272: Software Engineering

Fall 2012

Instructor: Tevfik Bultan

Lecture 5: Testing Overview, Foundations

 Verification, Validation, Testing
• Verification: Demonstration of consistency, completeness, and
correctness of the software artifacts at each stage of and between
each stage of the software life-cycle.
– Different types of verification: manual inspection, testing, formal
methods
– Verification answers the question: Am I building the product right?
• Validation: The process of evaluating software at the end of the
software development to ensure compliance with respect to the
customer needs and requirements.
– Validation can be accomplished by verifying the artifacts produced
at each stage of the software development life cycle
– Validation answers the question: Am I building the right product?
• Testing: Examination of the behavior of a program by executing the
program on sample data sets.
– Testing is a verification technique used at the implementation
stage.
 Software Testing
• Goal of testing
– finding faults in the software
– demonstrating that there are no faults in the software (for the test
cases that has been used during testing)

• It is not possible to prove that there are no faults in the software using
testing

• Testing should help locate errors, not just detect their presence
– a “yes/no” answer to the question “is the program correct?” is not
very helpful

• Testing should be repeatable

– could be difficult for distributed or concurrent software
– effect of the environment, uninitialized variables
 Testing Software is Hard
• If you are testing a bridge’s ability to sustain weight, and you test it
with 1000 tons you can infer that it will sustain weight  1000 tons

• This kind of reasoning does not work for software systems

– software systems are not linear nor continuous

• Exhaustively testing all possible input/output combinations is too

expensive
– the number of test cases increase exponentially with the number
of input/output variables
 Some Definitions
• Let P be a program and let D denote its input domain

• A test case t is an element of input domain t  D

– a test case gives a valuation for all the input variables of the
program

• A test set T is a finite set of test cases, i.e., a subset of D, T  D

• The basic difficulty in testing is finding a test set that will uncover the
faults in the program

• Exhaustive testing corresponds to setting T = D

 Exhaustive Testing is Hard

• Number of possible test cases

int max(int x, int y) (assuming 32 bit integers)
{ – 232  232 = 264
if (x > y)
• Do bigger test sets help?
return x;
else – Test set
return x; {(x=3,y=2), (x=2,y=3)}
} will detect the error
– Test set
{(x=3,y=2),(x=4,y=3),(x=5,y=1)}
will not detect the error although
it has more test cases
• The power of the test set is not
determined by the number of test
cases
• But, if T1  T2, then T2 will detect
every fault detected by T1
 Exhaustive Testing
• Assume that the input for the max procedure was an integer array of
size n
– Number of test cases: 232 n

• Assume that the size of the input array is not bounded

– Number of test cases: 

