Theory and Practice of Co-verification Process: UniTesK Story RedVerst group of ISP RAS Alexander K. Petrenko Victor V. Kuliamin

Overview Introduction : Why co-verification? Main part : What is UniTesK? Case studies

Waterflow Process Model Requirements Design Implementation Testing Deployment

Iterative Process Model Requirements Design Implementation Testing Deployment InceptionElaborationConstructionTransition

CMM Certified Organizations According to Compiled List of Organizations Publicly Announced their Maturity Levels,

New Development Technologies Expansion According to “The Decision is in: Agile versus Heavy Methodologies” by Robert Charette, Cutter IT Journal, vol. 2, No Percent of organizations using modern development processes

Need for Quick Change Response According to “The Decision is in: Agile versus Heavy Methodologies” by Robert Charette, Cutter IT Journal, vol. 2, No Percent of organizations recognizing more than 50% of projects as agile

Inadequate Quality of Software LossPotential Cost Reduction Total Sales Software Vendors 21.2  10 9 $10.6  10 9 $180  10 9 $ Software Users 38.3  10 9 $11.7  10 9 $ Total 59.5  10 9 $22.2  10 9 $ The Economic Impacts of Inadequate Infrastructure for Software Testing, NIST Report, May 2002

Evolution of Testing Localization of errors Demonstration of errors –Testing is the process of executing a program or system with the intent of finding errors [Myers, 1979] –The purpose of testing is to show that a program has bugs [Hetzel, 1988] Evaluation of quality –Testing is the process of operating a system or component under specified conditions, observing or recording the results, and making an evaluation of some aspect of the system or component [IEEE 90]

Traditional Development Process Business Modeling Requirements Architecture Design Component Design Implementation Integration Deployment

Co-verification Development Process Business Modeling Requirements Architecture Design Component Design Implementation Integration Deployment

Main Part Overview Traditional approaches to verification UniTesK approach Example

Traditional Test Development E Requirements Elicitation Test Case Design Test Implementation Test Execution Test Result Analysis

Uniform Test Architecture UniTesK Approach Uniform Specification Extension Integration with Development Environments CTesK VDM++TesK Foundations Tools UniTesK Model Based Testing

Requirements Formalization Requirements Formal Specifications

Engineering Problems Specification technique should be suitable for –Easy transformation of requirements –Easy automation of further test development –Easy adaptation to needs of the industry –Functional test coverage definition Specification notation should require minimum education and special skills

Specification Techniques Executable Imperative state based specifications Constraints State based data type constraints, pre- and postconditions, internal invariants Axiomatic Action based axioms

Executable Specifications Are very close to some implementation –Are easy to use in the industry –Can be transformed into prototypes Are not close to requirements ( √¯ = e ½ln = lim(x n+1 = ½(x n +x/x n )) ) –Unsuitable for test coverage measurement –Can cause problems with conformance checking How to compare the results? Are highly reusable as executable code But are low reusable as criteria of correctness

Constraint Specifications Have the structure similar with implementation –Are easy to use in the industry But have different form Are close to requirements in most cases –Are easy to construct from requirements –Suitable for test coverage measurement –Counterexample: memory management subsystem Can be directly used in conformance checking Special constructs enabling reuse can be added

Axiomatic Specifications Are far from common implementations and have greatly different structure –Can hardly be introduced in the industry Are usually far from requirements –Are hard to develop in real-life projects –Can hardly be used for coverage measurement –But sometimes are the only appropriate form Can be used for conformance checking But sharpen error localization problems Reusability is a problem

Comparison of Specification Techniques

Comparison Results

Specification Notation Specification language –Suitable for capture abstract properties –Has formal semantics –Requires complex mediator layer for implementation –Requires special education, mastering is enduring Extension of programming language –Abstract concepts can be added by libraries –Ambiguous parts of language can be excluded –Complex mediators are not required –Mastering can be made more effective –Facilitates co-verification

UniTesK Specification Technique Uniform Test Architecture Uniform Specification Extension Integration with Development Environments CTesK VDM++TesK UniTesK Model Based Testing Uniform Specification Extension Constraint Specifications –Preconditions and postconditions of operations –Data type constraints Functional coverage description based on specification structure

UniTesK Specification Technique Constraint Specifications –Preconditions and postconditions of operations –Data type constraints specification Operation() pre block, returning Boolean value post block, returning Boolean value to refer to pre-value of expressions invariant Inv() block, returning Boolean value

void enq (Object obj, int priority) priority  [Min_Priority, Max_Priority] Object deq () int size () Priority Queue Example 5 deq ()enq () size () enq () 0 52

Uniform Test Architecture Uniform Specification Extension Integration with Development Environments CTesK VDM++TesK UniTesK Model Based Testing : Specification Extension of Java specification package pqueue; public class PQueueSpecification { specification public void enq(Object obj, int prty) reads obj, prty updates items.?, priorities.? { pre { return obj != null; } post { int i = 0; for(i = 0; i < items.size() && priorities.elementAt(i) > prty; i++ );...

