CPN’04 UML and Petri Nets for Test Case Generation University of Geneva D.Buchs, L.Lúcio, L.Pedro.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Design by Contract.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
SATEL Semi Automatic TEsting Language University of Geneva Levi Lúcio, Didier Buchs M-TOOS, Portland 4/30/2015.
1 Software Engineering Lecture 11 Software Testing.
Use Case Model. C-S 5462 Use case model describes what the user expects the system to do –functional requirements may describe only the functionalities.
Use Case Modeling SJTU. Unified Modeling Language (UML) l Standardized notation for object-oriented development l Needs to be used with an analysis and.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Theory of Testing and SATEL. 2 Presentation Structure Theory of testing SATEL (Semi-Automatic TEsting Language) –Test Intentions –SATEL semantics –CO-OPN.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Informatics 43 – May 7, Restatement of Goals for Testing Want to verify software’s correctness  Need to test  Need to decide on test cases  No.
Component-Level Design
1 From UML (Fondue) to COOPN An iterative approach applying MDA techniques.
1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
SATEL Semi Automatic TEsting Language University of Geneva Levi Lúcio VALID Meeting - Besançon 10/3/06.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Object Specification Moving towards a more precise specification of software.
1 From UML (Fondue) to COOPN. Luis Pedro2 Outline Transformation Approach COOPN2 Meta Model TOC for Models2005 paper.
Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.
1 Functional Testing Motivation Example Basic Methods Timing: 30 minutes.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
System/Software Testing
1COM6030 Systems Analysis and Design © University of Sheffield 2005 COM 6030 Software Analysis and Design Lecture 4 - System modelling Dr Richard Clayton.
1 UML and Petri Nets for Test Case Generation From Fondue to CO-OPN: (my) first iteration.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Java Language and SW Dev’t
Overview of Software Testing 07/12/2013 WISTPC 2013 Peter Clarke.
Copyright © 2007, Oracle. All rights reserved. Managing Concurrent Requests.
1 CMPT 275 Software Engineering Requirements Analysis Phase Requirements Analysis Activity (Identifying Objects, Scenarios) Janice Regan,
Introduction to Formal Methods Based on Jeannette M. Wing. A Specifier's Introduction to Formal Methods. IEEE Computer, 23(9):8-24, September,
SOFTWARE DESIGN (SWD) Instructor: Dr. Hany H. Ammar
Automatic Test Generation from here until the end (of my Phd.) University of Geneva Levi Lúcio SMV & Les Diablerets.
1 Levi Lúcio © A Test Selection Language for CO-OPN Specifications Levi Lúcio, Luis Pedro and Didier Buchs University of Geneva.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Conceptual Modelling – Behaviour
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Lecture 1 Introduction Figures from Lewis, “C# Software Solutions”, Addison Wesley Richard Gesick.
Black Box Testing Techniques Chapter 7. Black Box Testing Techniques Prepared by: Kris C. Calpotura, CoE, MSME, MIT  Introduction Introduction  Equivalence.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
An Ontological Framework for Web Service Processes By Claus Pahl and Ronan Barrett.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
4. The process specification (プロセス仕様) You will learn: (次の内容を学び) The concept of process specification (プロセス 仕様の概念) Notations for process specification (プロセス.
Software Testing Input Space Partition Testing. 2 Input Space Coverage Four Structures for Modeling Software Graphs Logic Input Space Syntax Use cases.
FDT Foil no 1 On Methodology from Domain to System Descriptions by Rolv Bræk NTNU Workshop on Philosophy and Applicablitiy of Formal Languages Geneve 15.
1 Kyung Hee University Statecharts Spring Kyung Hee University Specifying Objects’ Behaviour  Interaction diagrams show message-passing behaviour.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Requirements Engineering-Based Conceptual Modelling From: Requirements Engineering E. Insfran, O. Pastor and R. Wieringa Presented by Chin-Yi Tsai.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Protocols Software Engineering II Wirfs Brock et al, Designing Object-Oriented Software, Prentice Hall, Mitchell, R., and McKim, Design by Contract,
Systems Analysis and Design in a Changing World, Fourth Edition
Class Design I Class Contracts Readings: 2 nd Ed: Section 9.5, Advanced Topic nd Ed: Section 8.5, Advanced Topic 8.2 Some ideas come from: “Practical.
Software Testing and Quality Assurance 1. What is the objectives of Software Testing?
1 Contractual Consistency Between BON Static and Dynamic Diagrams Ali Taleghani July 30, 2004.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.
From requirements to specification Specification is a refinement of requirements Can be included together as Software Requirements Specifications (SRS)
Analysis Classes Unit 5.
A Methodology and a Framework for Test Case Generation
Use Case Model.
Input Space Partition Testing CS 4501 / 6501 Software Testing
Graph Coverage for Specifications CS 4501 / 6501 Software Testing
Component-Level Design
Component-Level Design
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Software Engineering System Modeling Chapter 5 (Part 1) Dr.Doaa Sami
Applying Use Cases (Chapters 25,26)
Presentation transcript:

