inf4290-wbt
TRANSCRIPT
-
8/12/2019 INF4290-WBT
1/64
!Lionel Briand 20101
Software Verification and Validation
Prof. Lionel Briand
Ph.D., IEEE Fellow
-
8/12/2019 INF4290-WBT
2/64
!Lionel Briand 20102
White-Box Testing
-
8/12/2019 INF4290-WBT
3/64
!Lionel Briand 20103
Specification
System
Implementation
Missing functionality:Cannot be revealed by white-box techniques
Unexpected functionality:Cannot be revealed by black-box techniques
-
8/12/2019 INF4290-WBT
4/64
!Lionel Briand 20104
Develop an initialTest suite using BB
techniques
Apply BB coveragecriteria to enhance it
Enhance the Test suiteusing WB techniques
Apply WB coveragecriteria to enhance it
Analyze the parts ofthe code uncoveredby BB test suite
-
8/12/2019 INF4290-WBT
5/64
!Lionel Briand 20105
Greatest common divisor (GCD) program
read(x);
read(y);
while x "y loop
if x>y then
x := x y;
else
y := y x;
end if;
end loop;
gcd := x;
x y
x = y
x "y
-
8/12/2019 INF4290-WBT
6/64
!Lionel Briand 20106
Directed graph Nodes are blocks of sequential statements Edges are transfers of control Edges may be labeled with predicate
representing the condition of controltransfer There are several conventions for flow
graph models with subtle differences(e.g., hierarchical CFGs, concurrent CFGs)
x y
x = y
x "y
-
8/12/2019 INF4290-WBT
7/64
!Lionel Briand 20107
If-Then-Else While loop Switch
-
8/12/2019 INF4290-WBT
8/64
!Lionel Briand 20108
[year < 1][month in (1,3,5,7,10,12)]
n=31
throw2 n=28return
throw1
n=29
n=30[month in (4,6,9,11)][month == 2] [leap(year)]
-
8/12/2019 INF4290-WBT
9/64
!Lionel Briand 20109
Control flow Coverage
Depending on the (adequacy) criteria to cover(traverse)CFGs, we can have different types of control flowcoverage:
Statement/Node Coverage Edge Coverage Condition Coverage Path Coverage
Discussed in detail next x yx = y
x "y
-
8/12/2019 INF4290-WBT
10/64
!Lionel Briand 201010
Statement/Node Coverage
Hypothesis: Faults cannot be discovered ifthe statements containing them are notexecuted
Statement coverage criteria: Equivalent tocovering all nodes in CFG
Executing a statement is a weak guaranteeof correctness, but easy to achieve
In general, several inputs execute thesame statements
An important question in practice is: howcan we minimize (the number of) testcases so we can achieve a given statementcoverage ratio?
x y
x = y
x "y
-
8/12/2019 INF4290-WBT
11/64
!Lionel Briand 201011
Incompleteness of Statement/NodeCoverage
Though often used, statement coverage is a weakguarantee of fault detection
An example:if x < 0 then
x := -x;
end if
z := x;
A negative x would result in the coverageof all statements.
But not exercising x >= 0 is an importantcase.
Doing nothing for the case x >= 0 may turn
out to be wrong and need to be tested.
-
8/12/2019 INF4290-WBT
12/64
!Lionel Briand 201012
Based on the program structure, thecontrol flow graph (CFG)
Edge coverage criterion: Select a testset Tsuch that, by executing P for eachtest case tin T, each edge of Ps controlflow graph is traversed at least once
We need to exercise all conditions thattraverse the control flow of theprogram with true and false values
x yx = y
x "y
-
8/12/2019 INF4290-WBT
13/64
!Lionel Briand 201013
Example: Searching for an element in a tableDerivation of the test set in the next slide
counter:= 0;found := false;
if number_of_items "0 thencounter :=1;
while (not found) and counter
-
8/12/2019 INF4290-WBT
14/64
!Lionel Briand 201014
Examples Control Flow Graph
while
if
found := true
init
counter++
if
if
elsethen
-
8/12/2019 INF4290-WBT
15/64
!Lionel Briand 201015
We choose a test set with two test cases:1. One table with 0 items and,2. A table with 3 items, the second element being the desired one
For the second test case, the while loop body is executed twice,once executing the if-then branch.
