rob oshana southern methodist university software testing

Rob OshanaSouthern Methodist

University

SoftwareTesting

Why do we Test ?

• Assess Reliability

• Detect Code Faults

Industry facts

Software testing accounts for 50% of pre-release costs,and 70% of post-release costs [Cigital

Corporation]

30-40% of errors detected after deployment are run-time errors [U.C. Berkeley, IBM’s TJ Watson

Lab]

The amount of software in a typical device doubles every 18 months [Reme Bourguignon, VP of Philips

Holland]

Defect densities are stable over the last 20 years : 0.5 - 2.0 sw failures / 1000 lines [Cigital

Corporation]

Critical SW Applications

Critical software applications which have failed :

Mariner 1 NASA 1962Missing ‘-’ in ForTran code Rocket bound for Venus destroyed

Therac 25 Atomic Energy of Canada Ltd 1985-87Data conversion error Radiation therapy machine for cancer

Long Distance Service AT&T 1990A single line of bad code Service outages up to nine hours long

Patriot Missiles U.S. military 1991Endurance errors in tracking system 28 US soldiers killed in barracks

Tax Calculation Program InTuit 1995Incorrect results SW vendor payed tax penalties for users

Good and successful testing

• What is a good test case?

• A goodgood test case has a high probability of finding an as-yet undiscovered errorundiscovered error

• What is a successful test case?

• A successful testsuccessful test is one that uncovers an as-yet undiscovered errorundiscovered error

Understands the systembut, will test “gently”and, is driven by “delivery”

Must learn about the system, but, will attempt to break it and, is driven by quality

developer independent tester

Who tests the software better ?

Testability – can you develop a program for testability?

• Operability - “The better it works, the more efficiently it can be tested”

• Observability - the results are easy to see, distinct output is generated for each input, incorrect output is easily identified

• Controllability - processing can be controlled, tests can be automated & reproduced

• Decomposability - software modules can be tested independently

• Simplicity - no complex architecture and logic

• Stability - few changes are requested during testing

• Understandability - program is easy to understand

Did You Know...

• Testing/Debugging can worsen reliability?

• We often chase the wrong bugs?

• Testing cannot show the absence of faults, only the existence?

• The cost to develop software is directly proportional to the cost of testing?– Y2K testing cost $600 billion

Did you also know...

• The most commonly applied software testing techniques (black box and white box) were developed back in the 1960’s

• Most Oracles are human (error prone)!!

• 70% of safety critical code can be exceptions– this is the last code written!

Testing Problems

• Time

• Faults hides from tests

• Test Management costs

• Training Personnel

• What techniques to use

• Books and education

“Errors are more common, more pervasive, and more troublesome in software than with other technologies”

David Parnas

What is testing?

• How does testing software compare with testing students?

What is testing?

• “Software testing is the process of comparing the invisible to the ambiguous as to avoid the unthinkable.” James Bach, Borland corp.

What is testing?

• Software testing is the process of predicting the behavior of a product and comparing that prediction to the actual results." R. Vanderwall

Purpose of testing

• Build confidence in the product

• Judge the quality of the product

• Find bugs

Finding bugs can be difficult

x

x

x

x

x

x

x

x

x

x

x

Mine field

A path through themine field (use case) A path through the

mine field (use case)

Why is testing important?

• Therac25: Cost 6 lives

• Ariane 5 Rocket: Cost $500M

• Denver Airport: Cost $360M

• Mars missions, orbital explorer & polar lander: Cost $300M

Why is testing so hard?

Reasons for customer reported bugs

• User executed untested code• Order in which statements were executed

in actual use different from that during testing

• User applied a combination of untested input values

• User’s operating environment was never tested

Interfaces to your software

• Human interfaces

• Software interfaces (APIs)

• File system interfaces

• Communication interfaces– Physical devices (device drivers)– controllers

Selecting test scenarios

• Execution path criteria (control)– Statement coverage– Branching coverage

• Data flow – Initialize each data structure– Use each data structure

• Operational profile • Statistical sampling….

What is a bug?

• Error: mistake made in translation or interpretation ( many taxonomies exist to describe errors)

• Fault: manifestation of the error in implementation (very nebulous)

• Failure: observable deviation in behavior of the system

Example

• Requirement: “print the speed, defined as distance divided by time”

• Code: s = d/t; print s

Example

• Error; I forgot to account for t = 0

• Fault: omission of code to catch t=0

• Failure: exception is thrown

Severity taxonomy

• Mild - trivial

• Annoying - minor

• Serious - major

• Catastrophic - Critical

• Infectious - run for the hills

What is your taxonomy ?

IEEE 1044-1993

Life cycle

Requirements

Design

Code

Testing

error

error

error

Errors can be introduced ateach of these stages

Resolve

Isolate

Classify

error

error

error

error

Testing and repair process can bejust as error prone as the developmentProcess (more so ??)

Ok, so lets just design our systems with “testability” in

mind…..

