Model Transformation Impact on Test Artifacts: An Empirical Study

Similar documents
Combinatorial Clause Coverage CoC

Logic Coverage. Moonzoo Kim School of Computing KAIST. The original slides are taken from Chap. 8 of Intro. to SW Testing 2 nd ed by Ammann and Offutt

Introduction to Software Testing Chapter 3, Sec# 1 & 2 Logic Coverage

Introduction to Software Testing Chapter 3.1, 3.2 Logic Coverage Paul Ammann & Jeff Offutt

Introduction to Software Testing Chapter 3.1, 3.2 Logic Coverage Paul Ammann & Jeff Offutt

Logic Coverage for Source Code

Testing: (A Little) Logic Coverage

Generating MC/DC Adequate Test Sequences Through Model Checking

COMP 3705 Advanced Software Engineering: Software Testing

Agenda. Predicate Testing. CSE 5321/4321, Ali Sharifara, UTA

Error Detection Rate of MC/DC for a Case Study from the Automotive Domain

Model Driven Development with xtuml and BridgePoint

Smart Test Case Quantifier Using MC/DC Coverage Criterion

Introduc)on to So,ware Tes)ng (2nd edi(on) Overview Graph Coverage Criteria. Paul Ammann & Jeff OffuA. hap:// so,waretest/

Lecture 2. White- box Tes2ng and Structural Coverage (see Amman and Offut, Chapter 2)

Role of Executable UML in MDA. Presented by Shahid Alam

Advanced Test Coverage Criteria: Specify and Measure, Cover and Unmask

First Steps Towards Conceptual Schema Testing

Introduction to Software Testing Chapter 3, Sec# 3.3 Logic Coverage for Source Code

Lecture 2. White- box Tes2ng and Structural Coverage (see Amman and Offut, Chapter 2)

Logic Coverage from Source Code

Structural Testing. (c) 2007 Mauro Pezzè & Michal Young Ch 12, slide 1

Adding Formal Requirements Modeling to SysML

An Introduction to Model Driven Engineering (MDE) Bahman Zamani, Ph.D. bahmanzamani.com

Certification Authorities Software Team (CAST) Position Paper CAST-25

Specification Centered Testing

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

Practical Model-based Testing With Papyrus and RT-Tester

Don t Judge Software by Its (Code) Coverage

Synthesizing Communication Middleware from Explicit Connectors in Component Based Distributed Architectures

Experiments on the Test Case Length in Specification Based Test Case Generation

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

Applying ISO/IEC Quality Model to Quality Requirements Engineering on Critical Software

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Path Testing + Coverage. Chapter 8

Logic-based test coverage

NP-Completeness of 3SAT, 1-IN-3SAT and MAX 2SAT

Automatic Calculation of Coverage Profiles for Coverage-based Testing

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

Algebraic Properties of CSP Model Operators? Y.C. Law and J.H.M. Lee. The Chinese University of Hong Kong.

Subject Software Testing Structural Testing

Model Checking of Statecharts using Automatic White Box Test Generation

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

Quality Indicators for Automotive Test Case Specifications

Logic-based test coverage

Test-Case Generation and Coverage Analysis for Nondeterministic Systems Using Model-Checkers

Automatic Generation of Test Vectors for SCR-Style Specifications

bahmanzamani.com Computer Engineering i Dept. University of Isfahan

Common Graphics Engine-1 Interface Software Development Plan

An Automated Testing Environment to support Operational Profiles of Software Intensive Systems

Review of Regression Test Case Selection Techniques

Model Checking DSL-Generated C Source Code

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

A PRACTICAL APPROACH TO MODIFIED CONDITION/DECISION COVERAGE

By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

Constructing Control Flow Graph for Java by Decoupling Exception Flow from Normal Flow

Modeling Systems Using Design Patterns

Necessary test cases for Decision Coverage and Modied Condition / Decision Coverage

