450 likes | 674 Views
Model-Based Testing with Labelled Transition Systems. specification. Testing. Testing: checking or measuring some quality characteristics of an executing object by performing experiments in a controlled way w.r.t. a specification. tester. IUT. Types of Testing. Level of detail. system.
E N D
specification Testing Testing: checking or measuring some quality characteristicsof an executing objectby performing experimentsin a controlled wayw.r.t. a specification tester IUT
Types of Testing Level of detail system integration module unit Accessibility portability white box black box maintainability efficiency usability reliability functionality Characteristics
IUTconftomodel test tool test generation tool IUT passes tests TTCN testcases TTCN test execution tool passfail Automated Model-Based Testing Automated Model-Based Testing model IUT confto model IUT
Towards Model Based Testing • Increase in complexity, and quest for higher quality software • testing effort grows exponentially with complexity • testing cannot keep pace with development • More abstraction • less detail • model-based development • Checking quality • practice: testing - ad hoc, too late, expensive, lot of time • research: formal verification - proofs, model checking, . . . . with disappointing practical impact
Towards Model Based Testing • Model based testing has potential to combine • practice - testing • theory - formal methods • Model Based Testing : • testing with respect to a (formal) model / specification state model, pre/post, CSP, Promela, UML, Spec#, . . . . • promises better, faster, cheaper testing: • algorithmic generation of tests and test oracles : tools • formal and unambiguous basis for testing • measuring the completeness of tests • maintenance of tests through model modification
informal world formalizable validation formalverification world of models real world testing A Model-Based Development Process informalrequirements specification design model-based code realization
m modcheck s model checker m sat s specification s sat m modcheck s model m of i m modcheck s sound complete formal world real world implementationi Formal Verification sat assumption: m is valid model of i
correctness of test generation ? specification s test generation IUTconfto s confto IUTpasses Ts test suite TS formal world test execution real world IUT passes Ts implementation i IUT fails Ts implementationi Formal Testing IUT
Approaches to Model-Based Testing Several modelling paradigms: • Finite State Machine • Pre/post-conditions • Labelled Transition Systems • Programs as Functions • Abstract Data Type testing • . . . . . . . Labelled Transition Systems
model tests IUT test execution pass / fail Model-Based Testing for LTS Involves: • model / specification • implementation IUT + models of IUTs • correctness • tests • test generation • test execution • test result analysis testgeneration confto
initial states0 S states transitionsT S (L{}) S actions !coffee !alarm ?coin ?button ?button Models of Specifications:Labelled Transition Systems Labelled Transition System S, L, T, s0
?kwart ?dub?kwart ?dub ?dub !coffee !choc !tea !tea ?dub?kwart ?dub ?dub ?dub ?dub ?kwart !coffee !coffee !choc !tea Example Models (Input-Enabled) Transition Systems
CorrectnessImplementation Relationioco iiocos =defStraces (s) : out (iafter ) out (safter) Intuition: i ioco-conforms to s, iff • if i produces output x after trace , then s can produce x after • if i cannot produce any output after trace , then s cannot produce any output after (quiescence)
