Академический Документы
Профессиональный Документы
Культура Документы
October, 2007
Testing based on Finite State Models Testing based on Finite State Models
The finite state machine (FSM) model An infinite fault model Conformance relations: based on I/O sequences Testing based on FSM specifications Fault model Test derivation methods Transition Tour State identification methods Fault coverage guarantees Overview and assumptions Testing based on partially specified behavior Testing against non-deterministic specifications Testing non-deterministic FSMs with input queuing Coverage analysis
FSM
S1 is an initial state
t1: 1/1 S1 t2: 2/2 t8: 2/2 S4 t7: 1/2 t6: 2/2 t3:1/1 S2 t4: 2/2 T1: 1/1 Is a transition it has a starting state S1, and an ending state S2 S3 t5: 1/2 Its label is t1 The input is 1 and an output 1 / separates the input from the output
S2 t4: 2/2
S3 t5: 1/? ?
Ds S x X : Ds --> S : Ds --> Y
Fault Model for Finite State Machine (FSM) Fault Model for Finite State Machine (FSM)
1) Output fault: point a in FSM fault model. 2) Transfer fault: point b in FSM fault model. 3) Transfer fault with additional states: point c in FSM fault model. 4) Additional or missing transitions: point d in FSM fault model. 5) additional or missing states
t1: 1/2 t1: 1/1 S1 t2: 2/2 t8: 2/2 S4 t7: 1/2 t6: 2/2 t3:1/1 S2 t4: 2/2 t8: 2/2 S3 t5: 1/2 S4 t7: 1/2 t6: 2/2 S1 t2: 2/2 t3:1/1 S2 t4: 2/2
S3 t5: 1/2
Specification
Transfer fault on t2
The ending state is now S3
t1: 1/1 t1: 1/1 S1 t2: 2/2 t8: 2/2 S4 t7: 1/2 t6: 2/2 t3:1/1 S2 t4: 2/2 t8: 2/2 S4 S3 t5: 1/2 t7: 1/2 t6: 2/2 S1 t2: 2/2 t3:1/1 S2 t4: 2/2
S3 t5: 1/2
Specification
IUT
S3
S3 t5: 1/? ?
Specification
IUT
Example of implementation with additional Example of implementation with additional state state
Specification
S0
Impl. 1
b/f c/f a/e S1 a/f
b/e c/e I0
b/f
c/e b/e S2
c/e b/f
a/f
Impl. 2
Io b/f I3 a/e c/e b/e c/e
I2 a/f
A test suite is a set of input sequences starting from the initial state of the machine TS = { r.1.1.2.1, r.2.2.1.2.2}
S3
Test Case
r.1.1.2.1 r.2.2.1.2.2
MS
1.1.2.2 2.2.1.2.2
MI
1.1.2.2 2.2.1.2.2 Conforming Pass TS
MI
1.1.2.2 2.2.2.2.2 Non-conforming Fail to pass TS
No limitation on the number of such changes allows for an infinite set of possible implementations !!!
S3 t5: 1/? ?
Fault model for FSM specifications Fault model for FSM specifications
IDISreq/DR IDISreq/DR IDISreq/DR DT0/IDATind,AK0
s1
CR/ICONind
s2
ICONresp/CC DT0/AK0
s3
DT1/IDATind,AK1 DT1/AK1
s4
For the given transition: change the output (output fault) change the next state (transfer fault) if a new state can be added, then assume an upper bound on the number of states in implementations.
mutations
For the example above, there are (SxO)SxI = 4x74x5=2820 mutants with up to 4 states. Among them, 36 mutants represent single (output or transfer) faults, as only 9 transitions are specified. An example of a very specific fault domain: Only the transitions related to data transfer may be faulty. These are 4 transitions. This results in only 284 mutants (faulty implementations in DT0/AK0 mplf).
DT0/IDATind,AK0
s3
DT1/IDATind,AK1 DT1/AK1
s4
S3
<qe
t1: 1/1 S1 t2: 2/2 t8: 2/2 S4 t7: 1/2 t6: 2/2 t3:1/1 S2
not <qe
2/2.1/1.2/1 t1: 1/1
M2
S1 t2: 2/2 t4: 2/2 t8: 2/2 S4 t7: 1/2 t5: 1/2 t6: 2/1
S3
S3 t5: 1/2
M1
M1
For a given FSM S, a transition tour is a sequence which takes the FSM S from the initial state, traverses every transition at least once, and returns to the initial state . Fault detection power Detects all output errors, There is no guarantee that all transfer errors can be detected.
b/y
I1
b/x 3
1
b/x
1
b/x
The implementation I1 contains an output error. Our transition tour will detect it.
2
a/y
I2
3
b/x
The implementation I2 contains a transfer error. Our transition tour will not detect it.
DS method Example
S
b/y a/x a/x b/y a/x
2
a/y b/y
2
a/y a/x b/y
Impl. I2
1
b/x
3
b/x
The specification S A distinguishing sequence is : b.b If we apply it from : state 1 we obtain y.y state 2 we obtain y.x state 3 we obtain x.y
A test case which allow the detection of the transfer error is : a.b.b.b If we apply it from the initial state of : the specification we obtain x.x.y.y the implementation we obtain x.x.x.x
DS method
2
b/y a/x a/x b/y a/y
1
b/x
Phase 1: Identification of all states/ State cover From state 1, we can reach state 2 with b/y and state 3 with a/x We assume that the reset exist, Q = { , a, b} DS = b.b Test suite = {r.b.b, r.a.b.b, r.b.b.b} Phase 2, to cover all transitions for output faults and transfer faults P = { , a, b, a.b, a.a, b.b, b.a} Test suite:{r.b.b, r.a.b.b, r.b.b.b, r.a.b.b.b, r.a.a.b.b, r.b.b.b.b, r.b.a.b.b}
General methodology for state identification based methods A) Test generation based on Specification
A-1) Find the Q set or the State cover: minimal inputs that reach a state from the initial one A-2) Find the P set or Transition cover: that will cover all remaining transitions Generate Test Suites using Q and P sets
B) Fault detection
B-1) Apply the generated test suites to the specification to obtain Expected Outputs B-2) Apply the generated test suites to the implementation to obtain Observed Outputs Compare the expected and observed outputs (test results) If they are different then the verdict is fail otherwise it is a pass for the applied test suites.
DS method Example
The test cases are : state 1: a.b.b b.b.b state 3 : a.a.b.b a.b.b.b state 2 : b.a.b.b b.b.b.b Test case structure: preamble.tested transition.state identification
The UIO-method can be applied if for each state of the specification, there is an input sequence such that the output produced by the machine, when it is initially in the given state, is different than that of all other states. The UIOv-method is a variant of the UIO-method. it check the uniqueness of the applied identification sequences on the implementation, meaning that each identification sequence must be applied on each state of the implementation and the outputs are compared with those expected from the specification.
2
a/y
1
b/x
UIO sequences are : state 1 : a.b state 2 : a.a state 3 : a A transition cover set is : P={e, a, a.b, a.a, b, b.a, b.b} The test sequences generated by the UIO-method are : r.a.b, r.a.a, r.a.b.a.b, r.a.a.a.a, r.b.a.a, r.b.a.a.b, r.b.b.a
The specification S
We assume the existence of a reset transition with no output (r/-) leading to the initial state for every state of S
The W-method involves two sets of input sequences : W-set is a characteristic set of the minimal FSM, and consists of input sequences that can distinguish between the behaviors of every pair of states P-set is a set of input sequences such that for each transition from state A to state B on input x, there are input sequences p and p.x in P such that p takes the FSM from the initial state into state A.
W method Example
b/f a/e
1
a/f c/e b/e c/e
2
c/f
A characterization set is W={a, b} W1 state 1 : a/e, W2 state 2 : a/f, b/f W3 state 3 : b/e W = Union of all Wi
b/f
a/f
A transition cover set for the specification S is : P={e, a, b, c, b.a, b.b, b.c, c.a, c.b, c.c}
The specification S We assume the existence of a reset transition with no output (r/-) leading to the initial state for every state of S The W-method generates the following test sequences: (P.W) = r.a, r.b, r.a.a, r.a.b, r.b.a, r.b.b, r.c.a, r.c.b, r.b.a.a, r.b.a.b, r.b.b.a, r.b.b.b, r.b.c.a, r.b.c.b, r.c.a.a, r.c.a.b, r.c.b.a, r.c.b.b, r.c.c.a, r.c.c.b
This method is a generalization of the UIOv method which is always applicable. It is as the same time an optimization of the W-method. The main advantage of the Wp-method, over the W-method, is to reduce the length of the test suite. Instead of using the set W to check each reached state si, only a subset of W is used in certain cases. This subset Wi depends on the reached state si, and is called an identification set for the state si.
2 f f
3 f
Derivation of W
a b
e
f
1
a/f c/e b/e c/e
2
c/f
b/f
A characterization set is W={a, b} for W method for state 1 : a/e for state 2 : a/f, b/f for state 3 : b/e The identification sets are : W1={a}, distinguishes the state 1 from all other states W2={a, b}, distinguishes the state 2 from all other states W3={b}, distinguishes the state 3 from all other states
a/f
The specification S We assume the existence of a reset transition with no output (r/-) leading to the initial state for every state of S
Phase 2 : (P-Q).Wi ={r.a.a2, r.a.b2, r.b.c.a2, r.b.c.b2, r.b.a.a1, r.b.b.b3, r.c.a.b3, r.c.c.a2, r.c.c.b2, r.c.b.a1}
2
a/f c/e c/e b/f a/f c/f
b/e
The application of the test sequences obtained in Phase 2 leads to the following sequences of outputs : e.f, e.f, f.f.f, f.f.f, f.f.e, f.f.e, e.f.f, e.e.f, e.e.f, e.e.e The output printed in bigger size is different from the one expected according to the specification. Therefore, the transfer error in the implementation is detected by this test sequence.
A faulty implementation I I contains a transfer error 2a/f->1 (fat arrow) instead of 2-a/f->2 as defined in the specification S
Test derivation based on FSM (Resum) Test derivation based on FSM (Resum)
Transition tour guaranteed coverage only for output faults Methods using state identification with coverage guarantee for output and transfer faults. Three cases: number of states same for implementation I and specification S number of states for I possibly larger than for S, but bounded coverage only for a selected set of transitions (fault function) Methods without coverage guarantee Hand made test suite without test derivation procedure Single long test sequence vs. set of shorter test cases (e.g. test case for specific transition, test purpose) Usually, each test case requires reset to initial state; correct reset assumption
S3
Transition tour TT: t1, t4, t3, t9, t2, t3, t6, t7, t8 TT (input/expected output): a/1.b/2.a/1.a/2.b/2.a/1.b/2.a/2.b/2
DS Method
Assume that Reset transition r/- exist Q1) Verify if a.a is a DS for S and explain why? Q2) Find a DS different from a.a with length 2 for S
S0 b/1 S4 a/0
a/0 b/0
S1 b/1
W method
Assume that the reset exist and it brings the machine from any state to the initial state. a) Find characterization set W and generate the set of test cases for the specification S using the W method. b) Does S have a DS sequence? If not explain why?