Testability

• How easily a computer program can be tested (Bach)

• We can relate this to “design for testability” techniques applied in hardware systems

JTAG

A standard Integrated Circuit

CoreIC

Logic

Test access portcontroller

Test mode Select (TMS)

Test clock (TCK)

Test data out (TDO)

Test data in (TDI)

BoundaryScan cells

BoundaryScan path

I/O pads

Data in

Data out

TDI TDOcell

Operability

• “The better it works, the more efficiently it can be tested”– System has few bugs (bugs add

analysis and reporting overhead)– No bugs block execution of tests– Product evolves in functional stages

(simultaneous development and testing)

Observability

• “What you see is what you get”– Distinct output is generated for each input– System states and variables are visible and

queriable during execution– Past system states are ….. (transaction logs)– All factors affecting output are visible

Observability

– Incorrect output is easily identified– Internal errors are automatically

detected through self-testing mechanisms

– Internal errors are automatically reported

– Source code is accessible

Visibility Spectrum

DSPvisibility

GPPvisibility

Factoryvisibility

End customervisibility

Controllability

• “The better we can control the software, the more the testing can be automated and optimized”– All possible outputs can be generated

through some combination of input– All code is executable through some

combination of input

Controllability

– SW and HW states and variables can be controlled directly by the test engineer

– Input and output formats are consistent and structured

Decomposability

• “By controlling the scope of testing, we can more quickly isolate problems and perform smarter testing”– The software system is built from

independent modules– Software modules can be tested

independently

Simplicity

• “The less there is to test, the more quickly we can test it”– Functional simplicity (feature set is

minimum necessary to meet requirements)

– Structural simplicity (architecture is modularized)

– Code simplicity (coding standards)

Stability

• “The fewer the changes, the fewer the disruptions to testing”– Changes to the software are infrequent,

controlled, and do not invalidate existing tests

– Software recovers well from failures

Understandability

• “The more information we have, the smarter we will test”– Design is well understood– Dependencies between external, internal, and

shared components are well understood– Technical documentation is accessible, well

organized, specific and detailed, and accurate

“Bugs lurk in corners and congregate at boundaries”

Boris Beizer

Types of errors

• What is a Testing error?– Claiming behavior is erroneous when it

is in fact correct– ‘fixing’ this type of error actually breaks

the product

Errors in classification

• What is a Classification error ?– Classifying the error into the wrong

category

• Why is this bad ?– This puts you on the wrong path for a

solution

Example Bug Report

• “Screen locks up for 10 seconds after ‘submit’ button is pressed”

• Classification 1: Usability Error • Solution may be to catch user events and

present an hour-glass icon• Classification 2: Performance error• solution may be a modification to a sort

algorithm (or visa-versa)

Isolation error

• Incorrectly isolating the erroneous modules

• Example: consider a client server architecture. An improperly formed client request results in an improperly formed server response

• The isolation determined (incorrectly) that the server was at fault and was changed

• Resulted in regression failure for other clients

Resolve errors

• Modifications to remediate the failure are themselves erroneous

• Example: Fixing one fault may introduce another

What is the ideal test case?

• Run one test whose output is "Modify line n of module i."

• Run one test whose output is "Input Vector v produces the wrong output"

• Run one test whose output is "The program has a bug" (Useless, we know this)

More realistic test case

• One input vector and expected output vector– A collection of these make of a Test Suite

• Typical (naïve) Test Case– Type or select a few inputs and observe output– Inputs not selected systematically– Outputs not predicted in advance

Test case definition

• A test case consists of;– an input vector– a set of environmental conditions– an expected output.

• A test suite is a set of test cases chosen to meet some criteria (e.g. Regression)

• A test set is any set of test cases

Testing Software Intensive Systems

V&V

• Verification– are we building the product right?

• Validation– are we building the right product?– is the customer satisfied?

• How do we do it?• Inspect and Test

What do we inspect and test?

• All work products!

• Scenarios

• Requirements

• Designs

• Code

• Documentation

Defect Testing

A Testing Test

• Problem– A program reads three integer values from

the keyboard separated by spaces. The three values are interpreted as representing the lengths of the sides of a triangle. The program prints a message that states whether the triangle is scalene, isosceles or equilateral.

• Write a set of test cases to adequately test this program

Static and Dynamic V&V

Requirementsspecification

High-Leveldesign

Detaileddesign

Program

Static Verification

Dynamic Verification

Prototype

Techniques

• Static Techniques– Inspection– Analysis– Formal verification

• Dynamic Techniques– Testing

SE-CMMPA 07: Verify & Validate

System• Verification: perform comprehensive

evaluations to ensure that all work products meet requirements– Address all work products: from user

needs an expectations through production and maintenance

• Validation - meeting customer needs - continues throughout product lifecycle

V&V Base Practices

• Establish plans for V&V– objectives, resources, facilities, special equipment– come up with master test plan

• Define the work products to be tested (requirements, design, code) and the methods (reviews, inspections, tests) that will be used to verify

• Define verification methods– test case input, expected results, criteria– connect requirements to tests

V&V Base Practices...• Define how to validate the system

– includes customer as user/operator– test conditions– test environment– simulation conditions

• Perform V&V and capture results– inspection results; test results; exception reports

• Assess success– compare results against expected results– success or failure?

Testing is...

• The process of executing a program with the intent of finding defects

• This definition implies that testing is a destructive process - often going against the grain of what software developers do, i.e.. construct and build software

• A successful test run is NOT one in which no errors are found

Test Cases

• A successful test case finds an error

• An unsuccessful test case is one that causes the program to produce the correct result

• Analogy: feeling ill, going to the doctor, paying $300 for a lab test only to be told that you’re OK!

