An Industry Proof-of-Concept Demonstration of MC/DC from Automated Combinatorial Testing

Similar documents
Using Code Coverage to Improve the Reliability of Embedded Software. Whitepaper V

Predicate Abstraction Daniel Kroening 1

MTAT : Software Testing

18-642: Unit Testing 1/31/ Philip Koopman

No Source Code. EEC 521: Software Engineering. Specification-Based Testing. Advantages

Specification-based test design

Black Box Testing. EEC 521: Software Engineering. Specification-Based Testing. No Source Code. Software Testing

Testing: Test design and testing process

MTAT : Software Testing

MTAT : Software Testing

Advanced Software Testing Understanding Code Coverage

MTAT : Software Testing

Vector Software. Using VectorCAST to Satisfy Software Verification and Validation for ISO W H I T E P A P E R

Verification and Test with Model-Based Design

Second assignment came out Monday evening. Find defects in Hnefetafl rules written by your classmates. Topic: Code Inspection and Testing

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

MTAT : Software Testing

Automated Test Generation using CBMC

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

Written exam TDDD04 Software Testing

Revisiting coverage criteria for Scade models Jean-Louis Colaço 7 December 2016

Loops! Loops! Loops! Lecture 5 COP 3014 Fall September 25, 2017

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Learning Recursion. Recursion [ Why is it important?] ~7 easy marks in Exam Paper. Step 1. Understand Code. Step 2. Understand Execution

LECTURE 5 Control Structures Part 2

Finite State Verification. CSCE Lecture 14-02/25/2016

Decision Making and Loops

Chapter 20. A Closer Look at All Pairs Testing. Software Testing: A Craftsman s Approach, 4 th Edition. Chapter 20 All Pairs Testing

CIS 890: Safety Critical Systems

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Genetic improvement of software: a case study

Testing & Symbolic Execution

MTAT : Software Testing

Java PathFinder JPF 2 Second Generation of Java Model Checker

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Imagining Tests as Interactions

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Finite State Verification. CSCE Lecture 21-03/28/2017

Property Verification for Generic Access Control Models 1

Styles and Conditional Features. Version: 7.3

By Matthew Noonan, Project Manager, Resource Group s Embedded Systems & Solutions


Chapter 9 Quality and Change Management

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Pearson Education 2007 Chapter 9 (RASD 3/e)

The Spin Model Checker : Part I/II

CS1622. Semantic Analysis. The Compiler So Far. Lecture 15 Semantic Analysis. How to build symbol tables How to use them to find

Chap 2. Introduction to Software Testing

Overview. State-of-the-Art. Relative cost of error correction. CS 619 Introduction to OO Design and Development. Testing.

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Tessy Frequently Asked Questions (FAQs)

Introduction to Software Testing Chapter 3, Sec# 1 & 2 Logic Coverage

Relational operators (1)

Testing: (A Little) Logic Coverage

Styles and Conditional Features

Part I: Preliminaries 24

Simulink Verification and Validation

F. Tip and M. Weintraub FUNCTIONAL TESTING

Repetition Structures

Condition-Controlled Loop. Condition-Controlled Loop. If Statement. Various Forms. Conditional-Controlled Loop. Loop Caution.

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution. Bin Lin Department of Computer Science Portland State University

automatisiertensoftwaretests

Automated Test Generation using Model-Checking: An Industrial Evaluation

Testing Tactics. Structural Testing. Why Structural? Why Structural? Functional black box. Structural white box. Functional black box

A Simple Tutorial on NuSMV

Softwaretechnik. Lecture 03: Types and Type Soundness. Peter Thiemann. University of Freiburg, Germany SS 2008

Structural Testing. Testing Tactics. Why Structural? Structural white box. Functional black box. Structural white box. Functional black box

5) I want to get this done fast, testing is going to slow me down.

Handout 5 cs180 - Programming Fundamentals Spring 15 Page 1 of 8. Handout 5. Loops.

Exceptions, Case Study-Exception handling in C++.

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

Automated Requirements-Based Testing

Lecture 18: Structure-based Testing

Jay Abraham 1 MathWorks, Natick, MA, 01760

Error Detection Rate of MC/DC for a Case Study from the Automotive Domain

NuSMV Hands-on introduction

Formal Semantics of Programming Languages

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

2015 The MathWorks, Inc. 1

6. Test-Adequacy. Assessment Using Control Flow and Data Flow. Andrea Polini

Formal Semantics of Programming Languages

Software Quality Assurance. David Janzen

Sequence structure. The computer executes java statements one after the other in the order in which they are written. Total = total +grade;

Scoping rules match identifier uses with identifier definitions. A type is a set of values coupled with a set of operations on those values.

Testing, Fuzzing, & Symbolic Execution

Static program checking and verification

Introduction to Programming

Software Testing part II (white box) Lecturer: Giuseppe Santucci

Quality Assurance = Testing? SOFTWARE QUALITY ASSURANCE. Meaning of Quality. How would you define software quality? Common Measures.