Harmonization of usability measurements in ISO9126 software engineering standards

Software Testing TEST CASE SELECTION AND ADEQUECY TEST EXECUTION

Formal Verification for safety critical requirements From Unit-Test to HIL

Structural Testing. Testing Tactics. Why Structural? Structural white box. Functional black box. Structural white box. Functional black box

5th World Congress for Software Quality Shanghai, China November 2011

automatisiertensoftwaretests

How useful is the UML profile SPT without Semantics? 1

Static Safety Analysis of UML Action Semantics for Critical Systems Development

Part I: Preliminaries 24

Introduction to Dynamic Analysis

Using Code Coverage to Improve the Reliability of Embedded Software. Whitepaper V

Test Automation. 20 December 2017

Software Language Engineering of Architectural Viewpoints

Fault Evaluator Engine Expression DB Test DB Fault Generator Results Compact Windows Summary Window Detail Window Output Files CSV HTML Main Class Inp

Model Driven Engineering (MDE)

Leveraging DTrace for runtime verification

CODE / CONFIGURATION COVERAGE

IJREAS Volume 2, Issue 2 (February 2012) ISSN: COMPARING MANUAL AND AUTOMATIC NORMALIZATION TECHNIQUES FOR RELATIONAL DATABASE ABSTRACT

Reading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Evaluation and Design Issues of Nordic DC Metadata Creation Tool

A UML SIMULATOR BASED ON A GENERIC MODEL EXECUTION ENGINE

Symbolic Evaluation/Execution

Model-Based Development of Embedded Systems with MDA and xtuml

SOFTWARE ENGINEERING

Class-Component Testability Analysis

Testing Tactics. Structural Testing. Why Structural? Why Structural? Functional black box. Structural white box. Functional black box

By Matthew Noonan, Project Manager, Resource Group s Embedded Systems & Solutions

2 nd UML 2 Semantics Symposium: Formal Semantics for UML

Metaheuristic Optimization with Evolver, Genocop and OptQuest

MSc Software Testing and Maintenance MSc Prófun og viðhald hugbúnaðar

ACCELERATING DO-254 VERIFICATION

Requirements Specifications

IBM Rational Rhapsody

CONSTRAINT SPECIFICATIONS USING PATTERNS IN OCL

Decision Management in the Insurance Industry: Standards and Tools

Proposal of a software coding analysis tool using symbolic execution for a railway system

USING GENERIC OBJECT INHERITANCE

FOUR INDEPENDENT TOOLS TO MANAGE COMPLEXITY INHERENT TO DEVELOPING STATE OF THE ART SYSTEMS. DEVELOPER SPECIFIER TESTER

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

On the Role of Formal Methods in Software Certification: An Experience Report

I. Khalil Ibrahim, V. Dignum, W. Winiwarter, E. Weippl, Logic Based Approach to Semantic Query Transformation for Knowledge Management Applications,

Transcription:

Model Transformation Impact on Test Artifacts: An Empirical Study Anders Eriksson Informatics Research Center University of Skövde, Sweden anders.eriksson@his.se Birgitta Lindström Sten F. Andler Informatics Research Center University of Skövde, Sweden Jeff Offutt Software Engineering George Mason University Fairfax, VA 22030-4444 USA ABSTRACT Development environments that support Model-Driven Development often focus on model-level functional testing, enabling verification of design models against their specifications. However, developers of safety-critical software systems are also required to show that tests cover the structure of the implementation. Unfortunately, the implementation structure can diverge from the model depending on choices such as the model compiler or target language. Therefore, structural coverage at the model level may not guarantee coverage of the implementation. We present results from an industrial experiment that demonstrates the model-compiler effect on test artifacts in xtuml models when these models are transformed into C++. Test artifacts, i.e., predicates and clauses, are used to satisfy the structural code coverage criterion, in this case MCDC, which is required by the US Federal Aviation Administration. The results of the experiment show not only that the implementation contains more test artifacts than the model, but also that the test artifacts can be deterministically enumerated during translation. The analysis identifies two major sources for these additional test artifacts. Categories and Subject Descriptors D.2 [Software]: Software Engineering; D.2.5 [Software Engineering]: Testing and Debugging; D.2.13 [Software Engineering]: Reusable SoftwareReuse models General Terms Verification, Experimentation, Design Keywords Model coverage, structural code coverage, xtuml, MCDC, model-driven development, model transformation Saab Aeronautics, Linköping anders.k.eriksson@saabgroup.com 1. INTRODUCTION In a Model-Driven Architecture (MDA), a platform-independent model (PIM) is initially expressed in a platform-independent modeling language, such as Executable UML [7]. Using a model compiler, the specification is transformed into a platform-specific model (PSM) or any code-level implementation. The code generator, i.e., the model compiler, is free to transform the design model in any way as long as the transformed program computes the same results as the original program specification. This can include reordering pieces of code as well as reducing the number of operations, replacing them or inserting new instructions [8]. Model-driven development (MDD) environments often focus on functional testing, enabling the verification of design models against their specifications. Sometimes we must also show that the tests cover the structure of the implementation. The design model is usually transformed to code, which is compiled and executed for structural coverage analysis. If the structural code coverage criteria are not met, additional tests are needed. It is however, not sufficient to generate any additional tests to cover the missing code structure. Instead tests for safety critical software in avionics must be designed from the specification [10]. Hence additional tests to achieve the required coverage must be created at the model level. Structural code coverage is not applied to safety-critical software just to satisfy structural coverage criteria. Instead, the structural coverage is used to measure how well tests derived from requirements exercise the code structure. With this approach it is possible to recognize unintended or missing functionality, which would not be possible if the only goal was to satisfy structural coverage. Functionality that is not described in the specifications should not be covered by tests, it should be removed from the code. Structural code coverage is analyzed at the code level while tests are designed at a model level, so time-consuming iterations between levels are required. Moreover, designing tests at the model level to cover the structure at the code level requires knowledge of the transformation. This violates one of the major benefits of MDD, the separation of abstraction layers. Hence, in a model-driven environment it is better to move as much testing activity from code level to model level as possible. However, before substituting the code-level activity with model-level activity, it is important to analyze how structural code coverage criteria should be applied in an MDD environment. 1

