Presentation on theme: "Aug./Sept. 2008 Algebriac Testing 1 Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments Hong Zhu."— Presentation transcript:
Aug./Sept. 2008 Algebriac Testing 1 Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments Hong Zhu Dept. of Computing and Electronics, Oxford Brookes University, Oxford, OX33 1HX, UK Email: firstname.lastname@example.org@brookes.ac.uk
Aug./Sept. 2008 2 Algebriac Testing Outline Background Motivation Related works Overview of the approach Specification language CASOCC Testing tool CASCAT Empirical evaluation Conclusion and future work
Aug./Sept. 2008 3 Algebriac Testing Challenges in testing components Components often have no user interface Developers spend as much time in writing test harness excessive overhead, inadequacy of testing, low effectiveness Components are usually delivered as executable code without the source code and design information White-box testing, model-driven testing methods not applicable contains no instrumentation Internal behaviour observation and test adequacy measurement are virtually impossible Existing approaches to the problems Self-testing, e.g. (Beydeda, 2006): yet to be adopted by the industry Specification-based testing: design-by-contract, FSM, etc.
Aug./Sept. 2008 4 Algebriac Testing Algebraic specification A signature: a set of sorts and a set of operators on the sorts A set of axioms: in the form of conditional equations Spec NAT Sorts: nat; Operators: zero: -> nat; succ: nat -> nat; Axioms: zero succ(x); succ(x) = succ(y) => x=y; End NAT Algebraic specification (AS) emerged in the 1970s. In the past three decades, it has developed into a mature formal method.
Aug./Sept. 2008 5 Algebriac Testing Basic idea of algebraic testing S: stack, n: integer, S.push(n).height() = S.height()+1 By substituting constants into variables, we can generate test cases A ground term corresponds to a sequence of procedure/ method/ operation calls Checking the equivalence between the values of the left and right hand sides is to check the correctness of test results
Aug./Sept. 2008 6 Algebriac Testing Related works Work /System Entities tested Test case generation Result checking DAISTS Gonnon et al. 1981 ADT Manually scripted ground terms substituted into axioms Manual program LOFT Gaudel et al. 1991 ADT All ground terms up to certain complexity substituted to axioms; random values assigned to variables of predefined sorts. Observation contexts ASTOOT / LOBAS Doong & Frankl,1994 Class Rewriting ground terms into their normal forms using the axioms Manual program Daistish Hughes & Stotts 1996 Class Manually scripted ground terms substituted into axioms Manual program TACCLE Chen et al. 1998, 2001 Class, Cluster Ground normal forms substituted in axioms + path coverage Observation context
Aug./Sept. 2008 7 Algebriac Testing Overview of the proposed approach Sorts to represent all types of software entities: ADT, Class, Component Test case generation: Composition of observation contexts and axioms with ground normal forms substituted into non- primitive variables and random values for primitive variables Test oracle: Direct checking since test cases are checkable
Aug./Sept. 2008 9 Algebriac Testing Behavioural semantics and observable sorts Definition 1. (Observable sort) In an AS, a sort s is an observable sort implies that there is an operation _ == _ : s s Bool such that for all ground terms t and t of sort s, E ( (t == t) = true) E ( t=t ). An algebra A (i.e. a software entity) is a correct implementation of an observable sort s if for all ground terms t and t of sort s, A (t=t) A ( (t == t) = true) Pre-defined sorts of Java primitive classes and data types are observable.
Aug./Sept. 2008 10 Algebriac Testing Well founded formal specifications Let U be a set of specification units in CASOCC and S be a set of sorts. For each sort s S, there is a unit U s U that specifies the software entity corresponding to sort s. Let be the importation relation on S. Definition 2. (Well founded specifications) A sort s S is well founded if s is observable, or for all s in the import list of U s, s is an observable sort, or s is well founded. A specification U is well founded if and only if the importation relation is a pre-order on the set S of sorts, and all sorts s S are well founded.
Aug./Sept. 2008 11 Algebriac Testing Well-structured formal specifications Definition 3. (Well structured specifications) A specification U in CASOCC is well structured if it satisfies the following conditions. (1) It is well founded; (2) For every user defined unit U s U, (a) there is at least one observer in U s ; (b) for every axiom E in U s, if the condition contains an equation =, we must have, where s is the sort of terms and. A practice implication: for all sorts there are finite lengths of observable contexts.