Model State Definition public class PQueueSpecification { // List of elements of the queue public Vector items = new Vector(); // Accompanying list of their priorities public IntList priorities = new IntList(); }

Data Integrity Constraints : Lists are not Null public class PQueueSpecification { public List items = new List(); public IntList priorities = new IntList(); invariant ListsAreNotNull() { return items != null && priorities != null; }

Data Integrity Constraints : Lists’ Sizes are Equal public class PQueueSpecification { invariant ListsSizesAreEqual() { return items.size() == priorities.size(); }

Data Integrity Constraints : Priorities Lie in the Range public class PQueueSpecification { public static int Min_Priority; public static int Max_Priority; invariant PrioritiesLieInTheRange() { for(int i = 0; i < priorities.size(); i++) { if( priorities.get(i) < Min_Priority || priorities.get(i) > Min_Priority ) return false; } return true; }

Data Integrity Constraints : Priorities do not Increase public class PQueueSpecification { invariant PrioritiesDoNotIncrease() { for(int i = 1; i < priorities.size(); i++) { if( priorities.get(i-1) < priorities.get(i) ) return false; } return true; }

Operation Specification : size() Method public class PQueueSpecification { specification public int size () reads this.? { pre { return true; } post { return size == items.size(); } } }

Operation Specification : enq() Method public class PQueueSpecification { specification public void enq (Object obj, int prty) reads obj, prty updates this.? { pre { return obj != null; } post { int i = 0; for(i = 0; i = prty; i++ ); PQueueSpecification new_state = new_state.items.add(i, obj); new_state.priorities.add(i, prty); return this.equals(new_state); }

Auxiliary Methods public class PQueueSpecification { public boolean equals (PQueueSpecification other) { return items.equals(other.items) && priorities.equals(other.priorities); } public Object clone () { PQueueSpecification result = new PQueueSpecification(); result.items = (List)items.clone(); result.priorities = (IntList)priorities.clone(); return result; }

Operation Specification : deq() Method public class PQueueSpecification { specification public Object deq () updates this.? { post { if(items.isEmpty()) return deq == null && items.isEmpty(); else { PQueueSpecification new_state = Object result = new_state.items.first(); new_state.items.removeFirst(); new_state.priorities.removeFirst(); return this.equals(new_state) && deq == result; }

Coverage Tasks Definition Requirements Formal Specifications pre post Test Case Formal Specifications pre post

Engineering Problems More than one coverage metrics is needed Automatic coverage goals extraction Enabling test designer to introduce additional goals

Several Levels of Coverage Metrics Formal Specifications pre post

Definition of Coverage Tasks : Functionality Branches Functional coverage description based on specification structure post if(a || b)... branch “Case 1”;... else if(!c && d)... branch “Case 2”;... else... branch “Case 3”;... BranchesDisjuncts Case 1 a !a  b Case 2 !a  !b  !c  d Case 3 !a  !b  c !a  !b  !c  !d

public class PQueueSpecification { specification public int size () reads this.? { pre { return true; } post { branch “Single branch”; return size == items.size(); } Functionality Branches in size() Method

specification public void enq (Object obj, int prty) reads obj, prty updates this.? { pre { return obj != null; } post { int i = 0; for(i = 0; i = prty; i++ ); branch “Single branch”; PQueueSpecification new_state = new_state.items.add(i, obj); new_state.priorities.add(i, prty); return this.equals(new_state); } Functionality Branches in enq() Method

specification public Object deq () updates this.? { post { if(items.isEmpty()) { branch “Empty queue”; return deq == null && items.isEmpty(); } else { branch “Nonempty queue”; PQueueSpecification new_state = Object result = new_state.items.firstElement(); new_state.items.removeFirstElement(); new_state.priorities.removeFirstElement(); return this.equals(new_state) && deq == result; } Functionality Branches in deq() Method

