinite state system in form of an automaton, extended with discrete variables of inputs, outputs and data. In addition to the description provided above, for notational convenience, if d∈D and u∈U is such that for an edge e∈E, Ge(d, u) hold, then letting d′:=fe(d, u) and y:=he(d, u), we write
to denote the state transition from (oe, d) to (te, d′) under the input (σe, u) and producing the output (δe, y).
Our previous works [1] [7] [8] and our work above presented a translation approach from a Simulink/Stateflow diagram to an I/OEFA model while preserving the discrete behaviors observed at sample times. In such an I/O-EFA model, each transition sequence from the initial location l0 back to the initial location l0 through the time advancement edge e=(lm, l0, −, −, −, −, {k:=k+1}) represents a computation sequence of the Simulink/Stateflow diagram at a sampling time. Note for the time advancement edge e, it holds that he≡{k:=k+1} that advances the discrete time counter by a single step. Such a transition sequence is called a computation path as defined next.
Definition 3: A computation path (or simply a c-path) π in an I/O-EFA P=(L, D,
Our test generation approach is to find a set of input sequences, also called test cases, which execute a certain set of computation sequences specified by a desired coverage criterion. For this, first the paths, representing those computation sequences, are located in the I/O-EFA model, and next the input sequences which activate those paths are obtained. Our previous Simulink/Stateflow to I/O-EFA translation approach formalizes and automates this mapping from computation sequences of Simulink/Stateflow diagram to the c-paths in the translated I/O-EFA model.
Consider the Simulink diagram Ψ of a bounded counter shown in
Some of the computation sequences involving certain sequence of Simulink/Stateflow computations may not be possible. This property is made transparent in our I/O-EFA by showing conflict among the conditions along the corresponding c-paths. In Example 4, five out of 18 computation sequences are possible and the corresponding five c-paths in I/O-EFA are valid. As an example consider an invalid computation sequence “subsystem disabled” and “saturation reaches upper limit”. Since the disabled subsystem generates an initial output 2, which is within the saturator's limit, the saturator cannot reach its upper limit. This conflict also shows up in the corresponding c-path π5=e2e8e9e12e13e19e20e21 over the edges e2 and e9, where y5(k):=2 on edge e2, whereas y5(k)>7 on edge e9.
Besides the conflict among the conditions along the edges of a path, some of the impossibilities of certain computation sequences are caused by the initial condition of the system. Consider the saturation condition y5(k)<−0.5 in Example 4. None of the computation sequences with this saturation condition can be executed, since the counter output starts from zero and increments by one each time it counts, and thus the count can never be less than zero. The I/O-EFA model also captures these impossible computation sequences by showing the corresponding c-paths as unreachable from the initial conditions.
Based on the above discussion, the test generation problem for Simulink/Stateflow can be converted to finding the input sequences that execute the corresponding c-paths in the I/OEFA. We obtain the feasible and reachable paths and choose a subset of these paths satisfying a desired coverage criterion.
In summary, our I/O-EFA based test generation for Simulink/Stateflow has the following steps.
The translation method is implemented in our previous work. The remaining challenges to implement this test generation approach are listed as follows.
In the next section, we discuss the implementations of our I/O-EFA based test generation approach to deal with these challenges.
The proposed test generation approach for Simulink/Stateflow has been implemented by applying two different methods. Our previous translation tool SS2EFA has been integrated with these two implementations to support the translation from Simulink/Stateflow diagram to I/O-EFA. The following discussion focuses on the part of test generation to be executed following the translation step.
A. Implementation using Model-Checking
Model-checking is a method to check automatically whether a model of a system meets a given specification. NuSMV [9] is an open source symbolic model checker, which supports the CTL and LTL expressed specification analysis and provides interface to Matlab, so that the test generation tool (written in Matlab script) can call NuSMV for model-checking
In this implementation, paths in I/O-EFA are checked against the abstracted I/O-EFA model in NuSMV for feasibility and reachability. Since NuSMV only allows for the representation of finite state systems, the translated I/O-EFA is first converted into a finitely abstracted transition system as defined in Definition 4 below.
