A novel method for derivation of a test with guaranteed coverage for LTS Текст научной статьи по специальности «Математика»

A novel method for derivation of a test with guaranteed coverage for LTS

Gromov M.L.

Abstract—The paper addresses the problem of the relationship between tests with the guaranteed fault coverage which are derived from two models of finite transition systems: LTS with inputs and outputs and input/output FSM. On one hand, there are well developed methods for deriving such finite tests against FSM while the model of input/output LTSs lacks such methods. On the other hand, almost all FSM-based methods return preset test suites and there are no good FSM-based methods for deriving adaptive tests. For deriving adaptive tests, it is worth to use LTS model where all the methods return adaptive test suites. We propose the transformation between two models and show how a complete test suite with respect to one model can be transformed into a complete test suite with respect to another model.

the notions used in the paper. Section III defines the transformation of an LTS to an FSM. In Section IV, we define a fault model for LTSs and FSMs and complete test suites with respect to such models. Subsection IV-C shows how an LTS-based complete test suite can be derived using FSM-based derivation methods. Section V concludes the paper with the discussion on the future work.

II. Definitions

In this section, we briefly remind basic definitions for

a labelled transition system (LTS), taken from [1] and a finite state machine (FSM), taken from [2].

I. Introduction

Testing software systems, it is often necessary to take into account potential nondeterministic behaviour, when for a given input sequence several output sequences can be produced. For example, the nondeterminism in the specification can be used for the description of implementation options and/or allowable interleaving of outputs. In this, paper we allow an implementation to be less deterministic as its specification. Testing a reactive system, two finite transition models are widely used for such test derivation. Those are Labelled Transition Systems (LTS) with inputs and outputs [1] and input/output Finite State Machines (FSM) [2]. Corresponding conformance relations are the so-called ioco relation for LTSs and the reduction relation for FSMs. However, the model of input/output LTSs lacks methods for deriving finite test suites with the guaranteed fault coverage while there are well developed FSM-based methods for deriving such finite tests. On the other hand, the need for adaptive tests for nondeterministic machines has widely been discussed in various work but almost all FSM-based methods return preset test suites and thus, for deriving adaptive tests, it is worth to use LTS model where all the methods return adaptive test suites. Here by testing we understand an experiment with an implementation, and preset test means, that all input sequences to apply and output sequences to observe are given beforehand, while adaptive test imply that the next input action depends on the previous input action reaction (so, preset test is an algorithm, which is convenient to give in the form of the same formal model in which specification is given) [3]. In this paper, we propose the transformation between two models and show how a complete finite test suite with respect to one model can be transformed into a complete finite test suite with respect to another model, that is, in fact, we propose a method how finite LTS-based test suites with the guaranteed fault coverage can be derived. This paper is organised as follows. Section II presents

A. Labelled transition system

Definition 1: A (finite, deterministic) Labelled Transition System (LTS) with inputs I and outputs O is a quintuple (S, 1,O,A, s0), where S is a non-empty, finite set of states with the initial state s0 e S; I and O are disjoint finite sets representing the set of input actions and output actions, respectively. We denote their union by A. The transition relation A C S x A x S defines a function, mapping subset of S x A to S.

Let L = (S, 1,O,A, s0) be an LTS, and s, s',... range over S. Throughout this paper, we use the following conventions: for all actions a, we write s ^ s' iff (s, a, s') e A, and s ^ iff for all s' e S s ^ s' does not hold.

In ioco-based testing theory [1] the notion of quiescence is added to an LTS as follows:

Definition 2: A state s e S of an LTS L = (S, I, O, A, s0) is called quiescent - notation 5(s) - if for all a e O, s ^.

Informally, a quiescent state is a state where LTS refuses to provide outputs. Let 5 e A be a fresh label representing the possibility to observe quiescence; A^ abbreviates A U {5}. Let ct, ct',... range over A|, actions a range over A^, and S', S'',... C S. We generalise the transition relation A to A C SxA| x S, and write s ==» s' iff (s, ct, s') e A. We define A as the smallest relation satisfying the following four rules:

s =» s' A s'^ s'' s =» s' 5(s')

a-a '; s > s''

a-5

Like for ^, we write s =

if

s' for some s'. For the simplicity of presentation, we introduce the following notations.

1) [s]a =f {s' e S | s =^- s'}; generalised: [S']a =f UsGS' Is]a;

2) out(s) d=f {a e O | s }U{5 | 5(s)}; generalised:

out(S') d=f usGs' out(s);

s

s

s

s

3) in(s) = {a e I | s

Uses'in(s);

4) s-traces(s) =f {ct e A* | s

5) traces(s) = s-traces(s) 0 A*;

6) der(s) d=f UaeA* [s]a; generalised: der(S') d=f

Uses'der(s);

7) init(s) = {a e Ag | s —}.