Kirner [5] identified four issues for determining structural code coverage at the model and code level: (i) The modeling language may use a different implementation style (e.g., data flow instead of control flow). (ii) The modeling language may use abstractions that hide details of the implementation, making it harder to identify structural entities to cover within the model. (iii) Code generation may be parameterizable (i.e., model semantics and implementation depend on the code generation settings). (iv) Many modeling environments are continuously being developed, so the semantics of language constructs change over time. Further, modeling languages are rarely standardized; each tool provider often has its own modeling language. These potential problems apply to both design models with automatic code generation and manual coding. We present results from an experiment that studies the effect of abstraction (ii) and parameterized code generation (iii). We investigate the influence on structural code-coverage within design models specified in executable and translatable UML (xtuml) [7]. Our approach is to analyze the predicates and clauses (collectively called test artifacts) that are involved in structural coverage criteria at both levels. We identify additional test artifacts that are created during transformation, and count how many clauses are in each predicate to estimate the number of test requirements for logic-based test criteria such as MCDC. We count the number of test artifacts, i.e., predicates and clauses rather than the number of test requirements or tests for two reasons. First, we want a measurement that is general and objective. Given the number of test artifacts it is possible to calculate the number of test requirements for various logic-based test criteria. Second, the number of test artifacts is more independent of process than the number of test cases since it is not obscured by the specific values of the tests. The size of a test suite depends heavily on how intelligently we select the tests, while the number of test artifacts is given by the structure. Section 2 of this paper gives the necessary background on logic-based testing criteria and xtuml. Section 3 presents related work. Section 4 introduces the industrial applications used and describes how the quantitative measurements are applied at both the model and code levels. Section 5 presents the results from our experiment and Section 6 summarizes our conclusions and suggests future work. 2. BACKGROUND Logical expressions are common to almost every type of software artifact. Several test criteria have been defined that are based on logical expressions. One of the most known criterion is the Modified Condition Decision Coverage (MCDC) [3], which is required by the US Federal Aviation Administration (FAA) for certifying safety critical software with the highest safety level in commercial avionics software [10]. The diversity in terminology and presentations has led to confusion among users of MCDC. To overcome these problems, Ammann et al. [1] integrated existing ideas of logicbased test criteria into a common unifying framework. This generic view of the structures is suitable for our study since it is independent of whether the logic expressions are derived from the model or code. 2.1 Logic Expression Criteria A predicate is an expression that evaluates to a Boolean value. Predicates consist of one or more clauses. A clause is a Boolean variable, non-boolean variables combined by a relational operator, or a call to a Boolean function. For example, the predicate p = (a < b D) f(x) contains three clauses: a relation expression (a<b), a Boolean variable D and a Boolean function call f (x). The most common logical operators in source code are negation ( ), and ( ) and or ( ). Other logical operators, implication ( ), exclusive or ( ) and equivalence ( ), are more common in specification languages. Logic-based test coverage criteria focus on covering clauses (clause coverage), predicates (predicate coverage), or subsets of evaluations of predicates (e.g., active clause coverage) [1]. Ammann et al. [1] presented three different interpretations of the MCDC definition, which they defined as GACC, CACC and RACC (see below), all variants of active clause coverage. As mentioned, we count the number of clauses and predicates and thus can compute the number of test requirements for clause coverage (CC) and predicate coverage (PC). We also calculate the number of clauses within each predicate and show by an example how this gives us the number of test requirements for active clause coverage. All three variants of active clause coverage generate the same number of test requirements (approximately two per clause) and all three produce redundant test requirements since each requirement specifies a row in a truth table and the same row can be needed for more than one clause. We will show this in the example. The definition used in the example, correlated active clause coverage (CACC), corresponds to masking MCDC [2]. Definition 1. [Correlated Active Clause Coverage (CACC)] For each p P and each major clause c i C p, choose minor clauses c j, j i so that c i determines p (c i is active). Then define two requirements for each c i : c i evaluates to true and c i evaluates to false. The values chosen for the minor clauses c j must cause p to be true for one value of the major clause c i and false for the other. [1] Consider the predicate p = a (b c). It has three clauses, thus we get six test requirements. Some are redundant, leaving four unique test requirements. To show a s independence, (b c) must be false while a is assigned the value true once and false once. The expression (b c) can be false in three ways, any of which can be used to show a s independent effect on the predicate evaluation. Consider the truth table in Table 1. The table shows the truth values for the individual clauses as well as the predicate. It also shows which clauses are active. For example p a 2

