WO2000072146A1 - Analyzing an extended finite state machine system model - Google Patents

Analyzing an extended finite state machine system model Download PDF

Info

Publication number
WO2000072146A1
WO2000072146A1 PCT/US2000/014291 US0014291W WO0072146A1 WO 2000072146 A1 WO2000072146 A1 WO 2000072146A1 US 0014291 W US0014291 W US 0014291W WO 0072146 A1 WO0072146 A1 WO 0072146A1
Authority
WO
WIPO (PCT)
Prior art keywords
expression
model
paths
path
target
Prior art date
Application number
PCT/US2000/014291
Other languages
French (fr)
Inventor
Ron Kita
Kaare Klevjer
Original Assignee
Teradyne, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Teradyne, Inc. filed Critical Teradyne, Inc.
Priority to AU52863/00A priority Critical patent/AU5286300A/en
Publication of WO2000072146A1 publication Critical patent/WO2000072146A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3664Environments for testing or debugging software
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3688Test management for test execution, e.g. scheduling of test suites

Definitions

  • TestMaster® software 100 enables a designer to create 102 an extended finite state machine model of a system.
  • An extended finite state machine is represented by a directed graph that includes states interconnected by transitions.
  • the software 100 provides a graphical user interface that enables the designer to "draw" the model by defining the states and connecting them together with directional lines that represent transitions.
  • the model is independent of the system being modeled and can be created before or after the system is developed.
  • the software 100 detects 104 paths through the model states and transitions and generates 106 testing programs corresponding to each of the detected paths . Execution of the generated testing programs can identify system design flaws and highlight differences between the model created and the actual behavior of the underlying system.
  • an extended finite state machine model 108 of a system includes states 110-116 interconnected by transitions 118-124.
  • a model 108 includes states 110-116 and transitions 118-124 representing a bank machine system that dispenses cash to customers entering an authorized PIN (Personal Identification Number) .
  • PIN Personal Identification Number
  • the TestMaster® system automatically detects different paths through the model 108.
  • a path through the model can include model elements A - TAB - B - T B c - C - T CD - D. This path corresponds to a customer correctly entering an authorized PIN and successfully withdrawing cash.
  • a different path through the model can include model elements A - TAB - B - T B D - D. This model path corresponds to a customer who fails to correctly enter an authorized PIN.
  • TestMaster® offers many different procedures for detecting paths through a model. For example, a user can select from comprehensive, transition-based, N-switch, and quick-cover path detection.
  • Comprehensive path detection outputs a test for every possible path through the model.
  • Transition based path detection outputs tests such that each transition is included in at least one test.
  • N-switch path detection outputs tests such that each unique sequence of N+l transitions are included in at least one test.
  • a model can incorporate variables and expressions that further define the model's behavior.
  • the expressions can include operators, variables, and other elements such as the names of states, transitions, and/or sub-models.
  • the model element When a named state, transition, or sub-model is in included in an expression, the model element evaluates to TRUE when included in the path currently being detected. For example, in FIG. 2, an expression of " (A && B' " would evaluate to TRUE for path portion "A - T AE - B". As shown, expressions can use a PFL (Path Flow Language) syntax that resembles the C programming language. PFL and functions that can be called from PFL are described in The TestMaster® Reference Guide published by Teradyne®.
  • a model designer can associate the expressions with model elements to further define model behavior. For example, a designer can associate predicates and/or constraints with different states, transitions, and/or sub- models. Both predicates and constraints are evaluated during path detection and determine which transitions can be included in a path.
  • the model element associated with the predicate can be used in the path.
  • transition T BD 124 has an associated predicate 126 ("!OKPin") that determines when a path can include the transition.
  • the predicate 126 is a boolean expression that permits inclusion of the transition 124 m a path being detected when the boolean variable OKPm is FALSE and the path being detected has reached state B
  • a transition 123 can connect a state 114 to itself
  • a designer can specify a constraint expression 125 that limits use of a transition m a path.
  • the "Iterate(3)" expression associated with the transition 123 limits a path through the model to including transition 123 three times.
  • a model can also include one or more sub-models
  • the box labeled "EnterPIN" m FIG. 2 may be a sub-model 112 that includes additional states 128-136, transitions 138-150, and expressions.
  • the sub-model 112 sets 150 the model variable OKPm to TRUE when the customer PIN equals 1 148; otherwise, the sub-model sets the model variable OKPm to FALSE 146
  • Sub-models encourage modular system design and increase comprehension of a model ' s design
  • the sub-model is essentially replaced with the states and transitions included the sub-model.
  • a designer can define more than one transition 138-142 between states 128, 130.
  • a designer has defined three transitions between the "Entry” 128 and "PINEntry” 130 states that each set a PIN variable to different value
  • Defining multiple transitions between states increases the number of paths througn a model
  • paths through the sub-model 112 can include I - Tu t u - J - T JK - K - TKM - M, I - Tu(2) - J - T JL - L -T LM - M, and I - Tu(3) - J - Tj L - L - T LM - M.
  • the use of multiple transitions enables testing of different conditions within the same model .
  • a method of using a computer to analyze an extended finite state machine model of a system includes receiving at least one expression and corresponding expression target, determining paths of states and transitions through the model, and selecting paths such that the representation of paths satisfying the at least one expression the selected paths substantially corresponds to the expression target.
  • Embodiments may include one or more of the following features.
  • the representation may be a quantitative representation
  • the expression may include a boolean expression.
  • the expression may include a variable, an operator, a state, a transition, a sub-model, a table-model, and/or a requirement
  • the expression target may be a percentage Selecting may be done such that the percentage of selected paths satisfying the expression substantially corresponds to the expression target percentage. Selecting may include determining whether a path would improve the correspondence of the representation of paths satisfying the expression to the expression target .
  • Receiving at least one expression and corresponding expression target can include receiving more than one expression and corresponding expression target Selecting can include determining whether a path would improve the correspondence of the representation of paths to more than one expression target.
  • a computer program product disposed on a computer readable medium, for analyzing an extended finite state machine model of a system includes instructions for causing a processor to receive at least one expression and corresponding expression target, determine paths of states and transitions through the model, and select paths such that the representation of paths satisfying the at least one expression the selected paths substantially corresponds to the expression target.
