Papers by Angelo Gargantini
International journal on software tools for technology transfer, May 17, 2024
Modern automotive systems with adaptive control features require rigorous analysis to guarantee c... more Modern automotive systems with adaptive control features require rigorous analysis to guarantee correct operation. We report our experience in modeling the automotive case study from the ABZ2020 conference using the ASMETA toolset, based on the Abstract State Machine formal method. We adopted a seamless system engineering method: from an incremental formal specification of high-level requirements to increasingly refined ASMETA models, to the C++ code generation from the model. Along this process, different validation and verification activities were performed. We explored modeling styles and idioms to face the modeling complexity and ensure that the ASMETA models can best capture and reflect specific behavioral patterns. Through this realistic automotive case study, we evaluated the applicability and usability of our formal modeling approach.
Springer eBooks, 2020
In the context of automotive domain, modern control systems are software-intensive and have adapt... more In the context of automotive domain, modern control systems are software-intensive and have adaptive features to provide safety and comfort. These software-based features demand software engineering approaches and formal methods that are able to guarantee correct operation, since malfunctions may cause harm/damage. Adaptive Exterior Light and the Speed Control Systems are examples of software-intensive systems that equip modern cars. We have used the Abstract State Machines to model the behaviour of both control systems. Each model has been developed through model refinement, following the incremental way in which functional requirements are given. We used the ASMETA tool-set to support the simulation of the abstract models, their validation against the informal requirements, and the verification of behavioural properties. In this paper, we discuss our modelling, validation and verification strategies, and the results (in terms of features addressed and not) of our activities. In particular, we provide insights on how we addressed the adaptive features (the adaptive high beam headlights and the adaptive cruise control) by explicitly modelling their software control loops according to the MAPE-K (Monitor-Analyse-Plan-Execute over a shared Knowledge) reference control model for self-adaptive systems.
Proceedings of the 23rd International Systems and Software Product Line Conference - Volume B
The variability of a Software Product Line is usually both described in the problem space (by usi... more The variability of a Software Product Line is usually both described in the problem space (by using a variability model) and in the solution space (i.e., the system implementation). If the two spaces are not aligned, wrong decisions can be done regarding the system configuration. In this work, we consider the case in which the variability model is not aligned with the solution space, and we propose an approach to automatically repair (possibly) faulty constraints in variability models. The approach takes as input a variability model and a set of combinations of features that trigger conformance faults between the model and the real system, and produces the repaired set of constraints as output. The approach consists of three major phases. First, it generates a test suite and identifies the condition triggering the faults. Then, it modifies the constraints of the variability model according to the type of faults. Lastly, it uses a logic minimization method to simplify the modified constraints. We evaluate the process on variability models of 7 applications of various sizes. An empirical analysis on these models shows that our approach can effectively repair constraints among features in an automated way. CCS CONCEPTS • Software and its engineering → Software product lines.
2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
New tools for combinatorial test generation are proposed every year. However, different generator... more New tools for combinatorial test generation are proposed every year. However, different generators may have different performances on different models, in terms of the number of tests produced and generation time, so the choice of which generator has to be used can be challenging. Classical comparison between CIT generators considers only the number of tests composing the test suite. Still, especially when the time dedicated to testing activity is limited, generation time can be determinant. Thus, we propose a benchmarking framework including 1) a set of generic benchmark models, 2) an interface to easily integrate new generators, 3) methods to benchmark each generator against the others and to check validity and completeness. We have tested the proposed environment using five different generators (ACTS, CAgen, CASA, Medici, and PICT), comparing the obtained results in terms of the number of test cases and generation times, errors, completeness, and validity. Finally, we propose a CIT competition, between combinatorial generators, based on our framework.