The finite abstraction of the model is based on the implementation requirements. Most of the real world systems have finite data space and running time. The finite abstraction is implemented in NuSMV input language as described below.
Definition 4: Given an I/O-EFA P=(L, D, U, Y, Σ, Δ, L0, D0, Lm, E), its finite abstracted transition system Pf is a tuple Pf=(S, Uf, Yf, Σ, Ef, S0), where
The corresponding NuSMV file is used to check if the c-paths in the I/O-EFA model are reachable. This is done as an instance of finding a counterexample as prescribed in the following algorithm.
Algorithm 6: A c-path π=e0π . . . e|π|−1π of an I/O-EPA P=(L, D, U, Y, Σ, Δ, L0, D0, Lm, E) is determined to be reachable if in the finite abstraction Pf|=Φ holds, where Φ is the CTL formula EF(e0πΛEX(e1πΛ . . . EXe|π|−1π) . . . ), meaning path π can eventually be activated in the finite abstraction Pf. An input sequence that makes it eventually executable is found as a counterexample to the model-checking problem Pf=Φ.
If a counterexample for Pf|=Φ is found, then Pf|=Φ holds, and the sequence of inputs within the counterexample is a test case activating the path π. The final test suite is the set of input sequences obtained from a subset of reachable paths Π satisfying a desired coverage criterion.
In summary, the model-checking based test generation implementation generates the test cases by the following steps.
The above implementation utilizes the existing model checker NuSMV and automates the test generation for Simulink/Stateflow. However, model-checking process is time-consuming as the state space explodes and the finite abstraction may also cause problems in the test generation. So we investigate another approach as described next.
B. Implementation using Constraint Solving
Mathematical optimization is used to check feasibility of a set of constraints and to select a best element from a set of available alternatives. The standard form of an optimization problem is:
where
Finding whether a c-path π of an I/O-EFA is reachable can be converted to a constraint solving problem, which is an optimization problem without regard to an objective value as follows:
where, Pπ(x) is called the path-predicate of the path π. It is a set of conditions activating the path π. The above constraint solving problem has solution if the path predicate Pπ(x) is satisfiable (does not equate to False). The path predicate Pπ along with its data dπ and output yπ can be obtained as follows.
Algorithm 7: For a path π=e0π . . . e|π|−1π, its path-predicate Pπ can be computed recursively backward, and data dπ and output yπ can be computed recursively forward as:
Base step:
P|π|π(d, u, y):=True;
d0π(d, u, y):=d;
y0π(d, u, y):=y
Recursion step:
Pj−1π(d, u, y):=Ge
dj+1π(d, u, y):=fe
yj+1π(d, u, y):=he
Termination step:
Pπ(d, u, y):=P0π(d, u, y);
dπ(d, u, y):=d|π|π(d, u, y);
yπ(d, u, y):=d|π|π(d, u, y).
Note: If any of Ge is undefined, it is simply assumed true, ie, Ge(d, u, y)=True, and similarly if any of he is undefined, then it is simply assumed to be the same as identity, ie, he(d, u, y)=y.
Constraint solving problem is constructed to check if Pπ(d, u, y)≠False, in which case, the path π is feasible. The feasible paths obtained in Algorithm 7 are the candidate paths for test generation. They are further checked to see if they can be reached from the initial condition, i.e. if there exists a feasible path-sequence Π starting at the initial condition and ending with the path under evaluation for reachability. The algorithm to determine the feasibility and reachability of a path-sequence Π is as follows.
Algorithm 8: Given a path-sequence Π=π0 . . . π starting at the initial condition I(d, u, y) ending with the path π, the feasibility/reachability of Π can be checked recursively backward as:
Base step:
P|Π|Π(d, u, y):=Pπ;
Recursion step:
Pj−1Π(d, u, y):=Pj−1π
Termination condition:
If Pj┌(d, u, y)=False, then Π is infeasible and also unreachable, stop;
If PjΠ(d, u, y)≠False and j≠0, then decrement j and return to recursion step;
If j=0, then Π is reachable if PjΠ(d, u, y)ΛI(d, u, y)≠False, stop.
