400 likes | 514 Views
Input-output conformance testing for channel-based connectors. Natallia Kokash (Accepted for PACO’2011). 1. Agenda. Introduction Reo Semantics of Reo Automata-based Process algebra-based Input-output conformance ( ioco ) theory Using ioco to test Reo Tool support Related work
E N D
Input-output conformance testing for channel-based connectors Natallia Kokash (Accepted for PACO’2011) ACG, 31/05/2011 1
Agenda • Introduction • Reo • Semantics of Reo • Automata-based • Process algebra-based • Input-output conformance (ioco) theory • Using ioco to test Reo • Tool support • Related work • Conclusions and future work ACG, 31/05/2011
Introduction • Reo is a channel-based coordination language • Components or services are coordinated by Reo connectors • Primitive connectors with just two ends are called channels • Connectors can be composed to form more complex connectors • Channels are user-defined • Nodes implement a fixed routing policy ACG, 31/05/2011
Constraint automata • Constraint automaton A = (S, N , →, s0) consists of • a set of states S, • a set of port names N , • a transition relation → ⊆ S × 2N × DC × S, where DC is the set of data constraints over a finite data domain Data, • an initial state s0 ∈ S. • Two operators on CA are defined: product and port hiding • A CA for a Reo connector can be computed as product of CA for individual channels. ACG, 31/05/2011
Basic Reo channels and nodes ACG, 31/05/2011
Constraint automata for basic channels and nodes ACG, 31/05/2011
Process algebra mCRL2 • Actions are atomic events • Processes are the active entities defined as expressions over actions and other processes • Multiaction:a|b(synchronized actions) • Alternative composition:a + b (nondeterministic choice) • Sequential composition:a.b (b started after a) • Conditional:exp → a ◊b(if-then-else) • At operator: act (actiona happens at time t) • Summation:∑d∈Da(d) (a(d1) + a(d2) + a(d3)…) • Parallel composition:a||b (interleavings a.b + b.a + a|b) • Renaming:ρR(a) where Ris a set of renamings of the form b → c, meaning that every occurrence of b in a is replaced by c • Hiding:τH(a) renames all actions of H in a to τ • Restriction (allow):∇R(a) where R specifies which actions are allowed to occur in a • Blocking:∂B(a) where B is a set of actions that is not allowed to occur in a • Communication:ΓC(p), where C is a set of allowed communications of the form a0|...|an→ c, n ≥1 which means that every group of actions a0|...|an within a multiaction is replaced by an action c ACG, 31/05/2011
From CA to mCRL2 Data flow observed at a channel end = mCRL2 action ACG, 31/05/2011
Correctness ACG, 31/05/2011
Correctness ACG, 31/05/2011
Why do we need testing for Reo? • Circuit design is error-prone • It is not a trivial task to design a Reo connector with a certain behavior • Model-checking is not always feasible (e.g., data-aware models with infinite domains) • When Reo is used for workflow and dataflow design, how do we assure the quality of workflow/dataflow implementations? ACG, 31/05/2011
Specification: Reo ACG, 31/05/2011
Implementation: extension of BPEL • <bpws:process exitOnStandardFault="yes" name="separation_of_duty_V_001“ suppressJoinFailure="yes" • targetNamespace=http://www.iaas.uni-stuttgart.de/pf/separation_of_duty • … • <bpws:variables> • <bpws:variable name=“Clerk1"/> • <bpws:variable name=“Clerk2"/> • <bpws:variable name=“ProcessRequest"/> • <bpws:variable name=“Authorize"/> • </bpws:variables> • <bpws:sequence name="Process Fragement: Separation of duty"> • <bpws:scope name="Scope"> • <bpws:flow name="Flow"> • <bpws:links> • <bpws:link name="link1"/> <bpws:link name="link2"/> <bpws:link name="link3"/> <bpws:link name="link4"/> • </bpws:links> • <bpws:sources> <bpws:source linkName="link1"/> </bpws:sources> • <bpws:invoke name=“Task1"> • <bpws:targets> <bpws:target linkName="link1"/> </bpws:targets> • <bpws:sources> <bpws:source linkName="link2"/> </bpws:sources> • </bpws:invoke> • … • <bpws:invoke name=“Task2“> • <bpws:targets> <bpws:target linkName="link3"/> </bpws:targets> • <bpws:sources> <bpws:source linkName="link4"/> </bpws:sources> • </bpws:invoke> • </bpws:flow> • </bpws:scope> • </bpws:sequence> • </bpws:process> ACG, 31/05/2011