pp = !x LU{} . p!x Straces ( s ) = { (L{})* | s } pafter = { p’ | p p’ } out ( P) = { !xLU | p!x, pP } { | pp, pP } CorrectnessImplementation Relationioco iiocos =defStraces (s) : out (iafter ) out (safter)
?kwart ioco ioco ?dub?kwart ioco ioco ?dub ?dub s !coffee !choc !tea !tea ?dub?kwart ?dub ?dub ?dub ?dub ?kwart !coffee !coffee !choc !tea Implementation Relation ioco
!dub !kwart ?coffee ?tea fail fail !dub ?coffee ?tea pass pass fail Test Cases Model of a test case = transition system : • ‘quiescence’ label • tree-structured • finite, deterministic • final states pass and fail • from each state pass, fail : • either one input !a • or all outputs ?x and
1 end test case 3 observe output pass forbidden outputs allowed outputs ?y ?x 2 supply input fail fail T(S after !x) !a allowed outputs or : !xout(S) forbidden outputs or : !y out(S) T(S after ?a ) ioco Test Generation Algorithm Algorithm To generate a test case from transition system specification s0compute T(S), with S a set of states, and initially S = s0 after ; For T(S), apply the following recursively, non-deterministically:
?dub ?dub !dub !coffee ?coffee ?tea ?coffee ?tea pass fail pass fail fail Test Generation Example s test
i test ?dub ?dub !dub ?dub ?coffee ?dub !coffee ?tea ?dub pass fail ?coffee ti passi' ?tea ti pass fail pass i' fail dub dub coffee Test Execution Example Two test runs : i passes t
Test Result AnalysisCompleteness of ioco Test Generation For every test t generated with algorithm we have: • Soundness :twill never fail with correct implementationiiocos implies i passest • Exhaustiveness:each incorrect implementation can be detectedwith a generated testtiiocos implies t : ifailst
s LTS TsTTS IUT IMPS iIUTIOTS exec : TESTS IMPS (OBS) passes : IOTS TTS {pass,fail} pass / fail Formal Testing with Transition Systems Test hypothesis : IUTIMP . iIUT IOTS . tTTS . IUT passes t iIUT passes t gen : LTS(TTS) = ioco Proof soundness and exhaustiveness: iIOTS . ( tgen(s) . i passes t ) iiocos
Variations on a Theme iiocos Straces(s) : out ( iafter ) out ( safter) i ior s ( L {} )* : out ( iafter ) out ( safter) iioconfs traces(s) : out ( iafter ) out ( safter) iiocoFs F: out ( iafter ) out ( safter) imiocos multi-channel ioco iuiocos universal ioco iwiocos non-input-enabled ioco isiocos symbolic ioco i(r)tiocos (real) timed tioco (Aalborg, Twente, Grenoble, Bordeaux,. . . .) iiocors refinement ioco ihiocos hybrid ioco . . . . . .
Extensions Status test case with data ?coin1 n: int ? money ?coin2 ! money ? ?coin3 and action refinement [ n 35 ] -> [ n 50 ] -> ? button1 ? button2 ! button2 Vc := 0 c := 0 c := 0 Vt := 0 dVt/dt = 3 dVc/dt = 2 c < 10 c < 15 ? coffee [Vt= 15 ] -> [ c 5 ] -> [Vc= 10 ] -> ! coffee ! tea ? tea fail fail pass Testing Transition Systems: model and time and hybrid
but ?but ?ok ?but Xy Xy ?but ?but okerr okerr but !x ?but !err ?but !x !y ?but ?ok ?err ?but ?but ?ok ?err ?ok ?err !err !ok !x !y ?ok ?err ?ok ?err Component Based Testing i1iocos1 i2 ioco s2 i1||i2 ioco s1||s2
Compositional TestingComponent Based Testing i1 s1 i1 ioco s1 i2 s2 i2 ioco s2 i1 || i2 ioco s1 || s2 If s1, s2 input enabled - s1, s2 IOTS - then ioco is preserved !
?a ?a ?a ?b ?b !x !y !z Variations on a Theme: uioco iiocos Straces(s) : out ( iafter ) out ( s0after) s0 out ( s0after?b ) = but ?b Straces(s) : under-specification :anything allowed after ?b s1 s2 out ( s0after?a ?a ) = { !x }and ?a ?a Straces(s)but from s2 , ?a ?a is under-specified : anything allowed after ?a ?a ?