Given a feasible path π, if none of the path-sequence with |Π|<=steplimit ending with π is reachable, π is unreachable within the steplimit. Otherwise, π is reachable. Note steplimit is the test case length requirement of the system.
Given a feasible path-sequence Π=π0 . . . π ending with path π, a test input sequence tπ=u0 . . . u|Π|−1 activating the reachable path π is obtained by letting uj∈Pπ
The constraint solving based test suite is derived with an open source optimization tool CVX [10], written in Matlab. Our test generation tool calls the CVX tool to check the feasibility of the problem.
In summary, this constraint solving based test generation implementation generates the test cases using the following steps.
The above implementation applies the constraint solving to solve for the recursively obtained path predicates. This method does not require finite abstraction of the data space and loading of the model in another tool. This implementation is thus exact (requiring no abstraction) and is able to generate test cases faster than the implementation based on the model checker.
Both of the test generation implementations described above, as well as the Simulink/Stateflow to I/O-EFA translation tool, have been incorporated in an automated test generation tool. Upon specifying a source Simulink/Stateflow model file, both of our implementation methods can be executed to output the test suite for the corresponding Simulink/Stateflow diagram.
Consider the I/O-EFA model (see
The test generation time (using Intel Core 2 Duo P8400 2.27 GHz, 2 GB RAM) is 349.3 seconds and the results are as expected.
Consider the same I/O-EFA model (see
The test generation time (using Intel Core 2 Duo P8400 2.27 GHz, 2 GB RAM) is 102.7 seconds and the results are as expected.
The two test generators provide identical test cases regarding the same Simulink/Stateflow diagram and specifications. Constraint solving based implementation is able to obtain the result about two times faster than model checker based implementation.
We presented a translation approach from Stateflow chart to Input/Output Extended Finite Automata (I/O-EFA). A Stateflow state, which is the most basic component of Stateflow chart, is modeled as an atomic model. The composition rules for AND/OR hierarchy are defined to connect the atomic state models. An overall I/O-EFA model is obtained by recursively applying the two composition rules in a bottom-up fashion over the tree structure of the state hierarchy. Rules for further refining the model to incorporate other Stateflow features such as events, historical information, interlevel transitions, etc. have been developed. Finally, the Stateflow model is adapted to resemble a Simulink model, since at the highest level a Stateflow chart is a block in the Simulink library. The size of the translated model is linear in the size of the Stateflow chart. Both the Stateflow and Simulink translation approaches have been implemented in an automated translation tool SS2EFA. The translated I/O-EFA models are validated to preserve the discrete behaviors of the original Simulink/Stateflow models. The translated I/O-EFA models can be used for further formal analysis such as verification and test generation. Generally, for test generation, certain set of the computational paths within one time step are extracted according to the coverage criterion, and checked for their feasibility. The input sequences that can achieve the feasible paths are the test cases.
We also presented an Input/Ouput Extended Finite Automata (I/O-EFA) based test generation approach for Simulink/Sateflow. While preserving the discrete behaviors, a Simulink/Stateflow diagram is translated to an I/O-EFA model, with each path of the I/O-EFA model representing a computation sequence of the Simulink/Stateflow diagram. Paths are inspected for feasibility and reachability. They are further used for test generation and model soundness analysis. Two techniques, model-checking and constraint solving, are applied to implement this approach. Modelchecker based implementation maps I/O-EFA to a finite abstracted transition system modeled in NuSMV file. Test cases are generated by checking each path in I/O-EFA against the model in NuSMV. Constraint solving based implementation utilizes two algorithms to recursively compute the path and path-sequence predicate respectively for capturing the feasibility problems. Test cases are obtained from the predicates of the reachable paths. The performance of both implementations was evaluated with a case study. The results showed that both implementations can generate the expected results and the implementation based on constraint solving is superior to the implementation based on model checker with respect to the speed of test generation.
Although various embodiments have been shown and described in detail, the present invention is not to be limited to the specific embodiments shown as the present invention contemplates numerous variations, options, and alternatives in its implementation as may be appropriate in various situations. For example, the present invention contemplates that different types of diagrams or charts may be used, including diagrams and charts from various graphical modeling environments. The methodology may be implemented in various types of computing devices using any number of types of software to provide instruction sets for performing the logic of the methodologies described herein.