  • FIG. 1 is a flowchart of a process for using an extended finite state machine model to generate tests for a system according to the PRIOR ART;
  • FIG. 2 is a diagram of an extended finite state machine model according to the PRIOR ART
  • FIGS. 3 and 4 are diagrams of paths through the extended finite state machine model of FIG. 2 according to the PRIOR ART ;
  • FIG. 5 is a diagram of a sub-model according to the PRIOR ART
  • FIG. 6 is a diagram of the extended finite state machine model that includes the states and transitions of the sub-model of FIG. 5 according to the PRIOR AR ;
  • FIG. 7 is a flowchart of a process for determining whether a system model satisfies system requirements
  • FIG. 8 is a screenshot of a table of system requirements used by the process of FIG. 7;
  • FIG. 9 is a screenshot of a requirements report produced by the process of FIG. 7;
  • FIG. 10 is a flowchart of a process for determining whether a system model satisfies specified assertions
  • FIG. 11 is a diagram of an extended finite state machine model that includes a table model element
  • FIG. 12 is a diagram of a table having rows incorporated into the model
  • FIG. 13 is a flowchart of a process for selecting a transition based on likelihood values associated with the transitions ;
  • FIG. 14 is a flowchart of a process for importing data and other information into an extended finite state machine model
  • FIG. 15 is a listing of a comma separated value file having values that can be imported into an extended finite state machine table model element
  • FIG. 16 is a flowchart of a process for detecting paths through a model that conform to a user specified mix of paths.
  • FIG. 17 is a diagram of a finite state machine model that includes model elements having target mix values.
  • the inventors have invented different mechanisms that enable testers, developers, and others to detect design and implementation flaws a system. These mechanisms can be included m TestMaster® or other software or hardware systems .
  • a process 200 enables users to specify 202 requirements as an expression of elements (e.g., variables, sub-models, states, and transitions) . For each path 204 through a model, the process 200 evaluates 206 all requirement expressions to determine which requirements are satisfied.
  • elements e.g., variables, sub-models, states, and transitions
  • the bank machine system functional specification may describe a requirement that no withdrawals should occur if a customer's PIN is not authorized.
  • a user can ensure compliance with this requirement by defining a boolean expression of "NOT (withdrawal AND (NOT OKPm) ) " .
  • NOT OKPm drawal AND
  • the requirement expressions defined for the model are evaluated. The path satisfies any requirement expression that evaluates to TRUE.
  • a user can specify and view requirement expressions via a graphical user interface.
  • the interface shown enables a user to specify each system requirement as a row m a table 222.
  • the table 222 includes columns for a requirement ID 208 and version number 210 for each requirement. This enables a user to quickly correlate requirements with their descriptions written documents and specify which collections of requirements should be used during path detection (e.g., only version 2 requirements need be satisfied) .
  • the requirement ID 208 can also be used as elements m other requirement expressions.
  • the table also includes columns for a prose description 212 of each requirement and the boolean requirement expression 216.
  • the table can also include a column 214 for specifying a system feature involved the requirement .
  • a feature may have more than one associated requirement.
  • a table column may permit a user to name the row for inclusion m other expressions.
  • a table can include a "source" column 218 for Hyperlinks (e.g., Universal Resource Locators) which link to external documents describing a requirement .
  • Hyperlinks e.g., Universal Resource Locators
  • the information included m the table 222 may be entered manually or imported, for example, from a database, spreadsheet, or a CSV (comma separated value) file. Similarly, the table 222 information may also be exported. Additionally, different requirements may be enabled or disabled by a user. Referring to FIG. 9, the process can generate a report 224 that describes tests that can be run to test the specified requirements. As shown, the report 224 may be a table that includes a row for each test generated and an indication of the different requirements satisfied by the test. For example, row 231 for test path 3 satisfies requirements 1.0.1 and 1.1.
  • the report 224 can also summarize test results, for example, by displaying the number of tests satisfying each requirement 226 or displaying the number of requirements a particular path satisfied 232.
  • the report enables a user to understand the completeness of a set of tests, to understand how many of the requirements have been included in the model, to perform optimization, and to detect tests that do not satisfy defined requirements. Based on the report the user can see which paths satisfied the requirement and use the testing programs generated for these paths to test the system being modeled.
  • the requirements feature described above can also limit (i.e., "filter”) the test scripts generated. For example, a user can specify that test scripts should only be generated for paths satisfying a particular requirement. Thus, only testing programs directed to testing particular features are generated.
  • assertions enable a user to specify an expression for
  • assertions represent expressions that should always be satisfied (e.g., TRUE) when evaluated. Failure to satisfy an assertion can represent significant model flaws needing immediate attention (e.g., when an abnormal or unexpected condition occurs) .
  • a process 240 for determining whether a model complies with a set of assertions includes receiving 242 assertion expressions.
  • a user can specify that an assertion expression be evaluated at different points in the model, for example, before or after entering a particular state, transition, or sub-mode1.
  • a designer can specify that an assertion expression should be automatically evaluated before and/or after entering every sub-model element. Additionally, a designer can specify that an assertion expression should be automatically evaluated after each path through the model is detected.
  • the process 240 can immediately alert 248 the user of the particular path and other model information that caused the assertion violation.
  • the process 240 can call a model debugger that enables a user to view model information such as the value of different variables, the assertion violated, and model elements in the path that violated an assertion. This enables a user to examine the model context that caused the assertion to fail.
  • the process 240 can further provide an error message and/or provide a display that highlights the path the caused the violation.
  • a graphical user interface provides a table 143 model element the user can include in a model.
  • the table 143 can specify multiple sets of data to be included in the generated test .
  • each row can include one or more variable value assignments, for example, each row can include a different value for the PIN model variable 250 and a name of the customer assigned that PIN (not shown) .
  • Each row can further include predicate 254 and/or constraint expressions 256.
  • the path detection instructions can select one or more of the rows for each path.
  • the table 143 provides a convenient mechanism for viewing and defining large sets of data.
  • the table also includes columns for specifying a source state and a destination state for each transition row (not shown) .