Aug./Sept. 2008 12 Algebriac Testing Observation context Definition 1. (Observation context) A context of a sort c is a term C with one occurrence of a special variable of sort c. The value of a term t of sort c in the context of C, written as C[t], is the term obtained by substituting t into the special variable. An observation context oc of sort c is a context of sort c and the sort of the term oc is. To be consistent on notations, we write _.oc: c s to denote an observation context oc. An observation context is primitive if s is an observable sort. In such cases, we also say that the observation context is observable and call the context observable context for short.
Aug./Sept. 2008 13 Algebriac Testing Form of observation context The general form of an observation context oc: _.f 1 (...).f 2 (...).....f k (...).obs(...) where f 1,..., f k are transformers of sort sc, obs is an observer of sort c, f 1 (...),..., f k (...) are ground terms. A sequence of observation contexts oc 1, oc 2, …, oc n, where _.oc 1 : c s 1, _.oc i : s i-1 s i, i =2,…,n, can be composed into an observation context _.oc 1.oc 2. ….oc n. Example: _.pop().pop().height()
Aug./Sept. 2008 14 Algebriac Testing Checkable test cases Test cases: a test case is a triple, where T 1 and T 2 are ground terms C (optional) is a ground term of Boolean sort. It means that values of T 1 and T 2 should be equivalent if C evaluates to True. Definition 2. (Checkable test cases) A test case T 1 =T 2, [if C] is directly checkable (or simply checkable), if and only if (a) the sort of terms T 1 and T 2 is observable, and (b) the sort of equations in C is observable, if any. written T 1 =T 2, [if C]
Aug./Sept. 2008 15 Algebriac Testing Test case generation algorithm (Skeleton) Input: Spec s: CASOCC specification unit of the main sort; Sigs s1, s2, …, sk: The signature of imported sorts; TC: A subset of axioms in s (* the axioms to be tested *); vc: Integer (*complexity upper bound of variables*); oc: Integer (*complexity upper bound of observation contexts*) ; rc: Integer (* the number of random values to be assigned to variables of primitive sorts*) Begin Step 1: Initialisation Step 2: Generate normal form terms for non-primitive variables Step 3: Generate random values for primitive variables Step 4: Substitute normal forms into axioms Step 5: Substitute random values into test cases Step 6: Compose test case with observation context Step 7: Output test set End
Aug./Sept. 2008 16 Algebriac Testing Properties of the test case generation algorithm Theorem 1. The test case generation algorithm will always terminate if the specification is well founded. Theorem 2. The test cases generated are checkable, i.e. for all test cases generated by the algorithm, t 1, t 2 and c are of primitive or observable sorts. Theorem 3. The test cases are valid. That is, if the specification is well-structured and the observable sorts satisfy the constraints in Definition 1, we have the following properties. (a) The program correctly implements the specification with respect to the behavioural semantics of algebraic specifications implies that the evaluation of t 1 and t 2 using the program give equivalent results provided that c is evaluated to be true. (b) If the evaluation of t 1 and t 2 gives non-equivalent values in an implementation when c is evaluated to true, then there are faults in the program.
Aug./Sept. 2008 17 Algebriac Testing Testing tool CASCAT CASOCC Spec Parser Test Case Generator Test Result Evaluator Component Spec in CASOCC Test Driver Test Cases J2EE Component Deployed on JBoss Platform Test Report CASCAT Tool
Aug./Sept. 2008 19 Algebriac Testing Experiment 1: Evaluation of effectiveness The experiment process Selection of subject components: from well established public sources. Development of formal specification: based on the document and source code. Test case generation: automatically by the CASCAT tool from the specification. Validation of formal specification. The subject component is checked against its formal specification by executing the components on the test cases using the CASCAT tool. Fault injection: used MuJava. Eliminate equivalent mutants: manually examined Test execution. A mutant is classified as fault detected if at least on of the axioms of the component is violated or the execution is terminated abnormally.
