white-box testing by combining deduction-based ...key/keysymposium07/slides/gladisch-testing.pdf ·...

Report

Post on 26-Jan-2020

7 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

White-box Testing by Combining

Deduction-based Specification Extraction andBlack-box Testing

Bernhard Beckert, Christoph Gladisch

www.key-project.org

6th KeY Symposium 2007

Nomborn, GermanyJune 14, 2007

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Two Kinds of Specifications

Requirement Specificaiton

Given by the user

Role: To be tested or verified

Full Specifictaion

Must comply with the IUT (Impl. Under Test)

Reflects the structure of the program

Can be extracted automatically

Tool Chain

Tool Chain

Tool Chain

Benefits

Using of existing Black-box Testing Tools for White-boxtesting

Separation of concerns - Modularity

Combination of Coverage Criteria

Benefits

Using of existing Black-box Testing Tools for White-boxtesting

Separation of concerns - Modularity

Combination of Coverage Criteria

Benefits

Using of existing Black-box Testing Tools for White-boxtesting

Separation of concerns - Modularity

Combination of Coverage Criteria

Benefits

Using of existing Black-box Testing Tools for White-boxtesting

Separation of concerns - Modularity

Combination of Coverage Criteria

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

The KeYSystem

Program Variable = non-rigid Function Symbol

(prog .var .) a = a (logic const.)o.a = a(o)

Modal Operators

[p]φ 〈p〉φ {a := b}φ〈o.a = t;u.b = s〉φ {a(o) := t || b(u′) := s ′}φ

{for x ; fx := gx}φ {fn := gn||..||f0 := g0}φ

Sequent Calculus Rules

Γ, c = true =⇒ 〈p〉φ,∆ Γ, c = false =⇒ 〈q〉φ,∆

Γ =⇒ 〈if(c){p}else{q}..〉φ,∆

Example IUTpubli lass AbsDiff{publi stati int d;

/*@ public normal_behavior

@ requires true;

@ ensures d==x-y || d==y-x;

@ ensures d>=x-y && d>=y-x;

@*/publi stati void diff(int x, int y){if(x<y) d=y;else d=x;if(d<=y)d=d-x;else d=d-y;

}

}

Specification Extraction (Structural properties)

x < y, x ≤ y

=⇒ {d := y-x}∆

*

x < y, x > y

=⇒ {d := y-x}∆

. . .

x < y =⇒ {d := y}[if . . .]∆

(B3) (B4)

x ≥ y =⇒{d := x}[if . . .]∆

=⇒ [if(x<y)d=y;else d=x; if(d<=y). . .]∆

B1: req x<y && y<=y ens d=\old(y-x); alsoB3: req x>=y && x<=y ens d=\old(x-y); alsoB4: req x>=y && x>y ens d=\old(x-y);

Specification Extraction (Structural properties)

x < y, x ≤ y

=⇒ {d := y-x}∆

*

x < y, x > y

=⇒ {d := y-x}∆

. . .

x < y =⇒ {d := y}[if . . .]∆

(B3) (B4)

x ≥ y =⇒{d := x}[if . . .]∆

=⇒ [if(x<y)d=y;else d=x; if(d<=y). . .]∆

B1: req x<y && y<=y ens d=\old(y-x); alsoB3: req x>=y && x<=y ens d=\old(x-y); alsoB4: req x>=y && x>y ens d=\old(x-y);

Specification Extraction (Structural properties)

x < y, y ≤ y

=⇒ {d := y-x}∆

*

x < y, x > y

=⇒ {d := y-x}∆

. . .

x < y =⇒ {d := y}[if . . .]∆

(B3) (B4)

x ≥ y =⇒{d := x}[if . . .]∆

=⇒ [if(x<y)d=y;else d=x; if(d<=y). . .]∆

B1: req x<y && y<=y ens d=\old(y-x); alsoB3: req x>=y && x<=y ens d=\old(x-y); alsoB4: req x>=y && x>y ens d=\old(x-y);

Specification Extraction (Structural properties)

x < y, y ≤ y

=⇒ {d := y-x}∆

*

x < y, x > y

=⇒ {d := y-x}∆

. . .