  • This enables an entire model to be displayed as one or more tables of rows.
  • the tables can be used to automatically generate a graphical display of a model.
  • a graphical model could be used to generate corresponding tables .
  • the equivalence of the model and the table enable a user to easily "flip" between the different model representations.
  • the table may offer a column for a name of the row (not shown) . The named model element can then be included in other expressions .
  • Each row of the table 143 can also include a likelihood value 252.
  • the likelihood values can be used to select a row from the table during path detection.
  • a process 258 for selecting a row based on likelihood values includes determining currently eligible rows 260, normalizing the likelihood values of the eligible transitions 262 to produce a probability for each eligible transition, and selecting a transition based on the produced probabilities.
  • PINs 001, 002, 003, and 004 represent eligible transitions because these transitions satisfy their associated predicate and/or constraint expression (s) .
  • the likelihood values in a table need not add to 1 or 100.
  • adding the likelihood values of the eligible rows yields a total of 160.
  • a row e.g, representing a transition
  • a sample set of ranges may be:
  • PIN 001 0 .000 0.062 (e.g. , 10/160)
  • PIN 002 0 .063 0.188 (e.g., 0.062 + 20/160)
  • PIN 003 0. .189 0.750 (e.g., 0.188 + 90/160)
  • PIN 004 0. .751 0.999 (e.g., 0.750 + 40/160)
  • a row can be selected by generating a random number between 0 and 1 and selecting the transition having a range covering the generated number. For example, a random number of 0.232 would result in the selection of the transition setting the PIN variable to "003".
  • Use of probabilities enables a model to be tested using data that reflects actual usage. Additionally, the use of probabilities enables a small set of rows to represent a large set of data. Further, normalizing likelihood values to produce probabilities enables the path detection instructions to process probabilities with different combinations of eligible rows.
  • probabilities and/or likelihood values can be assigned to transitions with or without the use of table model elements. Additionally, though the determination of eligible transitions and normalizing their respective likelihood values provides a designer with flexibility, these actions are not required to take advantage of the benefits of including probabilities in the model .
  • a process 250 enables users to import data into a model by specifying 252 an external information source for importing 254 into the model.
  • an external information source for importing 254 into the model.
  • a user can specify a file name of a CSV (Comma Separated Value) file.
  • the first line 266 of the CSV file defines table schema information such as the table variables and their corresponding data types. For example, as shown the variable named PIN has been type-cast as a number 268. Subsequent information in the CSV is paired with the variables defined in the first line 266.
  • the number 001 is paired with the variable PIN while the string "FirstPIN" is paired with the string variable named Otherlnformation .
  • a database or spreadsheet could also be used as a source of external data.
  • a user could specify a relational database view or table.
  • instructions can automatically access the database to obtain schema information for the table.
  • an SQL (Structured Query Language) select command can be used to determine the variables and data included in a particular table or view and output this information to a CSV file.
  • the instructions may support ODBC (Open Database Connectivity) drivers .
  • ODBC Open Database Connectivity
  • Importing data from an external source can relieve a user from having to define a large number of transitions between states by hand.
  • the importing capability is not limited to transitions.
  • the imported data can reflect actual testing conditions. For example, a log file produced by a system in actual use can provide a valuable source of data for the model .
  • a process 300 enables a user to control the mix of paths outputted during path detection.
  • the process 300 enables a user to specify 302 a desired mix of generated tests. For example, a user can specify a percentage (or ratio) of paths that include a particular model element or that satisfy a particular expression.
  • instructions track the current mix of paths (e.g. , how many paths are in the mix and how many paths include the model element) and determine 306 whether a newly detected path brings the mix closer to the user specified percentage (s) . If so, the newly detected path is saved in the mix. Otherwise, the path is discarded.
  • a bank machine model 320 includes states 322-330 that represent different bank machine transactions.
  • the mix of paths generated should include 40% 332 withdrawals 322 and 35% 334 checking-to- savings 330 transfers.
  • two paths have included withdrawals 332 (i.e., 22%) and three have included checking-to-savings 330 (i.e., 33%) transactions.
  • a path improves the mix of tests. For example, in the previous example, including the new path improved the percentage of withdrawals 332 from 22% to 33%, but would lower the percentage of checking-to-savings 330 transactions to 30%. Thus, saving the new path in the mix would bring the percentage of withdrawals 332 in the mix closer to the withdrawal target by 8% while bringing the percentage of checking-to-savings 330 by 3% away from its target .
  • One embodiment totals the amount each current percentage is from its target percentage and compares this to the same total if the current path were saved in the mix. If the total would be reduced by inclusion of the path, the path is saved in the mix. Additionally, in some embodiments, a user can specify that some target percentages take priority over others .
  • the specified targets need not add up to 100% as each test mix expression is independent of the other expressions. For example, as shown in FIG. 17, the targets only totalled 75%. This gives a user flexibility in using the test mix feature.
  • a user can generate tests for model features of interest without defining additional expressions to control model behavior. Additionally, the technique enables a user to produce tests relevant to areas of interest or that mimic behavior of interest .
  • the techniques described here are not limited to any particular hardware or software configuration; they may find applicability in any computing or processing environment .
  • the techniques may be implemented in hardware or software, or a combination of the two.
  • the techniques are implemented in computer programs executing on programmable computers that each include a processor, a storage medium readable by the processor (including volatile and nonvolatile memory and/or storage elements) , at least one input device, and one or more output devices.
  • Program code is applied to data entered using the input device to perform the functions described and to generate output information.
  • the output information is applied to one or more output devices .
  • Each program is preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system.
  • the programs can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language .
  • Each such computer program is preferable stored on a storage medium or device (e.g., CD-ROM, embedded ROM, hard disk or magnetic diskette) that is readable by a general or special purpose programmable computer for configuring and operating the computer when the storage medium or device is read by the computer to perform the procedures described in this document.
  • the system may also be considered to be implemented as a computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner.

