- Modules should be independently testable.
- Testing should be thorough and systematic.
- Testing should be repeatable.
-
Top-down
- Top-level functions in the function calling hierarchy are tested first.
- Function stubs are written for lower-level functions that are called by functions above.
-
Bottom-up
- Lower-level functions in a function calling hierarchy are tested first.
- Function drivers are written for upper-level functions that call functions below.
-
Object-oriented
- All functions for a particular class are tested, independent of how they may be used in overall system.
- Stubs and drivers are written as necessary.
-
Hybrid
- A combination of top-down, bottom-up, and object-oriented testing is employed.
- This is a good practical approach.
-
Big-bang
- All functions are compiled together in one huge executable (typically the night before it's due).
- We cross our fingers and run it.
- When the big-bang fizzles, we enter the debugger and keep hacking until things appear to work.
-
For all modules to be separately designed and implemented, modular interfaces
should be designed cleanly and thoroughly.
- Don't fudge on function signature details or pre/postcondition logic; i.e., think clearly about these details before the implementation begins.
- Be clear on what needs to be public and what protected.
- Be prepared to write stubs and drivers for other people's modules so that independent testing can be achieved.
-
The same mathematical notation is used for both -- namely preconditions and
postconditions are associated with each functional unit.
- At the user-level, the pre- and postconditions are specified for each operation in the specification.
- At the system-level, the pre- and postconditions are specified for each function in the design.
-
Given the traceability between specification-level operations and design-level
functions, we observe that:
- Directly traceable functions in the model part of the design start with the same pre- and postconditions as the operations to which they trace.
- These pre- and post-conditions are strengthened by adding additional clauses that address implementation-level refinements.
- Non-traceable process must have pre- and postconditions specified by the designers.
- A precise definition of what a function does that helps clarify our thinking before coding.
- The basis for intelligent test case generation.
- The basis for program inspections, and the "cleanroom" approach to system testing.
- The basis for formal program verification.
- Formal specification has been shown to be cost effective given the benefits it provides for testing and verification.
-
As we'll discuss further in the next lecture, a formal function test consists
of the following elements:
- Test inputs within legal ranges, and expected output results.
- Test inputs outside of legal ranges, and expected output results.
- Test inputs on the boundaries of legal ranges, and expected output results.
- The formal preconditions are used to determine what the inputs should be.
- The formal postconditions are used to determine the expected results for the given inputs.
-
In order to verify a program formally, two forms of specification must be
provided:
- A formal specification of the given program
- A formal specification of the language in which the program is written in
- Hence, a formal program specification is an integral part of formal verification.
- We will discuss formal verification details in an upcoming lecture.
-
Black box testing
- Each function is viewed as a black box that can be given inputs to produce its outputs.
- The function is tested from the outside (specification) only, without looking at the code inside.
-
White-box testing
- Each function is viewed as a "white" (i.e., transparent) box containing code.
- The function is tested by supplying inputs that fully exercise the logic of its code.
- Specifically, each logical control path through the function is exercised at least once by some test.
- This is the kind of testing that is done informally during the course of system debugging.
-
Formal verification
- The pre- and postconditions of each function are treated as formal mathematical theorems.
- The body of the function is treated as a form of mathematical formula, given certain formal rules of program interpretation for the language in which the function is written.
- Verification entails proving that the precondition theorem implies the postcondition theorem, with respect to the mathematical interpretation of the function body.
-
At the specification level, failure of an operation precondition renders the
operation simply "undefined"
- For an abstract specification, this is a perfectly reasonable definition of precondition failure.
- However, at the design and implementation level, precondition failure must be dealt with more concretely.
- There are two basic approaches such concretization.
-
Approach 1: A precondition is a guaranteed assumption that will always
be true before a function to which it is attached is executed.
- This approach is can be called the "programming by contract" approach.
- In this approach, the code of the function does not enforce its own precondition, but rather the precondition must be enforced by all callers of the function.
- Such enforcement can be formally verified or implemented with runtime checks.