Aug./Sept. 2008 20 Algebriac Testing The subjects: 1) Single Component Subjects Subject/Component#C#M#LSrcType Bank44322Stateful Stock35250BMP Product515278CMP Cart56226Stateful Count32101Stateful LinkedList48155Stateful Math37142Stateless
Aug./Sept. 2008 22 Algebriac Testing Results of the experiment Subject/Component #M#NEM#D Rate% Single component subjects Bank 423723 62.2 Stock 232213 59.1 Product 1814 100.0 Cart 887 87.5 Count 1398 88.9 LinkedList 33 32 97.0 Math 9873 100.0 Multiple component subjects College Course 24 14 58.3 Student 25 15 60.0 Sales Customer 40 27 67.5 Order 575334 64.2 SalesRep 24 14 58.3 Warehouse StorageBin 464427 61.4 Widget 342820 71.4 Gangster 988 100.0 ReadAhead 353331 93.9 SafeDriver RateTable 4836 100.0 RateQuote 272220202 91.8 Total 849731598 81.8 Average 47.240.633.2 79.0 Std Dev 59.947.744.9 17.6
Aug./Sept. 2008 23 Algebriac Testing Main findings (1) The fault detecting ability is not sensitive to the scale of the subject under test. (Correlation coefficient =0.20)
Aug./Sept. 2008 24 Algebriac Testing Main findings (2) The fault detecting ability decreases only slightly when testing multiple component subjects.
Aug./Sept. 2008 25 Algebriac Testing Main findings (3) The method consistently detects significantly more faults in session beans than in BMP entities beans despite that entity beans are usually much less complex than session beans. This statement is supported by T-Test.
Aug./Sept. 2008 26 Algebriac Testing Main findings (4) The development of axioms was less difficult than we expected. There is a simple pattern of axioms for entity beans despite their differences in semantics. Component#Crts#Con/Trans#Obs#AxiomsTime Bank112660m Cart222450m Count101135m Course212650m Customer223460m Gangster25201990m GeneralInfo101130m LinkedList12516100m Math115960m Order205560m Product23101470m RateQuote104450m RateTable2771480m ReadAhead106675m Register2891790m SalesRep212340m Stock212565m StorageBin302440m Student212440m Widget202450m Average1.75 4.606.8582.25m
Aug./Sept. 2008 27 Algebriac Testing Is algebraic testing practical? Cost of algebraic testing: Writing algebraic specification Deploy the component to component platform, such as JBoss Generation of test cases (automated by tool) Review of test report (checking correctness is done automatically) How expensive is writing algebraic specifications? Is writing algebraic specification learnable? What skill and knowledge are required to write algebraic specifications?
Aug./Sept. 2008 28 Algebriac Testing How to write algebraic specifications (1) the description of the signature the identification of the operations, e.g. The signature of the operations can be derived from the type definitions of the methods given in the source code. the classification of operations Creators: create instances of the software entity and/or initialise the entity. They must have no parameters of the main sort, but result in the main sort. Constructors: construct the data structure by adding more elements to the data. A constructor must have a parameter of the main sort and results in the main sort. It may occur in the normal forms if the axioms are used as term rewriting rules. Transformers: manipulate the data structure without adding more data. Similar to constructors, a transformer must have the main sort as its parameter and results in the main sort. However, it cannot occur in any normal forms. Observers: enable the internal states or data in the software entity to be observed from the outside. Observers must have a parameter of the main sort but result in an imported sort.
Aug./Sept. 2008 29 Algebriac Testing How to write algebraic specifications (2) the determination of the axioms For each setter setX(v) (set the value of attribute X to v), s,v. (s.setX(v).getX = v), If pre-cond setX(v) s,v. (s.setX(v).getY = s.getY), where X Y. For each getter getX (get the value of attribute X) s,v. (s.[getX] = s), For each creator C(x 1,x 2,…, x n ) x 1,…, x n.. C(x 1,…, x n ).getX i = x i, If pre-cond C(x1,…, xn) For each constructor and transformer F(x), s,x. (s.F(x).getX) = (x, s.getX), if pre-cond F(x), For each operation P(x) that involves more than one parts A and B: s,x,y. (s. [A.P (x)].B = s.B.Q(y)), if pre-cond A.P(x)
Aug./Sept. 2008 30 Algebriac Testing Experiment 2: Cost of writing algebraic spec Subjects: Students of computer science (35, year 3) Mathematics course: Advanced University Mathematics Part A and Part B and Discrete Mathematics. Programming courses: C++ Programming, Java Programming and Data Structure No exposure to formal methods Mathematics Courses Programming Courses All Courses Average76.4474.5975.51 Standard Deviation 9.677.347.83 Table 1. Statistic Data of Student Capability
Aug./Sept. 2008 31 Algebriac Testing Distribution of capabilities
Aug./Sept. 2008 33 Algebriac Testing Process of the experiment Lesson 0: Introduction to formal methods. Lesson 1: Introduced to algebraic specification and the CASOCC specification language. An example formal specification of stacks A brief introduction to software component for the first class test The first class test (individual and independent) Lesson 2: Sample answer to the class test question 1 A brief introduction to software component for the second class test The second class test (also individual and independent) Lesson 3: Sample answer to the second class test question A brief introduction to software component for the third class test The third class test (also individual and independent) Lesson 4: Sample answer to the previous class test A brief introduction to software component for the final class test The final class test
Aug./Sept. 2008 34 Algebriac Testing Marking scheme of class tests Correctness of the answer: 50%. It is assess according to the correctness of the signature and axioms in the students work. Minor syntax errors that can be detected by CASCAD tool is deduced by 20% Incorrect axioms were given no marks. Completeness of the axiom system: 50%. It is assessed according to the coverage of the operations by the axioms. The coverage of each operation was given the equal number of marks.