Abstract

A method of using a computer to analyze an extended finite state machine model of a system includes receiving at least one expression and corresponding expression target, determining paths of states and transitions through the model, and selecting paths such that the representation of paths satisfying the at least one expression in the selected paths substantially corresponds to the expression target.

Description

Analyzing an Extended Finite State Machine System Model
Background of the Invention System testing contributes significantly to system development and maintenance costs. TestMaster® software sold by Teradyne® Software and System Test, Inc. of Nashua, NH can reduce testing costs while increasing testing quality. Referring to FIG. 1, TestMaster® software 100 enables a designer to create 102 an extended finite state machine model of a system. An extended finite state machine is represented by a directed graph that includes states interconnected by transitions. The software 100 provides a graphical user interface that enables the designer to "draw" the model by defining the states and connecting them together with directional lines that represent transitions.
The model is independent of the system being modeled and can be created before or after the system is developed. After the designer creates 102 the model, the software 100 detects 104 paths through the model states and transitions and generates 106 testing programs corresponding to each of the detected paths . Execution of the generated testing programs can identify system design flaws and highlight differences between the model created and the actual behavior of the underlying system.
Referring to FIG. 2, an extended finite state machine model 108 of a system includes states 110-116 interconnected by transitions 118-124. For example, as shown, a model 108 includes states 110-116 and transitions 118-124 representing a bank machine system that dispenses cash to customers entering an authorized PIN (Personal Identification Number) .
The TestMaster® system automatically detects different paths through the model 108. For example, as shown in FIG. 3, a path through the model can include model elements A - TAB - B - TBc - C - TCD - D. This path corresponds to a customer correctly entering an authorized PIN and successfully withdrawing cash. As shown in FIG. 4, a different path through the model can include model elements A - TAB - B - TBD - D. This model path corresponds to a customer who fails to correctly enter an authorized PIN.
TestMaster® offers many different procedures for detecting paths through a model. For example, a user can select from comprehensive, transition-based, N-switch, and quick-cover path detection. Comprehensive path detection outputs a test for every possible path through the model. Transition based path detection outputs tests such that each transition is included in at least one test. N-switch path detection outputs tests such that each unique sequence of N+l transitions are included in at least one test.
Comprehensive, transition, and N-switch path detection are currently implemented using a depth- first search. In contrast, quick-cover uses a "top-down" search and can output tests such that no transition is used more than a specified number of times. U.S. Patent Serial No.
08/658,344 entitled "Method and Apparatus for Adaptive Coverage in Test Generation" describes implementations of programs for detecting extended finite state machine paths. Referring again to FIG. 2, in addition to transitions and states, a model can incorporate variables and expressions that further define the model's behavior. TestMaster® can evaluate the expressions to assign variable values (e.g., y = mx + b) or to determine whether an expression is TRUE or FALSE (e.g., A AND (B OR C) ) . The expressions can include operators, variables, and other elements such as the names of states, transitions, and/or sub-models. When a named state, transition, or sub-model is in included in an expression, the model element evaluates to TRUE when included in the path currently being detected. For example, in FIG. 2, an expression of " (A && B' " would evaluate to TRUE for path portion "A - TAE - B". As shown, expressions can use a PFL (Path Flow Language) syntax that resembles the C programming language. PFL and functions that can be called from PFL are described in The TestMaster® Reference Guide published by Teradyne®.
A model designer can associate the expressions with model elements to further define model behavior. For example, a designer can associate predicates and/or constraints with different states, transitions, and/or sub- models. Both predicates and constraints are evaluated during path detection and determine which transitions can be included in a path.
When path detection instructions encounter a model element having an associated predicate, the predicate expression is evaluated. If the predicate evaluates to
TRUE, the model element associated with the predicate can be used in the path. For example, as shown in FIG. 2, transition TBD 124 has an associated predicate 126 ("!OKPin") that determines when a path can include the transition. As shown, the predicate 126 is a boolean expression that permits inclusion of the transition 124 m a path being detected when the boolean variable OKPm is FALSE and the path being detected has reached state B
Similarly, when path detection instructions encounter a model element having an associated constraint, the constraint expression is evaluated If the constraint evaluates to FALSE, the model element associated w th the constraint cannot be used m the path being detected. For example, as shown m FIG. 2, a transition 123 can connect a state 114 to itself To prevent a path from including a large or possibly infinite number of the same transition m a single path, a designer can specify a constraint expression 125 that limits use of a transition m a path. The "Iterate(3)" expression associated with the transition 123 limits a path through the model to including transition 123 three times. Thus, if evaluated at state C after looping around transition TCc three times, the constraint would evaluate to FALSE and prevent further use of the transition m the current path The constraint acts as a filter, eliminating generation of unwanted testing programs. Referring to FIG. 5, a model can also include one or more sub-models For example, the box labeled "EnterPIN" m FIG. 2 may be a sub-model 112 that includes additional states 128-136, transitions 138-150, and expressions. As shown, the sub-model 112 sets 150 the model variable OKPm to TRUE when the customer PIN equals 1 148; otherwise, the sub-model sets the model variable OKPm to FALSE 146
Sub-models encourage modular system design and increase comprehension of a model ' s design Referring to FIG. 6, when the software 100 detects different paths through the system, the sub-model is essentially replaced with the states and transitions included the sub-model.