-
Approach 2: A precondition must be checked by the function to which it
is attached.
- This approach can be called the "defensive programming" approach.
- In this approach, the code of the function includes logic to enforce its precondition.
-
The enforcement can:
- Assert unconditional failure on any precondition violation.
- Return an appropriate "nil" value as the function return value or in an output parameter.
- Output an appropriate error report to stderr or the user view screen.
- Throw an appropriate exception (see below for further discussion).
-
In all but the first of these enforcement styles, the system-level
postcondition must be enhanced to specify both normal and exceptional output
behavior.
-
For example, suppose a function is specified initially as follows
void SomeDB::Add(Item* i) /* * pre: not Find(i); * post: (i in this'->data) and ... ; * */ -
If the exception handling approach to precondition enforcement is chosen, the
refined formal specification for this function is as follows
where AddException is a defined exception value.void SomeDB::Add(Item* i) /* * pre: not Find(i); * post: if (not Find(i) then * (i in this'->data) and ... ; * else * (this == this') and * (throw == AddException) * */
-
For example, suppose a function is specified initially as follows
- For each function, a list of test cases is be produced
- This list of cases constitutes the unit test plan for each function.
-
A unit test plan is defined in the following general tabular form:
Case No. Inputs Expected Output Remarks 1 parm 1 = ... ref parm 1 = ... ... ... parm m = ... ref parm n = ... return = ... data member a = ... data member a = ... ... ... data member z = ... data member z = ... n parm 1 = ... ref parm 1 = ... ... ... parm m = ... ref parm n = ... return = ... data member a = ... data member a = ... ... ... data member z = ... data member z = ... -
Note that
- The inputs for each case specify values for all input parameters as well as all referenced data members for that case.
- The outputs for each case specify values for all reference parameters, return value, and modified data members for that case.
- In any case, data members that are not explicitly mentioned in the inputs or outputs are assumed to be "don't care" -- i.e, not used as an input or not modified on output.
- One such test plan is written for each function in each class.
- In an object-oriented testing strategy, the unit test plans are included in the module test plan for a complete class.
- For a given class, write unit test plans for each member function.
- For the class as a whole, write a module test plan that invokes the unit test plans in a well-planned order.
-
General guidelines for module testing include the following:
- Start the module test plan by invoking the unit tests for the constructors, so that subsequent tests have member data values to work with.
- Next, unit test other constructive functions (i.e., functions that add and/or change member data) so that subsequent tests have data to work with.
- Unit test selector functions (i.e., functions that access but do not change data) on the results produced by constructive functions.
- Test certain function interleavings that might be expected to cause problems, such as interleaves of adds and deletes.
- Stress test the class by constructing an object several times larger than ever expected to be used in production.
-
Once the plan is established, write a test driver for all functions of the
class, where the driver:
- executes each function test plan,
- records the results,
- compares the results to the previous test run,
- reports the differences, if any
-
An concrete example of of a module test plan is in the Rolodex example testing
directory:
projects/work/rolodex/testing/design/RolodexTest.html
-
In terms of Java++ details
- Each class X in the system design has a companion testing class named XTest.
- A test class is a subclass of the class it tests.
- Each member function X.f has a companion unit test function named XTest.testF.
- The comment at the top of each test class describes the module test plan for that class.
- The comment for each unit test member function describes the unit test plans for the testing function.
- Once module test plans are executed, modules are integrated.
- Specifically, stub functions used in a unit or module test are replaced with the actual functions.
- Subsequently, the test plan for the top-most function(s) in a collection is rerun with the integrated collection modules.
- The integration continues in this manner until the entire system is integrated.
- Provide inputs where the precondition is true.
- Provide inputs where the precondition is false.
-
For preconditions or postconditions that define data ranges:
- Provide inputs below, within, and above each precondition range.
- Provide inputs that produce outputs below, within, and above each precondition range.
- For preconditions and postconditions with and/or logic, provide test cases that exercise each clause of the logic.
-
For classes that define some form of collection:
- Test all operations with an empty collection.