x < y =⇒ {d := y}[if . . .]∆

(B3) (B4)

x ≥ y =⇒{d := x}[if . . .]∆

=⇒ [if(x<y)d=y;else d=x; if(d<=y). . .]∆

B1: req x<y && y<=y ens d=\old(y-x); alsoB3: req x>=y && x<=y ens d=\old(x-y); alsoB4: req x>=y && x>y ens d=\old(x-y);

Example IUTpubli lass AbsDiff{publi stati int d;

/*@ public normal_behavior

& requires true;

@ ensures d==x-y || d==y-x;

@ ensures d>=x-y && d>=y-x;

@*/publi stati void diff(int x, int y){

...

}

}

Example IUT

/*@ public normal_behavior

@ requires true;

@ ensures d==x-y || d==y-x;

@ ensures d>=x-y && d>=y-x;

@ also@ requires y < x;

@ ensures d == \old(x - y);

@ also@ requires y == x;

@ ensures d == \old(0);

@ also@ requires y > x;

@ ensures d == \old(y - x);

@*/

Example IUT

/*@ public normal_behavior

@ requires y < x && true;

@ ensures d == \old(x - y)

@ && (d==x-y || d==y-x) && d>=x-y && d>=y-x;

@ also@ requires y == x && true;

@ ensures d == \old(0)

@ && (d==x-y || d==y-x) && d>=x-y && d>=y-x;

@ also@ requires y > x && true;

@ ensures d == \old(y - x)

@ && (d==x-y || d==y-x) && d>=x-y && d>=y-x;

@*/

Using the extracted Post Condition

Requirement Specificationrequires true;ensures (d==x-y || d==y-x) && d>=x-y && d>=y-x

&& d!=MAX_INT;

With Full Specificationrequires true && y < x;ensures (d==x-y || d==y-x) && d>=x-y && d>=y-x

&& d!=MAX_INT && d == \old(x - y);also...

Using the extracted Post Condition

Requirement Specificationrequires true;ensures (d==x-y || d==y-x) && d>=x-y && d>=y-x

&& d!=MAX_INT;

With Full Specificationrequires true && y < x;ensures (d==x-y || d==y-x) && d>=x-y && d>=y-x

&& d!=MAX_INT && d == \old(x - y);also...

Using the extracted Post Condition

Requirement Specificationrequires true;ensures (d==x-y || d==y-x) && d>=x-y && d>=y-x

&& d!=MAX_INT;

With Full Specificationrequires true && y < x;ensures (d==x-y || d==y-x) && d>=x-y && d>=y-x

&& d!=MAX_INT && d == \old(x - y);also...

Loops

while (k<n) {if (j=7) {

j = 0;

line = new Line(line);

}

line.buf[j]=a[k];

k++; j++;

}

Loops (Unfolding)

if (k<n)

{if(j=7){..};if(j>7||k>n)..;line.buf[j]=a[k]; k++; j++;if(k<n)

{if(j=7){..}; if(j>7||k>n)..;line.buf[j]=a[k]; k++; j++;

...while(k<n){...}}

}

Contracts Program Replacements

Contracts Program Replacements

Contracts Program Replacements

Contracts Program Replacements

Contracts Program Replacements

Contracts Program Replacements

Contracts Program Replacements

Traditional Contract Rule

Pre =⇒ PreC , 〈p〉Post

PostC =⇒ Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

Traditional Contract Rule

Pre =⇒ PreC , 〈p〉Post

PostC =⇒ Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

Traditional Contract Rule

Pre =⇒ PreC , 〈p〉Post

PostC =⇒ Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

Traditional Contract Rule

Pre =⇒ PreC , 〈p〉Post

PostC =⇒ Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

Traditional Contract Rule

Pre =⇒ PreC , 〈p〉Post

PostC =⇒ Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

Traditional Contract Rule

. . .

PostC =⇒ Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC ,Pre =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

KeY’s Contract Rule

. . .