Referring again to FIG 5, a designer can define more than one transition 138-142 between states 128, 130. The designer can also associate expressions (e g , PIN = 1) with each transition 138-142, for example, to set model variables to different values For example, as shown, a designer has defined three transitions between the "Entry" 128 and "PINEntry" 130 states that each set a PIN variable to different value Defining multiple transitions between states increases the number of paths througn a model For example, paths through the sub-model 112 can include I - Tutu - J - TJK - K - TKM - M, I - Tu(2) - J - TJL - L -TLM - M, and I - Tu(3) - J - TjL - L - TLM - M. The use of multiple transitions enables testing of different conditions within the same model .
Summary of the Invention In general, m one aspect, a method of using a computer to analyze an extended finite state machine model of a system includes receiving at least one expression and corresponding expression target, determining paths of states and transitions through the model, and selecting paths such that the representation of paths satisfying the at least one expression the selected paths substantially corresponds to the expression target.
Embodiments may include one or more of the following features. The representation may be a quantitative representation The expression may include a boolean expression. The expression may include a variable, an operator, a state, a transition, a sub-model, a table-model, and/or a requirement The expression target may be a percentage Selecting may be done such that the percentage of selected paths satisfying the expression substantially corresponds to the expression target percentage. Selecting may include determining whether a path would improve the correspondence of the representation of paths satisfying the expression to the expression target . Receiving at least one expression and corresponding expression target can include receiving more than one expression and corresponding expression target Selecting can include determining whether a path would improve the correspondence of the representation of paths to more than one expression target. In general, m another aspect, a computer program product, disposed on a computer readable medium, for analyzing an extended finite state machine model of a system includes instructions for causing a processor to receive at least one expression and corresponding expression target, determine paths of states and transitions through the model, and select paths such that the representation of paths satisfying the at least one expression the selected paths substantially corresponds to the expression target.
Brief Description of the Drawings These and other features of the invention will become more readily apparent from the following detailed description when read together with the accompanying drawings, m which:
FIG. 1 is a flowchart of a process for using an extended finite state machine model to generate tests for a system according to the PRIOR ART;
FIG. 2 is a diagram of an extended finite state machine model according to the PRIOR ART;
FIGS. 3 and 4 are diagrams of paths through the extended finite state machine model of FIG. 2 according to the PRIOR ART ;
FIG. 5 is a diagram of a sub-model according to the PRIOR ART;
FIG. 6 is a diagram of the extended finite state machine model that includes the states and transitions of the sub-model of FIG. 5 according to the PRIOR AR ;
FIG. 7 is a flowchart of a process for determining whether a system model satisfies system requirements;
FIG. 8 is a screenshot of a table of system requirements used by the process of FIG. 7;
FIG. 9 is a screenshot of a requirements report produced by the process of FIG. 7;
FIG. 10 is a flowchart of a process for determining whether a system model satisfies specified assertions; FIG. 11 is a diagram of an extended finite state machine model that includes a table model element;
FIG. 12 is a diagram of a table having rows incorporated into the model;
FIG. 13 is a flowchart of a process for selecting a transition based on likelihood values associated with the transitions ;
FIG. 14 is a flowchart of a process for importing data and other information into an extended finite state machine model; FIG. 15 is a listing of a comma separated value file having values that can be imported into an extended finite state machine table model element;
FIG. 16 is a flowchart of a process for detecting paths through a model that conform to a user specified mix of paths; and
FIG. 17 is a diagram of a finite state machine model that includes model elements having target mix values.
Description of the Preferred Embodiments
Introduction
The inventors have invented different mechanisms that enable testers, developers, and others to detect design and implementation flaws a system. These mechanisms can be included m TestMaster® or other software or hardware systems .
Requirements and Assertions:
Referring to FIG. 7, prose descriptions of system requirements often appear m functional and design specifications or are included m requirement documents produced by a customer Requirements can also be gleaned from customers, bug-lists, etc. As shown m FIG. 7, a process 200 enables users to specify 202 requirements as an expression of elements (e.g., variables, sub-models, states, and transitions) . For each path 204 through a model, the process 200 evaluates 206 all requirement expressions to determine which requirements are satisfied.
For example, referring again to FIG. 2, the bank machine system functional specification may describe a requirement that no withdrawals should occur if a customer's PIN is not authorized. A user can ensure compliance with this requirement by defining a boolean expression of "NOT (withdrawal AND (NOT OKPm) ) " . After each path is detected through the model, the requirement expressions defined for the model are evaluated. The path satisfies any requirement expression that evaluates to TRUE.
Referring to FIG. 8, a user can specify and view requirement expressions via a graphical user interface. The interface shown enables a user to specify each system requirement as a row m a table 222. The table 222 includes columns for a requirement ID 208 and version number 210 for each requirement. This enables a user to quickly correlate requirements with their descriptions written documents and specify which collections of requirements should be used during path detection (e.g., only version 2 requirements need be satisfied) . The requirement ID 208 can also be used as elements m other requirement expressions.
The table also includes columns for a prose description 212 of each requirement and the boolean requirement expression 216. The table can also include a column 214 for specifying a system feature involved the requirement . A feature may have more than one associated requirement. Additionally, a table column may permit a user to name the row for inclusion m other expressions.