Testing demonstrates the presence not the absence of

faults

Iterative Testing Process

Acceptancetesting

Sub systemtesting

Unittesting

Moduletesting

Systemtesting

Component TestingIntegration Testing

User Testing

It is impossible to completely test a program

Testing and Time

• Exhaustive testing is impossible for any program with low to moderate complexity

• Testing must focus on a subset of possible test cases

• Test cases should be systematically derived, not random

Testing Strategies• Top Down testing

– use with top-down programming; stubs required; difficult to generate output

• Bottom Up testing– requires driver programs; often combined with top-down testing

• Stress testing– test system overload; often want system to fail-soft rather than

shut down– often finds unexpected combinations of events

Test-Support Tools

• Scaffolding– code created to help test the software

• Stubs– a dummied-up low-level routine so it

can be called by a higher level routine

Stubs Can Vary in Complexity

• Return, no action taken• Test the data fed to it• Print/echo input data• Get return values from interactive input• Return standard answer• Burn up clock cycles• Function as slow, fat version of ultimate

routine

Driver Programs

• Fake (testing) routine that calls other real routines

• Drivers can:– call with fixed set of inputs

– prompt for input and use it

– take arguments from command line

– read arguments from file

• main() can be a driver - then “remove” it with preprocessor statements. Code is unaffected

System Tests Should be Incremental

A

B

test 1test 2

Modules


A

B

test 1test 2

test 3C

Modules


A

B

test 1test 2

test 3test 4C

D

Modules

Not Big-Bang

Approaches to Testing• White Box testing

– based on the implementation - the structure of the code; also called structural testing

• Black Box testing– based on a view of the program as a function of

Input and Output; also called functional testing

• Interface Testing– derived from program specification and

knowledge of interfaces

White Box (Structural) Testing

• Testing based on the structure of the code

…

if x then j = 2else k = 5…...

start with actual program code

White Box (Structural) Testing

• Testing based on the structure of the code

…

if x then j = 2else k = 5…...

Test data

Tests

Test output

White Box Technique:Basis Path Testing

• Objective-– test every independent execution path through

the program• If every independent path has been executed

then every statement will be executed• All conditional statements are tested for

both true and false conditions• The starting point for path testing is the flow

graph

Flow Graphs

if then else

Flow Graphs

if then else loop while

Flow Graphs

if then else loop while case of

1)j = 2;

2) k = 5;

3) read (a);

4) if a=2

5) then j = a

6) else j = a*k;

7) a = a + 1;

8) j = j + 1;

9) print (j);

How many paths thru this program?

1) j = 2;

2) k = 5;

3) read (a);

4) if a=2

5) then j = a

6) else j = a*k;

7) a = a + 1;

8) j = j + 1;

9) print (j);

1, 2, 3

4

5 6

7,8,9

How many paths thru this program?

How Many Independent Paths?

• An independent path introduces at least one new statement or condition to the collection of already existing independent paths

• Cyclomatic Complexity (McCabe)

• For programs without GOTOs,Cyclomatic Complexity

= Number of decision nodes + 1

also called predicate nodes

The Number of Paths

• Cyclomatic Complexity gives an upper bound on the number of tests that must be executed in order to cover all statements

• To test each path requires– test data to trigger the path– expected results to compare against

1) j = 2;

2) k = 5;

3) read (a);

4) if a=2

5) then j = a

6) else j = a*k;

7) a = a + 1;

8) j = j + 1;

9) print (j);

1, 2, 3

4

5 6

7,8,9

1) j = 2;

2) k = 5;

3) read (a);

4) if a=2

5) then j = a

6) else j = a*k;

7) a = a + 1;

8) j = j + 1;

9) print (j);

1, 2, 3

4

5 6

7,8,9

Test 1input: 2

expected output: 3

1) j = 2;

2) k = 5;

3) read (a);

4) if a=2

5) then j = a

6) else j = a*k;

7) a = a + 1;

8) j = j + 1;

9) print (j);

1, 2, 3

4

5 6

7,8,9

Test 1input: 2

expected output: 3

Test 2input: 10

expected output: 51

What Does Statement Coverage Tell You?

• All statements have been executed at least once

so?

What Does Statement Coverage Tell You?

• All statements have been executed at least once

Coverage testing may lead to the false illusion that the software has been comprehensively tested

The Downside of Statement Coverage

• Path testing results in the execution of every statement

• BUT, not all possible combinations of paths thru the program

• There are an infinite number of possible path combinations in programs with loops

The Downside of Statement Coverage

• The number of paths is usually proportional to program size making it useful only at the unit test level

Black Box Testing

Forget the code details!

Forget the code details!

Treat the program as a

Black Box

In Out

Black Box Testing

• Aim is to test all functional requirements

• Complementary, not a replacement for White Box Testing

• Black box testing typically occurs later in the test cycle than white box testing

Defect Testing Strategy

Input Test Data Locate inputs

causingerroneous output

OutputOutput indicating defects

Black Box Techniques

• Equivalence partitioning

• Boundary value testing

Equivalence Partitioning

• Data falls into categories

• Positive and Negative Numbers

• Strings with & without blanks

• Programs often behave in a comparable way for all values in a category -- also called an equivalence class

invalid input valid input

System

invalid input valid input

System

Choose test cases from partitions

Specification determines Equivalence Classes

• Program accepts 4 to 8 inputs

• Each is 5 digits greater than 10000




less than 4 4 thru 8 more than 8




less than 4 4 thru 8 more than 8

less than 10000

10000 thru 99999

more than 99999

Boundary Value Analysis • Complements equivalence partitioning• Select test cases at the boundaries of a

class• Range Boundary a..b

– test just below a and just above b

• Input specifies 4 values– test 3 and 5

• Output that is limited should be tested above and below limits

Other Testing Strategies

• Array testing

• Data flow testing

• GUI testing

• Real-time testing

• Documentation testing

Arrays

• Test software with arrays of one value

• Use different arrays of different sizes in different tests

• Derive tests so that the first, last and middle elements are tested

Data Flow testing

• Based on the idea that data usage is at least as error-prone as control flow

• Boris Beizer claims that at least half of all modern programs consist of data declarations and initializations

Data Can Exist in One of Three States

• Defined– initialized, not used

a = 2

• Usedx = a * b + c;

z = sin(a)

• Killedfree (a)– end of for loop or block where is was defined

Entering & Exiting

• Terms describing context of a routine before doing something to a variable

• Entered– control flow enter the routine before

variable is acted upon

• Exited– control flow leaves routine immediately

after variable is acted upon

Data Usage Patterns

• Normal– define variable; use one or more times;

perhaps killed

• Abnormal Patterns– Defined-Defined– Defined-Exited

• if local, why?

