2 Why We Need Model-Based Testing
27.07.2013 Views
Share Embed Flag

2 Why We Need Model-Based Testing

2 Why We Need Model-Based Testing

2 Why We Need Model-Based Testing

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
is.ifmo.ru

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

START NOW

106 Exploring and Analyzing Finite <strong>Model</strong> Programs<br />

drawn from a set called a domain. In each state, exploration executes each action<br />

method repeatedly, using as many different values as it can from the domains of all<br />

its parameters. Each combination of parameter values defines a different action, so<br />

larger domains result in more actions and more transitions. Enabling conditions can<br />

depend on parameters as well as state variables, so each combination of parameter<br />

values must be checked; some combinations may not be enabled in some states.<br />

6.3 Analysis<br />

6.3.1 Safety<br />

It can be helpful to simply view the graph of the FSM, but it is more useful to<br />

investigate particular issues. Exploration can provide the answers to several kinds<br />

of specific questions.<br />

Several statistics are computed during exploration, including the number of states<br />

and transitions found (this is not shown in the algorithm of Figure 6.7). These statistics<br />

can provide useful diagnostic information. For example, they reveal whether<br />

exploration did in fact generate the true FSM. The default for the limit MaxTransitions<br />

is quite small, only 100. If exploration reaches this limit, it does not generate<br />

the true FSM, but only some portion of it. When this happens, the number of transitions<br />

found equals MaxTransitions. You may also notice unexpected dead ends in<br />

the graph. In that case, you should increase MaxTransitions and explore again.<br />

Many analysis questions can be expressed in terms of safety or liveness. In the<br />

following subsections we use safety and liveness analyses to reveal design errors in<br />

the reactive system we discussed in Chapter 3, whose model program we developed<br />

in Chapter 5, Section 5.7.<br />

Safety analysis checks whether anything bad can happen. It searches for unsafe<br />

states that violate safety requirements. <strong>We</strong> express safety requirements by writing<br />

a Boolean expression called an invariant, which is supposed to be true in every<br />

state that can be reached. An unsafe state is a state where an invariant is false.<br />

For the tools, an invariant is a Boolean field, property, or method labeled with the<br />

[StateInvariant] attribute.<br />

Safety analysis depends on writing an invariant that expresses the safety property<br />

we wish to check. <strong>We</strong> must consider which states are allowed (that make the invariant<br />

true) and which are forbidden (that make the invariant false). Identifying the safe<br />

states requires judgment and understanding the program’s purpose.<br />

Recall that the purpose of our reactive system is to perform a calibration with<br />

a valid temperature sample. Performing a calibration with an invalid temperature<br />

sample would be bad. Here the bad thing is an action (performing a calibration) but<br />

more free ebooks download links at:<br />

http://www.ebook-x.com

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!