Testing, Debugging, Program Verification

Similar documents
Software Engineering

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

Unit-testing with JML

Testing, Debugging, and Verification

Tool-Assisted Unit-Test Generation and Selection Based on Operational Abstractions

InvGen: An Efficient Invariant Generator

Specification and Analysis of Contracts Lecture 1 Introduction

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Software Engineering Techniques

Unified Static and Runtime Verification of Object-Oriented Software

Introduction to Computers and Programming. Testing

Code Contracts User Manual

Software Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.

Introducing Formal Methods. Software Engineering and Formal Methods

Programming by Contract. Programming by Contract: Motivation. Programming by Contract: Preconditions and Postconditions

Rigorous Software Development CSCI-GA

Formal Engineering for Industrial Software Development

Software Testing. Quality & Testing. Software Testing

Testing of the data access layer and the database itself

The Best Software Testing Arie Van Deursen TU Delft, 2011

High Integrity Software Conference, Albuquerque, New Mexico, October 1997.

Outline. 1 Denitions. 2 Principles. 4 Implementation and Evaluation. 5 Debugging. 6 References

Statically Checking API Protocol Conformance with Mined Multi-Object Specifications Companion Report

Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification

Designing with Exceptions. CSE219, Computer Science III Stony Brook University

Design by Contract beyond class modelling

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

Static Program Transformations for Efficient Software Model Checking

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Outline. Computer Science 331. Stack ADT. Definition of a Stack ADT. Stacks. Parenthesis Matching. Mike Jacobson

Data Flow Static Code Analysis Best Practices

Software testing. Objectives

Know or Go Practical Quest for Reliable Software

Open-source Versus Commercial Software: A Quantitative Comparison

CS510 Software Engineering

Automated Detection of Non-Termination and NullPointerExceptions for Java Bytecode

Designing and Writing a Program DESIGNING, CODING, AND DOCUMENTING. The Design-Code-Debug Cycle. Divide and Conquer! Documentation is Code

Logistics. Software Testing. Logistics. Logistics. Plan for this week. Before we begin. Project. Final exam. Questions?

Automatic Verification of Data-Centric Business Processes

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Logic in general. Inference rules and theorem proving

Writing Self-testing Java Classes with SelfTest

Global Constraints in Software Testing Applications

Rigorous Software Development CSCI-GA

Automatic Test Data Synthesis using UML Sequence Diagrams

Cassandra. References:

Model Checking: An Introduction

VDM vs. Programming Language Extensions or their Integration

introduction to program monitoring

Algorithmic Software Verification

Standard for Software Component Testing

Programming Language Rankings. Lecture 15: Type Inference, polymorphism & Type Classes. Top Combined. Tiobe Index. CSC 131! Fall, 2014!

Computer Programming I

Computing Concepts with Java Essentials

T Safety Critical Systems Case Study 2: B Method - Basic Concepts

Object-Oriented Design Lecture 4 CSU 370 Fall 2007 (Pucella) Tuesday, Sep 18, 2007

Lecture Notes on Linear Search

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

Software Testing. Jeffrey Carver University of Alabama. April 7, 2016

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

DEFINING CONTRACTS WITH DIFFERENT TOOLS IN SOFTWARE DEVELOPMENT

2. The Language of First-order Logic

Runtime monitoring of Java programs by Abstract State Machines

Fail early, fail often, succeed sooner!

Environment Modeling for Automated Testing of Cloud Applications

Introduction to Static Analysis for Assurance

Java SE 8 Programming

National University of Ireland, Maynooth MAYNOOTH, CO. KILDARE, IRELAND. Testing Guidelines for Student Projects

CS 2112 Spring Instructions. Assignment 3 Data Structures and Web Filtering. 0.1 Grading. 0.2 Partners. 0.3 Restrictions

Approach of Unit testing with the help of JUnit

Unit Testing & JUnit

Unit Testing. and. JUnit

Software Verification and Testing. Lecture Notes: Temporal Logics

Relational Databases

Fully Abstract Operation Contracts

Software safety - DEF-STAN 00-55

Unit Testing with Monkeys Karl-Mikael Björklid University of Jyväskylä Department of Mathematical Information Technology

Chapter II. Controlling Cars on a Bridge

Scalable Automated Symbolic Analysis of Administrative Role-Based Access Control Policies by SMT solving

