Analyzing an Extended Finite State Machine System Model
Background of the Invention System testing contributes significantly to system development and maintenance costs. TestMaster® software sold by Teradyne® Software and System Test, Inc. of Nashua, NH can reduce testing costs while increasing testing quality. Referring to FIG. 1, TestMaster® software 100 enables a designer to create 102 an extended finite state machine model of a system. An extended finite state machine is represented by a directed graph that includes states interconnected by transitions. The software 100 provides a graphical user interface that enables the designer to "draw" the model by defining the states and connecting them together with directional lines that represent transitions.
The model is independent of the system being modeled and can be created before or after the system is developed. After the designer creates 102 the model, the software 100 detects 104 paths through the model states and transitions and generates 106 testing programs corresponding to each of the detected paths . Execution of the generated testing programs can identify system design flaws and highlight differences between the model created and the actual behavior of the underlying system.
Referring to FIG. 2, an extended finite state machine model 108 of a system includes states 110-116 interconnected by transitions 118-124. For example, as shown, a model 108 includes states 110-116 and transitions 118-124 representing a bank machine system that dispenses cash to customers entering an authorized PIN (Personal
Identification Number) .
The TestMaster® system automatically detects different paths through the model 108. For example, as shown in FIG. 3, a path through the model can include model elements A - TAB - B - TBc - C - TCD - D. This path corresponds to a customer correctly entering an authorized PIN and successfully withdrawing cash. As shown in FIG. 4, a different path through the model can include model elements A - TAB - B - TBD - D. This model path corresponds to a customer who fails to correctly enter an authorized PIN.
TestMaster® offers many different procedures for detecting paths through a model. For example, a user can select from comprehensive, transition-based, N-switch, and quick-cover path detection. Comprehensive path detection outputs a test for every possible path through the model. Transition based path detection outputs tests such that each transition is included in at least one test. N-switch path detection outputs tests such that each unique sequence of N+l transitions are included in at least one test.
Comprehensive, transition, and N-switch path detection are currently implemented using a depth- first search. In contrast, quick-cover uses a "top-down" search and can output tests such that no transition is used more than a specified number of times. U.S. Patent Serial No.
08/658,344 entitled "Method and Apparatus for Adaptive Coverage in Test Generation" describes implementations of programs for detecting extended finite state machine paths. Referring again to FIG. 2, in addition to transitions and states, a model can incorporate variables
and expressions that further define the model's behavior. TestMaster® can evaluate the expressions to assign variable values (e.g., y = mx + b) or to determine whether an expression is TRUE or FALSE (e.g., A AND (B OR C) ) . The expressions can include operators, variables, and other elements such as the names of states, transitions, and/or sub-models. When a named state, transition, or sub-model is in included in an expression, the model element evaluates to TRUE when included in the path currently being detected. For example, in FIG. 2, an expression of " (A && B' " would evaluate to TRUE for path portion "A - TAE - B". As shown, expressions can use a PFL (Path Flow Language) syntax that resembles the C programming language. PFL and functions that can be called from PFL are described in The TestMaster® Reference Guide published by Teradyne®.
A model designer can associate the expressions with model elements to further define model behavior. For example, a designer can associate predicates and/or constraints with different states, transitions, and/or sub- models. Both predicates and constraints are evaluated during path detection and determine which transitions can be included in a path.