• The point is, naive exhaustive testing is pretty hopeless

 Random Testing
• Use a random number generator to generate test cases

• Derive estimates for the reliability of the software using some

probabilistic analysis

• Coverage is a problem
 Generating Test Cases Randomly

bool isEqual(int x, int y) • If we pick test cases randomly it is

{ unlikely that we will pick a case where
if (x = y) x and y have the same value
z := false; • If x and y can take 232 different values,
else there are 264 possible test cases. In 232
z := false;
of them x and y are equal
return z;
} – probability of picking a case where
x is equal to y is 2-32
• It is not a good idea to pick the test
cases randomly (with uniform
distribution) in this case
• So, naive random testing is pretty
hopeless too
 Types of Testing
• Functional (Black box) vs. Structural (White box) testing
– Functional testing: Generating test cases based on the
functionality of the software
– Structural testing: Generating test cases based on the structure of
the program
– Black box testing and white box testing are synonyms for
functional and structural testing, respectively.
• In black box testing the internal structure of the program is
hidden from the testing process
• In white box testing internal structure of the program is taken
into account
• Module vs. Integration testing
– Module testing: Testing the modules of a program in isolation
– Integration testing: Testing an integrated set of modules
 Functional Testing, Black-Box Testing
• Functional testing:
– identify the the functions which software is expected to perform
– create test data which will check whether these functions are
performed by the software
– no consideration is given how the program performs these
functions, program is treated as a black-box: black-box testing
– need an oracle: oracle states precisely what the outcome of a
program execution will be for a particular test case. This may not
always be possible, oracle may give a range of plausible values
• A systematic approach to functional testing: requirements based
testing
– driving test cases automatically from a formal specification of the
functional requirements
 Domain Testing
• Partition the input domain to equivalence classes
• For some requirements specifications it is possible to define
equivalence classes in the input domain
• Here is an example: A factorial function specification:
– If the input value n is less than 0 then an appropriate error
message must be printed. If 0  n < 20, then the exact value n!
must be printed. If 20  n  200, then an approximate value of n!
must be printed in floating point format using some approximate
numerical method. The admissible error is 0.1% of the exact
value. Finally, if n > 200, the input can be rejected by printing an
appropriate error message.
• Possible equivalence classes: D1 = {n<0}, D2 = {0  n < 20}, D3 = {20
 n  200}, D4 = {n > 200}
• Choose one test case per equivalence class to test
 Equivalence Classes
• If the equivalence classes are disjoint, then they define a partition of
the input domain
• If the equivalence classes are not disjoint, then we can try to minimize
the number of test cases while choosing representatives from
different equivalence classes
• Example: D1 = {x is even}, D2 = {x is odd}, D3 = {x  0}, D4={x > 0}
– Test set {x=48, x= –23} covers all the equivalence classes
• On one extreme we can make each equivalence class have only one
element which turns into exhaustive testing
• The other extreme is choosing the whole input domain D as an
equivalence class which would mean that we will use only one test
case
 Testing Boundary Conditions
• For each range [R1, R2] listed in either the input or output
specifications, choose five cases:
– Values less than R1 R1 R2
– Values equal to R1
– Values greater than R1 but less than R2
– Values equal to R2
– Values greater than R2
• For unordered sets select two values
– 1) in, 2) not in
• For equality select 2 values
– 1) equal, 2) not equal
• For sets, lists select two cases
– 1) empty, 2) not empty
 Testing Boundary Conditions
• For the factorial example, ranges for variable n are:
– [, 0], [0,20], [20,200], [200, ]
– A possible test set:
• {n = -5, n=0, n=11, n=20, n= 25, n=200, n= 3000}
– If we know the maximum and minimum values that n can take we
can also add those n=MIN, n=MAX to the test set.
 Structural Testing, White-Box Testing
• Structural Testing
– the test data is derived from the structure of the software

– white-box testing: the internal structure of the software is taken

into account to derive the test cases

• One of the basic questions in testing:

– when should we stop adding new test cases to our test set?
– Coverage metrics are used to address this question
 Coverage Metrics
• Coverage metrics
– Statement coverage: all statements in the programs should be
executed at least once
– Branch coverage: all branches in the program should be
executed at least once
– Path coverage: all execution paths in the program should be
executed at lest once
• The best case would be to execute all paths through the code, but
there are some problems with this:
– the number of paths increases fast with the number of branches in
the program
– the number of executions of a loop may depend on the input
variables and hence may not be possible to determine
– most of the paths can be infeasible
Statement Coverage

• Choose a test set T such

that by executing program bool isEqual(int x, int y)
P for each test case in T, {
if (x = y)
each basic statement of P
z := false;
is executed at least once else
• Executing a statement once z := false;
and observing that it return z;
behaves correctly is not a }
guarantee for correctness,
int max(int x, int y)
but it is an heuristic
{
– this goes for all testing if (x > y)
efforts since in general return x;
checking correctness is else
undecidable return x;
}
 Statement Coverage

areTheyPositive(int x, int y) Following test set will give us statement

{ coverage:
if (x >= 0) T1 = {(x=12,y=5), (x= 1,y=35),
print(“x is positive”); (x=115,y=13),(x=91,y= 2)}
else
print(“x is negative”); There are smaller test cases which will
if (y >= 0) give us statement coverage too:
print(“y is positive”); T2 = {(x=12,y=  5), (x= 1,y=35)}
else
print(“y is negative”); There is a difference between these two
} test sets though
 Statement vs. Branch Coverage

assignAbsolute(int x)
{ Consider this program segment, the test set
if (x < 0) T = {x=1} will give statement coverage,
x := -x; however not branch coverage
z := x;
}
B0
Control Flow Graph: (x < 0)

true false
B1 Test set {x=1} does not
x := -x execute this edge, hence, it
does not give branch coverage

B2
z := x
 Control Flow Graphs (CFGs)
• Nodes in the control flow graph are basic blocks
– A basic block is a sequence of statements always entered at the
beginning of the block and exited at the end
• Edges in the control flow graph represent the control flow

if (x < y) { B0 (x < y)
x = 5 * y; Y N
x = x + 3;
} x = 5 * y B1 B2 y = 5
else x = x + 3
y = 5;
x = x+y;

x = x+y B3

• Each block has a sequence of statements

• No jump from or to the middle of the block
• Once a block starts executing, it will execute till the end
 Branch Coverage
• Construct the control flow graph

• Select a test set T such that by executing program P for each test
case d in T, each edge of P’s control flow graph is traversed at least
once