CHAPTER 7 GENERAL PROOF SYSTEMS

Software Development Phases

COMPUTER SCIENCE. Paper 1 (THEORY)

Examples of Design by Contract in Java

Software Testing Modeling Tools

Mathematical Reasoning in Software Engineering Education. Peter B. Henderson Butler University

CSE 308. Coding Conventions. Reference

CS 451 Software Engineering Winter 2009

Appendix... B. The Object Constraint

CPSC 330 Software Engineering

Introduction to Programming System Design. CSCI 455x (4 Units)

Plan-Space Search. Searching for a Solution Plan in a Graph of Partial Plans

Getting Started with the Internet Communications Engine

Coverability for Parallel Programs

Chapter 15 Functional Programming Languages

Department of Computing Science and Mathematics University of Stirling

Aspects for Testing Aspects?

Temporal Logics. Computation Tree Logic

PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE

Software Engineering. How does software fail? Terminology CS / COE 1530

1. Properties of Transactions

Transcription:

Testing, Debugging, Program Verification Automated Test Case Generation, Part I Wolfgang Ahrendt & Vladimir Klebanov & Moa Johansson 10 December 2012 TDV: ATCG I /GU 2012-12-10 1 / 1

Introduction With JML we can formally specify program behavior. How to make (further) use of it? Automated Test Case Generation (ATCG) Tool support for creating test cases Ensuring test case coverage methodically and reliably View JML-annotated code as formal description of all anticipated runs General ATCG Approach 1. Specialize contract/code to representative selection of concrete runs 2. Turn these program runs into executable test cases TDV: ATCG I /GU 2012-12-10 2 / 1

Ideas Behind Automated Test Generation Ideas common to systematic (automated) test generation Formal analysis of specification and/or code yields enough information to produce test cases Systematic algorithms give certain coverage guarantees Post conditions can be turned readily into test oracles Mechanic reasoning technologies achieve automation: constraint solving logic-based deduction symbolic execution model finding TDV: ATCG I /GU 2012-12-10 3 / 1

Automated Test Generation Framework: Unit Tests Most ATCG methods focus on Unit Testing (and so do we): Test a single method or function, the implementation under test (IUT) Create test cases for most popular Java unit test framework: Junit Components of Test Cases in Unit Testing 1. Setup test data: test fixture/preamble creates program state from which IUT is started 2. Invoke IUT 3. Inspect result: test oracle issues verdict whether test succeeded: PASS or FAIL TDV: ATCG I /GU 2012-12-10 4 / 1

Reminder: Black box vs White Box Testing Black box testing Implementation is unknown, test data generated from spec, randomly, etc. White box (aka glass box) testing Implementation is analyzed to generate test data for it. Specific Pros and Cons Black box testing does not require source code Black box testing can be irrelevant/insufficient for IUT White box testing can use full information from code White box testing does require source or byte code TDV: ATCG I /GU 2012-12-10 5 / 1

Program States and JML Expressions Reminder A given program state s makes a boolean JML expression true or false (assuming \old is not used) Example Assume that int[] ar has value {1,2} in state s Then ar.length == 2 && search(ar, 1)== 0 is true in state s (search is binary search, has signature int search(int[] ar, int elem)) TDV: ATCG I /GU 2012-12-10 6 / 1

Program States and Test Cases Basic Assumption: A desired program state can be constructed by suitable fixture/preamble Example Assume that int[] ar has value {1,2} in s This state can be constructed by the following fixture: int [] ar = {1,2}; Further Assumption: Initialization code (fixture) can be computed automatically from s (not trivial: might need to add constructors, getter/setter methods, etc.) TDV: ATCG I /GU 2012-12-10 7 / 1

Automated Test Generation Methods Methods derived from black box testing The implementation is unknown, test data generated from spec, randomly, etc. Generate test cases from analysing formal specification or formal model of IUT Methods derived from white box testing The implementation is analyzed to generate test data for it Code-based test generation that uses symbolic execution of IUT (next lecture) TDV: ATCG I /GU 2012-12-10 8 / 1

Specification-/Model-Based Test Generation Generate test cases from analysing formal specification or formal model of IUT Black box technology with according pros and cons Many tools, commercial as well as academic: JMLUnit, JMLUnitNG, BZ-TT, JML-TT, UniTesK, JTest, TestEra, Cow Suite, UTJML,... Various specification languages: B, Z, Statecharts, JML,... Detailed formal specification/system model required (here: JML) TDV: ATCG I /GU 2012-12-10 9 / 1

