Verification Using Test Generation Techniques

Vlad Rusu
IRISA/INRIA, Rennes, France
rusu@irisa.fr

Abstract. Applying formal methods to testing has recently become a popular research topic. In this paper we explore the opposite approach, namely, applying testing techniques to formal verification. The idea is to use symbolic test generation to extract subgraphs (called components) from a specification and to perform the verification on the components rather than on the whole system. This may considerably reduce the verification effort and, under reasonable sufficient conditions, a safety property verified on a component also holds on the whole specification. We demonstrate the approach by verifying an electronic purse system using our symbolic test generation tool STG and the PVS theorem prover.

Keywords: Formal verification, conformance testing, electronic purse.

1 Introduction

Formal verification and testing are two complementary approaches for ensuring that computer systems operate correctly. In verification, a formal specification of the system is proved correct with respect to some higher-level requirements. In testing, sample runs are executed and an oracle decides whether an error was detected. In conformance testing [18,26] the external, observable traces of a black-box implementation of the system are tested for conformance with respect to a formal specification, and the oracle and sample runs are automatically computed from the specification. Test generation tools [4,20] for conformance testing have been developed based on enumerative model-checking algorithms. As specifications are usually large (typically, extended state machines with tens of variables and hundreds of transitions), the enumerative algorithms suffer from the state-explosion problem. Recently, symbolic test generation techniques [23] have been proposed to tackle this problem.
For conformance testing to produce trustworthy results, i.e., to be free of false positives and false negatives, it is essential that the formal specification of the system meets its requirements. Otherwise, the following undesirable scenario can happen. Assume that we (an independent third-party testing laboratory) have to test the conformance of a black-box implementation I of a system developed by a software company, with respect to a standard provided by a normalization body. The standard includes a large state machine S and some requirements P describing what S is supposed to do. Assume that the implementation I does satisfy P, but, because of an error, the formal specification S

L.-H. Eriksson and P. Lindsay (Eds.): FME 2002, LNCS 2391, pp. 252–271, 2002. © Springer-Verlag Berlin Heidelberg 2002