Testing Software and Systems, 2019
In this paper we propose a new approach to conformance testing based on Abstract State Machine (A... more In this paper we propose a new approach to conformance testing based on Abstract State Machine (ASM) model refinement. It consists in generating test sequences from ASM models and checking the conformance between code and models in multiple iterations. This process is applied at different models, starting from the more abstract model to the one that is very close to the code. The process consists of the following steps: (1) model the system as an Abstract State Machine, (2) generate test sequences based on the ASM model, (3) compute the code coverage using generated tests, (4) if the coverage is low refine the Abstract State Machine and return to step 2. We have applied the proposed approach to Antidote, an open-source implementation of IEEE 11073-20601 Personal Health Device (PHD) protocol which allows personal healthcare devices to exchange data with other devices such as small computers and smartphones.
Testing Software and Systems, 2018
The automatic transformation of models to code is one of the most important cornerstones in the m... more The automatic transformation of models to code is one of the most important cornerstones in the model-driven engineering paradigm. Starting from system models, users are able to automatically generate machine code in a seamless manner with an assurance of potential bug freeness of the generated code. Asm2C++ [4] is the tool that transforms Abstract State Machine models to C ++ code. However, no validation activities have been performed in the past to guarantee the correctness of the transformation process. In this paper, we define a mechanism to test the correctness of the model-to-code transformation with respect to two main criteria: syntactical correctness and semantic correctness, which is based on the definition of conformance between the specification and the code. Using this approach, we have devised a process able to test the generated code by reusing unit tests. Coverage measures give a user the confidence that the generated code has the same behavior as specified by the ASM model.
2018 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), 2018
According to best practices of model-driven engineering, the implementation of a system should be... more According to best practices of model-driven engineering, the implementation of a system should be obtained from its model through a systematic model-to-code transformation. Following the same approach, model-based testing suggests deriving also (unit) tests from abstract models. Previously, we have presented Asm2C++ [1]-a tool that translates Abstract State Machines (ASMs) to C ++ code. In this paper, we extend the Asm2C++ tool such that it can now automatically produce unit tests for the generated code. Abstract test sequences, either generated randomly or through model checking, are translated to concrete C ++ unit tests using the BOOST library. We also present some experiments that prove the feasibility of the proposed approach.
2020 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), 2020
Combinatorial Interaction Testing has been applied to event-driven software systems by using as t... more Combinatorial Interaction Testing has been applied to event-driven software systems by using as test suite a set of sequences of inputs in desired combinations. This is generally called combinatorial sequence testing (CST). CST requires possibly new system models from which tests are generated and new test generation methods (or an adaptation of the classical ones). Finite State Machines (FSMs) can easily represent event-based systems where certain inputs are valid only in some states and such constraints can be represented by the incompleteness of the FSM. In this paper, we propose an approach to CST where tests are generated from FSMs which are represented by automata together with test requirements. First, automata can be used to check if test sequences contain invalid inputs. We propose three methods to repair tests with invalid inputs. Moreover, we can directly embed into automata the system constraints over the inputs during generations, to generate only valid test sequences. We compare our automata-based method with the standard approach of Sequences Covering Arrays (SCAs) that produces a set of sequences, all with the same length, composed by the permutation of all the events supported by the system. We found that generating only valid tests from automata provides several advantages w.r.t. repairing tests and SCAs.
Science of Computer Programming, 2018
Self-adaptive software systems are able to autonomously adapt their behavior at run-time to react... more Self-adaptive software systems are able to autonomously adapt their behavior at run-time to react to internal dynamics and to uncertain and changing environment conditions. Formal specification and verification of self-adaptive systems are tasks generally very difficult to carry out, especially when involving time constraints. In this case, in fact, the system correctness depends also on the time associated with events. This article introduces the Zone-based Time Basic Petri nets specification formalism. The formalism adopts timed adaptation models to specify self-adaptive behavior with temporal constraints, and relies on a zone-based modeling approach to support separation of concerns. Zones identified during the modeling phase can be then used as modules either in isolation, to verify intra-zone properties, or all together, to verify inter-zone properties over the entire system. In addition, the framework allows the verification of (timed) robustness properties to guarantee self-healing capabilities when higher levels of reliability and availability are required to the system, especially when dealing with time-critical systems. This article presents also the ZAFETY tool, a Java software implementation of the proposed framework, and the validation and experimental results obtained in modeling and verifying two time-critical self-adaptive systems: the Gas Burner system and the Unmanned Aerial Vehicle system.
