Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Systematic Evaluation of Black-Box Checking for Fast Bug Detection

Bram Pellen, María Belén Rodríguez, Frits Vaandrager, Petra van den Bos

TL;DR

The paper systematically evaluates black-box checking (BBC), which fuses active automata learning, model-based testing, and model checking, on 77 real benchmark models to assess its speed and effectiveness in bug detection. It confirms that applying model checking to all hypotheses dramatically speeds up bug discovery (BBC uses a small fraction of the queries required by learning-only approaches) and remains effective even when the full model cannot be learned, achieving 94% detection on challenging RERS benchmarks. The study further shows BBC outperforms standalone MBT in finding deep bugs, and that runtime monitoring provides a modest additional speedup. Overall, the work validates BBC as a powerful, practical approach for fast bug detection in black-box systems with available safety specifications, while outlining directions for enhancement and broader evaluation.

Abstract

Combinations of active automata learning, model-based testing and model checking have been successfully used in numerous applications, e.g., for spotting bugs in implementations of major network protocols and to support refactoring of embedded controllers. However, in the large majority of these applications, model checking is only used at the very end, when no counterexample can be found anymore for the latest hypothesis model. This contrasts with the original proposal of black-box checking (BBC) by Peled, Vardi & Yannakakis, which applies model checking for all hypotheses, also the intermediate ones. In this article, we present the first systematic evaluation of the ability of BBC to find bugs quickly, based on 77 benchmarks models from real protocol implementations and controllers for which specifications of safety properties are available. Our main finding are: (a) In cases where the full model can be learned, BBC detects violations of the specifications with just 3.4% of the queries needed by an approach in which model checking is only used for the full model. (b) Even when the full model cannot be learned, BBC is still able to detect many violations of the specification. In particular, BBC manages to detect 94% of the safety properties violations in the challenging RERS 2019 industrial LTL benchmarks. (c) Our results also confirm that BBC is way more effective than existing MBT algorithms in finding deep bugs in implementations.

Systematic Evaluation of Black-Box Checking for Fast Bug Detection

TL;DR

The paper systematically evaluates black-box checking (BBC), which fuses active automata learning, model-based testing, and model checking, on 77 real benchmark models to assess its speed and effectiveness in bug detection. It confirms that applying model checking to all hypotheses dramatically speeds up bug discovery (BBC uses a small fraction of the queries required by learning-only approaches) and remains effective even when the full model cannot be learned, achieving 94% detection on challenging RERS benchmarks. The study further shows BBC outperforms standalone MBT in finding deep bugs, and that runtime monitoring provides a modest additional speedup. Overall, the work validates BBC as a powerful, practical approach for fast bug detection in black-box systems with available safety specifications, while outlining directions for enhancement and broader evaluation.

Abstract

Combinations of active automata learning, model-based testing and model checking have been successfully used in numerous applications, e.g., for spotting bugs in implementations of major network protocols and to support refactoring of embedded controllers. However, in the large majority of these applications, model checking is only used at the very end, when no counterexample can be found anymore for the latest hypothesis model. This contrasts with the original proposal of black-box checking (BBC) by Peled, Vardi & Yannakakis, which applies model checking for all hypotheses, also the intermediate ones. In this article, we present the first systematic evaluation of the ability of BBC to find bugs quickly, based on 77 benchmarks models from real protocol implementations and controllers for which specifications of safety properties are available. Our main finding are: (a) In cases where the full model can be learned, BBC detects violations of the specifications with just 3.4% of the queries needed by an approach in which model checking is only used for the full model. (b) Even when the full model cannot be learned, BBC is still able to detect many violations of the specification. In particular, BBC manages to detect 94% of the safety properties violations in the challenging RERS 2019 industrial LTL benchmarks. (c) Our results also confirm that BBC is way more effective than existing MBT algorithms in finding deep bugs in implementations.

Paper Structure

This paper contains 20 sections, 4 equations, 4 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Partial maps and sequences
  4. DFAs and Mealy machines
  5. Model checking
  6. Model-Based Testing
  7. Case Studies
  8. BLE.
  9. SSH (LTL).
  10. SSH (DFA).
  11. DTLS (Client & Server).
  12. RERS.
  13. Experimental Setup
  14. Black-box Checking
  15. Model-based Testing
  16. ...and 5 more sections

Figures (4)

  • Figure 1: Black-box checking for specification $\mathcal{S}$ and system under test SUT.
  • Figure 2: A Mealy machine (left) and the corresponding DFA (right).
  • Figure 3: Scatter plot showing the percentages of the number of learning and testing queries needed for BBC to find a bug, relative to the total number of learning and testing queries needed to learn the full model.
  • Figure 4: Scatter plot showing the mean number of queries needed for BBC to find a bug, compared to the mean number of tests MBT needs to find the same bug.

Theorems & Definitions (7)

  • definition thmcounterdefinition: DFA
  • definition thmcounterdefinition: Completion of a DFA
  • definition thmcounterdefinition: Mealy machine
  • definition thmcounterdefinition: From Mealy machines to DFAs
  • definition thmcounterdefinition: Specification
  • definition thmcounterdefinition: Complement
  • definition thmcounterdefinition: Product