The edge coverage criterion is fulfilled and the error is NOTdiscovered by the test set...
while (not found) and counter
-
8/12/2019 INF4290-WBT
16/64
!Lionel Briand 201016
We need to further strengthen the edge coverage criterion Condition Coverage (CC) Criterion: Select a test set T such
that, by executing Pfor each element in T, each edge of Pscontrol flow graph is traversed, and all possible values of the
constituents of compound conditions(defined below) areexercised at least once Compound conditions: C1and C2or C3 where Cis are
relational expressions or Boolean variables (atomic conditions) Another version: Modified Condition-Decision Coverage (MC
/DC) Criterion: Only combinations of values such that every Ci
drives the overall condition truth value twice (true and false). Examples next
-
8/12/2019 INF4290-WBT
17/64
!Lionel Briand 201017
Two equivalent programs: though you would write the leftone
Edge coverage would not compulsorily cover the hidden edges in the right one Example: C2 = falsemight not be covered
Condition coverage would cover C2 = false
if c1 and c2 thenst;
else
sf;end if;
if c1 thenif c2 thenst;
elsesf;end if;
elsesf;
end if;
-
8/12/2019 INF4290-WBT
18/64
!Lionel Briand 201018
Use in industry: The international standard DO-178B forAirborne Systems Certification (since 1992) requirestesting the airborne software systems with MC/DCcoverage.
Example : A$(B%C), e.g., in a while loop, Deriving a modified condition /decisioncriterion (MC/DC) Test suite:Take a pair for each constituent:
A: (1,5), or (2,6), or (3,7) B: (2,4) C: (3,4)
Two minimal sets to cover the MCC: (2,3,4,6) or (2,3,4,7)
That is 4 test cases instead of 8 forall possible combinations.
ABC Results Corresponding negateCase
1 TTT T A (5)
2 TTF T A (6), B (4)
3 TFT T A (7), C (4)
4 TFF F B (2), C (3)
5 FTT F A (1)
6 FTF F A (2)
7 FFT F A (3)
8 FFF F -
-
8/12/2019 INF4290-WBT
19/64
!Lionel Briand 201019
A Real Example: MC/DC coverage in MilitarySoftware
Consider the controller SW of a modern tank with three guns
(x, y, z) is the 3D coordinate of a hit target (e.g., from the GPS unit) The SW has the following requirements:
R1.1: Invoke method Fire1(firing with gun #1) when (x y)AND (previous direction of the gun=East).
R1.2: Invoke Fire2when (x
-
8/12/2019 INF4290-WBT
20/64
!Lionel Briand 201020
MC/DC coverage: Example (contd.)
-
8/12/2019 INF4290-WBT
21/64
!Lionel Briand 201021
MC/DC coverage: Example (contd.)
Verify that the following test suite of four tests, executed inthe given order, is adequate with respect to statement, anddecision (edge) coverage criteria but not with respect to thecondition coverage criterion.
Draw a CFG for this program and verify that all statements arecovered.
We assess the decision (edge) and condition coverage here
-
8/12/2019 INF4290-WBT
22/64
!Lionel Briand 201022
Path Coverage Criterion: Select a test setT such that, by executing Pfor each testcase tin T, all paths leading from theinitial to the final node of Ps control flowgraph are traversed
In practice, however, the number of pathsis too large, if not infinite (e.g., when wehave loops)
Some paths are infeasible (e.g., notpractical given the systems business logic)
It may be important to determine criticalpaths, leading to more system load,security intrusions, etc.
x yx = y
x "y
-
8/12/2019 INF4290-WBT
23/64
!Lionel Briand 201023
Path Coverage - Example
if x "0 then
y := 5;
else
z := z x;
end if;
if z > 1 then
z := z / x;
else
z := 0;end if;
Let us compare how the followingtwo test sets cover this CFG:
T1 (test set) =
{TC11:,
TC12:}
T2 =
{TC21:,
TC22:}
See next
-
8/12/2019 INF4290-WBT
24/64
!Lionel Briand 201024
Path Coverage ExampleT1s coverage
if x "0 then
y := 5;
else
z := z x;
end if;
if z > 1 then
z := z / x;
else
z := 0;
end if;
T1s coverage:
T1 (test set) ={TC11:,TC12:}
T1 executes all edgesbut!