When path detection instructions encounter a model element having an associated predicate, the predicate expression is evaluated. If the predicate evaluates to
TRUE, the model element associated with the predicate can be used in the path. For example, as shown in FIG. 2, transition TBD 124 has an associated predicate 126 ("!OKPin") that determines when a path can include the transition. As shown, the predicate 126 is a boolean
expression that permits inclusion of the transition 124 m a path being detected when the boolean variable OKPm is FALSE and the path being detected has reached state B
Similarly, when path detection instructions encounter a model element having an associated constraint, the constraint expression is evaluated If the constraint evaluates to FALSE, the model element associated w th the constraint cannot be used m the path being detected. For example, as shown m FIG. 2, a transition 123 can connect a state 114 to itself To prevent a path from including a large or possibly infinite number of the same transition m a single path, a designer can specify a constraint expression 125 that limits use of a transition m a path. The "Iterate(3)" expression associated with the transition 123 limits a path through the model to including transition 123 three times. Thus, if evaluated at state C after looping around transition TCc three times, the constraint would evaluate to FALSE and prevent further use of the transition m the current path The constraint acts as a filter, eliminating generation of unwanted testing programs. Referring to FIG. 5, a model can also include one or more sub-models For example, the box labeled "EnterPIN" m FIG. 2 may be a sub-model 112 that includes additional states 128-136, transitions 138-150, and expressions. As shown, the sub-model 112 sets 150 the model variable OKPm to TRUE when the customer PIN equals 1 148; otherwise, the sub-model sets the model variable OKPm to FALSE 146
Sub-models encourage modular system design and increase comprehension of a model ' s design Referring to FIG. 6, when the software 100 detects different paths
through the system, the sub-model is essentially replaced with the states and transitions included the sub-model.
Referring again to FIG 5, a designer can define more than one transition 138-142 between states 128, 130. The designer can also associate expressions (e g , PIN = 1) with each transition 138-142, for example, to set model variables to different values For example, as shown, a designer has defined three transitions between the "Entry" 128 and "PINEntry" 130 states that each set a PIN variable to different value Defining multiple transitions between states increases the number of paths througn a model For example, paths through the sub-model 112 can include I - Tutu - J - TJK - K - TKM - M, I - Tu(2) - J - TJL - L -TLM - M, and I - Tu(3) - J - TjL - L - TLM - M. The use of multiple transitions enables testing of different conditions within the same model .
Summary of the Invention In general, m one aspect, a method of using a computer to analyze an extended finite state machine model of a system includes receiving at least one expression and corresponding expression target, determining paths of states and transitions through the model, and selecting paths such that the representation of paths satisfying the at least one expression the selected paths substantially corresponds to the expression target.
Embodiments may include one or more of the following features. The representation may be a quantitative representation The expression may include a boolean expression. The expression may include a variable, an
operator, a state, a transition, a sub-model, a table-model, and/or a requirement The expression target may be a percentage Selecting may be done such that the percentage of selected paths satisfying the expression substantially corresponds to the expression target percentage. Selecting may include determining whether a path would improve the correspondence of the representation of paths satisfying the expression to the expression target . Receiving at least one expression and corresponding expression target can include receiving more than one expression and corresponding expression target Selecting can include determining whether a path would improve the correspondence of the representation of paths to more than one expression target. In general, m another aspect, a computer program product, disposed on a computer readable medium, for analyzing an extended finite state machine model of a system includes instructions for causing a processor to receive at least one expression and corresponding expression target, determine paths of states and transitions through the model, and select paths such that the representation of paths satisfying the at least one expression the selected paths substantially corresponds to the expression target.
Brief Description of the Drawings These and other features of the invention will become more readily apparent from the following detailed description when read together with the accompanying drawings, m which:
FIG. 1 is a flowchart of a process for using an extended finite state machine model to generate tests for a
system according to the PRIOR ART;
FIG. 2 is a diagram of an extended finite state machine model according to the PRIOR ART;
FIGS. 3 and 4 are diagrams of paths through the extended finite state machine model of FIG. 2 according to the PRIOR ART ;
FIG. 5 is a diagram of a sub-model according to the PRIOR ART;
FIG. 6 is a diagram of the extended finite state machine model that includes the states and transitions of the sub-model of FIG. 5 according to the PRIOR AR ;
FIG. 7 is a flowchart of a process for determining whether a system model satisfies system requirements;
FIG. 8 is a screenshot of a table of system requirements used by the process of FIG. 7;
FIG. 9 is a screenshot of a requirements report produced by the process of FIG. 7;
FIG. 10 is a flowchart of a process for determining whether a system model satisfies specified assertions; FIG. 11 is a diagram of an extended finite state machine model that includes a table model element;
FIG. 12 is a diagram of a table having rows incorporated into the model;
FIG. 13 is a flowchart of a process for selecting a transition based on likelihood values associated with the transitions ;
FIG. 14 is a flowchart of a process for importing data and other information into an extended finite state machine model; FIG. 15 is a listing of a comma separated value file
having values that can be imported into an extended finite state machine table model element;
FIG. 16 is a flowchart of a process for detecting paths through a model that conform to a user specified mix of paths; and
FIG. 17 is a diagram of a finite state machine model that includes model elements having target mix values.