All references set forth herein are incorporated by reference in their entireties.
This application is a Continuation-in-Part of U.S. Ser. No. 13/165,907 filed Jun. 22, 2011 which claims priority under 35 U.S.C. §119 of a provisional application Ser. No. 61/357,568 filed Jun. 23, 2010, all of which are hereby incorporated by reference in its entirety.
This invention was made with government support under Grant No. NSF-CCF-0811541 awarded by the National Science Foundation. The government has certain rights in the invention.
Number | Name | Date | Kind |
---|---|---|---|
7093231 | Nuss | Aug 2006 | B2 |
7496892 | Nuss | Feb 2009 | B2 |
7698668 | Balasubramanian et al. | Apr 2010 | B2 |
8260597 | Raghavan et al. | Sep 2012 | B1 |
20080086705 | Balasubramanian et al. | Apr 2008 | A1 |
Entry |
---|
Agrawal, Aditya et al., “Semantic Translation of Simulink/Stateflow Models to Hybrid Automata Using Graph Transformations”, Electronic notes in Theoretical Computer Science, 109 (2004) 43-56. |
Alur, Rajeev et al., “Symbolic Analysis for Improving Simulation Coverage of Simulink/Stateflow Models”, EMSOFT'08, Oct. 19-24, 2008, Atlanta, GA, ACM 978-1-60558-468-3/08/10, 10 pages. |
Caspi, Paul et al., “From Simulink to SCADEL/Lustre to TTA: a Layered Approach for Distributed Embedded Applications*”, LCTES'03, Jun. 11-13, 2003, San Diego, CA, ACM 1-58113-647-1/03/0006, pp. 89-99. |
CVX: Matlab Software for Disciplined Convex Programming, Version 1.22 (May 2012, Build 835). http://cvxr.com/cvx [retrieved from Internet on Jul. 12, 2012]. |
Gadkari, Ambar A. et al., “Automatic Generation of Test-Cases Using Model Checking for SL/SF Models”, 4th International Workshop on Model Driven Engineering, Verification and Validation, 2007, pp. 33-42. |
Jersak, Marek et al., “Embedded System Design using the SPI Workbench”, Design Languages 2000, pp. 153-163. |
Li, Meng et al., “Stateflow to Extended finite Automata Translation” 2011 35th IEEE Annual Computer Software and Applications Conference Workshops, (COMP-SACW), pp. 1-6. |
MathWorks, Simulink “Simulation and Model-Based Design”, http://mathworks.com/products/simulink/index.html?sec=add on [retrieved from Internet on Jul. 12, 2012], 2 pages. |
NuSMV: a new symbolic model checker, http://nusmv.fbk.eu/ [retrieved from Internet on Jul. 12, 2013] 3 pages. |
Reactive Systems, Inc., Reactis V2012, How Do You Develop Software?, http://www.reactive-systems.com/ [retrieved from Internet on Jul. 12, 2012] 1 page. |
Scaife, N. et al., “Defining and Translating a “Safe” Subset of Simulink/Stateflow into Lustre”, EMSOFT '04: Proceedings of the 4th ACM International conference on Embedded Software, New York, NY: ACM, 2004, pp. 259-268. |
T-VEC: We cover all Boundaries, http://t-vec.com [retrieved from Internet on Jul. 12, 2012], 1 page. |
Tripakis, Stavros et al., “Translating Discrete-Time Simulink to Lustre”, ACM Transactions on Embedded Computing Systems, vol. 4, No. 4, Nov. 2005, pp. 779-818. |
Zhou, Changyan et al., “Modeling Simulink diagrams using Input/Output Extended Finite Automata”, 2009 33rd Annual IEEE International Computer Software and Applications Conference, pp. 462-467. |
Zhou, Changyan et al., “Semantic Translation of Simulink Diagrams to Input/Output Extended Finite Automata”, Discrete Event Dyn Syst (2012) 22:223-247. |
Number | Date | Country | |
---|---|---|---|
61357568 | Jun 2010 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 13165907 | Jun 2011 | US |
Child | 13538472 | US |