Specification-Based Test Generation Cont d We use design-by-contract and JML as formal specification methodology: View JML method contract as formal description of all anticipated runs Specification-Based Test Generation Approach Look at one method and its JML contract at a time (unit testing) 1. Specialize JML contract to representative selection of concrete runs concentrate on precondition (requires clause) assumption: precondition of contract specifies all anticipated input analysis of implicit and explicit logical disjunctions in precondition choose representative value for each atomic disjunct 2. Turn these representative program runs into executable test cases 3. Synthesize test oracle from postcondition of contract TDV: ATCG I /GU 2012-12-10 10 / 1

Contracts and Test Cases /*@ public normal_behavior @ requires Pre; @ ensures Post; @*/ public void m() {... }; All prerequisites for intended behavior contained in requires clause Unless doing robustness testing, consider behavior violating preconditions irrelevant Test Generation Principle 1 (Relevance) State at start of IUT execution must make required precondition true TDV: ATCG I /GU 2012-12-10 11 / 1

Multi-Part Contracts and Test Cases /*@ public normal_behavior @ requires Pre 1 ; @ ensures Post 1 ; @ also @... @ also @ public normal_behavior @ requires Pre n ; @ ensures Post n ; @*/ public void m() {... }; Test Generation Principle 2 (Contract Coverage) There must be at least one test case for each operation contract TDV: ATCG I /GU 2012-12-10 12 / 1

Example public class Traffic { private /*@ spec_public @*/ boolean red, green, yellow; private /*@ spec_public @*/ boolean drive, brake, halt; /*@ public normal_behavior @ requires red yellow green; @ ensures \old(red) ==> halt && @ \old(yellow) ==> brake; } @*/ public boolean setaction() { // implementation } Which test cases should be generated? TDV: ATCG I /GU 2012-12-10 13 / 1

Data-Driven Test Case Generation Generate a test case for each possible value of each input variable Combinatorial explosion (already 2 6 cases for our simple example) Infinitely many test cases for unbounded data structures Some resulting test cases unrelated to specification or IUT Only feasible in connection with selection and bounding principles Restriction to test cases that satisfy precondition (Principle 1)? Insufficient (still too many), but gives the right clue! TDV: ATCG I /GU 2012-12-10 14 / 1

Disjunctive Partitioning /*@ public normal_behavior @ requires red yellow green; @ ensures \old(red) ==> halt && @ \old(yellow) ==> brake; @*/ Disjunctive analysis of precondition suggests minimum of three test cases that relate to precondition TDV: ATCG I /GU 2012-12-10 15 / 1

Disjunctive Normal Form Definition (Disjunctive Normal Form (DNF)) A requires clause of a JML contract is in Disjunctive Normal Form (DNF) when it has the form C 1 C 2 C n where each C i does not contain an explicit or implicit disjunction. Test Generation Principle 3 (Disjunctive Coverage) For each disjunct D of precondition in DNF create a test case whose initial state makes D true and as many other disjuncts as possible false Example @ requires red yellow green; Gives rise to three test cases red=true; yellow=green=false;, etc. TDV: ATCG I /GU 2012-12-10 16 / 1

Disjunctive Normal Form Definition (Disjunctive Normal Form (DNF)) A requires clause of a JML contract is in Disjunctive Normal Form (DNF) when it has the form C 1 C 2 C n where each C i does not contain an explicit or implicit disjunction. Test Generation Principle 3 (Disjunctive Coverage) For each disjunct D of precondition in DNF create a test case whose initial state makes D true and as many other disjuncts as possible false Importance of Establishing DNF Syntactically Implicit logical disjunctions must be made explicit by computing DNF: Replace A ==> B with!a B, etc. TDV: ATCG I /GU 2012-12-10 16 / 1

Test Coverage Criteria Example requires red yellow green; is true even for red=yellow=green=true; Possible to generate a test case for each state making precondition true How many different test cases to generate? Logic Expression Coverage Criteria Create test cases that make parts of precondition true At least one test per spec case (Decision Coverage) One for each disjunct (Clause Coverage) what we go for All disjunct combinations (Multiple Condition Coverage) Criteria based on making predicates true/false, etc. TDV: ATCG I /GU 2012-12-10 17 / 1