- Test all operations with a collection containing exactly one element and exactly two elements.
- Add a substantial number of elements, confirming state of collection after each addition.
- Delete each element, confirming state of collection after each delete.
- Repeat addition/deletion sequence two more times.
- A path is defined in terms of control flow through the logic of a function body.
- Each branching control construct defines a path separation point.
- By drawing the control-flow graph (i.e., flow chart) of a function, its paths are clearly exposed.
- To ensure full path coverage, each path is labeled with a number, so it can be referenced in white box tests.
- Provide inputs that exercise each function path at least once.
-
For loops
- provide inputs that exercise the loop zero times (if appropriate),
- one time
- two times
- a substantial number of times
- the maximum number of times (if appropriate).
-
Provide inputs that can reveal flaws in the implementation of a particular
algorithm, such as:
- particular operation sequences
- inputs of a particular size or range
- inputs that may cause overflow, underflow, or other abnormal behavior
- inputs that test well-known problem areas in particular algorithm
- In the methodology outlined here, we write purely black box tests.
- The tests are executed under the control of a path coverage analyzer.
- When (if) the analyzer reports one or more paths not being covered, we use "grey box" by analyzing the uncovered paths, and strengthening the black box tests to cover the path as necessary.
- Note is some cases, uncovered paths may be useless or dead code that can be removed, thus requiring no further tests.
-
A complete grey box test plan can have an additional column that indicates the
path each test case covers, as in:
where p is the number of the function path covered by the test.Test No. Inputs Expected Output Remarks Path i parm 1= ref parm 1 = p ... ... parm m = ref parm n =
- For collection classes, inputs and outputs can grow large.
- For convenience, such inputs and outputs can be specified as file data, instead of the result of calling a series of constructor functions in the context of a module test.
- When external test data files are used, they can be referred to in test plans and used during test execution.
- Once a test suite is defined, it must be executed.
-
To automate the testing process, and ensure that it is repeatable, a test
driver must be written as a stand-alone program.
- The test driver must execute all tests defined in the system test plan.
- It must record all results in an orderly manner, suitable for human inspection.
- The test driver must also provide a test result differencer that compares the results of successive test runs and summarizes differences.
-
For 509, this process is automated in a Makefile, as exemplified in
projects/alpha/rolodex/testing/implementation/Makefile
- To perform tests initially, before all tests are executed via the Makefile, a symbolic debugger such as jdb can be used to execute individual functions.
- With a UI toolkit such as Swing, concrete UI tests are performed in the same basic manner as other functional tests.
- User input, such as button pressing, is simulated by calling the interface function that is associated with the particular form of input, e.g., SomeButtonListener.actionPerformed.
- Outputs that represent screen contents are validated initially by human inspection of the screen.
- Ultimately, some machine-readable form of the screen output must be used to compare test results mechanically.
- Note that we will NOT do this level of testing in 509, but rather test the GUIs via human interaction.
- One might think if we do a really thorough job of function and class tests, integration should not reveal any further errors.
-
We know from experience that integration often does reveal additional flaws.
- In this sense, failures of integration testing can be viewed as unit test failures.
- That is, a flaw revealed by an integration test indicates an incompleteness of the test cases for some individual function.
- This should lead to an update of the appropriate function test plan
- In so doing, individual tests will become stronger.
-
Suppose we have the following
class SomeModestModel { public void doSomeModelThing(String name) { ... hdb.doSomeProcessThing(...); ... } protected HumongousDatabase hdb; } class HumongousDatabase { public void doSomeProcessThing(...) { ... } } - In such cases, it may be quite time consuming to implement a stub for the function HumongousDatabase.doSomeProcessThing.
- This is a place where bottom-up testing is appropriate.
- There are some these floating around at various institutions.
- They do informally what mere mortals need to do in a more systematic way.
- Ultimately, even the brightest hack will not be able to do all testing informally.
- As programs are built in larger teams, no single person can know enough about the entire system to test it alone.
- Therefore, team-constructed software must be team tested, in a systematic manner.