Pre, {for x ; f (x) := f sk(x)}PostC=⇒ {for x ; f (x) := f sk(x)}Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

Pre,PreC → 〈p〉PostC =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

where {forx .f (x) := f sk(x)} abbrev.{for x0,1. . . . x0,n0

.f0(x0,1, . . . , x0,n0) := f sk

0(x0,1, . . . , x0,n0

)}...{for xm,1. . . . xm,nm

.fm(xm,1, . . . , xm,nm) := f sk

m (xm,1, . . . , xm,nm)}

KeY’s Contract Rule

. . .

Pre, {for x ; f (x) := f sk(x)}PostC=⇒ {for x ; f (x) := f sk(x)}Post

〈p〉PostC ,Pre =⇒ 〈p〉Post

Pre,PreC → 〈p〉PostC =⇒ 〈p〉Post

PreC → 〈p〉PostC︸ ︷︷ ︸

Contract

=⇒ Pre → 〈p〉Post

where {forx .f (x) := f sk(x)} abbrev.{for x0,1. . . . x0,n0

.f0(x0,1, . . . , x0,n0) := f sk

0(x0,1, . . . , x0,n0

)}...{for xm,1. . . . xm,nm

.fm(xm,1, . . . , xm,nm) := f sk

m (xm,1, . . . , xm,nm)}

Explicit Structural Coverage

Pre, {for x ; f (x) := f sk(x)}PostC=⇒ {for x ; f (x) := f sk(x)}Post

Explicit Structural Coverage

Pre, {for x ; f (x) := f sk(x)}PostC=⇒ {for x ; f (x) := f sk(x)}Post

Explicit Structural Coverage

Pre, {for x ; f (x) := f sk(x)}PostC=⇒ {for x ; f (x) := f sk(x)}Post

Loops (Invariants)

while (k<n) {if (j=7) {

j = 0;

line = new Line(line);

}

line.buf[j]=a[k];

k++; j++;

}

Invariant:0 ≤ k ≤ n ∧ 0 ≤ j ≤ n ∧ j ≤ 7

Loops (Invariants)

while (k<n) {if (j=7) {

j = 0;

line = new Line(line);

}

line.buf[j]=a[k];

k++; j++;

}

Invariant:0 ≤ k ≤ n ∧ 0 ≤ j ≤ n ∧ j ≤ 7

Requirement Specification from a ReferenceImplementation

Requirement Specification from a ReferenceImplementation

Conclusion

Enrich existing Requirement Specification with ProgramStructure

Use Black-box Testing tool for White-box testing

Tools that use Symbolic Execution can be extended

An Importer and Exporter for a Specification language has tobe implemented

Conclusion

Enrich existing Requirement Specification with ProgramStructure

Use Black-box Testing tool for White-box testing

Tools that use Symbolic Execution can be extended

An Importer and Exporter for a Specification language has tobe implemented

Conclusion

Enrich existing Requirement Specification with ProgramStructure

Use Black-box Testing tool for White-box testing

Tools that use Symbolic Execution can be extended

An Importer and Exporter for a Specification language has tobe implemented

Conclusion

Enrich existing Requirement Specification with ProgramStructure

Use Black-box Testing tool for White-box testing

Tools that use Symbolic Execution can be extended

An Importer and Exporter for a Specification language has tobe implemented

Conclusion

Enrich existing Requirement Specification with ProgramStructure

Use Black-box Testing tool for White-box testing

Tools that use Symbolic Execution can be extended

An Importer and Exporter for a Specification language has tobe implemented

White-box Testing by Combining Deduction-basedSpecification Extraction and Black-box Testing

top related

combining deduction and abduction: toward an … ·...
Documents
allowable deduction
Education
iowa capital gain deduction - washburn university school...
Documents
deduction and induction elementary deduction, my dear...
Documents
e deduction server
Technology
induction ~ deduction
Documents
modals of deduction
Education
deduction of i.t
Documents
inference and deduction
Documents
manage customer deduction
Documents
combining workflow management and process …...combining...
Documents
tax deduction
Documents
combining deduction and abduction: toward an...
Documents
natural deduction
Documents
logical deduction type4
Documents
instructions for wage deduction a. beginning a wage...
Documents
the characteristics of an experimental hypothesis the...
Documents
1 deduction
Documents
logical deduction
Documents
induction and deduction
Documents