Consistent Test Cases Example (Class invariant specified in JML) public class Traffic { /*@ public invariant (red ==>!green &&!yellow) && @ (yellow ==>!green &&!red) && @ (green ==>!yellow &&!red); @*/ private /*@ spec_public @*/ boolean red, green, yellow; /*@ public normal_behavior @ requires red yellow green; @... The program state red=yellow=green=true; violates the class invariant Test Generation Principle 4 (Consistency with Invariant) Generate test cases from states that do not violate the class invariant TDV: ATCG I /GU 2012-12-10 18 / 1

Dealing with Existential Quantification Example (Square root) /*@ public normal_behavior @ requires n>=0 && (\exists int r; r >= 0 && r*r == n); @ ensures... @*/ public static final int sqrt(int n) {... } Where is the disjunction in the precondition? Existential quantifier as disjunction Existentially quantified expression (\exists int r; P(r)) Rewrite as: P(MIN_VALUE)... P(0)... P(MAX_VALUE) Get rid of those P(i) that are false: P(0)... P(46340) Stil too many cases... TDV: ATCG I /GU 2012-12-10 19 / 1

Equivalence Classes on Large Input Domains Partition large/infinite domains in finitely many equivalence classes MIN VALUE negative values 0 positive values MAX VALUE 2 31 17 0 42 2 31 1... and create test case for only one representative of each Partitioning is a heuristic method Partitioning tries to achieve that the same computation path is taken for all input values within a potential equivalence class. Then, one value from each class is sufficient to check for defects. As we don t know the IUT, correct partitioning is in general unattainable Judicious selection and good heuristics can make it work in practice TDV: ATCG I /GU 2012-12-10 20 / 1

Go for Boundary Values Example (Square) /*@ public normal_behavior @ requires n>=0 && n*n >= 0; @ ensures \result >=0 && \result == n*n; @*/ public static final int square(int n) {... } Test Generation Principle 5 (Boundary Values) Include boundary values of ordered domains as class representatives Which are suitable boundary values for n in this example? But... domains may be non-continuous or non-ordered boundary values often expensive to compute TDV: ATCG I /GU 2012-12-10 21 / 1

Implicit Disjunctions, Part I Example (Binary search, target not found) /*@ public normal_behavior @ requires (\forall int i; 0 < i && i < array.length @ ==> array[i-1] <= array[i]); @ (\forall int i; 0 <= i && i < array.length @ ==> array[i]!= target); @ ensures \result == -1; @*/ int search( int array[], int target ) {... } No disjunction in precondition!? We can freely choose array, length, and target in precondition! TDV: ATCG I /GU 2012-12-10 22 / 1

Data Generation Principles Test Generation Principle 6 (Unbound Locations) Values of locations without explicit quantification can be freely chosen (Amounts to implicit existential quantification over possible values) How choose representatives from types of unbound locations? There are infinitely many different arrays... Before defining equivalence classes, need to enumerate all values TDV: ATCG I /GU 2012-12-10 23 / 1

Data Generation Principles Test Generation Principle 6 (Unbound Locations) Values of locations without explicit quantification can be freely chosen (Amounts to implicit existential quantification over possible values) Systematic enumeration of values by data generation principle Assume declaration: int[] ar;, then the array ar is 1. either the null array: int[] ar = null; 2. or the empty array of type int: int[] ar = new int[0]; 3. or an int array with one element 3.a int[] ar = { MIN VALUE }; 3.b... 3.ω int[] ar = { MAX VALUE }; 4. or an int array with two elements... n. or an int array with n 2 elements... TDV: ATCG I /GU 2012-12-10 23 / 1

Combining the Test Generation Principles Example (Binary search, target found) requires (\exists int i; 0 <= i && i < array.length && array[i] == target) && (\forall int i; 0 < i && i < array.length ==> array[i-1] <= array[i]); Apply test generation principles 1. Use data generation for unbound int array 2. Choose equivalence classes and representatives for: array type: int[] empty array, singleton, two elements usually, need to stop here... target: int (include boundaries) 3. Generate test cases that make precondition true TDV: ATCG I /GU 2012-12-10 24 / 1

Combining the Test Generation Principles Example (Binary search, target found) requires (\exists int i; 0 <= i && i < array.length && array[i] == target) && (\forall int i; 0 < i && i < array.length ==> array[i-1] <= array[i]); empty array: precondition cannot be made true, no test case singleton array, target must be the only array element array = { 0 }; target = 0; array = { 1 }; target = 1; two-element sorted array, target occurs in array array = { 0,0 }; target = 0; array = { 0,1 }; target = 0; array = { 1,1 }; target = 1; TDV: ATCG I /GU 2012-12-10 24 / 1

Implicit Disjunctions, Part II Example (List Copy) /*@ public normal_behavior @ requires true; // src, dst non-nullable by default @ ensures... @*/ static void java.util.collections.copy(list src, List dst) Aliasing and Exceptions In Java object references src, dst can be aliased, ie, src==dst Aliasing usually unintended exclusion often forgotten in contract Preconditions can be (unintentionally) too weak Exception thrown when src.length > dst.length TDV: ATCG I /GU 2012-12-10 25 / 1

Implicit Disjunctions, Part II Example (List Copy) /*@ public normal_behavior @ requires true; // src, dst non-nullable by default @ ensures... @*/ static void java.util.collections.copy(list src, List dst) Test Generation Principle 7 (Aliasing, Exceptions) Generate test cases that enforce/prevent aliasing and throwing exceptions (when not excluded by contract) TDV: ATCG I /GU 2012-12-10 25 / 1

The Postcondition as Test Oracle Oracle Problem in Automated Testing How to determine automatically whether a test run succeeded? The ensures clause of a JML contract provides verdict on success provided that requires clause is true for given test case Test Generation Principle 1 (Relevance) State at start of IUT execution must make required precondition true Test Generation Principle 8 (Oracle Synthesis) Use ensures clauses of contracts (and class invariant) as test oracles TDV: ATCG I /GU 2012-12-10 26 / 1

Executable JML Expressions How to determine whether a JML expression is true in a program state? It is expensive to check whether a JML expression is true in a state Corresponds to first-order model checking, because JML FOL PSPACE-complete problem, efficient solutions exist only for special cases Identify a syntactic fragment of JML that can be mapped into Java TDV: ATCG I /GU 2012-12-10 27 / 1

Executable JML Expressions How to determine whether a JML expression is true in a program state? Example \exists int i; 0 <= i && i < ar.length && ar[i] == target is of the form \exists int i; guard(i) && test(i) guard() is Java guard expression with fixed upper/lower bound test() is executable Java expression Guarded existential JML quantifiers as Java (Example) for ( int i = 0; 0 <= i && i < ar. length ; i ++) { i f (ar[i ]== target ) { return true ; } } return f a l s e ; TDV: ATCG I /GU 2012-12-10 27 / 1

Executable JML Expressions How to determine whether a JML expression is true in a program state? Example \exists int i; 0 <= i && i < ar.length && ar[i] == target is of the form \exists int i; guard(i) && test(i) guard() is Java guard expression with fixed upper/lower bound test() is executable Java expression Guarded existential JML quantifiers as Java (General) for ( int i = lowerbound; guard(i); i ++) { i f (test(i)) { return true ; } } return f a l s e ; TDV: ATCG I /GU 2012-12-10 27 / 1

Executable JML Expressions How to determine whether a JML expression is true in a program state? Example \exists int i; 0 <= i && i < ar.length && ar[i] == target is of the form \exists int i; guard(i) && test(i) guard() is Java guard expression with fixed upper/lower bound test() is executable Java expression Guarded JML quantifiers as Java Universal quantifiers treated similarly (exercise) Alternative JML syntax for quantifiers ok as well: \exists int i; guard(i) ; test(i) TDV: ATCG I /GU 2012-12-10 27 / 1

Summary Black box vs White box testing Black box testing Specification/Model-based Test Generation Systematic test case generation from JML contracts guided by a few Test Generation Principles Only generate test cases that make precondition true Each operation contract and each disjunction in precondition gives rise to a separate test case Coverage criteria, clause coverage Large/infinite datatypes represented by class representatives Values of free variables supplied by Data Generation Principle Create separate test cases for potential aliases and exceptions Postconditions of contract and class invariants provide test oracle Turn pre- and postconditions into executable Java code TDV: ATCG I /GU 2012-12-10 28 / 1

What Next? Remaining Problems of ATCG 1. How to automate specification-based test generation? 2. Generated test cases bear no relation to implementation TDV: ATCG I /GU 2012-12-10 29 / 1

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information