The conformance relation iocop is defined as follows:

Definition 3: Let Li = (Si, I, O, Ai, s0i) and L2 = (S2,I, O, A2, s02) be two LTSs. LTS L1 is in iocop relation with L2 - notation L1 iocop L2 - when the following holds

Vct e s-traces(s02) :

(if soi =» then in([soi]a) 2 in([s02]a))A A(out([soi]a) C out([so2]a))

Note, that our definition of conformance relation is different from the classical ioco definition [1] that requires the LTS Li to be input-enabled. However original ioco relation is not reflexive, while iocop is reflexive. Moreover, for an input-enabled Li it holds that Li ioco L2 Li iocop L2.

B. Finite State Machine

Definition 4: An (observable) Finite State Machine (FSM) with the set of inputs I and the set of outputs O is a quintuple (T, I, O, ^, t0), where T is a non-empty, finite set of states with initial state t0 e T; I and O are disjoint finite sets representing the set of input actions and output actions, respectively. We denote their union by A. The transition relation ^ C T x I x O x T defines a function, mapping a subset of T x I x O to T.

Let F = (T, I,O,^,t0) be an FSM, and t,t',... range over T. Throughout this paper, we use the following conventions: for all input-output pair (i, o) e I x O, we

}; generalised: in(S')

" };

def

write t

i/o

and t

t =» t' A t'

i/o

t''

t

n-i/o

t''

U

teT'

[t]n

2) out(t,i)

def

out(T',i) = UteT, out(t);

{o e O | t

i/o

}; generalised:

6) init(t) = {(i,o) e I x O| t —

}.

In this paper we extend the well-known quasi-reduction between FSMs, since the old notion [2] is incorrect for partial non-deterministic FSMs with non-harmonised traces.

Definition 5: Let Fi = (Ti,1, O,^i,t0i) and F2 = (T2,I,O,^2,t02) be two FSMs. FSM Fi is quasireduction of F2 - notation Fi < F2 - when the following holds

Vn e Tr(to2) :

(if toi =^ then in([toi]n) 2 in([to2]n))A A(init([toi]a) 0 (in(t2) x O) C init([to2]a))

III. LTS TO FSM TRANSFORMATION Given LTS L = (S, I, O, A, s0), we build an FSM FL = (s,i£ ,O£(S ,M, so), where £i,£o e A are fresh input and output actions (here and later in the paper we assume, that I£ = IU {ei}, O£g = O U {eo, 5}), and ^ is defined by following rules:

a 'a — t

s —— s' A a e I

s —■ s' A a e O

5(s)

iff for all

t' iff (t, i, o, t') e ^,

t e T t -i/— t' does not hold.

Let n, n',... range over (I x O)*, input actions i range over I, output actions o range over O, and T', T'',... C T. We generalise the transition relation ^ to MC T x (I x O)* x T, and write t =» t' iff (t, ct, t') e M. We define M as the smallest relation satisfying the following four rules:

Similar to —, we write t =^ if t =^ t' for some t'. For ease of use, we introduce the following notations.

1) [t]n = {t' e T | t =»t'}; generalised: [T']n d=f

3) in(t) =f {i e I | t -—}; generalised: in(T') d=f UteT'in(t);

4) Tr(t) =f {n e (I x O)* | t =^};

5) der(t) d=f Une(/xO)* [t]n; generalised: der(T') d=f UteT'der(t);

(s,a,eo,s') e ^ (s,ei,a,s') e ^ (s,ei, 5, s) e ^

Note, that according to our transformation in FSM F£L there are no transitions with labels ei/eo, ii/i2, oi/o2, ii/oi, oi/ii, where ii,i2 e I, oi,o2 e Og.

The following theorem holds:

Theorem 1: Let Li = (Si,I,O, Ai, s0i) and L2 = (S2,I,O, A2,s02) be two LTSs. Then Li iocop L2 iff

fL 1 ^ fL2

£ ~ £

IV. Fault models and complete tests A 4 fault model and a complete test for an LTS

Definition 6: Given deterministic LTS

L = (S, I, O, A, s0), Lg is an LTS (S, I, Og, Ag,s0), for which Ag = A U {(s, 5, s)|5(s)}.

LTS Lg differs from L only by added loops with labels 5 for quiescent states. It is known [1], that s-traces(L) = traces (Lg).

Definition 7: An LTS test case is a finite LTS C = (V, I, Og ,AC , v0), which satisfies the following conditions:

1) V 2 {pass, fail}.

2) Transition graph of the LTS C is acyclic.

3) For each v e V\{pass, fail} either init(v) = Og, or init(v) = {i}, i e I holds.

4) init(pass) = init(fail) = 0.

