Ingegneria Informatica
Module B - Software Systems Engineering
a.a. 2012-2013
Gigliola Vaglini
Software Testing
Lecture 11
Verification & Validation
Verification:
Are we building the software right?
The software should conform to its specification.
Validation:
Are we building the right software?
The software should do what the user really
requires.
V & V confidence
The aim of V & V is to establish confidence that the system is fit for purpose.
This depends on the system's purpose, user expectations and the marketing environment:
Software purpose
The level of confidence depends on how critical the software is to an
organisation.
User expectations
Users may have low expectations of certain kinds of software.
Marketing environment
Getting a product to market early may be more important than finding
defects in the program.
Verification theory
P : D → R
P(d) is a correct result if it satisfies the program specification, i.e. ok(P,d) = true
P is correct (written ok(P)) if ok(P,d) = true for each d ∈ D
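The definitions above can be sketched in Python; the toy program `P`, the predicate `spec` and the sample `T` are illustrative assumptions, not part of the slides.

```python
def P(d: int) -> int:
    """The program under verification, P : D -> R (here: integer square)."""
    return d * d

def spec(d: int, r: int) -> bool:
    """The program specification: is r a correct result for input d?"""
    return r >= 0 and r == d * d

def ok(P, d) -> bool:
    """ok(P, d) = true iff P(d) satisfies the specification."""
    return spec(d, P(d))

# ok(P) would require checking ok(P, d) for every d in D; for an infinite
# domain this can only be approximated by a finite test set T ⊆ D.
T = [-3, 0, 7]
print(all(ok(P, d) for d in T))  # True
```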
Program testing
Testing is intended to show that a program does what it is
intended to do and to discover program defects before it is put
into use.
When you test software, you execute a program using artificial
data.
You check the results of the test run for errors, anomalies or
information about the program's non-functional attributes.
An input-output model of
program testing
Advantages of inspections
During testing, errors can mask (hide) other errors.
Because inspection is a static process, you don't have to be concerned with interactions between errors.
Incomplete versions of a system can be inspected without
additional costs. If a program is incomplete, then you need
to develop specialized test harnesses to test the parts that
are available.
As well as searching for program defects, an inspection
can also consider broader quality attributes of a program,
such as compliance with standards, portability and
maintainability.
Verification in traditional engineering
When bridges are designed, one test guarantees infinitely many correct situations:
if a bridge can carry a load of 10,000 tonnes, it can carry any smaller load.
Verification in SE
Programs do not have a continuous behaviour.
Verifying a function at one point says nothing about all the other points:
A = 1/(x+20)
Every value of x is correct except x = -20.
Dijkstra's thesis
"Program testing can be used to show the presence of bugs, but never to show their absence" (Dijkstra's thesis, 1972).
There is no guarantee that, if at the n-th trial a module or a system has responded correctly (i.e., no more defects were found), it will do the same at the (n+1)-th.
It is impossible to produce all the possible configurations of input values (test cases) in combination with all the possible internal states of a software system.
Pessimistic inaccuracy
Programs that do possess the desired properties may be rejected: automatic analysis techniques, theorem proving.
Simplified properties
The degrees of freedom are reduced in order to simplify the properties to be verified: model checking.
The oracle
An oracle is any (human or mechanical)
agent which decides whether a program
behaves correctly in a given test, and
accordingly produces a verdict of pass
or fail.
There exist many different kinds of
oracles, and oracle automation can be
very difficult and expensive.
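A minimal mechanical oracle can be sketched as below, assuming a trusted reference implementation is available to compare against; all names are illustrative.

```python
def program_under_test(xs):
    """The implementation being tested."""
    return sorted(xs)

def reference(xs):
    """A trusted (possibly slow) model of the expected behaviour."""
    out = list(xs)
    for i in range(len(out)):
        for j in range(i + 1, len(out)):
            if out[j] < out[i]:
                out[i], out[j] = out[j], out[i]
    return out

def oracle(test_input) -> str:
    """Decides whether the program behaves correctly in one test and
    produces a verdict of 'pass' or 'fail'."""
    same = program_under_test(test_input) == reference(test_input)
    return "pass" if same else "fail"

print(oracle([3, 1, 2]))  # pass
```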
Stages of testing
Development testing, where the system is tested during
development to discover bugs and defects.
Release testing, where a separate testing team tests a complete version of the system before it is released to users.
User testing, where users or potential users of a system
test the system in their own environment.
Development testing
Development testing includes all testing activities that are
carried out by the team developing the system.
Unit testing, where individual program units or object classes are
tested. Unit testing should focus on testing the functionality of
objects or methods.
Component testing, where several individual units are integrated to
create composite components. Component testing should focus on
testing component interfaces.
System testing, where some or all of the components in a system
are integrated and the system is tested as a whole. System testing
should focus on testing component interactions.
Unit testing
One module is tested in isolation
It is a defect testing process: we are looking for logical
errors
It is performed directly by the module programmer
Units may be:
Individual functions or methods within an object
Object classes with several attributes and methods
Composite components with defined interfaces used
to access their functionality.
Automated testing
Whenever possible, unit testing should be automated so
that tests are run and checked without manual intervention.
In automated unit testing, you make use of a test
automation framework to write and run your program tests.
Unit testing frameworks provide generic test classes that
you extend to create specific test cases. They can then run
all of the tests that you have implemented and report, often through some GUI, on the success or otherwise of the tests.
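A minimal sketch of this idea with Python's unittest framework (the `leap_year` function and its tests are illustrative): the generic `unittest.TestCase` class is extended to create specific test cases, and the framework then runs them and reports on the outcome.

```python
import unittest

def leap_year(y: int) -> bool:
    # Gregorian leap-year rule: the unit under test
    return y % 4 == 0 and (y % 100 != 0 or y % 400 == 0)

class LeapYearTest(unittest.TestCase):
    # each test_* method is one test case run by the framework
    def test_divisible_by_4(self):
        self.assertTrue(leap_year(2024))

    def test_century_not_leap(self):
        self.assertFalse(leap_year(1900))

    def test_divisible_by_400(self):
        self.assertTrue(leap_year(2000))

# run all implemented tests without manual intervention
suite = unittest.defaultTestLoader.loadTestsFromTestCase(LeapYearTest)
result = unittest.TextTestRunner(verbosity=0).run(suite)
print("all passed:", result.wasSuccessful())
```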
Testing strategies
Partition testing, where you identify groups of inputs that
have common characteristics and should be processed in
the same way.
You should choose tests from within each of these groups.
Partition testing
Input data and output results often fall into different classes
where all members of a class are related.
Each of these classes is an equivalence partition or
domain where the program behaves in an equivalent way
for each class member.
Test cases should be chosen from each partition.
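A sketch of partition testing in Python, assuming an illustrative specification (an exam mark is valid in the range 0..30): the input domain splits into three equivalence partitions and one representative test case is chosen from each.

```python
def valid_mark(m: int) -> bool:
    """Illustrative program under test: accept marks in 0..30."""
    return 0 <= m <= 30

# one representative input per equivalence partition
partitions = {
    "below range (m < 0)":  -5,   # stands for all negative inputs
    "in range (0..30)":     15,   # stands for all valid marks
    "above range (m > 30)": 40,   # stands for all too-large inputs
}
expected = {
    "below range (m < 0)":  False,
    "in range (0..30)":     True,
    "above range (m > 30)": False,
}

for name, m in partitions.items():
    # the program should behave in an equivalent way for every member
    # of the partition, so the representative's verdict covers the class
    assert valid_mark(m) == expected[name], name
print("all partition representatives behave as expected")
```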
Equivalence partitioning
Equivalence partitions
Component testing
Software components are often composite components
that are made up of several interacting objects.
For example, in the weather station system, the reconfiguration
component includes objects that deal with each aspect of the
reconfiguration.
Interface testing
Objectives are to detect faults due to interface errors or
invalid assumptions about interfaces.
Interface types:
Parameter interfaces: data passed from one method or procedure to another.
Shared memory interfaces: a block of memory is shared between procedures or functions.
Procedural interfaces: a sub-system encapsulates a set of procedures to be called by other sub-systems.
Message passing interfaces: sub-systems request services from other sub-systems.
Interface errors
Interface misuse
A calling component calls another component and makes an error
in its use of its interface e.g. parameters in the wrong order.
Interface misunderstanding
A calling component embeds assumptions about the behaviour of
the called component which are incorrect.
Timing errors
The called and the calling component operate at different speeds
and out-of-date information is accessed.
System testing
System testing during development involves integrating
components to create a version of the system and then
testing the integrated system.
The focus in system testing is testing the interactions
between components.
System testing checks that components are compatible,
interact correctly and transfer the right data at the right time
across their interfaces.
System testing tests the emergent behaviour of a system.
System testing
System testing is applied to the complete, integrated software system.
The objective is to assess the compliance of the system with its specified requirements.
It is performed by the team in charge of testing (external to the development group).
System testing
Testing with respect to
Functional requirements
Non-functional requirements
Tests of:
Configuration: all the commands for exchanging/changing the physical and logical relationships of the HW components.
Recovery: the system's ability to react to crashes.
Stress: reliability under limit load conditions.
Security: invulnerability of the system to unauthorised accesses.
Use-case testing
The use-cases developed to identify system interactions
can be used as a basis for system testing.
Each use case usually involves several system
components so testing the use case forces these
interactions to occur.
The sequence diagrams associated with the use case document the components and interactions that are being tested.
Testing policies
Exhaustive system testing is impossible so testing policies
which define the required system test coverage may be
developed.
Examples of testing policies:
All system functions that are accessed through menus should be
tested.
Combinations of functions that are accessed through the same
menu must be tested.
Where user input is provided, all functions must be tested with both
correct and incorrect input.
Test-driven development
Test-driven development (TDD) is an approach to program
development in which you inter-leave testing and code
development.
Tests are written before code and passing the tests is the
critical driver of development.
You develop code incrementally, along with a test for that increment. You don't move on to the next increment until the code that you have developed passes its test.
TDD was introduced as part of Extreme Programming.
However, it can also be used in plan-driven development
processes.
Test-driven development
Simplified debugging
When a test fails, it should be obvious where the problem lies. The
newly written code needs to be checked and modified.
System documentation
The tests themselves are a form of documentation that describe
what the code should be doing.
Regression testing
Regression testing is the selective retesting of a system or component to verify that modifications have not caused unintended effects...
Regression testing is testing the system to check that changes have not broken previously working code.
This kind of testing is easy to automate: the new program is executed with the old test data and the results are compared against the old ones stored in a database.
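A sketch of automated regression testing in Python; the program, the old test data and the stored results (here a plain dict standing in for the database) are illustrative.

```python
def word_count(text: str) -> int:
    """The (modified) program under test."""
    return len(text.split())

# (input, stored result) pairs recorded from a previous, working version
regression_suite = {
    "hello world": 2,
    "": 0,
    "one  two   three": 3,
}

def run_regression(program, suite):
    """Re-run the old test data and report inputs whose results changed."""
    return [inp for inp, old in suite.items() if program(inp) != old]

failures = run_regression(word_count, regression_suite)
print("regression OK" if not failures else f"broken cases: {failures}")
```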
Requirements tests
Set up a patient record with no known allergies. Prescribe medication for
allergies that are known to exist. Check that a warning message is not issued
by the system.
Set up a patient record with a known allergy. Prescribe the medication that the patient is allergic to, and check that the warning is issued by the system.
Set up a patient record in which allergies to two or more drugs are recorded.
Prescribe both of these drugs separately and check that the correct warning for
each drug is issued.
Prescribe two drugs that the patient is allergic to. Check that two warnings are
correctly issued.
Prescribe a drug that issues a warning and overrule that warning. Check that
the system requires the user to provide information explaining why the warning
was overruled.
Specific testing
Performance tests usually involve planning
a series of tests where the load is steadily
increased until the system performance
becomes unacceptable.
Stress testing is a form of performance
testing where the system is deliberately
overloaded to test its failure behaviour.
User testing
User or customer testing is a stage in the testing process in
which users or customers provide input and advice on
system testing.
User testing is essential, even when comprehensive
system and release testing have been carried out.
The reason for this is that influences from the user's working environment have a major effect on the reliability, performance, usability and robustness of a system. These cannot be replicated in a testing environment.
Beta testing
A release of the software is made available to users to allow them
to experiment and to raise problems that they discover with the
system developers.
Acceptance testing
Customers test a system to decide whether or not it is ready to be
accepted from the system developers and deployed in the customer
environment. Primarily for custom systems.
Acceptance testing
Acceptance testing checks the system
behavior against the customer's requirements; the customers undertake,
or specify, typical tasks to check that
their requirements have been met. This
testing activity may or may not involve
the developers of the system.
Testing theory
Lecture 12
Testing theory
Given a test T (T is a subset of D), T is successful for P if ok(P,T); otherwise it is called inadequate.
T is called ideal if ok(P,T) ⇒ ok(P).
One goal of testing theory is the definition of methods to choose tests that approximate the ideal tests.
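These definitions can be illustrated in Python with the earlier example A = 1/(x+20), which fails only at x = -20: a test set that misses -20 is successful (ok(P,T) holds) and yet not ideal, since it does not imply ok(P). All names are illustrative.

```python
def P(x):
    # fails (raises ZeroDivisionError) exactly at x = -20
    return 1 / (x + 20)

def ok_on(P, d):
    """ok(P, d): does P produce a correct result on input d?"""
    try:
        P(d)
        return True
    except ZeroDivisionError:
        return False

def successful(P, T):
    """ok(P, T): the test T reveals no failure."""
    return all(ok_on(P, d) for d in T)

print(successful(P, [0, 1, 100]))  # True: successful, but not ideal
print(successful(P, [0, -20]))     # False: this test exposes the failure
```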
Proof
If a failure exists, it will occur for an input datum d; C chooses at least one test T containing d, and thus T will cause the failure.
On the other hand, not every test T satisfying C contains d.
Howden's theorem
No algorithm exists that, for any P, can define a finite ideal test (no consistent and complete selection criterion exists).
Howden's theorem
It does not say that a consistent and complete criterion does not exist (just take the criterion that selects all and only the data that cause a failure); it only says that such a criterion is not effective (it cannot be translated into an algorithm able to produce the result in finite time).
Howden's theorem corresponds to Dijkstra's thesis.
Undecidable problems
Undecidable problems greatly influence testing.
A problem is undecidable if it can be proved that no algorithm exists that solves it.
Decision problems
Computationally complete languages
A programming language is said to be computationally complete if all the recursive functions, or equivalently all the functions computable by a Turing Machine, can be defined in it.
Undecidable problems
It is not possible to decide whether two programs compute the same function or not.
Consequence: given a program C that is known to be correct (the specification of P?), we cannot prove that P is correct by proving the equivalence of P and C.
Weyuker's theorem
For each program P the following are undecidable problems:
whether at least one input datum exists that causes the execution of instruction i or of branch b;
whether at least one input datum exists that causes the execution of all the instructions of P, or of all the branches of P.
Weyuker's theorem
Does an input datum exist that causes a particular execution sequence of instructions?
Does an input datum exist that causes the execution of every possible instruction sequence of a program?
This theorem is important for the testing methods that require the execution of particular elements of the program.
However, given an undecidable problem, it is possible to identify significant decidable subproblems, for which algorithms can be formulated that partially solve the problem.
Moreover, undecidable problems can always be tackled in a creative, non-mechanical way.
Testing techniques
The main classification is based on how tests
are generated from the software engineer's intuition and experience, the specifications, the
code structure, the (real or artificial) faults to
be discovered, the field usage, or, finally, the
nature of the application.
Sometimes these techniques are classified as
white-box, if the tests rely on information
about how the software has been designed or
coded, or as black-box if the test cases rely
only on the input/output behavior.
White-box testing
Coverage criteria
Statement coverage
Edge coverage
Condition coverage
Path coverage
Data flow (syntactic dependency)
coverage
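The first of these criteria, statement coverage, can be illustrated with hand-instrumented code (a didactic sketch, not a real coverage tool): each statement records its id, and coverage is the fraction of ids hit by the test set.

```python
covered = set()   # ids of the statements executed so far

def classify(x):
    covered.add(1)          # statement 1: evaluate the condition
    if x < 0:
        covered.add(2)      # statement 2: negative branch
        return "negative"
    covered.add(3)          # statement 3: non-negative branch
    return "non-negative"

statements = {1, 2, 3}      # all statements of the unit

classify(5)                 # exercises only statements 1 and 3
print(f"coverage: {len(covered)}/{len(statements)}")

classify(-1)                # now statement 2 as well: full statement coverage
print(f"coverage: {len(covered)}/{len(statements)}")
```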
Testing process
Planning the quality
Test plan
Test design specification
Test case specification
Test procedure
Test item transmittal report
Test execution
Test log
Test incident report
Test completion
Test plan
The Test plan is a document describing
the scope, approach, resources, and
schedule of intended testing activities.
It identifies test items, the features
to be tested, the testing tasks, who
will do each task, and any risks
requiring contingency planning.
Introduction
Testing Tasks
Identify tasks necessary to prepare for and perform testing
Identify all task interdependencies
Identify any special skills required
Responsibilities
Identify groups responsible for managing, designing, preparing,
executing, witnessing, checking and resolving
Identify groups responsible for providing the test items
identified in the Test Items section
Identify groups responsible for providing the environmental
needs identified in the Environmental Needs section
Approvals
Cleanroom
The Cleanroom process
The Cleanroom Software Engineering process is a development process aimed at producing software with a certifiable level of reliability.
The process was developed by Harlan Mills and others at IBM in the mid-1980s.
Cleanroom aims at the prevention of defects rather than at their removal (the name recalls the clean rooms used in the electronics industry to prevent the introduction of defects during the fabrication of integrated circuits).
Basic principles
Software development is based on the use of formal methods.
The verification that the specification is respected by the design is carried out through team reviews.
The implementation is developed incrementally, with statistical quality control.
Extreme programming
Extreme Programming (XP) is an agile methodology: that is, it puts the emphasis on adaptability rather than on predictability.
Later changes to the requirements are seen as natural during the project, indeed more natural than the attempt to define all the requirements at the beginning.
Aim
The main aim of XP is to reduce the cost of
change. In traditional system development
methods the cost of changing the requirements
at a later stage will be high.
XP sets out to reduce the cost of change by
introducing basic values, principles and
practices.
By applying XP, a system development project
should be more flexible with respect to
changes.
Basic principles
XP provides a set of practices that encourage particular values.
The values are five:
Communication
Simplicity
Feedback
Courage
Respect (the latest value)
Basic techniques
Graphs
Graphs used
CFG(P)
Execution tree
CDG(P)
Dominance graphs
Dependence graphs
DFD(P)
..
Definition of a CFG
Given a program P, CFG(P) = <N, AC, nI, nF>, where
Construction of a CFG
A CFG can be built in a structured way:
the subgraphs of the various control structures are defined;
the subgraphs are composed.
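The structured construction can be sketched in Python, encoding a CFG as the tuple <nodes, edges, initial node, final node>; the helper names and the string node labels are illustrative.

```python
def seq(stmt_a, stmt_b):
    """Subgraph for a sequence: the exit of a feeds the entry of b."""
    return {stmt_a, stmt_b}, {(stmt_a, stmt_b)}, stmt_a, stmt_b

def if_then_else(cond, then_n, else_n, join):
    """Subgraph for a conditional: both branches meet at a join node."""
    nodes = {cond, then_n, else_n, join}
    edges = {(cond, then_n), (cond, else_n), (then_n, join), (else_n, join)}
    return nodes, edges, cond, join

def compose(g1, g2):
    """Compose two subgraphs: the final node of g1 flows into the
    initial node of g2; entry of g1 and exit of g2 become nI and nF."""
    n1, e1, i1, f1 = g1
    n2, e2, i2, f2 = g2
    return n1 | n2, e1 | e2 | {(f1, i2)}, i1, f2

# two statements followed by an if-then-else
g = compose(seq("s1", "s2"), if_then_else("c", "t", "e", "j"))
nodes, edges, nI, nF = g
print(nI, nF)  # s1 j
```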
Some definitions
Simplifications
A node and its immediate successor that both have a single entry point and a single exit point can be reduced to a single node in the graph.
The reduction can be applied n times (sequences of nodes); the resulting node can be labelled with the labels of the nodes reduced into it.
Self-loops can be replaced by a single node (a natural loop has a single exit and a single entry).
Graphs accompanying CFGs
The CFG represents the structure of the program.
Other graphs (in general, trees) can be associated with CFGs to represent other aspects, including dynamic ones, related to execution.
Symbolic executions
Here programs are executed in a symbolic (or abstract) way:
symbolic values for the variables are propagated along the execution paths;
statements are considered executable only if the inputs satisfy certain conditions.
How are these conditions characterised?
Path conditions
A path condition (pc), for a given statement, indicates the conditions that the inputs must satisfy for an execution to follow a path along which the statement is executed.
A pc is a Boolean expression over the symbolic inputs of a program; at the beginning of the symbolic execution it takes the value true (pc := true).
For each condition encountered during the execution, pc will take different values according to the different cases corresponding to the different execution paths.
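A tiny illustration of how a pc evolves, with conditions collected as strings over the symbolic input x (purely illustrative, not a real symbolic executor): the execution forks at the branch and each path conjoins its own case to pc.

```python
def symbolic_paths():
    """Explore both paths of:  if x > 0: y = 1  else: y = -1"""
    pc = ["true"]                 # pc := true at the start
    paths = []
    # at the condition x > 0 the symbolic execution forks; each path
    # conjoins the corresponding case to its own pc
    paths.append((pc + ["x > 0"],       "y = 1"))
    paths.append((pc + ["not (x > 0)"], "y = -1"))
    return paths

for pc, effect in symbolic_paths():
    print(" and ".join(pc), "=>", effect)
```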
Evolution of a pc
Example
Execution tree
Each leaf of the execution tree represents a path followed for classes of input values (its associated pc).
The pcs associated with two different leaves are distinct.
There are no executions for which several pcs are true at the same time (for sequential programming languages).
If the output at each leaf is correct, then the program is correct.
Executable paths
An 'executable path' is a path for which there exists a set of input data that satisfies the path condition.
A 'non-executable path' (an 'infeasible path') is a path for which no set of input data satisfies the path condition.
Call-Direct-Graph CDG(P)
Example
Dominance relation
Dominators
Example
Direct dominance
Postdominance
Given a graph CFG(P) = <N, AC, nI, nF>, and two nodes n, m ∈ N: m postdominates n if and only if, for every path in CFG(P) of the form n = p0, p1, ..., pk = nF, m ∈ {p1, ..., pk}.
The postdominance relation is transitive and not reflexive.
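Postdominators can be computed by the standard iterative fixpoint over this definition (a textbook algorithm, not taken from the slides); the successor-map encoding of the CFG is illustrative.

```python
def postdominators(succ, nF):
    """pdom[n] = set of nodes that postdominate n (n included, by the
    usual convention), computed as a fixpoint on the CFG."""
    nodes = set(succ) | {nF}
    pdom = {n: set(nodes) for n in nodes}
    pdom[nF] = {nF}                      # only nF postdominates itself
    changed = True
    while changed:
        changed = False
        for n in nodes - {nF}:
            # pdom(n) = {n} ∪ intersection of pdom over successors of n
            new = {n} | set.intersection(*(pdom[s] for s in succ[n]))
            if new != pdom[n]:
                pdom[n] = new
                changed = True
    return pdom

# diamond CFG: 1 -> {2, 3} -> 4, with 4 the final node
succ = {1: [2, 3], 2: [4], 3: [4]}
pd = postdominators(succ, 4)
print(sorted(pd[1]))  # [1, 4]: node 4 postdominates 1; nodes 2 and 3 do not
```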
Postdominators
Example
Direct postdominance
In practice
Example
CD Graph
Control dependences can be expressed through a dedicated graph.
Each edge of the graph is labelled with true, false or uncond, indicating a control dependence for a predicate value equal to true or false, or for any value, respectively.
Regions
So that each predicate node has at most two outgoing edges (one labelled true and the other false), additional nodes, called region nodes, are inserted into the graph.
Region nodes summarise the set of control dependences for each predicate.
The edges leaving a region node are labelled uncond.
Example
Properties
DF Graph
A relation describing the data flow is associated with the control graph; it represents the evolution of the values of the variables according to the operations performed on each variable in every instruction:
Example
DEF_USE relation
Live variables
Definition: the variable x is live at node v if there exists a path in the CFG from v to a node n such that x is not redefined along that path, and n uses x.
Property: the relation lvx is neither reflexive nor transitive.
Example
Structural testing
Statement coverage
Edge coverage
Condition coverage
Path coverage
Data flow (syntactic dependency)
coverage
Elementary paths
A path without circuits is called an elementary path.
The number of elementary paths in a graph is finite.
V(G) = P + 1
P: number of predicates in G
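The relation can be checked on a small illustrative CFG, together with the other standard form of McCabe's measure, V(G) = E - N + 2 (a well-known identity for a connected single-entry/single-exit graph; the second form is not stated on the slide).

```python
# a CFG with one predicate node (node 2) and a diamond around it:
# 1 -> 2, 2 -> 3, 2 -> 4, 3 -> 5, 4 -> 5, 5 -> 6
edges = [(1, 2), (2, 3), (2, 4), (3, 5), (4, 5), (5, 6)]
nodes = {n for e in edges for n in e}

E, N = len(edges), len(nodes)
v_edges_nodes = E - N + 2    # 6 - 6 + 2 = 2

P = 1                        # number of predicate nodes (node 2)
v_predicates = P + 1         # 2

print(v_edges_nodes, v_predicates)  # 2 2
assert v_edges_nodes == v_predicates
```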