Structural test coverage criteria for lustre programs
Proceedings of the 10th international workshop on Formal methods for industrial critical systems
Automated Measure of Structural Coverage for LUSTRE Programs: a Case Study
AST '07 Proceedings of the Second International Workshop on Automation of Software Test
| Hi-index | 0.00 |
Adequacy criteria for structural testing techniques aredefined in terms of coverage (e.g. of statements orbranches). For black-box testing, such criteria, makingtesters able to decide when to stop testing, are more difficultto define. In this paper, we propose such a definition forthe particular case of specification-based testing techniquesfor synchronous software supplied by the Lutess testing environment.Lutess provides a framework for automaticallybuilding generators interacting with the software under testand feeding it with test input sequences. It requires a Lustrespecification of both the software environment and thesoftware safety properties. This specification is translatedinto an input-output automaton. A critical situation occurswhen a safety property can be violated unless the softwarereacts adequately. Such situations correspond to particularstates of the specification automaton, called suspectstates. Suspect states definition can be used in two complementaryways: First, to design testing techniques able toreach several such states during testing. Second, to assessthe thoroughness of a test input sequence in terms of coveredsuspect states. The above techniques are illustratedon a telephony software specification developed for the firstFeature Interaction Detection Contest and involving 12 differenttelephone features. The thoroughness of the Lutesstesting strategies is assessed as their ability to lead the softwareinto suspect states.