Examples of wrong connector implementations ACG, 31/05/2011
Input-output conformance theory • Model-based testing aims at automatically generating test suits from software models • J. Tretmans (2008): Model Based Testing with Labelled Transition Systems. In: Formal Methods and Testing, LNCS 4949, Springer, pp. 1–38. • Formal, specification-based active, black-box, functionality testing ACG, 31/05/2011
Labelled transition systems ACG, 31/05/2011
Language with LTS as operational semantics ACG, 31/05/2011
Sequences of observable actions ACG, 31/05/2011
Some definitions: tau-abstracted sequence of observable actions ACG, 31/05/2011
Some useful definitions ACG, 31/05/2011
LTL with Inputs/Outputs and Input-Output Transition Systems (IOTS) ACG, 31/05/2011
Input-output transition systems Two ways to convert LTL with I/O to IOTS: 1. Angelic completion: add self-loops to every reachable state • 2. Demonic completion: add a chaos state χ such that all non-specified inputs lead to χ, once in χ any behavior is possible. ACG, 31/05/2011
Quiescent and suspension traces Extend traces with observations of quiescence: Traces that can contain the quiescence action are called suspension traces: ACG, 31/05/2011
Quiescence The occurrence of θ in a test indicates the detectionof quiescence δ ACG, 31/05/2011
Test case A tester should not offer more than one input at a time: ACG, 31/05/2011
Examples of test cases ACG, 31/05/2011
The iocorelation ACG, 31/05/2011
Example ACG, 31/05/2011
Compositional testing ACG, 31/05/2011
Example ACG, 31/05/2011
Test execution ACG, 31/05/2011
Test generation ACG, 31/05/2011
Application of ioco to testing Reo • Reo is a language with LTS semantics • We can associate mCRL2 processes with each state of a Reo circuit • {A,B,C}→ A|B|C – a unique action (can be renamed e.g., to ABC) • Extend CA/LTS with Input/Output actions • Is Reo implementation input enabled? • Specification: CA, implementation: Reo • Specification: Reo, implementation: Reo • Specification: Reo, implementation: BPEL, Java, etc. ACG, 31/05/2011
CA with Inputs and Outputs Encoding for boundary nodes: ACG, 31/05/2011
Input/Output CA • Every boundary node A has associated Input and Output actions: • A circuit cannot accept?A through its input port A without observing!A • An environment cannot observe !B on the circuit output port B before ?B • What happens with pending requests if the circuit cannot process them? We can apply angelic completion to a CA with I/O without changing the functional behavior of the circuit it specifies ACG, 31/05/2011
Compositional testing for Reo ACG, 31/05/2011
Tool support specification (s) Implementation (i) ACG, 31/05/2011
Test case simulation ACG, 31/05/2011
Related work • B. K. Aichernig, F. Arbab, L. Astefanoaei, F. S. de Boer, M. Sun & J. Rutten: Fault-Based Test Case Generation for Component Connectors. In: Third IEEE International Symposium on Theoretical Aspects of Software Engineering, (2009), pp. 147–154. • S. Meng, F. Arbab, B. K. Aichernig, L. Aştefănoaei, Frank S. de Boer, J. Rutten, “Connectors as designs: Modeling, refinement and test case generation,Science of Computer Programming, (2011). • Considers connectors as designs • A prototype tool for test case generation developed in Maude • “An approach basedon I/O FSM is not appropriate for generating test cases for connectors, since it assumes that a pair of input and output constitutes an atomic action of a system, in other words, that the system cannot accept the next input before producing the output in reaction to the previous input. In Reo, such assumptions do not hold.” ACG, 31/05/2011
Future work • Testing Java code generation for Reo • Testing data-aware Reo: • J. Tretmans L. Frantzen & T. A.C. Willemse (2005): Test Generation Based on Symbolic Specifications. In J. Grabowski & B. Nielsen, editors: Proc. FATES 2004, LNCS 3395, Springer, pp. 1–15. • Testing timed Reo: • Brinksma E. Brandan Briones, L. (2005): A Test Generation Framework for quiescent Real-Time Systems. In J. Grabowski & B. Nielsen, editors: Proc. FATES 2004, LNCS 3395, Springer, pp. 64–78. ACG, 31/05/2011