Do you see any testing issue(uncovered paths which canbe sources of failure)?
T1 executes all edgesand all conditions butdoes not test risk ofdivision by 0. (Seethe redpath)
-
8/12/2019 INF4290-WBT
25/64
!Lionel Briand 201025
Path Coverage ExampleT2s coverage
if x "0 then
y := 5;
else
z := z x;end if;
if z > 1 then
z := z / x;
else
z := 0;
end if;
T2s coverage:
T2 ={TC21:,TC22:}
T2 would find the problem(triggering division by 0) byexercising the remaining
possible flows of controlthrough the programfragment.
-
8/12/2019 INF4290-WBT
26/64
!Lionel Briand 201026
Path Coverage - Example
T1 (test set) =
{TC11:,TC12:}
T1 executes all edges but donot show risk of division by 0
T2 = {TC21:,TC22:}
T2 would find the problem byexercising the remainingpossible flows of controlthrough the program fragment
Observation:
T1 &T2 -> all paths
covered
-
8/12/2019 INF4290-WBT
27/64
!Lionel Briand 201027
In practice, however, the number of paths can be too large, ifnot infinite(e.g., when we have loops) 'Impractical
An pragmatic heuristic: Look for conditions that executeloops Zero times A maximum number of times A average number of times (statistical criterion)
For example, in the array search algorithm Skipping the loop (the table is empty) Executing the loop once or twice and then finding the element Searching the entire table without finding the desired element
-
8/12/2019 INF4290-WBT
28/64
!Lionel Briand 201028
Path Coverage Dealing with LoopsAnother Example: Power Function
Program computing
Z=X^Y
BEGINread (X, Y) ;
W = abs(Y) ;Z = 1 ;WHILE (W 0) DO
Z = Z * X ;W = W - 1 ;ENDIF (Y < 0) THEN
Z = 1 / Z ;ENDprint (Z) ;END
1
2
3 4
5
6
read(X,Y)
W=abs(Y)Z=1
Z=Z*X
W=W-1
W!0 W=0
Y
-
8/12/2019 INF4290-WBT
29/64
!Lionel Briand 201029
Path Coverage comparison with allbranches and all statements
All paths Infeasible path
1 '2 '4 '5 '6, Why infeasible? The way Y and W relate.
Potentially large number of paths (depends on Y) As many ways to iterate2 '(3 '2)* as values of Abs(Y)
All branches Two test cases are enough
Y0 : 1 '2 '(3 '2)* '4 '6
All statements One test case is enough
Y
-
8/12/2019 INF4290-WBT
30/64
!Lionel Briand 201030
To find test inputs that will execute an arbitrarystatement Q within a program source, the tester mustwork backward from Q through the programs flow ofcontrol to an input statement
For simple programs, this amounts to solving a set ofsimultaneous inequalities in the input variables of theprogram, each inequality describing the proper paththrough one conditional
An example next
-
8/12/2019 INF4290-WBT
31/64
!Lionel Briand 201031
int z;
scanf(%d%d, &x, &y);
if (x > 3) {
z = x+y;
y+= x;
if (2*z == y) {
an example statement
/* e.g., we want this statement to be coveredby a test case */
Inequalities?. 2(x+y)=x+y
!x = -y
. x> 3
We can have manysolutions, e.g.:x = 4
y= -4
-
8/12/2019 INF4290-WBT
32/64
!Lionel Briand 201032
The presence of loops and recursion in the codemakes it very hard (and sometimes impossible)to write and solve the inequalities in general
Each pass through a loop may alter the values ofvariables that figure in a following conditionaland the number of passes cannot be determined
by static analysis in general
-
8/12/2019 INF4290-WBT
33/64
!Lionel Briand 201033
Control Flow CoverageReachability
Not all statements are usually reachable in real-world programs It is not always possible to decide automatically if a statement is
reachable and the percentage of reachable statements When one does not reach a 100% coverage, it is therefore difficult
to determine the reason Tools are needed to support this activity but it cannot be fully
automated Research focuses on search algorithms to help automate coverage Control flow testing is, in general, more applicable to testing in the
small
-
8/12/2019 INF4290-WBT
34/64
!Lionel Briand 201034
-
8/12/2019 INF4290-WBT
35/64
!Lionel Briand 201035
Definitions and uses
A program written in a procedural language, such as Cand Java, contains variables. Variables are defined by
assigning values to them and are used in expressions.