Additional Coverage Tasks : enq()

Additional Coverage Tasks : deq()

Definition of Coverage Tasks : Marked Paths post if(a || b || c) { BranchesMarked PathsDisjuncts Case 1 “a holds”; “Case 1”a “Case 1” !a  b !a  !b  c branch “Case 1”;... } if(a) mark “a holds”;

Marked Paths in enq() Method post { int i = 0; for(i = 0; i = prty; i++ ); if( items.isEmpty() ) mark "Insertion in the empty queue"; else if( prty > priorities.maximum() ) mark "Insertion in the head"; else if( prty == priorities.maximum() && prty == priorities.minimum() ) mark "Insertion with single existing priority"; else if( prty == priorities.maximum() ) mark "Insertion with maximum priority"; else if( prty < priorities.minimum() ) mark "Insertion in the tail with new priority"; else if( prty == priorities.minimum() ) mark "Insertion with minimum priority"; else if( !priorities.contains(prty) ) mark "Insertion in the middle with new priority"; else mark "Insertion in the middle with existing priority"; branch “Single branch”;... }

post { if(items.isEmpty()) { branch “Empty queue”;... } else { if( items.size() == 1 ) mark "Single element in the queue"; else if( !(priorities.maximum() == priorities.get(1)) ) mark "Single element with maximum priority, several elements in the queue"; else if( priorities.toSet().size() > 1 ) mark "Several elements with maximum priority, there are other priorities"; else mark "Several elements in the queue with the same priority"; branch “Nonempty queue”;... } Marked Paths in deq() Method

Test Implementation Test Case Formal Specifications pre post Test Program Test Scenario

Engineering Problems Test construction technique should ensure coverage goals achievement Enabling test designer to introduce additional tests Tests should be decoupled with implementation

Overview of UniTesK Approach to Test Implementation Test construction technique : traversal of FSM –FSM is constructed in so far that its traversal ensures coverage FSM represented implicitly as test scenario –Implicit representation saves a lot of work –Test scenarios can be Generated on the base of templates and specifications Developed manually Developed in mixed way Mediators are used to decouple test scenarios and implementation –The same three ways to develop mediators

Uniform Test Architecture Uniform Specification Extension Integration with Development Environments CTesK VDM++TesK UniTesK Model Based Testing UniTesK Test Architecture From specification we can generate oracle to check the conformance of system behaviour The entire test is constructed as a test sequence intended to achieve some coverage –Test sequence required is produced on-the-fly during test execution as a transition tour of FSM model

Test sequence construction UniTesK Test Architecture Oracle Target system Test Engine Test Action Iterator Specification

Test Sequence Construction Test Engine Test Action Iterator

Problems of State Machine Construction Implicit specifications are hard to resolve Nondeterminism Huge numbers of states and transitions

Factorization Based on Coverage Goals I. B. Bourdonov, A. S. Kossatchev, V. V. Kuliamin. Using Finite State Machines in Program Testing. Programming and Computer Software, Vol. 26, No. 2, 2000, pp Helps to cope with state explosion and nondeterminism

Implicit State Machine Description Allows not to resolve implicit constraints Makes factorization easier

State Machine Construction Based on Coverage Goals states parameters operation domain defined by precondition coverage goals

Test Sequence Construction for Implicit FSM Test Engine Test Action Iterator

Test Scenario Test sequence construction Oracle Target system Test Engine Test Action Iterator Specification Test Scenario

Priority Queue Example : enq() Coverage Goals if( items.isEmpty() ) mark "Insertion in the empty queue"; else if( prty > priorities.maximum() ) mark "Insertion in the head"; else if( prty == priorities.maximum() && prty == priorities.minimum() ) mark "Insertion with single existing priority"; else if( prty == priorities.maximum() ) mark "Insertion with maximum priority"; else if( prty < priorities.minimum() ) mark "Insertion in the tail with new priority"; else if( prty == priorities.minimum() ) mark "Insertion with minimum priority"; else if( !priorities.contains(prty) ) mark "Insertion in the middle with new priority"; else mark "Insertion in the middle with existing priority"; States: Arguments: Empty queue Single priority is used At least two priorities are used At least three priorities are used At least three different priorities should be provided 