Description of the Preferred Embodiments
Introduction
The inventors have invented different mechanisms that enable testers, developers, and others to detect design and implementation flaws a system. These mechanisms can be included m TestMaster® or other software or hardware systems .
Requirements and Assertions:
Referring to FIG. 7, prose descriptions of system requirements often appear m functional and design specifications or are included m requirement documents produced by a customer Requirements can also be gleaned from customers, bug-lists, etc. As shown m FIG. 7, a process 200 enables users to specify 202 requirements as an expression of elements (e.g., variables, sub-models, states, and transitions) . For each path 204 through a model, the process 200 evaluates 206 all requirement expressions to determine which requirements are satisfied.
For example, referring again to FIG. 2, the bank machine system functional specification may describe a
requirement that no withdrawals should occur if a customer's PIN is not authorized. A user can ensure compliance with this requirement by defining a boolean expression of "NOT (withdrawal AND (NOT OKPm) ) " . After each path is detected through the model, the requirement expressions defined for the model are evaluated. The path satisfies any requirement expression that evaluates to TRUE.
Referring to FIG. 8, a user can specify and view requirement expressions via a graphical user interface. The interface shown enables a user to specify each system requirement as a row m a table 222. The table 222 includes columns for a requirement ID 208 and version number 210 for each requirement. This enables a user to quickly correlate requirements with their descriptions written documents and specify which collections of requirements should be used during path detection (e.g., only version 2 requirements need be satisfied) . The requirement ID 208 can also be used as elements m other requirement expressions.
The table also includes columns for a prose description 212 of each requirement and the boolean requirement expression 216. The table can also include a column 214 for specifying a system feature involved the requirement . A feature may have more than one associated requirement. Additionally, a table column may permit a user to name the row for inclusion m other expressions.
Further, a table can include a "source" column 218 for Hyperlinks (e.g., Universal Resource Locators) which link to external documents describing a requirement .
The information included m the table 222 may be entered manually or imported, for example, from a database,
spreadsheet, or a CSV (comma separated value) file. Similarly, the table 222 information may also be exported. Additionally, different requirements may be enabled or disabled by a user. Referring to FIG. 9, the process can generate a report 224 that describes tests that can be run to test the specified requirements. As shown, the report 224 may be a table that includes a row for each test generated and an indication of the different requirements satisfied by the test. For example, row 231 for test path 3 satisfies requirements 1.0.1 and 1.1.
The report 224 can also summarize test results, for example, by displaying the number of tests satisfying each requirement 226 or displaying the number of requirements a particular path satisfied 232. The report enables a user to understand the completeness of a set of tests, to understand how many of the requirements have been included in the model, to perform optimization, and to detect tests that do not satisfy defined requirements. Based on the report the user can see which paths satisfied the requirement and use the testing programs generated for these paths to test the system being modeled.
The requirements feature described above can also limit (i.e., "filter") the test scripts generated. For example, a user can specify that test scripts should only be generated for paths satisfying a particular requirement. Thus, only testing programs directed to testing particular features are generated.
Referring to FIG. 10, similar to requirements, assertions enable a user to specify an expression for
1C
evaluation. However, while a path through a perfectly designed model may not satisfy any requirement expressions, assertions represent expressions that should always be satisfied (e.g., TRUE) when evaluated. Failure to satisfy an assertion can represent significant model flaws needing immediate attention (e.g., when an abnormal or unexpected condition occurs) .
A process 240 for determining whether a model complies with a set of assertions includes receiving 242 assertion expressions. A user can specify that an assertion expression be evaluated at different points in the model, for example, before or after entering a particular state, transition, or sub-mode1. In another embodiment, a designer can specify that an assertion expression should be automatically evaluated before and/or after entering every sub-model element. Additionally, a designer can specify that an assertion expression should be automatically evaluated after each path through the model is detected.