Statement x = y+ zdefines variable xand uses
variablesyandzStatement scanf (%d %d, &x, &y)definesvariablesxandy
Statementprintf (Output: %d \n, x+y)uses variablesxandy
A parameter xpassed as call-by-value to a function,is considered as a use of (or a reference to) x
A parameter xpassed as call-by-reference,can serve as a definition and use of x
-
8/12/2019 INF4290-WBT
36/64
!Lionel Briand 201036
Definitions and uses: Pointers
Consider the following sequence of statements that use pointers.
The first of the above statements defines a pointer variablezthe second defines yand uses zthe third defines xthrough the pointer variable z, andthe last defines yand uses xaccessed through the pointervariablez
Variable zis a pointer pointing to variable xandcontains the memory address of variable x.*zretrieves the value at the memory address pointedby variable z. Consequently, *z= 25 is to assign 25 tothe memory address pointed by variable z. That is, toassign 25 to variable x.
y=*z+1 is to define as the sum of 1 andthe value at the memory address pointedby variable z, i.e., the value of x
-
8/12/2019 INF4290-WBT
37/64
!Lionel Briand 201037
Definitions and uses: Arrays
Arrays are also tricky. Consider the following declarationand two statements in C:
The first statement defines variable A.The second statement defines Aand uses i, x, and y.
Alternate: second statement defines A[i]and not the entire
array A.The choice of whether to consider the entire array Aasdefined or the specific element depends upon how stringent isthe requirement for coverage analysis.
-
8/12/2019 INF4290-WBT
38/64
!Lionel Briand 201038
c-use
Uses of a variable that occurs within an expression as partof an assignment statement, in an output statement, as aparameter within a function call, and in subscriptexpressions, are classified as c-use, where the c in c-use
stands for computational.How many c-usesofxcan you find in the followingstatements?
-
8/12/2019 INF4290-WBT
39/64
!Lionel Briand 201039
p-use
The occurrence of a variable in an expression used as acondition in a branch statement such as an ifand a while, isconsidered as a p-use.The p in p-use stands forpredicate.
How many p-usesofzand xcan you find in the followingstatements?
-
8/12/2019 INF4290-WBT
40/64
!Lionel Briand 201040
p-use: possible confusion
Consider the statement:
The use of Ais clearly a p-use.
Is the use of x in the subscript, a c-use or a p-use?
-
8/12/2019 INF4290-WBT
41/64
!Lionel Briand 201041
c-uses within a basic block
While there are two definitions of pin this block, only thesecond definition will propagate to the next block. The firstdefinition of pis considered localto the block while thesecond definition is global.We are concerned with global definitions, and uses.
Consider the basic block
Note that yand zare global uses; their definitions flow into thisblock from some other block.
-
8/12/2019 INF4290-WBT
42/64
!Lionel Briand 201042
Data Flow Analysis - FACTORIALExample
1.public int factorial(int n){2. int i, result= 1;3. for (i=2; i
-
8/12/2019 INF4290-WBT
43/64
!Lionel Briand 201043
Data Flow AnalysisBasic Formal Definitions
Definition (defining) node:Node n (CFG(P)is a definingnode of the variable v (V, written as DEF(v, n), iff (ifand only if) the value of the variable vis defined in thestatement corresponding to node n
Usage (use) node:Node n (CFG(P)is a usage node of thevariable v (V, written as USE(v, n),iff the value of thevariable vis used in the statement corresponding tonode n
Predicate and Computation use:A usage node USE(v, n)isa predicate use (denoted as P-Use) iff the statement nis a predicate statement, otherwise USE(v, n)is acomputation use (denoted as C-use)
-
8/12/2019 INF4290-WBT
44/64
!Lionel Briand 201044
Data Flow Analysis - Basic DefinitionsII
PATHS(P): the set of all CFPs in program P definition-use (du)-path: A definition-use path with
respect to a variable v(denoted du-path) is a path inPATHS(P)such that, for some v (V, there aredefinition and usage nodes DEF(v, m)and USE(v, n)suchthat mand nare initial and final nodes of the path.
definition-clear (dc)-path: A definition-clear path withrespect to a variable v(denoted dc-path) is a definition-use path in PATH(P)with initial and final nodes DEF(v,m)and USE(v, n)such that no other node in the path is a
defining node of v.