– Defined-Killed• wasteful if not strange

More Abnormal Patterns

• Entered-Killed• Entered-Used

– should be defined before use

• Killed-Killed– double kills are fatal for pointers

• Killed-Used– why really are you using?

• Used-Defined– what’s its value?

Define-Use Testingif (condition-1)

x = a;

elsex = b;

if (condition-2)y = x + 1;

elsey = x - 1;

Path Testing

Test1: condition-1 TRUE

condition-2 TRUE

Test2: condition-1 FALSE

condition-2 FALSE

WILL EXERCISE EVERY LINE OF CODE … BUT will NOT test the DEF-USE combinations

x=a / y = x-1

x=b/ y = x + 1

GUIs

• Are complex to test because of their event driven character

• Windows– move, resized and scrolled– regenerate when overwritten and then

recalled– menu bars change when window is active– multiple window functionality available?

GUI.. Menus

• Menu bars in context?

• Submenus - listed and working?

• Are names self explanatory?

• Is help context sensitive?

• Cursor changes with operations?

Testing Documentation

• Great software with lousy documentation can kill a product

• Documentation testing should be part of every test plan

• Two phases– review for clarity– review for correctness

Documentation Issues

• Focus on functional usage?• Are descriptions of interaction

sequences accurate• Examples should be used• Is it easy to find how to do something• Is there trouble shooting section• Easy to look up error codes• TOC and index

Real-Time Testing

• Needs white box and black box PLUS– consideration of states, events,

interrupts and processes

• Events will often have different effects depending on state

• Looking at event sequences can uncover problems

Real-Time Issues• Task Testing

– test each task independently

• Event testing– test each separately; then in context of state

diagrams;– scenario sequences and random sequences

• Intertask testing– Ada rendezvous– message queuing; buffer overflow

Other Testing Terms

• Statistical testing– running the program against expected usage

scenarios

• Regression testing– retesting the program after modification

• Defect testing– trying to find defects (aka bugs)

• Debugging• the process of discovering and removing defects

Summary V&V

• Verification– Are we building the system right?

• Validation– Are we building the right system?

• Testing is part of V&V• V&V is more than testing... • V&V is plans, testing, reviews, methods,

standards, and measurement

Testing Principles

• The necessary part of a test case is a definition of the expected output or result– the eye often sees what it wants to see

• Programmers should avoid testing their own code

• Organizations should not test their own programs

• Thoroughly inspect the results of each test

Testing Principles

• Test invalid as well as valid conditions

• The portability of errors in a section code is proportional to the number of errors already found there

Testing Principles• Tests should be traceable to customer

requirements• Tests should be planned before testing begins• The Pareto principle applies - 80% of all errors

is in 20% of the code• Begin small, scale up• Exhaustive testing is not possible• The best testing is done by a 3rd party

Guidelines• Testing capabilities is more important than

testing components– users have a job to do; tests should focus on

things that interfere with getting the job done, not minor irritations

• Testing old capabilities is more important then testing new features

• Testing typical situations is more important than testing boundary conditions

System Testing

Ian Summerville

System Testing

• Testing the system as a whole to validate that it meets its specification and the objectives of its users

Development testing

• Hardware and software components should be tested;– as they are developed

– as sub-systems are created.

• These testing activities include:– Unit testing. – Module testing– Sub-system testing

Development testing

• These tests do not cover:– Interactions between components or

sub-systems where the interaction causes the system to behave in an unexpected way

– The emergent properties of the system

System testing• Testing the system as a whole instead of

individual system components• Integration testing

– As the system is integrated, it is tested by the system developer for specification compliance

• Stress testing– The behavior of the system is tested under

conditions of load

System testing

• Acceptance testing– The system is tested by the customer to

check if it conforms to the terms of the development contract

• System testing reveals errors which were undiscovered during testing at the component level

System Test Flow

Requirementsspecification

Systemdesign

Detaileddesign

Acceptancetest plan

SystemIntegrationtest plan

Sub-systemIntegrationtest plan

Service Acceptancetest

SystemIntegrationtest

Sub-systemIntegrationtest

Unit code and test

Systemspecification

Integration testing• Concerned with testing the system

as it is integrated from its components

• Integration testing is normally the most expensive activity in the systems integration process

Integration testing

• Should focus on – Interface testing where the interactions

between sub-systems and components are tested

– Property testing where system properties such as reliability, performance and usability are tested

Integration Test Planning• Integration testing is complex and time-

consuming and planning of the process is essential

• The larger the system, the earlier this planning must start and the more extensive it must be

• Integration test planning may be the responsibility of a separate IV&V (verification and validation) team– or a group which is separate from the development

team

Test planning activities• Identify possible system tests using the

requirements document

• Prepare test cases and test scenarios to run these system tests

• Plan the development, if required, of tools such as simulators to support system testing

• Prepare, if necessary, operational profiles for the system

• Schedule the testing activities and estimate testing costs

Interface Testing

• Within a system there may be literally hundreds of different interfaces of different types. Testing these is a major problem.

