Input-output conformance testing for channel-based connectors
  Natallia Kokash (Accepted for PACO’2011)
  ACG, 31/05/
Agenda
  Introduction
  Reo
  Semantics of Reo
    Automata-based
    Process algebra-based
  Input-output conformance (ioco) theory
  Using ioco to test Reo
  Tool support
  Related work
  Conclusions and future work
Introduction
  Reo is a channel-based coordination language
  Components or services are coordinated by Reo connectors
  Primitive connectors with just two ends are called channels
  Connectors can be composed to form more complex connectors
  Channels are user-defined
  Nodes implement a fixed routing policy
Constraint automata
  A constraint automaton $A = (S, N, \rightarrow, s_0)$ consists of
    a set of states $S$,
    a set of port names $N$,
    a transition relation $\rightarrow \subseteq S \times 2^N \times DC \times S$, where $DC$ is the set of data constraints over a finite data domain Data,
    an initial state $s_0 \in S$.
  Two operators on CA are defined: product and port hiding
  A CA for a Reo connector can be computed as the product of the CA for its individual channels.
Basic Reo channels and nodes
Constraint automata for basic channels and nodes
Process algebra mCRL2
  Actions are atomic events
  Processes are the active entities, defined as expressions over actions and other processes
  Multiaction: a|b (synchronized actions)
  Alternative composition: a + b (nondeterministic choice)
  Sequential composition: a.b (b started after a)
  Conditional: exp → a ◊ b (if-then-else)
  At operator: a@t (action a happens at time t)
  Summation: $\sum_{d \in D} a(d)$ (a(d_1) + a(d_2) + a(d_3) + …)
  Parallel composition: a||b (interleavings a.b + b.a + a|b)
  Renaming: $\rho_R(a)$, where R is a set of renamings of the form b → c, meaning that every occurrence of b in a is replaced by c
  Hiding: $\tau_H(a)$ renames all actions of H in a to τ
  Restriction (allow): $\nabla_R(a)$, where R specifies which actions are allowed to occur in a
  Blocking: $\partial_B(a)$, where B is a set of actions that are not allowed to occur in a
  Communication: $\Gamma_C(p)$, where C is a set of allowed communications of the form $a_0|\ldots|a_n \rightarrow c$, $n \geq 1$, which means that every group of actions $a_0|\ldots|a_n$ within a multiaction is replaced by an action c
From CA to mCRL2
  Data flow observed at a channel end = mCRL2 action
Correctness
Why do we need testing for Reo?
  Circuit design is error-prone
  It is not a trivial task to design a Reo connector with a certain behavior
  Model-checking is not always feasible (e.g., data-aware models with infinite domains)
  When Reo is used for workflow and dataflow design, how do we assure the quality of workflow/dataflow implementations?
Specification: Reo
Implementation: extension of BPEL
  <bpws:process exitOnStandardFault="yes" name="separation_of_duty_V_001" suppressJoinFailure="yes" targetNamespace= … …
Examples of wrong connector implementations
Input-output conformance theory
  Model-based testing aims at automatically generating test suites from software models
  J. Tretmans (2008): Model Based Testing with Labelled Transition Systems. In: Formal Methods and Testing, LNCS 4949, Springer, pp. 1–38.
  Formal, specification-based, active, black-box, functionality testing
Labelled transition systems
Language with LTS as operational semantics
Sequences of observable actions
Some definitions: tau-abstracted sequence of observable actions
Some useful definitions
LTS with Inputs/Outputs and Input-Output Transition Systems (IOTS)
Input-output transition systems
  Two ways to convert LTS with I/O to IOTS:
  1. Angelic completion: add self-loops to every reachable state
  2. Demonic completion: add a chaos state χ such that all non-specified inputs lead to χ; once in χ, any behavior is possible.
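The two completions applied to a small model, as an added example that is not part of the original slides. The dictionary encoding, the state names `chi` and `chi_quiet`, and the FIFO1 sample are assumptions made for this illustration; the self-loops are added only for inputs a state does not already specify.

```python
# Added illustration, not from the slides: completing an LTS with inputs and outputs.
# Assumed format: state -> {label: set(next states)}; "?x" is an input, "!x" an output.
CHI, QUIET = "chi", "chi_quiet"  # chaos state and its quiescent companion (names assumed)

def reachable(trans, init):
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for targets in trans.get(s, {}).values():
            for t in targets - seen:
                seen.add(t)
                stack.append(t)
    return seen

def _copy(trans, init):
    return {s: {l: set(ts) for l, ts in trans.get(s, {}).items()}
            for s in reachable(trans, init)}

def angelic(trans, init, inputs):
    """Unspecified inputs are accepted and ignored (self-loop)."""
    out = _copy(trans, init)
    for s in out:
        for a in inputs:
            out[s].setdefault(a, {s})
    return out

def demonic(trans, init, inputs, outputs):
    """Unspecified inputs lead to chi, where any behaviour is possible."""
    out = _copy(trans, init)
    for s in out:
        for a in inputs:
            out[s].setdefault(a, {CHI})
    # In chi every input and output may occur; the tau step to QUIET also
    # lets chaos produce nothing (a modelling choice of this example).
    out[CHI] = {l: {CHI} for l in set(inputs) | set(outputs)}
    out[CHI]["tau"] = {QUIET}
    out[QUIET] = {a: {CHI} for a in inputs}
    return out

def input_enabled(trans, inputs):
    return all(a in trans[s] for s in trans for a in inputs)

# Constructed sample: FIFO1 buffer, which does not specify ?A while full.
FIFO1 = {"empty": {"?A": {"full"}}, "full": {"!B": {"empty"}}}
```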
Quiescent and suspension traces
  Extend traces with observations of quiescence:
  Traces that can contain the quiescence action are called suspension traces:
Quiescence
  The occurrence of θ in a test indicates the detection of quiescence δ
Test case
  A tester should not offer more than one input at a time:
Examples of test cases
The ioco relation
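An added example, not part of the original slides: a checker for the standard ioco definition from Tretmans (2008), cited above, under which i ioco s holds when out(i after σ) ⊆ out(s after σ) for every suspension trace σ of s. It assumes finite models without τ steps and an input-enabled implementation; the dictionary encoding and the FIFO1, GOOD and LOSSY samples are constructed for this illustration.

```python
# Added illustration, not from the slides: ioco check on finite LTSs without tau steps.
# Assumed format: state -> {label: set(next states)}; "?x" is an input, "!x" an output.
DELTA = "delta"  # observation of quiescence

def outs(lts, states):
    """out(S): outputs enabled in S, plus delta for every quiescent state."""
    res = set()
    for s in states:
        res |= {l for l in lts.get(s, {}) if l.startswith("!")} or {DELTA}
    return res

def after(lts, states, label):
    """States reached from S by observing label; delta keeps the quiescent ones."""
    if label == DELTA:
        return frozenset(s for s in states if outs(lts, {s}) == {DELTA})
    return frozenset(t for s in states for t in lts.get(s, {}).get(label, ()))

def ioco(impl, i0, spec, s0):
    """None if impl ioco spec, else (suspension trace, outputs the spec forbids)."""
    start = (frozenset({i0}), frozenset({s0}))
    seen, queue = {start}, [(start, ())]
    while queue:
        (I, S), trace = queue.pop(0)
        extra = outs(impl, I) - outs(spec, S)
        if extra:
            return trace, extra
        # Only labels the specification allows extend a suspension trace of s.
        labels = {l for s in S for l in spec.get(s, {})} | {DELTA}
        for l in sorted(labels):
            nxt = (after(impl, I, l), after(spec, S, l))
            if nxt[0] and nxt[1] and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (l,)))
    return None

# Constructed sample: a FIFO1 buffer from port A to port B as the specification.
FIFO1 = {"empty": {"?A": {"full"}}, "full": {"!B": {"empty"}}}
# Input-enabled implementation that ignores A while full: conforms.
GOOD = {"empty": {"?A": {"full"}}, "full": {"!B": {"empty"}, "?A": {"full"}}}
# Faulty implementation that may lose the datum: quiescent where !B is required.
LOSSY = {"empty": {"?A": {"full", "empty"}}, "full": {"!B": {"empty"}, "?A": {"full"}}}

if __name__ == "__main__":
    print(ioco(GOOD, "empty", FIFO1, "empty"))
    print(ioco(LOSSY, "empty", FIFO1, "empty"))
```

The counterexample returned for `LOSSY` is the trace `?A` followed by an observation of quiescence, which the specification does not allow after accepting a datum.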
Example
Compositional testing
Example
Test execution
Test generation
Application of ioco to testing Reo
  Reo is a language with LTS semantics
  We can associate mCRL2 processes with each state of a Reo circuit
  {A,B,C} → A|B|C – a unique action (can be renamed, e.g., to ABC)
  Extend CA/LTS with Input/Output actions
  Is a Reo implementation input-enabled?
  Specification: CA, implementation: Reo
  Specification: Reo, implementation: Reo
  Specification: Reo, implementation: BPEL, Java, etc.
CA with Inputs and Outputs
  Encoding for boundary nodes:
Input/Output CA
  We can apply angelic completion to a CA with I/O without changing the functional behavior of the circuit it specifies
  Every boundary node A has associated Input and Output actions:
    A circuit cannot accept ?A through its input port A without observing !A
    An environment cannot observe !B on the circuit output port B before ?B
  What happens with pending requests if the circuit cannot process them?
Compositional testing for Reo
Tool support
  [Figure labels: specification (s), implementation (i)]
Test case simulation
Related work
  B. K. Aichernig, F. Arbab, L. Astefanoaei, F. S. de Boer, M. Sun & J. Rutten: Fault-Based Test Case Generation for Component Connectors. In: Third IEEE International Symposium on Theoretical Aspects of Software Engineering, (2009), pp. 147–154.
  S. Meng, F. Arbab, B. K. Aichernig, L. Aştefănoaei, Frank S. de Boer, J. Rutten, “Connectors as designs: Modeling, refinement and test case generation,” Science of Computer Programming, (2011).
    Considers connectors as designs
    A prototype tool for test case generation developed in Maude
    “An approach based on I/O FSM is not appropriate for generating test cases for connectors, since it assumes that a pair of input and output constitutes an atomic action of a system, in other words, that the system cannot accept the next input before producing the output in reaction to the previous input. In Reo, such assumptions do not hold.”
Future work
  Testing Java code generation for Reo
  Testing data-aware Reo:
    J. Tretmans L. Frantzen & T. A.C. Willemse (2005): Test Generation Based on Symbolic Specifications. In J. Grabowski & B. Nielsen, editors: Proc. FATES 2004, LNCS 3395, Springer, pp. 1–15.
  Testing timed Reo:
    Brinksma E. Brandan Briones, L. (2005): A Test Generation Framework for quiescent Real-Time Systems. In J. Grabowski & B. Nielsen, editors: Proc. FATES 2004, LNCS 3395, Springer, pp. 64–78.