B0
(x < 0)

true false
B1 Test set {x=1} does not
x := -x execute this edge, hence, it
does not give branch coverage

Test set {x= 1, x=2}gives

B2 both statement and branch
z := x coverage
 Path Coverage
• Select a test set T such that by executing program P for each test
case d in T, all paths leading from the initial to the final node of P’s
control flow graph are traversed
 Path Coverage
B0
areTheyPositive(int x, int y)
(x >= 0)
{
if (x >= 0) true false
print(“x is positive”); B1 B2
else print(“x is p”) print(“x is n”)
print(“x is negative”);
if (y >= 0)
print(“y is positive”); B3
else (y >= 0)
print(“y is negative”); true false
} B4 B5
Test set: print(“y is p”) print(“y is n”)
T2 = {(x=12,y=  5), (x= 1,y=35)}
gives both branch and statement B6
coverage but it does not give path coverage
return
Set of all execution paths: {(B0,B1,B3,B4,B6), (B0,B1,B3,B5,B6), (B0,B2,B3,B4,B6),
(B0,B2,B3,B5,B6)}
Test set T2 executes only paths: (B0,B1,B3,B5,B6) and (B0,B2,B3,B4,B6)
 Path Coverage
B0
areTheyPositive(int x, int y)
(x >= 0)
{
if (x >= 0) true false
print(“x is positive”); B1 B2
else print(“x is p”) print(“x is n”)
print(“x is negative”);
if (y >= 0)
B3
print(“y is positive”);
else (y >= 0)
print(“y is negative”); true false
} B4 B5
print(“y is p”) print(“y is n”)
Test set:
T1 = {(x=12,y=5), (x= 1,y=35),
(x=115,y=13),(x=91,y= 2)} B6
gives both branch, statement and path return
coverage
 Path Coverage
• Number of paths is exponential in the number of conditional
branches
– testing cost may be expensive

• Note that every path in the control flow graphs may not be executable
– It is possible that there are paths which will never be executed
due to dependencies between branch conditions

• In the presence of cycles in the control flow graph (for example loops)
we need to clarify what we mean by path coverage
– Given a cycle in the control flow graph we can go over the cycle
arbitrary number of times, which will create an infinite set of paths
– Redefine path coverage as: each cycle must be executed 0, 1, ...,
k times where k is a constant (k could be 1 or 2)
 Condition Coverage
• In the branch coverage we make sure that we execute every branch at
least once
– For conditional branches, this means that, we execute the TRUE
branch at least once and the FALSE branch at least once
• Conditions for conditional branches can be compound boolean
expressions
– A compound boolean expression consists of a combination of
boolean terms combined with logical connectives AND, OR, and
NOT
• Condition coverage:
– Select a test set T such that by executing program P for each test
case d in T, (1) each edge of P’s control flow graph is traversed at
least once and (2) each boolean term that appears in a branch
condition takes the value TRUE at least once and the value FALSE
at least once
• Condition coverage is a refinement of branch coverage (part (1) is
same as the branch coverage)
 Condition Coverage
T = {(x=1, y=1), (x=1, y=1)} will achieve
statement, branch and path coverage, however
something(int x) T will not achieve condition coverage
{ because the boolean term (y < x) never
if (x < 0 || y < x) evaluates to true. This test set satisfies part (1)
{ but does not satisfy part (2).
y := -y;
x := -x; B0 T = {(x=1, y=1), (x=1, y=0)}
} (x < 0 || y < x) will not achieve condition coverage
z := x; either. This test set satisfies part (2)
} true false but does not satisfy part (1). It does
B1 not achieve branch coverage since
y := -y; both test cases take the true branch,
x := -x; and, hence, it does not achieve
condition coverage by definition.
Control Flow Graph B2
T = {(x=1, y=2), {(x=1, y=1)}
z := x
achieves condition coverage.
Multiple Condition Coverage
• Multiple Condition Coverage requires that all possible combination of truth
assignments for the boolean terms in each branch condition should
happen at least once
• For example for the previous example we had:
x < 0 && y < x

term1 term2
• Test set {(x=1, y=2), (x=1, y=1)}, achieves condition coverage:
– test case (x=1, y=2) makes term1=true, term2=true, and the whole
expression evaluates to true (i.e., we take the true branch)
– test case (x=1, y=1) makes term1=false, term2=false, and the whole
expression evaluates to false (i.e., we take the false branch)
• However, test set {(x=1, y= 2), (x=1, y=1)} does not achieve multiple
condition coverage since we did not observe the following truth
assignments
– term1=true, term2=false
– term1=false, term2=true
 Types of Testing
• Unit (Module) testing
– testing of a single module in an isolated environment

• Integration testing
– testing parts of the system by combining the modules

• System testing
– testing of the system as a whole after the integration phase

• Acceptance testing
– testing the system as a whole to find out if it satisfies the
requirements specifications
 Types of Testing
• Unit (Module) testing
– testing of a single module in an isolated environment

• Integration testing
– testing parts of the system by combining the modules

• System testing
– testing of the system as a whole after the integration phase

• Acceptance testing
– testing the system as a whole to find out if it satisfies the
requirements specifications
 Unit Testing
• Involves testing a single isolated module

• Note that unit testing allows us to isolate the errors to a single module
– we know that if we find an error during unit testing it is in the
module we are testing

• Modules in a program are not isolated, they interact with each other.
Possible interactions:
– calling procedures in other modules
– receiving procedure calls from other modules
– sharing variables

• For unit testing we need to isolate the module we want to test, we do

this using two things
– drivers and stubs
 Drivers and Stubs
• Driver: A program that calls the interface procedures of the module
being tested and reports the results

– A driver simulates a module that calls the module currently being

tested

• Stub: A program that has the same interface as a module that is

being used by the module being tested, but is simpler.

– A stub simulates a module called by the module currently being

tested

– Mock objects: Create an object that mimics only the behavior

needed for testing
•
 Drivers and Stubs

Module
Driver Stub
procedure Under Test procedure
call call

access to global
variables

• Driver and Stub should have the same interface as the modules they replace

• Driver and Stub should be simpler than the modules they replace
 Integration Testing
• Integration testing: Integrated collection of modules tested as a group
or partial system

• Integration plan specifies the order in which to combine modules into

partial systems

• Different approaches to integration testing

– Bottom-up
– Top-down
– Big-bang
– Sandwich
 Module Structure

A B
• We assume that
the uses hierarchy is
a directed acyclic graph.
• If there are cycles merge
D them to a single module

level 1 C H

level 0 E F G I

• A uses C and D; B uses D; C uses E and F; D uses F, G, H and I; H uses I

• Modules A and B are at level 3; Module D is at level 2
Modules C and H are at level 1; Modules E, F, G, I are at level 0
• level 0 components do not use any other components
• level i components use at least one component on level i-1 and no
component at a level higher than i-1
 Bottom-Up Integration
• Only terminal modules (i.e., the modules that do not call other
modules) are tested in isolation

• Modules at lower levels are tested using the previously tested higher
level modules

• Non-terminal modules are not tested in isolation

• Requires a module driver for each module to feed the test case input
to the interface of the module being tested
– However, stubs are not needed since we are starting with the
terminal modules and use already tested modules when testing
modules in the lower levels
Bottom-up Integration

A B

C H

E F G I
 Top-down Integration
• Only modules tested in isolation are the modules which are at the
highest level

• After a module is tested, the modules directly called by that module

are merged with the already tested module and the combination is
tested

• Requires stub modules to simulate the functions of the missing

modules that may be called
– However, drivers are not needed since we are starting with the
modules which is not used by any other module and use already
tested modules when testing modules in the higher levels
Top-down Integration

A B

C
H

E F G I
 Other Approaches to Integration
• Sandwich Integration
– Compromise between bottom-up and top-down testing
– Simultaneously begin bottom-up and top-down testing and meet
at a predetermined point in the middle

• Big Bang Integration

– Every module is unit tested in isolation
– After all of the modules are tested they are all integrated together
at once and tested
– No driver or stub is needed
– However, in this approach, it may be hard to isolate the bugs!
 System Testing, Acceptance Testing
• System and Acceptance testing follows the integration phase
– testing the system as a whole

• Test cases can be constructed based on the the requirements

specifications
– main purpose is to assure that the system meets its requirements

• Manual testing
– Somebody uses the software on a bunch of scenarios and records
the results
– Use cases and use case scenarios in the requirements
specification would be very helpful here
– manual testing is sometimes unavoidable: usability testing
 System Testing, Acceptance Testing
• Alpha testing is performed within the development organization

• Beta testing is performed by a select group of friendly customers

• Stress testing
– push system to extreme situations and see if it fails
– large number of data, high input rate, low input rate, etc.
 Regression testing
• You should preserve all the test cases for a program

• During the maintenance phase, when a change is made to the

program, the test cases that have been saved are used to do
regression testing
– figuring out if a change made to the program introduced any faults

• Regression testing is crucial during maintenance

– It is a good idea to automate regression testing so that all test
cases are run after each modification to the software

• When you find a bug in your program you should write a test case
that exhibits the bug
– Then using regression testing you can make sure that the old
bugs do not reappear
 Test Plan
• Testing is a complicated task
– it is a good idea to have a test plan

• A test plan should specify

– Unit tests
– Integration plan
– System tests
– Regression tests
 Test Driven Development
• A style of programming that has become popular with agile software
development approaches such as extreme programming

• Basic idea: Write the test cases before writing the code
– Test first, code second

• Divide the implementation to small chunks

– First write the test that tests the next functionality
– Check if the test fails (it should, since the functionality is not
implemented yet)
– Then, write the code to implement the functionality
– Run all the tests and make sure that the code passes all the tests
 Mutation Analysis
• Mutation analysis is used to figure out the quality of a test set
• Mutation analysis creates mutants of a program by making changes
to the program (change a condition, change an assignment, etc.)
• Each mutant program and the original program are executed using
the test set
• If a mutant and the original program give different results for a test
case then the test set detected that the mutant is different from the
original program, hence the mutant is said to be dead
• If test set does not detect the difference between the original program
and some mutants, these mutants are said to be live
• We want the test set to kill as many mutants as possible
– Mutant programs can be equivalent to the original program, hence
no test set can kill them
 Formalizing Testing
• The terminology used for testing is not always consistent

• The paper titled “Programs, Tests, and Oracles: The Foundations of

Testing Revisited” tries to clarify some of the concepts about testing
– It particularly focuses on the formalization of oracles
 Formalizing Testing
• Basic concepts in testing:

– P, Programs: This is the code, the implementation that we wish to

test

– T, Tests: T is a set of tests. Each test t  T defines all the inputs to

the program, so that given a test t, we can run the program p
using t

– S, Specifications: These are the specifications that characterize

the correct behavior of the program; they may not be written down

– O, Oracle: Oracle is used to determine if a test case passes or

fails
 Formalizing Testing

Syntactic structure may guide

Observability of P limits the P test selection
information available to O Semantic determines propagation
of errors for each test
P attempts
to implement S
Combination of
and T determine Tests suggest variables
O the effectiveness
T
worth observing
of testing

O approximates S Tests are designed to distinguish

incorrect P from S
S S may guide test selection
 Formalizing Testing
• A testing system consists of (P, S, T, O, corr, corrt)
– S is a set of specificaitons
– P is a set of programs
– T is a set of tests
– O is a set of oracles
– corr  P × S
– corrt  T × P × S

corr(p, s) is returns true if the program p is correct with respect to s

corrt(t, p, s) is true if and only if the specification h holds for program p
when running test t
for all p  P, for all s  S, corr(p,s)  for all t  T corrt(t, p, s)

– These functions are not known and are just theoretical concepts
used for defining properties of oracles
 Formalizing Oracles
• An oracle o  O identifies which tests pass and which tests fail
o(t, p) means that the test t passes for program p based on oracle o

• An oracle is complete with respect to p and s for t if:

corrt(t, p, s)  o(t, p)

• An oracle is sound with respect to p and s for t if:

o(t, p)  corrt(t, p, s)

• An oracle is perfect with respect to p and s if :

for all t, o(t, p) if and only if corrt(t, p, s)

• Most oracles used in testing techniques are complete. However, in

practice oracles are rarely sound.
 Oracle Comparisons
• Given a test set TS, oracle o1 has greater power than oracle o2
(denoted as o1 TS o2) for program p and specification s if:

for all t  TS, o1(t, p)  o2(t, p)

• Assuming that the oracles are both complete, a more powerful oracle
can catch more errors

• In some cases an oracle o1 can be more powerful than another oracle

o2 for all possible test sets. In such cases, o1 has power universally
greater than o2 (denoted as o1  o2)
 Test Adequacy
• Based on this formal framework, test and oracle adequacy can be
defined as predicates:

• Test adequacy criterion: TC  P × S × 2T

• Oracle adequacy criterion: OC  P × S × O

• Complete adequacy criterion: TOC  P × S × 2T × O

• Complete adequacy criterion underlines the fact that the adequacy of

testing must take into account both the tests and the oracles
• Effectiveness of testing depends on both the tests and the oracles
 Test Adequacy for Mutation Testing
• If we consider the method used to distinguish the mutants M from the
program p as an oracle, we can formulate the mutation testing
approaches using complete adequacy criterion

• For the set of mutants M, mutation adequacy MutM is satisfied for

program p, specification s, test set TS, and oracle o if:

MutM(p, s, TS, o)  for all m  M, there exists a t  TS: o(t, m)

In other words, for each mutant m  M, there exists a test t such that
the oracle o signals a fault.