CPN’04 UML and Petri Nets for Test Case Generation University of Geneva D.Buchs, L.Lúcio, L.Pedro

CPN’04 D. Buchs, L.Lúcio, L.Pedro 2 Tutorial roadmap Introduction to (our) Model- Based test case generation User’s viewpoint – from a UML specification to test cases Demo Developer’s viewpoint – OO Petri Nets to enable state space exploration Conclusion & Questions?

CPN’04 D. Buchs, L.Lúcio, L.Pedro 3 Software Verification Software Validation: Are we producing the right product? as opposed to… Software Verification: Are we producing the product right? - Boehm Software verification deals with checking if a software system performs the specified functionalities correctly…

CPN’04 D. Buchs, L.Lúcio, L.Pedro 4 Software Verification (2) Ideally all the possible behaviors of a system would be checked:  Model Checkers  Theorem Provers allow exhaustive verification of a system… In the real world these methods are:  Difficult to map into complex software!  Do not model the real execution environment!  Costly! Testing remains the popular approach…

CPN’04 D. Buchs, L.Lúcio, L.Pedro 5 Types of Tests Program-based (white box) Specification-based (black box) Coverage of the code (instructions, paths, conditions…) Based on specification’s properties Good to detect unintended behaviors Does not detect unimplemented features Detects unimplemented features Can be reused in multiple implementations

CPN’04 D. Buchs, L.Lúcio, L.Pedro 6 Tutorial roadmap – Part I Our Model-Based test case generation User’s viewpoint – from a UML specification to test cases Demo Developer’s viewpoint – OO Petri Nets to enable state space exploration Questions?

CPN’04 D. Buchs, L.Lúcio, L.Pedro 7 Exhaustive test set - Definition The exhaustive set of tests for a given specification can be formalized as: T Exhaustive = {  formula,result  | formula  composition of  input,output  pairs result = true if formula models a valid behavior result = false if formula models an invalid behavior } The exhaustive test set describes fully the expected semantics of the specification, including valid and invalid behaviors…

CPN’04 D. Buchs, L.Lúcio, L.Pedro 8 Specification-Based Test Generation Specification (SP) Program (P) ╞ Exhaustive Test Set (T SP ) ╞O╞O ╞ : program P satisfies (has the same semantics as) specification SP; ╞ o : program P reacts according to test set T SP (as observed by an Oracle O).

CPN’04 D. Buchs, L.Lúcio, L.Pedro 9 Pertinence and Practicability According to the previous slide, the following formula holds: IF test set T SP is pertinent – valid and unbiased  valid – accepts all correct programs;  unbiased – accepts only correct programs; (P╞ SP) (P╞ o T SP ) But, exhaustive test sets are not practicable in the real world (infinite testing time)…

CPN’04 D. Buchs, L.Lúcio, L.Pedro 10 Test Selection We thus need a way of reducing the exhaustive (infinite) test set to a test set that is practicable, while keeping pertinence… How do we do this? By stating hypotheses about the behavior of the program – the idea is to find good hypotheses that generalize correctly the behavior of the SUT!

CPN’04 D. Buchs, L.Lúcio, L.Pedro 11 Stating Hypotheses Example: consider as SUT a (simplified) embedded controller for a drink vending machine: Drink Vending Machine insert_coin select_drink (X) accept_coin reject_coin give_drink not_enough_money Drinks available: Coke (2 coins), Water (1 coin)

CPN’04 D. Buchs, L.Lúcio, L.Pedro 12 Stating Hypotheses (2) Hypotheses 1: if the SUT works well for sequences of at least 3 operations, then the system works well (regularity); AND Hypotheses 2: if the system works well while choosing one kind of drink, then it will work well for choosing all kinds (uniformity). ,, true  Example test 1 ,, false  Example test 2

CPN’04 D. Buchs, L.Lúcio, L.Pedro 13 Where to find Hypotheses? From the Test Engineer  The knowledge of a test engineer about the functioning of the SUT should be used;  He/She can provide truthful generalizations about the behavior of the SUT! In the Specification  The specification contains an abstraction of all possible behaviors of the SUT;  It is possible complement user’s hypotheses automatically if the specification is formal!