Priority Queue Example : deq() Coverage Goals if(items.isEmpty()) branch “Empty queue”; else if( items.size() == 1 ) mark "Single element in the queue"; else if( !(priorities.maximum() == priorities.get(1)) ) mark "Single element with maximum priority, several elements in the queue"; else if( priorities.toSet().size() > 1 ) mark "Several elements with maximum priority, there are other priorities"; else mark "Several elements in the queue with the same priority"; States: Empty queue Single element in the queue Single element with maximum priority, several priorities Several elements with maximum priority, several priorities Several elements with the single used priority

Priority Queue Example : Analysis of Determinism 0 : Empty queue 1 : Single element in the queue 2 : Several elements with single used priority 012 deq() To make the behavior deterministic we should split this state according to the number of elements

Priority Queue Example : Analysis of Determinism 0,1,2, … : Number of elements with maximum priority A : Single element with maximum priority, several priorities 0123 deq() To make the behavior deterministic we should split this state according to the number of elements with the next priority A … And so on, for all priorities (by induction)

Priority Queue Example : Resulting State Resulting state S : int → int is map from integers to integers, where key is priority value is the number of queue elements having such the priority

Reference to Specification Object scenario public class PQueueTestScenario { // Reference to the object under test public PQueueSpecification queue; }

State Construction Method scenario public class PQueueTestScenario { public AbstractGenState getGenState() { IntToIntMapGenState state = new IntToIntMapGenState(); for(int p = PQueueSpecification.Min_Priority; p < queue.priorities.toSet().size(); p++ ) { int n = queue.priorities.numberOf(p); if( n != 0 ) state.put(p, n); } return state; }

Definition of Test Actions : size() method scenario public class PQueueTestScenario { scenario public boolean size() { queue.size(); return true; }

Definition of Test Actions : enq() method scenario public class PQueueTestScenario { scenario public boolean enq() { Object arg = new Object(); iterate( int priority = PQueueSpecification.Min_Priority; priority <= PQueueSpecification.Max_Priority; priority++; queue.priorities.toSet().size() <= 3 || queue.priorities.contains(priority) && queue.priorities.numberOf(priority) < 2 ) { queue.enq(param, priority); } return true; }

Definition of Test Actions : deq() method scenario public class PQueueTestScenario { scenario public boolean deq() { queue.deq(); return true; }

Using Nondeterministic FSMs : Bounded Queue add Empty Single element Intermediate Almost full Full remove Empty Single element Intermediate Almost full Full fill empty

Testing Concurrency Fair Concurrency Axiom : Concurrent execution of several operations is correct if and only if it is equivalent to somehow ordered one So, to test the concurrent execution of calls we should check that it behaves like some sequence of the same calls –The system can be modeled as an ordinary FSM –Test engine generates pairs, triples, and so on, of concurrent actions System not satisfying Fair Concurrency Axiom should be modeled as asynchronous FSM

Possible behavior: input: aba ouput: yyx xxyxyyyx xyyyxy all possible outputs: { x*yx*yy*x(x*y)?, x*yy*xx*y } Asynchronous FSM Some transitions are fired by a stimulus Some transitions are fired along with a reaction Some transitions are empty, modeling internal operation a/ /x /y b/ a/ /y /x b/

Engineering Problems Tests and implementation should be decoupled –Tests can be reused many times –Easy regression testing Specification should be as abstract as possible Specification should be even more reusable than tests

Test sequence construction Oracle Mediator Mediator decouples specification and implementation Mediator Target system

Mediator Construction Mediator Target system Oracle Mediator in Extended Language Specification Test Engine Test Action Iterator Test Scenario

Open State Testing Mediator constructs new model state only on the base of new implementation state Requires: Implementation state should be accessible by public fields or reliable observers Implies: Current model state actually corresponds to implementation one –Detected failure demonstrates a fault in the last operation –Transition tour is sufficient to ensure reliability Mediator Target system call response get state construct new model state state data

Hidden State Testing Mediator constructs new model state on the base of old one and implementation call results Implies: Current model state is actually a hypothesis –Detected failure can be manifestation of a fault in any previously called operation –Transition tour is insufficient to ensure reliability Mediator Target system call response construct new model state

Mediator for Priority Queue mediator public class PQueueMediator // Extends specification class extends PQueueSpecification { // Reference to an implementation object implementation public PriorityQueue target; }

Mediator Methods (Open State Testing) mediator public class PQueueMediator { public int size() { return target.size(); } public void enq(Object obj, int prty) { target.enq(obj, prty); } public Object deq() { return target.deq(); }

