Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aug./Sept. 2008 Algebriac Testing 1 Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments Hong Zhu.

Similar presentations

Presentation on theme: "Aug./Sept. 2008 Algebriac Testing 1 Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments Hong Zhu."— Presentation transcript:

1 Aug./Sept Algebriac Testing 1 Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments Hong Zhu Dept. of Computing and Electronics, Oxford Brookes University, Oxford, OX33 1HX, UK

2 Aug./Sept Algebriac Testing Outline Background Motivation Related works Overview of the approach Specification language CASOCC Testing tool CASCAT Empirical evaluation Conclusion and future work

3 Aug./Sept Algebriac Testing Challenges in testing components Components often have no user interface Developers spend as much time in writing test harness excessive overhead, inadequacy of testing, low effectiveness Components are usually delivered as executable code without the source code and design information White-box testing, model-driven testing methods not applicable contains no instrumentation Internal behaviour observation and test adequacy measurement are virtually impossible Existing approaches to the problems Self-testing, e.g. (Beydeda, 2006): yet to be adopted by the industry Specification-based testing: design-by-contract, FSM, etc.

4 Aug./Sept Algebriac Testing Algebraic specification A signature: a set of sorts and a set of operators on the sorts A set of axioms: in the form of conditional equations Spec NAT Sorts: nat; Operators: zero: -> nat; succ: nat -> nat; Axioms: zero succ(x); succ(x) = succ(y) => x=y; End NAT Algebraic specification (AS) emerged in the 1970s. In the past three decades, it has developed into a mature formal method.

5 Aug./Sept Algebriac Testing Basic idea of algebraic testing S: stack, n: integer, S.push(n).height() = S.height()+1 By substituting constants into variables, we can generate test cases A ground term corresponds to a sequence of procedure/ method/ operation calls Checking the equivalence between the values of the left and right hand sides is to check the correctness of test results

6 Aug./Sept Algebriac Testing Related works Work /System Entities tested Test case generation Result checking DAISTS Gonnon et al ADT Manually scripted ground terms substituted into axioms Manual program LOFT Gaudel et al ADT All ground terms up to certain complexity substituted to axioms; random values assigned to variables of predefined sorts. Observation contexts ASTOOT / LOBAS Doong & Frankl,1994 Class Rewriting ground terms into their normal forms using the axioms Manual program Daistish Hughes & Stotts 1996 Class Manually scripted ground terms substituted into axioms Manual program TACCLE Chen et al. 1998, 2001 Class, Cluster Ground normal forms substituted in axioms + path coverage Observation context

7 Aug./Sept Algebriac Testing Overview of the proposed approach Sorts to represent all types of software entities: ADT, Class, Component Test case generation: Composition of observation contexts and axioms with ground normal forms substituted into non- primitive variables and random values for primitive variables Test oracle: Direct checking since test cases are checkable

8 Aug./Sept Algebriac Testing CASOCC specification language Spec Stack observable F; import Int, String; operations creator create: String->Stack; constructor push: Stack,Int ->Stack; transformer pop: Stack->Stack; observer getId: Stack->String; top: Stack->Int; height: Stack->Int; vars S: Stack; n: Int; x: String; axioms 1: create(x).getId() = x; 2: findByPrimaryKey(x).getId() = x; 3: create(x).height() = 0; 4: S.push(n) = S; if S.height() = 10; 5: S.pop() = S; if S.height() = 0; 6: S.push(n).pop() = S; if S.height() < 10; 7: S.push(n).top() = n; if S.height() < 10; 8: S.push(n).height() =S.height()+1; if S.height() < 10; 9: S.pop().height() = S.height()-1; if S.height() >0; end

9 Aug./Sept Algebriac Testing Behavioural semantics and observable sorts Definition 1. (Observable sort) In an AS, a sort s is an observable sort implies that there is an operation _ == _ : s s Bool such that for all ground terms t and t of sort s, E ( (t == t) = true) E ( t=t ). An algebra A (i.e. a software entity) is a correct implementation of an observable sort s if for all ground terms t and t of sort s, A (t=t) A ( (t == t) = true) Pre-defined sorts of Java primitive classes and data types are observable.