S2
W method
a/0 S0 b/0 S1 b/1 b/0 a/0
S0 : b/1 S1 : a/1 S2 : a/0, b/0 W= U Wi W={a, b} Q = { ,a,b} State Cover P = { ,a, b, a.b, a.a, b.a, b.b} transition Cover P-Q = { a.b, a.a, b.a, b.b}
a/1
S2
Phase 1 , Q.W = {r.a, r.b, r.a.a, r.a.b, r.b.a, r.b.b} Phase 2, (P-Q).W = {r.a.b.a, r.a.b.b, r.a.a.a, r.a.a.b, r.b.a.a, r.b.a.b, r.b.b.a, r.b.b.b}
Examples Suite
Transition tour:
S0 b/0
a/0
Input
a.b.a.b.a.b 0.1.0.0.1.0
b/1 b/0
Output
a/1
S1
S2
a/0
Specification S
0.1 1.0
Comment: a as input at each state will loop on the state, sequence of a.a. cannot be a DS, the output will be 0.0.. or 1.1
Q set: permits to reach each state from the initial state Q = { , b,b.b} The first b to reach the state S2
S0 b/0
a/0
b.b to reach the state S1. P set is transition cover, permits to execute each transition at least one starting from the
b/1 b/0
a/1
S1
S2
a/0
initial state
S0
a b b a b a b b b b
How to derive P set: find all Path starting from the size1 and up and each transition should be traversed at least once
The goal of the Phase 1 is identification of the states in the implementation DS = a.b, Q = { , b,b.b}, P = {, a, b, b.a, b.b, b.b.a, b.b.b} Phase 1 Q.DS = {r.a.b, r.b.a.b, r.b.b.a.b} Expected output of phase 1is: {-.0.1, -.1.0.0, -.1.0.1.0} Phase 2 ( DS in bold) P.DS= {r.a.b, r.a.a.b,r.b.a.b, r.b.a.a.b, r.b.b.a.b, r.b.b.a.a.b, r.b.b.b.a.b} {-,0.1, -.0.0.1, -.1.0.0.0, -.1.0.1.0, -.1.0.1.1.0, -.1.0.0.0.1}
S0 b/0
a/0
b/1 b/0
Note that, the test suites for phase 1 and 2 should be Derived from the specification and applied to the implementation to check it for output and transfer faults.
a/0
a/1
S1
S2
Specification S
Implementation I
a/0
S0 b/0
a/0
S0
a/1
S1
S2
The implementation I has a transfer fault, the fault is not detected by Transition tour. Transition tour detects all output faults but Doesnt guarantee the detection of transfer faults
S0
a/0
Implementation I
The goal of the Phase 1 is identification of the states in the implementation DS = a.b, Q = { , b,b.b}, P = {, a, b, b.a, b.b, b.b.a, b.b.b} Phase 1 Q.DS = {r.a.b, r.b.a.b, r.b.b.a.b} Expected output of phase 1is: {-.0.1, -.1.0.0, -.1.0.1.0} {-.0.1, -.1.0.0, -.1.0.1.0} ) observed outputs from I Phase 2 ( DS in bold) P.DS= {r.a.b, r.a.a.b, r.b.a.a.b, r.b.b.a.b, r.b.b.a.a.b, r.b.b.b.a.b} {-.0.1, -.0.0.1, -.1.0.0.0, -.1.0.1.0, -.1.0.1.1.0, -.1.0.0.0.1} expected output {-.0.1, -.0.0.1, -.1.0.0.0, -.1.0.1.0, -.1.0.1.1.0, -.1.0.0.0.0}observed output from I, transfer fault detected
Specification S
S0
c/1
a/0
a/1
C/0
b/0
c/0
S2
b/0
b/0
S1
a/0
a.b.a.b.c.a.c.b.c 0.0.0.0.0.1.1.0.0
0 0
1 0
completeness: completely specified or partially specified connectedness: strongly connected or initialy connected reducibility: reduced or non-reduced determinism: deterministic or non-deterministic
13
r/- t3:1/1
t6: 2/2 S3
15
Example:
Equipment to test Entity N+1
SAP Entity N
SAP Entity N
SAP Entity N
Methods for Fault Coverage Evaluation Methods for Fault Coverage Evaluation
The definition of fault coverage always depends on fault model! Exhaustive mutation analysis Monte-Carlo simulation method Deciding completeness minimize an FSM which is given in the form of the TS, if its minimal form is equivalent to the given FSM then TS is complete (the max # states is assumed), otherwise it is not complete [see Yao] Structural Analysis it evaluates the fault coverage of a given test suite by directly analyzing the test suite against the given FSM. Count the number of states distinguished and transitions checked by the test suite. A numeric measure easy to evaluate (linear complexity) [see Yao] Different possible measures compare number of implementations (common approach) compare the log of number of implementations (corresponds to counting transitions covered) [called order coverage by Yao]