slide1 l.
Skip this Video
Loading SlideShow in 5 Seconds..
Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments PowerPoint Presentation
Download Presentation
Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments

Loading in 2 Seconds...

play fullscreen
1 / 55

Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments - PowerPoint PPT Presentation

  • Uploaded on

Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments. Hong Zhu Dept. of Computing and Electronics, Oxford Brookes University, Oxford, OX33 1HX, UK Email: Outline. Background Motivation Related works

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Automated Testing of Software Components Based on Algebraic Specifications -- Method, Tool And Experiments' - benjamin

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Algebriac Testing

Automated Testing of Software Components Based on Algebraic Specifications-- Method, Tool And Experiments

Hong Zhu

Dept. of Computing and Electronics,

Oxford Brookes University,

Oxford, OX33 1HX, UK


  • Background
    • Motivation
    • Related works
    • Overview of the approach
  • Specification language CASOCC
  • Testing tool CASCAT
  • Empirical evaluation
  • Conclusion and future work

Algebriac Testing

challenges in testing components
Challenges in testing components
  • Components often have no user interface
    • Developers spend as much time in writing test harness
      • excessive overhead, inadequacy of testing, low effectiveness
  • Components are usually delivered as executable code
    • without the source code and design information
      • White-box testing, model-driven testing methods not applicable
    • contains no instrumentation
      • Internal behaviour observation and test adequacy measurement are virtually impossible
  • Existing approaches to the problems
    • Self-testing, e.g. (Beydeda, 2006): yet to be adopted by the industry
    • Specification-based testing: design-by-contract, FSM, etc.

Algebriac Testing

algebraic specification
Algebraic specification

Spec NAT

Sorts: nat;


zero: -> nat;

succ: nat -> nat;


zero  succ(x);

succ(x) = succ(y)

=> x=y;


  • A signature:
    • a set of sorts and
    • a set of operators on the sorts
  • A set of axioms:
    • in the form of conditional equations

Algebraic specification (AS) emerged in the 1970s. In the past three decades, it has developed into a mature formal method.

Algebriac Testing

basic idea of algebraic testing
Basic idea of algebraic testing

By substituting constants into variables, we can generate test cases

S: stack, n: integer,

S.push(n).height() = S.height()+1

Checking the equivalence between the values of the left and right hand sides is to check the correctness of test results

A ground term corresponds to a sequence of procedure/ method/ operation calls

Algebriac Testing

related works
Related works

Algebriac Testing

overview of the proposed approach
Overview of the proposed approach
  • Sorts to represent all types of software entities:
    • ADT, Class, Component
  • Test case generation:
    • Composition of observation contexts and axioms with ground normal forms substituted into non-primitive variables and random values for primitive variables
  • Test oracle:
    • Direct checking since test cases are checkable

Algebriac Testing

casocc specification language
Spec Stack

observable F;

import Int, String;



create: String->Stack;


push: Stack,Int ->Stack;


pop: Stack->Stack;


getId: Stack->String;

top: Stack->Int;

height: Stack->Int;


S: Stack; n: Int; x: String;


1: create(x).getId() = x;

2: findByPrimaryKey(x).getId() = x;

3: create(x).height() = 0;

4: S.push(n) = S;

if S.height() = 10;

5: S.pop() = S; if S.height() = 0;

6: S.push(n).pop() = S;

if S.height() < 10;

7: S.push(n).top() = n;

if S.height() < 10;

8: S.push(n).height() =S.height()+1;

if S.height() < 10;

9: S.pop().height() = S.height()-1;

if S.height() >0;


CASOCC specification language

Algebriac Testing

behavioural semantics and observable sorts
Behavioural semantics and observable sorts

Definition 1. (Observable sort)

In an AS <S, E>, a sort s is an observable sort implies that there is an operation _ == _ : ssBool such that for all ground terms t and t’ of sort s,

E|-( (t == t’) = true) E |- ( t=t’ ).

An algebra A (i.e. a software entity) is a correct implementation of an observable sort s if for all ground terms t and t’ of sort s,

A |= (t=t’) A|= ( (t == t’) = true) 

Pre-defined sorts of Java primitive classes and data types are observable.

Algebriac Testing

well founded formal specifications
Well founded formal specifications

Let U be a set of specification units in CASOCC and S be a set of sorts. For each sort sS, there is a unit UsU that specifies the software entity corresponding to sort s.

Let  be the importation relation on S.

Definition 2. (Well founded specifications)

A sort sS is well founded if s is observable, or for all s’ in the import list of Us, s’ is an observable sort, or s’ is well founded.

A specification U is well founded if and only if the importation relation is a pre-order on the set S of sorts, and all sorts sS are well founded. 

Algebriac Testing

well structured formal specifications
Well-structured formal specifications

Definition 3. (Well structured specifications)

A specification U in CASOCC is well structured if it satisfies the following conditions.

(1) It is well founded;

(2) For every user defined unit Us U,

(a) there is at least one observer in Us;

(b) for every axiom E in Us, if the condition contains an equation t=t’, we must have, where s’ is the sort of terms t and t’. 

A practice implication: for all sorts there are finite lengths of observable contexts.

Algebriac Testing

observation context
Observation context

Definition 1. (Observation context)

A context of a sort c is a term C with one occurrence of a special variable of sort c. The value of a term t of sort c in the context of C, written as C[t], is the term obtained by substituting t into the special variable .

An observation contextoc of sort c is a context of sort c and the sort of the term oc is. To be consistent on notations, we write _.oc: cs to denote an observation context oc.

An observation context is primitive if s is an observable sort. In such cases, we also say that the observation context is observable and call the context observable context for short. 

Algebriac Testing

form of observation context
Form of observation context
  • The general form of an observation context oc:



    • f1, ..., fk are transformers of sort sc,
    • obs is an observer of sort c,
    • f1(...), ..., fk (...) are ground terms.
  • A sequence of observation contexts oc1, oc2, …, ocn , where _.oc1: cs1, _.oci: si-1si,i =2,…,n, can be composed into an observation context _.oc1.oc2. ….ocn.
  • Example:
    • _.pop().pop().height()

Algebriac Testing

checkable test cases
Checkable test cases

written T1=T2, [if C]

  • Test cases:
    • a test case is a triple <T1, T2, C>, where
      • T1 and T2 are ground terms
      • C (optional) is a ground term of Boolean sort.
    • It means that values of T1 and T2 should be equivalent if C evaluates to True.

Definition 2. (Checkable test cases)

A test case T1=T2, [if C]is directly checkable (or simply checkable), if and only if

(a) the sort of terms T1 and T2 is observable, and

(b) the sort of equations in C is observable, if any. 

Algebriac Testing

test case generation algorithm skeleton
Test case generation algorithm (Skeleton)


Spec s: CASOCC specification unit of the main sort;

Sigs s1, s2, …, sk: The signature of imported sorts;

TC: A subset of axioms in s (* the axioms to be tested *);

vc: Integer (*complexity upper bound of variables*);

oc: Integer (*complexity upper bound of observation contexts*) ;

rc: Integer (* the number of random values to be assigned to variables of primitive sorts*)


Step 1: Initialisation

Step 2: Generate normal form terms for non-primitive variables

Step 3: Generate random values for primitive variables

Step 4: Substitute normal forms into axioms

Step 5: Substitute random values into test cases

Step 6: Compose test case with observation context

Step 7: Output test set


Algebriac Testing

properties of the test case generation algorithm
Properties of the test case generation algorithm

Theorem 1. The test case generation algorithm will always terminate if the specification is well founded. 

Theorem 2. The test cases generated are checkable, i.e. for all test cases <t1=t2; if c> generated by the algorithm, t1, t2 and c are of primitive or observable sorts. 

Theorem 3. The test cases are valid. That is, if the specification is well-structured and the observable sorts satisfy the constraints in Definition 1, we have the following properties.

(a) The program correctly implements the specification with respect to the behavioural semantics of algebraic specifications implies that the evaluation of t1 and t2 using the program give equivalent results provided that c is evaluated to be true.

(b) If the evaluation of t1 and t2 gives non-equivalent values in an implementation when c is evaluated to true, then there are faults in the program. 

Algebriac Testing

testing tool cascat

Component Spec in CASOCC

J2EE Component Deployed on JBoss Platform

Test Report

CASOCC Spec Parser

Test Driver

Test Result Evaluator

Test Case Generator

Test Cases


Testing tool CASCAT

Algebriac Testing

experiment 1 evaluation of effectiveness
Experiment 1: Evaluation of effectiveness
  • The experiment process
    • Selection of subject components:
      • from well established public sources.
    • Development of formal specification:
      • based on the document and source code.
    • Testcase generation:
      • automatically by the CASCAT tool from the specification.
    • Validation of formal specification.
      • The subject component is checked against its formal specification by executing the components on the test cases using the CASCAT tool.
    • Fault injection: used MuJava.
    • Eliminate equivalent mutants: manually examined
    • Test execution.
      • A mutant is classified as fault detected if at least on of the axioms of the component is violated or the execution is terminated abnormally.

Algebriac Testing

results of the experiment
Results of the experiment

Algebriac Testing

main findings 1
Main findings (1)
  • The fault detecting ability is not sensitive to the scale of the subject under test. (Correlation coefficient =0.20)

Algebriac Testing

main findings 2
Main findings (2)
  • The fault detecting ability decreases only slightly when testing multiple component subjects.

Algebriac Testing

main findings 3
Main findings (3)
  • The method consistently detects significantly more faults in session beans than in BMP entities beans despite that entity beans are usually much less complex than session beans.

This statement is supported by T-Test.

Algebriac Testing

main findings 4
Main findings (4)
  • The development of axioms was less difficult than we expected.
  • There is a simple pattern of axioms for entity beans despite their differences in semantics.

Algebriac Testing

is algebraic testing practical
Is algebraic testing practical?
  • Cost of algebraic testing:
    • Writing algebraic specification
    • Deploy the component to component platform, such as JBoss
    • Generation of test cases (automated by tool)
    • Review of test report (checking correctness is done automatically)
  • How expensive is writing algebraic specifications?
  • Is writing algebraic specification learnable?
  • What skill and knowledge are required to write algebraic specifications?

Algebriac Testing

how to write algebraic specifications 1
How to write algebraic specifications (1)
  • the description of the signature
    • the identification of the operations, e.g.
      • The signature of the operations can be derived from the type definitions of the methods given in the source code.
    • the classification of operations
      • Creators: create instances of the software entity and/or initialise the entity. They must have no parameters of the main sort, but result in the main sort.
      • Constructors: construct the data structure by adding more elements to the data. A constructor must have a parameter of the main sort and results in the main sort. It may occur in the normal forms if the axioms are used as term rewriting rules.
      • Transformers: manipulate the data structure without adding more data. Similar to constructors, a transformer must have the main sort as its parameter and results in the main sort. However, it cannot occur in any normal forms.
      • Observers: enable the internal states or data in the software entity to be observed from the outside. Observers must have a parameter of the main sort but result in an imported sort.

Algebriac Testing

how to write algebraic specifications 2
How to write algebraic specifications (2)
  • the determination of the axioms
    • For each setter setX(v) (set the value of attribute X to v),

s,v. (s.setX(v).getX = v), Ifpre-condsetX(v)

s,v. (s.setX(v).getY = s.getY),

where X Y.

    • For each getter getX (get the value of attribute X)

s,v. (s.[getX] = s),

    • For each creator C(x1,x2,…, xn)
    • x1,…, xn. . C(x1,…, xn).getXi = xi, If pre-cond C(x1,…, xn)
    • For each constructor and transformer F(x),

s,x. (s.F(x).getX) = f(x, s.getX), if pre-condF(x),

    • For each operation P(x) that involves more than one parts A and B:

s,x,y. (s. [A.P (x)].B = s.B.Q(y)), if pre-condA.P(x)

Algebriac Testing

experiment 2 cost of writing algebraic spec
Experiment 2: Cost of writing algebraic spec
  • Subjects:
    • Students of computer science (35, year 3)
    • Mathematics course: Advanced University Mathematics Part A and Part B and Discrete Mathematics.
    • Programming courses: C++ Programming, Java Programming and Data Structure
    • No exposure to formal methods

Table 1. Statistic Data of Student Capability

Algebriac Testing

process of the experiment
Process of the experiment

Lesson 0:

  • Introduction to formal methods.

Lesson 1:

  • Introduced to algebraic specification and the CASOCC specification language.
  • An example formal specification of stacks
  • A brief introduction to software component for the first class test
  • The first class test (individual and independent)

Lesson 2:

  • Sample answer to the class test question 1
  • A brief introduction to software component for the second class test
  • The second class test (also individual and independent)

Lesson 3:

  • Sample answer to the second class test question
  • A brief introduction to software component for the third class test
  • The third class test (also individual and independent)

Lesson 4:

  • Sample answer to the previous class test
  • A brief introduction to software component for the final class test
  • The final class test

Algebriac Testing

marking scheme of class tests
Marking scheme of class tests
  • Correctness of the answer: 50%.
    • It is assess according to the correctness of the signature and axioms in the student’s work.
    • Minor syntax errors that can be detected by CASCAD tool is deduced by 20%
    • Incorrect axioms were given no marks.
  • Completeness of the axiom system: 50%.
    • It is assessed according to the coverage of the operations by the axioms.
    • The coverage of each operation was given the equal number of marks.

Algebriac Testing

recording times
Recording times
  • The time that each student took to complete the class test was recorded in the experiment.
    • The students were given no limit on the time to complete the class tests.
    • The students were asked to hand in their work as soon as possible.
    • The students were briefed about the function and the interface of the component before started to work on the class test question.

The time taken to write the algebraic specification excludes the time to understand the components.

Algebriac Testing

components used in class tests
Components Used in Class Tests

[1] 周长发, Java数值计算算法编程,电子工业出版社,2007.

[2] Bodoff, S. et al. 2004. The J2EE Tutorial, 2nd Edt., Pearson 2004.

Algebriac Testing

main findings 137
Main Findings 1

Is writing algebraic specifications learnable?

Algebriac Testing

distributions of grades in class tests
Distributions of Grades in Class Tests

The students’ learning experience is not hard. They attained the knowledge and skill of algebraic specification in just a few lessons.

Algebriac Testing

main findings 240
Main Findings 2

How expensive to write an algebraic specification for a software component?

Algebriac Testing

changes in the distributions of times
Changes in the distributions of times

On average a student took about half hour to complete the writing of an algebraic specification for a typical software component.

Algebriac Testing

main findings 342
Main Findings 3

Does writing algebraic specification need good mathematical skills?

Correlation Coefficients

Algebriac Testing

cluster analysis
Cluster analysis

We divide the students into the following four groups and calculated their scores in class tests.

  • P>M: More capable of programming than mathematics.
  • P<M: More capable in mathematics than programming
  • P~M High: Equally capable of programming and mathematics
  • P~M Lower: Equally incapable of programming and mathematics

Algebriac Testing

The students’ performances in class tests are more closely related to their programming capability than to mathematics knowledge and skills.
  • Notes:
    • the link between students’ performance in class tests and programming capability should be interpreted as their capability of learning algebraic specification rather than their final attainment.
    • the link is not strong since the absolute values of the correlation coefficients are in the range from 0.41 to 0.52.

Algebriac Testing

main findings 445
Main Findings 4

Is writing algebraic formal specifications a job only for the most capable?

Algebriac Testing


Writing algebraic specification must be the job of the most capable programmers. However, there is a potential bias.

The average scores and average times contain the results of the first and second class tests. Thus, they do not reflect the situation after the students completed their training.

Algebriac Testing

(a) Relationship between final class test score and programming capability

y = -0.0002x2 - 0.0148x + 98.405 (3)

(b) Relationship between final class test times and programming capability

y = 0.0017x2 - 0.4558x + 56.043 (4)

After taking three lessons and class tests, the students are capable of writing algebraic specifications of almost equal quality, but the most capable ones took slightly less time.

Writing algebraic specifications can be a job for any well trained software developer rather than just for the few most capable ones.

Algebriac Testing

general conclusions of experiment 2
General conclusions of experiment 2
  • Conclusion 1 (Learnability): Writing algebraic specification is learnable for ordinary software developers.
  • Conclusion 2 (Independence of mathematical skills) The knowledge and skill of programming is more important than mathematics to writing algebraic specifications of software components.
  • Conclusion 3 (Cost efficiency): Writing algebraic specification can be as cost efficient as programming in high level programming languages.
  • Conclusion 4 (Equality in performance): Writing algebraic specification can be a skill of every well trained software developer. Although their efficiency in writing algebraic specifications depends on their capabilities, there should be no significantly different from each other on the quality.

Algebriac Testing

limitations of the conclusions 1
Limitations of the conclusions 1

The conclusions are only applicable to writing algebraic formal specifications.

  • They do not necessarily imply that writing formal specifications in other formalisms has the same properties.
  • Further research: to investigate whether the same claim can be made to other formalisms such as Z, Petri-nets, process algebras like CSP, CCS and -calculus, and labelled transition system in general.

A notable advantage of algebraic specification is that the syntax and semantics of axioms are simple and easy to understand. They use little mathematics notations.

Algebriac Testing

limitations of the conclusions 2
Limitations of the conclusions 2

The conclusions are only applicable to writing formal specification

  • They do not necessarily imply that other formal development activities have the same properties, such as
    • reasoning about software properties,
    • proving software correctness,
    • deriving software using formal specifications.

These activities may well require much deeper understanding of the theories of formal methods and the semantics of formal specification languages. They may also rely on skills of using software tools that supports formal methods.

Algebriac Testing

  • Summary:
    • A technique of automated component testing based on algebraic specifications.
      • A specification language CASOCC
      • An algorithm to generate checkable test cases.
      • An automated prototype testing tool CASCAT for EJB components.
  • Advantages:
    • AS are independent of the implementation, thus suitable for components
    • A high degree of automation
    • No need of the availability and uses of the full set of axioms of all constituent and dependent entities
    • Can focus on a subset of functions and properties of the component
    • A high fault detecting ability
    • Scalable and practically usable
    • Cost efficient

Algebriac Testing

future work
Future work
  • More experiments with multiple components subjects
  • Extending the tool from testing EJB 2.0 component to EJB 3.0, i.e. to directly support message driven components
  • Extending the technique for testing web services and concurrent systems

Algebriac Testing


Gonnon, J., McMullin, P. and Hamlet, R., Data-Abstraction Implementation, Specification and Testing, ACM TOPLAS 3(3), 1981, 211-223.

Bernot, G., Gaudel, M. C., and Marre, B., Software testing based on formal specifications: a theory and a tool, Software Engineering Journal, Nov. 1991, 387- 405.

Doong,K. & Frankl, P., The ASTOOT approach to testing object-oriented programs, ACM TSEM3(2),1994, 101-130

Hughes, M. and Stotts, D., Daistish: systematic algebraic testing for OO programs in the presence of side-effects. ISSTA’96, 53-61.

Chen, H.Y., et al., In black and white: an integrated approach to class-level testing of object-oriented programs, ACM TSEM 7(3), 1998, 250-295.

Chen,H.Y., Tse,T.H. & Chen,T.Y., TACCLE: a methodology for object-oriented software testing at the class and cluster levels, ACM TSEM 10(1), 2001, 56-109.

Algebriac Testing

Kong, L., Zhu, H., and Zhou, B. 2007. Automated Testing EJB Components Based on Algebraic Specifications. Proc. of COMPSAC’07, Vol. 2, 717-722.
  • Yu, B., Kong, L., Zhang, Y., and Zhu, H. 2008. Testing Java Components Based on Algebraic Specifications. Proc. of ICST’08 (April 2008), 190-199. 

Algebriac Testing