A finite set of test cases we call a test suite.

Note, that in practice we are interested only in finite test suites and thus consider only this kind of tests.

Definition 8: An LTS L = (S, I, O,A, s0) passes a test case C = (V, I, Og ,AC ,v0) iff none of sequences ct e s-traces(L) takes LTS C from the initial state to the state fail, that is (S x {fail}) 0 der(Lg 0 C) = 0.

Definition 9: An LTS fault model is a triple (LM, iocop , EL), where LM is the LTS-specification (or simply specification), EL is a set of LTSs with input alphabet I and output alphabet O, which called the fault domain, such that for any LTS L' e EL holds: for each ct e s-traces(LM) if L' =», then in([L']a) 2 in([LM]a).

Definition 10: A test suite T = {Ci,..., Cn} is complete with respect to the fault model (LM, iocop , EL) iff for each LTS L' e EL that is not in the iocop relation with LM there exists such a test case Ck e T that L' does not pass (fails) Ck.

B. Fault models and complete test for an FSM

Definition 11: An FSM test case is FSM C =

(V, I, O, , v0), which satisfies following conditions:

1) V 2 {pass, fail}.

2) Transition graph of the FSM C is acyclic.

3) For each v e V \ {pass, fail} holds |in(v)| = 1 and out(v,i) = O, where in(v) = {i}.

4) init(pass) = init(fail) = 0.

A finite set of test cases we call a test suite.

Definition 12: An FSM F = (T, I, O,^,t0) passes a test case C = (V, I, Og ,^C ,v0) iff none of input-output sequences n e Tr(F) takes FSM C from the initial state to the state fail, that is (T x {fail}) 0der(F0C) = 0.

Definition 13: An FSM fault model is a triple (FM, -<

, EF ), where FM is the FSM-specification (or simply specification), EF is a set of FSMs with input alphabet I and output alphabet O, called the fault domain, such that for any FSM F' e EF holds: for each n e Tr(FM) if F' =», then in([F']n) 2 in([FM}v).

Definition 14: A test suite T = {Ci,...,Cn} is a complete with respect to the fault model (FM, <, EF) iff for each FSM F' e EF that is not in the relation < with FM there exists such a test case Ck e T that F' fails Ck.

C. The complete test derivation for an LTS, based on a complete test for an FSM

To the best of our knowledge, there are no methods for the complete finite test derivation for an LTS fault model (L, ioco, EL), while for the FSM fault model (F, -<, EF) such methods are well-known (for example [2]).

We now show, how results of Section III can be used to derive complete finite test for an LTS fault model (L, ioco, EL).

Given LTS fault model ML = (L, ioco, EL), where EL = {Li,L2,...}, apply the transformation, described in Section III, obtain an FSM fault model MF = (FeL, <

, EF), where EF = {FeLl,FeL2,...} and derive a complete finite test suite TF for MF. For each test case CFe = (V,I£,O£g,^,v0) from TF we build an LTS V(CFe) = (V,I,Og, A,v0), using the following rules for A:

in('ii) = {*} C / A v > v'

(v,i, v') e A

in(v) = {ei} A v - ’ /o> v' A o = eo (v, o, v') e A

It is possible to show, that V(CFe) is an LTS test case, and moreover the following statement holds:

Theorem 2: Given an LTS fault model M L = (L,ioco,EL), where EL = {Li,L2,...}, let TF = {Ci,...,Cn} be a complete test suite for the FSM fault model MF = (FeL,^,EF), where EF =

{FeLl ,FeL2 ,...}. Then V(Tf ) = {V(Ci),..., V(C„)} is a complete test for the LTS fault model ML.

V. Conclusion and future work

In this paper, we have shown how, using an FSM fault model and complete finite test for, complete finite test for an LTS fault model. The converse seems also to be possible: there can be define such a transformation of an FSM to an LTS and an LTS test case to an FSM test case, that using those and some test suite for an LTS fault model we can get a test suite for an original FSM fault model. This is one of the directions of our future work.

Another part of our future work is application of obtained results to the general case of non-deterministic LTSs and unobservable FSMs.

References

[1] J. Tretmans. Test generation with inputs, outputs and repetitive quiescence. Software—Concepts and Tools, 17(3):103-120, 1996.

[2] A. Petrenko and N. Yevtushenko. Conformance tests as checking experiments for partial nondeterministic fsm. In Proceedings of the 5th International Workshop on Formal Approaches to Testing of Software (Fates 2005), volume 3997 of LNCS, pages 118-133, 2005.

[3] R. Alur, C. Courcoubetis, and M. Yannakakis. Distinguishing tests for nondeterministic and probabilistic machines. In 27th ACM Symp.on Theory of Comp., pages 363-372, 1995.