• Interface tests should not be concerned with the internal operation of the sub-system although they can highlight problems which were not discovered when the sub-system was tested as an independent entity.

Two levels of interface testing

• Interface testing during development when the developers test what they understand to be the sub-system interface

• Interface testing during integration where the interface, as understood by the users of the subsystem, is tested.

Two levels of interface testing

• What developers understand as the system interface and what users understand by this are not always the same thing.

Interface Testing

TestCases

A B

C

Interface Problems

• Interface problems often arise because of poor communications within the development team or because of poor change management procedures

• Typically, an interface definition is agreed but, for good reasons, this has to be chanegd during development

Interface Problems

• To allow other parts of the system to cope with this change, they must be informed of it

• It is very common for changes to be made and for potential users of the interface to be unaware of these changes – problems arise which emerge during

interface testing

What is an interface?• An agreed mechanism for

communication between different parts of the system

• System interface classes– Hardware interfaces

• Involving communicating hardware units

– Hardware/software interfaces• Involving the interaction between hardware

and software

What is an interface?

– Software interfaces• Involving communicating software

components or sub-systems

– Human/computer interfaces• Involving the interaction of people and the

system

– Human interfaces• Involving the interactions between people in

the process

Hardware interfaces

• Physical-level interfaces– Concerned with the physical connection of

different parts of the system e.g. plug/socket compatibility, physical space utilization, wiring correctness, etc.

• Electrical-level interfaces– Concerned with the electrical/electronic

compatibility of hardware units i.e. can a signal produced by one unit be processed by another unit

Hardware interfaces

• Protocol-level interfaces– Concerned with the format of the

signals communicated between hardware units

Software interfaces

• Parameter interfaces– Software units communicate by setting

pre-defined parameters

• Shared memory interfaces– Software units communicate through a

shared area of memory– Software/hardware interfaces are

usually of this type

Software interfaces

• Procedural interfaces– Software units communicate by calling

pre-defined procedures

• Message passing interfaces– Software units communicate by passing

messages to each other

Parameter Interfaces

Subsystem 1 Subsystem 2

Parameterlist

Shared Memory Interfaces

Shared memory area

SS1 SS2 SS3

Procedural Interfaces

Subsystem 1 Subsystem 2Defined procedures(API)

Message Passing Interfaces

Subsystem 1 Subsystem 2

Exchangedmessages

Interface errors

• Interface misuse– A calling component calls another

component and makes an error in its use of its interface e.g. parameters in the wrong order

• Interface misunderstanding– A calling component embeds

assumptions about the behavior of the called component which are incorrect

Interface errors

• Timing errors– The calling and called component

operate at different speeds and out-of-date information is accessed

Stress testing• Exercises the system beyond its

maximum design load– The argument for stress testing is that system

failures are most likely to show themselves at the extremes of the system’s behavior

• Tests failure behavior– When a system is overloaded, it should

degrade gracefully rather than fail catastrophically

Stress testing

• Particularly relevant to distributed systems– As the load on the system increases, so

too does the network traffic. At some stage, the network is likely to become swamped and no useful work can be done

Acceptance testing

• The process of demonstrating to the customer that the system is acceptable

• Based on real data drawn from customer sources. The system must process this data as required by the customer if it is to be acceptable

Acceptance testing

• Generally carried out by customer and system developer together

• May be carried out before or after a system has been installed

Performance testing• Concerned with checking that the

system meets its performance requirements

• Number of transactions processed per second– Response time to user interaction– Time to complete specified operations

Performance testing

• Generally requires some logging software to be associated with the system to measure its performance

• May be carried out in conjunction with stress testing using simulators developed for stress testing

Reliability testing• The system is presented with a large number

of ‘typical’ inputs and its response to these inputs is observed

• The reliability of the system is based on the number of incorrect outputs which are generated in response to correct inputs

• The profile of the inputs (the operational profile) must match the real input probabilities if the reliability estimate is to be valid

Security testing

• Security testing is concerned with checking that the system and its data are protected from accidental or malicious damage

• Unlike other types of testing, this cannot really be tested by planning system tests. The system must be secure against unanticipated as well as anticipated attacks

Security testing

• Security testing may be carried out by inviting people to try to penetrate the system through security loopholes

Some Costly and Famous Software Failures

Mariner 1 Venus probe loses its way: 1962

Mariner 1

• A probe launched from Cape Canaveral was set to go to Venus

• After takeoff, the unmanned rocket carrying the probe went off course, and NASA had to blow up the rocket to avoid endangering lives on earth

• NASA later attributed the error to a faulty line of Fortran code

Mariner 1

• “... a hyphen had been dropped from the guidance program loaded aboard the computer, allowing the flawed signals to command the rocket to veer left and nose down…

• The vehicle cost more than $80 million, prompting Arthur C. Clarke to refer to the mission as "the most expensive hyphen in history."

Therac 25 Radiation Machine

Radiation machine kills four: 1985 to 1987

• Faulty software in a Therac-25 radiation-treatment machine made by Atomic Energy of Canada Limited (AECL) resulted in several cancer patients receiving lethal overdoses of radiation

• Four patients died

Radiation machine kills four: 1985 to 1987

• A lesson to be learned from the Therac-25 story is that focusing on particular software bugs is not the way to make a safe system,”

• "The basic mistakes here involved poor software engineering practices and building a machine that relies on the software for safe operation."