s0 ?a ?a s1 s2 ?a ?b ?b Utraces(s) = { Straces (s) | 1?a2=,s': s1s' s'?a } !x !y !z Variations on a Theme: uioco iuiocos Utraces(s) : out ( iafter ) out ( s0after) Now s is under-specified in s2 for ?a :anything is allowed. ioco uioco
?a LI LILU ?a ?a ?b ?b !x !y !z Variations on a Theme: uioco iuiocos Utraces(s) : out ( iafter ) out ( s0after) s0 ?b s1 s2 ?a Alternatively, via chaos process for under-specified inputs
methodinvocation methodcall methodreturn methodinvocations IUTcomponent IUTcomponent IUTcomponent methodinvocations || methodcalled methodreturned IUTcomponent methodsinvoked Testing Components
methodreturn methodcall specification s LTS(LI, LU) IUTcomponent tester methodreturn methodcall Testing Components LI = offered methods calls used methods returns LU= offered methods returns used methods calls
Input-enabledness:s of IUT, ?a LI : ? methodreturn methodcall IUTcomponent ?a s tester methodcall methodreturn Testing Components No ! ?
saftermusta? = s’ ( s s’ s’ a? ) CorrectnessImplementation Relationwioco iuiocos =defUtraces (s) : out (iafter ) out (safter) iwiocos =defUtraces (s) : out (iafter ) out (safter) and in (iafter ) in (safter) in (safter ) = { a? LI | safter musta? }
s LTS TsTTS IUT IMPS iIUTIOTS exec : TESTS IMPS (OBS) passes : IOTS TTS {pass,fail} pass / fail Formal Testing with Transition Systems Test hypothesis : IUTIMP . iIUT IOTS . tTTS . IUT passes t iIUT passes t gen : LTS(TTS) = ioco Proof soundness and exhaustiveness: iIOTS . ( tgen(s) . i passes t ) iiocos
IUT ?a s Test Assumption output x? LU IUT input a?LI quiescence Sequencing of inputs, outputs, and : Input-enabledness: s of IUT, ?a LI : IUTbehaves as an IOTS (input-enabled LTS)
S1 S1 S2 S2 environment environment Comparing Transition SystemsTesting Equivalences • Suppose an environment interacts with the systems: • the environment tests the system as black boxby observing and actively controlling it; • the environment acts as a tester; • Two systems are equivalent if they pass the same tests.
Formal Testing : Test Assumption Test assumption : IUT . iIUTMOD.tTEST . IUTpassestiIUTpassest IUT iIUT test t test t
? IUT passes Ts IUTconfto s Completeness of Formal Testing IUTpasses Ts t Ts . IUTpasses t IUTpasses Tsdef t Ts . IUTpasses t t Ts . iIUTpasses t Test hypothesis : t TEST . IUT passes t iIUT passes t Proof obligation : i MOD . ( t Ts . i passes t ) i imp s iIUT imp s Definition : IUTconfto s IUTconfto s
ioco ?dub ?dub s !coffee !choc !tea !tea Test Assumption More tests may be needed, starting in initial state: meta-assumption: reliable restart
ioco ?dub !choc !tea ?dub ?dub ioco !choc !tea Alternative Test Assumption Test: 1. do ?dub2. make core dump 3. make many copies of core dump 4. continue test with each copy An “Ambramsky”-test can distinguish them
?dub ?dub ioco ?dub ?kwart ?kwart ?kwart ?kwart !choc !tea !choc !tea ioco Alternative Test Assumption With test ?dub.?kwart.undo you can distinguish them
Concluding • Testing can be formal, too (M.-C. Gaudel, TACAS'95) • Testing shall be formal, too • A test generation algorithm is not just another algorithm : • Proof of soundness and exhaustiveness • Definition of test assumption and implementation relation • For labelled transition systems : • ioco for expressing conformance between imp and spec • a sound and exhaustive test generation algorithm • tools generating and executing tests:TGV, TestGen, Agedis, TorX, . . . .
Perspectives Model based formal testing can improve the testing process : • model is precise and unambiguous basis for testing • design errors found during validation of model • longer, cheaper, more flexible, and provably correct tests • easier test maintenance and regression testing • automatic test generation and execution • full automation : test generation + execution + analysis • extra effort of modelling compensated by better tests