When the process 240 determines 246 a path violates an assertion (i.e., the boolean assertion expression evaluates to FALSE) , the process 240 can immediately alert 248 the user of the particular path and other model information that caused the assertion violation. For example, the process 240 can call a model debugger that enables a user to view model information such as the value of different variables, the assertion violated, and model elements in the path that violated an assertion. This enables a user to examine the model context that caused the assertion to fail. The process 240 can further provide an error message and/or provide a display that highlights the
path the caused the violation.
Transition Tables:
Referring to FIG. 11, a graphical user interface provides a table 143 model element the user can include in a model. The table 143 can specify multiple sets of data to be included in the generated test .
Referring to FIG. 12, each row can include one or more variable value assignments, for example, each row can include a different value for the PIN model variable 250 and a name of the customer assigned that PIN (not shown) . Each row can further include predicate 254 and/or constraint expressions 256. The path detection instructions can select one or more of the rows for each path. Thus, the table 143 provides a convenient mechanism for viewing and defining large sets of data.
In another embodiment, the table also includes columns for specifying a source state and a destination state for each transition row (not shown) . This enables an entire model to be displayed as one or more tables of rows. The tables can be used to automatically generate a graphical display of a model. Similarly, a graphical model could be used to generate corresponding tables . The equivalence of the model and the table enable a user to easily "flip" between the different model representations. Additionally, the table may offer a column for a name of the row (not shown) . The named model element can then be included in other expressions .
Each row of the table 143 can also include a likelihood value 252. The likelihood values can be used to
select a row from the table during path detection. Referring also to FIG. 13, a process 258 for selecting a row based on likelihood values includes determining currently eligible rows 260, normalizing the likelihood values of the eligible transitions 262 to produce a probability for each eligible transition, and selecting a transition based on the produced probabilities.
For example, assume the TEST model variable is set to "1" in FIG. 12. Under this assumption, PINs 001, 002, 003, and 004 represent eligible transitions because these transitions satisfy their associated predicate and/or constraint expression (s) . As shown, the likelihood values in a table need not add to 1 or 100. For example, adding the likelihood values of the eligible rows (PINs 001, 002, 003, and 004) yields a total of 160. A row (e.g, representing a transition) can be selected by using the total likelihood value and the individual likelihood values of the eligible rows to dynamically create selection ranges for each row. For example, a sample set of ranges may be:
PIN=001 0 .000 0.062 (e.g. , 10/160)
PIN=002 0 .063 0.188 (e.g., 0.062 + 20/160)
PIN=003 0. .189 0.750 (e.g., 0.188 + 90/160)
PIN=004 0. .751 0.999 (e.g., 0.750 + 40/160)
Thereafter, a row can be selected by generating a random number between 0 and 1 and selecting the transition having a range covering the generated number. For example, a random number of 0.232 would result in the selection of the transition setting the PIN variable to "003". Use of
probabilities enables a model to be tested using data that reflects actual usage. Additionally, the use of probabilities enables a small set of rows to represent a large set of data. Further, normalizing likelihood values to produce probabilities enables the path detection instructions to process probabilities with different combinations of eligible rows.
Other embodiments can include variations of the features describe above. For example, probabilities and/or likelihood values can be assigned to transitions with or without the use of table model elements. Additionally, though the determination of eligible transitions and normalizing their respective likelihood values provides a designer with flexibility, these actions are not required to take advantage of the benefits of including probabilities in the model .
Importing Data into the Model :
The rows in the table and other model information can be hand entered by a user. Alternatively, a user can import the data from an external source. Referring to FIG. 14, a process 250 enables users to import data into a model by specifying 252 an external information source for importing 254 into the model. For example, referring to FIG. 15, for, a user can specify a file name of a CSV (Comma Separated Value) file. The first line 266 of the CSV file defines table schema information such as the table variables and their corresponding data types. For example, as shown the variable named PIN has been type-cast as a number 268. Subsequent information in the CSV is paired with the
variables defined in the first line 266. For example, the number 001 is paired with the variable PIN while the string "FirstPIN" is paired with the string variable named Otherlnformation . A database or spreadsheet could also be used as a source of external data. For example, a user could specify a relational database view or table. In response, instructions can automatically access the database to obtain schema information for the table. For example, an SQL (Structured Query Language) select command can be used to determine the variables and data included in a particular table or view and output this information to a CSV file. For interfacing with different types of data sources, the instructions may support ODBC (Open Database Connectivity) drivers .