10 Aug./Sept Algebriac Testing Well founded formal specifications Let U be a set of specification units in CASOCC and S be a set of sorts. For each sort s S, there is a unit U s U that specifies the software entity corresponding to sort s. Let be the importation relation on S. Definition 2. (Well founded specifications) A sort s S is well founded if s is observable, or for all s in the import list of U s, s is an observable sort, or s is well founded. A specification U is well founded if and only if the importation relation is a pre-order on the set S of sorts, and all sorts s S are well founded.

11 Aug./Sept Algebriac Testing Well-structured formal specifications Definition 3. (Well structured specifications) A specification U in CASOCC is well structured if it satisfies the following conditions. (1) It is well founded; (2) For every user defined unit U s U, (a) there is at least one observer in U s ; (b) for every axiom E in U s, if the condition contains an equation =, we must have, where s is the sort of terms and. A practice implication: for all sorts there are finite lengths of observable contexts.

12 Aug./Sept Algebriac Testing Observation context Definition 1. (Observation context) A context of a sort c is a term C with one occurrence of a special variable of sort c. The value of a term t of sort c in the context of C, written as C[t], is the term obtained by substituting t into the special variable. An observation context oc of sort c is a context of sort c and the sort of the term oc is. To be consistent on notations, we write _.oc: c s to denote an observation context oc. An observation context is primitive if s is an observable sort. In such cases, we also say that the observation context is observable and call the context observable context for short.

13 Aug./Sept Algebriac Testing Form of observation context The general form of an observation context oc: _.f 1 (...).f 2 (...).....f k (...).obs(...) where f 1,..., f k are transformers of sort sc, obs is an observer of sort c, f 1 (...),..., f k (...) are ground terms. A sequence of observation contexts oc 1, oc 2, …, oc n, where _.oc 1 : c s 1, _.oc i : s i-1 s i, i =2,…,n, can be composed into an observation context _.oc 1.oc 2. ….oc n. Example: _.pop().pop().height()

14 Aug./Sept Algebriac Testing Checkable test cases Test cases: a test case is a triple, where T 1 and T 2 are ground terms C (optional) is a ground term of Boolean sort. It means that values of T 1 and T 2 should be equivalent if C evaluates to True. Definition 2. (Checkable test cases) A test case T 1 =T 2, [if C] is directly checkable (or simply checkable), if and only if (a) the sort of terms T 1 and T 2 is observable, and (b) the sort of equations in C is observable, if any. written T 1 =T 2, [if C]

15 Aug./Sept Algebriac Testing Test case generation algorithm (Skeleton) Input: Spec s: CASOCC specification unit of the main sort; Sigs s1, s2, …, sk: The signature of imported sorts; TC: A subset of axioms in s (* the axioms to be tested *); vc: Integer (*complexity upper bound of variables*); oc: Integer (*complexity upper bound of observation contexts*) ; rc: Integer (* the number of random values to be assigned to variables of primitive sorts*) Begin Step 1: Initialisation Step 2: Generate normal form terms for non-primitive variables Step 3: Generate random values for primitive variables Step 4: Substitute normal forms into axioms Step 5: Substitute random values into test cases Step 6: Compose test case with observation context Step 7: Output test set End

16 Aug./Sept Algebriac Testing Properties of the test case generation algorithm Theorem 1. The test case generation algorithm will always terminate if the specification is well founded. Theorem 2. The test cases generated are checkable, i.e. for all test cases generated by the algorithm, t 1, t 2 and c are of primitive or observable sorts. Theorem 3. The test cases are valid. That is, if the specification is well-structured and the observable sorts satisfy the constraints in Definition 1, we have the following properties. (a) The program correctly implements the specification with respect to the behavioural semantics of algebraic specifications implies that the evaluation of t 1 and t 2 using the program give equivalent results provided that c is evaluated to be true. (b) If the evaluation of t 1 and t 2 gives non-equivalent values in an implementation when c is evaluated to true, then there are faults in the program.

17 Aug./Sept Algebriac Testing Testing tool CASCAT CASOCC Spec Parser Test Case Generator Test Result Evaluator Component Spec in CASOCC Test Driver Test Cases J2EE Component Deployed on JBoss Platform Test Report CASCAT Tool

18 Aug./Sept Algebriac Testing

19 Aug./Sept Algebriac Testing Experiment 1: Evaluation of effectiveness The experiment process Selection of subject components: from well established public sources. Development of formal specification: based on the document and source code. Test case generation: automatically by the CASCAT tool from the specification. Validation of formal specification. The subject component is checked against its formal specification by executing the components on the test cases using the CASCAT tool. Fault injection: used MuJava. Eliminate equivalent mutants: manually examined Test execution. A mutant is classified as fault detected if at least on of the axioms of the component is violated or the execution is terminated abnormally.