Tests and Proofs, 2019
Timed automata (TAs) are a widely used formalism to specify systems having temporal requirements.... more Timed automata (TAs) are a widely used formalism to specify systems having temporal requirements. However, exactly specifying the system may be difficult, as the user may not know the exact clock constraints triggering state transitions. In this work, we assume the user already specified a TA, and (s)he wants to validate it against an oracle that can be queried for acceptance. Under the assumption that the user only wrote wrong guard transitions (i. e., the structure of the TA is correct), the search space for the correct TA can be represented by a Parametric Timed Automaton (PTA), i. e., a TA in which some constants are parametrized. The paper presents a process that (i) abstracts the initial (faulty) TA tainit in a PTA pta; (ii) generates some test data (i. e., timed traces) from pta; (iii) assesses the correct evaluation of the traces with the oracle; (iv) uses the IMITATOR tool for synthesizing some constraints ϕ on the parameters of pta; (v) instantiate from ϕ a TA tarep as final repaired model. Experiments show that the approach is successfully able to partially repair the initial design of the user.
Communications in Computer and Information Science, 2018
In this paper, we present the AsmetaVBDD tool that automatically translates the scenarios written... more In this paper, we present the AsmetaVBDD tool that automatically translates the scenarios written in the AValLa language (used by the asmeta validator (AsmetaV)) into Behavior-Driven Development scenarios for C ++ .
Lecture Notes in Computer Science, 2016
Formal models are a rigorous way to specify informal system requirements. However, they are not w... more Formal models are a rigorous way to specify informal system requirements. However, they are not widely used in practice, since they are considered difficult to develop and understand. Visualization is often considered a good means for people to communicate and to get a common understanding. We here make a proposal of a visual notation for Abstract State Machines (ASMs), and we introduce visual trees that visualize ASM transition rules. In addition to these graphical components that are based only on the syntactical structure of the model, we also present visual patterns that permit to visualize part of the behavior of the machine. A tool is also available to graphically represent ASM models using the proposed notation.
Lecture Notes in Computer Science, 2016
The paper presents our efforts in defining UASM, a unified syntax for Abstract State Machines (AS... more The paper presents our efforts in defining UASM, a unified syntax for Abstract State Machines (ASMs), based on the syntaxes of two of the main ASM frameworks, CoreASM and ASMETA, which have been adapted to accept UASM as input syntax of all their validation and verification tools.
Behavioral Modeling for Embedded Systems and Technologies
In the embedded system and System-on-Chip (SoC) design area, the increasing technological complex... more In the embedded system and System-on-Chip (SoC) design area, the increasing technological complexity coupled with requests for more performance and shorter time to market have caused a high interest for new methods, languages and tools capable of operating at higher levels of abstraction than the conventional system level. This chapter presents a model-driven and tool-assisted development process of SoCs, which is based on high-level UML design of system components, guarantees SystemC code generation from graphical models, and allows validation of system behaviors on formal models automatically derived from UML models. An environment for system design and analysis is also presented, which is based on a UML profile for SystemC and the State Machine formal method.
Lecture Notes in Computer Science, 2013
LTL specifications are commonly used in runtime verification to describe the requirements about t... more LTL specifications are commonly used in runtime verification to describe the requirements about the system behavior. Efficient techniques derive, from LTL specifications, monitors that can check if system executions respect these properties. In this paper we present an online testing approach which is based on LTL properties of Java programs. We present an algorithm able to derive and execute test cases from monitors for LTL specifications. Our technique actively tests a Java class, avoids false failures, and it is able to check the correctness of the outputs also in the presence of nondeterminism. We devise several coverage criteria and strategies for visiting the monitors, providing different qualities in terms of test size, testing time, and fault detection capability.
Lecture Notes in Computer Science, 2020
Even though the formal method community tends to overlook the problem, formal methods are sometim... more Even though the formal method community tends to overlook the problem, formal methods are sometimes difficult to use and not accessible to average users. On one hand, this is due to the intrinsic complexity of the methods and, therefore, some level of required expertise is unavoidable. On the other hand, however, the methods are sometimes hard to use because of lack of a user-friendly tool support. In this paper, we present our experience in addressing usability when developing a framework for the Abstract State Machines (ASMs) formal method. In particular, we discuss how we enhanced modeling, validation, and verification activities of an ASM-based development process. We also provide a critical review of which of our efforts have been more successful as well as those that have not obtained the results we were expecting. Finally, we outline other directions that we believe could further lower the adoption barrier of the method.
2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW), 2015
It has been widely observed that there is no a single best CIT generation algorithm; instead, dif... more It has been widely observed that there is no a single best CIT generation algorithm; instead, different algorithms perform best in terms of test suite size and time, also depending on different combinatorial models. Rather than following the traditional approach of leaving the choice of the best generator for a given class of models and for given testing requirements to the user, we want to automate the algorithm selection process among a given set of techniques (called portfolio). The proposed approach takes as input a distribution of combinatorial models and their test suites generated using several tools, then, using data-mining techniques, it permits to predict the algorithm that performs better given the cost estimated to execute a single test and the model characteristics. As predictors, we decide to use decision trees because they have been one of the most widely used decision support tool for many years. Their attraction lies in the simplicity of the resulting model, where a decision tree (at least one that is not too large) is quite easy to view, understand, and, importantly, explain even if it may not always deliver the best performances. We demonstrate the effectiveness of our approach to automated algorithm selection in extensive experimental results on data sets including models commonly presented in literature.
Lecture Notes in Computer Science, 2014
The use of general descriptive names, registered names, trademarks, service marks, etc. in this p... more The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
2013 IEEE Sixth International Conference on Software Testing, Verification and Validation, 2013
In this paper the CITLAB tool for Combinatorial Interaction Testing is presented. The tool allows... more In this paper the CITLAB tool for Combinatorial Interaction Testing is presented. The tool allows importing/exporting models of combinatorial problems from/to different application domains, by means of a common interchange syntax notation and a corresponding interoperable semantic metamodel. Moreover, the tool is a framework allowing embedding and transparent invocation of multiple, different implementations of combinatorial algorithms. CITLAB has been designed tightly integrated with the Eclipse IDE framework, by means of its plug-in extension mechanism. It is intended to easy the spread of CIT testing both in industrial practice and in academic research, by allowing users and researchers to apply multiple test suite generation algorithms, each with its peculiarities, on the same problem models, and let them compare the results in order to select the one that best fits their needs, while alleviating from the pain of knowing all the different details and notations of the underlying CIT tools.
2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops, 2013
Feature models are commonly used to represent product lines and systems with a set of features in... more Feature models are commonly used to represent product lines and systems with a set of features interrelated each others. Test generation from feature models, i.e. generating a valid and representative subset of all the possible product configurations, is still an open challenge. A common approach is to build combinatorial interaction test suites, for instance achieving pairwise coverage among the features. In this paper we show how standard feature models can be translated to combinatorial interaction models in our framework CITLAB, with all the advantages of having a combinatorial testing environment (in terms of a clear semantics, editing facilities, language for seeds and test goals, and generation algorithms). We present our translation which gives a precise semantics to feature models and it tries to minimize the number of parameter and constraints while preserving the original semantics of the feature model. Experiments show the advantages of our approach.
Uploads
Papers by Angelo Gargantini