Sample Exam ISTQB Advanced Test Analyst Answer Rationale. Prepared By

Last Time: Rolling a Weighted Die

1- Write a single C++ statement that: A. Calculates the sum of the two integrates 11 and 12 and outputs the sum to the consol.

CIS 890: Safety Critical Systems

learning objectives learn about variables, their types and their values learn about different number representations

Who is our rival? Upcoming. Testing. Ariane 5 rocket (1996) Ariane 5 rocket 3/8/18. Real programmers need no testing!

MTAT Software Engineering

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

C07: Testing and JUnit

SFU CMPT Topic: Control Statements

Transcription:

An Industry Proof-of-Concept Demonstration of MC/DC from Automated Combinatorial Testing Redge Bartholomew

Software Defects Drive Development Cost especially for safety-critical, embedded systems NIST: combinatorial tests can detect most latent defects e.g., all 6-way combinations of input variable values NIST developed an approach to automating such testing generation, execution, analysis Many systems require structural coverage (e.g., MC/DC) An experiment gauged the effectiveness of NIST approach industry verification of a software radio s monitor & control loop 2

The Approach NIST/UT tool generates combinatorial test vectors; ACTS model checker generates counter examples; User provides test vector generator with input variable definitions & values utility finds/exports counter example states that contain ACTS vectors (i.e., test cases); test harness imports, executes, analyzes test cases; identifies failures; measures coverage. VectorCAST NuSMV User provides model & properties of inputs & expected outputs 3

Defining the Input Space ACTS model defines test inputs: more values yields better test coverage but also greatly increases the number of combinations. To prevent state space explosion, values are limited to equivalence class representatives. 9 vectors (rows) contain all 37 two-way combinations of values. 4

Defining the Expected Outputs Developer models inputoutput relationships MODULE main VAR a : {0,15,16; b : {255,256; c : {true,false; d : {-1,0,1; DEFINE e := case (c = true) : a + b; TRUE : c a * d; esac; When c = true, e = a + b, otherwise, e = a * d. SPEC AG!(a = 0 & b = 256 & c = false & d = -1) AG!(a = 0 & b = 255 & c = true & d = 0) AG!(a = 0 & b = 256 & c = true & d = 1) AG!(a = 15 & b = 255 & c = true & d = -1) AG!(a = 15 & b = 256 & c = false & d = 0) AG!(a = 15 & b = 255 & c = false & d = 1) AG!(a = 16 & b = 256 & c = true & d = -1) AG!(a = 16 & b = 255 & c = false & d = 0) AG!(a = 16 & b = 256 & c = true & d = 1) Property specifies negative of ACTS vector Utility creates properties from ACTS vectors 5

Creating & Exporting Test Cases Model checker generates a counter example for each property -- spec AG is false -> State: 2.1 <- a = 0 b = 255 c = true d = -1 e = 255 -> State: 2.2 <- a = 0 test case 2 b = 255 c = true ACTS vector 2 d = 0 e = 255 -- spec AG! Utility finds state containing ACTS vector, reformats & exports it 6

Unit Tests of Monitor & Control Loop 2775 tests generated, executed, analyzed in ~1hour 600 lines of C code with 34 inputs, 4 outputs of interest 200+ defects arbitrarily seeded across code versions All defects were detected; achieved 95% MC/DC There were issues e.g., state space explosion In addition to using equivalence class values used multiple sets of vectors limited to interacting variables only (test harness set non-interacting variables to default values) 7

Another Issue: MC/DC of Nested Decisions MC/DC tests every path of every condition/decision Each condition must independently affect the decision s outcome Accepted practice: execute each decision when all conditions are true, and when each condition is false but the others true In some cases, this was non-trivial e.g., when a loop decision was nested within a decision... that used the same condition variable as the loop decision 8

MC/DC of a Nested Decision The while-loop must be tested when: radio_state applications_running & no_waveform_available radio_state applications_running & = no_waveform_available radio_state = applications_running & no_waveform_available if (radio_state!= applications_running) { while ((radio_state!= applications_running) && (radio_state!= no_waveform_available)) {... radio_state = Current_Radio_State(); control loop The first two cases are ok; the third is a problem: radio_state s value must change within the loop but the toolset allows only 1 value/variable/vector and only 1 vector/test 9

Required a Runtime Work-Around Stub uses test-only variables to force decision outcomes if (radio_state!= APPLICATIONS_RUNNING) { while ((radio_state!= APPLICATIONS_RUNNING) && (radio_state!= NO_WAVEFORM_AVAILABLE)) {... radio_state = Current_Radio_State(); bool first_pass = true; int Current_Radio_State( void ) { int loop_condition; if (first_pass == true) { loop_condition = state_1; first_pass = false; else loop_condition = state_2; return loop_condition; stub control loop ACTS model 10

Summary: The Approach Was Effective Significant detection of latent defects Significant structural coverage Moderate effort Learning to properly define the input space Learning to write properties for expected outputs 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback