

### **On-the-fly Test Synthesis** with TGV

Thierry Jéron Irisa / Inria Rennes http://www.irisa.fr/pampa, e-mail: Thierry.Jeron@irisa.fr



### Plan

- 1. Conformance Testing
- 2. The TGV project
- 3. Experiments and Industrial Transfer
- 4. Ongoing Work in Testing

# **1. Conformance Testing**

Testing problem: check if an implementation under test (IUT) of a reactive system conforms (or not) to its specification.
Black box testing: the source code of the IUT is unknown, only the interface can be controlled and observed by the tester.





### **Conformance testing**

o **Practice**: derive a set of test cases from the specification,

implement test cases in a tester,

try to find errors (test cases serve as oracles) or gain confidence.





### **Industrial Practice**

o Manual conception of test suites from informal specifications

- long and repetitive process,
   up to 30% of the cost of development process
- subject to errors : up to 20%
- no clear definition of conformance
- maintenance of test suites is difficult

⇒ Automation of test generation from formal specifications can be profit earning

### **Conformance testing of protocols**

- o Telecom is governed by standards:
  - Formal description techniques: Estelle, Lotos, SDL
  - ISO 9646: Conformance Testing Methodology and Framework
  - -> Test description langages: TTCN (Tree and Tabular Combined Notation), MSC (Message Sequence Charts),
  - Standardized protocols (in SDL in general)
  - Standardized test suites

#### o Difficulties for automation

- asynchronous communication
- non-determinism
- specificities of different levels: low level -> control

high level -> data

- large and detailed specifications
- constraint to produce test cases similar to manual ones

### **Structure of test cases (TTCN)**

- o Test Purpose: goal of the test case
- o Declarations (types, PCOs), constraints (variables and message parameters).

• **Behavior:** reactive program played by the **Tester** against the **IUT** Preamble: leads to the initial state of the test purpose Test body: checks the test purpose Postamble: back to a stable state or initial state after a verdict. Timers: observation of quiescence of the IUT.

#### o Verdicts:

FAIL: rejection (unauthorized timeout or unspecified input)
(PASS): Test Purpose reached, PASS: and back to a stable state
INCONCLUSIVE: specified input but Test Purpose not reachable
Test cases are re-run until a Fail or Pass verdict is reached

### **Example: A Simplified Phone Box**



**Test Purpose:** 

number and later connect







### **Automata Theoretic Methods**

o origin: hardware testing

o models: Mealy machines:  $s \xrightarrow{i/o} s'$ 

o fault model: output:  $s \xrightarrow{i/0} rio s'$ , transfer:  $s \xrightarrow{i/0} rio s''$ 

o hypothesis : Spec: input complete, deterministic, minimal, strongly connected IUT: input complete, deterministic, minimal (or < k), strongly connected

o test generation: one test case per transition: s apply i/ check o test suite: minimal length sequence with all elementary test cases algorithms: traveling salesman, flow graphs, linear programming

o different methods: TT, DS, UIO, W, etc, differ on checking sequences

o theoretical results: correction and exhaustivity for a fault model + hypothesis.

- strong hypothesis, algorithmic complexity, treatment of non determinism
- + completeness, checking sequences



### **Methods based on Labelled Transition Systems**

o origin: testing theory, canonical tester.

o models: LTS (not well adapted) or IOLTS:  $s \xrightarrow{?i} s' \xrightarrow{!o} s''$ 

o fault model <- > conformance relation between IUT and Spec difference between possible observations of IUT and Spec after same traces

o hypothesis : Spec: no hypothesis, IUT: input complete

o test generation: graph traversal algorithms, model-checking:

- random synthesis (Twente) and on-the-fly execution
- on-the-fly synthesis guided by a test purpose (TGV)

o theoretical results:

unbias: only non conformant IUT may be rejected exhaustiveness: all non conformant IUT may be rejected.

- no checking sequences
- + weak hypothesis, performant on-the-fly algorithms, test structure

# **2. The TGV project** (Test Generation with Verification technology)

o Joint project since 94: Verimag Grenoble - Irisa Rennes

o **Goal**: using on the fly model-checking techniques for efficient test case synthesis for conformance testing.

#### o **Participants**:

#### - Irisa Rennes:

Researchers: T. Jéron, C. Jard, V. Rusu, C. Viho Engineers: H. Kahlouche (Montréal), S. Simon, S. Ramangalahy Ph. D.: P. Morel, L. Nedelka, + training students

#### - Verimag Grenoble:

Researchers: J.-C. Fernandez (-> LSR), A. Kerbrat (Telelogic), J. Sifakis,

Ph. D. : M. Bozga, L. Ghirvu

- Inria Grenoble: assistance of H. Garavel for CADP



# **TGV main characteristics**

- o **Sound testing theory:** based on IOLTS and adapted from works of Brinksma and Tretmans (Univ. Twente) and Phalippou (Cnet Lannion)
- o **Algorithms:** on-the-fly model-checking lazzy construction of a partial state graph guided by a test purpose
- o **Test quality:** comparable with manual ones, minimize Inconclusive verdicts, unbias and (theoretical) exhaustiveness
- o Langage independant: same source code for SDL, Lotos,UML produces TTCN.
- o Case studies in different application domains: protocols, hardware, embedded systems.
- o **Distribution:** free version available in the CADP toolbox.
- o Industrial transfert: TestComposer (Verilog/Telelogic)



### **TGV functionalities**



# **Test Generation in TGV**

IRISA





### **Models: IOLTS**

o Transition systems with three kinds of transitions:

- input:  $s \xrightarrow{?x} s'$ , output:  $s \xrightarrow{!a} s'$ ,

internal action:  $s \xrightarrow{\tau} s'$ 

o Modelisation facilities:

- non-determinism (automata):



- observable "non-determinism":



# Quiescence

- o quiescence (absence of reaction) of a reactive system is observable by testing by the use of timers
- o possible quiescence must be computed on the specification





# **Test purposes**

#### Automata used to select behaviors of the specification:

- o Observable and internal actions (-> useful for testing in context)
- o Complete (implicitly => abstraction)
- o Two distinguished sets of trap states: Accept and Refuse
  - Pass <----> Accept Fail <--/--> Refuse (traversal cut)



Test purpose accepting sequences with  $\tau_1$  followed later by !b

Refuse allows to cut sequences with a  $\tau_2$  before any  $\tau_1$ 

### **Principle of on-the-fly generation**

o Test Purpose ---> Test Case = mirror image of the observable behavior of a the part of the Specification behavior selected by the Test Purpose.
 + a test case should be controlable

 $\Rightarrow Lazzy \text{ construction of the behavior of the Specification S,} its observable behavior (without internal action and deterministic) and Test Case selection according to Test Purpose Accept states.$ 

o Necessitates special algorithms and a particular tool architecture





- consider each Test Purpose TP as a property
- model-check S with TP
- generate all witnesses + output freedom of S internal actions
   --> Complete Test Graph
- add controlability: Test Case TC



 $\tau^*$ -reduction (local view)

IRISA



# $\tau^*$ -reduction and determinization





# **Elimination of controlability conflicts**

#### • In general CTG is not a test case: not controlable

Forbidden configurations: the tester controls its outputs

IRISA



• Conflicts resolution during DFS + completed by a reverse DFS of CTG



Pruning modifies reachability to initial state=> reachability problem

?z

- Several possible traversals: - breadth first starting from Pass states -> shortest paths
- depth first
- SCC (Tarjan) :

synthesis of information L2init in  $\rightarrow_{\text{CTG}}^{-1}$  -> garbage collection

IRISA

# **Functional architecture of TGV**



#### Each API provides the functions:

- init: initial state
- fireable(s): {fireable transitions in t}
- succ(s,t): state reached after t in s

#### The APIs of SP, SP<sub>vis</sub> provides also

- Accept(s)
- Reject(s)

The API of CTG or TG provides also

- Pass(s)
- Inconc(s)
- Fail(s)

### (Manual) Test case verification



Variant of TGV used for:

- Verification of unbias of (manual) test cases and correction in case of bias

TC biased if TC rejects a conformant IUT

- Refinement if permissiveness TC permissive if some of its transitions could produce a fail

Unbiased Test case TC' (TTCN)

o Semi-automatic generation: TC outputs proposed by user, inputs and verdicts computed according to Spec using  $\tau^*$ -reduction and determinization

#### 

# **Small example: initiator process of Inres in SDL**



#### 🔁 I R I S A **Complete state graph (not minimized)** pco !idat((. red .)) 6 pco?idatreq((. red .)) pco?idatreq((, white .)) pco liconconf pco?iconf pcolidis pco !idisind 3 pco !idisind 12 pco?idis pco.Hcon 10 9 pco !jdisind co lidisind nco idisin pco?idi pco pco?iconreq





### Controlable test case produced on the fly





### **TTCN test case**

| +Bent Case Dynamic Behaviour                                                                                                             |                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                 |                                                                                                                                                    |          |
|------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| Test Case Name                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                 |                                                                                                                                                    |          |
| Nr   Label                                                                                                                               | Behaviour Description                                                                                                                                                                                                                                                                                                                                                                                                              | l Constraints Ref                                                                                                               | l Verdict                                                                                                                                          | Comments |
| 1   L1<br>  2  <br>  3  <br>  4  <br>  5  <br>  6  <br>  7  <br>  8  <br>  9  <br>  10  <br>  11  <br>  12  <br>  13  <br>  14  <br>  15 | <pre>  pco! iconreq, St tidisind, St ticon<br/>  pco? icon, Cl ticon, Cl tidisind<br/>  pco! iconf, St ticonconf<br/>  pco? iconconf, Cl ticonconf<br/>  pco! idatreq, St tidisind, St tidat<br/>  pco? idat, Cl tidat, Cl tidisind<br/>  pco? idisind, Cl tidat, Cl tidisind<br/>  GOTO L1<br/>  ? tidat<br/>  ? tidisind<br/>  pco? idisind, Cl ticon, Cl tidisind<br/>  GOTO L1<br/>  ? ticon<br/>  ? ticon<br/>  ? ticon</pre> | iconreq0<br>  icon2<br>  iconf3<br>  iconconf4<br>  idatreq5<br>  idat6<br>  idisind1<br> <br> <br>  idisind1<br>  idisind1<br> | <br> <br> <br>  (PASS)<br> <br> <br>  FAIL<br>  FAIL<br> <br> |          |

# **3. Experiments and Industrial Transfert**

#### o **DREX protocol in SDL** (military version of D protocol)

- contract with French Army, CNET, Verilog, Cap Sesa, Verimag, Irisa.
- **5** service specification (1 per service):
  - 1 process, 35 SDL transitions, 1800 lines of SDL PR, 50 pages of SDL GR.



test case generation: first version of TGV on explicit graphs, 50 test purposes

o Cache coherency protocol of the Polykid architecture in Lotos Cooperation with Bull, INRIA Rhones-Alpes, Irisa

#### Lotos specification: 2000 lines (1800 ADT, 200 control), 1 process.

- test case generation:
  - "on the fly" with a connection to the Open Caesar Lotos simulator.
- test case execution:
  - on the Polykid architecture by a translation of test cases in C.
- results:
  - design and coding of a second version of TGV "on the fly"
  - use of TGV in a different application domain
  - complete chain from specification to test execution
  - work still continues on other architectures



#### **SSCOP** (continued)

#### o Test generation:

- connection of the on-the-fly version of TGV to the ObjectGéode simulator of Verilog.
- test generation from 50 complex test purposes.
- o Test case verification and correction (unbias and laxness)
  - from TTCN test suite translated into our input format (Lex,Yacc)
  - verification of test cases w.r.t SDL spec.
     using TGV\_VTS connected to ObjectGeode .
  - 110/250 test cases verified (valid PDU, no Invalid or Inoportune PDU)
     --> 16 erroneous test cases corrected

#### **o Protocol of an embedded network in the automotive area in SDL.**

 draft of the protocol: 2 processes, 1000 lines of SDL PR, 25 pages of SDL GR



- feasability of on-the-fly generation shown on a few test purposes
- connection of TGV "explicit" to SDT of Telelogic by a translation of the SDT state graph format into Aldebaran format.



The design, coding and validation of the algorithms of TGV was partially done at Irisa.

# 4. Ongoing Work in Testing

#### o Symbolic test generation for a better treatment of data in specifications

- combination of TGV techniques with constraint solving, static analysis and proof (PVS).
- application domains: protocols, smart cards, ....

#### o Distributed testing and asynchronous communication

- synthesis of distributed test cases from sequential ones,
- direct synthesis of distributed test cases (true concurrency models)
- results on respective powers of local synchronous testing and remote asynchronous testing using stamps

# o Test synthesis for distributed object oriented software - connection of TGV with our UML validation framework.

#### o Use of game theory for test generation

- testing = game between the system and the tester
- winning strategies = test cases with best possible control of the IUT.
- to be implemented in TGV

#### o Controler Synthesis and Test Synthesis