Model State Synchronization Method (Open State Testing) mediator public class PQueueMediator { public void mapStateUp() { items.clear(); priorities.clear(); if( target != null ) { for(int i = target._clusters.size()- 1; i >= 0; i--) { Vector v = (Vector)target._clusters.elementAt(i); for(int j = 0; j < v.size(); j++) { items.add(v.elementAt(j)); priorities.add(i); }

Mediator Methods (Hidden State Testing) mediator public class PQueueMediator { public int size() { return target.size(); } public void enq(Object obj, int prty) { target.enq(obj, prty); items.add(obj); priorities.add(prty); } public Object deq() { Object result = target.deq(); items.removeFirst(); priorities.removeFirst(); return result; }

Test Scenario Initialization scenario public class PQueueTestScenario { public PQueueTestScenario() { setTestEngine ( new DeterministicFSM_TestEngine() ); PQueueMediator.initClassState(); queue = PQueueMediator.create(new PriorityQueue()); queue.attachOracle(); }

UniTesK Practice Overview UniTesK tools UniTesK history Training courses QUTILUI project Other case studies

UniTesK Tools CTesK Uniform Test Architecture Uniform Specification Extension Integration with Development Environments CTesK VDM++TesK UniTesK Model Based Testing

UniTesK History pre-UniTesK 1994 – 1996 ISP RAS – Nortel Networks contract on functional test suite development for Switch Operating System kernel –Few hundreds of bugs found in the OS kernel, which had been 10 years in use About 600K lines of Nortel code tested by 2000 But failed to be introduced in Nortel processes

UniTesK Tools History 2000 –Conception 2001 Prototype –CTesK Lite 2002 –VDM++ TesK Product –CTesK Full

Sqrt Specification in and Extended C class SqrtSpecification { specification static double sqrt(double x) reads x { pre { return x >= 0; } post { if(x == 0) { branch "Zero argument"; return sqrt == 0; } else { branch "Positive argument"; return sqrt >= 0 && Math.abs((sqrt*sqrt-x)/x < epsilon; } specification double SQRT(double x) reads (double)x { pre { return x >= 0.; } coverage ZP { if(x == 0.) return (ZERO, "Zero argument"); else return (POS, "Positive argument"); } post { if(coverage(ZP, ZERO)) return SQRT == 0.; else return SQRT >= 0. && abs((SQRT*SQRT - x)/x) < epsilon; }

Training Courses

QUTILUI Project Goal Redesign of SOS Queue Manipulation Utilities Subsystem Activities –Requirements elicitation –Specification development –Specification review –Architecture design –Component design –Implementation –Testing and debugging

QUTILUI Project Results Bugs removed –No one found! Implementation size 25% decrease Design documentation appeared –It was actual! Tests demonstrated conformance with requirements

Other UniTesK Case Studies Debug API for mpC Workshop –Test system runtime support –Components of translator CTesK –Abstract types –Test system runtime support

References 1.A. K. Petrenko, V. V. Kuliamin, I. B. Bourdonov, A. S. Kossatchev. Experiences in using testing tools and technology in real-life applications. Proceedings of SETT’01, India, Pune, V. V. Kuliamin, I. B. Bourdonov, A. S. Kossatchev. Using Finite State Machines in Program Testing. "Programmirovanije", 2000, No. 2 (Russian). Programming and Computer Software, Vol. 26, No. 2, 2000, pp (English) 3.A.K.Petrenko, V.V.Kuliamin, I.B.Burdonov, A.V.Demakov, A.A.Jarov, A.S.Kossatchev, S.V.Zelenov. : extension of Java for real-life specification and testing. Proceedings of PSI’01, Novosibirsk, LNCS, Vol. 2244, 2001, pp A.K.Petrenko, V.V.Kuliamin, I.B.Bourdonov, A.S.Kossatchev. UniTesK Test Suite Architecture. Proceedings of FME’2002, LNCS vol.2391, 2002, pp A.Petrenko, A.Vorobiev. Industrial Experience in Using Formal Methods for Software Development in Nortel Networks. Proceedings of Testing Computer Software Conference - TCS 2000, Washington, June, A.K.Petrenko. Specification Based Testing: Towards Practice. Proceedings of PSI’01, Novosibirsk, LNCS, Vol. 2244, 2001, pp V. V. Kuliamin, I. B. Bourdonov, A. S. Kossatchev, A. V. Maximov. Testing Programs Modeled by Nondeterministic Finite State Machine. (see white papers on