Examples next
-
8/12/2019 INF4290-WBT
45/64
!Lionel Briand 201045
Simple Example
if (max>0)
max=lencopy()
Definition of len, max, save[],
including max=0 andlen=getLine()
len=getLine()
if (len>=max)
while (len>0)
end
print
definitionof max
definitionof len
p-useof len
p-useof max
c-useof len
6
5
4
2
3
1
8
7
1-2, 1-2-3, 1-2-3-4, 5-2, 5-2-3, 1-2-3-4-5-2 are du-paths wrt variable len.They are, except for 1-2-3-4-5-2, definition-clear wrt variable len.
-
8/12/2019 INF4290-WBT
46/64
!Lionel Briand 201046
Data flow graph
A data-flow graph of a program, denoted as def-usegraph, captures the flow of definitions (denotes as defs)and uses across basic blocks in a program.It is similar to a control flow graph of a program in thatthe nodes, edges, and all paths in the control flow graphare preserved in the data flow graph.Attach defs, c-use and p-use to each node in the graph.Label each edge with the condition which when true causesthe edge to be taken.We use di(x) to refer to the definition of variable xatnode i. Similarly, ui(x) refers to the use of variable xatnode i.
-
8/12/2019 INF4290-WBT
47/64
!Lionel Briand 201047
Data flow graph: Example
-
8/12/2019 INF4290-WBT
48/64
!Lionel Briand 201048
Def-clear path
Any path starting from a node atwhich variable xis defined andending at a node at which xis used,without redefining xanywhere elsealong the path, is a def-clear pathfor x.
Path 2-5 is def-clear for variable zdefined at node 2 and used at node5. Path 1-2-5 is NOT def-clear forvariable zdefined at node 1 andused at node 5.
Thus definition of z at node 2 is live atnode 5 while that at node 1 is not liveat node 5.
-
8/12/2019 INF4290-WBT
49/64
!Lionel Briand 201049
Def-use pairs
Def of a variable at line l1and its use at line l2 constitute adef-use pair. l1and l2can be the same.dcu (di (x)) or dcu(x, i) denotes the set of all nodes wherethe definition of x at node i is live and used.dpu (di (x)) or dpu(x,i) denotes the set of all edges (k, l)such that there is a def-clear path from node i to edge (k,l) and xis used at node k.
We say that a def-use pair (di(x), uj(x)) is covered when adef-clear path that includes nodes ito nodejis executed.
If uj(x) is a p-use then all edges of the kind (j, k) must alsobe taken during some executions for the def-use pair to becovered.
-
8/12/2019 INF4290-WBT
50/64
!Lionel Briand 201050
Def-use pairs (example)
-
8/12/2019 INF4290-WBT
51/64
!Lionel Briand 201051
Data Flow Analysis Data Flow Coverage Criteria (I)
all-Definitions criterion:The test set T satisfies the all-Definitionscriterionfor the program P iff for every variable v (V, T containsdefinition-clear paths from every defining node of v to a use of v.
all-Uses criterion: The test set T satisfies the all-Usescriterionforthe program P iff for every variable v (V, T contains at least onedefinition-clear path from every defining node of v to everyreachable use of v.
all-P-Uses/Some C-Uses criterion: The test set T satisfies the all-P-Uses/Some C-Uses criterionfor the program P iff for everyvariable v (V, T contains at least one definition clear path fromevery defining node of v to every predicate use of v, and if adefinition of v has no P-Uses, there is a definition-clear path to atleast one computation use.
-
8/12/2019 INF4290-WBT
52/64
!Lionel Briand 201052
Data Flow Analysis Data Flow Coverage Criteria(II)
all-C-Uses/Some P-Uses criterion: The test set T satisfies the all-C-Uses/Some P-Uses criterionfor the program P iff for everyvariable v (V, T contains at least one definition-clear path fromevery defining node of v to every computation use of v, and if adefinition of v has no C-Uses, there is a definition-clear path to at
least one predicate use. all-DU-Paths criterion: The test set T satisfies the all-DU-Pathscriterionfor the program P iff for every variable v (V, T containsall definition-clear paths from every defining node of v to everyreachable use of v, and that these paths are either single loopstraversals, or they are cycle free.