AT&T long distance service fails

AT&T long distance service fails: 1990

• Switching errors in AT&T's call-handling computers caused the company's long-distance network to go down for nine hours, the worst of several telephone outages in the history of the system

• The meltdown affected thousands of services and was eventually traced to a single faulty line of code

Patriot missile

Patriot missile misses: 1991

• The U.S. Patriot missile's battery was designed to head off Iraqi Scuds during the Gulf War

• System also failed to track several incoming Scud missiles, including one that killed 28 U.S. soldiers in a barracks in Dhahran, Saudi Arabia

Patriot missile misses: 1991• The problem stemmed from a software error

that put the tracking system off by 0.34 of a second

• System was originally supposed to be operated for only 14 hours at a time– In the Dhahran attack, the missile battery had

been on for 100 hours– errors in the system's clock accumulated to the

point that the tracking system no longer functioned

Pentium chip

Pentium chip fails math test: 1994

• Pentium chip gave incorrect answers to certain complex equations– bug occurred rarely and affected only a tiny

percentage of Intel's customers

• Intel offered to replace the affected chips, which cost the company $450 million

• Intel then started publishing a list of known "errata," or bugs, for all of its chips

New Denver airport

New Denver airport misses its opening: 1995

• The Denver International Airport was intended to be a state-of-the-art airport, with a complex, computerized baggage-handling system and 5,300 miles of fiber-optic cabling

• Bugs in the baggage system caused suitcases to be chewed up and drove automated baggage carts into walls

New Denver airport misses its opening: 1995

• The airport eventually opened 16 months late, $3.2 billion over budget, and with a mainly manual baggage system

The millennium bug: 2000

• No need to discuss this !!

Ariane 5 Rocket

Ariane 5

• The failure of the Ariane 501 was caused by the complete loss of guidance and attitude information 37 seconds after start of the main engine ignition sequence (30 seconds after lift- off)

• This loss of information was due to specification and design errors in the software of the inertial reference system

Ariane 5

• The extensive reviews and tests carried out during the Ariane 5 Development Programme did not include adequate analysis and testing of the inertial reference system or of the complete flight control system, which could have detected the potential failure

More on Testing

From Beatty – ESC 2002

Agenda

• Introduction

• Types of software errors

• Finding errors – methods and tools

• Embedded systems and RT issues

• Risk management and process

Introduction

• Testing is expensive

• Testing progress can be hard to predict

• Embedded systems have different needs

• Desire for best practices

Method

• Know what you are looking for

• Learn how to effectively locate problems

• Plan to succeed – manage risk

• Customize and optimize the process

Entomology

• What are we looking for ?

• How are bugs introduced?

• What are their consequences?

Entomology – Bug Frequency

• Rare

• Less common

• More common

• Common

Entomology – Bug severity

• Non functional; doesn’t affect object code• Low: correct problem when convenient• High: correct as soon as possible• Critical: change MUST be made

– Safety related or legal issue

Domain Specific !

Entomology - Sources

• Non-implementation error sources– Specifications– Design– Hardware– Compiler errors

• Frequency; common – 45 to 65%

• Severity; Non-functional to critical


• Poor specifications and designs are often;– Missing– Ambiguous– Wrong– Needlessly complex– Contradictory

Testing can fix these problems !


• Implementation error sources;– Algorithmic/processing bugs– Data bugs– Real-time bugs– System bugs– Other bugs

Bugs may fit in more than one category !

Entomology – Algorithm Bugs

• Parameter passing– Common only in complex invocations– Severity varies

• Return codes– Common only in complex functions or libraries

• Reentrance problem– Less common– Critical

Entomology – Algorithm Bugs

• Incorrect control flow– Common– Severity varies

• Logic/math/processing error– Common– High

• Off by “1”– Common– Varies, but typically high

Example of logic error

If (( this AND that ) OR ( that AND other )AND NOT ( this AND other ) AND NOT( other OR NOT another ))

Boolean operations and mathematical calculations can be easily misunderstoodIn complicated algorithms!

Example of off by 1

for ( x = 0;, x <= 10; x++)

This will execute 11 times, not 10!

for ( x = array_min; x <= array_max; x++)

If the intention is to set x to array_maxon the last pass through the loop, thenthis is in error!

Be careful when switching between 1 basedlanguage (Pascal, Fortran) to zero based (C)

Entomology – Algorithm bugs

• Math underflow/overflow– Common with integer or fixed point

math– High severity– Be careful when switching between

floating point and fixed point processors

Entomology – Data bugs

• Improper variable initialization– Less common– Varies; typically low

• Variable scope error– Less common– Low to high

Example - Uninitialized dataint some_function ( int some_param ) { int j;if (some_param >= 0){ for ( j=0; j<=3; j++) { /* iterate through some process */ }} else {

if (some_param <= -10){

some_param += j; /* j is uninitialized */ }

return some_param; } return 0;}


• Data synchronization error– Less common– Varies; typically high

Example – synchronized data

struct state { /* an interrupt will trigger */GEAR_TYPE gear; /* sending snapshot in a message */U16 speed;U16 speed_limit;U8 last_error_code;

} snapshot;

snapshot.speed = new_speed; /* …somewhere in code */

snapshot.gear = new gear; /* somewhere else */snapshot.speed_limit = speed_limit_tb[ gear ];

Interrupt splitting these two would be bad


• Improper data usage– Common– Varies

• Incorrect flag usage– Common when hard-coded constants

used– varies

Example – mixed math error

unsigned int a = 5;int b = -10;