-
Oracles
- What are they? Someone(thing) who (that) knows the answer.
- They are used primarily in test plan generation to define expected results.
- They are also used to analyze incorrect test results.
-
When an oracle takes on mythic proportions:
- When building a truly experimental piece of code for which the result is not yet known.
- I.e., the code is designed to tell us something we don't already know the answer to.
- Such cases are actually pretty rare.
- There's also a bit of mythicness to looking up the answer in a book (e.g., a trig function) or using someone else's (mathematical) theory we don't really understand ourselves.
-
Regression testing
- This the name given to the style of testing that we will employ that runs all tests in a suite whenever any change is made to any part of the system
- Typically full regression tests are run at release points for the system.
- There is ongoing research aimed at "smart" regression testing, where not all tests need to be run if it can be proved that a given change cannot possibly certain areas of the system.
-
Mutation testing
- This is a means to test tests.
- It employs a strategy where a program is mutated by changing the sense of some piece of logic
- For example, suppose the test in an if statement coded as "if (x < y)" is changed to "if (x >= y)".
- When such a mutation is made and a previously successful set of tests are run, the tests should fail in the places where the mutated code produces an incorrect result.
-
If a set of previously successful tests do not fail on a mutated program, then
one of two possibilities exists:
- The tests are too weak to detect a failure that should have been tested, in which case the tests need to be strengthened.
- The mutated section of code was "dead" in that it did not compute a meaningful result, in which case the code should be removed.
-
Generally, the first of these to possibilities is the case.
-
Mutation testing can be used systematically in such a way that mutations are
made in some non-random fashion.
- Such systematic mutation provides a measure of testing effectiveness.
- This measure can be used to test the effectiveness of different testing strategies, about which we will say more next week.
-
As outlined above, the following is the general strategy for test plan design
and implementation in Java:
- Each class X in the system design has a companion testing class named XTest.
- A test class is a subclass of the class it tests.
- Each member function X.f has a companion unit test function named XTest.testF.
- The comment at the top of each test class describes the module test plan for that class.
- The comment for each unit test member function describes the unit test plans for the testing function.
- Attached to the notes is an example that shows the rolodex model class and the companion test class.
-
Testing directory structure
-
Figure 1 shows the details of the testing directory structure in the context of
a normal project directory (without package subdirectories).
Figure 1: Testing directory structure.
- The variable $PLATFORM refers to the one or more subdirectories that contain platform-specific testing files (e.g., class, SUN4G, SUN4K, HP700).
-
The contents of the testing subdirectories are as follows:
DIRECTORY or FILE DESCRIPTION ======================================================================== *Test.java Implementation of module testing plans. Per the project testing methodology, each testing class is a subclass of the design/implementation class that it tests. input Test data input files used by scripts. These include both black-box and white-box input data, as appropriate. This subdir will be empty in cases where testing is performed entirely programatically, i.e., the testing scripts construct all test input data dynamically within the script, rather than inputing from test data files. output-good Output results from the last good run of the tests. These are results that have been confirmed to be correct. Note that these good results are platform independent. I.e., the correct results should be the same across all platforms. output-prev-good Previous good results, in case current results are erroneously deemed good. Note that this dir is superfluous if version control of test results is properly employed. However this directory remains as a backup to avoid nasty data loss in case version control has not been kept up to date. $PLATFORM/output Current platform-specific output results. These are the results produced by issuing a make command in a platform-specific directory. Note that current results are maintained separately in each platform-specific subdir. This allows for the case that current testing results differ across platforms. I.e., an implementation may work properly on one platform, but not on another. $PLATFORM/diffs Differences between current and good results. $PLATFORM/Makefile Makefile to compile tests, execute tests, and difference current results with good results. $PLATFORM/.make* Shell scripts called from the Makefile to perform specific testing tasks. $PLATFORM/*.class Test implementation object files.
-
Figure 1 shows the details of the testing directory structure in the context of
a normal project directory (without package subdirectories).
index | lectures | handouts | examples | doc