Further, a table can include a "source" column 218 for Hyperlinks (e.g., Universal Resource Locators) which link to external documents describing a requirement .
The information included m the table 222 may be entered manually or imported, for example, from a database, spreadsheet, or a CSV (comma separated value) file. Similarly, the table 222 information may also be exported. Additionally, different requirements may be enabled or disabled by a user. Referring to FIG. 9, the process can generate a report 224 that describes tests that can be run to test the specified requirements. As shown, the report 224 may be a table that includes a row for each test generated and an indication of the different requirements satisfied by the test. For example, row 231 for test path 3 satisfies requirements 1.0.1 and 1.1.
The report 224 can also summarize test results, for example, by displaying the number of tests satisfying each requirement 226 or displaying the number of requirements a particular path satisfied 232. The report enables a user to understand the completeness of a set of tests, to understand how many of the requirements have been included in the model, to perform optimization, and to detect tests that do not satisfy defined requirements. Based on the report the user can see which paths satisfied the requirement and use the testing programs generated for these paths to test the system being modeled.
The requirements feature described above can also limit (i.e., "filter") the test scripts generated. For example, a user can specify that test scripts should only be generated for paths satisfying a particular requirement. Thus, only testing programs directed to testing particular features are generated.
Referring to FIG. 10, similar to requirements, assertions enable a user to specify an expression for
1C evaluation. However, while a path through a perfectly designed model may not satisfy any requirement expressions, assertions represent expressions that should always be satisfied (e.g., TRUE) when evaluated. Failure to satisfy an assertion can represent significant model flaws needing immediate attention (e.g., when an abnormal or unexpected condition occurs) .
A process 240 for determining whether a model complies with a set of assertions includes receiving 242 assertion expressions. A user can specify that an assertion expression be evaluated at different points in the model, for example, before or after entering a particular state, transition, or sub-mode1. In another embodiment, a designer can specify that an assertion expression should be automatically evaluated before and/or after entering every sub-model element. Additionally, a designer can specify that an assertion expression should be automatically evaluated after each path through the model is detected.
When the process 240 determines 246 a path violates an assertion (i.e., the boolean assertion expression evaluates to FALSE) , the process 240 can immediately alert 248 the user of the particular path and other model information that caused the assertion violation. For example, the process 240 can call a model debugger that enables a user to view model information such as the value of different variables, the assertion violated, and model elements in the path that violated an assertion. This enables a user to examine the model context that caused the assertion to fail. The process 240 can further provide an error message and/or provide a display that highlights the path the caused the violation.
Transition Tables:
Referring to FIG. 11, a graphical user interface provides a table 143 model element the user can include in a model. The table 143 can specify multiple sets of data to be included in the generated test .
Referring to FIG. 12, each row can include one or more variable value assignments, for example, each row can include a different value for the PIN model variable 250 and a name of the customer assigned that PIN (not shown) . Each row can further include predicate 254 and/or constraint expressions 256. The path detection instructions can select one or more of the rows for each path. Thus, the table 143 provides a convenient mechanism for viewing and defining large sets of data.
In another embodiment, the table also includes columns for specifying a source state and a destination state for each transition row (not shown) . This enables an entire model to be displayed as one or more tables of rows. The tables can be used to automatically generate a graphical display of a model. Similarly, a graphical model could be used to generate corresponding tables . The equivalence of the model and the table enable a user to easily "flip" between the different model representations. Additionally, the table may offer a column for a name of the row (not shown) . The named model element can then be included in other expressions .
Each row of the table 143 can also include a likelihood value 252. The likelihood values can be used to select a row from the table during path detection. Referring also to FIG. 13, a process 258 for selecting a row based on likelihood values includes determining currently eligible rows 260, normalizing the likelihood values of the eligible transitions 262 to produce a probability for each eligible transition, and selecting a transition based on the produced probabilities.
For example, assume the TEST model variable is set to "1" in FIG. 12. Under this assumption, PINs 001, 002, 003, and 004 represent eligible transitions because these transitions satisfy their associated predicate and/or constraint expression (s) . As shown, the likelihood values in a table need not add to 1 or 100. For example, adding the likelihood values of the eligible rows (PINs 001, 002, 003, and 004) yields a total of 160. A row (e.g, representing a transition) can be selected by using the total likelihood value and the individual likelihood values of the eligible rows to dynamically create selection ranges for each row. For example, a sample set of ranges may be:
PIN=001 0 .000 0.062 (e.g. , 10/160)
PIN=002 0 .063 0.188 (e.g., 0.062 + 20/160)
PIN=003 0. .189 0.750 (e.g., 0.188 + 90/160)
PIN=004 0. .751 0.999 (e.g., 0.750 + 40/160)
Thereafter, a row can be selected by generating a random number between 0 and 1 and selecting the transition having a range covering the generated number. For example, a random number of 0.232 would result in the selection of the transition setting the PIN variable to "003". Use of probabilities enables a model to be tested using data that reflects actual usage. Additionally, the use of probabilities enables a small set of rows to represent a large set of data. Further, normalizing likelihood values to produce probabilities enables the path detection instructions to process probabilities with different combinations of eligible rows.