/* somewhere in code */if ( a + b > 0 ){

a+b is not evaluated as –5 !the signed int b is converted to an unsigned int


• Data/range overflow/underflow– Common in asm and 16 bit micro– Low to critical

• Signed/unsigned data error– Common in asm and fixed point math– High to critical

• Incorrect conversion/type cast/scaling– Common in complex programs– Low to critical


• Pointer error– Common– High to critical

• Indexing problem– Common– High to critical

Entomology – Real-time bugs

• Task synchronization– Waiting, sequencing, scheduling, race

conditions, priority inversion– Less common– Varies

• Interrupt handling– Unexpected interrupts– Improper return from interrupt

• Rare• critical

Entomology – Real-time bugs

• Interrupt suppression– Critical sections– Corruption of shared data– Interrupt latency

• Less common• critical

Entomology – System bugs

• Stack overflow/underflow– Pushing, pulling and nesting

• More common in asm and complex designs• Critical

• Resource sharing problem– Less common– High to critical– Mars pathfinder


• Resource mapping– Variable maps, register banks,

development maps– Less common– Critical

• Instrumentation problem– Less common– low


• Version control error– Common in complex or mismanaged

projects– High to critical

Entomology – other bugs

• Syntax/typing– if (*ptr=NULL) Cut&paste errors– More common– Varies

• Interface– Common– High to critical

• Missing functionality– Common– high

Entomology – other bugs

• Peripheral register initialization– Less common– Critical

• Watchdog servicing– Less common– Critical

• Memory allocation/de-allocation– Common when using malloc(), free()– Low to critical

Entomology – Review

• What are you looking for ?

• How are bugs being introduced ?

• What are their consequences ?

Form your own target list!

Finding the hidden errors…

• All methods use these basic techniques;– Review; checking– Tests; demonstrating– Analysis; proving

These are all referred to as “testing” !

Testing

• “Organized process of identifying variances between actual and specified results”

• Goal: zero significant defects

Testing axioms

• All software has bugs• Programs cannot be exhaustively

tested• Cannot prove the absence of all

errors• Complex systems often behave

counter-intuitively• Software systems are often brittle

Finding spec/design problems

• Reviews / Inspections / Walkthroughs

• CASE tools

• Simulation

• Prototypes

Still need consistently effective methods !

Testing – Spec/Design Reviews

• Can be formal or informal– Completeness– Consistency– Feasibility– Testability

Testing – Evaluating methods

• Relative costs– None– Low– Moderate– High

• General effectiveness– Low– Moderate– High– Very high

Testing – Code reviews

• Individual review– Effectiveness: high– Cost; Time – low,

material - none

• Group inspections– Effectiveness: very

high– Cost; Time –

moderate, material - none

Testing – Code reviews

• Strengths– Early detection of errors– Logic problems– Math errors– Non-testable requirement or paths

• Weaknesses– Individual preparation and experience– Focus on details, not “big picture”– Timing and system issues

Step by step execution

• Exercise every line of code or every branch condition

• Look for errors– Use simulator, ICE, logic analyzer– Effectiveness; moderate – dependent on

tester– Cost; time is high, material is low or

moderate

Functional (Black Box)

• Exercise inputs and examine outputs

• Test procedures describe expected behavior

• Subsystems tested and integrated– Effectiveness is moderate– Cost; time is moderate, material varies

Tip; where functional testing finds problemslook deeper in that area !

Functional (Black Box)

• Strengths– Requirements problems– Interfaces– Performance issues– Most critical/most used features

• Weaknesses– Poor coverage– Timing and other problems masked– Error conditions

Functional test process• ID requirements to test• Choose strategy

– 1 test per requirement– Test small groups of requirements– Scenario; broad sweep of many requirements

• Write test cases– Environment– Inputs– Expected outputs

• Traceability

Structural (White box)

• Looks at how code works• Test procedures• Exercise paths using many data values• Consistency between design and

implementation– Effectiveness; high– Cost; time is high, material low to moderate


• Strengths– Coverage– Effectiveness– Logic and structure problems– Math and data errors

• Weaknesses– Interface and requirements– Focused; may miss “big picture”– Interaction with system– Timing problems


• Test rigor based on 3 levels of Risk (FAA)

• C – reduced safety margins or functionality– Statement coverage– Invoke every statement at least once



• B – Hazardous – Decision Coverage– Invoke every statement at least once– Invoke every entry and exit– Every control statement takes all

possible outcomes– Every non-constant Boolean expression

evaluated to both a True and a False result



• A – Catastrophic – Modified Condition Decision Coverage– Every statement has been invoked– Every point of entry and exit has been

invoked


– Every control statement has taken all possible outcomes

– Every Boolean expression has evaluated to both a True and a False result

– Every condition in a Boolean expression has evaluated to both True/False

– Every condition in a Boolean expression has been shown to independently affect that expression’s outcome

Unit test standards

• What is the white box testing plan?

• What do you test?

• When do you test it?

• How do you test it?

Structural test process

• ID all inputs• ID all outputs• ID all paths• Set up test cases

– Decision coverage– Boundary value analysis– Checklist– Weaknesses

Structural test process

• Measure worst case execution time

• Determine worst case stack depth

• Bottom up

Integration

• Combines elements of white and block box– Unexpected return codes or

acknowledgements– Parameters – boundary values– Assumed initial conditions/state– Unobvious dependencies– Aggregate functionality

Integration

• Should you do this…when?– Depends on the complexity of the

system– Boundary values of parameters in

functions– Interaction between units– “interesting” paths

• Errors• Most common

Verification

• Verify the structural integrity of the code

• Find errors hidden at other levels of examination

• Outside of requirements

• Conformance to standards

Verification

• Detailed inspection, analysis, and measurement of code to find common errors

• Examples– Stack depth analysis– Singular use of flags/variables– Adequate interrupt suppression– Maximum interrupt latency– Processor-specific constraints

Verification

• Strengths– Finds problems that testing and inspection

can’t– Stack depth– Resource sharing– Timing

• Weaknesses– Tedious– Focused on certain types of errors

Verification

• Customize for your process/application– What should be checked– When– How– By whom

Stress/performance

• Load the system to maximum…and beyond!

