Abstract
The purpose of testing a system with respect to a requirement is to refute the hypothesis that the system satisfies the requirement. We build a theory of tests and refutation based on the elementary notions of satisfaction and refinement. We use this theory to characterize the requirements that can be refuted through black-box testing and, dually, verified through such tests. We consider refutation in finite time and obtain the well-known finite falsifiability of hyper-safety temporal requirements as a special case. We extend our theory with computational constraints and separate refutation from enforcement in the context of temporal hyper-properties. Overall, our theory provides a basis to analyze the scope and reach of black-box tests and to bridge results from areas including testing, verification, and enforcement.
Acknowledgments
We thank E. Fang, M. Guarnieri, G. Petric Maretic, S. Radomirovic, C. Sprenger, and E. Zalinescu for their comments on the paper.
A Proofs
We first present the proofs of the lemmas and theorems that are given in the paper. Afterwards, we formally state and prove the claim that a requirement is semi-monotone iff it is the intersection of its upper set and its lower set, which is mentioned in Sect. 5.
Proof
(Lemma 3’s Proof). If no system satisfies R, then R is trivial. Suppose that some system S satisfies R. Then, every system in \(\lfloor {\lceil {S}\rceil }\rfloor \) satisfies R, because R is an obligation and a prohibition. As \(\lfloor {\lceil {S}\rceil }\rfloor =\mathcal {S}\), for any \(S\in \mathcal {S}\), we conclude that every system satisfies R. That is, R is trivial. \(\square \)
Proof
(Theorem 7’s Proof). Suppose R is \(\mathbf {T}\)-refutable, with \(\mathbf {T}=(T,\alpha )\). We prove that R is a prohibition. If R is empty, then R is a trivial prohibition. Assume that R is nonempty and let \(S\in R\). Now, suppose \(S'\preceq S\). All we need to prove is that \(S'\in R\). We present a proof by contradiction.
Assume that \(S'\not \in R\). Then, because R is \(\mathbf {T}\)-refutable, there is an observation \(t\in \alpha (S')\) with \(\hat{\alpha }(t)\cap R=\emptyset \). Since \(\alpha \) is order-preserving and \(S'\preceq S\), we have \(t\in \alpha (S)\). Therefore, \(S\in \hat{\alpha }(t)\). This entails \(S\not \in R\), which contradicts the assumption \(S\in R\). We conclude that \(S'\in R\). Therefore, R is a prohibition.
Proof
(Lemma 9’s Proof). Fix a system model \(\mathsf {M}=(\mathcal {S},\preceq ,\bot ,\top )\), and assume that R is a prohibition. We show that R is \(\mathbf {T}_r^\mathsf {M}\)-refutable, where \(\mathbf {T}_r^\mathsf {M}=(\mathcal {S},\lfloor {\cdot }\rfloor )\). Assume that some system S violates R. Since R is a prohibition, any system that abstracts S violates R. Moreover, \(S\in \lfloor {S}\rfloor \). We conclude that \(\exists S_w\in \lfloor {S}\rfloor .\ \lceil {S_w}\rceil \cap R=\emptyset \), namely \(S_w=S\). Therefore, R is \(\mathbf {T}_r^\mathsf {M}\)-refutable.
Proof
(Lemma 10’s Proof). Suppose R is a nontrivial obligation. We prove by contradiction that R is not refutable in any test setup.
Assume that R is \(\mathbf {T}\)-refutable in some test setup \(\mathbf {T}\). By Theorem 7, R is a prohibition. Then, R must be trivial by Lemma 3, because R is both a prohibition and an obligation. That R is trivial contradicts the assumption that R is a nontrivial obligation. We conclude that R is not refutable in any test setup.
Proof
(Theorem 14’s Proof). Suppose R is \(\mathbf {T}\)-verifiable, with \(\mathbf {T}=(T,\alpha )\). We prove that R is an obligation. If R is empty, then R is a trivial obligation. Assume that R is nonempty and let \(S\in R\). Now, suppose \(S\preceq S'\). All we need to prove is that \(S'\in R\). Since R is \(\mathbf {T}\)-verifiable, from \(S\in R\) we conclude \(\exists t\in \alpha (S).\ \hat{\alpha }(t)\subseteq R\). As \(\alpha \) is order-preserving and \(S\preceq S'\), we have \(t\in \alpha (S')\). That is, \(S'\in \hat{\alpha }(t)\). We conclude that \(S'\in R\). Therefore, R is an obligation.
Proof
(Lemma 15’s Proof). Suppose R is a nontrivial prohibition. We prove by contradiction that R is not verifiable in any test setup.
Assume that R is \(\mathbf {T}\)-verifiable in some test setup \(\mathbf {T}\). By Theorem 14, R is an obligation. Then, R must be trivial by Lemma 3, because R is both a prohibition and an obligation. That R is trivial contradicts the assumption that R is a nontrivial prohibition. We conclude that R is not verifiable in any test setup.
Proof
(Theorem 20’s Proof). We split the proof into several parts.
(1) Suppose that a property \(\phi \) is \(\mathbf {T}_*\)-refutable. We show that \(\phi \) is safety. Assume that \(\pi \not \in \phi \), for some \(\pi \in \varSigma ^\omega \). Then, the system \(S_\pi =\{\pi \}\) violates \(\phi \). Now, by \(\phi \)’s \(\mathbf {T}_*\)-refutability, there exists a finite set t of \(\pi \)’s finite prefixes that demonstrates \(S_\pi \not \in R_\phi \), where \(R_\phi =\lfloor {\phi }\rfloor \). Let \(\sigma \) be the longest element in t; note that since \(\{\pi \}\) is a singleton, there always exists a single longest element in t. Then, for any \(\pi '\in \varSigma ^\omega \), the system \(S_{\pi '}=\{\sigma \pi '\}\) violates \(\phi \), simply because t belongs to \(\alpha (S_{\pi '})\). We conclude that \(\sigma \pi '\not \in \phi \), for all \(\pi '\in \varSigma ^\omega \). That is, \(\phi \) is a safety temporal property.
(2) Suppose that \(\phi \) is safety. We show that \(\phi \) is \(\mathbf {T}_*\)-refutable. Assume that a system S violates \(\phi \). That is, \(\exists \pi \in S.\ \pi \not \in \phi \). Since \(\phi \) is safety, a finite prefix of \(\pi \), say \(\sigma \), satisfies the following condition: \(\forall \pi '\in \varSigma ^\omega .\ \sigma \pi '\not \in \phi \). Now, define the observation \(t\in T_*\) as \(\{\sigma \}\). Note that \(t\in \alpha (S)\), and moreover \(\hat{\alpha }(t)\cap R_\phi =\emptyset \) due to the above condition. This shows that \(\phi \) is \(\mathbf {T}_*\)-refutable.
(3) Any temporal property \(\phi \) is \(\mathbf {T}_r\)-refutable because \(R_\phi \)’s satisfaction is abstraction-closed, for any \(\phi \). Then, by Lemmas 3 and 15, any \(\mathbf {T}_r\)-verifiable or \(\mathbf {T}_*\)-verifiable property must be trivial.
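As an added illustration of parts (1) and (2) of this proof (example code written for this page, not code from the paper), the following Python models a system as a finite labelled transition system whose infinite paths are its traces, a \(\mathbf {T}_*\) observation as a finite set of finite prefixes, and a safety property by its bad-prefix predicate (a prefix after which no continuation can satisfy the property). The function refute_safety searches the system's finite prefixes for a bad prefix \(\sigma \) and returns the refuting observation \(\{\sigma \}\), as in part (2); for the liveness-style property "eventually b", no finite prefix is bad, so the search returns None even for a violating system, which is the situation part (1) rules out for \(\mathbf {T}_*\)-refutable properties. The alphabet, the systems, the properties and all function names are constructions of this example.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, Iterator, List, Optional, Tuple

# Constructed toy model for this example (not the paper's formalisation): a
# system maps each state to its outgoing (label, successor) transitions, and
# every state has at least one successor, so every finite path extends to an
# infinite trace. An observation in T_* is a finite set of finite prefixes of
# the system's traces; a safety property is given by its bad-prefix predicate.
System = Dict[int, List[Tuple[str, int]]]
Observation = FrozenSet[str]
BadPrefix = Callable[[str], bool]


def finite_prefixes(system: System, init: int, max_len: int) -> Iterator[str]:
    """Enumerate, in breadth-first order, all prefixes of length <= max_len of
    the system's traces: the finite traces a black-box tester can observe."""
    queue = deque([("", init)])
    while queue:
        prefix, state = queue.popleft()
        yield prefix
        if len(prefix) < max_len:
            for label, successor in system[state]:
                queue.append((prefix + label, successor))


def refute_safety(system: System, init: int, bad_prefix: BadPrefix,
                  max_len: int) -> Optional[Observation]:
    """Look for an observation t = {sigma} in alpha(S) such that every system
    exhibiting t violates the property (alpha_hat(t) disjoint from R_phi).
    For a safety property this is exactly a bad prefix sigma of one of S's
    traces. Returns None when no bad prefix exists within the search bound."""
    for sigma in finite_prefixes(system, init, max_len):
        if bad_prefix(sigma):
            return frozenset({sigma})
    return None


def exhibits(system: System, init: int, t: Observation) -> bool:
    """t in alpha(S): every finite trace in t is a prefix of a trace of S."""
    longest = max((len(sigma) for sigma in t), default=0)
    available = set(finite_prefixes(system, init, longest))
    return all(sigma in available for sigma in t)


# Constructed properties over the alphabet {a, b}.
def never_aa(sigma: str) -> bool:
    """Safety: two consecutive a's never occur, so any prefix containing
    "aa" is a bad prefix (no continuation can repair it)."""
    return "aa" in sigma


def eventually_b(sigma: str) -> bool:
    """Liveness-style: a b eventually occurs. Every finite prefix can still
    be continued with a b, so no prefix is bad and nothing in T_* refutes it."""
    return False


# Constructed systems (every state has a successor).
BRANCHING: System = {0: [("a", 1), ("b", 0)], 1: [("a", 1), ("b", 0)]}  # can produce "aa"
ALTERNATING: System = {0: [("a", 1)], 1: [("b", 0)]}  # only the trace (ab)^omega
ONLY_A: System = {0: [("a", 0)]}  # only the trace a^omega, which violates "eventually b"

if __name__ == "__main__":
    print(refute_safety(BRANCHING, 0, never_aa, 4))    # frozenset({'aa'}): refuted by one prefix
    print(refute_safety(ALTERNATING, 0, never_aa, 6))  # None: this system satisfies the property
    print(refute_safety(ONLY_A, 0, eventually_b, 6))   # None: violated, yet no finite observation refutes it
```

The search bound max_len only limits how far the tester looks; it is the bad-prefix predicate that makes the returned singleton a genuine refutation, since any system that can exhibit that prefix, whatever its other traces, violates the property.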
Theorem 26
A requirement R is semi-monotone iff \(R=\lfloor {R}\rfloor \wedge \lceil {R}\rceil \).
Proof
We split the proof into two parts, one for each direction of the theorem’s equivalence.
(1) Assume that R is semi-monotone. We show that \(R=\lfloor {R}\rfloor \wedge \lceil {R}\rceil \). Clearly \(R\subseteq \lceil {R}\rceil \wedge \lfloor {R}\rfloor \), for any requirement R. All we need to prove is that \(\lceil {R}\rceil \wedge \lfloor {R}\rfloor \subseteq R\). If \(\lceil {R}\rceil \wedge \lfloor {R}\rfloor =\emptyset \), then the claim trivially holds. Suppose \(S\in \lceil {R}\rceil \wedge \lfloor {R}\rfloor \) for some system S. From \(S\in \lceil {R}\rceil \), we conclude \(\exists S_-\in R.\ S_-\preceq S\). Similarly, from \(S\in \lfloor {R}\rfloor \), we conclude \(\exists S_+\in R.\ S\preceq S_+\). In short, we have \(S_-\preceq S\preceq S_+\), \(S_-\in R\), and \(S_+\in R\). Then, Lemma 27 below implies that \(S\in R\), simply because R is semi-monotone. Therefore, if R is semi-monotone, then \(R=\lceil {R}\rceil \wedge \lfloor {R}\rfloor \).
(2) Assume that \(R=\lfloor {R}\rfloor \wedge \lceil {R}\rceil \). We prove that R is semi-monotone. Note that for any requirement Q, the requirement \(\lfloor {Q}\rfloor \) is a prohibition, hence monotone. Moreover, \(\lceil {Q}\rceil \) is an obligation, hence monotone. Therefore, \(\lfloor {Q}\rfloor \wedge \lceil {Q}\rceil \) is semi-monotone, that is, the intersection of two monotone requirements, for any requirement Q. In particular, R is semi-monotone because \(R=\lfloor {R}\rfloor \wedge \lceil {R}\rceil \).
Lemma 27
If R is a semi-monotone requirement, then for any three systems \(S_-\), S, and \(S_+\) the following condition holds: \(S_-\preceq S\preceq S_+\ \wedge \ S_-\in R\ \wedge \ S_+\in R\) implies \(S\in R\).
Proof
Either (1) R is monotone, that is, R is the conjunction of two prohibitions or the conjunction of two obligations, or (2) R is the conjunction of a prohibition P and an obligation O. The lemma’s claim is immediate for case (1). Let us consider case (2). Suppose \(S_-\preceq S\preceq S_+\ \wedge \ S_-\in R\ \wedge \ S_+\in R\). Note that \(S_-\in R\) implies that \(S_-\in O\). Then, \(S_-\preceq S\) implies that \(S\in O\). Similarly, \(S_+\in R\) implies that \(S_+\in P\). Then, \(S\preceq S_+\) implies that \(S\in P\). These two statements show that \(S\in P\wedge O\). That is, \(S\in R\).
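To make Theorem 26 and Lemma 27 concrete, here is an added Python example (written for this page, not taken from the paper). It assumes a toy system model in which a system is a set of behaviours and \(S'\preceq S\) holds iff \(S'\subseteq S\), so that the empty set is \(\bot \) and the full set is \(\top \). It computes \(\lfloor {R}\rfloor \) and \(\lceil {R}\rceil \) as downward and upward closures, tests a requirement for being a prohibition or an obligation, and checks Theorem 26’s identity \(R=\lfloor {R}\rfloor \wedge \lceil {R}\rceil \) against Lemma 27’s three-system condition exhaustively over all 256 requirements of the model; it also checks the identity \(\lfloor {\lceil {S}\rceil }\rfloor =\mathcal {S}\) used in Lemma 3’s proof. The behaviours, the sample requirements and every function name are constructions of this example.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, Iterator

# Constructed toy system model (not the paper's): a system is a subset of
# BEHAVIOURS, and S' refines S (S' ⪯ S) iff S' ⊆ S. The empty set is the
# bottom element and BEHAVIOURS itself is the top element.
BEHAVIOURS = frozenset({"x", "y", "z"})
System = FrozenSet[str]
Requirement = FrozenSet[System]  # a requirement is the set of systems satisfying it


def powerset(items: Iterable) -> Iterator[frozenset]:
    """All subsets of a finite collection, each as a frozenset."""
    items = list(items)
    for size in range(len(items) + 1):
        for combo in combinations(items, size):
            yield frozenset(combo)


ALL: Requirement = frozenset(powerset(BEHAVIOURS))  # the system universe 𝒮 (8 systems)
BOTTOM: System = frozenset()
TOP: System = BEHAVIOURS


def refines(s1: System, s2: System) -> bool:
    """s1 ⪯ s2 in this model."""
    return s1 <= s2


def lower(r: Requirement) -> Requirement:
    """⌊R⌋: every system that refines some member of R (downward closure,
    hence always a prohibition)."""
    return frozenset(s for s in ALL if any(refines(s, s_plus) for s_plus in r))


def upper(r: Requirement) -> Requirement:
    """⌈R⌉: every system that abstracts some member of R (upward closure,
    hence always an obligation)."""
    return frozenset(s for s in ALL if any(refines(s_minus, s) for s_minus in r))


def is_prohibition(r: Requirement) -> bool:
    return r == lower(r)


def is_obligation(r: Requirement) -> bool:
    return r == upper(r)


def semi_monotone_by_lemma27(r: Requirement) -> bool:
    """Lemma 27's condition: S- ⪯ S ⪯ S+ with S- and S+ in R forces S into R."""
    return all(
        s in r
        for s_minus in r
        for s_plus in r
        if refines(s_minus, s_plus)
        for s in ALL
        if refines(s_minus, s) and refines(s, s_plus)
    )


def semi_monotone_by_theorem26(r: Requirement) -> bool:
    """Theorem 26's characterization: R = ⌊R⌋ ∧ ⌈R⌉."""
    return r == (lower(r) & upper(r))


def characterizations_agree() -> bool:
    """Compare the two characterizations on every requirement of the model."""
    return all(
        semi_monotone_by_lemma27(req) == semi_monotone_by_theorem26(req)
        for req in powerset(ALL)
    )


# Constructed sample requirements.
NO_Z: Requirement = frozenset(s for s in ALL if "z" not in s)  # a prohibition
HAS_X: Requirement = frozenset(s for s in ALL if "x" in s)     # an obligation
ONLY_EXTREMES: Requirement = frozenset({BOTTOM, TOP})           # not semi-monotone

if __name__ == "__main__":
    print(is_prohibition(NO_Z), is_obligation(HAS_X))          # True True
    print(semi_monotone_by_theorem26(NO_Z & HAS_X))            # True: prohibition ∧ obligation
    print(semi_monotone_by_theorem26(ONLY_EXTREMES))           # False: {x} sits between ⊥ and ⊤
    print(characterizations_agree())                           # True
    print(lower(upper(frozenset({frozenset({"y"})}))) == ALL)  # True: ⌊⌈S⌉⌋ = 𝒮
```

The requirement ONLY_EXTREMES shows why the three-system condition matters: both \(\bot \) and \(\top \) satisfy it, yet the system \(\{x\}\) lying between them does not, so its lower and upper closures intersect in the whole universe rather than in the requirement itself.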
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Dashti, M.T., Basin, D. (2017). Tests and Refutation. In: D'Souza, D., Narayan Kumar, K. (eds) Automated Technology for Verification and Analysis. ATVA 2017. Lecture Notes in Computer Science, vol 10482. Springer, Cham. https://doi.org/10.1007/978-3-319-68167-2_9
DOI: https://doi.org/10.1007/978-3-319-68167-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68166-5
Online ISBN: 978-3-319-68167-2