-
8/12/2019 INF4290-WBT
53/64
!Lionel Briand 201053
POWER Example
1
2
3 4
5
6
read(X,Y)W=abs(Y)Z=1
Z=Z*XW=W-1
W!0 W=0
Y
-
8/12/2019 INF4290-WBT
54/64
!Lionel Briand 201054
Data Flow Analysis (DFA) Discussion
In DFA, we generate test data according to the way datais manipulated in the program
DFA can help us define intermediary CFA criteriabetween all-nodes testing (possibly too weak) and all-paths testing (often impossible)
But we need effective tool support for DFA if we wantto use it extensively.
-
8/12/2019 INF4290-WBT
55/64
!Lionel Briand 201055
The subsumption relationshipsAll paths
All definition-use paths
All uses
All computational/some predicate uses
All computational uses
All definitions
All predicate/some computational uses
All predicate uses
Edge (Branch)
Statement(possibly too weak)
(possibly too tough. Often impossible)
-
8/12/2019 INF4290-WBT
56/64
!Lionel Briand 201056
Data Flow Analysis - Measuring CodeCoverage
One advantage of structural criteria is that theircoverage can be measured automatically
To control testing progress
To assess testing completeness in terms of remainingfaults and reliability
High coverage is not a guarantee of fault-free software,just an element of information to increase ourconfidence -> statistical models
-
8/12/2019 INF4290-WBT
57/64
!Lionel Briand 201057
Analysis of test coverage dataTest Productivity
-
8/12/2019 INF4290-WBT
58/64
!Lionel Briand 201058
Coverage %
FaultDetectionscore %
0
100
100
Criterion 1
Criterion 2
-
8/12/2019 INF4290-WBT
59/64
!Lionel Briand 201059
Hutchins, Foster, Goradia, Ostrand, Experiments on the Effectiveness ofDataflow- and Control flow-Based Test Adequacy Criteria, proceedings ofthe International Conference on Software Engineering, 1994
The All-Edges and All-DU coverage criteria were applied to 130 faultyversions of 7 C programs (141-512 LOC) by seeding realistic faults The 130 faults were created by 10 different people, mostly withoutknowledge of each others work; their goal was to be as realistic as possible.
The test generation procedure was designed to produce a wide range bothof test size and test coverage percentages, i.e., at least 30 test sets foreach 2% coverage interval for each program
They examined the relationship between fault detection and test setcoverage / size
-
8/12/2019 INF4290-WBT
60/64
!Lionel Briand 201060
-
8/12/2019 INF4290-WBT
61/64
!Lionel Briand 201061
Analysis of test coverage dataResults of Hutchins et al.s work
Both coverage criteria performed better than randomtest selection especially DU-coverage
Significant improvements occurred as coverage increasedfrom 90% to 100%
100% coverage alone is not a reliable indicator of theeffectiveness of a test set especially edge coverage
Wide variation in test effectiveness for a given coveragecriteria
As expected, on average, achieving all-DU coveragerequired significantly larger test sets with all-Edgecoverage
-
8/12/2019 INF4290-WBT
62/64
!Lionel Briand 201062
A short Background on Eclipse, andJUnit
Eclipse is a very popular Integrated DevelopmentEnvironment (IDE) written primarily in and intended forJava.
But it is now used for developing in many other languagestoo, phpUnit, NUnit, .
If you go to the SW industry, you are most probablygoing to see/use it!
JUnit is a unit testing framework for Java. It is extremely popular in the SW industry. Check the web:
en.wikipedia.org/wiki/List_of_unit_testing_frameworks www.junit.org en.wikipedia.org/wiki/JUnit
-
8/12/2019 INF4290-WBT
63/64
!Lionel Briand 201063
A short Background on CodeCover
CodeCover is an open-source code coverage tool for Javaunder Eclipse.
It can be used inside Eclipse. http://www.codecover.org There are many other code coverage tool out there, but
this is one of the lightest and powerful ones.
See the list @ http://java-source.net/open-source/code-coverage
-
8/12/2019 INF4290-WBT
64/64
64
Demo of Eclipse and JUnit
T={t1: , t2: } T = {sumTestCase, productTestCase}