Table 1: Truth table for predicate p. Entry a b c p = a (b c) p a p b p c 0 T T T T F F F 1 T T F T T F F 2 T F T T T F F 3 T F F T T F F 4 F T T T F T T 5 F T F F T F T 6 F F T F T T F 7 F F F F T F F is true if changing the value of a would affect the value of the predicate. Clause a can be made active by using any of rows {1,2,3} from Table 1 combined with any of rows {5,6,7}, i.e., a choice of nine combinations. Clauses b and c only have one pair of choices each, {4,6} and {4,5}. Hence, the test requirements must include rows 4, 5 and 6 to cover b and c. Given that we must choose {4,5,6}, we can simply add any entry from {1,2,3} in order to also cover a. This gives us three choices for minimal sets of rows, {1,4,5,6}, {2,4,5,6}, or {3,4,5,6}, to satisfy CACC for predicate p. To achieve 100% CACC coverage given a predicate with N clauses the minimal number of test requirements (TR) is N +1 and the maximal number is 2N [1]. Predicate Coverage (PC) requires just one pair of test requirements for predicate p, p = true and p = false. These can be satisfied by combining any of rows {0,1,2,3,4} with any of rows {5,6,7}. To achieve 100% PC coverage, we therefore get two test requirements per predicate. For each clause c, CC requires one test requirement such that c = true and one such that c = false. The test requirements for CC can be satisfied by combining two rows with different evaluations for all clauses, i.e., {0,7}, {1,6}, {2,5} or {3,4} in the example above. The number of test requirements for a given predicate is therefore 2, independent of the number of clauses. Stronger logic criteria such as CACC and MCDC are only needed when predicates have more than one clause. If a predicate has a single clause, CACC and MCDC (and CC) collapse to simply PC. 2.2 Abstraction Levels This study has two abstraction levels; the model level and the code level. Our models are expressed in xtuml, which is a profile of the UML that defines execution semantics for a selected translatable subset of UML. Decisions about the organizations of the hardware and software are abstracted away in an xtuml specification. Physically, an xtuml specification comprises a set of models represented as diagrams that describe and define concept and behavior of the system. The set of models are the class models, the state machines for classes and the states procedures 1. These three models 1 Example models can be seen in the BridgePoint modeling suite. http://www.mentor.com/products/sm form a complete definition of the subject matter under study and the existence of a defined dynamic semantics makes the three models computationally complete. This allows xtuml to be executed, verified, and translated into an implementation. 3. RELATED WORK Rajan et al. [9] presented an empirical study that measured the effect of program and model structures on MCDC test adequacy coverage. The study used six realistic systems from the civil avionics domain, specified in Simulink 2. The purpose of the study was to measure structural coverage on two versions of the implementation, with and without expression folding (i.e., inlined and non-inlined). The authors generated test suites that satisfied MCDC over a non-inlined implementation and then showed that these test suites did not satisfy MCDC for the inlined implementation. The average reduction in coverage was 29.5%, primarily because the non-inlined versions did not account for the effect of masking [2]. Rajan et al. believe there is a serious need for coverage criteria that account for masking irrespective of implementation structure, or alternatively, a canonical way of structuring code so that condition masking is revealed when measuring coverage using existing coverage criteria. While Rajan et al. [9] studied the effect on MCDC by different implementations, we study the effect on the test artifacts by the model transformation. One approach to handle structural coverage analysis at different design levels was taken by Kirner [5]. This research focuses on ensuring that the structural code coverage achieved at a higher abstraction level is preserved during transformation down to lower levels. To guarantee preservation of structural coverage, Kirner defined formal properties that have to be fulfilled during the transformation between different program representations. These formal properties have been used to automatically create coverage profiles that can extend compilers with the feature of preserving any given code coverage criteria by enabling only those code optimizations that preserve it [6]. While Kirner and Haas [6] discussed coverage preservation by constraining the transformation, we find that there may exist implicit test requirements in the xtuml model that are made explicit by the transformation. Similar approaches to ours regarding model-to-model transformation were by Friske and Schlingloff [4] and Weissleder [11], using state machines. Friske and Schlingloff instrumented conditions of the state machine transitions to simulate All-Transition with MCDC. Wiessleder presented a model transformation for simulating coverage criteria that showed that the all-transitions coverage criterion simulates MCDC. 4. EXPERIMENTAL DESIGN As mentioned previously, Kirner [5] identified some serious transformation issues concerning abstraction and parameterization that could affect test artifacts such as predicates and clauses. Such issues need to be investigated and addressed to apply structural code coverage criteria at a platform independent design level. The goal of our study is to investigate the impact that transformations have on test artifacts. The experiment is quantitative and assesses and 2 http://www.mathworks.com/products/simulink 3