CPN’04 D. Buchs, L.Lúcio, L.Pedro 14 Specification – Complementing human Hypotheses Example: imagine that from the two hypotheses in the last but one slide the test selection mechanism has chosen Water. There are then 3 interesting valid behaviors (tests): The buyer doesn’t insert enough coins, chooses Water and gets nothing; The buyer inserts enough coins, chooses Water and gets it; The buyer inserts too many coins, chooses Water, gets it and the change. The points of choice stated in the operation of the specification can be used to add further behavior classification that can be combined with the hypotheses stated by the test engineer. We call this sub-domain decomposition.

CPN’04 D. Buchs, L.Lúcio, L.Pedro 15 Applying Hypotheses We use a formal language to describe tests (HML) and defined a language to apply constraints (hypotheses) to those tests; Of course, the final test set will be pertinent (valid and unbiased) only when all the hypotheses correspond to valid generalizations of the behavior of the program! Test Engineer Specification (with behavior) Hypotheses on Program behavior

CPN’04 D. Buchs, L.Lúcio, L.Pedro 16 Test set Reduction Process Reduce Test set Increase hypothesis H0H0 H1H1 … H k-1 HkHk T0T0 T1T1 … T k-1 TkTk Oracle hypothesis and exhaustive test set defined hypothesis and practicable test set

CPN’04 D. Buchs, L.Lúcio, L.Pedro 17 Full Picture Does P satisfy SP? PSP Test Selection (Hypotheses H Application) Execution of P using T Oracle P satisfies, or not, T! P does not satisfy SPUndefinedP satisfies SP! P satisfies, or not, H Test Set T noinconclusiveyes noyes Correction of P Test Procedure

CPN’04 D. Buchs, L.Lúcio, L.Pedro 18 Oracle The Oracle is a decision procedure that decides whether a test was successful or not… Drink Vending Machine ,, false  Oracle Test Program Yes (test passes) No (test doesn’t pass)

CPN’04 D. Buchs, L.Lúcio, L.Pedro 19 Oracle Hypotheses Example: An operation was performed on a web page and after 40 seconds there is still no reply… Direct observation of the “real world” is not always possible… In this case the Oracle has to perform assumptions in order to make a decision about a test! Example Oracle hypotheses: if in a test there is a delay of more than 30 seconds then the test doesn’t pass.

CPN’04 D. Buchs, L.Lúcio, L.Pedro 20 Tutorial roadmap – Part II Introduction to (our) Model- Based test case generation User’s viewpoint – from a UML specification to test cases Demo Developer’s viewpoint – OO Petri Nets to enable state space exploration Conclusion & Questions?

CPN’04 D. Buchs, L.Lúcio, L.Pedro 21 Full picture – again… Tests Model Selection Criteria Test Driver SUT (implementation) Oracle Test Results + + Hypotheses about SUT behavior Test validation + Spec. hypotheses Subject of part III of this tutorial!

CPN’04 D. Buchs, L.Lúcio, L.Pedro 22 The eBanking System Example The login includes two identification steps: 1. Provide a login and a password; 2. Respond correctly to a challenge posed by the system; The user becomes blocked after 3 wrong passwords or 5 wrong challenges. We wish to generate tests for an eBanking system allowing users to login and to perform transactions between accounts…

CPN’04 D. Buchs, L.Lúcio, L.Pedro 23 Providing the Model… Model Tests Selection Criteria Test Driver SUT (implementation) Oracle Test Results + + Tests Selection Criteria Test Driver SUT (implementation) Oracle Test Results + + Test Validation + Spec. hypotheses

CPN’04 D. Buchs, L.Lúcio, L.Pedro 24 Providing the Model The Modelling Language UML (Fondue specification) Software development process for reactive systems Purpose is to produce a description of:  The problem domain  The functional requirements of the system What it provides  Concept Model: Static structure of the information in the system  Behavior Model: Input and Output communication of the system Uses UML (Class / Collaboration / State) and OCL

CPN’04 D. Buchs, L.Lúcio, L.Pedro 25 Providing the Model Expressing Model Semantics Describes operations on the system by operation schemas which specify operations by pre- and post conditions using OCL System State pre-condition System State post-condition Output Event State change implies changing objects, attributes and relations described by the class model … OCL Operation Schema For X Operation X

CPN’04 D. Buchs, L.Lúcio, L.Pedro 26 Providing the Model – Example Environment (Collaboration) Model > eBanking User sendChallengeNumber errorUserName errorPasswd errorChallenge errorUserBlocked errorPaymentCreation loginUserName loginPasswd loginChallenge createPayment giveDetailsBeneficiary