• Helps determine “factor of safety”

• Performance to requirements

Stress/performance

• Examples– Processor utilization– Interrupt latency– Worst time to complete a task– Periodic interrupt frequency jitter– Number of messages per unit time– Failure recovery

Other techniques

• Fault injection• Scenario testing• Regression

– Critical functions– Most functionality with the least tests– Automation– Risk of not re-testing is higher than the cost

• Boundary value testing

Tools

ICE Simulator Logic analyzer

Step through code

X X X

Control execution

X X

Modifying data

X X

Coverage X X X

Timing analysis

X X X

Code Inspection Checklist


• Code correctly implements the document software design

• Code adheres to coding standards and guidelines

• Code is clear and understandable• Code has been commented

appropriately• Code is within complexity guidelines

– Cyclomatic complexity < 12


• Macro formal parameters should not have side affects (lint message 665)

• Use parenthesis to enhance code robustness, use parenthesis around all macro parameters (665, 773)

• Examine all typecasts for correct operation

• Examine affects of all implicit type conversions (910-919)


• Look for off-by-one errors in loop counters, arrays, etc

• Assignment statements within condition expressions (use cchk)

• Guarantee that a pointer can never be Null when de-referencing it

• Cases within a switch should end in a break (616)


• All switch statements should have a default case (744)

• Examine all arguments passed to functions for appropriate use of pass by value, pass by reference, and const

• Local variables must be initialized before use

• Equality test on floating point numbers may never be True (777)


• Adding and subtracting floats of different magnitudes can result in lost precision

• Insure that division by zero cannot occur

• Sequential multiplications and divisions may produce round-off errors


• Subtracting nearly equal values can produce cancellation errors

• C rounds towards zero – is this appropriate here ?

• Mathematical underflow/overflow potential

• Non-deterministic timing constructs

Unit test standards

Unit test standards

• 1. Each test case must be capable of independent execution, i.e. the setup and results of a test case shall not be used by subsequent test cases

• 2. All input variables shall be initialized for each test case. All output variables shall be given an expected value, which will be validated against the actual result for each test case

Unit test standards

• 3. Initialize variables to valid values taking into account any relationships among inputs. In other words, if the value of a variable A affects the domain of variable B, select values for A and B which satisfy the relationship

• 4. Verify that the minimum and maximum values can be obtained for each output variable (i.e. select input values that produce output values as close to the max/min as possible)

Unit test standards

• 5. Initialize output variables according to the following;– If an input is expected to change, set its

initial value to something other than the expected result

– If an output is not expected to change, set its initial value to its expected value

• 6. Verify loop entry and exit criteria

Unit test standards

• 7. Maximum loop iterations should be executed to provide worst case timing scenarios

• 8. Verify that the loss of precision due to multiplication or division is within acceptable tolerance

Unit test standards

• 9. The following apply to conditional expressions– “OR” expressions are evaluated by

setting all predicates “FALSE” and then setting each one “TRUE” individually

– “AND” expressions are evaluated by setting all predicates “TRUE” and then setting each one “FALSE” individually

Unit test standards

• 10. Do not stub any functions that are simple enough to include within the unit test

• 11. Non-trivial tests should include an explanation of what is being tested

Unit test standards

• 12. Unit test case coverage is complete when the following criteria are satisfied (where applicable)– 100% function and exit coverage– 100% call coverage– 100% statement block coverage– 100% decision coverage– 100% loop coverage– 100% basic condition coverage– 100% modified condition coverage

Unit test checklistCommon coding error checks

Status Note(s)

Mathematical expression underflow/overflow

<Pass/Fail/NA>

Off-by-one errors in loop counters

<Pass/Fail/NA>

Assignment statements within conditional expressions

<Pass/Fail/NA> May be detected by compiler, lint, cchk

Floats are not compared solely for equality

<Pass/Fail/NA> Lint message 777

Variables and calibrations use correct precision and ranges in calculations

<Pass/Fail/NA>

Unit test checklistCommon coding error checks

Status Note(s)

Pointers initialized and de-referenced properly

<Pass/Fail/NA>

Intermediate calculations are not stored in global variables

<Pass/Fail/NA>

All declared local variables are used in the function

<Pass/Fail/NA> May be detected by compiler or lint

Typecasting has been done correctly

<Pass/Fail/NA>

Unreachable code has been removed

<Pass/Fail/NA> Lint message 527

Common coding error checks

Status Note(s)

All denominators are guaranteed to be zero (no divide by 0)

<Pass/Fail/NA>

Switch statement handle every case of the control variable (have DEFAULT paths). Any cases that “fall through” to the next case are intended to do so

<Pass/Fail/NA> Lint message 744, 787

Fall through 616

Static variables are used for only one purpose

<Pass/Fail/NA>

All variables have been properly initialized before being used assume a value of “0” after power –up

<Pass/Fail/NA>

rob oshana southern methodist university software testing

Documents

successful testing

cost of testing

education slide

undiscovered error slide

testing students

y2k testing cost

successful test case

testing problems time