Other embodiments can include variations of the features describe above. For example, probabilities and/or likelihood values can be assigned to transitions with or without the use of table model elements. Additionally, though the determination of eligible transitions and normalizing their respective likelihood values provides a designer with flexibility, these actions are not required to take advantage of the benefits of including probabilities in the model .
Importing Data into the Model :
The rows in the table and other model information can be hand entered by a user. Alternatively, a user can import the data from an external source. Referring to FIG. 14, a process 250 enables users to import data into a model by specifying 252 an external information source for importing 254 into the model. For example, referring to FIG. 15, for, a user can specify a file name of a CSV (Comma Separated Value) file. The first line 266 of the CSV file defines table schema information such as the table variables and their corresponding data types. For example, as shown the variable named PIN has been type-cast as a number 268. Subsequent information in the CSV is paired with the variables defined in the first line 266. For example, the number 001 is paired with the variable PIN while the string "FirstPIN" is paired with the string variable named Otherlnformation . A database or spreadsheet could also be used as a source of external data. For example, a user could specify a relational database view or table. In response, instructions can automatically access the database to obtain schema information for the table. For example, an SQL (Structured Query Language) select command can be used to determine the variables and data included in a particular table or view and output this information to a CSV file. For interfacing with different types of data sources, the instructions may support ODBC (Open Database Connectivity) drivers .
Importing data from an external source can relieve a user from having to define a large number of transitions between states by hand. However, the importing capability is not limited to transitions. Additionally, the imported data can reflect actual testing conditions. For example, a log file produced by a system in actual use can provide a valuable source of data for the model .
Specifying a Mix of Paths: Referring to FIG. 16, a process 300 enables a user to control the mix of paths outputted during path detection. The process 300 enables a user to specify 302 a desired mix of generated tests. For example, a user can specify a percentage (or ratio) of paths that include a particular model element or that satisfy a particular expression. During path detection, instructions track the current mix of paths (e.g. , how many paths are in the mix and how many paths include the model element) and determine 306 whether a newly detected path brings the mix closer to the user specified percentage (s) . If so, the newly detected path is saved in the mix. Otherwise, the path is discarded.
Many different procedures for determining whether a detected path brings the mix close to the user specified percentages could be used. For example, one procedure saves a detected path if the path satisfies any specified expression that is currently under-represented in the mix generated thus far. For example, referring to FIG. 17, a bank machine model 320 includes states 322-330 that represent different bank machine transactions. As shown, a user has specified that the mix of paths generated should include 40% 332 withdrawals 322 and 35% 334 checking-to- savings 330 transfers. Assume that after nine paths, two paths have included withdrawals 332 (i.e., 22%) and three have included checking-to-savings 330 (i.e., 33%) transactions. Further assume a newly generated path included the model elements A - TAB - B - TBF - F. This path includes a withdrawal 332, but no checking-to-savings 330 transactions. Since the running percentage of withdrawals 332 is only 22% as compared to a target of 40%, the new path will be included in the mix.
Other embodiments use different techniques for determining whether a path improves the mix of tests. For example, in the previous example, including the new path improved the percentage of withdrawals 332 from 22% to 33%, but would lower the percentage of checking-to-savings 330 transactions to 30%. Thus, saving the new path in the mix would bring the percentage of withdrawals 332 in the mix closer to the withdrawal target by 8% while bringing the percentage of checking-to-savings 330 by 3% away from its target . One embodiment totals the amount each current percentage is from its target percentage and compares this to the same total if the current path were saved in the mix. If the total would be reduced by inclusion of the path, the path is saved in the mix. Additionally, in some embodiments, a user can specify that some target percentages take priority over others .
The specified targets need not add up to 100% as each test mix expression is independent of the other expressions. For example, as shown in FIG. 17, the targets only totalled 75%. This gives a user flexibility in using the test mix feature.
By specifying a mix of paths, a user can generate tests for model features of interest without defining additional expressions to control model behavior. Additionally, the technique enables a user to produce tests relevant to areas of interest or that mimic behavior of interest .
Other Embodiments: The techniques described here are not limited to any particular hardware or software configuration; they may find applicability in any computing or processing environment . The techniques may be implemented in hardware or software, or a combination of the two. Preferably, the techniques are implemented in computer programs executing on programmable computers that each include a processor, a storage medium readable by the processor (including volatile and nonvolatile memory and/or storage elements) , at least one input device, and one or more output devices. Program code is applied to data entered using the input device to perform the functions described and to generate output information.
The output information is applied to one or more output devices .
Each program is preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the programs can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language . Each such computer program is preferable stored on a storage medium or device (e.g., CD-ROM, embedded ROM, hard disk or magnetic diskette) that is readable by a general or special purpose programmable computer for configuring and operating the computer when the storage medium or device is read by the computer to perform the procedures described in this document. The system may also be considered to be implemented as a computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner.
Other embodiments are within the spirit and scope of the appended claims .
- IS