CPN’04 D. Buchs, L.Lúcio, L.Pedro 27 Providing the Model – Example Concept (Class) Model User 0.. * > eBanking userName : String Passwd : Passwd Name : String loginTentativeNumber : Int userState: bool eUser id : CardId expirationDate: Date ChallengeCard position : ChallengeId anserPosition: String ChallengeCardElement position 1 table > HasSessionId

CPN’04 D. Buchs, L.Lúcio, L.Pedro 28 Providing the Model Operation Model loginUserName Operation: System:loginPassword(Passwd: Passwd) Description: This operation checks that the password (Passwd) is the correct one for a userName previouly given and valid. The maximum number of tentatives is 3. If this Number exceeds 3 the user will be blocked. User Cases: Authenticate in the site; Aliases: u: SystemUser Is sender.SystemUser; -> the user that corresponds to the Sender Messages: User::{errorPasswd; sendChallengeNumber} Pre: u.isDefined(); -- u exists Post: If u.Passwd <> Passwd then -- if password is not correct u.numberLogin = + 1 and -- increment number of tried sender^errorPasswd() -- the user is informed that the password is not correct if u.numberLogin = 3 then -- if exceeds the number of allowed tentatives u.state = UserState::blocked and -- user is blocked u.numberLogin = 0 -- reset number of tried logins end else -- password is correct u.numberLogin = 0 and -- reset number of tried logins sender^sendChallengeNumber(u.caseNumber) -- send the challenge number endif;

CPN’04 D. Buchs, L.Lúcio, L.Pedro 29 Tests Selection Criteria Oracle Test Results + + Model - SUT Mapping… Model Test Driver SUT (implementation) Tests Selection Criteria Oracle Test Results + + Operation’s signatures SUT Interface Mapping

CPN’04 D. Buchs, L.Lúcio, L.Pedro 30 Model – SUT Mapping The Test Driver The Test Driver is the piece of software that allows executing (abstract) tests on the SUT; Each model operation and operation output has to be connected with an SUT operation and output respectively; Heterogeneous SUT interfaces:  Programmatic APIs  Web pages  Specialized graphical interfaces  Command line

CPN’04 D. Buchs, L.Lúcio, L.Pedro 31 Model – SUT Mapping Example loginUserName loginPasswd loginChallenge createPayment giveDetailsBeneficiary User does not exist! sendChallengeNumber errorUserName errorPasswd errorChallenge errorUserBlocked errorPaymentCreation Model’s Operations Operations’ Output

CPN’04 D. Buchs, L.Lúcio, L.Pedro 32 Model Tests Selection Criteria Test Driver SUT (implementation) Oracle Test Results + + Model Tests Selection Criteria SUT (implementation) Test Results + + Providing the Oracle Hypotheses Observability hypotheses Observes

CPN’04 D. Buchs, L.Lúcio, L.Pedro 33 Providing the Oracle Hypotheses Observing test results The Oracle will observe the driver while it applies pairs to the SUT; When the output does not correspond exactly to what was expected, the Oracle Hypotheses provide an error margin… If the output goes outside the established hypotheses, the test result is undefined!

CPN’04 D. Buchs, L.Lúcio, L.Pedro 34 Model Tests Test Driver SUT (implementation) Oracle Test Results + + Providing Hypotheses about the SUT Tests Test Driver SUT (implementation) Oracle Test Results + + Selection Criteria Model Tests Test Driver SUT (implementation) Oracle Test Results + + Hypotheses about SUT behavior

CPN’04 D. Buchs, L.Lúcio, L.Pedro 35 Providing Hypotheses about the SUT The Hypotheses’ language We are concentrating both the languages to:  Express hypotheses – or constraints on tests  Express tests (in the theory, HML) in Prolog!... Example: produce a set of tests where the user logs in and inserts a password. Only one login and one password should be used and the test should represent a valid specification behavior. tests(L) :- pattern(_,and(ev(loginUserName(Name),_),ev(loginPasswd(Passwd),_)),L), uniform(L),valid(L,true). [with(loginUserName(lucio), []), with(loginPasswd(‘wrong_pass'), [errorPasswd])]; [with(loginUserName(lucio), []), with(loginMotPasse(‘good_pass'), [sendChallengeNumber(X)])]; Result

CPN’04 D. Buchs, L.Lúcio, L.Pedro 36 Providing Hypotheses about the SUT The Hypotheses’ language (2) Using Prolog we can now express hypotheses on: action sequences:  Pattern of paths based on regular expressions: Zero or more times the same operation(s): * One or more times the same operation(s): + Logical operators between operation sequences: AND,OR variable value domains: Explore all possible values of a given domain; Regularity hypotheses:  Constrain the values of a domain. Uniformity hypotheses:  Choose only one value belonging to a variable’s domain

CPN’04 D. Buchs, L.Lúcio, L.Pedro 37 User Intervention - Summary Tests Model Selection Criteria Test Driver SUT (implementation) Oracle Test Results + +

CPN’04 D. Buchs, L.Lúcio, L.Pedro 38 Tutorial roadmap – Demo Introduction to (our) Model- Based test case generation User’s viewpoint – from a UML specification to test cases Demo Developer’s viewpoint – OO Petri Nets to enable state space exploration Conclusion & Questions?