Aug./Sept. 2008 35 Algebriac Testing Recording times The time that each student took to complete the class test was recorded in the experiment. The students were given no limit on the time to complete the class tests. The students were asked to hand in their work as soon as possible. The students were briefed about the function and the interface of the component before started to work on the class test question. The time taken to write the algebraic specification excludes the time to understand the components.
Aug./Sept. 2008 36 Algebriac Testing Components Used in Class Tests Component FunctionSourceNumber of Operations Numerical operations on complex numbers Java programming textbook  13 Bank account operationsJ2EE Tutorial 12 Gangster database operations J2EE Tutorial16 Operations on Linked Lists Classic textbooks, and also  8 , Java 2007.  Bodoff, S. et al. 2004. The J2EE Tutorial, 2nd Edt., Pearson 2004.
Aug./Sept. 2008 37 Algebriac Testing Main Findings 1 Is writing algebraic specifications learnable?
Aug./Sept. 2008 38 Algebriac Testing Changes in the distributions of scores
Aug./Sept. 2008 39 Algebriac Testing Distributions of Grades in Class Tests GradeAverageTest 1Test 2Test 3Test 4 A81253133 B+230420 B43522 C020000 F011100 The students learning experience is not hard. They attained the knowledge and skill of algebraic specification in just a few lessons.
Aug./Sept. 2008 40 Algebriac Testing Main Findings 2 How expensive to write an algebraic specification for a software component?
Aug./Sept. 2008 41 Algebriac Testing Changes in the distributions of times On average a student took about half hour to complete the writing of an algebraic specification for a typical software component.
Aug./Sept. 2008 42 Algebriac Testing Main Findings 3 Does writing algebraic specification need good mathematical skills? Average Times StDev of Times Average Scores StDev of Scores Mathematics Courses -0.440.340.10-0.10 Programming Courses -0.520.410.46-0.44 All Courses -0.520.400.28-0.27 Correlation Coefficients
Aug./Sept. 2008 43 Algebriac Testing Cluster analysis We divide the students into the following four groups and calculated their scores in class tests. P>M: More capable of programming than mathematics. P<M: More capable in mathematics than programming P~M High: Equally capable of programming and mathematics P~M Lower: Equally incapable of programming and mathematics Avg. Math Avg. Prog Avg. All Avg. Score Avg. Final Score #Stds P>M69.7877.4473.6190.8296.916 P<M84.3174.9279.6285.4495.9713 P~M (higher)77.5077.8377.6787.2396.468 P~M (lower)67.5868.6768.1385.4995.508
Aug./Sept. 2008 44 Algebriac Testing The students performances in class tests are more closely related to their programming capability than to mathematics knowledge and skills. Notes: the link between students performance in class tests and programming capability should be interpreted as their capability of learning algebraic specification rather than their final attainment. the link is not strong since the absolute values of the correlation coefficients are in the range from 0.41 to 0.52.
Aug./Sept. 2008 45 Algebriac Testing Main Findings 4 Is writing algebraic formal specifications a job only for the most capable?