20 Aug./Sept Algebriac Testing The subjects: 1) Single Component Subjects Subject/Component#C#M#LSrcType Bank44322[28]Stateful Stock35250[30]BMP Product515278[31]CMP Cart56226[28]Stateful Count32101[31]Stateful LinkedList48155[32]Stateful Math37142[34]Stateless

21 Aug./Sept Algebriac Testing Subject/Component#C#M#LSrcType College Course35367[28]BMP Student35330[28]BMP Sales Customer37 350[28]BMP Order571082[28]BMP SalesRep35375[28]BMP Warehouse StorageBin35360[28]BMP Widget34291[28]BMP Gangster [27]CMP ReadAhead47234[27]Stateless SafeDriver RateTable316292[29]CMP Register*419293[29]CMP RateQuote35341[29]Stateful GeneralInfo*42290[29]Stateless Average Std Dev The subjects: 1) Multiple Components Subjects

22 Aug./Sept Algebriac Testing Results of the experiment Subject/Component #M#NEM#D Rate% Single component subjects Bank Stock Product Cart Count LinkedList Math Multiple component subjects College Course Student Sales Customer Order SalesRep Warehouse StorageBin Widget Gangster ReadAhead SafeDriver RateTable RateQuote Total Average Std Dev

23 Aug./Sept Algebriac Testing Main findings (1) The fault detecting ability is not sensitive to the scale of the subject under test. (Correlation coefficient =0.20)

24 Aug./Sept Algebriac Testing Main findings (2) The fault detecting ability decreases only slightly when testing multiple component subjects.

25 Aug./Sept Algebriac Testing Main findings (3) The method consistently detects significantly more faults in session beans than in BMP entities beans despite that entity beans are usually much less complex than session beans. This statement is supported by T-Test.

26 Aug./Sept Algebriac Testing Main findings (4) The development of axioms was less difficult than we expected. There is a simple pattern of axioms for entity beans despite their differences in semantics. Component#Crts#Con/Trans#Obs#AxiomsTime Bank112660m Cart222450m Count101135m Course212650m Customer223460m Gangster m GeneralInfo101130m LinkedList m Math115960m Order205560m Product m RateQuote104450m RateTable m ReadAhead106675m Register m SalesRep212340m Stock212565m StorageBin302440m Student212440m Widget202450m Average m

27 Aug./Sept Algebriac Testing Is algebraic testing practical? Cost of algebraic testing: Writing algebraic specification Deploy the component to component platform, such as JBoss Generation of test cases (automated by tool) Review of test report (checking correctness is done automatically) How expensive is writing algebraic specifications? Is writing algebraic specification learnable? What skill and knowledge are required to write algebraic specifications?

28 Aug./Sept Algebriac Testing How to write algebraic specifications (1) the description of the signature the identification of the operations, e.g. The signature of the operations can be derived from the type definitions of the methods given in the source code. the classification of operations Creators: create instances of the software entity and/or initialise the entity. They must have no parameters of the main sort, but result in the main sort. Constructors: construct the data structure by adding more elements to the data. A constructor must have a parameter of the main sort and results in the main sort. It may occur in the normal forms if the axioms are used as term rewriting rules. Transformers: manipulate the data structure without adding more data. Similar to constructors, a transformer must have the main sort as its parameter and results in the main sort. However, it cannot occur in any normal forms. Observers: enable the internal states or data in the software entity to be observed from the outside. Observers must have a parameter of the main sort but result in an imported sort.