CPN’04 D. Buchs, L.Lúcio, L.Pedro 39 Tutorial roadmap – Part III Introduction to (our) Model- Based test case generation User’s viewpoint – from a UML specification to test cases Demo Developer’s viewpoint – OO Petri Nets to enable state space exploration Conclusion & Questions?

CPN’04 D. Buchs, L.Lúcio, L.Pedro 40 Tests Selection Criteria Test Driver SUT Oracle Test Results + + Model Test case generation Machinery Tests Selection Criteria Test Driver SUT Oracle Test Results + + Model Syntactic test creation Test validation Subdomain decomposition

CPN’04 D. Buchs, L.Lúcio, L.Pedro 41 Operational specification model Syntactically building tests while applying hypotheses isn’t a problem…... but validating tests requires an operational specification model! …also required to find sub-domains for operation’s parameters!

CPN’04 D. Buchs, L.Lúcio, L.Pedro 42 Operational specification model: UML→CO-OPN→Prolog CO-OPN is a formal OO specification language based on:  ADTs : data types (no persistent state);  Petri Nets : behavior and concurrency handling. We have already a tool that translates CO- OPN into an operational Prolog model! UMLCO-OPNProlog ExistsUnder Construction

CPN’04 D. Buchs, L.Lúcio, L.Pedro 43 CO-OPN Notion of Contexts / Classes / Objects / Data Types (ADTs) Class Example – bank account PIN (ADT) Money (ADT) balance numbercreate (n) n get_number (n) nn get_balance (b) withdraw (m) b b b b - m Contexts are equivalent to classes without places: Coordinate behavior between other classes or contexts; Make a clear distinction between coordination and computational features.

CPN’04 D. Buchs, L.Lúcio, L.Pedro 44 UML (Fondue) → CO-OPN Environment model → CO-OPN context; 1 concept model class → 1 CO-OPN class  Attributes are places  Getter and Setter methods are added to the classes OCL operations → pre/post condition state change coded on context’s coordination logic. Ideally there would be a refinement of the UML (Fondue) specification that would decompose OCL operations into classes’ methods!...

CPN’04 D. Buchs, L.Lúcio, L.Pedro 45 UML (Fondue) → CO-OPN Example Imagine an OCL operation add_money(m) that simply adds a given amount of money m to an account: Coordination expression: add_money(m) with account.get(q).. account.put(m+q) put (t) q tq q get (q) put(m+q) add_money (m) account

CPN’04 D. Buchs, L.Lúcio, L.Pedro 46 CO-OPN → Prolog CO-OPN is finally translated into Prolog (no details given in this tutorial); Test cases are also generated in Prolog format; We have built an engine in Prolog capable of holding the object representation of the specification and changing it by applying operations; This approach allows us to validate a test, i.e. knowing whether a behavior is valid or not!

CPN’04 D. Buchs, L.Lúcio, L.Pedro 47 Tests Selection Criteria Test Driver SUT Oracle Test Results + + Model Test case generation Machinery Subdomain decomposition Syntactic test creation Test validation Subdomain decomposition

CPN’04 D. Buchs, L.Lúcio, L.Pedro 48 Subdomain decomposition with Prolog We wish to find which are the possible behaviors of an operation; Prolog’s backtracking mechanism is very useful for that task… Int foo (int a) { 1a++; 2if (a>10) 3...; 4else 5...; 6return a } a:  PC: True a:  +1 PC: True (1) a:  PC:  a:  PC:  (2 -true)(2 - false) The constraints in PC (Path Condition) define a decomposition of the domains of the operation’s entry parameters… backtracking point

CPN’04 D. Buchs, L.Lúcio, L.Pedro 49 Tutorial roadmap - Questions? Introduction to (our) Model- Based test case generation User’s viewpoint – from a UML specification to test cases Demo Developer’s viewpoint – OO Petri Nets to enable state space exploration Conclusion & Questions?

CPN’04 D. Buchs, L.Lúcio, L.Pedro 50 Tutorial Conclusion

CPN’04 D. Buchs, L.Lúcio, L.Pedro 51 Questions?