Importing data from an external source can relieve a user from having to define a large number of transitions between states by hand. However, the importing capability is not limited to transitions. Additionally, the imported data can reflect actual testing conditions. For example, a log file produced by a system in actual use can provide a valuable source of data for the model .
Specifying a Mix of Paths: Referring to FIG. 16, a process 300 enables a user to control the mix of paths outputted during path detection. The process 300 enables a user to specify 302 a desired mix of generated tests. For example, a user can specify a percentage (or ratio) of paths that include a particular model element or that satisfy a particular expression.
During path detection, instructions track the current mix of paths (e.g. , how many paths are in the mix and how many paths include the model element) and determine 306 whether a newly detected path brings the mix closer to the user specified percentage (s) . If so, the newly detected path is saved in the mix. Otherwise, the path is discarded.
Many different procedures for determining whether a detected path brings the mix close to the user specified percentages could be used. For example, one procedure saves a detected path if the path satisfies any specified expression that is currently under-represented in the mix generated thus far. For example, referring to FIG. 17, a bank machine model 320 includes states 322-330 that represent different bank machine transactions. As shown, a user has specified that the mix of paths generated should include 40% 332 withdrawals 322 and 35% 334 checking-to- savings 330 transfers. Assume that after nine paths, two paths have included withdrawals 332 (i.e., 22%) and three have included checking-to-savings 330 (i.e., 33%) transactions. Further assume a newly generated path included the model elements A - TAB - B - TBF - F. This path includes a withdrawal 332, but no checking-to-savings 330 transactions. Since the running percentage of withdrawals 332 is only 22% as compared to a target of 40%, the new path will be included in the mix.
Other embodiments use different techniques for determining whether a path improves the mix of tests. For example, in the previous example, including the new path improved the percentage of withdrawals 332 from 22% to 33%, but would lower the percentage of checking-to-savings 330
transactions to 30%. Thus, saving the new path in the mix would bring the percentage of withdrawals 332 in the mix closer to the withdrawal target by 8% while bringing the percentage of checking-to-savings 330 by 3% away from its target . One embodiment totals the amount each current percentage is from its target percentage and compares this to the same total if the current path were saved in the mix. If the total would be reduced by inclusion of the path, the path is saved in the mix. Additionally, in some embodiments, a user can specify that some target percentages take priority over others .
The specified targets need not add up to 100% as each test mix expression is independent of the other expressions. For example, as shown in FIG. 17, the targets only totalled 75%. This gives a user flexibility in using the test mix feature.
By specifying a mix of paths, a user can generate tests for model features of interest without defining additional expressions to control model behavior. Additionally, the technique enables a user to produce tests relevant to areas of interest or that mimic behavior of interest .
Other Embodiments: The techniques described here are not limited to any particular hardware or software configuration; they may find applicability in any computing or processing environment . The techniques may be implemented in hardware or software, or a combination of the two. Preferably, the techniques are implemented in computer programs executing on programmable
computers that each include a processor, a storage medium readable by the processor (including volatile and nonvolatile memory and/or storage elements) , at least one input device, and one or more output devices. Program code is applied to data entered using the input device to perform the functions described and to generate output information.
The output information is applied to one or more output devices .
Each program is preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the programs can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language . Each such computer program is preferable stored on a storage medium or device (e.g., CD-ROM, embedded ROM, hard disk or magnetic diskette) that is readable by a general or special purpose programmable computer for configuring and operating the computer when the storage medium or device is read by the computer to perform the procedures described in this document. The system may also be considered to be implemented as a computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner.
Other embodiments are within the spirit and scope of the appended claims .
- IS