compares the number of predicates and clauses at the model level and code level. 4.1 Subjects The empirical study used aviation system software developed in xtuml by Saab Aeronautics. Saab Aeronautics is responsible for development, production, marketing, selling and supporting of the Gripen fighter 3. Our subjects are six aviation applications for an updated version of the Gripen, developed by separate teams. Table 2 shows a summary of the six applications. The columns under Action Homes represent places in the application where the behavior is expressed in object action language (OAL), for example states and operations. One application, A6, is actually a part of the model compiler itself, the functionality that transforms the object action language constructs. The model compiler is modeled in xtuml and transformed into C++. 4.2 Tools and procedure The tools used in this experiment were the BridgePoint 4 product for the xtuml modeling environment and model compiler, and the compiler framework LLVM 5 for the C++ code analysis. These tools did not directly support our needs for data collection, so we developed plugins to add additional functionality. The model compiler used with BridgePoint is designed and developed within Saab Aeronautics, where the first author is one of the developers. The same configuration of the model compiler were used for all six applications. As mentioned, the data collection functionality is designed and implemented into BridgePoint and LLVM as plugins. Both plugins count all predicates and clauses, emitting their results as plain text files, as in Figure 1. The plugin for BridgePoint traverses the xtuml meta-model (populated with instances from the applications) for data collection. The plugin for LLVM traverses the in-memory abstract syntax tree (populated with instances from the generated C++ applications) for data collection. statement during data collection we can establish traceability between the code level and the model level. We counted how many additional predicates and clauses were created, identified which predicates and clauses were new, and were then able to trace them back to their origin in the xtuml model. This makes it easy to compare results from the code level with results from the model level. 5. RESULTS AND ANALYSIS Saab Aeronautics will not allow the xtuml models and the corresponding C++ code to be shown or explained in depth. Instead, the analysis will focus on general xtuml constructs and C++ constructs. Differences between the model and code levels regarding the number of predicates and clauses were inspected manually. This was done to recognize the structural constructs that are the sources for such differences. The differences are analyzed according to logic-based coverage criteria and how they influence the structural coverage analysis. 5.1 Data Analysis The results from our experiment show an increase in the number of test artifacts for all applications, as summarized in Table 3. Each cell contains two numbers. The first is the number of test artifacts in the xtuml model, and the second is the number of test artifacts in the C++ implementation. Except for A6, all increases were single-clause predicates, which, as stated in Section 2.1, are cheap and easy to test. Table 4 shows the effect on the number of test requirements for logic-based coverage criteria. Since we know the number of predicates P and clauses C, we can calculate the number of test requirements for each application for various logic-based criteria. 2*P in Table 4 refers to the maximum of test criteria for PC, CC. Finally, P+C refers to the minimum number for active clause coverage (CACC). 5.1.1 Explicit Predicates vs Implicit Predicates An analysis of the design model and the generated code shows that new predicates come from two sources. Most new predicates are in actions representing chained navigation of associations in the xtuml models, for example: select many Predicates related by Stmts->ACT_IF[R603]->V_VAL[R625]; The second source was iteration over instance sets, for example: Figure 1: Schematic view of the experimental setup. One important feature of the model compiler is that for every C++ function generated, a label with a unique identifier derived from the corresponding xtuml model element is emitted as the first statement in the outermost block of that function. By recognizing the label as an ordinary C++ label 3 http://saabgroup.com/air/gripen-fighter-system 4 http://www.mentor.com/products/sm 5 http://llvm.org for each Predicate in Predicates end for; The chained navigation statements are transformed into several actions in the C++ code, where each action handles one step in the chain. For example, consider the following object action code taken from the BridgePoint plugin developed for this experiment. Model Level (OAL): select many If_Stmts related by Stmts->ACT_IF[R603]; 4