29 Aug./Sept Algebriac Testing How to write algebraic specifications (2) the determination of the axioms For each setter setX(v) (set the value of attribute X to v), s,v. (s.setX(v).getX = v), If pre-cond setX(v) s,v. (s.setX(v).getY = s.getY), where X Y. For each getter getX (get the value of attribute X) s,v. (s.[getX] = s), For each creator C(x 1,x 2,…, x n ) x 1,…, x n.. C(x 1,…, x n ).getX i = x i, If pre-cond C(x1,…, xn) For each constructor and transformer F(x), s,x. (s.F(x).getX) = (x, s.getX), if pre-cond F(x), For each operation P(x) that involves more than one parts A and B: s,x,y. (s. [A.P (x)].B = s.B.Q(y)), if pre-cond A.P(x)

30 Aug./Sept Algebriac Testing Experiment 2: Cost of writing algebraic spec Subjects: Students of computer science (35, year 3) Mathematics course: Advanced University Mathematics Part A and Part B and Discrete Mathematics. Programming courses: C++ Programming, Java Programming and Data Structure No exposure to formal methods Mathematics Courses Programming Courses All Courses Average Standard Deviation Table 1. Statistic Data of Student Capability

31 Aug./Sept Algebriac Testing Distribution of capabilities

32 Aug./Sept Algebriac Testing Math CoursesProg CoursesAll Courses Average StDev

33 Aug./Sept Algebriac Testing Process of the experiment Lesson 0: Introduction to formal methods. Lesson 1: Introduced to algebraic specification and the CASOCC specification language. An example formal specification of stacks A brief introduction to software component for the first class test The first class test (individual and independent) Lesson 2: Sample answer to the class test question 1 A brief introduction to software component for the second class test The second class test (also individual and independent) Lesson 3: Sample answer to the second class test question A brief introduction to software component for the third class test The third class test (also individual and independent) Lesson 4: Sample answer to the previous class test A brief introduction to software component for the final class test The final class test

34 Aug./Sept Algebriac Testing Marking scheme of class tests Correctness of the answer: 50%. It is assess according to the correctness of the signature and axioms in the students work. Minor syntax errors that can be detected by CASCAD tool is deduced by 20% Incorrect axioms were given no marks. Completeness of the axiom system: 50%. It is assessed according to the coverage of the operations by the axioms. The coverage of each operation was given the equal number of marks.

35 Aug./Sept Algebriac Testing Recording times The time that each student took to complete the class test was recorded in the experiment. The students were given no limit on the time to complete the class tests. The students were asked to hand in their work as soon as possible. The students were briefed about the function and the interface of the component before started to work on the class test question. The time taken to write the algebraic specification excludes the time to understand the components.

36 Aug./Sept Algebriac Testing Components Used in Class Tests Component FunctionSourceNumber of Operations Numerical operations on complex numbers Java programming textbook [1] 13 Bank account operationsJ2EE Tutorial [2]12 Gangster database operations J2EE Tutorial16 Operations on Linked Lists Classic textbooks, and also [17] 8 [1], Java [2] Bodoff, S. et al The J2EE Tutorial, 2nd Edt., Pearson 2004.

37 Aug./Sept Algebriac Testing Main Findings 1 Is writing algebraic specifications learnable?

38 Aug./Sept Algebriac Testing Changes in the distributions of scores

39 Aug./Sept Algebriac Testing Distributions of Grades in Class Tests GradeAverageTest 1Test 2Test 3Test 4 A B B43522 C F The students learning experience is not hard. They attained the knowledge and skill of algebraic specification in just a few lessons.

40 Aug./Sept Algebriac Testing Main Findings 2 How expensive to write an algebraic specification for a software component?

41 Aug./Sept Algebriac Testing Changes in the distributions of times On average a student took about half hour to complete the writing of an algebraic specification for a typical software component.

42 Aug./Sept Algebriac Testing Main Findings 3 Does writing algebraic specification need good mathematical skills? Average Times StDev of Times Average Scores StDev of Scores Mathematics Courses Programming Courses All Courses Correlation Coefficients

43 Aug./Sept Algebriac Testing Cluster analysis We divide the students into the following four groups and calculated their scores in class tests. P>M: More capable of programming than mathematics. PM P

44 Aug./Sept Algebriac Testing The students performances in class tests are more closely related to their programming capability than to mathematics knowledge and skills. Notes: the link between students performance in class tests and programming capability should be interpreted as their capability of learning algebraic specification rather than their final attainment. the link is not strong since the absolute values of the correlation coefficients are in the range from 0.41 to 0.52.

45 Aug./Sept Algebriac Testing Main Findings 4 Is writing algebraic formal specifications a job only for the most capable?

46 Aug./Sept Algebriac Testing Writing algebraic specification must be the job of the most capable programmers. However, there is a potential bias. The average scores and average times contain the results of the first and second class tests. Thus, they do not reflect the situation after the students completed their training.

47 Aug./Sept Algebriac Testing

48 Aug./Sept Algebriac Testing (a) Relationship between final class test score and programming capability y = x x (3) (b) Relationship between final class test times and programming capability y = x x (4) After taking three lessons and class tests, the students are capable of writing algebraic specifications of almost equal quality, but the most capable ones took slightly less time. Writing algebraic specifications can be a job for any well trained software developer rather than just for the few most capable ones.

49 Aug./Sept Algebriac Testing General conclusions of experiment 2 Conclusion 1 (Learnability): Writing algebraic specification is learnable for ordinary software developers. Conclusion 2 (Independence of mathematical skills) The knowledge and skill of programming is more important than mathematics to writing algebraic specifications of software components. Conclusion 3 (Cost efficiency): Writing algebraic specification can be as cost efficient as programming in high level programming languages. Conclusion 4 (Equality in performance): Writing algebraic specification can be a skill of every well trained software developer. Although their efficiency in writing algebraic specifications depends on their capabilities, there should be no significantly different from each other on the quality.

50 Aug./Sept Algebriac Testing Limitations of the conclusions 1 The conclusions are only applicable to writing algebraic formal specifications. They do not necessarily imply that writing formal specifications in other formalisms has the same properties. Further research: to investigate whether the same claim can be made to other formalisms such as Z, Petri-nets, process algebras like CSP, CCS and -calculus, and labelled transition system in general. A notable advantage of algebraic specification is that the syntax and semantics of axioms are simple and easy to understand. They use little mathematics notations.

51 Aug./Sept Algebriac Testing Limitations of the conclusions 2 The conclusions are only applicable to writing formal specification They do not necessarily imply that other formal development activities have the same properties, such as reasoning about software properties, proving software correctness, deriving software using formal specifications. These activities may well require much deeper understanding of the theories of formal methods and the semantics of formal specification languages. They may also rely on skills of using software tools that supports formal methods.

52 Aug./Sept Algebriac Testing Conclusion Summary: A technique of automated component testing based on algebraic specifications. A specification language CASOCC An algorithm to generate checkable test cases. An automated prototype testing tool CASCAT for EJB components. Advantages: AS are independent of the implementation, thus suitable for components A high degree of automation No need of the availability and uses of the full set of axioms of all constituent and dependent entities Can focus on a subset of functions and properties of the component A high fault detecting ability Scalable and practically usable Cost efficient

53 Aug./Sept Algebriac Testing Future work More experiments with multiple components subjects Extending the tool from testing EJB 2.0 component to EJB 3.0, i.e. to directly support message driven components Extending the technique for testing web services and concurrent systems

54 Aug./Sept Algebriac Testing References Gonnon, J., McMullin, P. and Hamlet, R., Data-Abstraction Implementation, Specification and Testing, ACM TOPLAS 3(3), 1981, Bernot, G., Gaudel, M. C., and Marre, B., Software testing based on formal specifications: a theory and a tool, Software Engineering Journal, Nov. 1991, Doong,K. & Frankl, P., The ASTOOT approach to testing object- oriented programs, ACM TSEM3(2),1994, Hughes, M. and Stotts, D., Daistish: systematic algebraic testing for OO programs in the presence of side-effects. ISSTA96, Chen, H.Y., et al., In black and white: an integrated approach to class-level testing of object-oriented programs, ACM TSEM 7(3), 1998, Chen,H.Y., Tse,T.H. & Chen,T.Y., TACCLE: a methodology for object-oriented software testing at the class and cluster levels, ACM TSEM 10(1), 2001,

55 Aug./Sept Algebriac Testing Kong, L., Zhu, H., and Zhou, B Automated Testing EJB Components Based on Algebraic Specifications. Proc. of COMPSAC07, Vol. 2, Yu, B., Kong, L., Zhang, Y., and Zhu, H Testing Java Components Based on Algebraic Specifications. Proc. of ICST08 (April 2008),

Download ppt "Aug./Sept. 2008 Algebriac Testing 1 Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments Hong Zhu."

Similar presentations

Ads by Google