Aug./Sept. 2008 46 Algebriac Testing Writing algebraic specification must be the job of the most capable programmers. However, there is a potential bias. The average scores and average times contain the results of the first and second class tests. Thus, they do not reflect the situation after the students completed their training.
Aug./Sept. 2008 48 Algebriac Testing (a) Relationship between final class test score and programming capability y = -0.0002x2 - 0.0148x + 98.405(3) (b) Relationship between final class test times and programming capability y = 0.0017x2 - 0.4558x + 56.043(4) After taking three lessons and class tests, the students are capable of writing algebraic specifications of almost equal quality, but the most capable ones took slightly less time. Writing algebraic specifications can be a job for any well trained software developer rather than just for the few most capable ones.
Aug./Sept. 2008 49 Algebriac Testing General conclusions of experiment 2 Conclusion 1 (Learnability): Writing algebraic specification is learnable for ordinary software developers. Conclusion 2 (Independence of mathematical skills) The knowledge and skill of programming is more important than mathematics to writing algebraic specifications of software components. Conclusion 3 (Cost efficiency): Writing algebraic specification can be as cost efficient as programming in high level programming languages. Conclusion 4 (Equality in performance): Writing algebraic specification can be a skill of every well trained software developer. Although their efficiency in writing algebraic specifications depends on their capabilities, there should be no significantly different from each other on the quality.
Aug./Sept. 2008 50 Algebriac Testing Limitations of the conclusions 1 The conclusions are only applicable to writing algebraic formal specifications. They do not necessarily imply that writing formal specifications in other formalisms has the same properties. Further research: to investigate whether the same claim can be made to other formalisms such as Z, Petri-nets, process algebras like CSP, CCS and -calculus, and labelled transition system in general. A notable advantage of algebraic specification is that the syntax and semantics of axioms are simple and easy to understand. They use little mathematics notations.
Aug./Sept. 2008 51 Algebriac Testing Limitations of the conclusions 2 The conclusions are only applicable to writing formal specification They do not necessarily imply that other formal development activities have the same properties, such as reasoning about software properties, proving software correctness, deriving software using formal specifications. These activities may well require much deeper understanding of the theories of formal methods and the semantics of formal specification languages. They may also rely on skills of using software tools that supports formal methods.
Aug./Sept. 2008 52 Algebriac Testing Conclusion Summary: A technique of automated component testing based on algebraic specifications. A specification language CASOCC An algorithm to generate checkable test cases. An automated prototype testing tool CASCAT for EJB components. Advantages: AS are independent of the implementation, thus suitable for components A high degree of automation No need of the availability and uses of the full set of axioms of all constituent and dependent entities Can focus on a subset of functions and properties of the component A high fault detecting ability Scalable and practically usable Cost efficient
Aug./Sept. 2008 53 Algebriac Testing Future work More experiments with multiple components subjects Extending the tool from testing EJB 2.0 component to EJB 3.0, i.e. to directly support message driven components Extending the technique for testing web services and concurrent systems
Aug./Sept. 2008 54 Algebriac Testing References Gonnon, J., McMullin, P. and Hamlet, R., Data-Abstraction Implementation, Specification and Testing, ACM TOPLAS 3(3), 1981, 211-223. Bernot, G., Gaudel, M. C., and Marre, B., Software testing based on formal specifications: a theory and a tool, Software Engineering Journal, Nov. 1991, 387- 405. Doong,K. & Frankl, P., The ASTOOT approach to testing object- oriented programs, ACM TSEM3(2),1994, 101-130 Hughes, M. and Stotts, D., Daistish: systematic algebraic testing for OO programs in the presence of side-effects. ISSTA96, 53-61. Chen, H.Y., et al., In black and white: an integrated approach to class-level testing of object-oriented programs, ACM TSEM 7(3), 1998, 250-295. Chen,H.Y., Tse,T.H. & Chen,T.Y., TACCLE: a methodology for object-oriented software testing at the class and cluster levels, ACM TSEM 10(1), 2001, 56-109.
Aug./Sept. 2008 55 Algebriac Testing Kong, L., Zhu, H., and Zhou, B. 2007. Automated Testing EJB Components Based on Algebraic Specifications. Proc. of COMPSAC07, Vol. 2, 717-722. Yu, B., Kong, L., Zhang, Y., and Zhu, H. 2008. Testing Java Components Based on Algebraic Specifications. Proc. of ICST08 (April 2008), 190-199.