Table 2: Summary of experimental subjects. Action Homes Applications Components Classes States Operations Others A1 9 61 117 133 60 A2 7 66 117 137 79 A3 3 12 15 29 6 A4 3 18 15 27 7 A5 3 36 81 112 28 A6 4 444 2 582 51 Total 29 637 347 1020 231 Table 3: Number of test artifacts in xtuml model vs C++ implementation. Model/Code Level Number of Predicates with n Clauses Applications Predicates Clauses 1 2 3 4 5 A1 235/293 243/301 229/287 4/4 2/2 0/0 0/0 A2 395/564 420/589 371/540 23/23 1/1 0/0 0/0 A3 30/35 30/35 30/35 0/0 0/0 0/0 0/0 A4 49/59 51/61 47/57 2/2 0/0 0/0 0/0 A5 121/123 121/123 121/123 0/0 0/0 0/0 0/0 A6 1127/2241 1218/2338 1050/2158 69/75 4/4 2/2 2/2 Total 1957/3315 2083/3447 1848/3200 98/104 7/7 2/2 2/2 This OAL statement will select all sub-types of Stmt that are If Stmt and add them to the instance set variable If Stmts, by navigating the association R603 within the meta-model for the OAL. The corresponding C++ code uses an iterator to loop through the start instance set Stmts for this chained navigation, thus introducing new predicates. Code Level (C++): If_Stmts.Clear(); for (Iterator Stmt = Stmts->begin(), E = Stmts->end(); Stmt!= E; ++Stmt) { If_Stmt = Stmt->If_Stmt_R603.SelectOne(); if (Exists(If_Stmt)) { If_Stmts.Add(If_Stmt); } } In this example, two new predicates are introduced by the transformation from model to code, Stmt!= E and Exists(If Stmt). The predicate Exists(If Stmt) is introduced because association R603 is conditional in the direction of navigation. This example shows that there are implicit predicates in the design model that are not affected by the logicbased criteria, i.e., they do not contain any test artifacts and will therefore not contribute any test requirements if a test criterion is applied at design model level. One approach to solve this shortcoming regarding the implicit predicates is to rewrite and reconstruct the structure of the action code to perform the chained navigation one step at the time, before applying the criterion at the model level. The result after applying the rewriting is as follow: Model Level (Original OAL): select many If_Stmts related by Stmts->ACT_IF[R603]; Model Level (Rewritten OAL): for each Stmt in Stmts select one If_Stmt related by Stmt->ACT_IF[R603]; if (not_empty If_Stmt) end if; end for; This rewrite assumes the expression Stmt in Stmts is a predicate that corresponds to a function that returns a Boolean value, which depends on whether the instance Stmt is a member of the instance set Stmts. This formulation is closer to the code level where a loop is used with an exit criterion. This example shows that it is possible to make implicit predicates explicit at the model level, i.e., without introducing any platform dependency. This solution would probably make the structural coverage at the model level closer to the coverage result obtained from the code level. However this is still only valid for this specific transformation of the xtuml models used in this experiment into C++. Other transformation solutions may hide the navigation functionality in library routines that are already tested. Our results address issue (ii) presented by Kirner [5], where the abstraction corresponds to the sources of implicit predicates. The transformation from implicit to explicit predicates and to an implementation will depend, as mentioned in Kirners issue (iii), to the parameters on the code generator. 5.2 Discussion of Validity Independent variables in this experiment are the six aviation applications specified in xtuml. The dependent variables of the experiment are the predicates and clauses generated in the implementation. One possible confounding variable in this experiment can be the design guide that is followed when specifying xtuml models according to the company s development process. The design guide includes restrictions for model constructs allowed in the xtuml models. Before 5

Table 4: Impact on test requirements for logic-based criteria. Test Requirements Model Level Code Level Increase (%) Applications 2*P P+C 2*P P+C 2*P P+C A1 470 478 586 594 25 24 A2 790 815 1128 1153 43 41 A3 60 60 70 70 17 17 A4 98 100 118 120 20 20 A5 242 242 246 246 2 2 A6 2254 2345 4482 4579 99 95 Total 3914 4040 6630 6762 69 67 the xtuml models are translated into C++ code, system design decisions are specified as markings in the model to the model compiler. These markings reflect the underlying platform; most of these markings are about partitioning and scheduling of applications on the platform and should therefore not affect the number of predicates and clauses in the C++ implementation. Only one model compiler was used for the transformation. Hence, our results might not be valid for other transformations. However, the idea regarding model-to-model transformation making the implicit predicates explicit is applicable to any application specified as an xtuml model. 6. CONCLUSIONS AND FUTURE WORK This paper presents results from an industrial experiment to investigate whether coverage-based tests designed from a model will achieve the same level of coverage in the generated code. The test artifacts, predicates and clauses, are used in structural coverage criteria for safety-critical software. Such criteria are required by the US Federal Aviation Administration (FAA) for certifying safety critical parts of the avionics software in commercial aircraft [10]. This is an important issue because it is much more cost-effective to design tests at the model level than at the code level, so positive results can lead to significant savings. The experiment found an increase in the number of test artifacts and test requirements for all experimental subjects. Analysis found how implicit predicates hidden in typical statements in the object action language (OAL) create hidden control flows and loops, which account for most of the new predicates. A positive result is that the new predicates can be deterministically and fully determined during model to code transformation. Thus, most of the test design can be carried out at the model level, and the resulting tests can be augmented with additional tests from the new predicates. An additional positive result is that most of the new predicates are single-clause, so few additional tests will be needed and the additional test design activity is quite cheap. One additional future step is to analyze the opportunity to use our knowledge about implicit predicates to automatically generate the test cases to cover them. One important question is whether this is valid according to certifying regulations. 7. ACKNOWLEDGEMENTS This work was supported in part by the Research Grant 2010-01252 from the VINNOVA (Swedish Governmental Agency for Innovation Systems). 8. REFERENCES [1] P. Ammann, J. Offutt, and H. Huang. Coverage criteria for logic expression. In Proceedings of the 14th International Symposium on Software Reliability Engineering, pages 99 107. IEEE Computer Society Press, November 2003. [2] J. J. Chilenski. An investigation of three forms of the modified condition decision coverage (MCDC) criterion. Technical report, Office of Aviation Research, 2001. [3] J. J. Chilenski and S. P. Miller. Applicability of modified condition/decision coverage to software testing. Software Engineering Journal, 9(5):193 200, sep 1994. [4] M. Friske and B.-H. Schlingloff. Improving Test Coverage for UML State Machines Using Transition Instrumentation. In SAFECOMP 07, volume 4680 of LNCS, pages 301 314. Springer Berlin / Heidelberg, 2007. [5] R. Kirner. Towards preserving model coverage and structural code coverage. EURASIP Journal on Embedded Systems, 2009:6:1 6:16, January 2009. [6] R. Kirner and W. Haas. Automatic calculation of coverage profiles for coverage-based testing, 2009. Vienna University of Technology, Vienna, Austria, raimund@vmars.tuwien.ac.at. [7] S. J. Mellor and M. J. Balcer. Executable UML: A Foundation for Model Driven Architecture. Boston: Addison Wesley, ISBN 0-201-74804-5, 2002. [8] S. S. Muchnick. Advanced Compiler Design and Implementation. San Diego: Academic Press, ISBN 1-55860-320-4, 1997. [9] A. Rajan, M. W. Whalen, and M. P. Heimdahl. The Effect of Program and Model Structure on MC/DC Test Adequacy Coverage. In ICSE 08, pages 161 170, New York, NY, USA, 2008. ACM. [10] RTCA. RTCA Inc. DO-178B: Software Considerations In Airborne Systems and Equipment Certification. Requirements and Technical Concepts for Aviation. 1992. [11] S. Weissleder. Simulated Satisfaction of Coverage Criteria on UML State Machines. In ICST 10, pages 117 126, april 2010. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback