Model checking of statecharts using automatic white box test generation
48th Midwest Symposium on Circuits and Systems, 2005.
This paper describes a model checking technique and tool for UML Statecharts based on automatic white box test-generation combined with automatic run-time monitoring of statechart assertions. The white box test generator is an automatically generated JUnit TestCase, which generates sequences of events, conditions, and input data for the System Under Test (SUT). It generates test sequences while observing the SUT's state, knowing the input events, conditions, and data objects that potentially
... ect the SUT's next state. The white box tester then chooses one of those events, conditions, and data objects, and fires the SUT, which in turn fires an embedded assertion for run-time monitoring. This combination of white box testing with assertion monitoring constitutes automatic model checking. The white-box tes-generator is also specification based in that the white box can be specified to be requirement assertions. Harel Statecharts and Statechart Specifications Harel statecharts have been described in numerous papers and books since first published by Harel [Ha] and later incorporated into the OMT methodology and eventually into the UML standard, (e.g. [Br, RB]). Statecharts extend finite state diagrams with hierarchy (state nesting), concurrence, and history states. Harel Statecharts are typically used for design analysis and modeling; for example, Brugge suggests using statecharts in the design analysis phase of an object oriented UML based design methodology [Br]. The tools described in this paper rely on an automata theoretic semantics for statecharts described in [D3]. The StateRover tool described in this paper is a code generator and visual debug animator for UML statecharts extended with features such as mixed flowcharts and statecharts, substatecharts, and critical regions. In addition, the StateRover supports run-time monitoring by providing a code generator for deterministic and non-deterministic Harel statecharts assertions as well as temporal logic assertions. In [D3] Drusinsky described TLCharts, a hybrid of non-deterministic Harel statecharts and temporal logic conditions on statechart transitions and as statechart actions. The StateRover tool provides support for a subset of the TLCharts specification language where temporal logic assertions can only be specified in states and not as statechart transition guards. Run-time Monitoring and Run-time Execution Recovery Run-time Execution Monitoring (REM) is class of methods of tracking the temporal behavior of an underlying application. REM methods range from simple print-statement logging methods to run-time tracking of complex formal requirements (e.g., written in temporal logic) for verification purposes. Recently, NASA used REM for the verification of flight code for the Deep Impact project [DG]. The U.S. Missile Defense Agency (MDA) is currently applying REM to the verification of a new Ballistic Missile Defense System [Ca]. Published REM methods typically use temporal logic, Metric Temporal Logic (MTL), and regular expressions as a specification language [D1]. The StateRover tool described in this paper uses non-deterministic 327 0-7803-9197-7/05/$20.00