Claims

What is claimed is: 1. A method of using a computer to analyze an extended finite state machine model of a system, the model having states interconnected by transitions, the method comprising: receiving at least one expression and corresponding expression target; determining paths of states and transitions through the model; and selecting paths such that the representation of paths satisfying the at least one expression in the selected paths substantially corresponds to the expression target.
2. The method of claim 1, wherein the representation comprises a quantitative representation.
3. The method of claim 1, wherein the expression comprises a boolean expression.
4. The method of claim 1, wherein the expression comprises at least one of the following: a variable, an operator, a state, a transition, a sub-model, a table-model, and a requirement .
5. The method of claim 1, wherein the expression target comprises a percentage.
6. The method of claim 5, wherein selecting comprises selecting such that the percentage of selected paths satisfying the expression substantially corresponds to the expression target percentage.
7. The method of claim 1, wherein selecting comprises determining whether a path would improve the correspondence of the representation of paths satisfying the expression to the expression target .
8. The method of claim 1, wherein receiving at least one expression and corresponding expression target comprises receiving more than one expression and corresponding expression target.
9. The method of claim 8, wherein selecting comprises determining whether a path would improve the correspondence of the representation of paths to more than one expression target .
10. A computer program product, disposed on a computer readable medium, for analyzing an extended finite state machine model of a system, the model having states interconnected by transitions, the computer program product including instructions for causing a processor to: receive at least one expression and corresponding expression target; determine paths of states and transitions through the model; and select paths such that the representation of paths satisfying the at least one expression in the selected paths substantially corresponds to the expression target.
11. The computer program product of claim 10, wherein the representation comprises a quantitative representation.
12. The computer program product of claim 10, wherein the expression comprises a boolean expression.
13. The computer program product of claim 10, wherein the expression comprises at least one of the following: a variable, an operator, a state, a transition, a sub-model, a table-model, and a requirement.
14. The computer program product of claim 10, wherein the expression target comprises a percentage.
15. The computer program product of claim 10, wherein the instructions for selecting comprise instructions for selecting such that the percentage of selected paths satisfying the expression substantially corresponds to the expression target percentage.
16. The computer program product of claim 10, wherein the instructions for selecting comprise instructions for determining whether a path would improve the correspondence of the representation of paths satisfying the expression to the expression target.
17. The computer program product of claim 10, wherein the instructions for receiving at least one expression and corresponding expression target comprise instructions for receiving more than one expression and corresponding expression target .
18. The computer program of claim 17, wherein the instructions for selecting comprise instructions for determining whether a path would improve the correspondence of the representation of paths to more than one expression target .
PCT/US2000/014291 1999-05-25 2000-05-24 Analyzing an extended finite state machine system model WO2000072146A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU52863/00A AU5286300A (en) 1999-05-25 2000-05-24 Analyzing an extended finite state machine system model

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US31820599A 1999-05-25 1999-05-25
US09/318,205 1999-05-25

Publications (1)

Publication Number Publication Date
WO2000072146A1 true WO2000072146A1 (en) 2000-11-30

Family

ID=23237119

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/014291 WO2000072146A1 (en) 1999-05-25 2000-05-24 Analyzing an extended finite state machine system model

Country Status (2)

Country Link
AU (1) AU5286300A (en)
WO (1) WO2000072146A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014155050A2 (en) * 2013-03-28 2014-10-02 Randomize Limited Method and apparatus for testing electronic systems

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5394347A (en) * 1993-07-29 1995-02-28 Digital Equipment Corporation Method and apparatus for generating tests for structures expressed as extended finite state machines
US5500941A (en) * 1994-07-06 1996-03-19 Ericsson, S.A. Optimum functional test method to determine the quality of a software system embedded in a large electronic system
EP0869433A2 (en) * 1997-03-31 1998-10-07 Siemens Corporate Research, Inc. A test development system and method for software with a graphical user interface

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5394347A (en) * 1993-07-29 1995-02-28 Digital Equipment Corporation Method and apparatus for generating tests for structures expressed as extended finite state machines
US5500941A (en) * 1994-07-06 1996-03-19 Ericsson, S.A. Optimum functional test method to determine the quality of a software system embedded in a large electronic system
EP0869433A2 (en) * 1997-03-31 1998-10-07 Siemens Corporate Research, Inc. A test development system and method for software with a graphical user interface

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
L. APFELBAUM: "Spec-based tests make sure telecom software works", IEEE SPECTRUM, vol. 34, no. 11, 11 November 1987 (1987-11-11), pages 77 - 83, XP002149691 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014155050A2 (en) * 2013-03-28 2014-10-02 Randomize Limited Method and apparatus for testing electronic systems
WO2014155050A3 (en) * 2013-03-28 2014-11-27 Randomize Limited Method and apparatus for testing electronic systems
US9740599B2 (en) 2013-03-28 2017-08-22 Randomize Limited Directed random sequence generation method and apparatus for testing software

Also Published As

Publication number Publication date
AU5286300A (en) 2000-12-12

Similar Documents

Publication Publication Date Title
Palomba et al. On the diffusion of test smells in automatically generated test code: An empirical study
AU2010350247B2 (en) Code inspection executing system for performing a code inspection of ABAP source codes
US8359576B2 (en) Using symbolic execution to check global temporal requirements in an application
US8683446B2 (en) Generation of test cases for functional testing of applications
Mirshokraie et al. Guided mutation testing for javascript web applications
US11449370B2 (en) System and method for determining a process flow of a software application and for automatically generating application testing code
US6694290B1 (en) Analyzing an extended finite state machine system model
US9081595B1 (en) Displaying violated coding rules in source code
US7882495B2 (en) Bounded program failure analysis and correction
US20060156286A1 (en) Dynamic source code analyzer
US8555234B2 (en) Verification of soft error resilience
US7895575B2 (en) Apparatus and method for generating test driver
WO2009095741A1 (en) Selective code instrumentation for software verification
US6853963B1 (en) Analyzing an extended finite state machine system model
US11481311B2 (en) Automatic evaluation of test code quality
Granda et al. What do we know about the defect types detected in conceptual models?
Podelski et al. Classifying bugs with interpolants
Abdeen et al. An approach for performance requirements verification and test environments generation
US6704912B2 (en) Method and apparatus for characterizing information about design attributes
Baudry Testing model transformations: A case for test generation from input domain models
WO2000072146A1 (en) Analyzing an extended finite state machine system model
Odermatt et al. Static analysis warnings and automatic fixing: A replication for c# projects
WO2018154784A1 (en) Effect extraction device, effect extraction program, and effect extraction method
Haller The test data challenge for database-driven applications.
Ali et al. Explication and Monitoring of Quality of Experience (QOE) in Android

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP